Cyber Attacks: Ashes, Ashes, We All Fall Down

11 October 2017

Once again a cyber attack, in this case targeting Equifax, has claimed the scalp of a chief executive.

Despite the alarming number of casualties that this ever evolving threat continues to claim, business leaders and those at the top of government remain reticent when it comes to taking the necessary steps to protect the interests of their customers, shareholders and stakeholders. Not to mention their own reputations and that of the organizations they lead and serve.

The world recently gathered at the UN General Assembly to discuss the most significant threats to the current world order. There is no shortage of options to choose from: Russian influence on our democracies and rule of law to North Korea’s penchant for lobbing ICBMs into the Pacific.

But in today’s world, the more terrifying threats are those we haven’t figured out yet how to face as a global community: threats such as pandemic disease, transnational criminal organizations, and cyber attacks. With Equifax continuing to dominate headlines, it’s disturbing that world leaders – and indeed business leaders – are not more focused on the immediate threat posed by cyber attacks.

Cyber attacks come in all shapes and sizes. For years now, governments and businesses have found themselves at the sharp end of the stick following news of a data breach and the loss of private and confidential information. Financial information is spilled onto the dark web and sold to the highest bidder. Personally identifiable information is available for compiling by rogue actors. Secrets are splashed in newspapers. In reaction to nearly every single incident, government and corporate leaders find themselves scrambling to respond.

The impact of this failure to be prepared is that the damage is compounded. We do not seem to be learning much from each successive incident. Rather, the incidents only become more spectacular in their impact. Even a proportionally small data breach can be disproportionally destabilizing.

Most recently, the world witnessed Russia supposedly call into question the legitimacy of the U.S. elections with little more than a handful of genuine compromises.

Cyber tools in the hands of rogue actors are particularly alarming. We have seen foreign state interference targeting the Ukrainian power grid. Iran is heavily investing in its social media, Internet and cyber welfare capabilities. North Korea's attack on Sony cost millions of dollars in repairs and untold reputational damage. But it’s not only state actors behind the attacks. Hacktivists, terrorists, organized crime syndicates and even tech-savvy adolescents can inflict significant cost on unwitting individuals, businesses and governments.

The UN General Assembly presents our only opportunity to build consensus among states on solutions to the thorniest of problems. Since World War I, we have drawn on multilateral institutions to counter the threat posed by malicious actors. But we haven’t successfully applied these institutions to the threats posed by cybercrime. States have agreed that international law applies; but beyond articulating broad principles, no one knows what to do in the face of a cyber attack. Is it an act of war? Is the remedy a military one? What if the target is a private actor, or the perpetrator a non-state actor?

At the same time, as a society, we have made ourselves significantly more vulnerable to attack.  We have consistently chosen innovation and ‘progress’ over security. The ability to link together systems and data brings tremendous power, but without the security policies and practices in place, we have made ourselves into one, big, shiny target for those who wish to do us harm.

We are most vulnerable because we are not prepared.

For too long, governments and businesses have relegated cyber attacks to the IT department, without recognizing that both proactive and defensive policies are needed from the top. A cyber attack is an attack on the institution. All businesses need policies in place and they need to define when and how they will share information with governments. Governments need clearly delineated and well communicated  policies over who will take the lead in responding to a cyber attack that results in a data breach. Governments must also take the lead in devising ways to respond collectively, particularly in the tough cases when a cyber attack cannot be classified as warfare.

The drip, drip, drip, of persistent, relatively low-level cyber-attacks can damage the trust and confidence in a state, President, business leader or business over time, without ever triggering the response needed to manage the attack.

To avoid being the next victim, leaders — not just the tech savvy — must be prepared for the next cyber attack. We must prioritize cooperation and information sharing between state and private sector actors, not only in terms of identifying the threat, but also in identifying solutions.

Until we do, the underlying risk is that we all fall down.

Receive our monthly newsletter

About the Author

Amy Pope

Partner

Formerly U.S. Deputy Homeland Security Advisor to President Obama, Amy helps clients to respond quickly to a myriad of reputation and privacy threats.

+1 646 934 6219
Our 24 hour number
+1 646 934 6219
Legal information

© 2020 Schillings International LLP. SCHILLINGS is a trading name of Schillings International LLP and Schillings International (USA) LLP.

Schillings International LLP is a limited liability partnership registered in England and Wales with registration number OC398731. A list of members of Schillings International LLP is available for inspection at our registered office 12 Arthur Street, London, EC4R 9AB. Schillings International LLP is an Alternative Business Structure regulated and authorised by the Solicitors Regulation Authority.

Schillings International (USA) LLP is a registered limited liability partnership organised and existing under the laws of the State of Delaware, United States of America, whose principal place of business is at One World Trade Center, Suite 8500, New York, NY 10007. Our New York based attorneys are registered as a foreign legal consultant in the State of New York.


ATTORNEY ADVERTISING