Recently I spoke on a panel hosted by Valley Forge Military College’s Center for the Advancement of Security Studies (CASS) with three other distinguished gentlemen to discuss our country’s outlook on cyber warfare, terrorism and our country’s defenses.
One comment made by yours truly got a bit more attention than I thought it would because to me and my colleagues, it’s an obvious statement, but to clients, media and others that we speak with on a regular basis, it’s not as obvious.
There is “No Boom” in a cyber attack.
The question was: “When does a cyber attack become an act of war?” My answer began with, “The problem with determining an act of war in a cyber attack… There is no boom! The magnitude of destruction and its damage is in the eye of the beholder.”
Does this mean we won’t have a cyber Pearl Harbor one day? No, but it’s a matter of damage and destruction caused. In the case of America’s attacks, our financial and healthcare institutions take the brunt of attacks, along with cyber espionage to steal the Intellectual Property (IP) of our companies. We have already been sustaining a death of a thousand cuts, and they just keep coming. But… no boom.
There is no destruction of buildings, blood spilled, or launch of missiles in a cyber attack. At least not the kind we’re experiencing in America. In other parts of the world, the new rule of cyber warfare has created physical and property carnage, but barely any of that caught headlines in America to encourage change. Here we’re seeing our IP, trade secrets, personally identifiable information (PII), protected health information (PHI) and privacy exposed, which is enough to act nonetheless.
In America, we love Boom! We like movies with super heroes, battles and fast car crashes. We like the Daytona 500 (Murica!). Boom gets action. Boom gets headlines. We understand what’s transpired when Boom occurs.
And as the Bard tells us, therein lies the rub. Most of our country’s leaders, both government and federal, don’t understand what a boom of cyber proportions looks like. Have you ever seen an attacker escalate privileges and become a root user on a computer or network? No boom.
Hollywood tried to glorify cyber effects for us and had to cast Hugh Jackman, Halle Berry, and Chris Hemsworth (Swordfish and Blackhat, respectively) to get the job done, and those movies still flopped. Still not enough boom?
Here in the cyber realm, we see support from the federal government that encourages companies to share threat intelligence and data. Good start, not enough to stem the tide of attacks. We founded Cyber Command but, like the rest of the Department of Defense, that organization primarily operates overseas. Other three-letter agencies have a role in cyber defense, but most of their action begins once the theft or attack has already occurred. Those with the most at stake are doing the most to stop attacks: our big banks. They have the drive, the need, and the money to create security teams that are scary good at proactively defending their networks, data, and money.
The headlines drive some business, but headlines don’t create business drivers.
If you want to understand what Boom looks like, ask a business owner or executive what it was like when they sustained a cyber attack. They’ll tell you about their Boom moment. I promise you there is one. Fortune 1,000 companies may lose an executive or two in the aftermath, their insurance goes up, and they lose some dollars off the bottom line.
For companies in the mid-market and SMB space, employees lose their jobs, balance sheets get zeroed out, your state attorney general litigates, civil suits get filed, the doors get shut and businesses close. Boom.
What should companies do to take proactive steps? Start taking a hard look at your business, its people, its assets, and think about proactive steps. Some are doing it but it’s a very slow drip. Create compliance requirements for yourselves and vendors or clients. Install a cyber risk framework. Think ahead about what you have at stake, and know where your assets are, who has access to them and how they’re classified. Then ensure someone watching your back understands how those assets are stored or transmitted.
Yes, this is work you haven’t done before. Yes, it costs money. But if you start now, you can spend the money at your cadence, taking the proactive measures at your own speed, ensuring you always try to stay to the left of Boom.