Cyber Attacks: Ashes, Ashes, We All Fall Down
11 October 2017
Once again a cyber attack, in this case targeting Equifax, has claimed the scalp of a chief executive.
Despite the alarming number of casualties that this ever evolving threat continues to claim, business leaders and those at the top of government remain reticent when it comes to taking the necessary steps to protect the interests of their customers, shareholders and stakeholders. Not to mention their own reputations and that of the organizations they lead and serve.
The world recently gathered at the UN General Assembly to discuss the most significant threats to the current world order. There is no shortage of options to choose from, ranging from Russian influence on our democracies and rule of law to North Korea’s penchant for lobbing ICBMs into the Pacific.
But in today’s world, the more terrifying threats are those we haven’t figured out yet how to face as a global community: threats such as pandemic disease, transnational criminal organizations, and cyber attacks. With Equifax continuing to dominate headlines, it’s disturbing that world leaders – and indeed business leaders – are not more focused on the immediate threat posed by cyber attacks.
Cyber attacks come in all shapes and sizes. For years now, governments and businesses have found themselves at the sharp end of the stick following news of a data breach and the loss of private and confidential information. Financial information is spilled onto the dark web and sold to the highest bidder. Personally identifiable information is available for compiling by rogue actors. Secrets are splashed in newspapers. In reaction to nearly every single incident, government and corporate leaders find themselves scrambling to respond.
The impact of this failure to be prepared is that the damage is compounded. We do not seem to be learning much from each successive incident. Rather, the incidents only become more spectacular in their impact. Even a proportionally small data breach can be disproportionally destabilizing.
Most recently, the world witnessed Russia supposedly call into question the legitimacy of the U.S. elections with little more than a handful of genuine compromises.
Cyber tools in the hands of rogue actors are particularly alarming. We have seen foreign state interference targeting the Ukrainian power grid. Iran is heavily investing in its social media, Internet and cyber warfare capabilities. North Korea's attack on Sony cost millions of dollars in repairs and untold reputational damage. But it’s not only state actors behind the attacks. Hacktivists, terrorists, organized crime syndicates and even tech-savvy adolescents can inflict significant cost on unwitting individuals, businesses and governments.
The UN General Assembly presents our only opportunity to build consensus among states on solutions to the thorniest of problems. Since World War I, we have drawn on multilateral institutions to counter the threat posed by malicious actors. But we haven’t successfully applied these institutions to the threats posed by cybercrime. States have agreed that international law applies; but beyond articulating broad principles, no one knows what to do in the face of a cyber attack. Is it an act of war? Is the remedy a military one? What if the target is a private actor, or the perpetrator a non-state actor?
At the same time, as a society, we have made ourselves significantly more vulnerable to attack. We have consistently chosen innovation and ‘progress’ over security. The ability to link together systems and data brings tremendous power, but without the security policies and practices in place, we have made ourselves into one, big, shiny target for those who wish to do us harm.
We are most vulnerable because we are not prepared.
For too long, governments and businesses have relegated cyber attacks to the IT department, without recognizing that both proactive and defensive policies are needed from the top. A cyber attack is an attack on the institution. All businesses need policies in place and they need to define when and how they will share information with governments. Governments need clearly delineated and well communicated policies over who will take the lead in responding to a cyber attack that results in a data breach. Governments must also take the lead in devising ways to respond collectively, particularly in the tough cases when a cyber attack cannot be classified as warfare.
The drip, drip, drip of persistent, relatively low-level cyber attacks can damage the trust and confidence in a state, President, business leader or business over time, without ever triggering the response needed to manage the attack.
To avoid being the next victim, leaders — not just the tech savvy — must be prepared for the next cyber attack. We must prioritize cooperation and information sharing between state and private sector actors, not only in terms of identifying the threat, but also in identifying solutions.
Until we do, the underlying risk is that we all fall down.