What is foreseeable is that cyber attacks often are not. A few years ago the Sony Pictures Entertainment (SPE) hack turned on its head the business world that was already trying to come to grips with the Target, Home Depot, Neiman Marcus, and many other data breaches.
There was one thing about the SPE breach that really had the cybersecurity community in quite a buzz. An internal email from SPE’s cybersecurity investigators was made public and some were taking it as saying “It’s ok, it could have happened to anybody and there was nothing Sony could have done to stop it. It’s not Sony’s fault.”
That inference came from statements in the email that referred to the attack as being unique and unprecedented with the malware being undetectable by industry standard antivirus software.
The kerfuffle that ensued brings to mind the bigger picture of cybersecurity. Things such as what I have been preaching about cybersecurity. What others have been preaching about cybersecurity. More directly, what our respective roles are when it comes to cybersecurity and where and how (or whether) we really provide value to our clients.
Without opining on the particular exculpatory statements relative to SPE or any other particular breach event, I invite you to join me in considering how words such as unique and unprecedented, and concepts such as industry standard antivirus software fit into the bigger picture of cybersecurity. For me, it began with a question:
But for the unique and unprecedented nature of most substantial cyber attacks, would there be a need for our professional experience, knowledge, and judgment in developing cybersecurity strategy?
As we sit here today, should we not anticipate that attacks against companies will be unprecedented, damaging, unique attacks that both steal data and do harm to the victim of the attack? Consider these excerpts from an article that I published in 2011 in which I argued that this is what we should anticipate:
* * *
Business and warfare are one and the same. That, we were told in the ‘80s by Gordon Gekko, and, after all, the object is the same: to win–to defeat your enemy. Borrowing from the lessons of a true warrior, he further elucidated that the key to winning was to plan ahead and think about the strategy before entering the battle, because “[e]very battle is won before it is ever fought.”
Gekko attributed this to the lessons of Sun Tzu, who indeed taught that preparation is the key to winning:
Now the general who wins a battle makes many calculations in his temple before the battle is fought. The general who loses a battle makes but a few calculations beforehand. Thus do many calculations lead to victory, and few calculations to defeat: How much more do no calculation at all pave the way to defeat! It is by attention to this point that I can foresee who is likely to win or lose.
Regardless of the source, the principle remains the same and is, almost without fail, a truism that applies equally to war, business, and litigation. Preparation is the key to winning.
In today’s business environment, businesses are in a perpetual state of warfare. Competition is the essence of business. Honest competition is beneficial, as it drives efficiency and innovation. Unfortunately, dishonest competition is not.
Corporate espionage, corporate sabotage, and corporate theft have become part of the business landscape as well; those that cannot prevail through honorable means of competition often resort to dishonorable means to take customers, employees, and information.
This has become a way of life in business and is frequently being accomplished through the use of computers to commit dishonest acts of deception, i.e., computer fraud.
The risks are certainly not limited to only those from corporate competitors. They also come from others engaged in computer fraud–thieves, hackers, anarchists, and inquisitive amateurs–who all pose a significant risk, and whose weapon of choice is also the computer.
Computer fraud is a rapidly growing threat to businesses.
Many nations are already convinced [that computer technology is the wave of the future] and have prepared their armies for war on the cyber battlefield. The world’s militaries have used computers for decades, and they are an integral component of virtually all modern military systems.
Despite this fact, society has now taken another quantum leap forward. The close of the first decade of the New Millennium saw a formal change in the art of warfare that, for the first time in history, moved the battlefield from the physical to the cyber arena.
One needs little imagination to suspect that the world’s militaries have been engaged in cyber warfare for as long as computers have been in use; however, it had not become official. The year 2010 saw the first weaponized computer virus used to hamper Iran’s nuclear ambitions. Though people knowledgeable of cyber warfare have expected such a cyber attack for years, it has finally happened: Stuxnet.
The Stuxnet virus has been called “the most sophisticated cyberweapon ever deployed.” Stuxnet was a computer worm designed to use a variety of “previously seen individual cyber attack techniques, tactics, and procedures, automate them, and hide its presence so that the operator and the system have no reason to suspect that any malicious activity is occurring. Stuxnet was so sophisticated that it was designed to eliminate all traces of its existence. This is a serious weapon.
We are well over half a century into the Computer Age and we have seen the first change from the physical battlefield to the cyber battlefield. This is the first time since the dawn of mankind that battles have been fought somewhere other than on an actual battlefield–now in cyberspace.
While no nation has claimed responsibility for the Stuxnet attack on Iran, and no one knows for sure, many experts believe it was a joint operation led by the United States and Israel, with help from Germany, and perhaps others.
As Stuxnet has shown, over the past year, warfare has changed. There is a new weapon that has, at least on one occasion, replaced missiles, bombs, and ground troops: computers. Now, in the wake of Stuxnet, some security experts have begun to express fear that the attack has “legitimized a new form of industrial warfare, one to which the United States is also highly vulnerable.”
Just as the United States is vulnerable, so too are businesses within the United States and around the world. Just as the computer is increasingly becoming the weapon of choice for warfare, so too has it in business warfare.
