The Hacker’s Market: Cybersecurity Risk in the U.S. Economy

Font Size:

PPR seminar focuses on threats facing both corporations and the government.

Font Size:

Every day, the U.S. Defense Department wards off 10 million cyberattacks to its military networks.

According to Richard Falkenrath, a Principal with The Chertoff Group, cyberattacks like these pose a constant and major threat to government agencies, businesses, and individual citizens in the United States. At a seminar sponsored by the Penn Program on Regulation earlier this year, Falkenrath shed light on the nature of this threat, assessing current cybersecurity risks and analyzing policy options for managing these risks.

Falkenrath, who has previously served as the White House Deputy Homeland Security Advisor as well as the Deputy Commissioner for Counterterrorism for the New York City police department, went into detail about both the personal and economic effects of cyberattacks.  At a personal level, these attacks invade individual victims’ privacy.  The extent of harm can vary from individual to individual, but while the nation as a whole may not suffer from such events the affected individuals may feel palpable embarrassment and shame. Such losses are real – at times personally devastating – even if the damages are not readily quantifiable.

The economic effects of a cyberattacks can range widely too – and even though the damages can be high, they too are not easy to calculate.  These harms range from minor acts of fraud to breaches of corporate computer systems that threaten a company’s survival – as well as to the large costs associated with expensive cybersecurity systems and personnel that companies now must pay to protect their digital infrastructure.

Falkenrath traced the history of the cybersecurity problem.  At its conception, the Internet had no real commercial application, thus it was not something that was tightly regulated by the government. Its commercial worth changed with the explosion in private sector use in the 1990s as well as the capital market growth from funding startups.

As Falkenrath noted, “As a nation we are now highly dependent on computer information systems.”

According to Falkenrath, starting around 1990 some officials in the U.S government began to pay much attention to the likelihood of cyberattacks, with many beginning to worry about the potential for a cyber-apocalypse. However, the emphasis on cybersecurity generally reached the highest levels of government only as of the mid-2000s.

During the past decade and a half, the U.S government has gathered extensive data on the vast volumes of digital information that are constantly being stolen. Falkenrath said the volume of misappropriated data from the current system can be estimated but valuing the economic harm from data losses is much harder.

“It’s not like calculating the harm from an environmental disaster or doing a calculation as to the economic losses of air pollution,” Falkenrath noted.

One of the major issues in cybersecurity today is the theft of intellectual property and corporate data. Falkenrath observed that many of these threats originate from overseas, particularly from China.

He explained that companies are generally not required to disclose breaches. There is no uniform governmental requirement for companies to report attacks if they have been hacked.

“A lot of these viruses are just like a vacuum cleaner that takes [corporate] data and stores them, without any signs that the hackers are even going to use them,” Falkenrath said.

Falkenrath noted that utilities, banks, and phone carriers have to spend a lot of money on cybersecurity to prevent a digital disaster that would plunge millions into darkness, cripple the financial system, or cut communications – threats that so far have been avoided.

To date, cyberattacks have rarely resulted in physical damage to people or tangible assets. An exception, according to Falkenrath, was the Stuxnet attack on Iran’s centrifuge program, which apparently destroyed a few thousand centrifuges.

When the U.S. government responds to cyberattacks, it may itself employ viruses that target specific pieces of information. For example, the government sometimes uses a technique called a “honey trap,” where data are left exposed. This information functions as bait and contains viruses that activate when the computer system containing the data is infiltrated.

Falkenrath believes that both offensive and defensive information operations will be a ever-present feature of future conflicts between nations.