In a threat report published by the U.S. director of National Intelligence earlier this year, cyberattacks were listed first among global threats, above both terrorism and weapons of mass destruction. “We foresee an ongoing series of low-to-moderate level cyber attacks from a variety of sources over time, which will impose cumulative costs on U.S. economic competitiveness and national security,” the report reads. “During 2014, we saw an increase in the scale and scope of reporting on malevolent cyber activity that can be measured by the amount of corporate data stolen or deleted, personally identifiable information (PII) compromised, or remediation costs incurred by U.S. victims.” According to the security firm Gemalto, an estimated 1 billion records worldwide were compromised in 2014.
David Burg, the head of global and U.S. cybersecurity at PricewaterhouseCoopers, says that public data breaches—like the high-profile hacks of Ashley Madison, the Office of Personnel Management, and Sony Pictures over the past year—comprise just a small portion of the hacking activities that take place. Attacks that relate to payment cards, PII, or protected health information are publicized because of mandatory breach-disclosure laws, but “most of the cybercrime that occurs, which is of the economic-espionage variety, is never made public,” he says. “Attack activity is very big business. You’re talking trillions of dollars in wealth being transferred globally.”
In response, some large companies have allocated more money to protect themselves against hacks. According to a PwC report, American companies’ cybersecurity budgets have grown twice as much as their information-technology budgets over the past two years. Some companies hire external information-security professionals like Rock to undertake what’s known as penetration testing—attacking their software systems, as malicious hackers would do, in order to expose weaknesses. Others use “bug-bounty” programs, which pay freelance hackers for each previously unknown software vulnerability they uncover.
These programs may be run in-house—Google, for example, has had its own bug-bounty system since 2010 and pays up to $20,000 for a single bug—or outsourced to separate companies like HackerOne and BugCrowd, which connect hackers with clients and take a cut for each bug found.
Alex Rice, the chief technology officer of HackerOne and the founder of Facebook’s product-security team, says that HackerOne’s global network includes just under 2,000 paid hackers, many of whom hold full-time jobs and pursue their hacking projects on the side. And Jay Kaplan, the CEO of Synack—which offers clients a subscription-based system of protection—says his hacker base, which spans 35 countries, is mixed: Some are moonlighting, but others support themselves entirely from white-hatting, especially in less developed places like China, India, and eastern Europe. Payments for hackers, Kaplan explains, can vary widely depending on the project: “The market rate is dictated by how widespread an issue is and what the relative impact is to an organization.”