2017 Cybersecurity Statistics
As expected, 2017 brought more cybersecurity incidents than any
previous year. Apart from a reduction in the average cost to
organizations for each lost or stolen data record (down from $158 in 2016 to
$141 in 2017), the social and economic costs of cybersecurity vulnerabilities rose
significantly across the board. Here are the numbers:
- In the first half of 2017, over 900 data breaches led to almost 2 billion compromised data files, an increase of 164% from the last six months of 2016. (link)
- By the end of 2017, the Identity Theft Resource Center and CyberScout reported a record year-end high of 1,579 record breaches. This represents an overall increase of 44% from 2016. (link)
- These breaches largely stem from an uptick in cyber-attacks targeting businesses, climbing from 82,000 in 2016 to nearly double that figure at 159,700 in 2017. This increase is, in part, due to the rise of mass ransomware-based attacks. (link)
- In the United States alone, 16.7 million U.S. citizens were subject to identity fraud in 2017, an 8% increase from 2016. (link)
- Worldwide spending on cybersecurity rose 7% from 2016 to a record-setting high of $86.4 billion in 2017. (link)
Despite the persuasiveness of these statistics, not all
cyber-incidents are created equal. In addition to the sheer increase in overall
cyber-attacks, 2017 saw some of the most devastating single-origin
incidents in terms of both geographic reach and overall costs.
Major Cyber-Attacks
While firms spent massive amounts of resources attempting to
reduce their cybersecurity vulnerabilities, cybercriminals spent 2017 finding
and refining innovative and powerful ways to extort their victims at scale. The
global criminal hacking community (including certain nation-states) used these
new methods to carry out last year’s largest breaches. A few examples:
- WannaCry – In May, the WannaCry ransomware spread to over 150 countries worldwide. The ransomware, built using leaked U.S. Intelligence spyware, targeted businesses running outdated Windows software. Once the ransomware infected a system, the hackers demanded money, most often in the form of cryptocurrency, to unlock the system’s files. An estimated 300,000 systems were infected, including those of hospitals, car companies, and public utilities. In December, U.S. officials placed blame on North Korea for the attack.
- NotPetya – Just a month after WannaCry, in June, a malware dubbed “NotPetya” began infecting businesses across the globe. Though initially targeting Ukrainian businesses, the malware spread to multiple major global businesses, including several advertising, shipping, and energy giants. In early September, FedEx claimed to have faced losses of $300 million as a result of the attack. The U.S. recently announced that it believes Russia was responsible for the attack.
- Equifax – In September, major U.S. credit reporting agency Equifax announced that criminal hackers leveraged vulnerabilities in open source code used by the company to steal information on 145 million U.S. citizens. Although less globally significant than WannaCry and NotPetya, the Equifax breach stands out because the records involved contained highly sensitive information.
In response to a growing number of attacks connected to
nation-states, 2017 saw some experts call for an international response to the
global cybercrime crisis.
Despite important steps forward, efforts largely failed to coordinate agreement
on a viable international cyber law regime.
[Inter]National Cyber Law
Hopes were set high for international cooperation following the
release of the Tallinn Manual 2.0 in early 2017. The
manual, a collective effort of internationally
renowned cybersecurity experts, serves as a cyber resource to international
actors. Specifically, the manual addresses the international norms of
state-sponsored cyber operations as well as more
common cyber incidents.
Despite the early success of the Tallinn Manual 2.0, 2017 ended
without international agreement. In summer 2017, the U.N.-sponsored Government
Group of Experts (GGE) announced
they had failed to reach a consensus on the status of international laws and
norms in cyberspace. The announcement marked the unsuccessful end to a nearly seven-year
process to write the rules on state activity in cyberspace.
Much, if not all, of 2017 is defined by the failure of
cybersecurity efforts to fend off malicious attacks by both private and public
actors. Without international agreement on a viable legal framework or innovative
tech-based solutions, the global population remains vulnerable. But maybe
things will get better. After all, there’s always next
year.