With gasoline once again flowing through the Colonial Pipeline network, consumers will soon forget about the ransomware attack that disrupted gas supplies on the East Coast for about a week, starting May 7. But Americans are increasingly paying the cost of ransomware attacks and other types of cybercrime, as a sort of hidden tax that would generate outrage if it showed up on a bill in the mail.
After a group called DarkSide disabled Colonial’s computer network, the company reportedly paid nearly $5 million in ransom for tools to unlock its system, according to Bloomberg. So what? It’s a big company with plenty of cash that can afford to pay for its own mistakes. It may even have had cybercrime insurance that covered the cost.
The so-what, however, is that companies pass on costs to consumers whenever they can. And the costs of cybercrime are mounting, for everybody. Holding businesses digitally hostage is now so lucrative that it’s a whole new field known as “ransomware as a service,” or RaaS. In 2020, there were nearly 2,400 ransomware attacks on government agencies, schools and health care facilities. That doesn’t include businesses. Much of the time, victims pay up without acknowledging the breach, to avoid revealing a vulnerability, or out of plain embarrassment.
Data theft is big business
Ransomware, data theft and other types of digital crimes have grown from a niche activity into a giant industry that will cost the world economy about $6 trillion this year, according to Cybersecurity Ventures. The United States accounts for 24% of world GDP, so if we bear the same portion of the world’s cybercrime burden, that’s $1.4 trillion per year, or $5,400 for every American adult.
That’s not $5,400 that comes out of everybody’s pocket, but it’s money companies spend on cybersecurity and remedial efforts and, occasionally, ransoms. Some of that is money companies would have to spend anyway, to keep computer networks up to date. But some of it is money they might invest more productively, if they weren’t fending off criminals at every node. This kind of preventive spending typically lowers growth and job creation. The cost is hard to spot because it amounts to jobs not created and wages that don't rise.
The DarkSide hackers are supposedly shutting down their operation, for reasons that are unclear. President Biden said the group operates out of Russia, and it's possible the U.S. government leaned on Russia to exert pressure on the group. It's also possible DarkSide didn't want the publicity associated with the Colonial hack, and is simply going underground for a while. Hacking groups excel at Whack-a-Mole, often disbanding and resurfacing in slightly different form.
Cybercrime will boom, regardless. It's so routine now that DarkSide operated like a normal business, promoting its hacking tools on the dark web to “clients” and taking a cut of 10% to 25% of whatever ransoms those clients collected. One analyst likened it to McDonald’s, in the way it provided core products to franchisees who do the actual hacking, while assisting with web hosting and other services.
It’s not clear if Russian authorities could shut down DarkSide if they wanted to. And they may not want to. Russia actively promotes chaos in the societies of its democratic adversaries, and it may not mind at all if Russian hackers are sticking up American and European companies. DarkSide also seems to avoid targeting Russian firms, to stay on the right side of its host government. So if the Russian government is suppressing the group, it might tacitly allow its resurgence, once the Colonial incident blows over.
Biden signed an executive order on May 12 meant to improve cybersecurity throughout the U.S. economy. That was in the works for some time and wasn’t directly related to the Colonial Pipeline hack. In response to recent attacks such as the 2020 SolarWinds breach, Biden has placed new emphasis on cybersecurity.
The new order will establish cybersecurity standards software vendors such as Microsoft and many others will have to meet to sell to the federal government. The White House hopes those same improved security features will appear on consumer versions of the software, patching holes nationwide. There will also be new federal efforts to probe breaches and recommend fixes.
That could help, but it won’t have the force of law requiring businesses and other organizations to beef up cybersecurity. Congress has tried to do that before, and failed, with some businesses saying it would impose unnecessary costs. But we’re all bearing unnecessary costs, from pricier goods to disrupted routines. Those costs seem likely to keep rising.
Rick Newman is the author of four books, including “Rebounders: How Winners Pivot from Setback to Success.” Follow him on Twitter: @rickjnewman.