The writer is a fellow at the American Enterprise Institute, a think-tank.
Cyber attacks frequently cause the share price of companies to fall. That has long made criminals salivate at the prospect of cyber attacks accompanied by short selling. Now they may be getting their chance. Cyber weapons — often deployed by hostile states — are becoming extremely sophisticated, and governments struggle to contain them. Shorting accompanied by hacking is now a real threat to business.
Seven years ago, Andrew Auernheimer — who had just had a conviction for hacking overturned by a US appeal court — announced that he was launching a hedge fund to target companies with “information security liabilities”. It would flag up liabilities, allowing investors to short stock ahead of apparently inevitable hacks. At the time, hacking didn’t bring big scalps and thus gave little room for shorting.
Today, cyber weapons operate in a different league. Countries have developed offensive skills and tools so exceptional that last year a group allegedly linked to the SVR, Russia’s Foreign Intelligence Service, infiltrated large parts of the US government through a hack on IT company SolarWinds. Many western governments have similarly sophisticated tools and operators that they use against rival governments.
Unfortunately, the skills are unlikely to remain fully under government control. “States beyond the four that have posed the most significant threat so far [Russia, China, Iran and North Korea], or criminal groups, will seek to acquire and use potent cyber attack capabilities recklessly,” Ciaran Martin, then chief executive of Britain’s National Cybersecurity Centre, wrote. He said that prospect kept him up at night.
Professor Martin, now at Oxford university’s Blavatnik School, told me: “The proliferation of dangerous cyber weapons is a serious risk that doesn’t get enough attention . . . Some companies can already sell quite dangerous services quite legally to anyone willing to pay. And state [cyber] capabilities can be leaked, lost, sold or stolen more easily than most physical weapons.”
Indeed. Compared with nuclear proliferation, cyber is easy. While western governments’ cyber operators are unlikely to go rogue, experts working for an authoritarian state could well defect to the dark side. In 2016, an Isis-linked group calling itself the Cyber Caliphate claimed to have hacked France’s TV5 Monde, leaving security services perplexed at Isis’s sudden skills. Then they discovered the tools were Russian. The group had apparently bought them from a rogue Russian. Though French investigators suggested Russians could have perpetrated the hack, either way it caused alarm about such weapons in the wrong hands.
Now consider the damage to companies’ share price when they are attacked in cyber space. When the SolarWinds hack was discovered, the company’s share price plunged 22 per cent in days. Short-sellers make money betting on corporate misfortune and resulting share-price tumbles. Last year, short-sellers made $2.6bn when the German finance firm Wirecard’s share price nosedived. Short selling may make some people uncomfortable but, as long as it doesn’t involve insiders, it is legal.
Shorting obviously has potential for cyber criminals. The next step after flagging up potential corporate misfortunes is to cause those misfortunes oneself — and pocket the money, short-seller-style. That is undeniably a crime, but could law enforcement keep up? It would not only need to trace attackers but also link them to shorted stocks.
Cyber proliferation is in no state’s interest, not even that of North Korea. Criminals could, for example, hack the country to retrieve funds its hackers have stolen from abroad. Even as governments battle one another in cyber space, they should start taking cyber proliferation as seriously as most of them do nuclear. And not just because of the shorting risk.