Six months ago, I reported the No. 1 security risk on Americans' minds is no longer terrorism; hackers and viruses outranked terrorism as the nation's No. 1 security threat. U.S. Defense Secretary Leon Panetta has been sounding the alarm on cyber war. In October, he stressed to Time magazine that, "We are facing the threat of a new arena in warfare that could be every bit as destructive as 9/11 -- the American people need to know that." Read on, and I'll explain the growing problem, how you can protect yourself, and the stock I think is best-positioned to gain from battling ever-expanding cybersecurity risks.
The huge rise of cyber attacks
It's no surprise Americans are scared. In just the past six months, we've seen:
- On August 15, Saudi Arabia's state-owned oil company, Saudi Aramco, was hacked with a copycat version of the cyberweapon Flame. The true extent of the hack was never confirmed, though the hackers claimed that 75% of Saudi Aramco's computers -- roughly 30,000 -- were destroyed.
- On September 4, hacker group Antisec leaked 1 million Apple (NASDAQ:AAPL) Universal Device IDs, and claimed to have an estimated 11 million more UDIDs, which they stole from the FBI.
- In September, U.S. banks were first attacked with distributed denial-of-service (DDoS) attacks by the Al-Qassam Cyberfighters, whom many believe to be a front for the Iranian government. The attacks have been basically constant since then, with SunTrust, PNC, Bank of America, JPMorgan Chase, and US Bancorp among those affected.
- Also in September, the White House Military Office was attacked, though the White House said the network was unclassified and isolated.
- On October 26, South Carolina's Department of Revenue revealed it had been hacked, and had 3 million Social Security numbers taken from it.
- In November, after commencing air strikes on Gaza, Israel announced there had been more than 44 million hacking attempts on government web sites in the five days since the operation commenced.
- In December, there was a scare, later proved to be unfounded, that Verizon had been hacked and 300,000 customer records released. The data came from a third-party marketing firm.
- In January, the New York Times (NYSE:NYT) and Wall Street Journal announced they had been hacked by Chinese hackers starting in October, when the New York Times reported that the relatives of China's Prime Minister Wen Jiabao had accumulated a fortune of several billion dollars.
- Also in January, Kaspersky Lab, the Russian cyber security firm that uncovered the cyberweapon Flame, released a report detailing the cyber-espionage network "Red October," which has been actively stealing data since at least 2007.
In just the past two and a half weeks, we've seen:
- 250,000 Twitter accounts hacked
- The Federal Reserve hacked
- The release of account information for 4,000 bank executives by members of Anonymous
- Burger King's and Jeep's Twitter accounts hacked
- Facebook (NASDAQ:FB) announced last week it had been hacked by a malicious mobile developer site
- Even Apple admitted this week it had been hacked
The scary part is that these are just the attacks that have been noticed and reported on. The true number and scope of the attacks on companies will likely never be known.
For the past few years, U.S. companies from Google to Northrop Grumman have been accusing China of waging a cyberwar against U.S. targets; but, without being able to prove 100% that the Chinese government was involved, the Obama administration has only been able to relay concerns to the Chinese government.
Within the U.S. government, Defense Secretary Leon Panetta has been sounding the alarm on cyber war for the past year. It seems that his cries have been falling on deaf ears, as the U.S. Senate killed cybersecurity legislation in November that would have created voluntary cybersecurity standards for companies that are essential to U.S. infrastructure. Not to be deterred, he continues to speak up on the issue, noting earlier this month that:
I believe that it is very possible the next Pearl Harbor could be a cyber attack ... [that] would have one hell of an impact on the United States of America. That is something we have to worry about and protect against.
Other experts are more worried about low-visibility attacks. Former cybersecurity and cyberterrorism advisor for the White House Richard Clarke said last year:
Every major company in the United States has already been penetrated by China. My greatest fear is that, rather than having a cyber-Pearl Harbor event, we will instead have this death of a thousand cuts. Where we lose our competitiveness by having all of our research and development stolen by the Chinese. And we never really see the single event that makes us do something about it.
It looks like that "single event" has finally come to pass, but in the form of two publicly reported attacks.
New York Times Attacked
On January 30, the New York Times published an in-depth account of its battles with Chinese hackers. After the paper published an investigation of corruption in the Chinese government on October 25, its network monitors noticed network "behavior that was consistent with other attacks believed to have been perpetrated by the Chinese military." After trying unsuccessfully for two weeks to expel the hackers, the New York Times hired cybersecurity specialist Mandiant. After tracking the hackers' movements and actions for four months, Mandiant was able to expel the hackers for good from the New York Times' systems in January, at which point the newspaper went public with its account.
