Published on September 19th, 2018 | by Kevin McTiernan
The Powerful Tool we’ve Handed to Criminal Groups and Nation-States
In the reporting of the British Airways breach, one point makes many of the headlines: BA is facing a £500m fine under the European Union’s General Data Protection Regulation (GDPR). I believe that information needs to be protected; I believe that organizations that do not take that responsibility seriously should be punished; and I believe that the “stick” to wield against a for-profit entity is its profits. However, I think that the violation/fine parts of regulations like this assume that everyone is a logical and ethical actor and, most importantly, that everyone is under the enforcement regime. While there are hacktivists who might be acting from a moral compass and white-hat hackers who are trying to improve security, the majority of breaches are criminal and/or malicious. And such actors are masters of keeping themselves hidden, leaving them outside of enforcement. This is the powerful tool we’ve handed to criminal groups and nation-states, and it is why I believe that the violation/fine regime may start to serve as a tool for the more ambitious, malicious and criminal hackers.
Consider a few of today’s trends: increased regulations with teeth (such as GDPR and the CPA in California); hackers looking for new ways to make fast money; cryptocurrencies offering ways to be paid with no ability to track the payment; and the ransomware attacks that have made headlines in recent years. The intersection of these trends is a troubling thought: hackers break into a large organization and steal heavily regulated information, the theft of which would result in a fine. But instead of selling the information on the dark web, they ransom the evidence of the act (the full play-by-play of the breach and the security lapses). Could it work? First, let’s look at the numbers.
The £500m in fines that people mention when they discuss BA relate to GDPR. A company can be assessed a fine of up to 4% of sales. BA registered £12,200m in sales in 2017, and 4% of that is £488m. The fine BA actually faces could be less than the maximum.
BA (or its parent company, IAG) won’t go out of business from a fine like this, but it would most definitely hurt. IAG made £2,655m in profit last year (an ~18% increase over the previous year). £500m would represent roughly the entirety of similar growth this year, leaving their growth flat. That is why, from the day before the announcement (9/5) through this morning’s open (9/13), they have lost roughly £395m in market cap. Between the maximum fine and the market cap loss, you are talking nearly £900m in losses ($1.17B). Then there’s the compensation to the victims and the huge sums being spent now and in the medium term on both investigating and plugging the breach. All in all, this could cost upwards of £1,500m ($2B).
What would a business pay in ransom to keep that kind of event from going public, to avoid being levied the fines and taking the stock hit? On $2B in losses, would a business pay 10% of losses ($200M)? 1% ($20M)? 0.1% ($2M)? Successful organizations today are masters of risk and would weigh the ransom against the cost of not paying it. Estimates are that one ransomware group made nearly $20M in a year (https://arstechnica.com/security/2015/06/fbi-says-crypto-ransomware-has-raked-in-18-million-for-cybercriminals/). Would targeting a handful of corporations with deep pockets be more profitable than hitting hundreds of thousands of Internet users? I don’t know the answer, but it is an interesting question. The counter-argument is that organizations are under constant attack. Once they went down this road, they would be paying out money to many groups, the sum of which would eclipse the losses. A very valid point.
Another Angle to Examine
What if, instead of holding that information for ransom, it was used against a competitor? Consider the scenario of one organization hacking into another and stealing information. Instead of stealing proprietary research and development, they steal heavily regulated information (such as data whose exposure would be a violation of GDPR). The stolen records and the evidence of the hack are made public, probably before the victim organization even knows about it.
That act could have a major impact on the victim organization. In the face of stiff penalties, such a move could derail or delay entry into new markets, product launches, expansions or strategic initiatives. How much would the offending organization be willing to pay for a decade of dominance in its market?
Whether that organization used its own hackers or a criminal group, word would get out eventually. As the saying goes, the only way for three people to keep a secret is if two of them are dead. But even if it does get out, what will happen? I would point to what happened with Jawbone: just this summer, two Fitbit employees were indicted for stealing secrets while employed at Jawbone (https://www.cnet.com/news/fitbit-employees-indicted-for-stealing-jawbone-trade-secrets/). Yes, these employees are facing 10 years, but Fitbit is a $1.4B company and Jawbone is out of business.
Taking this thesis a step further: we all know how nation-states are funding hacking of all manner of industry in the US and the western world. What if an organization ran afoul of a country with a nation-state-sponsored team of hackers? Could that government anonymously release that heavily regulated information and evidence to retaliate? Could that government hold the same as leverage to force the organization to give in to the nation-state’s demands?
This is where the concepts begin to look like a William Gibson novel.
How SS8 Can Help
If you are worried about identifying malicious behavior, insider threats and network visibility, check out SS8’s Advanced Threat Detection solution. SS8 Advanced Threat Detection (ATD) monitors every byte from every flow on your network at key aggregation points, providing visibility into all communications on your network. ATD detects malware and identifies compromised computers and the stealthiest hackers moving around your network, all in real time. Every event is stored in our Security Analytics engine to provide years of high-fidelity history and recursive analytics as new threat definitions arrive. Intuitive search and visualizations provide your investigators with the insight to act. SS8’s nearly twenty-year legacy in the law enforcement and intelligence space is reflected in the optimized workflows and analytics in SS8 ATD.
Contact us today to see what you are missing on your network.
Kevin is responsible for leading the vision, design, and delivery of SS8’s government solutions, including the Xcipio compliance portfolio. His deep knowledge of the telecommunications and network security industries spans 20 years, with extensive experience in the areas of cyber security, network forensics, big data, fraud detection, and network monitoring.