Welcome to the Capital Note, a newsletter about business, finance, and economics. On the menu today: the hackers that halted meat production, institutional investors adapt to new a macro landscape, Dogecoin rallies, and the White House CEA on how to combat cyberattacks. To sign up for the Capital Note, follow this link.
If the ransomware attack on Colonial Pipeline Co. — which spurred a mea culpa from hacker syndicate DarkSide for “creating problems for society” — represented a kinder, gentler form of cybercrime, yesterday’s attack on Brazil-based beef producer JBS marks a return to normalcy. The shutdown of a quarter of the United States’ beef production is not the work of environmental activists; REvil, the group believed to be responsible for the attack, is among the most belligerent hacker syndicates in the world.
The group, which is based in a former Soviet republic and is said to be harbored by the Russian government, has reportedly collected $100 million in payments by targeting the likes of Donald Trump, Lady Gaga, Madonna, and Apple, Inc. REvil’s predecessor, GandCrab, wrote in a 2019 farewell message, “We are a living proof that you can do evil and get off scot-free.” The group is believed to have reconstituted under the name REvil after GandCrab shut down. Despite the new name, the hackers have maintained their core competency in doing evil.
Most recently, REvil breached Taiwan-based Apple supplier Quanta Computer, threatening to leak Apple’s designs if the company did not pay a hefty ransom. After initially leaking some of Apple’s designs, REvil removed the threat from its website. While it is unclear how the extortion attempt was resolved, experts told CNBC that the attack could “presage a new era of emboldened ransomware attackers who are protected by Russian leader Vladimir Putin and empowered to take on the biggest companies in the world.”
Indeed, REvil has escalated the ransomware game in a string of “big game attacks” against multinational corporations including Acer, Pierre Fabre, and Asteelflash, demanding as much as $50 million, a significant increase from the roughly $700,000 it demanded in the past. Such large ransom requests mark a shift in so-called Ransomware-as-a-Service (RaaS) operations, which historically requested payments immaterial to large corporations.
It also explains why ransomware attacks, long kept quiet by targeted firms for fear of reputational damage, have started making headlines. Growing ransoms mean that paying off hackers is no longer the default choice, and companies such as JBS and Colonial whose business functions are compromised by hacks are forced to halt operations irrespective of whether they plan to pay the ransom.
JBS said it expects most of its plants to resume operations on Wednesday, and while the halt pushed up the prices of beef and pork, it is unlikely to have a lasting impact. For its part, the White House issued a statement saying it was “engaging directly with the Russian government on this matter and delivering the message that responsible states do not harbor ransomware criminals.”
While policy-makers face an uphill battle in shoring up private-sector cybersecurity, they scored a victory last month when DarkSide reportedly shut down after losing access to servers. The group’s website was taken offline in the days following the Colonial attack. In the long run, though, action against criminal groups will not shore up systemic vulnerabilities. Congressional representatives and chief executives will have to take preventative measures to ensure that these attacks do not become commonplace.
“Falling interest rates were the engine of a twin bull market. You couldn’t lose for 40 years. But that game is over now, so what do you do?” said Stan Miranda, chair of Partners Capital, which manages $40bn on behalf of endowments, family offices and charities . . .
Most investors are increasing allocations to alternatives to counter the dimming outlook for mainstream markets, notes Mohamed El-Erian, a former head of Harvard’s endowment. “The reasons these vehicles have gotten so popular is that they allow you to use leverage without showing that you’ve used leverage, because it is within the vehicle itself,” he says. Some industry insiders fret that doubling down on trendy areas will at best erode their returns, and at worst prove dangerous, fuelling bubbles.
Dogecoin got a new lease on life Wednesday, with the price rallying sharply after Coinbase Global Inc. said it would allow users to trade the joke cryptocurrency on a platform that is geared toward more experienced investors. Fresh tweets from Tesla CEO Elon Musk also provided a catalyst.
The price of dogecoin jumped 21% from its Tuesday 5 p.m. ET level to trade near 41 U.S. cents, its highest in about two weeks, according to CoinDesk. That gives the cryptocurrency, which was designed to serve no real purpose, a market value of about $53 billion. Still, it has lost almost half its value from its May peak.
A 2018 report by the White House Council of Economic Advisers explains why the private sector remains vulnerable to cyberattacks:
Cybersecurity is a common good. Thus, weak cybersecurity carries a cost not only to the firm itself but also to the broader economy through the negative externalities imposed on the firm’s customers and employees and on its corporate partners. When the PII of a firm’s employees and customers is stolen, in the absence of penalties and mandatory customer protections, the burden of the costs falls on customers. A malicious cyber activity directed against a particular firm could also have a negative spillover effect on other firms connected to the firm through the supply chain, business partnerships, or other firms with similar business models. Because the costs are not borne by the compromised firm, they represent negative externalities.
The CEA found that, in addition to law-enforcement measures against criminals, the government should implement regulations to incentivize firms to prevent breaches, as well as setting cybersecurity standards and fostering international cooperation on cyber protection:
Government involvement in improving cybersecurity can take many forms. A number of regulations push firms to internalize the externalities associated with lax cybersecurity, for example, by mandating disclosure and by penalizing firms for certain data breaches, as exemplified by the SEC 2011 Cybersecurity Disclosure Guidance, DOE’s Electric Emergency Incident and Disturbance Report (DOE 2017), and the EU’s General Data Protection Regulation (GDPR 2017). The government can also facilitate information sharing, such as through the Department of Homeland Security’s Automated Indicator Sharing (AIS) Program (DHS 2016).
Standard-setting is another path to ensure that companies are aware of best cybersecurity practices. The NIST Cybersecurity Framework, which recognizes five critical functions for managing cybersecurity risk: to identify, protect, detect, respond, and recover from cyber risks, creates a common lexicon for cybersecurity issues. It is an example of a standards tool that was originally targeted for critical infrastructure but then adopted by the broader government community (including other counties, such as Italy) and increasingly by the private sector (NIST 2017).
To sign up for the Capital Note, follow this link.