Martin Knuth is one of Home Depot’s most loyal customers. But after the home improvement giant revealed last month that hackers had accessed the confidential credit card information of 56 million North American customers, the Regina retiree became concerned enough to help launch a class action lawsuit against the retailer.
So far, Mr. Knuth hasn’t found any fraudulent charges on his account – and he still shops at Home Depot. “It hasn’t changed my buying, per se,” said Mr. Knuth, who estimates he shops at his nearby Home Depot 10 times more than the average person. However, he acknowledged that the risk of his data being compromised “is still fairly high.”
Massive data breaches affecting tens of millions of people like Mr. Knuth are occurring with alarming frequency. In the past few months, a slew of hacks have taken place at companies such as Kmart, Staples, Dairy Queen and JPMorgan, where more than 80 million accounts were exposed. Three of the top 10 data breaches in history happened this year and experts say 2014 will be the worst on record, surpassing last year’s tally of 822 million exposed records worldwide, according to cybersecurity firm Risk Based Security. That’s almost double the number from 2011 and the actual figure could be far higher since experts say most breaches are kept quiet.
Up to now, data theft has been little more than an inconvenience for most victims, something consumers have more or less gotten used to. But the threats are accelerating. Data raiders have become more sophisticated and organized, and their attacks so crafty that breaches can go undetected for months. And they aren’t just pilfering credit card information, but stealing corporate secrets and in some cases threatening to lock users out of their computers unless they pay digital ransoms.
“We’ve created this perfect platform of evil,” with increasing reliance on the Internet that ties together mobile computers, social networks, cloud and websites, said David Dewalt, chief executive officer of FireEye Inc., a security software company in Milpitas, Calif. “You throw all that in a petri dish with no governance model, complete anonymity and a lot of intellectual property one click away. That creates a very interesting model for attackers to use to get into systems that we now completely rely on – our critical infrastructure, our smart grid, our transportation industry, our financial systems, our military.”
In response, data keepers, ranging from hospitals to governments and corporations, which now spend tens of billions of dollars a year on corporate security globally, have realized their main defences are ineffective at stopping the bad guys, and they will have to spend much more on newer, more powerful tools in the coming years. The digital data arms race has just begun, and “it’s possible that it will go on for many decades,” said Larry Ponemon, whose Ponemon Institute tracks trends in the cybersecurity market. “At this point … it looks like we’re losing this battle.”
‘It’s about being resilient’
Visitors to CGI Group Inc.’s security operations centre in east-end Ottawa are greeted by an alarming sight: A digital world map engulfed in what looks like real-time nuclear war. Coloured missiles fire across the Atlantic Ocean from origin points in China and Eastern Europe. When they land in the United States, a ring expands out from the impact point, like a bomb going off. It’s a Thursday afternoon in mid-October, and the U.S. appears to be under full-on attack.
That’s exactly what’s happening, but the missiles are virtual and armed with ones and zeros. This is a “live threat map,” produced by security software firm Norse, and at this moment there are 770 live cyberattacks happening in the United States. In Canada, there are 50 cyberattacks ongoing.
More unsettling is that this map likely only shows a fraction of the cyberattacks actually under way, according to Chris McEwan, CGI’s vice-president of global cybersecurity services. “We don’t use this for anything” except for media and client visits, he admitted.
The building is one of 10 security operating centres deployed by Montreal-based CGI, an information technology service provider, and it’s feeding one of the company’s fastest-growing businesses, cybersecurity. CGI monitors data traffic for an undisclosed number of customers (clients include 40 Canadian government departments, the Canadian Payments Association and National Bank of Canada).
Market research firm Gartner Group has estimated that worldwide information security spending will grow to $86-billion (U.S.) by 2016 from $62-billion in 2012. But business is even better for the bad guys: According to the Washington-based Center for Strategic and International Studies, the annual cost of cybercrime to the global economy exceeds $400-billion.
CGI’s centres are staffed around the clock by 1,400 employees, looking for suspicious activity on behalf of their clients. Overseeing the cybersecurity division is John Proctor, a British-born ex-military man who has served as a hostage negotiator for Canada. “It’s not about having the best defences,” Mr. Proctor said. “It’s about being resilient, about being able to respond in the correct way when bad things happen.”
