This article has been written by Anjan Bandyopadhyay pursuing Diploma in Corporate Litigation and has been edited by Oishika Banerji (Team Lawsikho).
This article has been published by Sneha Mahawar.
Table of Contents
Introduction
The United States is one of the leading countries that is pushing the world towards the digital age. Innovation of computers, software, and the internet gave immense support to the US economy to grow at a rapid pace. The development of the software industry contributes to the US economy as well as helps almost all services have a digital presence be it e-commerce, banking, education, etc. People are habitual to accessing, storing, copying, changing, and transmitting information much faster and easier than it used to be through the internet. The rapid growth in the software industry and access to the internet also brings a new set of challenges such as security threats, privacy concerns, spam, identity theft, personal data breaches, phishing attacks, DDoS attacks, infringement of intellectual property, etc. The limited intellectual property protection can hamper the growth of research and development and the financing of small firms. This makes the United States one of the most targeted countries and incurs huge economic losses. According to the Federal Bureau of Investigation’s annual Internet Crime Complaint Center (IC3) report the cybercrime complaints were 8, 47,376 in 2021 up from 7,91,790 in 2020 which indicates a 7% increase. If the loss is considered in terms of money, it went up too from $4.2 billion to $6.9 billion in 2021. This article provides a detailed analysis about cybercrimes in regards to the United States.
Cybercrime in small and medium-sized businesses during the pandemic
Small and medium-sized businesses are the main pillar of the US economy. It garners two-thirds of new jobs in the workforce and accounts for 44% of US economic activity. Most companies scrambled to shift operations online during the pandemic. The increase in remote work means personal devices i.e. laptops, smartphones, and tablets have access to sensitive companies’ information. It has been seen for the last three to four years that rapid extensions in remote and online work fetch small and medium size businesses more vulnerable to cyber-attacks. Therefore, Covid induces lockdowns have paved the way for new challenges for companies to spend more money to protect companies’ sensitive information.
Suddenly, demand for security software and in-house security professionals rose which was insufficient as per increasing demand. This situation further weakens the cyber security infrastructure that postulates hacking. Barracuda Networks, a cloud security firm, has mentioned that small businesses are three times more prone to be attacked by cybercriminals. The RiskRecon, which assesses companies’ cyber security risk, estimated that the incidence of cyber-attacks will increase by 150% in 2020-21.
Cybercrime attacks through the supply chain
Large organisations collaborate with small companies in the US. In 2014 PwC reports explained that cybercriminals often target small and medium-sized companies where the security budget is nominal. Cybercriminals gain a foothold on the interconnected business of large organisations with which they partner. If cyber attacks are fed into supply chains then big businesses are also affected. Cybercriminals using legitimate credentials can blend in with regular network traffic. Additionally, small businesses are forced to move their products from supply chains and spend money on investigations, legal fees, and regulatory filings. Furthermore, small businesses suffer irreparable economic losses and are forced to close permanently. This leads to another significance, which is, increasing the rate of unemployment thereby, also, affecting the US economy.
State-sponsored cyber warfare against the US economy
The US’s strong economic prowess and extensive international soft power keep its position unchallenged. The prime threat to the US economy comes in the form of cyber attacks, avail through the lack of stringent rules and punishment. China and Russia have emerged as the two major hegemonic challengers to the United States. For the past decades, these states have competed with the U.S. for hegemonic superiority and adopted a planned strategy to steal and copy US technologies and trade secrets. They get success to some extent to establish tech companies in the same domain which are now justifiably competing with US tech companies in both innovation and market capitalization. Most of the manufacturing industries shifted from the US to China and the trade deficit in goods with China was approximately $2.4 trillion from 2003 to 2012. With the rising economic strength with proper cyber security policy, China extends and strengthens its ties with a large number of developing countries and erodes American hegemonic status globally.
DDoS attack
It is evident that China’s cyber warfare is properly planned; focused and continuously active targeting US companies and gradually weakening corporate networks. China does substantial harm to the economic interest of the US by targeting consumer-centric organisations with mandatory internet presence for Distributed Denial of Service attacks. A DDoS attack impedes an organisation’s online operations by overloading systems with requests, causing a loss of revenue during the period of interruption. So the customer does not get any online service and is compelled to switch to a competing organisation. In addition, such an attack can tarnish the organisation’s brand value, diminishing its future revenues and business opportunities.
