A recent report released by the US Government Accountability Office highlighted a critical aspect of our ever-changing world — the USA is under a full-scale foreign invasion and we are losing our battles on all fronts. Not because we are incapable of solving the problems that we face; in fact, we are more than capable of rising to this technical challenge. Our issue as a country and as a culture is an unwillingness to admit that we have a cybersecurity problem.
We live in a new age of piracy, where rather than the tall ships of the age of piracy bearing a letter of marque, we have state-funded hacking groups conducting non-attributional cyber operations. Rather than plundering treasure from trade ships at sea, these pirates are plundering intellectual property and ransoms straight from our economy and causing wide-spread economic disruption that directly affects our communities.
Much like the piracy of the Age of Sail, the gains and losses are hard to quantify. While there is clear loss from those that are plundered, piracy is leveraged by nation-states to quickly force the development and adaptation of new technology as well as gain advantage against larger or more powerful opponents at a reduced risk of loss. This is no different in modern contexts when compared to those from the 17th and 18th centuries, when giant corporations like the Dutch East India Company (VOC) would quickly develop and deploy new shipping and trading technology to gain an edge, while foreign states would attempt to steal, subvert, or re-develop these technologies by funding pirates to do the plundering on their behalf.
There is one famous example found within the Sino-Dutch conflicts, which was a series of battles and trade disputes between the Dutch East India Company (VOC) and several Chinese nation states. These conflicts were defined by the use of pirates on either side of the conflict. The legendary pirate Zheng Zhilong is one such famous example of a “pirate lord” who played both sides of the conflict for personal gain. The VOC initially collaborated with Chinese pirates due to the refusal of the Ming empire to trade with Europe. Zheng Zhilong became employed as a privateer by the VOC and, throughout his career, amassed an advanced fleet using European technology. He would later turn on the VOC at the Battle of Liaoluo Bay, using their own technology and knowledge against them to cement Ming dynasty sovereignty over Chinese trade.
In modern contexts, we see the same give-and-take today between American mega-corporations like Microsoft and Amazon developing bespoke computing solutions to solve technical hurdles and ensure advanced security, privacy, and data sovereignty protections, while foreign nations fund their own efforts to subvert or otherwise steal these technologies.
Myth 1: Piracy is bad and all piracy is illegal
We have centuries of precedent that demonstrate the usefulness of pirates to nation states. Without the pirate Zheng Zhilong, it is without question that the Ming Dynasty would have struggled to retain its economic and maritime superiority over the VOC through the Sino-Dutch conflicts. In more familiar contexts, Apple itself was launched via piracy, through Jobs and Wozniak’s development of the blue box which was used to hack into Bell telephony systems and then mass produced for the underground hacker community of the 1970s. Some of our capitalist heroes in the tech industry began their careers and their companies operating as pirates on the fringes of society and technology.
This effectively means that piracy will be a persistent economic threat and capitalist advantage that can be beneficial or harmful depending on how our technology and law adapts in response to actions taken within these grey areas. Where we stay ahead of piracy and do everything we can to protect ourselves from these foreign actors, we will spur technological innovation. Where we fall behind, it benefits only the hackers and the foreign governments that employ them. It is important to remember that these hacking groups are well-funded and operating legally within the countries that employ them.
Myth 2: Cybersecurity is expensive
While this may be anecdotal, it is perhaps the most common argument made by opponents of adopting cybersecurity practices. NIST released a report in 2018 that detailed the economic impacts of the Advanced Encryption Standard (AES). AES is currently used as one of the most secure forms of encryption. It was estimated that the economic benefit-to-cost of developing and deploying AES was $250 billion. Beyond the overall macroeconomic benefits of developing new technologies, showing the cost benefits of the small business is straightforward.
Consider a manufacturing company with an AGI of $12,000,000. Across the 261 working days of the year, this equates to a revenue stream of approximately $46,000 per day. Consider further an operational budget of approximately $6,000,000, which across 365 days equates to a daily operating cost of $16,438. Now, consider a ransomware event that causes a downtime of 5 days, across one weekend. The cumulative resultant loss of revenue and operational costs of 5 days of sales and 7 days of operations in its worst case would be $345,066.
With 50% of businesses in the US reporting that they have been hit with a ransomware attack, it is only a matter of time for a company that does nothing to protect themselves. Let’s assume that there is a 20% chance per year that the event will happen. Some quick napkin math shows that you could expect to budget $69,000 per year for this single attack. This does not take into consideration the other types of malware, and attempted theft of sensitive data or intellectual property that happens as a result of international piracy.
What this does show is that small businesses can expect to pay, no matter what, $5,750 per month in cybersecurity costs, either as an investment in the business or in economic damages to these bad actors for this single attack vector alone.
Unintentional sabotage is the basic premise of the ransomware attack, but basic cybersecurity hygiene greatly reduces the likelihood of human error that results in a breach. Adopting a publicly vetted cybersecurity standard like the NIST Cybersecurity Framework helps ensure that resources allocated for security are an investment in the business and not a throwaway to digital pirates.
While the US has been slow to adopt policy to encourage or require basic cyber hygiene for American business interests, many large corporations have invested heavily in mitigating modern security risks. There is still a substantial gap to close when it comes to the small businesses at the heart of the American economy. The US Department of Defense, tired of hemorrhaging intellectual property to adversaries from small businesses in their supply chain, recently launched the Cybersecurity Maturity Model Certification (CMMC) program, directly aimed at mitigating these risks.
Many companies, including Steel Root, have surfaced as a direct response to combat the existential threat of unmitigated cyber warfare. Staying ahead of this new breed of pirate is not only necessary for doing business but, when applied properly, it can actually be a vector for business growth and competitive advantage. The real trick to overcoming modern security threats is to make sure that it is not profitable for state actors or adversaries, and take what profits are available to use in our own technological advances.