Related Articles

Digital Innovations—Pinpointing Fixed Income Credit Risks
Long-term investors using short-term strategies
Why benchmarks matter
Quantitative Science – Actively Adding to Fixed Income Decisions
Railpen and Nest warn on cyber risk
Wisconsin’s data solution
How to build innovation
More investors mull outsourcing CIO

Global Macro Editions

An update on our ESG scores
Adrift – Has US monetary policy become unanchored?
Emerging markets come of age
Environmental, Social and Governance Factors in Global Macro Investing

A wide range of targets

On the infrastructure grid, we now have high-tech digital power plants and meters, traffic signals, semi-autonomous vehicles with web-connected sensors, pollution sensors, sewer-management systems, dams and flood-detection devices—all hackable. Even when just a single Internet of Things (IoT) sensor or government employee’s computer is breached, the damage can cause a chain reaction through the system as the opportunities for hackers to inflict harm grow exponentially.

Exhibit 1: Types of cyber attack

Exhibit 2: The average annual cost of cybercrime by organization (industries)

Exhibit 3: The average annual cost of cybercrime by organization (countries)

Source: Accenture. The Cost of Cybercrime. March 2019. Based on data from 355 participating organizations.

Security researchers have also identified the ability to hack medical devices, including pacemakers and insulin pumps. In 2017, the US Food and Drug Administration issued its first cybersecurity-based recall, having discovered select wireless pacemakers exhibiting weak defenses against hackers. When manifested in telecommunications equipment, government officials fear it could be used to spy on the internet and on communications traffic that it carries.

Modern vehicles ride on millions of lines of code that have been provably hacked and manipulated from afar. Malicious software can unencrypt sensitive data and remotely sabotage complex supply chains.

Many people like to think digital currency “hot wallets”—a type of bitcoin wallet that is connected to the internet and protected by sophisticated blockchain technology and cryptocurrency exchanges—can’t be comprised. However, they may now be imbued with a fading, false sense of security as new tools are created to circumvent their user application programming interface (API) keys and two-factor authentication (2FA) codes.

“There are two types of company: companies that know they have been hacked and companies that do not know they’ve been hacked.”

Misha Glennyn, Journalist and Author

Fighting back: The role of cybersecurity

In an interconnected world, cyber has become the fifth frontier of war (after land, sea, air and space).

As an example, around three-quarters of Americans see cyberattacks from other countries as a top threat to the United States, according to a 2019 survey from the Pew Research Center.⁵ When asked to choose what they saw as a top threat to the United States among a list of potentials, more Americans chose cyberattacks than Islamic State, climate change, North Korea’s nuclear program, Russia, China or the condition of the global economy.

For better or worse, “smart cities” are coming—the more connected to the physical world they are, the more vulnerable they are to cyberattacks. If a government can lose control of the systems controlling its dams, nuclear reactors and power systems, it can lose its country. That becomes an existential issue.

Where lies the responsibility?

So, who’s responsible for cyber defense?

For many countries around the world, the responsibility lies with a branch of law enforcement services. In the United States, for example, until recently, it was the responsibility of the Federal Bureau of Investigation (FBI). Typically, law enforcement officers are trained to watch events unfold, take very detailed notes and then to indict the people responsible afterward.

As Alex Stamos, Stanford University professor and former Facebook security chief, explained at a Franklin Templeton-hosted seminar earlier this year, that model does not work for preventing cyberattacks. He urged governments around the world to be a lot more thoughtful about engaging with necessary trade-offs.

“We can no longer have people saying that we want everything all the time. Instead, we need to highlight the specific trade-offs we want to make and identify what we’re willing to give up to get them.”

“That’s something that has to start with citizens. Citizens have to think about who they want to be responsible. If they say they want tech companies to fix something, then they will have to give them the power that is inherent in that.”

“Anytime the pace of change externally is greater than the pace of change internally, you’re falling behind.”

Daniel Schulman, Chief Executive, PayPal

Who guards the guards?

But Alex Stamos warned that while it may be easy to hand over responsibility, taking away those controls later can be more difficult.

“I think one of the things we’re not really engaging in with too much is, as we create a little bit of a nanny state, these nannies are not going away. And we’re setting a precedent for these half-trillion or trillion-dollar corporations to be embedded in our lives.”

“We want the outcomes, but we’re not thinking through what we need to do to get there. I think this is going to be one of the biggest political discussions once people start to realize the kinds of trade-offs that they’re dealing with.”

The threats have been significant enough for the US government to launch the Department of Homeland Security’s new Cybersecurity and Infrastructure Security Agency. Nation states, with ample resources, are aggressively launching attacks to steal secrets and for financial gain. In tandem, the increasing availability of attack tools—including their very own dark-web “hacker networks” and cloud services—allow even novices to wreak havoc.

The corporate response to cybersecurity

At our recent conference, PayPal’s Chief Executive Daniel Schulman told delegates his mantra: “Anytime the pace of change externally is greater than the pace of change internally, you’re falling behind.”

And Schulman also had words of warning: “Change is incredibly difficult for any corporation to do constantly. You can’t stop for a second. I think if we really want to be great leaders, or invest in the right leaders, we really need to define this reality very brutally and then figure out how do we use these trends to do good things in the world.”

Regulation will likely have a role to play. Schulman told Franklin Templeton’s audience that companies could potentially garner a competitive advantage by thinking about how they value consumers’ right to privacy.