IP theft
Over the last two decades, intellectual property theft is rampant in the US while companies working in research and development, such as high-technology companies, are more likely to be targeted for IP theft. If the company’s intellectual property has been stolen, the company no longer has a monopoly because the stolen secret potentially is utilised by a competing company. It is very difficult to find the perpetrator who is held responsible for IP theft. The legal process is still not sufficient to bring them behind the bar especially if the IP was stolen by a foreign national. As a result, the company is actually undersized and gradually shut down.
There is substantive evidence of IP theft in the US. In 2012, SolarWorld AG, a German solar energy company, started legal action against a Chinese solar manufacturer alleging that the Chinese company dumped products in the USA at prices below fair value. The SolarWorld network was also targeted for IP theft. In 2014, a federal court confirmed five Chinese nationals’ theft of trade secrets and hacking of the networks of six US companies including US subsidiaries of SolarWorld AG. Due to this cyber theft, SolarWorld AG lost 35 percent of its marketplace.
Business email compromise
Cybercriminals often hack the company email accounts of business leaders and CEOs. Attackers fetch important data such as names of the executives, travel plans, and other business credentials then use spoofed email accounts to trick them. It is also known as spear phishing and uses a targeted attack. Cybercriminals collect such secret information and supply it to rival companies in exchange for money. Cyber intrusion for purposes of stealing trade secrets, proprietary technology, and sensitive business information has been making the news. According to the FBI, the BEC scam was amounting to $1.8 billion of reported losses.
Ransomware attacks against companies
According to the Treasury’s Financial Crimes Enforcement Network, a report indicates that ransomware is an increasing cyber threat to US businesses. It was reported that $600 million was paid to cyber criminals for ransomware-related attacks. Ransomware is a malicious program that prevents access to one’s own data and files. Cybercriminals block computers and demand ransom in exchange for returning the computer data. Now it is really difficult to handle this type of cyber attack. US officials connected with companies and advised them not to pay the ransom to the cybercriminals as it fuels even more hacks to company resources. But few companies have no other option but to pay off the attackers who hold their sensitive information hostage.
Intimidation of business software
Technology companies are more vulnerable as cybercriminals exploit inadequately protected devices to launch external attacks against a third party. Devices that work with the Internet of Things are more prone and insecure as manufacturers aim to adopt it by cutting costs of security protection. Software is also vulnerable as cyber attackers often inject code and capture the system of companies. Innocent coding errors may make a program vulnerable to software exploits. This type of cyber attack happens in the IT industry as a system with minimal error is produced at several times the cost of ordinary software but ultimately will hopefully pay off through increasing software vulnerabilities. In addition, the different case study proves that in some cases open-source software is less secure than commercially licensed software. But most companies like to work with open-source software because it reduces the operating costs of the companies.
Effect of cybercriminals on the capital market and financial sector
Cybercrime affects the capital market as well and could impose substantial losses on the economy. If investors could no longer trust the securities on online transactions, financial assets would lose their attractiveness. Additionally, companies would no longer be able to view the stock market as a reliable source of raising capital. Consequently, the cost of capital would increase, reducing economic growth. Investors, having a foray into other investment assets, would likely incur higher costs associated with information gathering, and would lose the benefits associated with liquidity and risk sharing made by well-functioning capital markets.
The Defense Advanced Research Projects Agency, a division of the UN department of defence, recognized several areas of concern posed by cybercriminals to the financial sector. One of them is Flash Crash, named after the 2010 Flash Crash. The flash crash occurs when the sell order is manipulated to cause a rapid decline in the stock market index. It makes an economic loss for market participants because wealth is being redistributed among traders in an arbitrary manner. Investors are losing trust in the stock market due to this manipulation by cyber criminals. If a flash crash happens occasionally, big traders could not participate in the stock market resulting in low liquidity levels.
The problem of insufficient data causes financial loss
It has been reported that cybercrime incidents are inundated by insufficient data. Most companies have a decadal approach to reporting cybercrime incidents because companies face a negative aura that affects their market value when they approach relevant authorities. Cybercrime incidents could be minimised if data on past trade secret theft and cyber attacks were more readily shared across companies.
It is true that many cyber attacks go unreported by companies. The Center for Strategic and International Studies (2014) published that 3000 U.S. companies had been hacked in the US. The report further stated that Google was hacked in 2010, at the same time 34 other large organisations in the US were also hacked but only one of these companies reported officially that it had been the victim of a cyber attack.