By Mr. Proctor’s measure, bad things are happening constantly. Every week, the company spots about 30 million “events” or anomalies on its customers’ networks. CGI’s systems quickly boil those down to about 400 a week that “are attributable to some form of deliberate bad action,” he said. Once or twice a day CGI registers a truly severe event: a red alert breach, a compromised network. To put this in perspective, these statistics are for one IT company whose customer base is mostly Canadian.
South of the border, no one is exactly sure how big the problem is, but experts say data breaches are grossly underreported. Until legislation now before Parliament passes into law and makes data breach reporting mandatory, Canadian companies are not even required to reveal when their data have been compromised, unlike their peers in most U.S. states. “There are data breaches going on [in Canada] that are not reported because they don’t have to be … certainly dozens to my knowledge” in the past few years, Mr. Proctor said. One recent poll found 69 per cent of surveyed Canadian businesses had been cyberattacked over the previous year, but the fact that Canadian media are not awash in domestic breach stories suggests much goes undisclosed.
The motives of data raiders range from credit card fraud and intellectual property theft to sowing societal chaos. The perpetrators are not strictly freelance mischief makers of days past, but a shadowy mix of organized criminals, state-sponsored corporate spies and terrorists. In some cases, says Ray Boisvert, former assistant director of intelligence for the Canadian Security Intelligence Service, the interests of the cyberperpetrators converge, including allegations Russia tacitly blessed the recent attacks on JPMorgan Chase & Co and other U.S. banks by unknown hackers in retaliation for Western sanctions over its actions in Ukraine. Meanwhile, James Comey, director of the U.S. Federal Bureau of Investigation, recently said all major U.S. companies have been hacked by the Chinese.
Hackers are constantly changing their methods, and have proven particularly adept at launching attacks gradually and methodically, sometimes leaving malware dormant on unsuspecting computers for months before carrying out their missions. The tactics can be diabolical in their cleverness. “Spear-phishing” e-mails claim to be from UPS or FedEx about a package awaiting delivery and instead deliver malware in an attachment or link. Malware like “Flash” can capture keystrokes, network activity, screen-shots, audio files, Skype conversations and documents. Other types of “ransomware” lock your computer or network with an unbreakable encryption and then demand payment to release the data.
Most worrisome of all is that a majority of companies are not equipped to fight these new threats. Research firm Gartner recently found more than four out of five client deployments of firewalls and other anti-hacking programs did not encrypt data passing through their networks – meaning they are ineffective at blocking the new generation of malware. That rate is expected to drop to about 50 per cent by 2017, which means that even in three years, half of all cyberdefences will still fall short. Even a senior executive with security software provider Symantec acknowledged earlier this year that “anti-virus is dead,” referring to commonly used software. Meanwhile, a majority of data breaches aren’t even detected by the targets themselves but by banks, law enforcement agencies or cybersecurity researchers.
The stolen data feed an increasingly global and sophisticated black market. Stolen credit card information is sold in batches for as little as $2.50 per card, according to global security software firm Trend Micro. But credit card numbers are the bulk commodity of these black markets, according to a 2014 report by Rand Corp. More valuable are pre-built “exploit kits” used for cracking systems: They can sell for as much as $2,000.
Also popular are malware programs that enable rooting (a system for removing security protections from computers), denial-of-service attacks (whereby websites are flooded with dubious traffic), even proxy server and virtual private network hosting services to disguise the origin of attacks.
But by far the most valuable item in the cybercriminal world is the zero-day exploit, the blueprint to a previously unknown flaw in the code of a popular software program. Sometimes the opening has gone undetected for months, even years.
There have been two major “zero days” this year – Heartbleed and Shellshock, and even after their public disclosure, millions of systems were left undefended against attacks. Rand researchers estimate zero-day exploits can be sold for several hundreds of thousands of dollars on the black market.
In the face of such threats, data keepers are gradually waking up to the new reality, but many aren’t taking the threat seriously enough, according to several recent surveys.
“It appears that many are still not taking the key steps necessary to protect personal information despite believing [according to surveys] that protecting privacy is ‘extremely important,’ ” federal Privacy Commissioner Daniel Therrien said in a statement.
