It seems that everyone and their brother are now saying that the U.S. is in the midst of a recession. The market analysts are predicting that the U.S. GDP will actually go negative this year. It must be official now that even the White House has acknowledged it. This got me to thinking about the effect a recession might have on my industry (IT security). My first thought was that if the profits of companies start dwindling then their IT budgets will predictably follow suit. If IT budgets dwindle then my experience tells me that the security budgets will take an even larger percentage hit than IT overall. When fighting for IT dollars in many cases security gets lost, put on hold, and brushed under the carpet. Thankfully, we now have a proliferation of compliance/regulations (PCI, HIPAA, SOX, etc.) that can compel organizations to focus some budget on security projects.
So, if a recession will force security budgets to shrink at a greater percentage rate than the IT budget as a whole, what does that mean for an organization's ability to defend itself? Well, let's see how a future scenario might play out. Company XYZ will be consolidating their operations into a new location. They must purchase new IT gear for the new location. During the design phase it is highly likely that security controls (FW, IPS, Host, etc.) will be reduced or eliminated altogether because of budget constraints. The end result is that Company XYZ has just reduced their security posture and ability to defend themselves.
As if the hypothesis that a recession will decrease the security effectiveness of organizations isn't bad enough, there is precedent that low GDP growth tends to increase the proliferation of new, highly effective cyber attacks. Why is that? Well, I have a theory on it.
Negative GDP growth and a recession bring with them job layoffs and losses. This produces a large skilled IT labor pool that is out of work and has time on its hands. So this brings up a question: Is there a correlation between the number of out-of-work IT professionals and the number of cyber attacks? I did some research to find out. The bursting of the dot-com bubble in late 2000 and 2001 was a horrible time to be in IT. During that time we saw massive IT job loss that resulted in the creation of a large pool of unemployed skilled IT workers. So I used this timeframe for my research.
During this time the U.S. economy saw a large weakening in the GDP growth of the country (as shown in the diagram below).

Image Source: Lombard Street Research
Note that the red circles above indicate economic recessions.
What I found out in my research was that during this 2000-2001 timeframe we saw the proliferation of some of the most notorious cyber attacks ever seen. Here are some examples:
Based on this, my research suggests that there is indeed a relationship between slower GDP growth/recessions and an increase in cyber attacks. It might be a result of the mass IT unemployment that recessions trigger. Skilled IT folks who have just been fired, can't find a job, and have extra time on their hands seem like the perfect ingredients for whipping up a batch of cyber anarchy to me.
Do you believe there is a strong correlation between recession and cyber threats?
So, will our current economic recession trigger the same cyber assault cycle that previous recessions have? Will we see new, more powerful worms propagating the world in the coming months? Let’s hope not!
The opinions and information presented here are my personal views and not those of my employer.
Jamey Heary, CCIE No. 7680, is a security consulting systems engineer at Cisco. He leads its Western Security Asset team and is a field advisor for Cisco's global security virtual team. Jamey is the author of the recently published Cisco NAC Appliance: Enforcing Host Security with Clean Access. His areas of expertise include network and host security design and implementation, security regulatory compliance, and routing and switching. His other certifications include CISSP, CCSP, and Microsoft MCSE. He is also a Certified HIPAA Security Professional. Jamey has been working in the IT field for 14 years and in IT security for 9 years.
Not necessarily
Interesting conjecture, however your data set isn't conclusive.
To show a correlation you need to graph all attacks for not only the time period in question (the economic slowdown) but also the time between them and then and now. Then you can see whether there were more at the time of the slowdown than any other time.
Didn't Melissa come out in the early '90s? :)
G.
Agreed
Agreed, glashoppah. The sample is small enough that a coincidence is possible, and even likely. I also think it is a stretch to think that unemployed technical people with too much time on their hands will resort to unethical, illegal, activities.
If my memory is correct, typical attacks and worms in the early 2000's were performed by young people looking to make a name for themselves or increase their reputation. Off the top of my head, I can't think of any laid off programmers or security professionals launching worms.
Statistics
I agree the sample size I have available is too small to show a statistically significant result. But we have only had one recession to pull data from that is recent. My purpose was not to show statistical significance but rather put forward the theory that a recession might cause more cyber attacks. Research does show a significant decrease (as compared to 2000-2001) in the number of devastating, high visibility, attacks launched as the economy recovered from the 2000-2001 recession.
But I'd also agree that the attack vectors have changed, from a "look at me" worm to a "I'm gonna hide and you'll never know I'm here" spyware.
-Jamey
Statistics
Jamey,
Isn't it also possible that the origin and nature of these attacks have changed, thus reflecting a variance? In the past (as you stated) attacks were performed for ego and prestige and, to be totally honest, most were annoyances relative to what we have been seeing over the past 3 years.
It seems to me that the bulk of attacks today are monetarily centered and well organized. The old days of a high profile website defacing have given way to the stealing of PI and financial information, selling stolen identities, etc... A single attack netting 300,000 credit card numbers or 500,000 SSN's would be far more detrimental than the defacing of a corporate website.
This isn't to say that the ego junkies are gone, but that their impact may be considered minor relative to a single compromised server/database where all of a company's customer data resides.
Your conjecture may pan out - if the economy turns into a recession and security budgets are cut then this would make prime fodder for the 'new' organized cyber crime syndicates.
Thanks for opening this topic.
Attacks have changed
I absolutely agree that attacks have changed. But my postulation that the attacks will get worse is not necessarily tied to only high visibility worms/viruses. It just happened that during our last recession those were the types of attacks wreaking havoc. I would postulate that during this recession, if my theory becomes validated, we would see an increase in the number and effectiveness of spyware, malware, and targeted for-profit attacks. Maybe it is already starting? See here:
http://www.snpx.com/securitynews/article.php?title=Thousands_of_Clean_and_Pirate_Websites_Affected_by_Massive_Web_Attack
-Jamey