In October, FBI director James Comey no doubt caused a sleepless night for many an executive when he told CBS' 60 Minutes that "there are two kinds of big companies in the United States … those who've been hacked by the Chinese and those who don't know they've been hacked by the Chinese."
Comey was saying, more or less, that every U.S. corporation has already been attacked—a fact that lengthens the list of brands whose high-profile breaches have made news lately, among them Neiman Marcus, The Home Depot, Dairy Queen, Target and Kmart. According to research from cyber security firm Trustwave, large retail brands now make up close to half of the hacking targets out there.
But behind the headlines and the fear of stolen identities, observers say there's something even darker going on. In the old days, hacking used to be about making mischief and stealing money. Hackers who targeted "America" mostly attacked federal agencies. Today, increasingly, it's companies that symbolize America on the global stage, and attacking the U.S. means attacking its brands. Are we experiencing an age of brand terrorism?
Herjavec believes that hacking has entered a new stage in which the perpetrators are state actors whose goals have moved beyond mere larceny. "In the last 24 months, we've been seeing an absolute surge of state-sponsored cyber attacks," he said. "We're no longer dealing with individuals who want to steal your money. We're dealing with foreign national governments that want to hurt America." And in an age of viral content, there are few better ways to make the country look vulnerable than to cut down its famous brand names.
Nobody's arguing that money isn't behind at least some of the high-profile hacking. The malware implanted in Target's mainframe just before last year's holiday shopping season siphoned off as many as 40 million credit card numbers. The attack on The Home Depot two months ago affected 56 million. But according to Herjavec's data, only 40 percent of computer attacks are financially motivated.
Indeed, while stolen credit card data always makes for good-news copy, the motivations of several well-publicized breaches clearly ran deeper. The attack on JPMorgan Chase discovered this August has been linked to the Russian government. Experts also believe that Axiom, a state-sponsored hacker group based in China, was behind the 2010 attack on Google.
According to the FBI, state-sponsored cyber attacks are often launched to steal intellectual property, but the chaos caused by a breach has become an end in itself. Speaking at a symposium held at New York's John Jay College of Criminal Justice earlier this month, K2 Intelligence executive director Mitchell Silber observed that "the difference between where a cyber criminal hack ends and where some type of state or states-sponsored event begins" is becoming "murky."
Which isn't just bad news for the country, but doubly bad news for brands. Not only are they liable for the fiscal consequences of a hacking (some $34 million in The Home Depot's case), but their names also become linked to the public fear that inevitably arises from a high-profile breach. Rex Whisman, founder and chief strategist of the Denver-based BrandED Consultants Group, observed, "Security is going to increasingly be a part of the associations consumers make when they hear and see a brand name."
Facing that kind of pressure, it’s little wonder that marketers are scrambling to shore up their defenses—a task made more difficult, Whisman said, because "safety and data breaches weren't necessarily part of the [original] brand strategy." A recent Trustwave study suggests how much work remains to be done. Some companies are still using off-the-shelf software in frail hopes of detecting sophisticated malware. It doesn't help that a large number of IT departments still use laughably easy passwords to protect corporate information.
No brands can bolt all the doors that the Web permits entry to, but until they seal more of them, they'll be vulnerable to what Herjavec called "terrorist factions who attract young, idealistic, tech-savvy people" into their ranks. "What companies don't realize is that we're fighting a cold war," he added, "just like we did in the 1960s with the Russians."