Fifty years ago, a superhero leaped tall buildings in a single bound and used x-ray vision to catch evil criminals.   Today, some of the world’s most threatening criminals are computer hackers.  Superman may not be able to save us from cataclysmic cyber attacks, but we can rest a little easier knowing seven cyber guardians are holding keys to one of society’s most valuable commodities—the internet.  

ICAAN, the Internet Corporation for Assigned Names and Numbers, has provided “keys” to the internet to seven members of the global community. As discussed in prior posts, ICAAN is a non-profit watchdog group that helped establish Domain Name System Security Extensions,  or DNSSEC.   The DNSSEC—which just became enabled this year— is a critical security technology that lies at the core of the internet’s global addressing system.  It protects the very heart of the internet by ensuring that users reach the intended web address.

Read the rest of this entry »

Interviewing for your first job as a teenager is as exciting as it is intimidating. Thoughts of what to do with your first paycheck consume your mind as you rehearse your best “do-you-want-fries-with-that” smile. The interview proceeds flawlessly and you start to count the dollar signs as you await the job offer. But imagine your surprise when you are informed that you did not get the job because your background check revealed that you are over $75,000 in debt and five years behind in your child support payments for your eleven year old child…a terrifying thought considering you are only 16 years old.

Adults aren’t the only victims of identity theft. Child identity theft is an increasing and understated crime. A child’s Social Security Number (“SSN”) is the perfect target, as the theft typically goes undetected until years after the crime has taken place. Indeed, the crime might not be discovered until the rightful owner/victim uses his or her SSN for the first time years later. This revelation often occurs when the victim applies for his or her first job or financial aid before college.

The scheme works as follows: businesses are using various techniques to search the Internet for dormant SSNs. These numbers often belong to long-term inmates, dead people or children. Obtaining them is not as difficult as one may think, as SSNs are distributed systematically depending on age, geographical location and when the number is issued. Once it has been determined that no one is actively using the number to obtain credit, the numbers are offered for sale.

Read the rest of this entry »

Lest one question the severity of the evolving challenges in our rapidly growing cyber world, President Obama has crystallized it succinctly: (1) “cyber threat is one of the most serious economic and national security challenges we face as a nation;” and (2) “America’s economic prosperity in the 21st century will depend on cybersecurity.” In other words, President Obama has declared cybersecurity to be a national security priority.

While that’s obviously good news, the follow-up question is “how are we doing in meeting the associated demands?” Regrettably, not so well, it seems.

Speaking before cybersecurity and privacy experts from government, law enforcement, the private sector, academia and privacy and civil liberties groups, President Obama, Homeland Security Secretary Janet Napolitano, Commerce Secretary Gary Locke, Cyber Coordinator Howard Schmidt and other Administration officials uniformly acknowledged that far more work needs to be done to protect digital communications and information infrastructure and make it more difficult and costly for cybercrimimals.

Read the rest of this entry »

Apparently feeling that they’ve resolved the longstanding issue of illegal immigration and can move on to the next crisis, Immigration and Customs Enforcement (“ICE”) and the U.S. Justice Department have identified a new enemy in their ongoing stuggle to protect truth, justice and the American way: Internet sites that sell counterfeit goods and pirated movies.

Indeed, just this month, government officials announced that they have shut down nine websites as part of their newly announced initiative, “Operation In Our Sites,” which is intended to protect Hollywood’s intellectual property. Officials estimated that nearly 7 million pirated movies and shows per month were downloaded from the offending websites.

The announcement was held on a soundstage at The Walt Disney Studios in Burbank, CA. Neither Johnny Depp nor Captain Hook reportedly was present.

Read the rest of this entry »

We’ve all heard the story of the clerk at the local gas station who was double-swiping credit cards in order to make fraudulent copies. Online banking, restaurants, clothing retailers…every industry is potentially a target. Yet the industry that was the subject of more credit card thefts than any other sector in 2009?  Hotels.

To the point, SpiderLabs (an affiliate of Trustwave, a data-security consulting firm) has published a study which reports that 38% of the credit card hacking events in 2009 involved the hospitality industry.  Over one-third of all thefts of credit card numbers occurred at hotels. Much to my surprise, given the wealth of reporting on the subject, the financial services industry lagged well behind at a comparatively minor 19%. Retail followed at 14.2% while restaurants and bars were fourth at 13%.

I guess I shouldn’t have been surprised, though, as my own credit card number was stolen several years back while i was staying at a business travelers’ hotel in New York City. I had gone to the City for a Cinco de Mayo event sponsored by a major international insurer. Several days later, I received a call from my credit card company asking if I had bought gasoline on Long Island or a $5000 television at a big box retailer. While I do buy gasoline, I hadn’t been on Long Island. And while I certainly would have loved a $5000 television (or, for economy’s sake, something less pricey), I hadn’t bought that either. The conclusion was simple: my credit card number had been stolen when I used it at the New York hotel.

