It would be naïve for anyone to believe that this is a war that can be won. It is likely that a whole series of battles will continue to be engaged, as technology becomes even more sophisticated.
A study conducted by the American Society for Industrial Security (ASIS) and PricewaterhouseCoopers reported that Fortune 1000 companies suffered losses of more than $45 billion in 1999 from the theft of proprietary information. This had increased dramatically from the estimates issued by the Federal Bureau of Investigation (FBI) in the mid-1990s of $24 billion per annum. The average Fortune 1000 company reported 2.45 incidents in the year with each incident costing $500,000.
A report released in mid-2001 by Computer Economics estimated that up to that time in the year, computer viruses had cost $10.7 billion in clean-up costs and lost productivity. This compared with costs of $17.1 billion in 2000, and $12.1 billion in 1999. According to Computer Economics, the Code Red virus affected one million servers and there were 2.3 million Sircam infections worldwide.
The Tip of the Iceberg
However, the hacking activities and denial-of-service attacks that become public knowledge are believed to be merely the tip of the iceberg. Enterprises, particularly banks and financial institutions, are very protective of their reputations, so the bad publicity that appears in the media is kept to a minimum. As a result, statistical data on security incidents is always hard to come by. However, anecdotal evidence indicates a growth in targeted attacks, and analysis shows that attacks aimed at acquiring or destroying specific data are growing rapidly. This means businesses need to continually evaluate and update their security measures.
In 1998, President Clinton asked U.S. industries such as financial services, IT and telecommunications to form industry groups to share their information about security attacks and vulnerabilities. The benefit to be gained from the industry groups proposed by the Clinton administration depended very much on the member companies' trust that they could comfortably share information with each other. If there was any danger that information would be leaked, the companies would not share details of their problems. The proposal was that information about security holes or vulnerabilities would be distributed anonymously to members, both to inform them of the problems and to ask for assistance in resolving them.
However, President George W. Bush's administration is rewriting the U.S. government's plans for the protection of the U.S.'s critical technology infrastructures. It said that the existing plans were flawed and offered minimal help to companies looking to strengthen their IT security defenses. The thrust of the argument is that only when the threats to the infrastructure are translated into business concerns will companies respond effectively to them.
The plans of the previous administration were alleged to be short of the input of knowledge from the private sector. U.S. government officials began consultations with companies in various business sectors such as financial services, oil and gas, electricity, transport and technology. Following this period of consultation, the U.S. government intends to prepare a new national plan.
The European Outlook
In Europe, research has indicated that the annual losses suffered by business have been far less than those in the U.S. Hackers supposedly cost European businesses only $4.3bn in 2000. Readers can decide for themselves whether the difference in the scale of the problem between the U.S. and Europe was due to Europeans being more reluctant to divulge their problems. Or maybe it was due to the U.S. being ahead in its use of e-business. On the other hand, perhaps the U.S. criminal fraternity is more advanced in its use of technology! A further study of 3,000 businesses worldwide came up with the staggering figure of between 5.7 percent and 7 percent of revenue lost through security breaches.
Some months ago, the U.K.'s National Crime Squad's National Hi-Tech Crime Unit (NHCU) was formed with the aim of improving incident reporting procedures and the gathering of evidence on security holes. The U.K.'s business leaders have now warned the government about a lack of action against cybercrime. They highlighted the fact that many companies are refusing to put their business online due to their fears of losing money and their reputation.
The Confederation of British Industry (CBI) and the Institute of Chartered Accountants of England and Wales (ICAEW) fraud advisory panel recently produced their Cybercrime Survey for 2001. It warned that the growth of e-commerce in the United Kingdom is suffering because of these worries. Two-thirds of the companies that responded to its survey had suffered a serious cybercrime attack in the previous year. The CBI and ICAEW defined such an attack as a company having experienced hacking, credit card fraud or a virus attack.
Responses to the survey came from 148 U.K.-based companies across a range of industry sectors. It revealed that organizations are happier to take part in business-to-business (B2B) transactions than in business-to-consumer (B2C) transactions. This is obviously because they feel that B2B is much safer than dealing with the general public on the Internet.
Threat to Global e-Business
Governments and industries must act to protect the total infrastructure upon which e-business is founded. Unless such high-profile action is taken, the growth of e-business will be stunted, and this will be detrimental to us all. This is a war which threatens the future development of business globally and in which it is imperative that every possible defense be utilized. It is not a war that we shall be able to say we have won: when the enemies have been repulsed, they will return in a changed form to carry out further attacks. As with the war on bricks-and-mortar crime, we can only minimize the effects, not completely eradicate the problems.
John Holden is a research analyst with the Butler Group (www.butlergroup.com), a firm of IT industry analysts based in the U.K.