Hacker attack costs rise FBI, CSI: Verifiable losses due to poor security top $265M in 1999 March 22, 2000: 7:30 a.m. ET

SAN FRANCISCO (Reuters) - In a year that saw some of the Internet's best known sites seriously hit by hacker attacks, few computer users would question that cyber-security is a pressing concern.

In an annual survey issued on Wednesday, the FBI and the San Francisco-based Computer Security Institute showed just how pressing: total verifiable losses in 1999 more than doubled to up to top $265 million, while more than 90 percent of respondents reported detecting some form of security breach.

Security experts say a large number of attacks go unrecognized, and the total is hard to assess, with companies reluctant to admit they've been vandalized. But the annual survey gives a clear picture of a worsening problem.

"The trends are continuing in the same direction. It's going from bad to worse in terms of threats from the outside, while the threat from the inside doesn't go away," said Richard Power, CSI's editorial director.

The fifth annual survey of computer crime and security polled some 640 corporations, banks and government organizations about the state of their computer systems. Only 42 percent of these respondents could put a dollar figure on what the attacks cost them -- but this figure, at $265 million, was more than double the average annual total over the last three years.

While the most common threats -- computer viruses, laptop theft, or employee "net abuse" -- continued apace, at least 74 percent of respondents reported more serious security breaches including theft of proprietary information, financial fraud, system penetration by outsiders, data or network sabotage, or "denial of service" attacks designed to take websites out of commission.

Information theft and financial fraud caused the most severe financial losses, put at $68 million and $56 million respectively. But "denial of service" attacks, like the ones that temporarily paralyzed Yahoo!, eBay, Buy.com, and several other websites in February, are also a growing problem, Powers said. Losses traced to denial of service attacks were only $77,000 in 1998, and by 1999 had risen to just $116,250. The new survey, which reports on numbers taken before the high-profile February strikes, showed quantified losses up at more than $8.2 million. "The denial of service showed that many sites are way, way understaffed and not adequately secured," Powers said. "Maybe a half a dozen sites were attacked in that attack, and 150 sites were hacked into to launch the attack. There is a widespread insecurity among corporate sites and government sites and the problem is not just technological, it is human. There are not enough people working on it."

Bruce Gephardt, in charge of the Federal Bureau of Investigation's northern California office, said the survey revealed how quickly computer security is becoming a major problem faced by law enforcement, and how more staff was needed to fight it. "If the FBI and other law enforcement agencies are to be successful in combating this continually increasing problem, we cannot always be placed in a reactive mode, responding to computer crises as they happen," Gephardt said in a news release.

Copyright 2000 Reuters All rights reserved.

http://cnnfn.com/2000/03/22/technology/wires/hackers_losses_wg/

-- Martin Thompson (mthom1927@aol.com), March 22, 2000