Hans Brechbühl is executive director of the Glassmeyer/McNamee Center for Digital Strategies and an adjunct associate professor at the Tuck School of Business. M. Eric Johnson is faculty director of the Center and associate dean of the MBA program at Tuck.
ATMs stopped dispensing cash. Computer screens at major broadcasters went blank. Online banking services ground to a halt. Last week, South Korea experienced a cyber-nightmare that may not be unusual in the coming years. An attack on the scale of "DarkSeoul," whose origins are as yet unknown, is almost certain to be replicated in the U.S. and Europe in the next decade.
Threats from cyberattacks have increased dramatically over the past ten years. In response, spending on information security has exploded, and was estimated to reach $60 billion globally last year, according to Gartner. A decade ago, many security staff were technicians in closet-sized offices responsible for maintaining a company's firewall and giving the occasional lecture to employees on avoiding dubious websites or putting suspect thumb-drives in their laptops. Today chief information security officers have staffs and are briefing the board of directors—and they're playing a lead role in managing risk across the world's biggest companies.
There are three major forces thrusting information security departments to the fore: the spread of connectivity to industrial machinery of all types; the rapidly increasing sophistication of cyber-criminals; and the integration of workers' personal and professional lives on a single device—a phenomenon epitomized by Bring Your Own Device/Application (BYOD/BYOA) mobile work environments.
Examples of the new ways our economy is vulnerable abound. Months before the famed U.S. and Israeli Stuxnet cyberattack that disabled centrifuges at an Iranian nuclear facility came to light in 2010, the Texas Auto Center in Austin experienced its own version of cyberwarfare. Until then, cyberattacks that crippled machinery and industrial controls were virtually unknown. But as local television station KXAN reported, in late February 2010 customers of the used car dealership began calling to complain that their car horns wouldn't stop honking and that the cars wouldn't start.
This sort of hack didn't require huge teams of Defense Department programmers. Police later arrested a 20-year-old disgruntled former employee and accused him of disabling more than 100 cars through the dealership's web-based vehicle immobilization system—a system normally used to punish those behind on their monthly payments.
Increased connectivity has brought huge advances in productivity. At the click of a mouse, an engineer can precisely change the rate of water release on a dam and a chemist can make minute changes to compounds in a petrochemical plant—advances that were unimaginable a few decades ago. These gains are likely to continue: a recent study by GE forecast that the creation of an industrial internet—a huge network of sensors and machines that could do everything from warning airlines when parts on jet engines are wearing out to allowing repairmen to diagnose a broken garbage disposal remotely—could add as much as $15 trillion to global GDP by 2030.
Yet as the Texas Auto Center case demonstrates, the more machines linked to a network, the greater the risk that someone can cause havoc from miles away and bring business to a grinding—or honking—halt. This so-called "dark side of connectivity" means that the productivity gains are only as durable as the security that protects those systems.
This threat becomes more difficult to manage given the growing resources of the commercial, governmental and criminal operations trying to break in. Economic cyber-espionage is big business: a 2011 report from the National Counterintelligence Executive, based on work from 14 U.S. intelligence agencies, estimated that tens of billions of dollars in trade secrets and intellectual property are stolen from U.S. computer systems annually.
Perhaps the foremost group is the Shanghai-based Chinese People's Liberation Army's Unit 61398. Its resources include an estimated 1,000 servers and possibly hundreds of people, and it has successfully compromised 141 companies spanning 20 major industries, according to a report earlier this year from Mandiant.
The groups behind such attacks are also investing in more sophisticated approaches. An executive for General Dynamics Corp. recently received an e-mail that appeared to come from his spouse, who has a different last name than he does, and that was copied to several other executives at the firm. The well-planned ruse worked: he opened it before realizing it wasn't what it seemed and reported it to the security department. "We were able to stop it," Ray Musser, vice president of security at the firm, told a recent Tuck School of Business workshop of security executives. But "seven days later they hit the executive again. Same type of tactic—a different email, but scripted all the same. They're persistent."
The greater threat comes as mounting a stiff defense has become more complicated for corporations. A decade ago, many large companies were able to keep much of their employees' computing behind a firewall. Work was done on company desktops and laptops or corporate-issued BlackBerry smartphones, which were renowned for their security.
Such moats have been steadily eroded since the introduction of the first iPhone in 2007 spurred a flight away from company-issued devices—a retreat that was accelerated by the rapid adoption of tablet computers. Now many, if not most, workers at large companies expect to access their work files from any of their devices. That means information security departments have to protect data across a dizzying array of consumer platforms, and on devices where a file containing details about the company's new product shares space with Flixster, Angry Birds and other apps downloaded from sites beyond IT's control.
"There's a real blurring between what's being done in the office and what's being done outside of the office, and it's all always accessible," says Twila Day, chief information officer at restaurant distributor Sysco, told the Roundtable on Digital Strategies, a group of Global 1000 CIOs and other senior executives who meet regularly for discussions led by the Tuck School's Center for Digital Strategies. "Before if someone tried to print out your whole item file with all the pricing, it was going to be kind of bulky, right? Now they don't have to. They've got it all right on their device."
The shift makes it hard for companies to keep their data behind a firewall—and makes training employees all the more important. "Consumerization magnifies the reality that 80 percent of your information security risk is about people, not things," added Eric Cowperthwaite, chief information security officer at Providence Health & Services.
Companies like Bechtel try to mitigate the risk of having data on employees' devices through contracts and user agreements that allow the company to confiscate the worker's smartphone or iPad in the event of a legal matter. Mitre Corp. has begun inviting spouses and children to security training, figuring that they'll be surfing on the same devices used for work. Nike has hired an outside advertising firm to produce ads for employees reminding them about how to keep data safe on their personal devices. The campaign includes sports-themed messages such as "Would the coach leave the playbook on the subway? No. Why would you?"
These trends have shaped how information security has evolved until today. But looking ahead, some businesses are wondering if the best defense is a good offense. Companies such as Cisco Systems Inc. have already formed elite cyber incident teams. These commandos of cyber-security are trained to deal with the most sophisticated and poorly understood attacks—but the same skills can easily be converted to launching counterattacks at intruders.
"It's often the same people attacking everybody's company but we all basically stop at our firewall," Scott Bancroft, chief information security officer for Novartis AG, told us. "It's left to law enforcement, which is hopelessly overworked, under-resourced and under-funded and can't reach across international borders."
Such counterattacks would bring companies into a legal gray area—but in the absence of an effective law enforcement or policy response, they may be the next big trend in information security.