The barrage of cyberattacks against U.S. companies continued in 2015. Some were spectacularly successful, costing the victimized companies — as well as their workers and customers — millions.
Americans can expect more of the same in 2016. The bad guys still want to steal commercial secrets, as well as your Social Security numbers, birth dates, home addresses, financial records, medical records and security credentials — anything they can use or sell.
In 2015, health care providers such as Anthem, Premera Blue Cross, CareFirst, UCLA Health, and Excellus were compromised. Financial institutions such as Morgan Stanley, Experian, and Scottrade were also victims. Hackers targeted banks across the globe in search of financial gains; meanwhile, day-traders hired hackers abroad to steal proprietary information in an attempt to gain an edge on the stock market.
The Ponemon Institute surveyed 58 companies and found that cyberattacks had cost companies an average of $15.4 million in 2015, an amount 20 percent higher than the year before.
Universities and educational sites were targeted more frequently this year than before. Penn State identified a breach that had been open for almost two years. The University of Virginia, Rutgers University, and a number of testing sites in Florida, Minnesota and California were also victims of cyberattacks. Overall, Ponemon reports, fighting cybercrime cost institutions in the education and research sector an average of $11.4 million in 2015.
The number of Internet users continues to increase, and with the number of mobile phones and other portable devices and wearables increasing, the number of cyberattacks is expected to rise. However, we may see some changes in future attacks and how some of the personal information acquired may be used.
Cybersecurity firm McAfee Labs recently reported that cyberattacks on payment systems and cloud services will either hold steady or increase. They also noted a significant increase in ransomware attacks, where hackers effectively take control of an electronic device until the victim pays a price. Such attacks can be a matter of life and death when aimed at medical devices such as insulin pumps and pacemakers.
The Internet Crime Complaint Center has warned law enforcement and public officials about cyberthieves stealing and publishing their personal information. The same can be said for anyone whom cyberactors seek to intimidate, humiliate, or extort.
That being said, policymakers should avoid knee-jerk cybersecurity regulations as new attack patterns come to light. Setting standards, while admirable, would create complacency among large companies and turn them off of pursuing self-medicated — and potentially more effective — security measures. Small and medium-sized companies can't always reasonably afford to meet optimum standards, let alone comply with a slew of regulations. Even federal agencies have trouble meeting cyber and information security measures like those proposed by the Government Accountability Office.
But, unfettered by static and obsolete-as-soon-as-they're-enacted regulations, companies often can address malicious threats much more quickly and much more effectively.
Policymakers should continue to seek international partnerships and promote information sharing among government agencies and private companies. While neither is a silver bullet for stopping cyberthreats, they're valuable tools that shouldn't be ignored. Similar industries inside and outside of the U.S. may face the same type of cyberthreat; cooperatively preparing for future breaches will benefit both national and global security.
Finally, industry and government need to have a serious conversation about how to deal more effectively with new and growing cyberattacks — especially over how companies might be allowed to fight back. The private sector can do much more to defend itself. Congress should think about how far companies should be allowed to go in fighting cybercriminals.
Policymakers can help fight cybercrime, but passing rigid regulations isn't the answer. That approach simply stifles innovation in the name of security. Successful defense against a constantly evolving cyberthreat requires nimbleness, flexibility, creativity and plenty of information-sharing among the good guys.
-Riley Walters is a researcher in the Heritage Foundation's Allison Center for Foreign and National Security Policy Studies.
This piece was originally published in the Washington Times.