Jeremy Wittkop - Building a Comprehensive IT Security Program: Practical Guidelines and Best Practices

Boulder, Colorado, USA

A problem clearly stated is a problem half solved.

Dorothea Brande

According to the Associated Press, U.S. intelligence officials have said that cyber-crime currently trumps terrorism as the biggest threat to the countrys security. ( http://blog.trendmicro.com/cyber-attacks-considered-top-national-security-threat/ ) Take a moment to let that statement sink in. While news reports are dominated by Al Qaeda, ISIS, Hamas, and countless other terrorist groups, the largest threat to U.S. national security is cyber-crime. The problem is not limited to the United States either. In fact, the World Wide Web has removed the proximity requirement from crime. Before the globe was truly connected, if I wanted to steal your credit card, I would have to be physically close enough to you to remove the said card from your possession. Not only did that significantly limit the people that could attempt to steal that credit card, but it also limited each criminal to attempting to steal a single card at a time. Now, criminals can steal millions of credit cards and attack thousands of organizations while drinking a cup of coffee in their pajamas. Further, there is an entire illicit marketplace that exists on a part of the Internet that most people do not even know exists. This side of the Internet is sometimes referred to as the Dark Web. The Dark Web is a digital black market where all manners of illicit activity take place and stolen goods, services, and information are bought and sold. The anonymity provided by the Dark Web is one of the many ways that hackers, crackers, and programmers leverage the significant knowledge gap between them and the general public for their own personal gain. These technically savvy individuals may be operating independently or as part of a group.

Removing proximity and simultaneous attack limitations presents a major opportunity for countries, groups, or individuals who possess superior technical skills to transfer wealth from less skillful individuals who have access to financial instruments, identities, and other pieces of information that may be of value on the Dark Web. When information is stolen from a business in a certain country, it impacts every individual in that country, as individuals inside economies are interconnected.

According to McAfees Net Losses: Estimating the Global Cost of Cybercrime ( http://www.mcafee.com/us/resources/reports/rp-economic-impact-cybercrime2.pdf ) report, the United States loses about .64 percent of GDP annually to cyber-crime. In 2013, the U.S. Gross Domestic Product was $16.77 trillion, which means that approximately $107 billion dollars was lost to cyber-crime in the United States alone during that year. As a percentage of GDP, that corresponds to roughly 400,000 of the roughly 150 million jobs (According to Current Employment Statistics) that are occupied currently would be lost in a single year using the same percentage. Cyber-crime is a global problem, but there is no doubt that it affects more developed countries disproportionately. Terrorism, like the events of September 11, 2001, has a significant and lasting effect on the U.S. economy and captures attention due to the loss of life and shock value of the images of death and destruction. However, cyber-crime is far more prevalent and far more likely to directly impact an individual or organization than violent extremism or terrorism. Additionally, there is very little that individuals can do to protect themselves from a terrorist attack. With respect to terrorism, I am reminded of a saying I used to repeat to my mother when I was deployed to Iraq: Worrying is like a rocking chair, it will give you something to do, but it wont get you anywhere. This is not to say that terrorism shouldnt be a concern to the average individual, as Im sure my time in Iraq was concerning to my mother, but spending significant time worrying about circumstances outside of your control is not necessarily helpful, and can be destructive to both individuals and organizations. However, for business leaders, cyber-security is something that they can realistically defend against. As such, it is important to understand the threat landscape and take measures to protect themselves and their organizations from harm, which can be catastrophic.

From a macroeconomic perspective, the growing prevalence of cyber-crime leads to a reduction in the rewards and therefore motivation for innovation on the supply side, and a reduction in consumer confidence that results in a reduction in the demand side of the economic equation. In short, a reduction in consumer spending and a reduction in the amount of Intellectual Property generated translate to a major indirect impact to the American economy that is much more difficult to measure than the easily measurable direct impact of breaches as compared to Gross Domestic Product. Similar stories can be told about other prosperous economies and wealthy individuals throughout the world. Developing nations such as many of the growing economies in South America and portions of Africa risk emigration to other countries if they fail to protect the ideas and ability to profit from those ideas of their citizens. Such failures result in stunted economic growth and a lower quality of life for all of their citizens.