Cybercrime is a growing issue for individuals, businesses and governments. In an ongoing Wharton study about how S&P 500 firms think about catastrophic risk, conducted by Wharton faculty Michael Useem, the William and Jacalyn Egan Professor of Management; Howard Kunreuther, the James G. Dinan Professor; and Erwann Michel-Kerjan, the majority of interviewed firms list cybercrime as a top-three risk. The dangers to businesses cover a range of issues from data breaches to financial losses to legal liability to intellectual property theft. The Privacy Rights Clearinghouse conservatively estimates that 535 data breaches involving 30.4 million sensitive records happened in 2011. Cybercrime can cost millions of dollars both in prevention efforts and crisis management, but there is no way to safeguard a firm from it. For governments, it can be a matter of national security. But it’s not completely ominous. The good news is that new security technologies are being developed and that Wharton alumni are at the forefront of these new solutions.
First, Doom and Gloom
Although the businesses interviewed by Useem, Kunreuther and Michel-Kerjan and his colleagues recognize the priority of cyberrisk, many organizations do not.
An overall “knowledge deficit” exists among businesses and the government, says Andrea Matwyshyn, an assistant professor of legal studies and business ethics.
“Organizations are on the upswing of the learning curve for these issues, especially in the government spaces, where deep regulatory expertise doesn’t yet exist, with a few individual exceptions,” she explains.
This is a problem, she notes, as the aggressiveness of malicious actors is growing. Matwyshyn points to targeted strikes by agents believed to be sponsored by foreign government, as well as hacks that have temporarily disrupted multiple securities exchanges, such as the Tel Aviv Stock Exchange and the Abu Dhabi Securities Exchange. Last summer, the U.S. Department of Defense made headlines as the target of a “foreign intelligence service” of an “unnamed nation state,” and more recently in September, Iranian hackers allegedly targeted U.S. banks.
But it’s not just foreign hackers that are a problem. Matwyshyn says it’s an internal issue for organizations as well, noting the New York Stock Exchange’s recent fine by the SEC for failing to correct known problems in its software. The regulatory aspect of cybersecurity is an area of deep interest for Matwyshyn, who has worked in the space for over a decade, including as an attorney advising corporate clients about such issues in the days before data breach notification laws.
Even if companies are aware of the dangers, current protections might not be adequate.
“It’s not like hurricanes or tornadoes where weather forecasters can predict storms and businesses can avoid building factories in known flood and wind zones,” says Michel-Kerjan, managing director of Wharton’s Risk Management and Decision Processes Center. “Even if you do find a way to bulletproof the door, a cyberadversary can come in through a window. There is just no way to predict when and where it will happen.” Yet Michel-Kerjan is optimistic that defenses are being developed. “We’ve been hearing for years that cybercrime will destroy us, but it’s not the case that nothing can be done. New approaches are evolving very fast,” he says.
Ultimate Verification for All
Zafar Khan, WG’98, is one of those people working on new technologies to address cybercrime. The co-founder and CEO of RPost in Los Angeles explains how his company was launched in 2000 as a Registered Email® service, managing outbound messages for three elements: proof, privacy and electronic signatures. Today, with 46 patents, it serves customers around the world in a wide range of businesses and functional areas. RPost provides data-protecting encryption, as well as a record of how customers have complied with regulatory requirements.
“If someone questions whether they were responsible for a data breach, they have proof that the data remained private on their watch,” Khan says of his customers. Khan works mostly with businesses dealing with private information, but he says email is a security risk for individuals as well. While individuals may have “some level of security by obscurity,” when they send a message with sensitive information by email, hackers can easily cull information. Anything sensitive should be encrypted, Khan warns. Businesses also have to contend with data breach laws in 46 states, the District of Columbia and Puerto Rico, which require them to notify people when their personal information is breached. Consumers are more aware of the issue. However, Matwyshyn says, consumers don’t necessarily foresee the risks from that leaked information at the time they sign up for a website, such as pilfered passwords or credit card numbers.
Even when leaks aren’t the issue, Matwyshyn says, consumers don’t often anticipate the potential secondary uses of such information. An example is social media. Users likely aren’t thinking that their postings could be archived forever by a website and at least for seven years by third-party aggregators, but the Federal Trade Commission recently stated that it’s permissible— as well as to be resold by aggregation companies, to prospective employers, for instance.
“This is an implicit sanctioning of relatively aggressive data archiving by data aggregators, and skilled attackers can hack into those companies’ databases that will hold our information for the next seven years,” Matwyshyn admonishes. “You have to look at information integrity as an end-to-end process and assess the vulnerability of each holder who possesses the information in question. Information is only as secure as the weakest point in the chain.