So far, the cost to consumers has been mostly added stress and lost time. Credit card issuers typically cover fraudulent charges, and the cost is relatively tiny: Data from the Canadian Bankers Association show credit card fraud from e-commerce and related activities has risen sharply in recent years – but still cost card issuers just $299-million (Canadian) in 2013. That’s less than 1 per cent of the total profits earned by Canada’s six largest banks last year. Meanwhile, Visa Canada’s head of risk services, Gord Jamieson, says that while dollar amounts of fraud are growing, they are still less than 6 cents of every $100 spent globally. “Fraud itself has remained at historical lows for the most part,” Mr. Jamieson said.
“It’s a victimless crime like insurance fraud,” said Barclays banking analyst John Aiken. “The question is: Is this cost growing faster than everything else? What I don’t know is when it becomes a tipping point and becomes an unbearable cost.”
But Gartner analyst Avivah Litan says: “Most companies we work with take these breaches very seriously and don’t want to be the next one. But it’s not like these are agile organizations that can turn around on a dime.”
‘They’re definitely panicking’
When CGI’s Mr. Proctor visits new clients, one of the first things he does is ask the C-level executives when they last ran a “data breach exercise” – a corporate drill to deal with a major data breach. “It generally goes very quiet,” he said. “Very few of them have done a data breach exercise.” Many don’t even have the capability to know if their data have been breached because they don’t monitor their networks, Mr. Proctor said.
But Mr. Proctor says clients are gradually coming around. “They’re starting to ask, ‘Am I secure enough?’ They want to know if they’re doing what’s reasonable and how they compare to peers.”
A case in point is the breach of Target last fall: The retailer had invested in cutting-edge security tools but failed to act on red flags sent up by the programs that could have stopped the worst of the attacks. The resulting publicity hurt sales, cost the retailer more than $200-million (U.S.) in gross costs and likely cost CEO Gregg Steinhafel his job. CEOs “are scared they will be fired because of a breach,” Ms. Litan said. “That’s a good thing – if their jobs are on the line, it makes them take it more seriously. They don’t want consumers to panic so they don’t talk about it that much, but they’re definitely panicking.”
Still, they face a sobering reality: No defence can keep all the data raiders out. “Cyberthreats and data breaches are here to stay,” Mr. Proctor said. “Welcome to the world, because we all want to be connected to it. This is a cost that companies are never going to get rid of.”
Ms. Litan thinks companies need to forget about preventing cyberattacks and instead take a page from Israel’s hyper vigilance toward physical security. “Just focus on detection, rapid containment,” she said, “because even with all these prevention tools, they can figure out what you’re doing, and they can break your scheme.”
That’s the approach of FireEye, one of the most successful and promising sellers of a new wave of cybersecurity tools. Rather than try to stop malware from entering corporate systems, FireEye’s technology deals with threats that have already made it past the firewall. “We basically invite the adversary in, we study them for behaviour and we block them from coming in or going out,” said CEO Mr. Dewalt, who claims his software is more than 99 per cent effective. Nasty software thinks it’s attacking the corporate host – when in fact, it is causing no harm because it’s ensnared within a FireEye “virtual machine.” The FireEye software was installed at Target and detected the breach early enough to have prevented the retailer from losing most of the data. Unfortunately, Target’s IT department had switched off the function that would have destroyed the malware, according to media reports.
To avoid future Target or Home Depot-sized fiascoes, experts say the next big update needs to involve abandoning insecure magnetic stripe payment cards. U.S. financial institutions have set an Oct. 1, 2015, deadline for retailers to install chip card technology at physical points of sale (or risk losing liability protection), which should cut down some of the massive consumer data thefts.
As a positive if cautionary example, Interac, the network for Canadian bank debit cards, did its chip and PIN rollout over a decade of planning and slowly replacing equipment. This year, with over 4.5 billion transactions, debit card fraud has dropped to just $7-million (Canadian) from a high of $142-million in 2009. Some companies are also working to develop biometric security – using fingerprints or retina scans – to provide a unique physical signature that can’t be easily hacked, like alphanumeric passwords.
