© The Author(s) 2019
Ganna Pogrebna and Mark Skilton, Navigating New Cyber Risks, https://doi.org/10.1007/978-3-030-13527-0_2

2. Cybersecurity Threats: Past and Present

Ganna Pogrebna (1, 2) (Corresponding author) and Mark Skilton (3)

(1) University of Birmingham, Birmingham, UK
(2) The Alan Turing Institute, London, UK
(3) Warwick Business School, University of Warwick, Coventry, UK

In the contemporary business environment, we are surrounded by labels and keywords which refer to various cyberthreats. It is hard to find a business owner, CEO, board member, or an employee who has never heard of a hacking attack, identity theft, or a computer virus. But what are cybersecurity threats? Are they different from cybercrimes? And if so, how?

A “threat” in general terms is always related to two important constructs—“chance” or “probability” and “harm”. A threat in a general business sense implies a chance of an event which leads to harm, loss, or damage. This “negative” or “adverse” event may be due to action or inactivity.1 In non-cyber environments, a threat may be man-made (inflicted by a human or a group of humans) or be a consequence of non-human factors (e.g., natural phenomena such as earthquakes, tornadoes, floods, etc.).

How do cyberthreats differ from the threats a business faces in non-cyber environments? There is no consensus among experts on the definition of cyberthreat. The Oxford English Dictionary provides a very general explanation of the meaning of the term as “the possibility of a malicious attempt to damage or disrupt a computer network or system”.2 This definition is rather dated and quite incomplete, and yet it is helpful for understanding the cyberthreat phenomenon. The useful part of the definition highlights that a threat is related to risk (“possibility”) and harm (“damage”). However, the second part, which says that harm relates to a “computer network or system”, does not reflect reality. The contemporary adverse effects of malicious cyber activities may influence an individual’s well-being (harm to individual), business profitability and survival (harm to property), national and international security (harm to government), and even break ethical and moral code (harm to morality), not only in cyberspace, but also in the “physical world” [1, 2]. Therefore, when we talk about cyberthreats, we need to consider a range of very complex phenomena which imply the use of unconnected computing devices, data, Internet-connected technology (ICT), and computer networks to cause damage in cyber and/or physical dimensions.

Even though scholars have grappled with the typology of cyberthreats for many years, there is no unified classification of threats. Below, we attempt to provide a typology of cyberthreats most relevant for the business environment, yet it is important to keep in mind that with the rapid development of technology and, as a result, the emergence of new threats on a daily basis, this typology does not pretend to be exhaustive or complete.

In relation to any business activity, cybersecurity threats can be broadly divided into two categories. First, there are threats due to simple technical faults such as system failures, where unexpected, unintended, non-malicious things can happen to computer systems and, as a result, affect business operations, causing damage. These faults may happen due to the failure of technology, human error, human negligence, or failure of organizational procedures. While these threats are, of course, very important, in this book we concentrate on threats related to malicious attempts by other people or organizations (which we call “adversaries”) to infiltrate organizational computer systems and cause financial or non-monetary (e.g., reputational) damage. In the cybersecurity literature, such threats are often related to criminal activities in cyberspace, or cybercrimes.

But what are cybercrimes? Are they “traditional” crimes committed in cyberspace or are they something special, “an animal of its own kind”? Susan Brenner, an expert on cybercrime history who has written extensively on this topic, asserts that “Cybercrime, like crime, consists of engaging in conduct that has been outlawed by a society. Cybercrime differs from crime primarily in the way it is committed: where real-world criminals use guns to commit crimes, cybercriminals use computer technology to engage in socially outlawed conduct” [1, p. 706]. Professor Brenner argues that much of the criminal activity in cyberspace is a reincarnation of traditional crime (such as fraud, theft, extortion, acts of terrorism, etc.) in digital environments. Yet, she also accepts that cybercrimes go beyond “computer-facilitated commission of traditional crime” [1, p. 706].

In popular culture, the term “cybercrime” is incredibly controversial and even paradoxical. On the one hand, for many, “cybercriminal” is synonymous with “hacker”. Yet, while the term “cybercriminal” has a definite negative flavor, “hacker” is rather a positive term. We may blame Hollywood for this, as hacker figures were popularized by many movie productions such as The Matrix trilogy (1999, 2003), Swordfish (2001), BlackHat (2015), etc., where a hacker is usually someone smart and incredibly cool. There was even a film those of us under 40 would probably never have heard of—War Games—which is believed to have inspired many hackers of the past when it came out in 1983. In fact, the roots of the positive connotation associated with “hackers” go a lot deeper, as the term dates back to the 1950s, when Massachusetts Institute of Technology (MIT) students coined it to denote inventive college pranksters [1]. By the late 1950s, through the MIT Intelligence Laboratory, the term “hacking” spread into the information technology and computing community and generally referred to creative and innovative computer programming [1, 2].

But how far does the public view of cyberthreats and cybercrime differ from what they actually are? Of course, modern cyberthreats are a lot more diverse than hacking. They include a long list of things which vary significantly in their severity, volume, impact, and wider consequences.

Cyberthreats and Their Varieties

If you ask people who are not engaged in cybersecurity professionally to describe which threats they are facing, they will admit that they often have a hard time when they are trying to gain a correct understanding of cyberthreats. One survey participant once told us: “When you go online, there is just so much information about cyberthreats ‘staring’ at you. And you don’t even know whether it is relevant and how it is relevant.” This is certainly true—it is really hard to navigate this space, as there is no easy way in which cyberthreats can be classified and analyzed. Table 2.1 outlines our attempt to systematize the major cybersecurity threats which individuals and organizations are facing today.3 The resulting picture somewhat resembles the periodic table of elements which many of us remember from studying chemistry and includes three broad categories of potential threats: monomers, polymers, and composites.
Table 2.1 Periodic table of cybersecurity threats (two-part table image in the original; not reproduced here)

Monomers are “basic” threats which can cause damage on their own or, more often, can be combined into polymers and act as part of a more complex threat structure. Monomers can be of two varieties: basic and malicious. The difference between the two is that basic monomers can be either benign or malicious depending on how they are applied, while malicious ones are designed to cause harm. Basic monomers include, for example, executable files and exploits which, in principle, may be perfectly harmless or may be designed to cause serious damage. Malicious monomers, however, exercise “damage by design”. For example, a backdoor implies gaining access to systems by bypassing the usual authentication; social engineering refers to using psychological tools in a malicious way to trick users into doing something they otherwise would not, etc.

Polymer threats are more complex threats which usually include several monomers. Depending on the way in which polymers infiltrate and compromise systems, they can be partitioned into four varieties: malware polymers; technical stealth polymers; email or messaging polymers; and hybrid polymers. Malware polymers refer to various types of malicious software (or malware) and include viruses (user-activated malware), worms (self-propagating malware), etc. Technical stealth polymers represent threats which utilize various technical (e.g., programming) means and include (distributed) denial-of-service (DoS) attacks (malicious attempts to cause the victim, site, or node to deny service to its customers), password brute force (a trial-and-error method used to decode encrypted data), etc. Email and messaging polymers such as phishing (untargeted messages aimed at tricking users into revealing valuable information or taking actions advantageous to the cyberthreat instigator) spread through electronic communication. Finally, hybrid polymers usually involve a mixture of infiltration mechanisms, from purely psychological to highly technical.

Polymers usually combine into composites, and composites, in turn, may be integral parts of complex composites. To illustrate the relationship between monomers, polymers, and composites, consider the following example. The monomers backdoor and exploit may be integral parts of such polymers as a virus or worm, and payload is a composite which may include viruses and worms. In turn, payload may be a part of a complex composite such as (cyber) theft.

From the security standpoint, it is easier to deal with monomers than with polymers, and it is easier to deal with polymers than with composites. Since the complexity of the threat elements increases from monomers to polymers and from polymers to composites, the complexity of solutions should also increase between these three categories.

Brief History of Cyberthreats

Looking at the variety and complexity of threats, it is not hard to understand why cybersecurity is such a “dry” topic. With such a broad variety of terminology and so many things which could potentially go wrong, one can encounter many difficulties in navigating not only potential threats but also the literature that describes those threats. Looking at the history of cyberthreats helps us to understand them better. The first cybersecurity threats started to appear in the period between the 1950s and 1970s and have diversified and intensified ever since. Figure 2.1 shows a brief chronology of cyberthreats covering the time period from the 1950s to 2018.
Fig. 2.1 Brief chronology of cyberthreats (figure image in the original; not reproduced here)

It is not our goal to provide a comprehensive and detailed history of Internet and cybersecurity.4 Yet, a very brief account of events is useful to understand how various threats emerged, developed, and how this development led us to today’s situation.

The Emergence of Cyberthreats (1950s–1979):

Cyberthreats in general, and computer crime in particular, have grown out of their historic predecessor—“phone phreaking”—where telephone systems were studied and “attacked”. These “attacks” were nothing of the kind you might imagine—essentially, phone phreaks carefully researched telephone networks and then made those systems do something they were not designed to do. For example, phone phreaks would be able to exploit the system to make free phone calls in an era when all calls had to be paid for.

In some sense, these were “romantic” times in the history of cyberthreats, when the majority of people exploring telephone or computer systems were doing so out of intellectual curiosity rather than with the goal of benefiting (for example, financially) from these systems. In 1974, a 13-year-old teenager, David Dennis, invented and tested the first DoS attack. David went to the University High School located in close proximity to the Computer-based Education Research Laboratory (CERL) at the University of Illinois Urbana-Champaign. He discovered that CERL operated PLATO—a shared multi-user computer network—and learned that the “external” (or “ext”) command allowed external devices to connect to the terminals on the network. Yet, when the command was entered without an external device present, it would cause the terminal to lock up, requiring a reboot. David wrote a simple piece of code that allowed him to send the “ext” command to multiple terminals. He then tested his code on 31 CERL computers, which powered off all affected users in the PLATO lab at once. The principle of this simple experiment conducted by a teenager now underpins every single DoS attack.

Around the same time, the first attempts to develop viruses and instigate powerful attacks emerged. For example, in 1975 John Walker wrote the Pervade virus, which infected UNIVAC systems and was transferred between terminals using magnetic tape. In 1979, Kevin Mitnick designed and implemented the first large-scale hacking attack on The Ark, the computer system of the Digital Equipment Corporation (DEC). Mitnick used a combination of his technical skills and social engineering to infiltrate the system. Specifically, impersonating one of DEC’s top developers, he called the system administrator and pretended that he was unable to “log in”. The system administrator simply gave away the precious password to Mitnick over the phone, which allowed the hacker to access The Ark.

The Development of Cyberthreats (1980–1989):

In the 1980s, cyberthreats underwent a rapid development. There were many “firsts” during this time: the first virus which affected personal (rather than industrial or institutional) computers; the first worm; the first hacker groups; the first hacker wars; and even the first convictions related to hacking activity. In this period, the global community came to the realization that cyberthreats were real and might potentially cause much harm. In 1982, Richard Skrenta, a 15-year-old ninth-grader from Pittsburgh, created the first personal computer virus, which targeted Apple II computers. The Elk Cloner virus spread via infected disks. Interestingly, the term “virus” appeared only in 1984, when Fred Cohen used the term to describe “self-propagating code”.5 This definition was, of course, in many ways confusing, because a virus required user activation—i.e., in order to set the malicious code in motion, the user needed to do something (e.g., open a file containing malicious software).

In 1986, the first “vengeful” virus was created by the Farooq Alvi brothers.6 Basit Farooq Alvi and Amjad Farooq Alvi, who were, respectively, 17 and 24 years of age at the time, were running a computer shop in Lahore, Pakistan. They spotted that software for the MS-DOS operating system which they had written and sold to their customers was being pirated and circulated for free. To prevent the piracy, the brothers developed the Brain virus, which only targeted machines with pirated software. The logic behind the virus was simple: it affected IBM computers by replacing the boot sector of the floppy disk carrying the pirated software with a copy of the virus. The brothers had built a counter into the software which allowed it to quickly and reliably diagnose whether a copy was genuine. Even though the initial motivation behind the development of the Brain virus was benign—i.e., stopping piracy—the consequences were not as positive as the Farooq Alvi brothers had hoped. When the virus information got out into the public domain, Brain “mutated” as malicious versions of the virus were developed based on the initial code.

In the 1980s, many young people became influenced by the movie War Games (1983). As a result, several hacker groups and cybergangs appeared during this time, including the 414s, Legion of Doom (LOD), Masters of Deception (MOD), Chaos Computer Club, and others [1]. Unlike the “noble hackers of the past”, these groups often had mixed motives. They engaged in both intellectual and gainful activities, most probably due to the growing rivalry between the groups. One of the most notorious hacker wars was between LOD and MOD, which became progressively more dangerous as they tried to outperform and outsmart each other [1].7

This period also saw the first global ransomware attack, which was labelled the AIDS Trojan or the PC Cyborg attack.8 In 1989, a postdoctoral AIDS researcher, Joseph Popp, sent out 20,000 floppy disks to AIDS researchers in more than 90 countries around the globe. Each disk was said to contain a risk-assessment questionnaire and a program which would estimate the risk of a particular individual contracting AIDS. The problem was that the disk contained ransomware with lagged activation (it activated after the computer terminal was powered on 90 times). After activation, the ransomware showed a message demanding a payment of $189 and $378 in exchange for the “software lease”.

This period also saw the first convictions related to computer crime. Researchers [1, 2] often name Ian Murphy (aka “Captain Zap”) as the first person ever to be convicted of “hacking”-related crime, in 1981. However, it is important to note that at the time, computer crime did not exist in the legal language and Murphy was prosecuted on theft charges. Therefore, Captain Zap’s title of the first prosecuted hacker is often contested by the case of Gerald Wondra and two other members of the 414s hacker group, who, in 1983, were convicted for “harassing telephone calls” and received two years’ probation. Strictly speaking, if we agree that phone phreaking was the predecessor of hacking, the 414s can probably claim to be the first convicted hackers as they were formally charged with phone phreaking rather than theft.

Yet, probably the most important event in the 1980s was the release of the “Morris Worm” by Robert Tappan Morris on November 2, 1988. This day was labelled in computer technology history as “Black Thursday” [2]. In contrast to the existing virus malware which required user activation, Morris released a self-propagating malware—a worm—which spread through the ARPANET (the predecessor of the Internet) and affected many9 of the 60,000 computers which were connected to the network at the time, mostly belonging to NASA and the Pentagon, as well as to MIT, Stanford, Berkeley, and other universities. Morris was the first person convicted under the 1986 Computer Fraud and Abuse Act and sentenced to three years’ probation, 400 hours of community service, and a fine of $10,050. In his defense, Morris argued that he was motivated by intellectual curiosity and did not benefit from his actions financially. Even though Morris was the first to conduct a “live test” of the worm malware, the term “worm” had been coined by Xerox in 1982—six years earlier [2]. Another interesting fact about the Morris worm is that the first official definition of the term “Internet” in its contemporary sense was documented in the case of “The United States of America v. Robert Tappan Morris” in 1991, which explained that: “Morris released the worm into INTERNET, which is a group of national networks that connect university, governmental, and military computers around the country” [2].

The Era of Charismatic “Despicable MEs” (1990–1999):

The 1990s was one of the most interesting periods in the history of cyberthreats, as it was a period dominated by individual hackers. The names of these individuals are known to the majority of those interested in cybersecurity. Let us recall several examples. In 1994, Kevin Poulsen (aka Dark Dante) was prosecuted and convicted for hacking into the Pacific Bell Telephone company system. He received a 51-month jail sentence and was ordered to pay $56,000 in restitution. In 1995, Kevin Mitnick (aka The Condor, The Darkside Hacker) was convicted on 5 of 21 counts of access device fraud, wire fraud, computer damage, and wiretapping. In 1996, a 21-year-old, Julio Ardita, was charged with hacking into the Harvard University computer system. It turned out that Ardita had used the university system to instigate further attacks on other systems.

In March 1999, David L. Smith (aka Kwyjibo) released the Melissa virus, which affected Microsoft systems and spread via email attachment. This was the first mass-mailing computer virus. When the Melissa attachment was opened, the virus would be resent to the first 50 contacts in every affected user’s Microsoft Outlook address book. Even though the virus did not cause any harm to the affected computers’ data, it created serious disruptions to global computer networks by sabotaging email traffic, leading to over $80 million worth of damages. Smith was sentenced to ten years and ordered to pay $5,000 in restitution. He ended up serving 20 months.

The Proliferation of Cyberthreats (2000–2009):

The early 2000s was the period when cyberthreats spread and became (i) more harmful and (ii) more impactful. With the development of the Internet and ICTs, the means to access information became available to large numbers of people. Equally, information about cyberthreats as well as malicious code became more accessible.

The year 2000 hit the global computerized community with several new challenges. In May 2000, the ILOVEYOU virus spread throughout the global computer network, affecting Microsoft systems. The subject of the spreading email was “ILOVEYOU” and it carried an attachment “LOVE-LETTER-FOR-YOU.txt.vbs”. Even though the virus in its essence was very similar to Melissa and spread via an email attachment, it damaged files on the victims’ machines and sent itself to all contacts in the Microsoft Outlook address book. The investigation led to the Philippines, where two programmers, Reonel Ramones and Onel de Guzman, became suspects. However, the Philippines did not have suitable laws to prosecute computer crime and eventually all charges against Ramones and de Guzman were dropped.

The year 2000 showed that malware was not only for grown-ups but also for kids. The Pikachu virus (named after the famous Pokémon series character) spread via email attachment and replicated itself in the same fashion as ILOVEYOU. In addition, it also attempted to delete several important Windows directories. However, the victims were given a deletion prompt, which is why the virus did not cause as much damage as ILOVEYOU.

The same year also saw the emergence of the Global malicious bot (self-propagating malware used to infect a host and connect it to a central server acting as command and control). It also brought about the Millennium bug problem: many programs used the last two digits to represent calendar years, and there were wide concerns that the year 2000 would be indistinguishable from 1900, causing overwhelming computer failures due to the incorrect handling of dates. Yet, the global community had prepared for the problem and addressed it with updates prior to 2000.
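The two-digit-year failure mode described above, and the “sliding window” remediation many of the pre-2000 updates applied, as an added example that is not code from the book or from any program it mentions. The contract dates and the pivot value of 50 are constructed for the illustration; a windowed fix only defers the ambiguity to the next century boundary it chooses, which is the caveat to keep in mind when reading legacy data formats.

```python
"""Two-digit years and the Millennium bug.

Added example, not code from the book or from any program it mentions. It
stores the year as two digits, the way the legacy programs described above
did, shows that 1900 and 2000 then become indistinguishable, and applies the
sliding-window ("pivot year") remediation that many Y2K fixes used. The
contract dates and the pivot value are constructed for the illustration.
"""
from datetime import date

PIVOT = 50  # assumed policy: two-digit values below 50 mean 20xx, the rest 19xx


def naive_year(yy: int) -> int:
    """Legacy interpretation: the century is always 19xx."""
    return 1900 + yy


def windowed_year(yy: int, pivot: int = PIVOT) -> int:
    """Sliding-window remediation: pick the century from a 100-year window."""
    if not 0 <= yy <= 99:
        raise ValueError("two-digit year must be in 0..99")
    return 2000 + yy if yy < pivot else 1900 + yy


def to_date(yy: int, mm: int, dd: int, interpret=naive_year) -> date:
    """Build a real date from a two-digit-year record using the given century rule."""
    return date(interpret(yy), mm, dd)


def days_between(start: tuple, end: tuple, interpret=naive_year) -> int:
    """Days from start to end; both are (yy, mm, dd) records as a legacy file would hold them."""
    return (to_date(*end, interpret=interpret) - to_date(*start, interpret=interpret)).days


# Constructed sample: a contract signed on 31 Dec 1999 that expires on 31 Jan 2000.
SIGNED = (99, 12, 31)
EXPIRES = (0, 1, 31)


def contract_length_naive() -> int:
    """Legacy rule reads the expiry as 1900, so the contract appears to have expired 99 years ago."""
    return days_between(SIGNED, EXPIRES, naive_year)


def contract_length_windowed() -> int:
    """With the window the expiry is 2000 and the length is the expected 31 days."""
    return days_between(SIGNED, EXPIRES, windowed_year)


if __name__ == "__main__":
    print("naive:", contract_length_naive(), "days")
    print("windowed:", contract_length_windowed(), "days")
```

Running the block prints a negative contract length under the legacy rule and 31 days with the window; the same inversion is what broke sorting, expiry checks and interest calculations in systems that were not patched.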

The emergence of large social media networks (such as Facebook in 2004) led to an increase in global communication. This, among other things, led to the further development of various hacker groups, including cybergangs. Better and faster access to information and the ability to quickly make a global impact also led to the emergence of hacktivist organizations such as Anonymous in 2003.10 Open web sources for hacktivists (such as Wikileaks.org in 2006) also appeared during this time.

The early 2000s also saw the emergence of the Dark Web, also known as the Dark Net—a portion of the World Wide Web where users remain anonymous. In the mid-1990s, the US Navy created Tor—the “Onion Router” or “Onion Routing Browser”. By 2002, the onion router technology had become known to a limited number of users, and in 2004 Tor was open-sourced. Since Tor allowed for anonymous surfing of the Internet, it became the main Dark Web browser. On a daily basis, the Dark Web is surfed by a large number of users, who may range from curious teenagers to cybercriminals and cyberterrorists. The emergence of the Dark Web also allowed cybercriminal organizations to solicit services, communicate, and execute transactions at a global scale.

In 2007, the first global-scale botnet attack, which became known as the Storm botnet or Storm worm botnet, affected millions of computer systems. The botnet spread via email spam and allowed the instigators to remotely control a network of affected computers. To date, the adversaries behind the Storm botnet remain unidentified.

Another important event during this period was the invention of blockchain technology (a public ledger consisting of a growing number of blocks linked using cryptography) by Satoshi Nakamoto. The main idea behind blockchain is that it is a distributed and decentralized public ledger which is kept in digital form. Since the ledger is used to record transactions live and across many computers simultaneously, the records on the ledger cannot be changed or tampered with retrospectively without attracting attention. To date, it is disputed whether Nakamoto is one person or a group of people. It is also unknown whether Nakamoto is actually from Japan or whether it is an alias used by someone from another country. Between 2008 and 2009, Nakamoto published two papers [3, 4] explaining how a distributed ledger can be used to form a peer-to-peer electronic cash system, which gave rise to the bitcoin cryptocurrency. In 2009, Nakamoto publicized the first bitcoin software and launched the first bitcoin network. Even though blockchain technology has generated a lot of positive outcomes and is currently employed by millions of individual users and organizations for a variety of purposes (e.g., tracing the origins of diamonds to prevent blood-diamond smuggling; smart contracting, etc.), cryptocurrencies in general and bitcoins in particular remain an important means of payment and transaction for cybercriminals.
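Why a retrospective edit to a block-linked ledger “attracts attention”, as an added example that is not code from the book or from Nakamoto’s papers: each block carries the SHA-256 hash of its predecessor, so changing any past record alters that block’s hash and breaks every later link. Proof of work, signatures and the peer-to-peer network are deliberately left out; the transactions and the `tip_hash` check (a verifier holding its own copy of the head hash, as peers in a distributed ledger do) are assumptions made for the illustration.

```python
"""Tamper evidence in a hash-linked ledger.

Added example, not code from the book or from Nakamoto's papers. It builds a
minimal append-only ledger in which each block carries the SHA-256 hash of the
block before it, so altering any past record changes that block's hash and
breaks every later link. Proof of work, signatures and the peer-to-peer network
are left out; the transactions below are constructed sample data.
"""
import copy
import hashlib
import json
from dataclasses import dataclass

GENESIS_PREV = "0" * 64  # the first block has no predecessor


@dataclass
class Block:
    index: int
    prev_hash: str
    transactions: list  # constructed records such as {"from": "alice", "to": "bob", "amount": 5}

    def digest(self) -> str:
        """SHA-256 over a canonical serialisation, so equal content always yields an equal hash."""
        payload = json.dumps(
            {"index": self.index, "prev_hash": self.prev_hash, "transactions": self.transactions},
            sort_keys=True,
            separators=(",", ":"),
        ).encode()
        return hashlib.sha256(payload).hexdigest()


def build_ledger(batches: list) -> list:
    """Append one block per batch of transactions, linking each block to its predecessor's hash."""
    chain, prev = [], GENESIS_PREV
    for i, txs in enumerate(batches):
        block = Block(index=i, prev_hash=prev, transactions=copy.deepcopy(txs))
        chain.append(block)
        prev = block.digest()
    return chain


def verify_ledger(chain: list, tip_hash: str) -> int:
    """Return -1 if every link holds, otherwise the index of the first block whose link is broken.

    The last block has no successor to vouch for it, so its hash is compared with
    tip_hash, the head hash a verifier keeps independently (as peers in a
    distributed ledger do); a mismatch there is reported as index len(chain).
    """
    expected_prev = GENESIS_PREV
    for block in chain:
        if block.prev_hash != expected_prev:
            return block.index
        expected_prev = block.digest()
    return -1 if expected_prev == tip_hash else len(chain)


# Constructed sample ledger: three batches of toy transfers.
SAMPLE_BATCHES = [
    [{"from": "alice", "to": "bob", "amount": 5}],
    [{"from": "bob", "to": "carol", "amount": 2}, {"from": "alice", "to": "carol", "amount": 1}],
    [{"from": "carol", "to": "alice", "amount": 3}],
]


def tamper_demo() -> tuple:
    """Build the sample ledger, record its tip, then retroactively edit block 1.

    Returns (verification before the edit, verification after): -1 first, then 2,
    because block 2 still names the original hash of block 1.
    """
    chain = build_ledger(SAMPLE_BATCHES)
    tip = chain[-1].digest()
    before = verify_ledger(chain, tip)
    chain[1].transactions[0]["amount"] = 200  # the retroactive change
    return before, verify_ledger(chain, tip)


if __name__ == "__main__":
    print(tamper_demo())  # (-1, 2)
```

The hash chain alone only makes tampering detectable, not impossible: an attacker who can rewrite every later block and the verifier’s tip hash would go unnoticed, which is exactly the gap that replication across many computers and proof of work close in a real blockchain.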

The Cyberthreat Renaissance (2010–Present):

The period of the 2010s can be described as the rebirth or renaissance of cyberthreat activities. With much code being openly available and any teenager being able to access information about how to create a “nuclear cyberbomb” online in several clicks, it becomes very easy to access the means to infiltrate complex cyber systems.

In recent years, cybersecurity breaches have become widespread and started to target a large number of businesses and individuals, primarily with the aim of financial gain [57]. The further development of technology not only allowed systems to be infiltrated, but also allowed this to be done very rapidly. Examples of such activities include the massive data breaches which affected 6.5 million LinkedIn users in 2012 and 65 million Tumblr accounts in 2013; concerted attacks on blockchains and cryptocurrencies in 2014 and 2016; and the WannaCry and Petya virus attacks in 2017, which paralyzed not only individual businesses but industries and entire countries. This period also saw the first ever conviction for both hacking and cyber terrorism.

Overall, the variety of tools and the availability of information since 2010 have led to a situation in which attacks have become more and more common, progressively more powerful, and less easy to cope with.

Distinguishing Between Vulnerability, Threat, and Risk in Cyberspace

As we can see from the previous subsections, cyberthreats are multifaceted and widespread. So far, we have looked at the various types of cyberthreats and tried to sketch how some of those threats came about. However, when we talk about businesses and their ability to build safe cyber spaces, we often consider not only cyberthreats, but also vulnerabilities and risks. And this is where the terms start getting confused. This confusion comes from the fact that all three terms (cyberthreat, cyber vulnerability, and cyber risk) relate to “harm” and “chance” or “probability”, yet, they do not mean the same thing. The easiest way to understand the difference between the three terms is to imagine cyber risk as an overlap between cyberthreat and cyber vulnerability. Let us look at this issue more closely.

When we talk about threats, vulnerabilities, and risks in cyberspace, we always refer to “probabilistic” or “chance” events—in other words, events which may or may not happen. A probability is usually defined as the extent to which a particular event is likely to happen. Probability is usually represented as odds (e.g., a 1 in 10 chance of something happening) or, more often, as a percentage chance of something happening (e.g., a 10% chance of something happening).

As we explained earlier, cyberthreat is the objective general probability of a malicious cyber act which results in cyber or physical harm damaging individuals (private or public), organizations, the international community, or moral code. This probability is objective and general because the malicious cyber act can happen in principle (or on average) with some positive probability (probability greater than 0). Cyber vulnerability is an objective specific probability with which a particular security system could be compromised. In other words, it is a probability with which a specific security system has a gap that, in principle, could be exploited. Cyber risk, therefore, is the precise probability with which a cyberthreat and a cyber vulnerability coincide at a specific place and time and result in harm.

To make these definitions less abstract, let us consider the following example. In October 2015, the telecommunication giant TalkTalk was hit by a major cyberattack, as a result of which thousands of customer online records that included identity information (names, email addresses, telephone numbers, as well as bank account numbers) were compromised.11 The global cybersecurity data collected from businesses shows that 63% of all data breaches around the globe target identity data [5] —i.e., the data that can help cybercriminals masquerade as a particular individual. This means that there exists a cyberthreat of identity theft which may occur with an objective general probability (equal to 63%), irrespective of the type of business you own, the type of security system you run, etc. In other words, cyberthreat probability tells you to what extent, on average, any business (including TalkTalk or your business) can become a victim of identity theft.

Now, cyber vulnerability tells you how likely it is that a specific business (TalkTalk or your business) has a gap or gaps in its security system through which identity information can be stolen. In theory, you can have an impervious system which makes extracting identity information impossible (e.g., you do not store any identity data digitally12) or almost impossible (you only store partial data digitally), or you can have a highly fragile system offering many opportunities for an attack. Again, in theory, if you analyze all the possible ways in which someone can get to the identity data you store, you should be able to come up with an objective and specific probability estimate which would tell you how vulnerable your system is.

You might ask—why can’t we just assume that cyber vulnerability is the same as cyberthreat? It would be incorrect to do this because cybersecurity is costly. If you assume that you have a 63% vulnerability to cyberthreats when in fact it is 5%, you would be directing valuable labor and monetary resources to something not very relevant to your business.13 Using our example, in theory, TalkTalk should be able to analyze various security gaps and come up with an objective and specific probability with which the identity data they store could be stolen.

Yet, because both cyberthreat and cyber vulnerability are “probabilistic” constructs—i.e., they depend on the realization of chance events—we need to introduce the concept of cyber risk, which shows the probability with which cyberthreat and cyber vulnerability are likely to coincide and result in harm. For example, you might have a cyber vulnerability, but this vulnerability is highly unlikely to be exploited by a particular threat—then the actual cyber risk is low. At the same time, you can have a high likelihood of a cybersecurity threat but a very robust security system (low cyber vulnerability), in which case cyber risk will also be low. In other words, by analyzing threats against existing vulnerabilities, in theory, one should be able to calculate a precise value of cybersecurity risk. Going back to our example, in theory, TalkTalk should have been able to come up with a precise probability estimate of the cyber risk related to identity theft given the existing vulnerabilities in their cybersecurity system. In other words, they should have been able to estimate the probability with which the October 2015 attack could have occurred.
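The threat, vulnerability and risk definitions above, and the TalkTalk identity-theft figures, worked through numerically as an added example that is not from the book. It rests on one simplifying assumption the chapter does not make: that the general threat probability and the specific vulnerability probability are independent, so the probability of their coinciding is their product. The 63% figure is the identity-data share quoted in the chapter; the vulnerability values, the £1,000,000 impact and the scenario names are constructed.

```python
"""Threat, vulnerability and risk as probabilities.

Added example, not from the book. It encodes the chapter's three terms as
probabilities in [0, 1] and combines them under one simplifying assumption
the book does not make: that the threat (a malicious act of this kind occurs
in general) and the vulnerability (this specific system has an exploitable
gap) are independent, so the risk of their coinciding is their product. The
63% figure is the identity-data share quoted in the chapter; every other
number here is constructed.
"""

IDENTITY_THEFT_THREAT = 0.63  # general probability quoted in the chapter


def _check(p: float, name: str) -> None:
    # A NaN fails the chained comparison too, so it is rejected here as well.
    if not 0.0 <= p <= 1.0:
        raise ValueError(f"{name} must be a probability in [0, 1], got {p!r}")


def cyber_risk(threat: float, vulnerability: float) -> float:
    """Probability that the threat and the vulnerability coincide (independence assumed)."""
    _check(threat, "threat")
    _check(vulnerability, "vulnerability")
    return threat * vulnerability


def expected_loss(threat: float, vulnerability: float, impact: float) -> float:
    """Risk weighted by the loss a successful attack would cause, in the impact's currency."""
    return cyber_risk(threat, vulnerability) * impact


def scenario_table() -> dict:
    """The two low-risk cases from the text plus a genuinely high-risk one (constructed figures)."""
    scenarios = {
        "gap exists, threat rare": (0.01, 0.90),  # high vulnerability, little threat
        "threat common, system robust": (IDENTITY_THEFT_THREAT, 0.02),  # low vulnerability
        "threat common, system fragile": (IDENTITY_THEFT_THREAT, 0.60),
    }
    return {name: round(cyber_risk(t, v), 4) for name, (t, v) in scenarios.items()}


def misallocation(impact: float = 1_000_000.0) -> tuple:
    """Expected loss when vulnerability is assumed equal to the threat (0.63) versus measured (0.05).

    Returns (assumed_loss, measured_loss, ratio); the ratio is how far a budget
    sized on the assumption overshoots one sized on the measurement.
    """
    assumed = expected_loss(IDENTITY_THEFT_THREAT, IDENTITY_THEFT_THREAT, impact)
    measured = expected_loss(IDENTITY_THEFT_THREAT, 0.05, impact)
    return assumed, measured, assumed / measured


if __name__ == "__main__":
    for name, risk in scenario_table().items():
        print(f"{name:32s} risk = {risk:.4f}")
    print("misallocation:", misallocation())
```

With these figures the “assume vulnerability equals threat” shortcut from the text inflates the expected identity-theft loss by a factor of 12.6, which is the concrete form of the misdirected labor and money the chapter warns about; the independence assumption is what makes the arithmetic simple, and relaxing it (an attacker who scans for exactly the gap you have) is where the practical estimates in later chapters get hard.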

Notice that in our example we talk about the theoretical possibility of calculating precise probability estimates. We will see in the following chapters that what seems possible in theory is often not feasible in practice. This discrepancy between theoretical and practical cyber risk estimations is what makes the cybersecurity space so difficult to navigate, and this is why many businesses, much like TalkTalk in our example, fail to anticipate the oncoming attacks. But before we do this, let us consider who stands behind the various cyberattacks and why cyberattacks occur.