Where the money is… or was
Yesterday was Tax Day in the United States, when we file our federal income tax returns. This has been an odd tax season in America for reasons that aren’t at all clear, but I am developing a theory that cybersecurity failures may shortly bring certain aspects of the U.S. economy to its knees.
I have been writing about data security and hacking and malware and identity theft since the late 1990s. It is a raft of problems that taken together amount to tens of billions of dollars each year in lost funds, defensive IT spending, and law enforcement expenditures. Now with a 2014 U.S. Gross Domestic Product of $17.42 trillion, a few tens of billions are an annoyance at most. Say the total hit is $50 billion per year, well that’s just under three tenths of one percent. If the hit is $100 billion that’s still under one percent. These kinds of numbers are why we tolerate such crimes.
One summer when I was in college I worked in the display department of a Sears store, helping a Latvian carpenter named Joe Deliba. When we needed more nails Joe sent me to take them from the hardware department. We stole as many of our materials as we could from the store, which chalked the losses up to shoplifting even though they were really going into a new display in Ladies Dresses. The store expected a certain level of losses, I was told, and as long as they stayed under about five percent it didn’t matter. I suspect that five percent number shows up in a lot of financial statements at places like banks and credit card companies where it is considered just a cost of doing business.
When PayPal was getting started back in the Peter Thiel and Max Levchin era the company had to absorb a significant amount of theft losses as they figured out their payment business, which ultimately came to be a huge security software suite with some money attached. At one point I was told PayPal had absorbed $100 million in losses, which for a company bankrolled by Sand Hill Road is a lot of moolah. But they figured it out and made it through.
The question I have today is whether we as a nation are at risk of not figuring it out or not making it through?
The past 12 months have been brutal in terms of personal and corporate financial information losses in America. There have been so many hacking cases -- from Anthem to Target and a hundred others in between -- that their names no longer matter. What matters to me is in the past year I have had to replace half a dozen credit or debit cards and received four offers of identity theft protection services paid for by affected companies or government agencies. Government agencies!!!
Now factor into this what we’ve learned so far from Edward Snowden -- that our own government also takes our information and their methods of controlling access to it are pretty pathetic.
We know from all these hacking cases a lot more than we used to about when and how our data can be taken. We still don’t know much about the extent of actual financial damage because to date it’s been beneath that five percent limit set down at the Sears store. Banks are presumably losing billions every year but that’s okay, I guess, because they are making even more billions. It makes me wonder, though, how easy it might be to say something was a theft when it’s really some banker’s second home in the Hamptons. It’s just a thought.
There is definitely something going on that’s different this year. It’s not just the increased number of ID thefts reported (two million I’m told -- just since February 15th!).
The Sony hack showed the sophistication of these attacks is well beyond the technical skills of most companies and government agencies. Cyber criminals can purchase the code and assistance they need over the Internet. The currency of choice is Bitcoin, because it is anonymous. These are significant -- and disturbing -- changes. But there’s more.
I get an inkling of it in my own dealings with the Internal Revenue Service. It’s not just that Congress has so cut the IRS budget that they can’t effectively enforce the tax laws anymore: I think the game has changed or started to change and the feds are scared shitless as a result. Here’s the least of it from a credible source: "It now seems very possible they stole data directly from the IRS and/or Social Security Administration. This attack appears to be huge. We could all be getting new tax ID numbers this year and next year we may all be filing our taxes by mail again".
But wait, there’s even more! The traditional cyber theft mechanisms are hacking the system to steal minute amounts from many transactions; using identity theft to get false credit cards or file bogus tax returns with refunds, or; gaining account numbers and passwords and simply draining bank accounts. The techniques for all these are well known and the loss thresholds have evidently been acceptable to the government and the financial system -- again below five percent.
It’s simply too difficult to do enough of these thefts to exceed five percent before being detected and shut down. And so the system has long had an awkward equilibrium.
Willie Sutton, the famous bank robber, said he robbed banks because "that’s where the money is". For the most part cyber theft to this point hasn’t been where the money is. It has involved relatively complex frauds involving not very big amounts of money.
What if that has somehow changed?
One fear I heard expressed many times last year was that this year we’d see a tsunami of fraudulent tax returns in January, but the IRS claims that hasn’t happened. But something else has happened, I assure, you, because people I talk to in this area on a pretty regular basis are suddenly even more paranoid than usual.
At this point certain readers will come to the conclusion that I don’t know what’s happening, that possibly nothing is happening, that I’ve jumped the shark and it’s time to stop reading old Cringely. Maybe so. But all that I can say in defense is that Snowden showed we have an extensive and fairly incompetent cyber security bureaucracy dedicated as much to keeping us in the dark as keeping us safe as a people. If something were going terribly wrong -- if something is going terribly wrong -- would they tell us?
Forget about bad tax returns and fake credit cards. What if what’s been compromised are the real keys to the kingdom -- literally the accounting records of banks, sovereign funds, and even governments? A criminal could steal money, I suppose, or they could simply threaten to destroy the accounting data as it stands, casting into doubts all claims of wealth. What makes Bill Gates richer than you or me, after all, but some database entries?
I have reason to believe that the game has been compromised and significant change has to follow. Whatever tools we use today to determine who owns what and owes what are probably in danger which means new tools are coming. And with those new tools the financial system and the financial regulatory system and the data security system will probably change overnight.
I tell you it’s happening. I’m sure there are readers here who know about this. Please speak up.