As the U.S. economy is becoming increasingly reliant on information technologies, it faces growing threats from malicious cyber actors. The public was recently reminded of the scope of the threat by the brazen ransomware attacks against Colonial Pipeline and JBS SA, the world’s largest meat processing company, with both attacks raising prices and affecting consumers. It is no surprise that these particular companies were chosen as ransomware targets. In addition to having cash for sizable ransoms, these types of businesses value operational continuity. Healthcare, government and services sectors, where disruptions are life-threatening, critical, or both, are more likely to be hit by ransomware attacks than, say, real estate developers.
Despite recent news, the majority of adverse cyber events are never publicly reported. To preserve their reputation with customers and corporate partners, more often than not, companies try to hide from the public that their networks have been breached. While I covered cybersecurity at the President’s Council of Economic Advisers (CEA) at the White House in 2017 and 2018, I saw firsthand that the current disclosure rules for publicly traded corporations are too vague. It is quite easy for companies to avoid reporting malicious cyber intrusions.
While many companies often fail to report, and even to detect, intrusions into their networks because of the sophisticated actions of nation-states and increasingly skilled cyber criminals, the FBI is able to independently detect some of the hacks. Through its victim notification program, the Bureau notifies the affected entities and also offers to help. I was surprised, however, to discover that companies frequently refuse the FBI’s offer. Some firms may honestly believe that they can adequately handle the investigation and recovery. But more nefarious reasons could be at play. (For example, if in the course of investigation the FBI discovers potential wrongdoing, it will be obligated to investigate further; hence, some victims may pre-emptively refuse the FBI’s help.)
To make the public aware of the full scope of the cyber threat, the FBI would do a great service to all by revealing — through the use of anonymized data — the targets of its victim notification program. Making public thousands of observations on cyber intrusions would serve to encourage companies to increase their cybersecurity spending and will help speed up the growth of the emerging cyber insurance sector. Moreover, releasing the anonymized data on the companies that refused the FBI’s help would help encourage socially responsible investing.
An FBI report would also help shed light on the nature of cyber threats. While ransomware attacks and the “distributed denial-of-service” attacks, which disrupt access to public websites, are relatively easy to detect and get oversized media attention as a result, they are generally not the most devastating for companies. In a 2018 report on the economic cost of malicious cyber activity, my CEA colleagues and I found the most devastating are cyber intrusions that result in the theft of a company’s intellectual property and confidential strategic plans. Such thefts are difficult to detect and most are never reported to the public. Typically, companies, universities, and government agencies working on strategically important and not-yet-patented technologies are the ones being targeted. More recently, COVID vaccine developers were being targeted for intellectual property theft. For small, single-product companies, a cyber theft of their intellectual property can be devastating and even result in bankruptcy.
Another type of data that cyber thieves target is personally identifiable information (PII), that is, customer and employee data increasingly collected by companies. Generally, though, corporations do not suffer significant repercussions when PII theft is discovered, because by now most Americans have had their personal information stolen so frequently that they no longer consider it to be private.
The greatest cyber threat to the public today exists in companies and organizations where the cyber and physical domains overlap, and where malicious actors may cause equipment damage and even deaths. A particular vulnerability lies in the so-called supervisory control and data acquisition (SCADA) software that controls physical equipment, and which is widely used by energy, transportation, manufacturing, and many other companies. SCADA systems are unfortunately quite vulnerable to cyberattacks. Luckily, unlike those in other countries, critical infrastructure systems in the U.S. have been spared so far from SCADA attacks despite known cyber intrusions, most likely because the hackers fear a punitive U.S. response.
When assessing the cost of malicious cyber activity to the U.S. economy, it is important to account for the negative spillover effects: The overall cost is larger than the sum of the losses suffered by the directly affected entities. Because the economy is so interconnected, the adverse shocks propagate through company networks, affecting other firms in the supply chain, and, as we saw in the most recent ransomware attacks, even reaching consumers in the end. In 2018, malicious cyber activity cost the U.S. economy up to 0.64 percent of GDP. One can easily imagine that, given the lucrative nature of the business and the low risk of being caught, the costs of malicious cyber activity to the U.S. economy will likely continue to grow.