So, why hotels? According to security analysts, they’re generally easy targets. The large chain hotels may employ sophisticated security technology or other protections. Or they may not. In either case, how about smaller or private owned, non-chain hotels? The next time you check into a hotel, ask what security methods they use to protect credit card information. You probably won’t like the answer. The credit card number that you provide at check-in may sit in a folder or a file maintained right at the front desk. Who would prevent someone from simply lifting the file? Especially in the middle of the night. The single desk clerk on overnight duty?

Read the rest of this entry »

It is tempting to think, with more sources of information instantly available to us than ever before, that people are much better informed on the issues of the day, especially those that have a major impact on world affairs. But is that the reality? Does this availability of information translate into a better informed, better educated world population? I speak of course, of people who have uncensored access to the Internet (unlike, say, the population of North Korea where many people do not even know of its existence – see the great article “Nothing Left“ in this week’s New Yorker by Barbara Demick).

I was led to muse on this topic while reading William L. Shirer’s The Nightmare Years, his book about his time as a journalist in Hitler’s Germany. Shirer recounts a brief visit to New York after a number of years based in Berlin. Full of the horrors of Nazi Germany, and Hitler’s recent renunciation of Versailles and Locarno, and the sending of troops into the Rhineland, he naturally expected that his fellow countrymen would be agog to hear his news and discuss the ramifications of what was happening in Europe. He was appalled to find that no-one was interested, that domestic concerns were of far more interest and that people thought he was exaggerating what was happening to the Jews in Germany.

People in the 1930s, Shirer’s fellow Americans, did not have the Internet, but they did not lack for sources of information. Foreign correspondents, like Shirer, sent daily reports by telegram. People had alternative sources that spun the news different ways – just like today. In fact one of the fascinating aspects of Shirer’s story is his telling of the great difficulty that the Berlin correspondent of the Times (the London one) had in getting his paper to print anything that was at all negative about Hitler’s Germany.

Read the rest of this entry »

Within the last week, two separate intellectual property search engines were launched, each of which has the potential to significantly palliate searches for patents, trademarks and other IP. http://www.wipo.int/wipogold/en/

Specifically, on June 1, 2010, the World Intellectual Property Organization (“WIPO”) introduced a free online public resource, “WIPO GOLD”  which aims to facilitate universal access to IP information. It promises “quick and easy access to a broad collection of searchable IP data and tools relating to, for example, technology, brands, domain names, designs, statistics, WIPO standards, IP classification systems and IP laws and treaties..” The site also includes a helpful translation option, should users wish to search results in a language other than the default, English. The news report can be viewed here: http://www.wipo.int/pressroom/en/articles/2010/article_0018.html

Meanwhile, the United States Patent and Trademark Office (USPTO) separately announced on June 2, 2010 that it has entered into a “no-cost, two-year agreement with Google to make bulk electronic patent and trademark public data available to the public in bulk form.” Under the agreement, USPTO will provide Google with “existing bulk, electronic files, which Google will host without modification for the public free of charge.” Examples of searchable items include: patent grants and applications; trademark applications and Trial and Appeal Board (TTAB) proceedings; and patent classification information. The USPTO and Google also will work together to make additional data available in the future, such as patent and trademark file histories and related data, the office said. The bulk data can be accessed at http://www.google.com/googlebooks/uspto.html.

In other words, as technology moves forward, so too does the ability to research and guard intellectual property ownership and interests… at least in the Western Hemisphere and other WIPO member countries. Now, if only the remainder of the world could come together to unify owners’ capabilities to globally protect their IP rights.

So, you think that a corporate cyberattack has nothing to do with you? If so, think again. Indeed, to the extent you own stock or securities, the value of your holdings could be at risk in the event of a cyberattack. I’ve said it before and I’ll say it again: Cybersecurity is an economic issue. See here.

Take, for example, Intel (INTC). In its 2009 10-K, released in late February, the company disclosed in a tersely worded statement that its networks had been the victims of “sophisticated” attacks. This revelation, contained in the “risk” section of Intel’s 10-K was intended to comply with U.S. Securities and Exchange Commission mandates which require public companies to disclose risks which could cause them to fall short of their profitability projections.

While Intel listed several such risks, the most intriguing was the one which stated that “We may be subject to intellectual property theft or misuse, which could result in third-party claims and harm our business and results of operations.” Intel’s disclosure continued that “[w]e regularly face attempts by others to gain unauthorized access through the Internet to our information technology systems by, for example, masquerading as authorized users or surreptitious introduction of software….These attempts, which might be the result of industrial or other espionage, or actions by hackers seeking to harm the company, its products, or end users, are sometimes successful. One recent and sophisticated incident occurred in January 2010 around the same time as the recently publicized security incident reported by Google.”

