Aug 102011
 

Introduction

Information technology (IT) is one of the most agile industries that is critical for a business in today’s tough economic times.  Information, on the other hand, is an asset of utmost importance to a business organization.  And so is information security.  If the information of a business organization is not secure enough, unfortunately, it is susceptible to attacks.

Everything today is done through the internet.  There are many businesses that run only through internet, and might not even have a physical office location.  For example, sending emails, uploading or downloading data from the internet, clouds – processing information with the help of internet, many public documents are posted online for the general public to see, organizational information flows through the network they have and sits on their servers, and many more.  Today, almost everything on the internet is monitored.  All these activities require protection from the cyber hackers who can penetrate into the network systems and misuse the information.  Such attacks inculcate hard economic consequences on individuals, organizations, and society as a whole.  In this paper, we will study about some of the economic consequences that incurred, and their benefits and problems.

In the first section, we discuss about the background of the cyber attacks, talk about a few known cyber attacks.  In the second section, we discuss about the economic consequences of cyber attacks and their impact on individual, society, and organization along with their problems.  In the third section, the future of cyber attacks is discussed.  And in the fourth section, we summarize the paper with our analysis of the findings.

Background

Cyber attacks are by and large computer to computer attacks which are motivated to delete, steal, or modify the information on the targeted computer systems.

Vatis (2002) categorizes different types of cyber attacks as: (a) unauthorized intrusions, wherein the attackers hack the computers through different hacking methods, or in case of a company, an insider goes beyond his authorized access to break into the company’s network for some confidential information; (b) destructive viruses or worms, which are easy to spread from one computer to another in various forms like through emails; and (c) denial of service (DoS) attacks that may even lead to network bottleneck with tremendous traffic load.  He suggests that the following are some of the politically motivated attacks that are prevalent today:

  1. Web Defacements and Semantic Attacks are used to propagate false information by changing the web page content subtly.
  2. In Domain Name Server (DNS) Attacks, when the user requests for a particular website to the DNS server, then (s)he is diverted to an unwanted website because of a wrong Internet Protocol (IP) address generated by the DNS server.  This method of attacking is common within most of the networks today.
  3. Distributed Denial of Service (DDoS) Attacks involve high volume of communications to the targeted computers is the strategy that cyber attackers focus on to slow down those target machines.  These communications are drawn from web servers and email servers, and diverted to the target computers to create a bottleneck, and ultimately slow down or even shut down the machines.
  4. Types of Malicious Code are viruses, worms, and Trojan Horses.  Usually, system administrators are well aware of viruses and worms that can be caught and remedied, but there are certain malicious codes that are easily ignored by the system administrators which may be detected only after disrupting the information.  This is the most cost-effective way of playing disrupting the foundation of information infrastructure of a business when the motive is only destruction.
  5. In Exploitation of Routing Vulnerabilities routers, also known as air traffic controllers of the internet, ensures that the information packets get from the source to the destination.  Routing disorders in the network could lead to attacks that may destruct the Internet.
  6. There are Compound Attacks wherein attackers can combine a number of attacks and make a series out of them which can destroy everything leaving no possibility of recovery.

Laws are made to address such attacks, but these laws do not suffice the needs of the businesses to survive or get back on the same track as they were before.  Etsebeth (2011) argues that businesses should not only protect their information, but also should be aware of whom to give access to that information.  He classifies three categories of cyber attacks against United States: (a) interference with information and/or data: occurs when availability, confidentiality, and integrity of the information asset are compromised by an adversary; (b) interception of information and/or data: when the adversary modifies or deletes the compromised data; and (c) impersonation: where an adversary pretends to be an authorized individual.  He states that information security is mandatory and is no longer an option because any activity that tends to threaten the information assets of the business would be directly threatening the performance and efficiency of the business or the concerned firm.  He suggests that with corporate information been given to the stakeholders, and public in some instances, for the purpose of encouraging them to invest in the business, there should be legal liabilities involved in case of violation of transparency or information disclosure.  Recommendations for important legal aspects of information security, and how to defend in case of getting involved in a legal action, have been suggested by the author in his paper.

One of the latest attacks was on the Twitter Account of the Fox News by a group of cyber hackers.  They call themselves AntiSec.  This hacker group reported that President Obama was shot dead.  Although there are no economic consequences in this case in particular, but such situations can exist with different websites that hold extremely important and sensitive information.  Even though these attacks were prank, but can lead to substantial monetary losses to these companies.

