Cybercrime confusion-not helped by this post

Hi there fellow Fools!

The recent SolarWinds hack has amped up my already strong belief that cyber security was going to grow robustly for years to come…and is why I normally tell young people studying Computer Science, Math, or Game Design to consider this for their future career.

So how big is it? Don’t know but it’s gotten a lot of press lately. The commonly quoted numbers are $3 Trillion per year in 2015, $6 Trillion in 2021 and >$10 Trillion per year by 2025. If true those numbers are mind-numbing! Note that these costs include direct theft, IP loss, costs due to loss of internet service, etc. They do not include cyberbullying, youth predation or a host of other cybercrimes. Only the US and China have a bigger GDP than $6 Trillion per year (Japan is third at $5 Trillion/year). So these numbers would mean that cybercrime is already the third largest economy in the world…if only it had borders.
https://www.investopedia.com/insights/worlds-top-economies/

When I’ve tried to find the original sources for these numbers I failed. Many cybersecurity companies make these claims, and newspapers repeat them. One report claimed that the World Economic Forum (group that puts on Davos) was the source. Here they say something similar but then point back to Cybersecurity Ventures which points back at the World Economic Forum as being the source.
https://www.weforum.org/projects/partnership-against-cyberci…
https://cybersecurityventures.com/cybercrime-damages-6-trill…

Two groups quoting each other seems less than rigorous to me.

The best number I can come up with was calculated by Accenture which reported in 2019 that the aggregate world cost from 2019-2023 would total $5.2 Trillion. Toward the bottom of this page is a link that will get you a copy of the report:
https://www.accenture.com/us-en/insights/cybersecurity/reinv…

These are the numbers actually reported by the World Economic Forum’s Partnership against cybercrime. This looks to be a pretty serious group involving a lot of competent companies. You can download their ‘Insight Report’ dated Nov 2020 here:
https://www.weforum.org/reports/partnership-against-cybercri…

So this cuts down the cost of cyber crime considerably, by a factor of 5, but still…it’s a big number…which implies to me that the TAM associated with the cybersecurity companies we study is probably much larger than currently thought.

The SolarWinds Hack has caused a great deal of turmoil. As a result, US politicians are pushing for government oversight, regulation and perhaps even using it as a central source of appropriately tested software.
https://www.politico.com/news/2020/12/19/how-federal-hack-ha…

The US Government organization most centrally focused on cyber security (not including FBI, NSA, etc. which have substantial capabilities) is the Cybersecurity & Infrastructure Security Agency https://us-cert.cisa.gov/
Their assessment of the SolarWinds hack is available here: https://us-cert.cisa.gov/ncas/current-activity/2020/12/19/ci…
https://us-cert.cisa.gov/ncas/alerts/aa20-352a
https://cyber.dhs.gov/ed/21-01/#supplemental-guidance

Here are several points as I understand them (as a physical scientist, not as a computer scientist…so please recognize that I’m WAY out of my pay grade in this posting).
-They don’t actually know who did the hacking, or how many groups were involved…although there is a favorite suspect. Apparently cybercriminals were selling access to SolarWinds computers through underground forums which might mean that there was a school of predators feeding rather than just a single government entity (https://www.reuters.com/article/global-cyber-solarwinds/hack…)
-They don’t know the extent of the hacking but it is almost certainly much larger than reported and we’ll learn part of that in the coming months. It also isn’t clear whether other software systems had vulnerabilities that were hacked as well…meaning that we don’t yet know if the companies we’ve invested in are fault free.
-The exploited vulnerabilities existed largely in legacy systems…which strengthens the call for Cloud-based security products, software update, and data storage.
-Government software releases will be tested a lot more before release in the future, which will slow and limit government software procurement. For example: NASA’s JPL restricts software distribution until approved, and has done so for a long time. Any growth of government regulation/testing will mostly impact the companies that have a large part of their revenue coming from the government.
-More scrutiny will be given to corporate cybersecurity and software procurement…which probably favors the incumbents (as in: nobody ever got fired for picking IBM).

In summary I think we can anticipate a LOT more turmoil for some months to come…that will provide both risk and opportunity for the companies we follow. Also, I think the cybersecurity TAM has been grossly underestimated (5x, 10x?)…and public exposure from the SolarWinds hack is likely to provide big tailwinds to the growth of Cybersecurity and data analytics companies.

Sorry for being so longwinded. I’m hopeful that it adds more data than noise to the conversation.

Larry (Crowdstrike is my largest holding, so I’m very much hoping that they prove to be a solution rather than a problem)

43 Likes

Hi Larry,
Thanks for the thoughtfully crafted post. I’m also in CRWD, at 24% of port. My also being in NET for 20% I found this interview with Cloudflare CEO/Founder Prince thought provoking, in that so many Fortune 500 are not utilizing zero trust and need to be.

Scroll down to the bottom for a fuller portion of the interview.

https://www.cnbc.com/2020/12/18/cloudflare-ceo-says-zero-tru…

Jason

4 Likes

-The exploited vulnerabilities existed largely in legacy systems…which strengthens the call for Cloud-based security products, software update, and data storage.

