Why Has There Been So Much Hacking Lately? Or Is It Just Reported More? A Freakonomics Quorum

You don’t have to be all that sharp to see that there’s a lot of hacking going on lately. As I type, Rupert Murdoch and his allies are testifying before British Parliament over the mushrooming News of the World disaster (live video here). It seems like everyone on earth is getting hacked: consultants and cops, Sony and the Senate, the IMF and Citi, and firms ranging from Lockheed Martin (China suspected) to Google (ditto) to dowdy old PBS. But is there really more hacking than usual of late, or are we just more observant?

To answer this question, we put together a Freakonomics Quorum of cyber-security and I.T. experts (see past Quorums here) and asked them the following:

Why has there been such a spike in hacking recently? Or is it merely a function of us paying closer attention and of institutions being more open about reporting security breaches?

Thanks to everyone in the Quorum for their sharp and helpful replies. There is a lot of information below, some of it contradictory, much of it provocative. Interestingly, it appears very very hard to quantify the level of hacking in any real way, in part because much of the most “valuable” hacking goes either undetected or unreported.

Bruce Schneier (earlier Q&A here) is an internationally renowned security technologist and author. His first bestseller, Applied Cryptography, explained how the arcane science of secret codes actually works, and was described by Wired as “the book the National Security Agency wanted never to be published.” Schneier has testified on security issues before Congress and runs the popular blog Schneier on Security.

The apparent recent hacking epidemic is more a function of news reporting than an actual epidemic. Like shark attacks or school violence, natural fluctuations in data become press epidemics, as more reporters write about more events, and more people read about them. Just because the average person reads more articles about more events doesn’t mean that there are more events — just more articles. Hacking for fun — like LulzSec — has been around for decades. It’s where hacking started, before criminals discovered the Internet in the 1990s. Criminal hacking for profit — like the Citibank hack — has been around for over a decade. International espionage existed for millennia before the Internet, and has never taken a holiday. The past several months have brought us a string of newsworthy hacking incidents. First there was the hacking group Anonymous, and its hacktivism attacks as a response to the pressure to interdict contributions to Julian Assange‘s legal defense fund and the torture of Bradley Manning. Then there was the probably espionage-related attack against RSA, Inc. and its authentication token — made more newsworthy because of the bungling of the disclosure by the company — and the subsequent attack against Lockheed Martin. And finally, there were the very public attacks against Sony, which became the company to attack simply because everyone else was attacking it, and the public hacktivism by LulzSec. None of this is new. None of this is unprecedented. To a security professional, most of it isn’t even interesting. And while national intelligence organizations and some criminal groups are organized, hacker groups like Anonymous and LulzSec are much more informal. Despite the impression we get from movies, there is no organization. There’s no membership, there are no dues, there is no initiation. It’s just a bunch of guys. You too can join Anonymous — just hack something, and claim you’re a member. That’s probably what the members of Anonymous arrested in Turkey were: 32 people who just decided to use that name. It’s not that things are getting worse; it’s that things were always this bad. To a lot of security professionals, the value of some of these groups is to graphically illustrate what we’ve been saying for years: organizations need to beef up their security against a wide variety of threats. But the recent news epidemic also illustrates how safe the Internet is. Because news articles are the only contact most of us have had with any of these attacks.

Tal Be’ery is senior web security researcher at the cyber-security firm Imperva. He has spent years in cyber security as a researcher in the private sector and a practitioner in the military.

It’s both. There are more hacking incidents and there’s more visibility to it – so the combined effect gets squared. But there’s much more to it. The economic drivers behind hacking have evolved dramatically over the years. In the past, before we put data online, hacking was done for amusement. First, hackers would attack Microsoft because they were big and Bill Gates had lots of money. As websites came online, they mainly presented information and conducted a small level of transactions. Hackers focused on defacement, aka hacktivism, to embarrass these organizations. In the cases where websites focused on transactions (in the early days, it was online gambling), hackers would blackmail site operators with attacks that brought websites down (a “denial of service” attack in geek speak). But eventually, the network firewall was invented to stop this. Then a crucial development took place: companies began digitizing data (credit cards, intellectual property, etc…). This data had tons of value on the black market, governments included. Consequently, the hacker focus shifted from denying service to stealing data. They’ve built a whole industry around it. Here’s where we reach a critical problem: companies are poised for the old cyber security model which