Economic Consequences of Cyber Attacks- Impact on Individual, Society & Organization

The economic consequences of cyber attacks have many aspects.  They are different at societal level, organizational level, and individual level.  United States spends a major chunk of resources like cash flow and intelligence on developing the weapons, and training and maintaining large army and military bases.  On the contrary, today these resources have to be mobilized and shared with information technology (IT) risks and cyber attacks.  This means that along with the security of this country’s nationals, now humongous amount of resources have to be invested in cyber security as it is a threat of an equivalent magnitude of risk.

An example that involves all the above three levels of impacts, i.e. societal, organizational, and individual levels, is of United States cyberwar with China.  Mason (2011) explores the People’s Republic of China’s (PRC) intentions of targeting American companies and government networks.  The PRC has developed offensive capabilities like the recruitment of citizen hacker groups, creation of logic bombs and their placements in foreign networks, and creating and maintaining cyber military forces.  Their main targets include U.S. government systems, and numerous other computer systems across the globe.  In addition to this, a number of western clients were supplied reverse-engineered Cisco servers by the Chinese companies and it has been found out that a few compromised routers were sold to U.S. Marine Corps, Air Force, and other defense contractors with objective of slowing down the systems or weakening their cryptographic systems.  Following the example of China, it clearly indicates that instead of spending most of the resources on creating weapons and machinery, the resources have to be spent on IT in the security direction, and on the U.S. Cyber Command within the Department of Defense (DoD).  These cyber squad people should be provided with all the possible technical support with solid infrastructure at their disposal to defend the American companies and the government networks.  If there is a cyber attack, then the economic impact would be tremendous.  The privacy would no longer exist.  To exemplify this situation, in 2010, Google Inc. revealed that there was a Chinese origin attack.  With the help of spear-phishing techniques, Gmail accounts of the Chinese dissidents were accessed. The consequences of such situations led to the adoption of strict security measures towards the mission of keeping our infrastructure in place and maintain a tight and effective protection shield.   The problem is that the development of software and installation of infrastructure by employing fiber-optic cable, routers, and servers through Internet Service Providers (ISPs) is not enough.  The United States is facing such cyber attacks since 1982 (Lemieux, 2011).  As a consequence, American leaders are also facing critical decision making prospects with limited information in extremely truncated timeframes while under attack (Mason, 2011).

The major challenging economic consequences of cyber attacks are budget constraints, and resource limitations.  Lemieux (2011) asserts that most law enforcement agencies are presented with funding as a critical challenge.  Furthermore, the investigation resources like sufficient manpower to be employed in case of a cyber attack are always limited.  Characterizing the threats is important to know: (a) the method of setting investigation priorities, (b) the ways of how law enforcement and national security agencies achieve their organization objectives and goals, and (c) finding the definition of success as defined by the law enforcement and national security agencies.  In tough economic conditions like that of the United States, it is crucial for the federal agencies to conduct the most effective protection missions of cyber crimes.  Lemieux (2011)  concludes that the federal government has plans on investing vast amount of money for protection of public and private cyber infrastructures. 

Cashell et. al. (2004) provides the economic impact of cyber-attacks on businesses.  Identified target firms have to suffer 1% – 5% of losses in days after an attack which if translated to the magnitude of shareholders’ loss, it would account to about $50 million to $200 million.  In 2003 the losses ranged from $13 billion due to viruses and worms only, to $226 billion from rest of the attack forms.  These figures are compiled by the computer security consulting firms, and the numbers change due to change in the nature of attack and the firm on which the attack is focused.  By the end of 2003, for a company traded on Nasdaq, the average market capitalization was $870 million; for a company listed on New York Stock Exchange (NYSE), it was $4.4 billion.  A 2% drop in market capitalization could be an average dollar loss of $17 million for a Nasdaq company, and $88 million for an NYSE firm in and around the year 2003.

Figure 1 Cost of Computer Crime As Reported in the CSI/FBI Surveys, 1997-2003 (Cashell et. al., 2004)

Figure 1 shows that there is no definite consistent trend in the cost of computer crime’s total reported losses.  But what we do find here is that there is a difference of approximately $355 million in the costs of computer crime between 1997 and 2002.  This means that with high stakes involved, at present this particular figure should be surprisingly in its higher multiples keeping in mind the largest number of cyber crimes ever recorded.

