Cleantech Market Intelligence
Are Cyber Security Attacks Really Multiplying?
The New York Times recently reported that there had been “86 reported attacks on computer systems in the United States that control critical infrastructure, factories and databases,” compared to 11 attacks in the same period a year earlier. The data came from the U.S. Department of Homeland Security (DHS). I’ve spent a week trying to decide whether or not this matters. Even with such small numbers, a 781% year-on-year increase must indicate something, but what?
Are there really more attacks or have companies simply realized that there is no shame in being attacked? Like temptation, being attacked is not a sin. Does anyone believe that our critical national infrastructure (CNI) would not be attacked? From my research it seems likely that some critical cyber assets (CCAs) are attacked 86 times per hour. If this is a cultural shift by CNI asset owners, that’s promising. It’s incredibly tough for the DHS to do anything about attacks that no one has told them about.
Alternatively, do companies now have better mechanisms to detect attacks? Perhaps. No new capabilities have been released in the past year that would obviously have increased detection eight-fold. Then again, deploying a detection tool where there had formerly been none can make a huge impact. This matters: undetected attacks are more likely to succeed than detected ones. Increased detection should portend decreased success.
Or perhaps there are simply more people attacking? That is possible too: the DHS has warned that hacktivist groups are now more likely to attack the CNI. That would spike the number of attacks in a hurry. On the plus side, hacktivists tend to use mass-distributed tools that are more easily defended against than a hostile nation-state attack. Cyber security recently enjoyed a Schadenfreude moment when it was discovered that an unknown hacker had tricked many hacktivists into downloading a compromised version of their attack tool. The compromised version also contained the ZeuS Trojan Horse, designed to steal the hacktivists’ banking credentials.
There may also be other causes, but the question remains: “How big is an attack, anyway?” What am I measuring when I count the number of reported attacks? The answer – an attack is about the same size as a piece of string; it can be any size at all. This blog has previously discussed the dangers of metrics without thinking deeply about what is being measured. If the number of attacks had only increased from 11 to 12, we could truthfully say that there had only been a 9% increase in attacks and feel really good about things. And yet – that one additional attack might have been Stuxnet, discovered a year after it had completed its mission.
So what does this all mean? Does it matter that reported attacks are up eight-fold? Absolutely. Even if we can’t be totally sure of the cause, it’s a reminder that we need action now. Regarding the Cybersecurity Act of 2012, currently in the U.S. Senate, Representative Jim Langevin (D-RI) recently wrote, “we must not allow the perfect to be the enemy of the necessary.”
When politicians feel more urgency than industry appears to feel… what does that mean?