A few years ago, I gave a presentation on cyber risks in Las Vegas for Black Hat, a group of white hat hackers. Even in an audience of 3,000 hackers, I suggested that even might not fully appreciate how disruptive digital technology had become to our lives – how it has changed human existence, thought and behavior. For companies to remain safe in cyber space, they need to shift both their practices and the basic ways they think about how to protect themselves.
I compare the internet to the European discovery of the rest of the world in the 1500s. During the “Age of Sail,” as that period was called, autonomous societies suddenly became interconnected. As a result, we had the greatest explosion of science and commerce. But we were also plagued by new diseases and the global slave trade.
The internet is fostering another great era of globalization, which brings both empowerment and risk. The internet is awesome, but dangerous. Richard Danzig, former Secretary of the Navy, called cyber systems a security paradox: "Even as they grant unprecedented powers, they also make users less secure… Cyber systems nourish us, but at the same time they weaken and poison us.”
The new domain of warfare
Let me tell you how the military thinks of cyber threats: The Pentagon has formally recognized cyberspace as a "new domain of warfare." In the past, there were four domains where war was conducted – in the land, air, sea and space. Unlike warfare domains of the past, cyber is entirely man-made.
There are four ways – what I call the four "sins" – in which things can go wrong on the internet:
- Stealing your stuff
- Corrupting your stuff
- Hurting your network
- Creating physical destruction
The initial wave of cyber threats focused on the first category, such as theft of credit card data and intellectual property. But the longer we live in this domain, the more prominent the other three "sins" become.
Stealing your data is not usually as damaging as corrupting your data. And we are seeing an altogether new type of cyber warfare: using the internet to create damage in the physical world. In 2014, the world experienced the first digital weapon in the STUXnet virus. This computer worm made the centrifuges used to enrich uranium gas at the Natanz uranium enrichment plant in Iran spin so fast they were completely destroyed.
Large iconic institutions have been attacked simply because they were large iconic organizations. Sony Pictures suffered an attack because of a film the studio made – and the attack committed three of the cyber sins and threatened the fourth.
The three types of cyber sinners
Where there are cyber sins, there are also sinners. There are three classes of cyber miscreants:
- Nation states
- Criminal gangs
When people ask me which countries are engaged in cyber espionage, I respond "everyone." China has scale. Russia has skill. North Korea has attitude. But the best of all practitioners of cyber espionage is, without question, the United States. The difference between us and other nations is that we spy to keep our citizens safe, not to make them rich.
Criminal gangs and individuals threaten us with a degree of destructiveness we used to associate only with malevolent nation states. But there are many interconnections. For example, Russian gangs are allowed to operate in Russia as long as they do the occasional favor for the Russian government.
I think of it like the first scene in “The Godfather” when the undertaker comes to the godfather at his daughter's wedding. The godfather grants his help, but tells the undertaker he might ask him for a favor later.
Why it will get worse
The internet was designed to connect a few universities and a few research labs; it was built to be easy, quick and to handle things in volume.
Security was an afterthought. And as bad as cyber security has been, it's going to become worse. Right now, most internet activity is centered in the most law-abiding places on earth. But places where the rule of law is weaker – like Nigeria, Chad and the Central African Republic – have not yet been hot wired for widespread internet use. When they are, we'll likely see more attacks.
Beyond the government
The U.S. government has difficulty dealing with all this for a number of reasons. The rate of change in government is nowhere near as quick as in Silicon Valley, so the speed of government is well behind everything that is happening in cyber space. We are, as a nation, rightly sensitive about the Fourth Amendment. We have not, as a people, decided what we want or will allow the federal government to do to keep us safe.
The key message is: The cavalry isn't coming. In cyber space, you will be more responsible for your personal safety than at any time since the closing of the American frontier in the 1890s.
What steps do you need to take? There are five.
Step 1: Do the easy stuff
We often talk about the “V factor.” This refers to reducing vulnerability risks by using passwords, patches, firewall and similar steps. That can sweep the bottom 80 percent of the risk off the board.
The history of cyber security has been vulnerability reduction: stopping the bad guys from getting in. But today, we know they're going to get in, so the answer is to discover the breech and respond faster.
Step 2: Hire a cyber translator
The corporate world faces the same problem as the government world. Cyber immigrants are making decisions, and cyber natives are trying to explain the situation to them. In my book, “Playing to the Edge: American Intelligence in the Age of Terror” I talk about how we conducted a U.S. government cyber operation that was technologically magnificent but presented geopolitical challenges. You need a chief security officer who is a storyteller rather than a technologist who speaks in that patois, so the board understands what's going on.
Step 3: Run your own war games
Senior leadership should engage in multiple-step war games and penetration testing to ensure their cyber systems are protected. You should send out fake emails and see if your people click on the attachments, and then schedule the people who do click for training.
Cyber criminals are clever. The Target data breech, which made headlines, was the result of criminals targeting the computer-controlled Heating Ventilation Air Conditioning (HVAC) systems, and patiently using that to attack the point-of-sale systems. But most attacks aren't the result of super-sophisticated technology, but of sophisticated social engineering, like an email that looks like it came from your daughter-in-law.
Step 4: Explore cyber insurance
Cyber insurance is a growing field and it will impact companies in the same way that health insurance impacts our physical health. We’re more inclined to lose weight or stop smoking if such steps make our premiums go down. In the same way, cyber insurance will incentivize people to embrace business best practices that guard their data and networks.
Step 5: Lobby for more power
The government should accept that the private sector is both the target and the solution to cyber threats. In doing so, the government would liberate the private sector to provide good cyber security, such as changing anti-trust laws so industry can share information more easily. Today, corporate cyber experts are hampered against making legitimate defensive actions by the Computer Fraud and Abuse Act.Laws and government structures aren't designed for this era of threat. Companies need to take a larger role in this space, because industry can be both target and protector.