Computers are being used for corporate espionage (manipulating and stealing data), corporate sabotage (stealth attacks through computer viruses), or any number of other methods of attacking enemies’ (competitors) strengths or exploiting their weaknesses, including old fashioned theft.
While many of the illicit tactics that businesses use to attack each other are often classified as crimes and punishable by criminal law, in the civil realm they are generally classified as fraud. What is even more troubling is that these attacks come from inside, as well as outside, of the businesses that are attacked.
* * *
Substantial Cyber Attacks Often are Unique and Unprecedented – That is Why They Are Successful
Wasn’t the Stuxnet attack on Iran unprecedented in nature? Wasn’t the Target hacker’s strategy of using Target’s less well-defended HVAC vendor–Fazio Mechanical–to gain an entry point into Target’s network an unprecedented attack based upon what we knew at that time? Wasn’t the Heartland breach in 2008 an attack that was sophisticated and unprecedented in nature based upon what we knew at that time?
All were. At the time they were unknown-unknowns. They involved strategies and techniques that the victims did not yet know even existed. They did not know what they did not know. What we learned from this is that what is foreseeable is that cyber attacks often are not foreseeable. Thus, look for the unexpected.
Industry Standard Antivirus Software is Not Effective Against Unknown Unknowns
It is understood in the security industry that antivirus software, by design, will only defend against known-knowns; that is, the low hanging fruit kind of malware that is already known, with its signature identified and updated in the AV software databases.
Most significant cyber attacks are designed to be unique and unprecedented to enable them to circumvent and evade antivirus software. That is what makes them so challenging. That is exactly why cybercriminals use them in that way.
But, isn’t that also why the cost of antivirus software is in the hundreds of dollars while the cost for real-life security professionals is much more? Isn’t that the point that so many of us have been trying to make: simply installing and maintaining AV software is not enough. Indeed, is there any single tool that is enough?
The Nature of Cyber Security
Combatting the unique and unprecedented nature of business cyber risks is the essence of cybersecurity. Cyber risks are continuous and evolving, therefore, cybersecurity and cyber risk management must also be a continuous process that is always evolving to anticipate and defend against the threats. This work is never done. Such is the nature of cybersecurity.
When defending against cyber risks, there are known-knowns that we can prepare for and there are unknown-knowns that we can learn about and then prepare for to a certain degree. But, there are also unknown-unknowns that do not even exist at this moment but that are quickly becoming unknown-knowns. These are the real challenge.
Cybersecurity is a Lot Like Law – It Requires Experience, Knowledge, and Judgment to Be Effective
In his Introduction to The Nature of the Judicial Process, the great jurist Benjamin Cardozo explained the value of applying experience, knowledge, and judgment to solving problems in the law. This reasoning is equally applicable to cybersecurity:
[T]he work of deciding cases in accordance with precedents that plainly fit them is a process similar in its nature to that of deciding cases in accordance with a statute. It is a process of search, comparison, and little more. Some judges seldom get beyond that process in any case.
Their notion of their duty is to match the colors of the case at hand against the colors of many sample cases spread out upon their desk. The sample nearest in shade supplies the applicable rule. But, of course, no system of living law can be evolved by such a process, and no judge of a high court, worthy of his office, views the function of his place so narrowly.
If that were all there was to our calling, there would be little of intellectual interest about it. The man who had the best card index of the cases would also be the wisest judge. It is when the colors do not match, when the references in the index fail, when there is no decisive precedent, that the serious business of the judge begins.
Similarly, the ability to use experience, knowledge, and judgment to help clients prepare for and defend against unknown-unknowns is where our real value lies. It is where the serious business of the cybersecurity professional begins.
Indeed, this is the very reason why we invest so much time and effort into educating the Boards of Directors and the C-Suites of companies to help them understand that simply relying on AV software or any other tool de jure isn’t enough. This is why we tell them they need to take business cyber risk seriously and make a substantial investment in cybersecurity and their overall cyber risk management program, which must be continuously maturing.
If we are unable to help companies develop a cybersecurity strategy for unique and unprecedented cyber attacks, how does our experience, knowledge, and judgment provide any value to our clients? When asked about what helped him be so effective, the great Wayne Gretzky said, “I skate to where the puck is going to be, not to where it has been.”
Isn’t that what we are telling companies’ Boards and C-Suites that we can help them do? Not that we are here to report on and defend against what is already known–where the puck has been–but to use our experience and judgment to help them better predict what we believe could be unknown-unknowns–where the puck may be going? Isn’t that where our real value lies?
Cybersecurity is not a science, it is an art. It is not based on a formula. Often, there is no right answer and there is no wrong answer. It is a question of knowledge, experience, and judgment. And, there are times when we will fail.
But there are also times when we will prevail when many would not have. These questions of judgment are what distinguishes a professional from a technician and, while it is extremely challenging and many times thankless, that is the nature of the security process.
Shawn Tuma (@shawnetuma) is a business lawyer with an internationally recognized reputation in cybersecurity, computer fraud and data privacy law. He is a Cybersecurity & Data Protection Partner at Scheef & Stone, LLP, a full-service commercial law firm in Texas that represents businesses of all sizes throughout the United States and, through its Mackrell International network, around the world.