Securing computer networks has become paramount in the new digital age. Computer and network security, most often referred to as cyber security, involves safeguarding Americans private information, securing financial data, protecting national military secrets, and creating a bulwark around our most important intellectual property secrets that drive our economic growth.

The Internet was founded on the principal of information sharing. But it is the interconnectedness of everything that has made us more vulnerable to our enemies. As President Obama stated,

It's the great irony of our Information Age -- the very technologies that empower us to create and to build also empower those who would disrupt and destroy.  And this paradox -- seen and unseen -- is something that we experience every day.

The annual costs of Cybercrime have recently been estimated by McAfee at over $400 billion. The McAfee study noted that cyber crime costs about 15% of the Internet revenues, a lofty sum. Most businesses would certainly categorize a risk of 15% to their business as substantial, and even develop strategic initiatives to address such a large risk.

However, studies also show that most businesses are not dealing that issues that online crime create effectively enough. According to the 2014 Verizon Data Breach Investigations Report, the gap between the amount of time it takes to hack systems versus the time responders are able to discover the hacks is widening. This does not account for the extra time it takes to resolve the network security issues and put in place future preventative measures. The trend shows that the increased efficiency of the attackers is overwhelming current incident response teams and creating chaos on the Internet.

Figure 1: Discovery time versus breach time

Given the spate of point of sale (POS) related attacks within the last two years, cyber crime is threatening not only to cost businesses more and more of their online profits, but to create uncertainty in the American marketplace. This uncertainty is an unwelcome addition to the current list of concerns regarding our economy. While Americans can endure certain amounts of financial shocks, cyber crime’s relentless advance threatens to derail the digital economy we are counting on more and more for economic expansion.

Our current approach to addressing cyber crime is simply not working. Having worked in the field for several years, the problems relate to lack of awareness by company leadership, lack of cohesion to leading security practices, lack of funding of security projects, and not enough information security workers to address the current problem.

In addition, the effort will require foundational changes to the way systems communicate openly on the Internet as well as cultural changes in the way Americans trade with each other. Good security necessitates a closed ended, zero-trust model where you don’t inherently trust your neighbor to do the right thing with your information because the Internet simply allows anybody can be your neighbor online.   

Investors need to be aware of the risks that Cyber Security imposes on companies. To that end, the SEC is encouraging companies to report risks related to cyber crime in their official filings. In addition, costs specific to cyber-crime must be enumerated in public financial records.

This is a good first step to provide the market with usable information on cyber risk. However, companies have little incentive to truly report the costs of cyber crime. The public perception of security risk often outweighs the actual costs to the business, so companies are not likely to highlight all of their issues in public documents. Further, most companies don’t truly know what their costs are because most are struggling to identify and resolve breaches on their systems that they may not even be aware of yet.

And how does the investor quantify the costs of stolen intellectual property (IP) ? According to a former senior security official with Nortel, Chinese hacking over a 10 year period was so extensive as to be a major cause in the eventual downfall of the company. The end result of so much stolen IP was to force Nortel to compete with a cheaper version of itself in the same market. Indeed, many of Nortel’s former customers now procure the same services from the Chinese company believed to be behind the cyber attacks on Nortel’s most important company secrets. Even though Nortel management was told about the breaches, they did very little to address them as they were occurring.

There are many things we do not know about the strength of individual companies. Indeed, prognosticating the future state of the economy is also very difficult. Both the current costs and unknown future consequences of lost IP should give every investor pause while examining the market. Investment assumptions we make today could be turned on their head once new cyber security issues are discovered and reported on. As well, we should be careful in making long term assumptions about the future of the American economy until we have learned to deal with the current cyber crime threat in more proactive and effective ways and reduce the risks to manageable levels.