The alleged GoDaddy cyber-terrorist attack, which happened on September 10, 2012, brings to the forefront how easy and realistic it is for hackers or cyber-terrorists of any association to negatively affect a massive amount of people. Despite the statements from GoDaddy that they were not brought down by the hackers:
“The service outage was not caused by external influences…It was not a ‘hack’ and it was not a denial-of-service (DDoS) attack. We have determined the service outage was due to a series of internal network events that corrupted router data tables. Once the issues were identified, we took corrective actions to restore services for our customers and GoDaddy.com. We have implemented measures to prevent this from occurring again.”
The group ‘Anonymous’, the online terrorist organization, claimed responsibility on Twitter. The struggle that the United States Securities and Exchange Commission (SEC) faces now, and in the future, is trying to design new policies for internet businesses that protect investors. This presents many new challenges for regulators and publically listed internet companies.
GoDaddy, a webhosting service that hosts domains and emails, was down for several hours Monday afternoon that affected 10.5 million customers. The alleged GoDaddy attack by the cyber terrorist organization, known as Anonymous, was a topic of recent discussion on The George Jarkesy Show. Whether this was an attack or a glitch it’s a good time to discuss the issues that are facing internet companies and the investors who may buy their stock.
According to General Keith Alexander, head of the National Security Agency and U.S. Cyber Command, at a July conference, cited data that cyber-attacks on U.S. computer networks rose 1700% from 2009 to 2011. Additionally, global businesses spend $10 billion a year to fight cyber-attacks according to a study by experts recruited by the British Ministry of Defense, “Measuring the Cost of Cybercrime,” that was presented in June.
The SEC is responsible for enforcing federal securities laws regulating the securities industry. They are typically viewed as an organization whose purpose is to make sure that investors are informed when making investment decisions. As the global economy becomes more competitive and as technology changes the business environment, this increases the challenges for the SEC at a rapid pace. It is becoming increasingly more difficult to balance informing investors, protecting trade and business secrets, protecting system information and manipulation from unknown cyber-terrorists.
The perceived need for the disclosure of risks has evolved into de facto rules from the SEC for many Internet companies. Companies like Google (GOOG), and Amazon (AMZN) that have now been compelled by the SEC to disclose when their systems have been hacked. This poses many issues for the SEC, the companies, and their shareholders. Let’s start with what is a material breach? It would probably be different for Google than a small cap company or it may be levels of risk, like a lower level breach which is not as important, and doesn’t carry as much financial risk as a customer information breach.
Then there are the issues of corporate espionage from companies that don’t play by the same rules as companies based in the United States.
This clearly gives foreign competitors strategic targets and maps as to the weaknesses in a company’s systems. There is also the risk to companies that hackers are hard to find; our government secrets are not even safe from hackers. Hackers could attack systems just for the purpose of financially weakening the company against competitors or foreign governments. Hackers could also attack the company to manipulate the stock and short it. When the breach is disclosed and the stock or the sector experiences selling pressure the hackers cash in for profits.
There is real increased financial and operational risk from cyber-attacks and security breaches, and investors need to have good disclosure so that they can make informed decisions. It is clear there is risk, what is unclear is how big the risk is and how much should be disclosed for an investor to make an informed decision.
What is equally unclear is the long term impact these disclosures will have on the business of U.S. Internet companies. The two edged sword is protecting investors is positive; at the same time; it also exposes U.S. Internet companies to new threats and challenges.