In this week's Monday Opener, our UK editor-in-chief, Steve Ranger, asked a number of compelling questions about the Internet as battlespace. He pointed out that NATO heads of state have officially designated cyberspace as a domain for military operations with the same level of importance as air, sea, and land. This is big.
From the point of view of government investment and military strategy, this determination goes way beyond our early quest to get leaders to understand there was risk, and moves the bar all the way to the point where defense forces in cyberspace stand on equal footing with those in the other battlespaces.
Steve asked four questions, each reflecting what might be a national perspective on cyberwarfare:
- Will NATO members really spend more on cyber defense as a result?
- What about cyber offense?
- How will the rest of the world react?
- Does cyberwarfare even exist anymore?
These are all important questions, but I'm going to move the discussion from national investment to IT investment. And I'm going to move the discussion from national defense forces to you and your buddies in your IT organization. That's because you and your company are going to be collateral damage.
Actually, that's not strictly true. Collateral damage is something damaged accidentally as a side-effect of an attack. If you haven't already been attacked, you will be. You will be a purposely-selected target of enemy attackers. Welcome to the 21st century. You are the battlespace.
Back in World War II, Allied bombers flew mission after mission to destroy the Nazi ability to make war.
The bombers attacked munitions factories, aircraft factories, communications junctions, fuel supplies -- just about anything that could provide infrastructure and war materiel. The Allies also bombed bridges, including civilian ones, in order to hobble the enemy's ability to move resources and weaponry.
In other words, enterprises in Nazi Germany were just as much fair game as military bases.
In cyberwar, everyone is fair game. Let's take a quick moment to answer Steve's question about whether cyberwar is too narrow a topic when the sphere of battle now encompasses multiple battlegrounds.
Cyberwar exists. It's like the idea of an air war or a ground war. Each of these are components of an integrated attack and defense strategy, but each has its own very special weapons, defenses, strategies, tactics, and rules of engagement.
Remember that a cyberattack can do far more to benefit the attacker than the old bombings could do for the Allies. Every time a bomber flew, it cost the Allies real money and real resources. While a blown-up factory might keep enemy planes off the ground, it never increased the war chest of its attacker.
By contrast, cyberwar can not only damage the target, it can enrich the attacker. Cyberwar doesn't necessarily need to be an expense line in a national budget. Especially for rogue nation states, cyberwar is a profit center.
I talk a lot about nation state cyberwar, and while many top-level executives share my concern, others are skeptical. For the skeptics, the prevailing belief is that national security concerns belong to the nation and don't devolve into the enterprise. Sadly (and I'll prove this in a few minutes), the attackers out there don't share this belief.
If you think it through, it's hard to imagine how Verizon's number (the one that cites half a buck per record) is realistic when you look at insurance costs, recovery costs, liability costs, and regulatory penalty costs, and that's on top of just the overall IT cost.
Oddly enough, given the scale of breaches, it doesn't even matter. That's because, as the next figure shows, whether your breach costs you pennies on the dollar or hundreds of dollars per record, each individual breach can take a whopping chunk of change out of your bottom line.
International professional services firm PwC conducted their 2016 Global State of Information Survey with some disturbing results. I went through their numbers and built up some aggregated information to give you a cross-industry perspective on the cost of attacks, the number of incidents, and the budget of companies in those industries.
First, let's take a look at the number of attacks by industry:
This number reflects the growth, year-over-year in the actual number of attacks. As you can see, a few sectors (finance, energy, industrial products) actually show a reduction in growth rate. That doesn't mean they had fewer incidents. That means the rate of the growth in the number of incidents went down. On the other hand, healthcare's incident rate grew by a whopping 241 percent, year-over-year. Keep that in mind. It will become relevant in a few minutes.
Next, let's look at growth in damage. PwC considers damage to include intellectual property theft, brand damage, identity theft, regulatory issues, and so on. For our purposes, consider it simply as how much more a world of hurt each industry experienced year-over-year.
The takeaway from the above chart has to be how even the least amount of growth in damage is in the double digits. Then notice that half of the sectors cited had damage levels that more than doubled in a single year.
That, boys and girls, is why cyberwar isn't just a problem we can ignore and leave to the government. Because while governments have finally formally recognized cyberspace as a battlespace, it's your bottom line that's going to take the hit.
In that context, let's look at what may be the most disturbing set of statistics yet: how much IT organizations are spending to keep their companies safe:
There is some limited good news. In most industries, the amount of money companies are allocating to defend against cyberattacks is increasing. The gotcha: those budgets aren't even close to keeping pace with the pace of the attacks. Let's look at three industries and think about whether or not they've got their priorities in order:
Out of the dozen industries I aggregated from PwC data, I've pulled out three to waggle my finger at: industrial products, power, and healthcare. The problem exists in other sectors as well, but limiting this cart to three makes the priority gap as clear as possible.
The numbers for industrial products are interesting. The growth in number of incidents they had year-over-year declined by 25 percent, so it makes some sense that their investment in IT security also went down. But when you realize that the damage doubled year-over-year, it becomes obvious that this is an industry setting itself up for a world of hurt.
Likewise, power and energy had fewer incidents, but oh-my-gosh, how the damage has gone up! Here's an industry with a 234 percent growth in damage -- in the space of one year -- and they're only increasing their defense budget by less than 10 percent.
Finally, that brings us to healthcare, the gold standard in what not to do. Take, for example, the Anthem breach in 2015. This insurance company lost more than 80 million records, a breach that impacted just about a third of all insured Americans.
The healthcare sector had a 56 percent year-over-year growth in damages (which means you should expect at least one and a half more Anthems this year), a whopping 241 percent increase in incidents and how much do they allocate to their IT defense budget? That's a mere eight percent jump over the previous year. Face it, folks. Your health records will be p0wn3d.
So there you go. Is it the responsibility of private industry to defend in an active battlespace also occupied by national forces? It is now.
By the way, I discussed this information in a recent TechRepublic webcast. Feel free to tune into the on-demand recording and you can learn a bit more about how breaches impact the bottom line, and the fundamental trust equation that drives business.
You can follow my day-to-day project updates on social media. Be sure to follow me on Twitter at @DavidGewirtz, on Facebook at Facebook.com/DavidGewirtz, on Instagram at Instagram.com/DavidGewirtz, and on YouTube at YouTube.com/DavidGewirtzTV.