Importantly, it also demonstrates how victim organizations struggle in response, experiencing the four stages of cyber security grief. Perhaps the most impactful breach since Sony was hacked, the DNC cyber attack is a unique convergence of digital technology, politics and market opportunities.
Detecting the Intrusion
While news of this cyber breach was first reported on June 15th, the FBI had warned the campaign of a potential intrusion as early as last November, months before the DNC took action. The deferment of action is a characteristic behavior of victimized institutions, as they simply do not have the resources or information to mount an adequate response. In fact, 80% of cyber-attacks are not even detected for a week or more after the incident. This lack of awareness is one of the reasons a cyber-breach can be so economically costly.
Only in April did the Democratic National Committee turn to private security firm Crowdstrike. This delay reflects the uncertainty, almost a “fog of war,” decision makers must contend with following a data breach. Moreover, the decision to turn to external security consultants is not uncommon, as an organization that cannot detect a breach invariably does not have the expertise to expunge cyber threat. In fact, only one in five IT bosses within major corporations are confident they are fully prepared for a cyberattack; this lack of internal resources represents a compelling opportunity for cyber security providers.
After exhaustive efforts, by June the security analysts were able to evict the malicious actors from the DNC networks. For nearly a year, malicious actors enjoyed full access to all DNC emails, communications and documents, operating utterly unopposed for the majority of that time. Indeed, the sophistication of the attack suggests the direct involvement of foreign nation-states. The tragedy, however, of relying on ex post facto cybersecurity investment, is that it cannot restore the value of compromised Intellectual Property or trade secrets. While 93% of cyber-attacks take only minutes or less to perpetrate, the resulting economic damage is enduring.
The final act of this cyber catastrophe played out when over 27,000 documents from the breach were released by the mal-actors via WikiLeaks on July 22nd. Often a critical decision of a cyber-vandalized organization is whether, and when, to issue a statement disclosing the nature and severity of the data breach. While commercial organizations may frequently notify the public immediately, often data breaches of governing institutions are announced only months after control has been restored, if at all. In this case, however, the hackers preempted the DNC’s ability to provide a full and complete disclosure. Additionally, on August 12th private information from 200 Democrat officials was published online, suggesting their networks have been penetrated as well.
The Market Opportunity
Throughout the stages of a cyberattack, a recurring theme is how feeble and under-resourced the targeted institution is. With these realizations, investment into cyber security has undergone a renaissance recently. Over the last month, Venture Capital activity in cyber has accelerated, with startups Guardicore, Skycure and Indegy raising a collective $48.5 million. On July 25th, StackPath raised an impressive $150 million in Series A financing, one of the largest deals in the industry’s history. For these companies, cyber-defense may be about more than just security; it may also represent opportunity.
Editor’s note: ETF investors looking to gain exposure to the cybersecurity sector should consider the PureFunds ISE Cyber Security ETF (NYSE:HACK). HACK has an expense ratio of 0.75% and has gained about 4% year-to-date. Launched in 2014, HACK has gathered more than $767 million in assets, and offers exposure to a wide swath of the cybersecurity sector.
About the Author: Ryan Giannotto
Ryan Giannotto is the lead research analyst at PureFunds®, where he focuses on research into the industries underlying the firm’s ETFs. Giannotto has worked as an analyst at Tudor Investment Corporation, and he earned his bachelor’s degree in Economics and Philosophy from Boston College.