The average time between an attacker breaching a network and its owner noticing the intrusion is 205 days. Like most statistics touted by the cybersecurity industry, such as the supposed annual $575 billion global cost of 90 million cyber attacks, it is little more than a guesstimate. But there is no doubt that criminals and pranksters are thriving by attacking computers and networks (see article), that companies are struggling to cope, and that businesses offering answers are charging fat fees.
The penalties for getting cybersecurity wrong are steep. Nortel, a Canadian telecoms giant, went bust in part because hackers stole so much of its intellectual property. Target, an American retailer, lost the credit-card details of 40 million customers. Some of them are suing. Its share price plunged, and the CEO stepped down. TalkTalk, one of the biggest phone and internet companies in Britain, is floundering after an attack last month which leaked customer information — which was apparently stored unencrypted, on a computer accessible through a public website.
Unsurprisingly, then, the cybersecurity industry is booming. A report by Bank of America Merrill Lynch reckons the market is $75 billion a year now and will be $170 billion by 2020. Not only is demand soaring, but barriers to entry are low. Anyone able to spout a bit of computer jargon can set up shop (it also helps if you can say you have a background in an intelligence service or the military). Unlike, say, businesses based on engineering or science, there are no standard qualifications, nor any established trade associations.
The range of products is bafflingly wide. Among those on offer are “threat intelligence” (finding out who is planning to attack your company and why); “end-point protection” (making sure that nothing is lurking on your computers or mobile devices); “penetration testing” (hacking into your systems to reveal their security weaknesses); “identity assurance” (making sure that only the right people get onto your network); “incident response” (dealing with the aftermath of attacks); and “anomaly detection” (spotting mischief by looking for peculiar movements of data).
Quality varies hugely. The worst products may appear to work perfectly, but do nothing against the real threats. Anti-virus software, for example, can do a splendid job against old malevolent software, but fail to spot new versions (especially because those who invent malware fine-tune it to evade existing defenses). And they defend against only one kind of attack. Other products do such a good job in spotting possible mischief that they create a plethora of false alarms. Keeping up-to-date is hard — malefactors who spot weaknesses quickly sell or share their knowledge.
Ropier providers are helped by the fact that customers, especially at board level, are usually ill-informed about what they are buying. Understanding how attackers work and what they are after is hard. Few senior executives have enough of a technical background to understand encryption or network design. Sharing data about attacks would help corporate buyers to become more informed but carries risks of its own — you may breach customer privacy by doing so, and publicizing an attack highlights what may look like incompetence. (New laws pending in America and the European Union should give some much-needed clarity on what disclosure is required when cyber attacks happen.)
All sorts of companies offer cyber-security services, from small, specialist outfits to giant arms companies such as BAE Systems (which TalkTalk has hired to sort out its mess). The biggest firms are finding it hard to keep staff. As in the public-relations and corporate-intelligence industries, if you know your stuff, you can make more money starting up on your own. Venture capitalists are not showering money on the industry as prodigiously as they did a year ago, but the fast growth rate means that raising capital is still easy. The big companies are still able to trade on their brand name (nobody gets fired for hiring IBM) but the mammals are beating the dinosaurs.
Purely technical solutions are also going out of fashion. Even the best technology doesn’t work if the humans who operate it are careless or ill-trained. Attackers often use a mixture of computer hacking and “social engineering” (in effect, confidence tricks) to gain access to their targets. People who obligingly click on links or open attachments in bogus e-mails are the single biggest security weakness: even the strongest front door is insecure if those inside open it to all comers.
Even the best cybersecurity products offer little protection against employees who are bribed or bullied to help the attackers, or who harbor a grudge against their bosses. Weeding out such people requires an approach more like that of the spy world. Training loyal staff to be sensible, while not infuriating them with restrictive rules or paralyzing them with fear, is hard. Naturally, there are up-and-coming consulting firms which stand ready to offer these sorts of service.
Security will get worse before it gets better. The “internet of things” — hooking up all sorts of appliances to the web — offers new opportunities for attackers. Many companies do not have a proper understanding of the threat they face. Eventually, they will become choosier and thriftier. But for now, cybersecurity companies of all kinds can feast on misfortune.
© The Economist Newspaper Limited, London (November 7, 2015)