Despite the increased frequency and severity of online crime and espionage in 2011, many American corporations and consumers are still not taking the threat seriously, the FBI’s top cyber official said Thursday.
The risk posed by criminal hackers is “existential, meaning it could eliminate whole companies,” said Shawn Henry, the FBI’s executive assistant director. If hackers were able to tamper with critical infrastructure such as the power grid, “it could actually cause death,” Henry said in remarks at the International Conference on Cyber Security in New York.
To highlight the growing threat, Henry cited several recent FBI investigations, such as one involving a smaller company that went out of business after hackers stole $5 million from accounts, another concerning a larger firm that “virtually overnight” lost a decade of research and development worth $1 billion, and still another regarding hackers who encrypted millions of records of a health services company and demanded money for the password.
“We’ve seen the number and sophistication of the attacks by these cyber actors increase dramatically,” Henry said.
“Hundreds of millions of dollars have been stolen, primarily through the financial services sector, just in the last couple years,” he said. An organized crime ring in Eastern Europe, for example, earned about $750,000 per week from cyber theft, he added.
Henry’s warnings came after what some have called the Year of the Hacker. Numerous major organizations, from Sony to the U.S. Chamber of Commerce, revealed last year that hackers had infiltrated their networks to steal corporate secrets or leak sensitive customer data.
Many security breaches last year were attributed to the hacker group Anonymous, which claimed responsibility over the holidays for bringing down the servers of global intelligence firm Stratfor and stealing thousands of credit card numbers and other customer information.
But Henry made no mention of the group in his remarks. Instead, he said today’s most dangerous hackers generally fit three profiles: nation states targeting research and development, intellectual property and corporate strategies of American companies; terrorists who have shown a growing interest in using cyber attacks against critical infrastructure; and organized criminals wielding botnets (or networks of zombie computers) to attack corporate computer networks.
The FBI is also noticing more “persistent threats,” hackers who access a company network “for many months, in some cases years” without detection, Henry said.
In one case, Henry said, “the administrator of a network … had no concept or understanding that an adversary had been pilfering data, viewing data and all the transactions within that organizations for a very long time.”
To combat rising cyber-crime, Henry said, the FBI has taken several new measures, such as embedding agents with police departments across Eastern Europe, including Estonia, Romania and Ukraine. Such efforts have paid dividends, he said, citing Operation Ghost Click, a two-year FBI investigation that led to the arrests of six men from Estonia for allegedly running a sophisticated Internet fraud ring that netted more than $14 million in online advertising revenue.
The growing cyber risks threaten not just corporations but also consumers, Henry said. The advent of new technology, particularly smartphones, has opened up new attack vectors for hackers. Many Americans now conduct personal banking by accessing Wi-Fi hot spots on their smartphones, which can lead them directly into traps set by cybercriminals.
“We’ve seen adversaries who set up these Wi-Fi hotspots intentionally to pilfer data,” Henry said.
Hackers working within organizations, or “insider threats” have also become a growing risk, he said. In February an Apple employee was convicted of transmitting confidential information to Asian suppliers of iPhone and iPod accessories in return for more than $1 million dollars in kickbacks, he said.
Yet despite the growing cyber-security threats, many organizations continue to ignore it, Henry said: “Either they don’t recognize it, they don’t understand it or they don’t care.”
Said Henry: “They look at many risks but they don’t see this risk — the loss of all their intellectual property, the loss of all their corporate strategies into the ether.”