The volume of cyber incidents that have impacted the United States has caused more than just economic damage, it has become so mainstream that it has become a daily reality and accepted course of action. A recent article posed the question if advanced persistent threat activity – a sloppy term that refers to suspected nation state or nation state-sponsored cyber operations – has become the new normal. The sheer volume and magnitude of cyber espionage activity attributed to these groups has escalated to such a degree that they are ceasing to instill the same concern as they did just a few years earlier.
The problem is that the frequency of these events, the escalating damages and data stolen, and the lack of the perpetrators suffering any real consequences is causing calls to improve cyber security procedures to fall on deaf ears.
Instead of focusing on trying to actually improve security, which means having dedicated professionals engaged in daily activities of mitigating cyber threats, we seek to develop advanced cyber weaponry and instill a cadre of “cyber warriors” to take care of the bad guys. There seems to be growing support for this hacking-back approach as part of a cyber war pre-emption plan to bolster our cyber defenses. The idea is that while it is generally believed that the United States has advanced cyber weapons, until they are actually deployed, their deterrence value won’t be realized. In other words, when a bully sees how hard we punch, he may move on to someone else.
However, such an approach, while aspirational, is actually limited. The diverse threat actor landscape consists of various levels and numbers of state and non-state actors. And while it may make sense on a political level to go after those individuals who conduct high-profile attacks that steal millions of dollars or puts millions of personal identifiable data at risk, improved cyber weaponry at the national level cannot be leveraged by most organizations and individuals. At best, we can “strike back” at the perpetrators, destroying the computer systems that launched the attack (assuming of course they only have one), or if we’re lucky, be able to track him down and with the help of international law enforcement, arrest and prosecute those responsible. That’s a lot of effort and investment of time, resources, and if necessary, facilitating collaborative strategies.
While this certainly seems appealing, particularly in reducing the helplessness that we all feel when our computers, e-mail accounts, social media presences are hacked, it does little to actually ensure our security. If an organization is vulnerable prior to a breach, and does little to actively ensure that it will be more difficult for future breaches to occur due to the implementation of improved cyber security strategies and practices, it will likely be exploited again by another of the millions of hostile actors operating in cyberspace.
That leaves the majority of businesses, non critical-infrastructure organizations, and individuals to fend for themselves. If a small bank gets exploited, does it really think that the government will mete cyber justice via a hack-back to punish the wrongdoers? In the end, it will still have to be prepared to engage in breach response, intruder eradication, and customer outreach. It will still in all likelihood have to provide credit monitoring and launch effective communication strategies to retain consumer confidence.
There is already mounting evidence that smaller organizations are being targeted. Recent reporting indicates an uptick of cyber criminal activity targeting small-to-medium businesses, Continuing to operate beneath a threshold that would illicit a retaliatory action may become more common place if hacking back actions were ever considered a viable option. One thing that criminals have consistently demonstrated is their ability to innovate and adapt their environments.
The government is currently juggling many facets of cyberspace to include trying to develop domestic and international legislation; manage ongoing and increasing hostile cyber activity; develop offensive cyber dominance; and improve cyber security. Unfortunately the latter always seems to perpetually lag behind the other areas. The risks of not aggressively promoting and enabling cyber security in both private and public sectors is what we face now – a mounting complacency to the times where attacks are expected, cyber insurance is being peddled to offshoot any security mishaps that may result in class action law suits, and phishing remains a known favorite tactic among the bad guys and still is vastly successful.
Cyber security may be the thankless job of the 21st century. The cyber domain favors and should continue to favor adversaries over defenders for the considerable future. Organizations must support the work of network defenders actively monitoring for threats on a 24x7x365 basis. Expecting that cyber attacks are going to occur and will be successful should not be surrendering to the inevitable but an acknowledgment and anticipation of what will happen. Being ready for it, and demonstrating expeditious resilience and recovery is the reality organizations need to be prepared for. That is not a defeatist attitude; it’s a call to action.