was designed to keep the bad guys out. However, the same convenience that allowed individuals to access data from their living rooms meant hackers could too, say from a Starbucks, or a dorm room or Timbuktu. The old paradigm—keep them out—stopped working. Protecting the network, while still important, became secondary to protecting data. Few have recognized this evolution—except hackers. Today, of the $16 billion spent on security, less than 10% goes to data protection. Here’s what this looks like in real life. When the small town of Pittsford, N.Y., was hacked and lost $139,000, the town supervisor said, “We have good firewalls and anti-virus software, and we weren’t at all lax in our security systems. We thought we were pretty secure.” Did the same excuse get made at Sony, Epsilon…? Probably. We also see more hacking incidents which keeps it top of mind. Unlike in the past, hacking has grown and evolved as a discipline. There are three types of hacking that currently dominate headlines: Advanced Persistent Threat (APT): This refers to government-sponsored hacking. In this case, data theft can be either citizen data or intellectual property. Schematics for weapons are often targeted. APT is growing for several reasons. It evens the playing field. Suddenly, isolated North Korea can attack the U.S. government, as it did two years ago. APT can also successfully paralyze an opponent’s infrastructure. For example, Stuxnet highlighted how a government could hinder Iran’s nuclear development capabilities. Lastly, APT is not punished. When China attacked Google, what happened to China? Nothing. Industrialized hacking: These are commercial hackers who do it for money. It’s growing for a few reasons: good guys are putting more data/commerce online; and more legal business activity fuels more illegal activity. Also, industrialization makes hacking a more efficient business. Automatic tools help hackers attack thousands of victims in just hours. Just as armies became more effective when they evolved from single shot to automatic rifles, hackers are experiencing the same sort of technological progress. Education is also fueling growth. Hacker forums, for instance, exemplify the spirit of web-based collaboration and education, offering a rich menu of tutorials, advice and technology designed to steal data. Analysis of one forum, with 210,000 registered hackers, showed that approximately 25% of the discussions were focused on hacking tutorials and techniques—ensuring a consistent supply of expertise in the marketplace. “Hacktivism”: This relies on the same methods described above; the purpose however isn’t data theft but rather making a political statement. For example, you may take down a government website or deface it (as was done to Hugo Chavez when his picture was replaced with one of Austin Powers’s Mini Me). Hacktivism, however, only thrives with attention. Much like terror, it needs media coverage. No coverage, no terror. Hacktivism is the same.

Henry Harrison is the technical director for cyber security at BAE Systems Detica, an information-security firm. Harrison supports Detica’s work across government and commercial customers and helps steer investments toward new cyber-security capabilities.

Let me restate what I think is being asked here. Why is there so much hacking being reported in the media of late? And is there actually more of it going on than there used to be? Let’s work backwards. Over the longish term, there is definitely more of every sort of cyber-crime and cyber-espionage going on than there used to be. Twenty years ago, the world was only very loosely connected (in an electronic sense) and still at the very early stages of dependence on I.T. — so the returns to be had from hacking and other forms of nefarious electronic activity were relatively limited. Since then, the world’s interconnectedness has grown quite astonishingly, meaning there are much greater incentives for those who want to hack into both corporate and personal I.T. systems. What’s more, the online environment presents very little in the way of disincentive for this sort of activity. There are numerous ways to obscure the source of an attack, meaning that it’s very difficult to work out who’s doing these things, and even if they do, not much likelihood that they’re going to do anything really painful in return. Of course, it’s not a completely deterrence-free zone: people do go to prison, and diplomatic pressure does get applied. But it’s really nothing comparable to the real world. I doubt we need any scientific studies to assess the relative adrenalin levels of someone hacking into a network compared with someone walking into a bank with a stocking over their head and a shotgun in their hand (though it would be an interesting comparison). So: increased incentives and relatively few disincentives. Over the longer term then, there is (a lot) more hacking going on than there used to be. Now to the first question. Definitely one of the factors that’s leading to more hacking being reported is that more of it is going on. But of course there’s a media cycle element to it as well. Because more is going on, cyber security in general is getting to be a bigger story; this means that hacking incidents get to be front-page news more often than they used to. They feed a developing storyline rather than being reported only as individual incidents. And this in turn means that for those whose motivation is publicity, incentives are strengthened. It would be a mistake though to think that this sort of publicity-seeking behavior is sufficient on its own to sustain the media attention. I think the media is sticking with this story because of the much more significant trend underneath it, as demonstrated by rarer, but occasionally reported, incidents such as RSA, Google (“Aurora”) and the oil companies (“Night Dragon”) — and by significant new government spending around cyber security in the U.S., U.K., and many other countries. On that front, we might just be beginning to see corporations open up a bit about reporting incidents that happen to them. But that really is at a very early stage. Through our work with customers, we run up against a much larger proportion of potentially high-profile incidents which have never been reported and probably never will be. There’s an awfully long way to go in terms of better disclosure and consequently more awareness of what’s really going on out there. What’s perhaps more surprising to many people is that there are even more incidents that have never even been detected, let alone reported. When the motivation for an attacker is to gain publicity, obviously the incident ends up being “detected” — because the perpetrator reports it. But if the motivation is to steal confidential information — intellectual property, or sensitive commercial data — then the whole objective is not to be detected. Most companies simply aren’t looking for this sort of covert infiltration today, and in various cases when we have started to look for it inside a new customer’s network, we have fairly rapidly found evidence of intruders who have had access into the network for some time, completely undetected by the victim organization. Extrapolating from that to the majority of organizations who — today — are still not looking for these covert activities inside their networks, we can be fairly certain that there are a significant number of hacking incidents which are successful but completely undetected. < p>What will happen next? I suspect that the current media cycle has a while to run and that we will continue to see a large number of high-profile incidents where the motivation is to gain publicity. But I know more about security than I do about media, so I’d probably take that with a pinch of salt and pay more attention to my second prediction: that more and more organizations are going to start asking themselves whether they ought to be looking for evidence of the sort of covert data-stealing that’s currently going undetected. As more organizations find out that this sort of hacking is going on, they’ll start feeling the urgency to report the incidents because of the material impact they can have on the business.

