The U.S. Government Accountability Office has released findings from a cyber security study which focused on the economic espionage aspects of the cyber threat. Their report, available at: GAO-12-876T : Cyber Threats Facilitate Ability To Commit Economic Espionage provides an update and summary of several incidents in the private sector which underscore the nature of the threat, including:
• In March 2012, it was reported that a securitybreach at Global Payments, a firm that processed payments for Visa and Mastercard, could compromise the credit- and debit-card information of millions of Americans. Subsequent to the reported breach, the company’s stock fell more than 9 percent before trading in its stock was halted. Visa also removed the company from its list of approved processors.
• In March 2012, it was reported that Blue Cross Blue Shield of Tennessee paid out a settlement of $1.5 million to the U.S. Department of Health and Human Services arising from potential violations stemming from the theft of 57 unencrypted computer hard drives that contained protected health information of over 1 million individuals.
• In April 2011, Sony disclosed that it suffered a massive breach in its video game online network that led to the theft of personal information, including the names, addresses, and possibly credit card data belonging to 77 million user accounts.
• In February 2011, media reports stated that computer hackers had broken into and stolen proprietary information worth millions of dollars from the networks of six U.S. and European energy companies.
• A retailer reported in May 2011 that it had suffered a breach of its customers’ card data. The company discovered tampering with the personal identification number (PIN) pads at its checkout lanes in stores across 20 states.
• In mid-2009 a research chemist with DuPont Corporation reportedly downloaded proprietary information to a personal e-mail account and thumb drive with the intention of transferring this information to Peking University in China and also sought Chinese government funding to commercialize research related to the information he had stolen.
• Between 2008 and 2009, a chemist with Valspar Corporation reportedly used access to an internal computer network to download secret formulas for paints and coatings, reportedly intending to take this proprietary information to a new job with a paint company in Shanghai, China.
• In December 2006, a product engineer with Ford Motor Company reportedly copied approximately 4,000 Ford documents onto an external hard drive in order to acquire a job with a Chinese automotive company.
This is a good sample of the types of cyber-enabled economic espionage that is occurring and they illustrate the serious impact that economic espionage can have on our economy.
The report also contains reviews of defense in depth type approaches and pointers to other references on how to make things harder for the cyber thief. Some implications for government agencies that can help mitigate these threats are also provided.
Overall this is a basic review of information already known by the community, but GAO deserves credit for capturing things so succinctly. They include a great deal of previous work by reference so it is a good pointer for those who want to dig deeper into the topic.
And this is a very important topic that we should all be tracking, so GAO deserves credit for continuing to speak on and write about this subject.
- Cyber War and the Expanding Definition of War (ctovision.com)
- FBI fighting two-front war on growing enemy – cyber-espionage (cbsnews.com)
- UK Industry a Favorite Target for Cyber Espionage, Says MI5 (devicemag.com)