Mandiant believed the attack to be the work of a Chinese Cyber Espionage Unit, which it refers to as Advanced Persistent Threat (APT) 12. For its part, China denied any attacks on media organizations, with the Chinese Defense Ministry saying, "It is unprofessional and groundless to accuse the Chinese military of launching cyber attacks without any conclusive evidence."
Evidence of China's Cyber Espionage Organization unveiled to the public
On Tuesday, Mandiant came out with a report on APT1, one of China's Cyber Espionage Units that Mandiant considers to be "one of the most prolific in terms of the sheer quantity of information it has stolen."
We've known U.S. companies are under siege: In the past five years, 27 of the 30 companies that make up the Dow Jones Industrial Average have been hacked or had data breaches. The Mandiant report on APT1 gives us a clearer picture of the threat to U.S. companies by showing the breadth of industries of the 141 organizations APT1 attacked over the past seven years.
Mandiant's report, which can be downloaded from Mandiant, details APT1's attack infrastructure, command and control, and tools, tactics, and procedures. Without getting into the specifics of the report, which I highly recommend you read, Mandiant concludes:
We believe that APT1 is able to wage such a long-running and extensive cyber espionage campaign in large part because it receives direct government support. In seeking to identify the organization behind this activity, our research found that People's Liberation Army (PLA's) Unit 61398 is similar to APT1 in its mission, capabilities, and resources. PLA Unit 61398 is also located in precisely the same area from which APT1 activity appears to originate.
Mandiant believes that APT1 is PLA Unit 61398, which is known to be a unit in the People's Liberation Army's cyber-command. The gauntlet has been thrown down.
The Chinese Defense Ministry vehemently denied the accusations, and said the report "lacks technical proof." On the other side, the Obama administration has raised concerns with senior Chinese officials at the highest levels, and has come out with a comprehensive report titled "Administration Strategy on Mitigating the Theft of U.S. Trade Secrets." It remains to be seen if anything will come of all this.
In the meantime what can you do?
Eight simple tips to boost your cybersecurity
Many of the above hacks could have been prevented by some simple precautions.
1. Use long, complex passwords. By that, I mean at least 12 characters with numbers, symbols, uppercase letters, and lowercase letters. I always suggest that people read this brief article on passwords. It's frightening how many people use simple passwords such as "12345" or "password." A 10-character password with all the above would take the most powerful known brute force password breaker 5.5 years to break, compared to 5.3 hours for an eight-character password.
2. Use two-step authentication wherever possible.
3. Don't reuse the same password across multiple websites.
5. Use antivirus software.
6. Use BillGuard to monitor your credit card. BillGuard is a free monitor for your credit and debit cards (they use the crowdsourced data to create the most advanced fraud monitoring system, which they sell to credit card companies).
7. If you receive a suspicious email, do not open it, especially if it has attachments or links that seem suspicious.
8. If you receive a suspicious email from someone you know, especially if it has attachments or links that seem suspicious, call (do not email) the person to confirm that they sent it.
In the case of email phishing hacks of the variety that APT1 carries out, there's not a lot you can do besides educating yourself. If you're interested, you can read pages 27-30 of the Mandiant report to learn about the relatively simple tactics APT1 used.
My top stock for cybersecurity
Six months ago, I called out Check Point Software Technologies (NASDAQ:CHKP) as my favored way to invest in the cybersecurity space. While the stock is basically unchanged since then, I still like it as the story hasn't changed.
1) No. 3 in network security behind Cisco and Juniper Networks, with an $11 billion market cap.
2) Very profitable, $800 million in FCF.
3) Founded and run by Gil Shwed and Marius Nacht, each with roughly a 10% stake.
4) No debt, $3 billion in cash and bonds on the balance sheet, and buying back shares every quarter.
While there are other interesting stocks in the network security space, none have the low valuation, balance sheet strength, or insider ownership that Check Point does.
Final Foolish thought
Dan Dzombak can be found on Twitter @DanDzombak, or on his Facebook page, DanDzombak. He owns shares of Bank of America and Cisco Systems. The Motley Fool recommends Apple, Check Point Software Technologies, Cisco Systems, Facebook, and Google. The Motley Fool owns shares of Apple, Bank of America, Check Point Software Technologies, Facebook, Google, JPMorgan Chase, Northrop Grumman, and PNC Financial Services.