While such disclosed risks may or may not have an impact on a stock’s trading price, the potential impact can not be ignored. Google (GOOG) is a perfect example. As previously discussed here, Google has been the subject of cyberattacks which it claims were precipitated by the Chinese government. The import of this development can not be understated, as it created tensions between the U.S. and Chinese governments and even made it into Intel’s SEC filing. For private citizens, however, perhaps the greatest implication of the the Google cyberintrusions is the arguable effect that they had on Google’s price per share. On January 12, 2010, when the intrusion was publicly disclosed, Google shares fell 1.7% to $590.48. As of the date of this publication, April 25, Google’s shares are trading at $544.99, another roughly 8% price drop. Can these losses be directly linked to the breach of Google’s security systems? Put differently, can a possible link be dismissed? That’s for shareholders and others to decide.

So, what does this all mean? At a minimum, it suggests that the economic implications of a cyberbreach can be wide ranging, from the simple cost of fixing a security gap to a major hit to a brands’ reputation all the way to claims arising from the theft of consumer’s personal and financial information. Such an intrusion into the systems of retailer T.J. Maxx (TJX) lead TJX to settle with regulators, states, consumers and others and set a settlement/remediation reserve of over $100 million. At the same time, other well-known companies like Adobe, Juniper Networks and Rackspace have been hacked and had their information and technology compromised.

In the end, it is clear that just as consumers need to be vigilant about monitoring their personal and financial information to protect themselves from identity theft and the like, investors too must regularly track their holdings to protect their portfolios and assets. As to the companies whose information and systems are at risk, the need for both D&O and cyber insurance is patently obvious, and is as important as the protection of their intellectual property, consumer information and other non-public data. Risk management, information protection and insurance go hand in hand. And we’re here to make sure everyone recognizes the correlation.

As the cyber war of words heats up between the U.S. and China, the rest of the world is taking notice….and proposing action.

Most recently, the head of the United Nations’ communication and technology agency, Secretary General Hamadoun Toure of the International Telecommunications Union, proposed a treaty whereby member countries agree not to precipitate a cyber attack against other member countries. “The framework would look like a peace treaty before a war,” he is reported to have said.

Secretary Toure’s proposal follows a series of concerns expressed at last month’s World Economic Forum in Davos-Klosters, Switzerland, including a harsh warning that cyber attacks could amount to a declaration of war. According to Secretary Toure, “[a] cyber war would be worse than a tsunami – a catastrophe.” Because of the potential devastating consequences of a cyber war, the Secretary strongly recommended that countries agree not to harbor cyber criminals and “commit themselves not to attack another.” Of course, nothing is quite as simple as that. For example, John Negroponte, the former director of U.S. intelligence, cautioned that intelligence agencies would “express reservations” about such a treaty. Given the breadth and scope of China’s, Russia’s and other countries’ intelligence operations and their reported limits on information disclosures, Mr. Negroponte’s remarks likely would be echoed by other nations.

Read the rest of this entry »

The risk of cyberattacks is real and growing. While many of us theorize and speak in hypotheticals about the possibility of a major and potentially devastating cyberattack (or twenty), those considered most “in the know” are taking these risks seriously. And for good reason.

A January 29, 2010 study commissioned by McAfee, Inc and authored by the Center for Strategic and International Studies (CSIS) reports that over one-third (37%) of the IT security executives surveyed believe that critical infrastructure such as electrical grids, oil and gas production, water supply, telecommunications and transportation networks has become increasingly vulnerable to a cyberattack. Moreover, 40% of the 600 executives from 14 countries who responded predict a major security incident in their sector within the next year. Only 20% believe their sector is secure and will successfully avoid a serious cyberattack over the next five years.

The respondents work in critical infrastructure enterprises across seven sectors in 14 countries (including the US, UK, Japan, China, Germany, France, Italy, Russia, Spain, Brazil, Mexico, Australia and Saudi Arabia). Most problematic, over half of the respondents admitted that their concerns are not without foundation. Indeed, 54% acknowledged that their companies already have experienced infiltrations or large-scale cyberattacks from terrorists, organized crime gangs, and/or nation-states. The average cost of resultant downtime is estimated to be $6.3 million per day. Not chump-change by any means.

The recent cyberattack on Google is just one example. According to CSIS’s report, however, there have been scores more. With additional attacks to come. Of most concern, perhaps, over half of those surveyed believe that the U.S., China and Russia as the three most vulnerable countries.

The report, entitled “In the Crossfire: Critical Infrastructure in the Age of Cyberwar,” goes on to state that more than one-third of the executives who responded feel their respective sectors are unprepared for a major attack and that two-thirds believe the ongoing recession has caused companies to reduce resources devoted to cyber protection.

This situation harkens back to the adage “one man’s suffering is another man’s gain.” The opportunities for cyber/tech underwriters are there. Go get ‘em, ladies and gentlemen.