In May 2013, an Australian Broadcasting Corp. news program reported an unnamed source claimed Chinese hackers had accessed the computers of "a prime contractor" and stolen floor plans, communications-cable layouts, server locations and security-system designs for the Australian Secret Intelligence Organization's new headquarters in Canberra, which was still under construction. Security experts feared the leak compromised the building's physical and network security, but government officials clammed up, revealing nothing.
Whatever happened on the ASIO project, the construction industry gained no insight into what may have gone wrong, and that has been a pattern now for years. Cyberattack incidents, including attacks against construction industry firms, are hushed up to protect reputations and very little learning is shared. Federal officials in the U.S. now are taking steps to revise compliance and reporting standards to change that.
In the Australian incident, officials say only that the report "contains inaccuracies." But the then opposition-party "shadow" attorney general and now current attorney general, George Brandis, confirmed in a statement shortly after the story aired that he had been briefed on the matter and "these events did take place."
ASIO's managing contractor, Lend Lease Project Management and Construction (Australia) PTY Ltd., when asked about the project, says, "Contractually, we are unable to comment," and refers questions to the Australian Dept. of Finance, as owner. A January 2014 report, issued by the Australian small-business commissioner on payment complaints by subcontractors, says the ASIO project's duration was about five years, ending in spring 2014, and involved more than 7,000 construction workers. According to media reports, security practices included the contractor's employing only government-supplied "sanitized" computers on the jobsite, checking all mobile phones at the gate, and using only hard-copy prints and plans, which were not allowed to leave the site.
The unsanctioned release of sensitive plans is not unheard of. In July 2013, Forbes magazine published unclassified "for official use only" plans for data halls within the U.S. National Security Agency's Utah data center while it was still under construction. The undisclosed source for those diagrams, according to the article's author, was not the NSA.
Experts say cyberattacks can cause extensive economic damage to construction firms, and not only on top secret government projects. But the experts say that few companies report incidents, and few know enough about the risks to mount a suitable defense.
Federal agencies are beginning to address the threat with new regulations for contractors. Unfortunately, experts say, new threats pop up more rapidly than technicians can fix the old ones.
The data-driven insurance industry remains largely in the dark. It lacks data on which to base calculations of risk and loss for different types of cyberclaims.
At a Dept. of Homeland Security workshop last July on insurance for cyber-related critical infrastructure loss, insurance industry representatives disagreed on the definitions for "cyber incident" and "critical infrastructure" and how to categorize incidents.
They did agree that creating a cyberrisk data repository would help the industry to predict losses better, encourage risk-mitigation best practices among policyholders and illustrate the rippling effects of cyber incidents across numerous industries.
The range of risks "makes me nervous," says Ronald F. Dellaria, chief compliance officer for architect-engineer and design-builder Astorino, Pittsburgh. Dellaria spoke with a representative of insurance brokerage firm Marsh USA last year about Astorino's exposure and the types of
attacks, from technology errors and omissions to business interruptions, that Marsh views as part of the standard cyberrisk policy. The trend for firms such as Dellaria's to move to paperless operations—with the resulting need to rapidly exchange this information with internet-based technologies—"will undoubtedly exponentially increase our exposure to cybersecurity risk," he says.
A Nebulous Threat
Cyberrisk experts say attackers target businesses frequently but admit that no one knows for sure how often because companies prefer not to report attacks when detected—and they are not required by law to do so. The scarcity of actuarial data is a problem. "The data set is so small. The quantity of claims is not there yet, but the reason is [that]—at least on the construction side—you have very few contractors buying the coverage," says Lawrence Lejfer, vice president and senior underwriter of construction professional and pollution lines for XL Group Plc.
Figuring the most common cause of cyber- emergencies and the relative value of losses they cause also is complicated by the lack of data. "The industry is probably only good at valuing—at the moment—data associated with [compromised] privacy," says Robert Parisi, managing director and national cyberrisk product leader at Marsh USA.
As difficult as they are to quantify, delays caused by first- and third-party losses could easily put a construction firm out of business, says John Voeller, senior vice president of construction at Black & Veatch. "At a 400-megawatt powerplant, every hour that we missed the start-up date cost $60,000—and that counts up really quick on a 24-hour clock," he notes.