“It starts the minute you answer a security question like, ‘What is your favorite flavor of ice cream?’ Although the information may seem innocuous on its face, because you may be using it to safeguard your bank account, your favorite flavor of ice cream suddenly becomes high-value information.”
Swordfish123 or Swordfish1234?
That question leads to a huge security headache—and point of vulnerability for individual Internet users: logins and passwords.
“We’ve all had breaches in this area, whether we know it or not. Just this year alone, LinkedIn [and] eHarmony … have been victims of cyberattacks,” says Alex Doll, W’92, ENG’92, CEO of Redwood City, CA-based OneID, whose technology focuses on this exposure.
“A lot of people think, ‘Who cares if they get my user name and password?’ But it is a problem if you’re like most people and have hit a cognitive limit in how many passwords you can remember and use the same one on multiple sites,” Doll says.
If a hacker gets information for one site, there is a good chance they can use that information to get access to sites with more sensitive information, like bank accounts, explains the graduate of Penn’s dual-degree Jerome Fisher Program in Management & Technology. Hackers stole in the aggregate more than 250 million user names and passwords during the past few years. These are known good combinations for hackers to use to sharpen their approaches.
“They can now test how good their algorithms are at finding this information and use it in future hacks,” Doll says. “This unfortunately is very good ‘quality assurance’ testing for hackers, making the next attacks that we have yet to see all quicker and more likely to inflict damage via data breaches, account takeovers, digital fraud and other types of cybercrime.”
OneID, which was founded last year, intends to replace the username and password model with a new way to login: a OneID button on sites that automatically authenticates a device.
“You’ll never have to strengthen your password from swordfish 123 to swordfish1234 or keep a notebook of all the sites you have accounts on,” he says, adding that users can still use pin numbers as needed for higher security transactions and disable the service for lost devices.
Not only will websites no longer need to store user names and passwords, but OneID would not store them either. Instead, users would sign in with a sequence of private keys; the site would verify a sequence of public keys. The solution is built on a security principle called public key cryptography, says Doll, who states that hundreds of millions of users will soon transact business on OneID-enabled sites.
Timothy Chiu, W’89, EE’89, who has worked in the cybersecurity industry since graduation and is now director of product marketing for security at Blue Coat in Sunnyvale, CA, says that his niche involves Web security. In part, that comprises what employers do to mitigate the risks that their individual workers expose them to through their Internet usage.
Malware, which today broadly refers to things like viruses, worms and spyware, has emerged as a significant cyberthreat for anyone using the Internet. Malware networks now gather users usually when they are visiting trusted sites and route them to malware, the M&T graduate says, noting that the average business faces 5,000 malware-network threats every month, reflecting a 240 percent increase in malicious sites over 2010.
Companies used to try to limit employee Internet usage on work desktops to minimize the risk of malware infections. As companies have moved toward allowing employees to access more sites at work, the use of a proxy is more important than ever. Chiu points to search engines and social media sites as common malware entry points. No matter their Internet usage policies, employers still face the evolving issue of employees accessing the Internet while away from the office.
“Malware threats are scarier than you think because we have multiple devices with tablets and smart phones that access the web in different ways. Now there are three sets of web pages for companies to maintain, so it gets really complicated fast,” Chiu says.
Blue Coat offers both a cloud-based security-as-a-service (SaaS) and an “appliance” installed on a company’s network, which work together to provide secure online access for any device (laptops, tablets or smartphones) whether in the office, at home or on the road. When users access the Internet, Chiu explains, they have to stop at this gateway, which then terminates the connection and acts as a proxy by opening a new connection and sending back the requested information. To users, it appears as if they are using the Internet as usual.
By actively tracking the malware network, the proxy blocks clients from those networks.
An Understanding Deficit
Malware, data theft and regulatory compliance are all problems that companies are increasingly aware of, but the risk is far deeper than many appreciate. In 2004, Matwyshyn wrote a paper advocating that the Securities and Exchange Commission pass a disclosure requirement specifically around information security problems. In 2011, a portion of her recommendation was adopted by the SEC in guidance, and the SEC has since gone on record to state that it is not seeing adequate compliance.
“That is a signal that the market doesn’t yet understand the importance to investors of these issues, and I expect to see more activity in this space by the SEC,” she says. “This is an issue public companies need to address head on by getting the right decisionmakers in the room, including general counsel. Information security and integrity are officer- and director-level concerns.” Any company certifying financial statements without a strong set of audit protocols is opening itself up to risk, according to Matwyshyn.
“You can’t know that your financials possess integrity if you don’t know how many times hackers have rooted around in your database in the last year,” she says.
Still, Matwyshyn is encouraged to see more attention on cybersecurity risks.
“The longer we wait to address the wide-scale vulnerability of our information, the more severe the problems will become. Time is of the essence,” she says.