It is difficult to estimate the financial loss of companies due to malicious cyber activity extending beyond the direct losses. It also affects economically linked companies, corporate partners, customers, and suppliers. Sometimes cybercrime goes undetected or even when it is detected is mostly unreported. Cyber insurance companies are possibly in the best position to collect proper information about cyber breaches. But insurance pricing data are considered its own and are not available publicly. Growing incidents of cybercrime compel companies to increase budgets on cyber security.
Finally, cybercriminals also steal the personal information of individuals from corporate entities and government offices. This happened multiple times in the US. It causes a negative impact on households that rely on the services provided by both corporate entities and the government. Sometimes individuals are direct targets of cybercrime committed through the internet and email.
Measures taken to control cybercrimes
Cybercrime at its core the US Government must protect its economy and information infrastructure by enhancing its security. If any of the aforementioned types of cyber crimes happen, then this can cause havoc on the economy. Cybercrime is a growing industry now with a wide range of services and techniques for criminals. These techniques are social engineering, distributed denial of service, malware, etc. Hacking tools and technical support become more widely available. As a result, cybercrime attacks have both broadened and deepened at the same time. Cyber fraudsters often flee to the dark web, where Tor and escrow payment methods hide their identities, escaping from law enforcement action.
While the US has been the focus of recent cybercrime activity, the Government has an important role in protecting the nation. The Government should invest in cyber security research, be well aware of the latest changes happening in this field, and increase cyber defence potentials by acquiring the necessary technology needed to combat crime. The government should include cyber security in the course curriculum so that students get interested in cyber security education and gradually become cyber security professionals. Doing so will protect the country from an economic loss that might result from cybercrime. Government is also responsible to protect essential infrastructures such as the power grid, weather forecast system, traffic control system, etc from malicious cyber attacks. Attacks on infrastructure can damage the entire economy.
A proper surveillance system with a dedicated department should be deployed in order to restrain the infrastructure from any cyber attack happening. A new cyber law and regulations should be framed that must comply with vigour. Banks, financial institutions, technology companies, and other small and medium-sized business establishments are subject to regulatory checks that include a review of their safeguards for protecting assets from cyber threats. The regulations will also impose on US-based organisations dealing with foreign clients. Companies subject to this regulation must inform their customers and other affected parties of cyber attacks.
The crime must be disclosed to the government, customers, and controllers within a certain time of the company’s becoming aware of the cyber attack. This new law will further increase the number of publicly reported cyber crimes. The lack of data makes it impossible to properly determine losses incurred by the US economy and further ascertain whether more active government involvement is required to limit cyber threats.
Another key concern is that organisations are reluctant to invest in cyber security or cut down the budget on cyber security. A strong cyber attack can cause a total revenue loss of business. Expenditure on information security could potentially have protected the business from any cyber threats. The company can spend money to buy security software and hire an information security professional who can identify the threats and correct them. The expert can spread cyber security awareness among the employees.
Technology companies should secure their products and software from any IP theft or code manipulation. Companies should run a test to check the security standards before it is delivered. During the test, creators should rectify any defects. These tests should be repeated until the product or software meets the proper security standards. Companies should be responsible for providing technical support and offering updated services to keep their product up to date and secure from any vulnerabilities after the product’s release.
Conclusion
Cybercrime is manmade and not solved fully by framing relevant law; it’s also necessary to grow human morality and ethics in a proper manner. However, the ever-shifting nature and scope of cybercrime suggest that constant effort is essential to mitigate it. To be precise, defending the US economy is not solely on the shoulders of government, corporate entities, and general citizens; it is a combined effort that all must participate in together to protect the US economy from cyber threats.
References
- https://www.heritage.org/cybersecurity/commentary/major-threat-our-economy-three-cyber-trends-the-us-must-address-protect.
- https://www.bbc.com/news/business-63260648.
- https://www.ic3.gov/Media/PDF/AnnualReport/2021_IC3Report.pdf
Students of Lawsikho courses regularly produce writing assignments and work on practical exercises as a part of their coursework and develop themselves in real-life practical skills.
LawSikho has created a telegram group for exchanging legal knowledge, referrals, and various opportunities. You can click on this link and join:
Follow us on Instagram and subscribe to our YouTube channel for more amazing legal content.