The Components of Malicious Cyber Crimes - Rawan For Media Artistic and Production
By Alula Berhe Kidani, 15 hours 45 minutes ago
In this initial report we attempted to scope the problem and discuss what
to count in estimating losses from cybercrime and cyber espionage. We
looked at physical analogies—pilferage rates for example—to help us in
measuring the loss from malicious cyber activities. We attempted to
break malicious cyber activity into component parts. The aggregate of
these parts would let us measure the total cost to societies of
malicious cyber activities, but for each component of that cost,
data is weak or nonexistent and any estimate must be approached with
this limitation in mind. The components are:
- The loss of intellectual property.
- Direct financial loss from cybercrime.
- The loss of sensitive business information (such as negotiating strategies), including possible stock market manipulation.
- Opportunity costs, including service disruptions, reduced trust online, the spending required to restore any “lead” from military technology lost to hacking, and the realignment of economic activity as jobs flow out of “hacked” companies.
- The additional cost of securing networks and expenditures to recover from cyber attacks.
- Reputational damage to the hacked company.
Intellectual Property Losses
The most important area for loss is in the theft of intellectual property
and business-confidential information—economic espionage. It is
difficult, however, to precisely estimate the losses. This is in part
because cyber spying is not a zero-sum game. Stolen information is not
really gone. Spies can take a company’s product plans, its research
results, and its customer lists today, and the company will still have
them tomorrow. The company may not even know that it no longer has
control over that information. There are many ways to determine the
value of intellectual property. One is to estimate what it would fetch
on the market if offered for sale or for licensing. Companies can value
their intellectual property by determining the income streams it
produces and is expected to produce in the future.
Companies can also estimate what it would cost to replace intellectual property
as a means of estimating its value, although a reliance on inputs for
estimating value can be very misleading.7 The actual value of
intellectual property can be quite different from the research and
development costs incurred in creating it. If a company spends a billion
dollars on a product that fails in the market, and a foreign power
steals the plans, the loss is not a billion dollars but zero—the
invention’s market value. Extracting information from a computer
network does not always mean there is immediate benefit to the
acquirers. They may lack the advanced manufacturing capacity or skill
needed to produce military or high tech products. For some advanced
technologies, there may be a lag of five to ten years between the theft
of the IP and when it appears as a competing product. This lag in the
use of pilfered intellectual property complicates the estimation of loss
from malicious cyber activity.
The rate at which a competing product based on stolen intellectual property
appears varies from sector to sector. Some take years. Others, such as
high speed trains or wind power generators, appear rapidly. In some
cases, the acquirer of the technology has been able to put a product on the
market before the victim can introduce their own, legitimate version.
One way to put these possible losses in context is to consider a US company
with $1 billion in intellectual property, all of which is extracted by
foreign hackers and given to a competitor. This competitor now has the
advantage of access to valuable intellectual property for which it did
not have to pay. However, if the competitor that illegally acquired the
intellectual property is unable to develop a competing product, the
theft does not create additional risk for the victim. For the victim to
suffer loss, the acquiring company would have to use the IP in a way that
harms the victim, by offering a competing product or by improving their
bottom line.
Making high tech products requires “know-how” as much as blockbuster
IP—knowing how to run a manufacturing process, where to buy the cheapest
inputs, which customers are most interested, what designs actually move
product, etc. All of those things hold back companies that rely on
cyber espionage. But if the company can ask each time they hit a
roadblock, “How did the victim get over this barrier?” and then go back
and find the answer in the victim’s files, then they can quickly acquire
the practical know-how to use the stolen IP.
Historically, state sponsored commercial espionage has focused on areas of great
interest to governments, such as military and advanced technologies.
More recently, some countries seem to use cyber espionage as a normal
part of business. Cyber espionage by nation states to benefit their
companies is a kind of state aid to those companies that is cheaper than
traditional subsidies. This privatized espionage can be deployed
against a much broader swath of companies. One interview with
intelligence officials told of a US furniture company being hacked and
losing its IP, only to see furniture made from its designs being offered
online to wholesalers. There are similar stories involving efforts to
use cyber techniques in attempts to acquire breakfast cereal recipes,
running shoe designs, automobile part technologies, and soft drink
formulas. These are not “strategic industries,” but their losses from
cyber espionage can still be significant.
The victim company still has access to the intellectual property. It has
not lost the ability to make the product; what has in fact happened is
that it now faces a new competitor. The risk of this competition is
increased if the new foreign competitor has access to other government
subsidies that allow it to sell at a lower price or if it is supported
in its domestic market by barriers that hamper outside companies from
competing.
We need, in our assessment of the cost of cyber espionage, to put it in
the larger context of national economic and trade policy to understand
the possible consequences.
Business Confidential Information
The line between Business Confidential Information and IP is inexact.
Business Confidential Information can include trade secrets or “know
how.” These categories are similar to IP and their loss imposes similar
costs. We distinguish between IP (information that makes it easier to
produce a competing product) and Business Confidential Information
(information that gives an advantage in commercial negotiations or in
developing competing business strategies).
While it may take years for stolen IP to show up in a competing product,
there is no delay in monetizing stolen confidential business
information.
Theft of oil exploration data, sensitive business negotiation data, or even
insider stock trading information can be used immediately by the
acquirer. The damage to individual companies can be great. Measuring
this category of loss is very difficult since the victim may not know
the reason they were underbid, a negotiation went badly, or a contract
was lost.
A more insidious form of hacking is the equivalent of insider trading. In
this case, the individual extracting non-public information about a
future financial transaction is not an insider, but the effect is the
same. Insider trading, or its hacking equivalent, may look like a
victimless crime but it reduces social welfare and harms financial
markets. An astute hacker may manipulate stock prices or automated
trading systems, putting out false news that could affect a price or the
market. The effect may be short lived, but a hacker could execute
trades planned in advance. In the case of stock manipulation, the cyber
crime resembles insider trading, which can be notoriously difficult to
detect. The information acquired could be used to make trades on another
exchange, complicating enforcement efforts.
Cybercrime
While losses due to cybercrime are troubling, they do not directly threaten
national security, except to the extent that international cybercrime
allows potential opponents to train and maintain proxy forces at others’
expense. Direct losses to consumers may be the smallest component of the
cost of malicious cyber activity. These are usually based on
impersonating individuals to gain access to their financial resources or
other forms of fraud, such as impersonating an antivirus company in
order to persuade individuals to pay to have their computers cleaned.
The UNODC estimates that identity theft is the most profitable form of
cyber crime, generating perhaps $1 billion per year in revenue on a
global basis. The same UNODC report estimated that the cost of identity
theft using cyber techniques in the US was $780 million (data for other
countries was not readily available). Data on other kinds of losses by
banks is not readily available, but may total, in the US, somewhere
between $300 million and $500 million a year. This is not an
insubstantial loss and if it occurred on our streets there would be an
immense outcry. However, financial institutions have regarded this as
the cost of doing business in cyberspace.
Service disruptions, such as denial of service attacks, may have only a limited
cost on a national economy (although they can be disruptive for the
company that experiences them). If the website of an online retailer is
taken offline, they will lose sales, but the actual economic effect may
be much smaller. Consumers may simply defer a purchase, or they may go to
another retailer. Even a relatively large denial of service attack,
such as those launched against Estonia in 2007, may have only a minimal
economic effect. The same is true for extortion schemes where a criminal
threatens a denial of service attack or penetrates a network, encrypts
data, and then charges a fee for decryption.