According to published news reports this morning covering a press conference by Attorney General Eric Holder, “The United States has for the first time filed criminal charges against foreign government officials in connection to cyberspying allegations.” The grand jury indictment charges five men with “conspiring to commit computer fraud and accessing a computer without authorization for the purpose of commercial advantage” according to the New York Times. In the press conference, the Assistant Attorney General provided specifics related to the case examples of companies affected and the types of information stolen from them.
Officials mentioned the Mandiant Report, last year’s watershed public exposure of this type of activity. In that report, Mandiant describes the theft of hundreds of terabytes of data from more than one hundred companies in twenty major industries since 2006. On average, a target company was attacked and then remained exposed for a year or more while information such as technology blueprints, proprietary manufacturing processes, test results, business plans, pricing documents, partnership agreements, emails and contact lists were targeted. Many of the targets turn out to be major companies such as Westinghouse, US Steel and Alcoa.
But this is just the tip of the iceberg. In the U.S., much of the innovation and many of the jobs come from small or startup companies who don’t grab the headlines and who may not know that they are targets. In the manufacturing sector, for example, data from the NIST Manufacturing Extension Partnership (MEP) indicate that something like 80% of current U.S. manufacturing jobs are with companies of fewer than 50 people. Most of these companies spend a large majority of their time simply trying to grow the business and stay ahead of the competition through innovation, and may not have either the expertise or resources to adequately protect their intellectual property from cyber attack. These companies are perhaps the most underserved segment of the industrial base with current large enterprise cybersecurity solutions, and the largely invisible damage inflicted here represents a particularly corrosive threat to legitimate areas of competitive advantage for the country.
Indeed, we know they are a target. According to the NetDiligence 2013 report Cyber Liability & Data Breach Insurance Claims, 63% of US Secret Service forensics investigations are at companies of fewer than 100 employees, and 45% of insurance claims paid are to companies in the small-cap (less than $2B revenue) or nano-cap categories (less than $50M revenue), split about evenly. According to Rep. Frank Wolf (R-VA), chairman of the House Appropriations subcommittee that funds NASA and many of the nation’s science programs, “I have seen up close how certain countries…have targeted federal agencies, contractors and law firms to steal billions of dollars of cutting-edge technology that diminishes our national security and undermines job creation.”
There may be some hope however, creating sector-focused markets of small and mid-tier companies for a new generation of emerging cybersecurity solutions such as those at Mach37. We are in active discussions with manufacturing organizations and other industry alliances, regional threat-sharing groups, and similar partnerships that can bring appropriately scaled technologies to groups facing a common set of threats. We are also fostering a set of potentially disruptive technologies that can help fill this dire need. To name a few:
– Pierce Global Threat Intelligence provides a new mechanism for real-time sharing of threats
– Identia provides one approach to securing supply chains by simplifying identity management across organizations
– MSB Cybersecurity provides support for cybersecurity standards compliance along with actionable recommendations
– Axon Ghost Sentinel detects unusual behaviors in distributed device environments
– Disrupt6 is on the leading edge of new security paradigms for the emerging world of the production internet (IPv6)
To be sure, nobody has the silver bullet to “fix cybersecurity”. But, active promotion of the next generation of cybersecurity solutions and companies, and accelerated connection of those solutions with the groups that need them most, can go a long way to effectively dealing with the high stakes world of cybersecurity in which we live.