
Modern field guide to security and privacy

Opinion: After high-profile hacks, it's time for a bolder approach to cybersecurity

Among the lessons from the Sony hack was that conventional cybersecurity measures don't always stop intruders. What more corporations need to apply is an active defense to better understand and stop future threats. 

Eugene Hoshiko/AP
The cybersecurity firm FireEye said the Sony hack shows that corporations can't afford to wait for attacks, but they have to "take a lean-forward approach that actively hunts for new and unseen threats."

In the wake of the Sony Pictures hack, the cybersecurity firm FireEye demonstrated that the sort of breach that Sony experienced is not likely preventable with conventional network .

Instead, the firm noted that "organizations must consider a new approach to securing their IT assets ... [they] can't afford to passively wait for attacks. Instead, they should take a lean-forward approach that actively hunts for new and unseen threats."

But what constitutes a "lean-forward" approach to cybersecurity, and why are more organizations not already taking one?

The emerging field of proactive cybersecurity is complex, encompassing a range of activities also referred to as "active defense." While "hacking back" (or using technology to pursue culprits, retrieve stolen data, and potentially even shut down the bad guys) is a point of contention when discussing the role of private sector defense, it is one that more firms to be considering despite the legal consequences of breaking into other networks.

Still, it's just one facet of the larger proactive cybersecurity movement, which includes technological best practices ranging from real-time analytics to cybersecurity audits promoting built-in resilience.

To gain insights into commonly accepted and utilized means of proactive security, my coauthors (Amanda Craig, senior cybersecurity strategist at Microsoft, and Prof. Janine Hiller at Virginia Tech) and I reviewed the descriptions of 27 cybersecurity products offered by 22 firms.

Some of our findings confirmed our expectations. For example, all but one of the surveyed firms (96 percent) offer cybersecurity auditing services, which is perhaps partly in response to the growing importance of the cyber-risk insurance .

More surprising, though, were the relatively few companies that offer mobile security products or services designed to counter insider threats, even though the latter is deemed to be up to 20 percent of the overall .

"Amidst all the concern and discussion over foreign hacking, what gets lost is the fact that the vast majority of serious breaches involving trade secrets or other proprietary or classified information are still being committed by ," says Michael DuBose, head of cyber investigations at Kroll Advisory Solutions and former chief of computer crime at the US Department of Justice.

These data provide only a snapshot of the rapidly evolving proactive cybersecurity industry, but they do underscore that firms have developed a range of proactive products and services designed to better safeguard their customers from cyberthreats.

The prevalence of advanced detection systems, data mining, and analytics products implies that the private sector is undertaking innovative measures based on big data to understand future vulnerabilities, aggregating information to thwart attacks. Hack back is just the tip of the iceberg.

So far, many regulators have been relatively slow to catch on to the trend toward proactive cybersecurity. US laws such as the Computer Fraud and Abuse Act, a dated instrument that criminalizes the unauthorized access of computer systems, may be compared to similar laws in other nations. Every G8 nation, for example, has a law on the books that regulates "unauthorized access" to a greater or lesser extent.

More recent efforts, though, such as the , which emphasizes measures related to proactive cybersecurity, could help to encourage private firms to become market leaders in identifying and spreading proactive cybersecurity best practices. President Obama's recent announcement of new information sharing mechanisms may help spur such diffusion.

Over time, as more private actors "lean forward" and embrace proactive cybersecurity, new industry norms could emerge. For instance, more stakeholders engage in collective proactive cybersecurity measures.

One example of this is , during which a group of private firms engaged in "the first ever-private sponsored interdiction against a sophisticated state sponsored advanced threat group" allegedly based in China. Ultimately, the group was able to detect and mitigate the damage to some 43,000 infected systems. This experience could be leveraged to help generate positive network effects and encourage more firms to proactively participate in such endeavors.

Ultimately it is critical for firms to move beyond reactive postures and take an active role in securing their systems. With Sony joining the list of Target, Home Depot, and JPMorgan Chase to name just a few of the cyber attacks in 2014 resulting in more than a half billion total records , the time is ripe for more firms to take a proactive stance.

Yet just 13 percent of respondents to a 2012 PwC survey measured and reviewed their cybersecurity policies annually, had "an overall information security strategy in place[,]" analyzed the types of cyberattacks hitting their networks, and had a CISO or equivalent reporting to "the top of the ."

Changing this state of affairs involves leveraging tools such as cybersecurity analytics, compiling comprehensive enterprise risk management schemes that include cyber, and conducting regular audits and penetration testing to double check preparedness, among rather a lot else. There's also a lot of low-hanging fruit out there.

The Australian government, for example, has reportedly experienced an 85 percent decrease in successful attacks by taking three simple steps that also have salience to firms: (1) application whitelisting (i.e., creating a list of preapproved applications); (2) automating application/operating system patching; and (3) minimizing local admin privileges.

Cybersecurity doesn't have to be rocket science. Just computer science.

Scott Shackelford serves on the faculty of Indiana University where he teaches cybersecurity law and policy, sustainability, and international business law among other courses. He is also a senior fellow at the Center for Applied Cybersecurity Research, a National Fellow at Stanford University's Hoover Institution, and a term member of the Council on Foreign Relations.

The full paper on proactive cybersecurity from Shackelford, Amanda Craig, and Janine Hiller can be found .
