U.S. Government and private-sector computer networks present a very attractive target for illicit activities. Computer intruders can move freely without reference to state or national borders and can perform their tasks without gaining physical access to the system under attack. These factors make it more difficult to detect the theft of information and the origin of the intruder.
"Hacking U.S. Government Computers from Overseas" describes four cases of foreign hackers, operating from overseas, who made significant intrusions into U.S. military and other government computer systems.
The Computer Security Institute, in conjunction with the San Francisco FBI field office, conducts an annual Computer Crime and Security Survey. The 2004 survey received 486 responses from a diverse sample of organizations in both the private and the public sectors. Seventy-eight percent of the respondents reported having detected at least one incident of a computer attack or costly computer misuse during the previous year. Most reported multiple incidents, and 12 percent reported being aware of 10 or more such incidents.[1]
The types of incidents, percentage of organizations reporting each type of incident, and the financial costs of these incidents are shown in the table below. It is noteworthy that most organizations were either unable or unwilling to estimate the dollar costs of these incidents, so the dollar figures in the table are summary costs for just 269 organizations.
There can be considerable variation in these figures from one year to the next. In previous surveys since 1999, theft of proprietary information accounted for the greatest loss. In the 2003 survey, for example, the theft of proprietary information was valued at $70,195,900, or an average of approximately $2.7 million per reported loss.
It is impossible to know the extent to which foreign governments and other foreign organizations or individuals are behind these incidents. The 2004 survey report does not cover that topic, but the report on the 2003 version of the same survey does have the respondents' views on the "likely sources of attack." Twenty-eight percent of respondents attributed attacks to foreign governments, 25% to foreign corporations, 82% to independent hackers, 40% to U.S. competitors, and 77% to disgruntled employees. This adds up to over 100% because most respondent organizations had multiple attacks.
The 2004 survey showed that only 20 percent of the respondents that experienced computer intrusions reported these crimes to law enforcement authorities. There is reluctance on the part of the private sector to report allegations of computer and economic crime to law enforcement authorities. A large number of these crimes go unreported because of a company's fear of undermining the confidence of its shareholders, of negative publicity, and of further exposure of trade secret information during prosecution.
Similar results were found by the Deloitte & Touche accounting firm when it conducted face-to-face interviews with senior information technology executives of the top 100 global financial services organizations. Eighty-three percent of these firms had had an external attack on their information technology systems within the previous year, which was up from 39% a year earlier. Of this group, 40% said that the security breaches had resulted in financial losses to their organization.[2]