Legacy systems are very immune, by Legacy I’m talking about systems like IBM Z/OS which came from 390/OS, VMS and a host of others. Linux is fairly immune however right now hackers are starting to attack it since it runs many NAS/SAN (consolidated storage for all your servers in one bucket). If you want to be safe run old Legacy systems or unplug - it’s that simple. A lot of our data and the Government’s does NOT need to be connected to the internet. Would you plug a wire from your house to the internet allowing hackers to control your windows and doors? If you said yes, sorry you are a “fool” pun intended. It amazes me how many people, companies etc. allow a few wires or clear tiny fiber tubes to give access to anyone on the planet to that information.

The “cloud” - really dislike that term, it’s the INTERNET - will be hacked, has been hacked.
For example - MS Azure Hacks https://www.hackread.com/microsoft-azure-hosted-subdomains-h…

As more and more data moves to these “secure services AKA the cloud” they will become prime targets. I have heard of people’s AWS data being hacked and it created a huge bill from Amazon. Some were able to negotiate it down however others had to pay in full. Amazon does not cap their charges so hackers can run up a nice bill for you.

Here is a finger pointing game between AWS and Capital One:
https://www.usatoday.com/story/tech/talkingtech/2019/07/30/a…
Who knows what really happened but just because you use AWS or some other wonderful online service does not make your information safe.

How many of you are using a computer to visit this message forum and are on a company network, or a home computer that houses some documents with sensitive data? Guess what - it’s not safe. One of my favorite companies for security unfortunately is not Public. Bitdefender. Should it go public I’ll be in line to buy. Their managed Gravity Zone product is unusual and great stuff - however again nothing is immune.
There are many companies in the security realm, however focus has changed from security to how can I back up my data quickly as much as possible keeping several versions safe that I can restore from quickly. Companies like Pure, Nimble, Veeam and a host of others are where I would pay close attention when investing in this realm. Look for companies developing proprietary file systems that are “immutable”. These companies will gain traction quickly however at some point adopted so quickly they could also become a commodity. In the end whenever you jump ahead of the hackers you are only safe until they figure out how to defeat it.

Somewhere I saw a file system replacement driver someone developed for Windows that made a copy of the file “on write” that would put an end to this from what I understand. Even with this I can see the copies being made endlessly until you run out of space and crash the system but at least your data is safe. Can’t find the link right now.

5 Likes

A lot of our data and the Government’s does NOT need to be connected to the internet.

This is what I don’t understand. Why is our most critical infrastructure on the internet? Why not run dedicated fiber or whatever and make it an intranet for that system?

eric2800

1 Like

This is what I don’t understand. Why is our most critical infrastructure on the internet? Why not run dedicated fiber or whatever and make it an intranet for that system?

Hopefully we can discuss this a little without getting the thread locked so I’ll say something here.

Some of our systems are like that, some are “air gapped” meaning no physical connection to another network or internet. In this case someone has to be physically present to contaminate the data. There isn’t any wifi either.

We are lazy creatures of convenience and profit for the most part (generalizing here, not everyone). I want email at my desk, ability to surf the web, access to our ERP systems, payroll and while I’m in Tibet I expect to have remote access to all of that via my cellphone, tablet and desktop computer. This is a recipe for disaster but it’s very convenient.

1 Like

How many of you are using a computer to visit this message forum and are on a company network, or a home computer that houses some documents with sensitive data? Guess what - it’s not safe.

Hi Canonian,
I think that’s the whole point though. WFH, E-commerce, self-driving cars, gaming, earthquake detection, astronomical observations from a central telescope (my point here is that the use cases are hugely varied) all depend on the ability to communicate with disparate systems between varied locations. I’ve worked on many projects where 3 or 4 dozen countries made substantive intellectual contributions…and so large amounts of data (many Terabytes) were exchanged or made available to all in the consortiums. There is so much money/opportunity enabled by these capabilities that they will grow rapidly…and so vulnerabilities will exist. Hence the spy vs spy competition to find new weaknesses and to fix them. Legacy systems, and siloing, simply aren’t sufficient.

I don’t see this as a problem for highly classified systems. All of the ones I’ve worked on are completely cut off from the rest of the world (or any other part of the same organization for that matter). Rather, it is civilian systems and the open government ones where the ability to connect to anyone at any time is the central enabling capability for their existence. That’s where there is a huge opportunity for companies that can protect these exchanges of information.

The Amazon hack was at least partially enabled by an employee who shared legitimate credentials with criminals. Whether through ignorance, stupidity or venal intent, this is always going to be a risk. The cybersecurity goal in that case is to recognize inappropriate behavior by the individual whose credentials were used as quickly as possible. People are nearly always the weak link in the end.

Will these changes to both market needs and procurement processes help or hurt the companies I’ve invested in? How will corporate procurements change due to the realization by senior managers that their very livelihood is at risk? Government procurements will likely be significantly affected with centralized distribution (hence the article’s reference to moving everything to the cloud, and my repetition of it). Doing this allows organizations to reach into every device and force updates as soon as they have been approved. This latter capability can even modify the software more fundamentally. As an example: I can receive, but no longer schedule, Zoom meetings on my government funded computer, after they stripped that capability away during an update a couple of months ago. Will these changes to both market needs and procurement processes help or hurt the companies I’ve invested in?

As you note, there are a bunch of companies (like Bitdefender) that are going to find opportunity, and successfully compete with the ones we are already invested in. As you also noted ‘In the end whenever you jump ahead of the hackers you are only safe until they figure out how to defeat it.’ and therein lies opportunity.

Living in interesting times,
Larry
Long (I hope) in Crowdstrike, Cloudflare, etc.

1 Like