“I like challenging business models and understanding what really adds competitive advantage going forward. And I think sometimes we shouldn’t underestimate how important privacy is, and how important financial health is to our democracy,” Schulman said.

Fundamental trade-offs

Companies, now forced to continuously scan their technology and network traffic for anomalies, also spend huge amounts of time and money teaching employees how to guard against cyberattacks. Training is critical as these attacks can disrupt business operations, abscond with intellectual property, damage in-house technology and harm corporate reputations.

The typical enterprise has well over a dozen discrete cybersecurity solutions that create another glaring problem—the complexity makes it difficult to understand what’s working and what’s not. Turns out, building a commonsense defense isn’t easy, as hackers always seem to stay one step ahead of our collective effort to stop them.

Most corporate security teams are focused on putting out random fires and have little time for the strategic thinking and process improvement new threats require. As a result, cumbersome manual processes and blind spots expose many corporations’ networks.

Cyber escalation: Adapting to the growing threat

Cybercrimes are picking up speed. The response needs to as well. Hackers who seek to install malware use automated techniques to constantly prowl smartphones, home sensors, servers, Wi-Fi routers and other equipment for vulnerabilities.

With the advent of fifth-generation technology, the problem will likely intensify. And with consumers’ skyrocketing demand for IoT devices, manufacturers are often rushing new gear to market with inadequate security. While protections lag, cybercriminals race ahead.

Though it may seem counterintuitive given the benefits, automation itself is a threat. Rapid technological advances enable machines to perform a growing number of tasks traditionally done by humans using artificial intelligence (AI)—sophisticated computer programs that can learn from experience.

According to the National Bureau of Economic Research, from 1990 to 2007, robots replaced about 670,000 jobs in the United States alone, mostly in manufacturing; every robot introduced into a local economy claimed 6.2 jobs.⁶ But this isn’t a trend that’s confined to the United States, in our view.

That trend will accelerate over the next decade as advances in mobile technology, AI, data transfer and computing speeds allow robots and drones to act with greater independence. As these intelligent machines move beyond the factory floor and integrate more deeply with society, the need for robotic cybersecurity will become paramount as people seek to forestall the kind of worst-case-scenario that was once reserved for the surreal plotline of an Isaac Asimov sci-fi novel.

Quantum-computing researchers say they are developing revolutionary, ultrapowerful (and still experimental) machines that will have the ability to break current encryption within a decade. Security experts are in a critical race to come up with new ways to protect data before it’s too late. Foreign powers could crack a significant portion of the sensitive data we have in the not-too-distant future, and there may not be much we can do to change this outcome.

Exhibit 4: United States data breaches by industry

Source: Identity Theft Resource Centre.

Public-to-private developments

We have noticed mounting investor interest in the IT sector (indicated by rising market capitalizations among these companies), and we expect this trend to continue. Yet, one oft-cited benefit of productivity growth tied to workers’ ability to utilize emerging technologies and machines efficiently remains unimpressive. Investment opportunities may exist in companies and sectors (outside of IT) that can effectively deal with cyberattacks or use technology to help improve productivity growth.

It’s quite common for technological advances that originated as military applications to find their way into our everyday lives. For example, the military developed the finger-recognition technology that allows a smartphone owner to use his or her fingerprint as a password. (The technology went mainstream after a large smartphone company bought the firm that invented this technology.) We believe the facial-recognition technology currently employed by the military will likely end up allowing consumers to unlock their tablet computers with a faceprint in the near future.

Patching up the holes: Cybersecurity crisis is a key anxiety of the modern age

The job of security consultants is to test a company’s cyber defenses.

Along the way, they often find that the weakest link into our computers isn’t the software. It’s us. Hackers understand social engineering—the idea that you can break into a system by manipulating people rather than code. Ask any cybersecurity expert—it’s tough to get people to behave in a particular way.

To avoid becoming an unpleasant statistic, companies have begun training for employee awareness and protocol while cataloging, tracking and “penetration testing” all their technology. By using sophisticated security information and event management tools, they have begun to automate their enterprise cybersecurity defenses just as cybercriminals have automated their attacks.

As we head into the US presidential election in 2020, we expect much more scrutiny on the measures taken by US government agencies to improve their cybersecurity measures.

We believe established leaders in the cybersecurity space, including defense companies, could be poised to benefit from such an initiative—as could the private sector. The “military-grade” cybersecurity technology we expect will likely be developed in this endeavor may eventually become the standard for the private sector. We think this technology will likely be a boon to the financials and utilities sectors, which tend to be more vulnerable to cyberattacks than others.

Technological advances have been made across a variety of industries—and we think they are not likely to stop any time soon.

Contributors

Jonathan Curtis
Research Analyst,
Franklin Equity Group

James Cross, CFA
Research Analyst,
Franklin Equity Group

Endnotes

_{1. Source: Center for Strategic and International Studies (CSIS). Economic Impact of Cybercrime—No Slowing Down. February, 2018.}

_{2. Source: ThreatMetrix Cybercrime Report 2017: A Year in Review, January 2018.}

_{3. Source: Symantec 2019 Internet Security Threat Report.}

_{4. Source: FireEye “M Trends Report” for 2019.}

_{5. Source: Pew Research Center: Global Attitudes and Trends, February 2019.}

_{6. Source: National Bureau of Economic Research. Robots and Jobs: Evidence from US Labor Markets. March 2017}