The roll call is long and ugly: Target, Sony, J.P. Morgan, OPM and on, and on. As leaders we are constantly exhorted to beef up our cyber security defenses and policies. But is that all we can do? What about taking the fight back to our adversaries?
Not one day seems to go by without some spectacular hack with millions of important and/or embarrassing records stolen. The pressure on executives just seems to get worse. It has gotten so bad that now the FTC (Federal Trade Commission) can prosecute companies that fail to take action to protect customer data. Seems like all we hear is “strengthen our defenses.” But doesn’t this seem like just building a Maginot Line in a world of fast-moving attackers and rapidly developing weapons?
What about the other half of the equation – offense? People don’t talk as much about this for many reasons: fear of unleashing weapons that will bounce back on us, unclear and poorly established law governing it, unforeseen collateral damage, and so on. But don’t think it’s not being contemplated; it may already be underway. Orwellian euphemisms like “active defense” swirl through the security community, but most of us don’t come across them until it is too late.
The US government – both a major target and a major power – has been at it for a while. Few outside of a close circle really know the scope and scale – for a revealing set of insights, check out “@War – The Rise of the Military Internet Complex” by Shane Harris. And it looks like the government is shedding any pretexts or spin in its pronouncements with the recent opening of a $460M solicitation whose many tasks include developing “Cyber Munitions” and supporting “Cyber Fire” exercises.
Maybe it’s time your organization got some offensive cyber firepower. The attacks are potentially devastating financially. Home Depot reported that they spent $43M on investigations, providing identity theft protection services to consumers, increased call center staffing, and other legal and professional services. Target’s data breach is reported to have cost it $148M. Then there is the professional toll. Here is another roll call from the headlines:
- “Target CEO Gregg Steinhafel resigns in wake of customer data breach” – May 2014
- “Amy Pascal, Sony Pictures executive, steps down in the wake of 2014 hacking” – February 2015
- “OPM Director Katherine Archuleta Resigns After Massive Personnel Data Breach” – July 2015
- “Ashley Madison CEO Noel Biderman resigns amid hacking scandal” – August 2015
Time to think about cyber security in a new way? Maybe it’s time to take the fight to the hackers?