Big Data: An Alternate Reason for Hacks Past and Future?

[Fracking sites, location unknown (Simon Fraser University via Flickr)]

On Monday, MIT’s Technology Review published an interesting read: Big Data Will Keep the Shale Boom Rolling.

Big Data. Industry players are relying on large sets of data collected across the field to make decisions. They’re not looking at daily price points alone in the market place, or at monthly and quarterly business performance. They’re evaluating comprehensive amounts of data over time, and some in real time as it is collected and distributed.

Which leads to an Aha! moment. The fastest entrant to market with the most complete and reliable data has a competitive advantage. But what if the fastest to market snatches others’ production data, faster than the data’s producer can use it when marketing their product?

One might ask who would hack fossil fuel companies’ data. The most obvious, logical answers are:

— anti-fossil fuel hackers cutting into production;
— retaliatory nation-state agents conducting cyber warfare;
— criminals looking for cash; and
— more benign script kiddies defacing property for fun.

But what if the hackers are none of the above? What if the hackers are other competitors (who by coincidence may be state-owned businesses) seeking information about the market ahead?

What would that look like? We’re talking really big money, impacting entire nation-state economies by breach-culled data. The kind of money that can buy governments’ silence and cooperation. Would it look as obvious as Nation A breaking the digital lock on Company B’s oil production? Or would it look far more subtle, far more deniable?

Technology Review’s article on Big Data discusses how the shale oil and gas sector relies on increased efficiencies when oil prices have tanked. Shale oil producers find cost savings, or lose all their sunk costs in production to date. Shareholders will pitch a fit over the latter.

But OPEC and other non-shale oil producers must optimize their pricing. They must drop low enough to make shale oil (and fracking) untenable, while ensuring they make as much profit as possible. The break-even for shale is somewhere between $60 and $80 per barrel, depending on production location, financing, and facility’s age. Over the last year, oil prices have fluctuated from more than $95 per barrel last July, to less than $50 per barrel this past March. The plummet in prices knocked much U.S. shale production offline to avoid operating at a loss.

It’s easy to see how a nation-state oil producer can use asymmetric warfare — in this case, simple economics — to punish a competitor. A larger producer with more cheap oil can simply lower their prices or flood the market, knocking out highest-cost producers.

But what if the highest-cost producers are dependent on Big Data analysis to reduce their costs? And what if the larger producer is running low on cheaply-produced oil, or needs more cash to keep production partners happy? The temptation to get as much information about the competitor is strong, and the potential for hacking is likely.

The amount of money in play makes this a foregone conclusion. At 10 million barrels per day, multiplied by $60 per barrel (the rough two-month average daily unit price), the daily gross revenue is $600 million. For relative comparison, this is two-thirds of Samoa’s annual GDP; this scale of money makes or breaks countries.

At the same rate, a year’s shale oil production is $219 billion. General Motors’ multi-year $2.8 billion contract with its IT service provider looks like a bargain. Or even the federal government’s one-year $1.2 billion contract with IBM (Y2013) looks cheap. Why wouldn’t a producer (or even a well-capitalized trader!) with some loose cash pony up tens of millions to obtain hacked data?

If the stakes were higher — let’s say $100 per barrel — how much incentive would there be to hack a competitor?

This is all pretty elementary; what’s new is the proposition that data, not oil, has value worth fighting for. Data is what props up or crashes profits, makes or breaks a market.

The next new proposition is targeting: who else may be important to fast analysis of competitors’ place in the market?

How about the companies safeguarding the data?

Which brings us to Eugene Kaspersky’s op-ed in Forbes yesterday — published after his information security firm disclosed their Duqu infection. Whatever entity hacked Kaspersky was looking for data. It wasn’t the destructive cyber weapon Stuxnet launched on the firm’s computers. It was reconnaissance malware, designed to seek-collect-report.

Kaspersky is direct: “This was a case of industrial espionage, plain and simple.”

To him the hacking doesn’t make sense. Kaspersky guesses the hackers’ motives were to:

1) “steal our technologies, source code, know-how and ideas,”
2) obtain information about “the inner workings of our company,” and/or
3) “ego-tripping…vengeance,” in response to hackers being previously exposed by Kaspersky.

Kaspersky fumbles on customer information, though he calls their customer-related data part of the firm’s “crown jewels.” What clients Kaspersky protects and the status of content including Big Data stores is valuable. Such information may exist not in technical work files on air-gapped machines, but in networked accounting systems.

(This may explain why a “non-technical employee” in the Asia-Pacific area was the index case of infection.)

The infosec company is willing to license their technology, Kaspersky points out. The hackers could simply buy the technology they need to subvert. But that’s not what they want — the desired info is something Kaspersky wouldn’t share if hackers had to breach their systems to access it.

Perhaps Kaspersky’s right about the motives for hacking his firm. But with potential billions of dollars at stake — and we do know fossil fuel companies’ networks have been breached — it’s worth considering another possibility. Hackers may want something more valuable than Kaspersky’s accounts receivable.

They may want to know how much time and resources it will take to hack their targets’ Big Data. How long before they hit digital pay dirt — whether billions of dollars in fossil fuel revenues, or crushing a competitor into exiting the market?

Keep in mind, too, that Kaspersky Lab is a Russian company, and may have far more Russian clients than any other infosec firm. Russia is also the world’s largest producer of oil, pumping 10.1 million barrels a day — more than second-place producer Saudi Arabia’s daily output of 9.7 million barrels.