 

Figure 2  The distribution of cyber-attacks across SPEC dimensions (Gandhi et. al., 2011).

            There are various social, political, economic, and cultural dimensions of cyber attacks.  Gandhi et. al. (2011) call the combination of these factors as SPEC.  They propose that the key components in preventing and tracing cyber-attacks are their backgrounds and behaviors, their motivation for the attacks, and their level of socio-technological complexity, and also propose how they can be reduced or prevented.  They describe how SPEC events are correlated to cyber-attacks and how in the past, these events led to cyber-attacks.  They also present their analysis along the lines of SPEC dimensions.  Figure 2 shows the distribution of cyber-attacks across SPEC dimensions.  Politically motivated attacks can lead to economic consequences of misuse of cyberspace to attack the enemy’s website, thereby wastage of national resources like time and money which can lead to protests and this fire might even result in physical violence (which could account for the social dimension).  These politically motivated attacks can affect society and cultures as well.  For example, in cases like (a) land-dispute (e.g. between India and Pakistan), (b) dissatisfaction with the launch of a public document, policy, or law (e.g. Estonia-Russia DoS attack), (c) protesting government/political actions (e.g. the United States, Netherlands, New Zealand, and England attacked India’s nuclear power plant’s (BARC) website), (d) specific anniversary or historic day events triggered attacks (e.g. (i) April Fool’s Day Conficker Worm, and (ii) CIH/Chernobyl virus), and so on.

Future

The future of cyber attacks is really difficult to describe.  The obvious thought would be that it could be far worse and beyond one’s imagination.  But as we pass through this critical phase of cyber attacks, we are learning the motivation behind these attacks, and so could be able predict with a number of different algorithmic software about the probability of the kind of attacks possible in the future.  Yet facing the truth that the level of intricacy and sophistication involved, we are still prone to something worse.  Moreover, with the upcoming cloud technology, business organizations should be very careful of the attacks possibly known as it involves huge cash flows which would eventually affect our economic conditions then.

Finding the motivation behind a cyber attack is probably the beginning point of understanding as to how and why do cyber attacks occur.  Proper study of the motivation of the attacks can help the cyber squad people analyze those attacks better and it would therefore relatively easy for foreseeing other attacks in the same lines in the same context.  Businesses should take risks and invest in prevention and protection software, thereby ensuring their critical information security and not letting the attacks occur at the first place.  The worst economic consequence of business coming to a standstill thereby heavily impacting the individual, organization, and society, can be prevented this way.  Moreover, organizations should hire highly skilled cyber security specialists.  The monetary infrastructure of organizations should divide their resources wisely, and invest in IT technology instead of compromising on it.

Summary

To sum up, there are severe economic consequences of cyber attacks such as stealing or misuse of critical organizational information, stagnant cash flow, unemployment, huge investment to recover from the attack without any success guarantees, tough political decisions for public, and so on.  We reviewed as to how do governments react in case of an attack, what political decisions were made and how people reacted to such actions, why issues like privacy would no longer hold any kind of importance, what strategies should be adopted in order to create a balance in infrastructure, how limited available resources can be utilized efficiently and effectively, how different researchers analyze attacks and deduct dimensional analysis out of the present available data, how do stock prices at Nasdaq and NYSE get affected, and so on.  So, preventive measures like heavy investment into information security should be taken before running into a cyber attack.

References

Cashell, B., Jackson, W. D., Jickling, M., & Webel, B. (2004). The Economic Impact of Cyber-Attacks. Congrssional Research Service. The Library of Congress.

Etsebeth, V. (2011). Defining the Current Corporate IT Risk Landscape. Journal of International Commercial Law and Technology .

Gandhi, R., Sharma, A., Mahoney, W., Sousan, W., Zhu, Q., & Laplante, P. (2011). Dimensions of Cyber-Attacks Social, Political, Economic, and Cultural. IEEE Technology and Society Magazine , 28-38.

Lemieux, F. (2011). Investigating Cyber Security Threats: Exploring National Security and Law Enforcement Perspectives. Cyber Security Policy and Research Institute, George Washington University.

Mason, G. P. (2011, June). Cyberwar: The United States and China Prepare for the Next Generation of Conflict. Comparative Strategy , pp. 121-133.

Vatis, M. (2002). Cyber Attacks: Protecting America’s Security Against Digital Threats. John F. Kennedy School of Government, Harvard University.