Stopping the Next Cyber-Attack
Cybervandalism, cyberterrorism, cyberwarfare. No matter what you call the recent attacks against Sony Pictures, we weren't ready. And we won't be ready until our nation -- with the government and industry working together -- takes action to defend itself.
Cyber-attacks against the U.S. are certain to increase. Countries that cannot or would not attack us physically will turn to cyber as a viable and lucrative alternative. Such attacks are easy to deny and extremely difficult to attribute. Sony is the latest and most explosive example of this trend, but it won't be the last.
Cyber-attacks are also transitioning from disruptive to destructive. In 2012, more than 30,000 Saudi Aramco computers were destroyed by a wiper virus. Less than a year later, similar malware permanently deleted the data on thousands of computers belonging to South Korean media companies, financial institutions and government agencies.
These attacks are inexpensive and easy to pull off, yet the cost to the victims can easily reach hundreds of millions of dollars, not including reputational damage, loss of customer confidence, and increased scrutiny by regulators and oversight agencies.
The U.S. must learn from the attack on Sony, and use this opportunity to take the steps necessary to protect ourselves from such intrusions going forward. To that end, the country should focus on three major objectives in cyberspace: Improve our network infrastructure, pass cybersecurity legislation and work closely with our allies to defend against a global threat.
Our current approach to cyberdefense is like the Maginot Line: a costly illusion of security that's proving obsolete against sophisticated assaults. Attacks against companies from Target to eBay to JPMorgan Chase -- combined with intrusions at the White House, U.S. Postal Service, State Department and other government targets -- are clear evidence of this. We must invest in infrastructure that is designed from the ground up with cybersecurity in mind.
The first step is for corporations to have situational awareness of their networks, and better assessments of threats both within and among networks. Companies today typically have only a limited view of their networks, and seldom have a real-time awareness of their vulnerabilities -- which is why it takes an average of more than 220 days to detect a threat.
As threats change and evolve more rapidly, the current "signature-based" approach to security -- which basically relies on a database of known malicious threats -- is proving increasingly unreliable. What's needed instead are cyberdefenses that provide near real-time updates, employ behavioral models that automatically detect anomalous activity on a corporate network, and can automatically respond to potential attacks. (Full disclosure: My company, IronNet Cybersecurity, was founded to help businesses improve their defenses.)
Training and education must also be a priority, so that those charged with protecting corporate and government networks are qualified and well prepared.
Together, these elements will help create the foundation of a defensible architecture as cyberspace continues to develop.
The second major objective is to make it possible for industry and government to cooperate on cybersecurity. We would never expect companies to act alone in fending off physical attacks from nation states. We shouldn't expect them to act alone in cyberspace, either.
Unfortunately, current laws and policies impede this kind of cooperation. Companies can't easily share information with the government about cyber-attacks. And the government often can't assess attacks against companies and provide timely assistance.
To counter this, we need clear legislative guidelines for sharing cybersecurity information between the government and the private sector, and liability protection for companies that do so. Along these lines, a bipartisan bill introduced in the last Congress, known as the Cyber Intelligence and Sharing Protection Act, is a good start.
The third major objective is to overcome some of the recent international tensions over cybersecurity and to work more closely with our allies to identify threats and share information about attacks. The simple truth is that cyber-attacks don't recognize borders, and the more closely we work together, the stronger all our defenses will be.
In addition, we need to ensure that our companies aren't punished or put at a competitive disadvantage for doing what our governments ask them to do to improve cybersecurity. Following the leaks of NSA information by Edward Snowden last year, some companies were blamed for their lawful cooperation with the government. Corporations shouldn't stand alone when they work with the government for our common security.
For any of these steps to work, we also have to make sure that the public is confident that their privacy and civil liberties aren't being violated. That means having an open and transparent discussion about what protections are needed for any information-sharing plans between the public and private sectors, as well as the privacy risks the public now faces from cyber-attacks.
The attack against Sony was an attack against all of us. And our response should reflect this fact. We should use this opportunity to develop our cybersecurity framework and pass legislation to improve our ability to defend against future attacks.
We are the nation that created the Internet; we should be the first to secure it and ensure the protection of those who use it.
This column does not necessarily reflect the opinion of Bloomberg View's editorial board or Bloomberg LP, its owners and investors.
To contact the author on this story:
Keith B Alexander at email@example.com
To contact the editor on this story:
Timothy Lavin at firstname.lastname@example.org