The possibility of hacking for oil-related competitive info certainly puts a new spin on “data mining.”

 

11 replies
  1. galljdaj says:

    The criminals in the US gOVT, especially military and ex(es) to be the most likely to be your hackers. I began encountering such a person in the later 1990’s, a scumbag major. However, there are also scumbag generals that are producing huge sums of money for themselves immediately after ‘retiring’.

    • Rayne says:

      I don’t think individuals can do this stuff if they aren’t in the 1%. Nation-states, yes, but they’re typically engaged in espionage to support asymmetric warfare, not purely economic improvement.

      It’s the players driven solely by economics who won’t appear as obvious threats. We’re already exposed to parties cashing in on technology to enable faster-than-light trades, either to get the jump on the market in one-off transactions (like announcements from Fed Reserve), or after collecting real-time trading intentions to trade on them before the rest of the market. We didn’t see them coming; we were left scratching our heads asking what the hell happened.

  2. orionATL says:

    one thing seems certain – computer security measures for organizations (and for individuals) are about to change drastically, or at least they should.

    so what will new security measures look like?

    for one, organizations are going to have to disaggregate their data so that critical data collections are held separately and accessed differently (and probably more slowly).

    for another, access rules for individuals have to be changed. remote access “verification” may become a lot more time-consuming than entering a password.

    organizations with dual obligations of allowing public access and holding private/organization data, e.g., the u.s. census bureau, will need segregated data groups.

    none of these simplistic suggestions would have eluded kaspersky or u.s. opm and yet the latter suffered two major data breaches between march and dec 2014.

    the bottom line is that data hacking now seems an easily accomplished objective and defending against hacking seems to be uniformly an afterthought.

    what seems missing is an articulated, reasonably successful (duqu’s malevolence is not likely to be countered by ordinary organizations) general strategy for opposing hacking efforts.

    for the individual, private computer system security options seem increasingly elusive in the face of organization and state hacking activity. computer storage of private information will have to decline even in the unlikely event stringent private security laws are enacted.

    for example, it occurred to me recently that information required for private international money exchanges is more safely exchanged over the phone than thru e-mail.

    • Rayne says:

      Want to read a comprehensive manifesto on cyber security?

      Granted, it was written with process controls in mind, but I can’t think of any other system dependent on digitized information transfers to which this can’t be applied.

      Our biggest problem is an effective, proactive governance process in order to implement solutions aligned with this kind of manifesto (or mission statement, whatev, just semantics). It’s the lack of such a governance process that got us in this mess.

      WRT phone vs e-mail on money exchanges: Nope. Don’t kid yourself. Still digital, still hackable, still hacked.

      • orionATL says:

        i don’t know beans about computer data security (outside my home computers), but i thought it was most definitely a topic entirely worthy of stirring up a discussion about.

        an idea whose time has come (say 5 years ago), and lingered, while we have sat and stared at our collective navels.

        thanks for the interesting cite.

  3. FightOrFlight says:

    I work in the “big data” sector as a storage/compute engineer for a VAR. The explosion in data storage capacity “needs” has forced my hand as far as pursuing it as a career path, but I often wonder what the logic behind putting all your stuff in one place is. Customers want to load everything into Hadoop these days, even accounting packages and sensitive documents so they can data mine more easily and have a holistic view of their precious information. It’s like they’re unintentionally building the bestest honey trap ever, but without the trap part. They won’t listen to reason when you suggest reasons they might not want to do it either.

    • Rayne says:

      Nice to see someone with your background commenting on this topic. Having worked for a Fortune 100 co’s IT department, I’m sure the biggest single factor driving storage and Software-as-a-Service (SaaS) to a central repository, often managed by a third party, is cost to operate. Businesses can eliminate the cost of managing their own data farms and redundancies, by relying on a contracted provider to ensure greater up-time and improved business continuity, than if they continued to do it themselves. The cost to update applications is one of the biggest drivers, IMO — using SaaS, there’s much less disruption to business for any change to an application. Even the cost of desktop equipment can be reduced as long as SaaS can operate inside a browser window (fewer equipment upgrades to accommodate new software installation’s compatibility).

      But these businesses assume a risk on which they haven’t put a realistic price: complete exposure of their data, greater than if they did it in house.

      Until some mega-firm has a catastrophic loss due to hacking, they’re going to continue to outsource more and more data storage and SaaS because shareholders will see the results in dividends.

  4. Irfan A Khan says:

    The Fracking site photo is from Texas. The whole state is full of such sites.
    Check out this coordinate:
    30°22’57.18″N
    101° 3’45.56″W

    • Rayne says:

      Thanks for the info. I wonder how many of the individual sites in that photo are actively generating both oil/gas and data? Seems as if it would be easy to find the point where field production data is fed to network and collect it in order to forecast production before the market “knows” about it.

      I’ll take a look at the coordinates you shared once I’m done editing my next piece, thanks again.

      EDIT: 11:06 PM EDT
      Ugly. What a mess we are making of this planet. That site looks awful. And I’ll bet there’s no law on the books, state or federal, requiring remediation of those myriad little sites scraped clean for fracking. But who cares, right? Site’s +7 hours NNW of Cheney’s buddy’s bird hunting ranch–out of sight, out of mind.