Julie Conroy McNelley is a senior analyst within Aite Group’s Retail Banking practice, covering fraud, data security, anti-money laundering, and compliance issues. She has over a decade of product-management experience working with financial institutions, payments processors, and risk management companies.

Hacking and malware attacks are on the rise, and that trend will only continue to grow. Many of the headlines about data breaches over the last several months reflect the concerted effort of a highly organized underground economy whose business is financial gain through cyber crime. We can’t pin all the blame for these attacks on organized crime, however; nation-states have also been implicated in a number of the high-profile attempts, such as the NASDAQ, Google, and IMF attacks. The uptick in attacks is spurred by a number of things: Technological innovation: The sophistication of the malware and hacking attacks is on the rise, and the innovation among the criminal element is further enhanced by the fact that they actively collaborate. The inventor of ZeuS, one of the more pernicious Trojans, licenses his software via underground bulletin boards, reinforcing the notion that cyber crime is now run like a business. True to the open-source model, licensees are free to modify ZeuS to make their attacks more difficult to detect and prevent. The rapid pace of technological innovation by legitimate businesses also provides an opportunity: as new technologies are deployed, the law of unintended consequences often means that there’s a security gap somewhere that hasn’t been fully thought through (until it’s too late). The success of PCI: Introduced mid-way through the last decade, PCI is an information security standard governing organizations that handle bankcard data. While it’s not a silver bullet for data security issues, it has significantly contributed to a decrease in breach events. The law of supply and demand dictates that as the number of credit card records that are available to the criminal underground decrease, the value of this data on the open market increases. The price for stolen card data is therefore on the rise, which means that the criminals are redoubling their efforts. Card data isn’t the only thing they’re after, of course. Online banking credentials, particularly those associated with business accounts, are also a hot commodity. Bad guys don’t require business cases: Whereas most businesses require a business case to deploy new levels of protection, bad guys are generally free from these constraints. Moreover, a criminal that is successful only in 1 of 100 attempts is still having a great day: in that one successful attempt, he was likely able to make off with thousands, if not millions, of data elements that can be monetized. Conversely, institutions and businesses that are trying to protect their data have to consistently bat 1.000 in their security efforts. It’s tough to be perfect in the face of the barrage of attacks, which is why we will continue to see these headlines for some time. Nation-states employ similar tactics to the organized criminal element, but their efforts more often target strategic information that can be used for diplomatic or economic gain. Cyberspace is the new battleground, and the battle is here to stay.

David Jevans is chairman of internet security firm IronKey. He is also chairman and founder of the Anti-Phishing Working Group, a leading non-profit dedicated to eradicating identity theft and fraud on the Internet.