Financial institutions are also getting better at correlating where fraud activity has happened and notifying customers, said Mark Nunnikhoven, vice-president of cloud and emerging technologies at Trend Micro. “If they think your card was affected by a breach, they will freeze it.” Banks are also monitoring the black market to see what batches of credit card numbers are for sale. “We’ve seen banks go out and actively buy these numbers to get them off the market,” he said.
The best solution to stop the trade in zero days and other flaws in supposedly secure code may be: If you can’t beat them, join them. Major software companies like Microsoft, Google and Facebook are trying to outbid the bad guys by increasing what they are willing to pay for “bug bounties.” Last year, Microsoft paid two bug finders $100,000 (U.S.) each.
There are signs that good old-fashioned investigation and prosecution by law enforcement, a strategy employed against organized crime for decades, are bearing some fruit. There have been five major stings on cybersyndicates in the past two years: notably the dismantling of the Liberty Reserve money laundering scheme and the arrest and shutdown of those suspected of organizing the Silk Road dark web black market.
These efforts are laudable, and they each tackle a separate part of the fraud challenge. Private industry may have the skills and the resources necessary to bend down the growth curve in data breaches. But there’s a growing sense that the international nature of the cybercriminals requires governments and business to work much more closely together to change the way we police the net.
McAfee’s Net Losses report on the cost of cybercrime estimated that “countries will tolerate malicious activity as long as it stays at acceptable levels, less than 2 per cent of national income.”
The increasingly large thefts, the need for constant vigilance, and the high cost of providing security that can be overrun seemingly at will, all create a climate where security analysts worry about the future of the free, open and unregulated Internet. The cost may be getting too high.
“I think it is now time to have cybercops co-operating with [Internet service providers],” said Barry Sookman, an author and lawyer with McCarthy Tétrault LLP who has written extensively on cyberlaw issues.
“There really needs to be some thought given to how you can have a more protected Internet, balancing the need for security and freedom. That’s the challenge for the next decade, to realize there really are a lot of bad criminal people out there who are increasingly trying to find ways to hack in.”
“There are laws and enforcement protecting the Brinks trucks. Without ramped-up enforcement and more thinking about how pro-actively we do it, we’ll have a virtual Brinks truck knocked over every single day.”
With files from reporter Marina Strauss.
Rachel Greenspan is a Fellow in Global Journalism at the Munk School of Global Affairs at the University of Toronto.
A GLOSSARY OF HACKING TERMS
Advanced persistent threat (APT): A strategic cyberattack that infiltrates a system and persists over a prolonged period of time, potentially undetected. APTs may be carried out by a nation state or criminal organization to steal sensitive data or compromise a target system.
Black hat hacker: A computer hacker who finds vulnerabilities in software systems and exploits them for personal gain or other malicious reasons. Black hat hackers can be amateurs or highly organized criminal organizations that spread computer viruses, steal personal information and carry out massive credit card breaches. This term comes from old Western movies where the good guys wore white hats and the bad guys wore black hats.
A large network of virus-infected computers that can be used to generate spam, spread viruses, perpetrate click fraud or conduct attacks on other systems.
Bug bounty program: A program where software companies offer cash rewards to hackers to find and report exploitable vulnerabilities before they can be used by cybercriminals. Facebook, Google, Mozilla Firefox and Microsoft have been known to offer thousands of dollars in return for bugs.
White hat hacker: A computer hacker who finds vulnerabilities in software systems and reports them to system owners so the problem can be fixed before criminals exploit it.
Distributed denial of service (DDoS) attack: An attack designed to disrupt a computer system or website service by bombarding the site with so much web traffic that it crashes. Botnets are often used to carry out DDoS assaults.
Heartland: A U.S. company responsible for passing payment data between consumers’ and retailers’ financial institutions during purchases. Heartland suffered one of the first enormous credit card breaches in January, 2009, when it lost data pertaining to an estimated 100 million credit cards.
Malicious software designed to block access to a system or account until a sum of money is paid.
Non-computer methods of manipulation to obtain sensitive personal information, such as birth dates, or social security numbers. Personal knowledge often used to bypass passwords.
An e-mail masquerading as being from a trusted source or person you know sent with the goal of obtaining sensitive information, often by downloading data-sniffing and computer-controlling malicious software.
A previously undetected software vulnerability that is used to hack into affected systems before developers or manufacturers can address or fix the problem.