It seems that everyone and their brother are now saying that the U.S. is in the midst of a recession. The market analysts are predicting that the U.S. GDP will actually go negative this year. It must be official now that even the White House has acknowledged it. This got me thinking about the effect a recession might have on my industry (IT security).

My first thought was that if the profits of companies start dwindling, then their IT budgets will predictably follow suit. If IT budgets dwindle, then my experience tells me that security budgets will take an even larger percentage hit than IT overall. When fighting for IT dollars, in many cases security gets lost, put on hold, and brushed under the carpet. Thankfully, we now have a proliferation of compliance regulations (PCI, HIPAA, SOX, etc.) that can compel organizations to focus some budget on security projects.

So, if a recession will force security budgets to shrink at a greater percentage rate than the IT budget as a whole, what does that mean for an organization's ability to defend itself? Well, let's see how a future scenario might play out. Company XYZ will be consolidating its operations into a new location. It must purchase new IT gear for the new location. During the design phase it is highly likely that security controls (FW, IPS, host, etc.) will be reduced or eliminated altogether because of budget constraints. The end result is that Company XYZ has just reduced its security posture and ability to defend itself.

As if the hypothesis that a recession will decrease the security effectiveness of organizations isn't bad enough, there is precedent that low GDP growth tends to increase the proliferation of new, highly effective cyber attacks. Why is that? Well, I have a theory on it. Negative GDP growth and a recession bring with them job layoffs and losses. This produces a large pool of skilled IT labor that is out of work and has time on its hands.
So this brings up a question: Is there a correlation between the number of out-of-work IT professionals and the number of cyber attacks? I did some research to find out. The bursting of the dot-com bubble in late 2000 and 2001 was a horrible time to be in IT. During that time we saw massive IT job loss that resulted in the creation of a large pool of unemployed, skilled IT workers. So I used this timeframe for my research. During this time the U.S. economy saw a large weakening in the GDP growth of the country (as shown in the diagram below).

[img=450x350]http://www.jheary.com/gdp.jpg[/img]

Image Source: Lombard Street Research

Note that the red circles above indicate economic recessions. What I found out in my research was that during this 2000-2001 timeframe we saw the proliferation of some of the most notorious cyber attacks ever seen. Here are some examples:

2000 – ILOVEYOU virus launched – Infected 10% of all computers connected to the Internet in one day.

2001 – Anna Kournikova worm – Infected over 1 million computers in one day.

2001 – Code Red and Code Red II worms – In its day it was called the biggest worm incident in the history of the Internet.

2001 – Nimda – Damage estimated at over 2 billion dollars.

Based on this, my research suggests that there is indeed a relationship between slower GDP growth/recessions and an increase in cyber attacks. It might be a result of the mass IT unemployment that recessions trigger. Skilled IT folks who have just been fired, can't find a job, and have extra time on their hands seem like the perfect ingredients for whipping up a batch of cyber anarchy to me. Do you believe there is a strong correlation between recession and cyber threats? So, will our current economic recession trigger the same cyber assault cycle that previous recessions have? Will we see new, more powerful worms propagating around the world in the coming months? Let's hope not!

The opinions and information presented here are my personal views and not those of my employer.