Steven J. Ross, CISA, CISSP, MBCP, is executive principal of Risk Masters Inc. Ross has been writing one of the Journal’s most popular columns since 1998. He can be reached at stross@riskmastersinc.com.
The Cost of Cyberattacks
At the end of a previous article, I passed along a question asked by a correspondent with regard to the inhibitors to effective security: “Are there other explanations (to poor security) that we are not exploring?”¹ In response, I received a message from Daniel Tan in Kuala Lumpur, Malaysia. Tan made the point that “the key issue lies in the difficult task of quantifying the true cost of an information breach.” As difficult as it may be, there have to be sources of information. The most widely quoted figures come from the Ponemon Institute. Its most recent survey on the cost of data breaches that I am aware of was released in 2011, with data gathered in 2010. The report states that:
    Actual costs varied widely by country, but last year’s relative rankings remained unchanged. The US had the most expensive average cost of US $7.2 million. Germany came in second with US $4.7 million. The United Kingdom and France had nearly identical average costs at US $3.1 million apiece. Australia had the cheapest average cost of US $2 million.²
Now, US $7.2 million is a lot of money, and US $2 million is still a lot. But in the great scheme of things, any organization that had enough capital tied up in data to lose that much money could probably withstand the financial impact of a loss of that magnitude. However, I submit that considering the cost of an information breach on individual organizations misses the most frightening point: What would be the cost of an attack that targeted an entire economy?
Let me say right here that I have no specific answer. But I do not think that the issue is an idle or hypothetical one. Without delving into the question of who wrote and released the Stuxnet worm, it is clear that it was intended to cause damage to Iran’s nuclear capabilities and that it was effective in doing so.³ Worse yet, an element of Stuxnet accidentally became public in the summer of 2010 because of a programming error that allowed it to escape Iran’s Natanz plant and sent it around the world on the Internet.⁴
WHAT WOULD A CYBERATTACK LOOK LIKE?

So, from a purely financial standpoint, what would a widespread cyberattack look like should it be broadly targeted on the economy of an entire nation?
In trying to anticipate the moves of economic cyberwarriors, I would expect them to start by cutting the sinews that hold together commerce. In a digital sense, that would mean taking down the Internet. The decentralized nature of the Internet makes this particularly difficult to achieve on a wide scale, although local outages could be quite devastating. However, the features of the Internet that make it useful are more vulnerable. I am referring specifically to a so-called Domain Name System (DNS)⁵ bomb, which evidently is not just a theoretical threat. The US Federal Bureau of Investigation (FBI) recently announced action against a class of malicious software (malware) called DNSChanger, which changes a computer’s DNS server settings to direct World Wide Web searches to rogue servers operated by an attacker. The FBI stated that it had, in fact, uncovered a network of rogue DNS servers and has taken steps to disable it.⁶
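On the defensive side of the DNSChanger behaviour just described, the check a practitioner would want is whether each host’s configured resolvers still match the ones the organization actually runs. The following is an added example written for this edit, not code from the article or from any FBI or ISACA material; the approved resolver list, the internal address range and the per-host resolv.conf snapshots are constructed assumptions.

```python
from ipaddress import ip_address, ip_network

# Approved resolvers and internal ranges: assumptions for this example, not
# values from the article.
APPROVED_RESOLVERS = {"10.0.0.53", "10.0.1.53"}
INTERNAL_NETS = [ip_network("10.0.0.0/8")]

# Constructed resolv.conf snapshots per host. ws-002/ws-003 show the
# DNSChanger-style swap to outside resolvers; ws-004 is internal but unapproved.
SAMPLE_HOSTS = {
    "ws-001": "search corp.example\nnameserver 10.0.0.53\nnameserver 10.0.1.53\n",
    "ws-002": "nameserver 10.0.0.53\nnameserver 203.0.113.7  # added by malware\n",
    "ws-003": "nameserver 198.51.100.9\nnameserver 198.51.100.10\noptions timeout:1\n",
    "ws-004": "nameserver 10.0.9.53\n",
}

def parse_resolv_conf(text):
    """Nameserver addresses from resolv.conf text (comments/other lines skipped)."""
    servers = []
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            try:
                servers.append(str(ip_address(parts[1])))
            except ValueError:
                continue  # malformed address: ignore rather than crash
    return servers

def classify_resolver(addr):
    """'approved', 'internal-unapproved' or 'external' for one resolver."""
    if addr in APPROVED_RESOLVERS:
        return "approved"
    if any(ip_address(addr) in net for net in INTERNAL_NETS):
        return "internal-unapproved"
    return "external"

def audit_resolvers(hosts):
    """Hosts with any non-approved resolver -> [(resolver, class), ...];
    fully approved hosts are omitted. 'external' is the redirection case."""
    findings = {}
    for host, text in hosts.items():
        bad = [(r, classify_resolver(r)) for r in parse_resolv_conf(text)
               if classify_resolver(r) != "approved"]
        if bad:
            findings[host] = bad
    return findings

if __name__ == "__main__":
    for host, entries in audit_resolvers(SAMPLE_HOSTS).items():
        print(host, entries)
```

On a real fleet the snapshots would come from an inventory or endpoint agent, and the same comparison applies to resolvers pushed by DHCP or set in the Windows registry.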
Were such a DNS bomb or other malware to become widespread, e-commerce would come to a halt. Even assuming that it could be cleared away in a day, it is quite likely that many more organizations would lose much more than the US $7.2 million reported by the Ponemon Institute. Just to give a hint of the potential economic impact, if only 1,000 organizations lost only(!) the Ponemon figure, the losses could be more than US $7 billion in just one day.
It is even more likely, to my mind, that cyberwarriors would attack the central nervous system of an economy, those institutions that enable the flow of money and goods that keep society running. These would include central banks, clearinghouses, centralized freight tracking systems and air traffic control systems. If banks could not transfer funds and transportation systems could not move merchandise, the cost would be incalculable.
To give some idea of the scale of the potential cost, just one institution, the New York Federal