BIG IDEA
REPRINT BG1803
PUBLISHED ON HBR.ORG
MAY 2018
THE END OF CYBERSECURITY
NO AMOUNT OF INVESTMENT IN DIGITAL DEFENSES CAN PROTECT CRITICAL SYSTEMS FROM HACKERS. IT’S TIME FOR A NEW STRATEGY.
BY ANDY BOCHMAN
INTERNET INSECURITY
NO AMOUNT OF SPENDING ON DEFENSES WILL SHIELD YOU COMPLETELY FROM HACKERS. IT’S TIME FOR ANOTHER APPROACH.
BY ANDY BOCHMAN
Here’s the brutal truth: It doesn’t matter how much your organization spends on the latest cybersecurity hardware, software, training, and staff or whether it has segregated its most essential systems from the rest. If your mission-critical systems are digital and connected in some form or fashion to the internet (even if you think they aren’t, it’s highly likely they are), they can never be made fully safe. Period.
This matters because digital, connected systems now permeate virtually every sector of the U.S. economy, and the sophistication and activity of adversaries — most notably nation-states, criminal syndicates, and terrorist groups — have increased enormously in recent years. Witness the attacks in the United States on Atlanta’s municipal government and on a data network shared by four operators of natural-gas pipelines, the theft of data from Equifax, and the global WannaCry and NotPetya malware attacks. In many of the most notorious incidents of recent years, the breached companies thought they had strong cyber defenses.

I am a member of a team at the Idaho National Lab (INL) that has been studying how organizations critical to the U.S. economy and national security can best protect themselves against cyberattacks. We’ve focused on those that rely on industrial control systems — such as the ones that regulate heat and pressure in electric utilities and oil refineries — and have come up with a solution that flies in the face of all conventional remedies: Identify the functions whose failure would jeopardize your business, isolate them from the internet to the greatest extent possible, reduce their reliance on digital technologies to an absolute minimum, and backstop their monitoring and control with analog devices and trusted human beings. Although our methodology is still in the pilot stage, organizations can apply many elements of the approach now.
(Pull quote, beginning cut off:) …paradox posed by digital technologies: Even as they grant unprecedented powers, they also make users less secure. Their communicative capabilities enable collaboration and networking, but in so doing they open doors to intrusion. Their concentration of data and manipulative power vastly improves the efficiency and scale of operations, but this concentration in turn exponentially increases the amount that can be stolen or subverted by a successful attack. The complexity of their hardware and software creates great capability, but this complexity spawns vulnerabilities and lowers the visibility of intrusions…. In sum, cyber systems nourish us, but at the same time they weaken and poison us.

Despite the ever-expanding number of damaging, high-profile cyberattacks throughout the world, on companies such as Target, Sony Pictures, Equifax, Home Depot, Maersk, Merck, and Saudi Aramco, business leaders have been unable to resist the allure of digital technologies and the many benefits they provide: greater efficiency, lower head counts, the reduction or elimination of human error, quality improvements, opportunities to glean much more information about customers, and the ability to create new offerings. Leaders spend more and more every year on new security solutions and high-priced consultants, continuing with conventional approaches to cybersecurity and hoping for the best. That is wishful thinking. The fact is that these technologies are so mind-bogglingly complex that even the vendors who create and know them best don’t fully understand their vulnerabilities. Vendors typically sell automation as a way to …

… policy. And most often they don’t find the breach themselves; they are notified by third parties.

THE LIMITATIONS OF “CYBER HYGIENE”
These conventional approaches — or “hygiene” in the cybersecurity trade — include:
• creating comprehensive inventories of a company’s hardware and software assets
• buying and deploying the latest defensive hardware and software tools, including endpoint security, firewalls, and intrusion-detection systems
• regularly training employees to recognize and avoid phishing emails
• creating “air gaps” — in theory, separating important systems from other networks and the internet — though in practice, there are no true air gaps
• building a large cybersecurity staff supplemented with various services and service providers to do all of the above

Many organizations adhere to best-practices frameworks such as the National Institute of Standards and Technology’s (NIST) cybersecurity framework and the SANS Institute’s top 20 security controls. These entail continuously performing hundreds of activities without error. They include mandating that employees use complex passwords and change them frequently, encrypting data in transit, segmenting networks by placing firewalls between them, immediately installing new security patches, limiting the number of people who have access to sensitive systems, vetting suppliers, and so on.

Many CEOs seem to believe that by hewing to cyber-hygiene best practices, they can protect their organizations from grievous harm. The numerous high-profile breaches amply demonstrate the error of this presumption. All the companies previously
mentioned had large cybersecurity staffs and were spending significant sums on cybersecurity when they were breached. Cyber hygiene is effective against run-of-the-mill automated probes and amateurish hackers, but not so in addressing the growing number of targeted and persistent threats to critical assets posed by sophisticated adversaries.

In asset-intensive industries such as energy, transportation, and heavy manufacturing, no amount of talent or money can accomplish all the prescribed best practices without error. In fact, most organizations fail at the first of the recommended practices: creating comprehensive inventories of the company’s hardware and software assets. That is a huge shortcoming, because you can’t secure what you don’t even know you have.

Then there are the trade-offs inherent in the best practices. Security upgrades usually require that systems be shut down for installation, but that’s not always feasible. For example, utilities, chemical companies, and others that put a premium on the availability and reliability of their industrial processes or systems can’t stop them every time a software company issues a new security patch. So they tend to install the patches periodically, in batches, during scheduled downtime, often many months after a patch is released. Another issue is protecting widely dispersed assets. Larger utilities, for example, operate thousands of substations, which often are spread out over thousands of square miles. Refreshing them presents a quandary: If you can access the software via a network to implement updates, a talented adversary may just as easily tap into the network to access the software for nefarious purposes. But if your own employees physically update the software at all those plants, the effort can be prohibitively expensive. And if you subcontract that work to independent outfits, you can’t hope to sufficiently vet them all.

Even if the best practices could be implemented perfectly, they would be no match for sophisticated hackers, who are well funded, patient, constantly evolving, and can always find plenty of open doors to walk through. No matter how good your company’s hygiene is, a targeted attack will penetrate your networks and systems. It may take the hackers weeks or months, but they will get in.

That’s not just my view. Michael Assante, a former chief security officer of American Electric Power and now a leader at the SANS Institute, told me, “Cyber hygiene is helpful for warding off online ankle biters” and “if done perfectly in a utopian world, might thwart 95% of attackers.” But in the real world, he said, it registers as “barely a speed bump for sophisticated attackers aiming at a particular target.” And in an interview last year with the Wall Street Journal, Bob Lord, the former head of security for Yahoo and Twitter, said, “When I talk to corporate security officers, I see a little bit of this fatalism, which is ‘I can’t defend against the most sophisticated nation-state attack. Therefore, it is a lost game. So I’m not really going to start to think deeply about the problem.’”

One case in point is the 2012 Shamoon virus attack on Saudi Aramco, which had good defenses in place. The attack, which U.S. officials suspect was carried out by Iran, erased data on three-quarters of the oil company’s corporate PCs. A more recent attack, in March 2018, was designed to trigger a blast at a Saudi petrochemical plant by interfering with safety controllers. It might have succeeded had the attacker’s code not contained an error, according to the New York Times. “The attackers not only had to figure out how to get into that system, they had to understand its design well enough to know the layout of the facility — what pipes went where and which valves to turn in order to trigger an explosion,” the Times wrote.

INL’S RADICAL IDEA
It’s time to embrace a drastically different approach: a highly selective shift away from full reliance on digital complexity and connectivity. This can be done by identifying the most essential processes and functions and then reducing or eliminating the digital pathways attackers could use to reach them.

The Idaho National Lab has developed a step-by-step approach: its consequence-driven, cyber-informed engineering [CCE] methodology. The objective of CCE is not a one-time risk assessment; rather, it is to permanently change how senior leaders think about and weigh strategic cyber risks to their companies. Although it is still in the pilot stage, we’ve seen great results. We plan to have CCE fully ramped up in 2019 and to have several services firms licensed to implement the methodology by 2020. But even today, the core precepts of the CCE approach can be adapted by any organization. (The lab has also developed a companion framework: cyber-informed engineering [CIE], which, while similar to CCE in many respects, describes methods for integrating cyber risk mitigations across the entire engineering life cycle.)

The methodology comprises four steps that should be performed in a highly collaborative fashion by the following:
• a CCE master — now someone from the INL, but in the future people at engineering services firms trained by the INL
• all the leaders responsible for regulatory compliance, litigation, and mitigating risks: the CEO, the chief operating officer, the chief financial officer, the …
2. Map the Digital Terrain
The next task, which typically takes a full week but may take longer, is mapping all the hardware, software, and communications technologies and the supporting people and processes (including third-party suppliers and services) in the company-ending scenarios. It entails laying out the steps of production, documenting in robust detail all the places where control and automation systems are employed, and capturing all the necessary physical or data inputs into the function or process. These connections are potential pathways for attackers, and companies often are not aware of all of them.

Existing maps of these elements never fully match the reality. Questions such as “Who touches your equipment?” and “How does information move through your networks and how do you protect it?” will always turn up surprises. For example, the team …
WHAT YOU CAN DO TODAY
Learn to think like your adversaries. You might go as far as to build an internal team charged with continually assessing the strength of your defenses by trying to reach critical targets. The team should include experts in the processes in question, control and safety systems, and operational networks.

Even if you can maintain consistently high levels of cyber hygiene, you must prepare for a breach. The best way to do that is to create a cyber safety culture similar to those that exist at elite chemical factories and nuclear power plants. Every employee, from the most senior to the most junior, should be aware of the importance of reacting quickly when a computer system or a machine in their care starts acting abnormally: It might be an equipment malfunction, but it might also indicate a cyberattack.

Finally, a Plan B should be ready for implementation if and when you and your team lose confidence in systems that support your most critical functions. It should be designed to allow your company to continue essential operations, even if at a reduced level. Ideally, the backup system should not rely on digital technologies and should not be connected to a network — particularly the internet. But at a minimum, it should not exactly replicate the one in question, for an obvious reason: If attackers were able to breach the original, they’ll be able to easily invade one identical to it.

...

Every organization that depends on digital technologies and the internet is vulnerable to a devastating cyberattack. Not even the best cyber hygiene will stop Russia, North Korea, and highly skilled, well-resourced criminal and terrorist groups. The only way to protect your business is to take, where you can, what may look like a technological step backward but in reality is a smart engineering step forward. The goal is to reduce, if not eliminate, the dependency of critical functions on digital technologies and their connections to the internet. The sometimes higher cost will be a bargain when compared with the potentially devastating price of business as usual.
WEBINAR
HOW TO REFRAME YOUR CYBERSECURITY STRATEGY
Featuring Andy Bochman, Senior Grid Strategist, National & Homeland Security,
Idaho National Laboratory
If your mission-critical systems are digital and are connected in some form or fashion to the internet (even if you think they aren’t, it’s highly likely they are), can they ever be made fully safe from cyberattacks? Cybersecurity expert Andy Bochman says the answer is no — and that your company needs a new strategy. In this webinar, Bochman describes how companies can use a new methodology when designing cybersecurity plans. That approach includes identifying the functions whose failure would jeopardize your business, figuring out how to disconnect them from the internet to the greatest extent possible, reducing their reliance on digital technologies to the absolute minimum, and backstopping their monitoring and control with analog devices and trusted human beings.

PHOTO CAPTION: LEFT: STEVE PROKESCH, SENIOR EDITOR AT HBR; RIGHT: ANDY BOCHMAN, SENIOR GRID STRATEGIST, NATIONAL & HOMELAND SECURITY, IDAHO NATIONAL LABORATORY
The only way to keep the cheese company safe is to take systems offline — a huge blow to efficiency. What should the CEO do?
by Scott Berinato and Andy Bochman
This is a fictionalized case study based on a situation faced by the leader of a real company.
“Never again!” Chadwick Robert Newhouse raged at his executive staff, few of whom were making eye contact. They were gathered around a farmhouse table in the tasting room at Newhouse Cheese Company. Crackers and cheese had been set out, as at all staff meetings, but no one was partaking.

Chad had just wired $49,999 to — to whom? Some teenagers halfway across the world? All he knew for sure was that someone had used “ransomware” to shut off one of the factory’s temperature control systems for two minutes, as a demonstration. The hackers also claimed to have accessed sensitive files — cheese recipes passed down through the family for more than 200 years and still a mainstay of the business. If they put them on the internet — he couldn’t even entertain the idea.

Chad had paid the ransom on the advice of his lawyer and the local FBI office. He didn’t care about the money; the hackers had guessed correctly about that. (And they would have known that if they’d asked for more than $49,999, the attack would have been a more serious crime.) He cared about eradicating the punks from his systems and plugging whatever holes had allowed them to threaten his family’s legacy. His team could hear the fear beneath his harangue. He had no idea whether the hackers would honor their word and stop attacking.

“FROM WALES WITH LOVE”
Chad Newhouse was a fifth-generation cheese maker. In 1811 his great-great-grandfather Cole Brian Newhouse had emigrated to Connecticut from Caerphilly, a region in Wales that was famous for its cheese. Cole had brought recipes for the eponymous local cheese along with ones for cheddars and blues — and little else. But he went from having a few pennies in his pocket to being
the most popular cheesemonger in New England and New York, providing artisanal cheese to all the finest restaurants.

Things went smoothly until the Great Depression, when restaurants looked to industrial cheese makers for cheaper alternatives. Chad’s grandfather, Monty, bet the family fortune on industrializing to compete. He kept serving restaurants, but he also got in on an emerging trend at the right time, brokering deals with King Kullen and other new “supermarkets.” The company’s tagline, “From Wales with love,” became a household phrase among shoppers in the Northeast.

In the early 2000s Chad took on the third great transformation of Newhouse Cheese. He sank massive amounts of capital into a fully digital, precision-controlled factory. With the savings afforded by the digital infrastructure, the company scaled up nationally. Growth came fast and had continued for more than a decade. But the hack had pulled him up short.

“WHO INVITED HER?”
Finally, Chad wound down his tirade. He picked up a chunk of cheddar and held it between his thumb and forefinger. Contemplating that little piece of family heritage moved him from anger to determination. “So,” he said. “What do we do.” It was a directive, not a question. Give me ideas.

Frank Armen, the chief information security officer, spoke first, suggesting an increase in the budget for intrusion-monitoring systems. “There’s some good new stuff on the market,” he said. “Of course, we’ll review our incident response protocol, because the SEC will probably come knocking, wanting to see all our plans and procedures. They’ve been more active lately.”

“How much have we already spent on security systems?” Chad asked sharply; the rote answer grated on him. Someone tossed out a figure: $6 million. “How much have we reduced breaches by?” He knew the answer: Breaches had increased. And for the first time, they had paid the bad guys to make them go away. “We all know the definition of insanity,” he said. “I don’t see how more boxes doing the same thing will help.”

After an uncomfortable moment, someone standing in the back of the room asked, “Um, why are our control systems even online?”

Everyone at the table wheeled around to see who would say that to the CEO — the man who had driven the digital transformation.

It was Sara Wilund, deputy to the COO. Her boss, Bruce Boyle, began apologizing for the interruption, but Chad waved him off with his chunk of cheese. “I mean, shouldn’t the family recipes just be locked up on paper somewhere?” Sara asked. “Why do we need to access them digitally? And the pasteurization equipment and all that — it’s more hardware to hack.” Disdainful laughter rippled around the room.

“Go on,” Chad said evenly, and the laughter halted.

Sara explained that she had read about a new risk-assessment process that challenges companies to face up to vulnerabilities created by the combination of overly complex software-based systems and an addiction to convenience in the pursuit of ever-greater efficiency. It’s not just automation that’s opening up new risks, she pointed out; it’s anywhere-anytime access, too. “In a lot of cases, consultants recommend that companies unplug,” she said. “Put humans back into the process. I have no idea what a consultant would cost us, but seems like,” she gestured at the cheese between Chad’s fingers, “the stakes are too high not to find out.”

More laughter ensued; Chad heard the head engineer mumble, “Who invited her?” He popped the piece of cheese into his mouth, savoring the taste, then wiped his hands and stood up to leave. Looking straight at Sara, he commanded: “Make the call.”

“BUT IF SOMEONE DID GET ACCESS?”
Three weeks later Chad, Frank, and Sara stood beside three massive pasteurizing vats fronted by a computer workstation. Charts and numbers moved across the screen. The consultant they had hired, Jack Parem, was peppering a tech with questions.

“Sensors in the tanks send us real-time data about everything — temperature, density, impurities, bacteria,” the tech said. “It’s saved millions of dollars, and the number of batches we have to get rid of has gone down dramatically.”

Parem seemed unimpressed. “And the system is networked?” he asked.

“Of course. Otherwise someone would have to be here whenever the process was happening. This way, we just get alerts if something is out of whack. That’s crucial to the cost savings.”

“Who has access?”

“Anyone with a login, but we only give it to, I don’t know, two or three people. Mostly it’s me. When I was on vacation last month, I logged in from my hotel to check on things.”

The process had been going on for three arduous weeks: The team would stop at a station in the factory while the tech explained what happened there. Parem usually said little in response; he mainly just scribbled notes. But Chad remembered that at the thermization tanks, where milk is sanitized, he had pressed the tech: What could happen if someone gained access to the system?

“Oh, they won’t,” the tech had said. “It’s just me and a couple others who have the login.”

Parem had persisted. “But if someone did get access?”

“I suppose they could shut down the system, which would make the milk unsafe. We’d have to get rid of it.”
“What if they shut it down but made it look like everything was fine?”

“I don’t see how they — they can’t do that, can they?” Parem waited for an answer. “Well, if they did, it could be bad. Like, listeria bad.” Chad had been hanging back, but now he pushed forward, wedging himself between Sara and Frank. “That can’t happen!” he exclaimed.

Today they were working on step three of Parem’s four steps. The first step was identifying the most critical information and processes. That had been exhausting; Chad hadn’t realized just how much complexity the digitization initiative had created. The next step was mapping the digital terrain upon which those processes rested: all the hardware and software elements in detail, every way into the network, every way out. And human procedures, including contractor access and supply chain matters. Step two made Chad anxious. He couldn’t believe how many access points were open and how little they knew about some of their tech systems.

This part, step three, was illuminating the most likely paths of attack, judging by the assessment of what was critical (step one) and open (step two). Everything was graded according to the importance of the risks and the consequences of failure. Step four would generate options on the basis of those scores, targeting first the highest-risk, highest-consequence points.

Chad had insisted on being present throughout, but now he wondered about the wisdom of that choice. Seeing all the vulnerabilities made him think another attack was all but certain. He even started to question his decision to fully digitize. But there was no sense in getting ahead of himself; he’d need to hear the consultant’s recommendations before making any changes.

“RANSOMWARE DOESN’T SCARE ME; LISTERIA DOES”
In the boardroom the following Wednesday, Parem was met by crossed arms and stony faces. He had submitted his report at the beginning of the week. It was a sobering document: He had found four pathways into the network that no one knew about. One system had been compromised by a bot. Another could give hackers access to the industrial control systems.

“I see three points of failure that require immediate attention,” Parem told the group. “One, the thermization process. I recommend taking it offline right away and having people monitor the system when it’s in use. Two, pasteurization. Remove the networked temperature controls and the automated temperature adjustments. Or keep them but have people do the monitoring here, too. You can still use digital thermometers, but—”

“Those systems have never failed,” Frank said. “Why take them offline?”

Bruce piled on. “We have to add headcount for monitoring?” he asked. “The whole point of going digital was to save money. And without our precision controls, we’d have to scrap a whole lot more cheese. It could kill the bottom line.”

Chad uneasily recalled the days when contaminated batches were more than an occasional event. Could they really go back to that?

Parem said, “The goal isn’t to go back to the Stone Age; it’s to reduce the digital pathways that are the most likely vectors for a breach and then to backstop those that remain online with some analog and human controls. I’m just laying out options for the systems where there’s a chance of an incursion—”

“But what chance, exactly?” Frank cut in. “You want us to roll the business back 20 years on a one-in-a-million chance?”

“Look, I came here because you were hit by a ransomware attack, but frankly, ransomware doesn’t scare me,” Parem said. “Listeria does. I’ve been over every system here. These are points of failure that could lead to a catastrophe — a public health catastrophe. And the odds that they’ll be compromised are far greater than one in a million. I’m sure you’ve heard about what’s happened at other companies lately. It’s not pretty.” He ticked off several instances of industrial hacks: A nuclear plant in Ukraine. Tornado sirens in Texas. A sewer system in Australia. “Plus, we hacked into your systems ourselves; we did a pen test,” he said, using industry slang for an authorized penetration meant to identify vulnerabilities. “We were able to take over the control systems and access all your recipes. That’s number three, by the way: Take the recipes offline.”

The room went silent. “I signed off on the pen test,” Chad said, “and I was shocked by how easy it was. Something has to change.”

“A GIANT STEP BACKWARD”
The presentation was over, but the argument wasn’t. The executive team was gathered in the tasting room later that day. “Any network is complex, and we’ve been adding to ours for 10 years now,” Frank said; he’d been growing more defensive by the minute. Ten years and $6 million, Chad thought wearily. Can we afford to throw all that down the drain?

“It’s not just us; most organizations have these problems,” the security chief continued. “You can’t tell me they’re all going to pull their systems apart. A modest capital investment, and we can patch what he found.”

“No one is blaming you, Frank,” Chad said. “This is on me. I pushed for digitization. I wanted automation. The question is, what do we do about it now?”
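The four-step process Parem walks the team through (identify the critical functions, map the digital terrain, grade the likely paths of attack by consequence and openness, then generate options for the highest-risk points) is the same consequence-driven sequence the article’s CCE section outlines. The following Python is an added illustration of that prioritization, not code from the case study or from INL; the scoring weights and option rules are assumptions, and the data are constructed from the fictional Newhouse scenario rather than taken from any real assessment.

```python
"""Consequence-driven prioritization of digital pathways.

Added, self-contained illustration of the four-step process described in the
article and the case study. It is NOT INL's CCE tooling: the weights are
assumptions, and the data are constructed from the fictional Newhouse Cheese
case rather than taken from any real assessment.
"""
from dataclasses import dataclass, field

# Step 2 output: one way into a critical function. `known` records whether the
# company's own map listed it before the walk-through (the consultant in the
# case found four pathways nobody knew about).
@dataclass(frozen=True)
class Pathway:
    name: str
    kind: str      # "internet", "remote_login", "vendor", or "internal"
    known: bool

# Step 1 output: a function whose failure would jeopardize the business.
@dataclass
class Function:
    name: str
    consequence: int         # 1-5; 5 = public-health or company-ending failure
    digital_dependency: int  # 1-5; 5 = monitoring and control are purely digital
    analog_backstop: bool    # can people or analog instruments catch a bad state?
    pathways: list = field(default_factory=list)

# Assumed weights: a pathway reachable from the internet is the easiest to use,
# an internal-only one the hardest. Unknown pathways count double: nobody is
# watching them, so they are exactly the surprises the mapping step turns up.
KIND_WEIGHT = {"internet": 4, "remote_login": 3, "vendor": 2, "internal": 1}

def exposure(fn: Function) -> int:
    """Step 3a: how open the function is, summed over its pathways."""
    total = 0
    for p in fn.pathways:
        w = KIND_WEIGHT[p.kind]
        total += w if p.known else 2 * w
    return total

def score(fn: Function) -> int:
    """Step 3b: consequence times openness times digital reliance.
    An analog backstop halves the score: a breach still hurts, but a person or
    a dial can catch the bad state before it becomes a catastrophe."""
    s = fn.consequence * exposure(fn) * fn.digital_dependency
    return s // 2 if fn.analog_backstop else s

def options(fn: Function) -> list:
    """Step 4: candidate changes in the article's order of preference: cut the
    pathway, reduce digital dependency, then backstop whatever stays online."""
    out = []
    for p in fn.pathways:
        if p.kind in ("internet", "remote_login"):
            out.append(f"remove pathway '{p.name}' (take {fn.name} off the network)")
        elif not p.known:
            out.append(f"document and gate pathway '{p.name}'")
    if fn.digital_dependency >= 4:
        out.append(f"reduce digital dependency of {fn.name} "
                   "(keep instruments, drop networked control)")
    if not fn.analog_backstop:
        out.append(f"add analog/human backstop for {fn.name}")
    return out

def prioritize(functions: list) -> list:
    """(name, score, options) tuples, highest-risk/highest-consequence first."""
    ranked = sorted(functions, key=score, reverse=True)
    return [(f.name, score(f), options(f)) for f in ranked]

# Constructed from the case: thermization and pasteurization are networked, the
# tech logs in from hotels, one workstation was bot-compromised, and the recipes
# sit on the same network (a paper copy is assumed to exist as a backstop).
NEWHOUSE = [
    Function("thermization", consequence=5, digital_dependency=5, analog_backstop=False,
             pathways=[Pathway("plant network to internet", "internet", True),
                       Pathway("tech's hotel login", "remote_login", False),
                       Pathway("bot-compromised workstation", "internal", False)]),
    Function("pasteurization", consequence=5, digital_dependency=4, analog_backstop=False,
             pathways=[Pathway("plant network to internet", "internet", True),
                       Pathway("networked temperature controls", "internal", True)]),
    Function("family recipes", consequence=4, digital_dependency=3, analog_backstop=True,
             pathways=[Pathway("file server on plant network", "internal", True),
                       Pathway("tech's hotel login", "remote_login", False)]),
]

if __name__ == "__main__":
    for name, s, opts in prioritize(NEWHOUSE):
        print(f"{name}: score {s}")
        for o in opts:
            print("  -", o)
```

With these constructed inputs the ranking reproduces the consultant’s order (thermization, then pasteurization, then the recipes), which is the point of scoring by consequence first rather than by how often a system has failed in the past.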
Bruce said, “We can’t go offline. It will raise costs all over — quality control, personnel, maintenance. The savings our digital systems generate and the benefits they bring our workers are massive. Going even partially offline would be a giant step backward.”

Making people sick from our cheese would be more than a step backward, Chad thought, but he wanted to let the discussion play out.

“A hack won’t happen,” Frank insisted. “I’ll harden the systems. We’ll be fine.”

“We’d be sending a mixed message to investors,” Jenny Cruickshank, the CFO, said. She was just back from maternity leave, so she’d missed the walk-throughs with the consultant, but Chad had brought her up to speed. “On one hand, we’d be signaling that security is a high priority. On the other hand, the cost of abandoning our digital investments would be huge. Investors might penalize us for being overcautious.”

She cleared her throat. “And I hate to bring up a sore subject, but remember that we just lost our account with Wholly Organic,” she added. “We’re not exactly in a position to bring on more people and revamp equipment.”

“OK, I get it,” Chad said, looking at his watch and waving them out. He couldn’t dismiss Parem’s findings, but his team had made some good points too. “Let me think about it.” As the others left, Sara Wilund entered. Chad saw the hostile looks they shot her.

“You’ve caused a lot of pain, you know that?” he said, motioning her to sit.

“I’m sorry,” she said. “I thought I was helping, but I’ve sent us into turmoil. Everybody is angry.”

“Better that than have my family’s legacy wiped out by—” he was reluctant even to use the L word. “By listeria.”

But as he spoke, an equally disturbing thought lodged unbidden in his mind: What if shifting course was just a different way to destroy that legacy?

He raised his head abruptly and posed the question point-blank: “What would you do?”

Sara laughed nervously. “Oh, I don’t understand the operations and costs enough to—” She stopped herself; none of that was true. “I’d lock it down, Mr. Newhouse. Take the most critical parts offline, or at least backstop them with analog systems that are much harder to hack. And definitely add some trusted humans. I know that’s not simple. It goes against everything we think is progress: automation, efficiency. It will cost money. But we keep spending and spending, and we’re not any closer to being safe.”

“Thank you, Sara,” Chad said, and she left. Again he took a bit of cheese between his fingers, this time the famous Caerphilly — from Wales with love. He popped it into his mouth. It’s every bit as good, he thought, as it was 200 years ago.

Should Chad implement the consultant’s recommendations?

About the authors: Scott Berinato is a senior editor at Harvard Business Review and the author of Good Charts: The HBR Guide to Making Smarter, More Persuasive Data Visualizations (Harvard Business Review Press, 2016). Andy Bochman is Senior Grid Strategist, National & Homeland Security, Idaho National Laboratory.
If we can’t stop the bad guys on the internet, should we take the fight to them?
by Scott Berinato
Dorothy Denning was an inaugural inductee into the National Cyber Security Hall of Fame. A fellow of the Association for Computing Machinery and a professor at the Naval Postgraduate School, she has written several books on cybersecurity, including Information Warfare and Security. She also coauthored a landmark paper on active defense, which states, “When properly understood, [active defense] is neither offensive nor necessarily dangerous.”

Robert M. Lee is a cofounder of Dragos, an industrial security firm. He conducted cyber operations for the NSA and U.S. Cyber Command from 2011 to 2015. In October 2017 his firm identified the first known malware written specifically to target industrial safety systems — in other words, its sole purpose was to damage or destroy systems meant to protect people. (The malware had been deployed that August against a petrochemical plant in Saudi Arabia, but the attack failed.)

When asked about active defense, Lee sighs and asks flatly, “How are you defining it?” You can tell he’s had this conversation before. The number of people co-opting the term seems to have wearied him, and he’s happy to help …

… J. Strawser, “Active Cyber Defense: Applying Air Defense to the Cyber Domain”: “Active cyber defense is a direct defensive action taken to destroy, nullify, or reduce the effectiveness of cyber threats against friendly forces and assets.”

That sounds like offense, but Lee and Denning note that it describes a strictly defensive action — one taken in reaction to a detected infiltration. Lee argues that there’s a border distinction: Active defense happens when someone crosses into your space, be it over a political boundary or a network boundary.

But Denning says that’s probably too simple, and below we’ll see a case in which the line is blurred. Lee says, “Most experts understand this, but it’s important to point out, especially for a general audience. You are prepared to actively deal with malicious actors who have crossed into your space. Sending missiles into someone else’s space is offense. Monitoring for missiles coming at you is passive defense. Shooting them down when they cross into your airspace is active defense.”

Can you give some other examples?

Denning says, “One example of active …

… Tzu wrote, “Security against defeat implies defensive tactics; ability to defeat the enemy means taking the offensive.” Centuries later Mao Zedong said, “The only real defense is active defense,” equating it to the destruction of an enemy’s ability to attack — much as aggressive tactics in active cyber defense aim to do. The term was applied in the Cold War and, as Denning and Strawser’s paper makes clear, is a core concept in air missile defense. Tactics are tactics; all that changes is where they’re employed.

That seems pretty straightforward. So why the uncertainty around the definition?

As noted earlier, hacking back — also not a new term — has confused matters. Properly used, it refers to efforts to attack your attackers on their turf. But because people often fuse it with active defense, difficult and sometimes frustrating disputes over the merits of active defense have ensued. One research paper went so far as to equate the two terms, starting its definition, “Hack back — sometimes termed ‘active defense’…”

The confusion multiplied in October …
bring clarity to the idea. cyber defense is a system that monitors 2017, when Representatives Tom Graves
The following FAQ primer draws on for intrusions, detects one, and responds (R-GA) and Kyrsten Sinema (D-AZ)
interviews with Denning and Lee. by blocking further network connections introduced the Active Cyber Defense
from the source and alerting the system Certainty (ACDC) bill, which would allow
What exactly is active defense, also administrator. Another example is taking companies to gain unauthorized access
known as active cyber defense? steps to identify and shut down a botnet to computers in some situations in order
It depends on whom you ask. The term used to conduct distributed denial-of- to disrupt attacks. The lawmakers called
has almost as many definitions as it service (DDoS) attacks.” It’s the verbs this active defense. The media called it
does citations. NATO defines active “responds” and “shut down” that make the “hack back bill.” What it would and
defense this way: “A proactive measure these instances of active defense. An would not allow became the subject of
for detecting or obtaining information example of passive defense, in contrast, hot debate. The idea that companies
as to a cyber intrusion, cyber attack, is an encryption system that renders could go into other people’s infected
or impending cyber operation or for communications or stored data useless computers wasn’t welcomed. Some
determining the origin of an operation to spies and thieves. savaged the bill. The technology blog
that involves launching a preemptive, network Engadget called it “smarmy and
preventive, or cyber counter-operation Is active defense only an information conceited” and observed, “When you
against the source.” security concept? try to make laws about hacking based
A solid working definition can be Not at all. Some argue that it dates on a child’s concept of ‘getting someone
found in Denning’s paper with Bradley back to The Art of War, in which Sun back,’ you’re getting very far and away
from making yourself secure. It’s like gotten malicious code onto government emotional issue,” he says. “You feel
trying to make gang warfare productive.” computers in the country of Georgia. violated, and you want to do something
The bill went through two iterations and The malware searched for documents about it.”
is currently stalled. using keywords such as “USA” and In a paper titled “Ethics of Hacking
“NATO,” which it then uploaded to a Back,” Cal Poly’s Patrick Lin captures
But is hacking back part of active drop server used by the hacker. The the sense of utter vulnerability that
defense? Georgian government responded could lead some to desire vigilante
Probably not. Lee says unequivocally, by planting spyware in a file named justice:
“Hacking back is absolutely not active “Georgian-NATO Agreement” on one
In cybersecurity, there’s a certain
defense. It’s probably illegal, and it’s of its compromised machines. The
sense of helplessness — you
probably not effective. We don’t have hacker’s malware dutifully found and
are mostly on your own. You are
evidence that attacking attackers uploaded the file to the drop server,
often the first and last line of
works.” Denning has a somewhat which the hacker then downloaded
defense for your information and
different take. “Hacking back is just to his own machine. The spyware
communications technologies;
one form of active defense,” she says. turned on the hacker’s webcam and
there is no equivalent of state-
“It might be used to gather intelligence sent incriminating files along with
protected borders, neighborhood
about the source of an intrusion to a snapshot of his face back to the
police patrols, and other public
determine attribution or what data Georgian government.
protections in cyberspace.
might have been stolen. If the attacker “Is that hacking back? I don’t think so.
For instance, if your computer
is identified, law enforcement might It was really through the hacker’s own
were hit by “ransomware” —
bring charges. If stolen data is found code and actions that he ended up with
malware that locks up your
on the intruder’s system, it might be spyware on his computer.”
system until you pay a fee to
deleted. Hacking back might also Note that the actions were taken by
extortionists — law enforcement
involve neutralizing or shutting down a government and occurred within its
would likely be unable to help
an attacking system so that it cannot “borders”; Georgia put the spyware on
you. The U.S. Federal Bureau
cause further damage.” its own computer. It did not traverse a
But Lee and Denning are defining the of Investigation (FBI) offers this
network to hit another system. It was
term differently. And Denning’s version guidance: “To be honest, we
the hacker’s action of illegally taking the
refers to actions undertaken with proper often advise people to just pay
file that triggered the surveillance.
authority by government entities. When the ransom,” according to Joseph
it comes to hacking back on the part If it’s probably illegal and ineffective, Bonavolonta, the Assistant Special
of businesses, the two experts are in why is hacking back getting so much Agent in Charge of the FBI’s
total agreement: Don’t do it. Denning press? CYBER and Counterintelligence
says, “Companies should not hack back. Companies are weary. “They are under Program.
The Department of Justice has advised constant attack and working so hard Do not expect a digital cavalry
victims of cyberattacks to refrain from and spending so much just to keep up, to come to your rescue in time.
any ‘attempt to access, damage, or and they can’t keep up,” Lee says. “This As online life moves at digital
impair another system that may appear is a moment when we’re looking for new speeds, law enforcement and
to be involved in the intrusion or attack.’ ideas. That’s why Bochman’s concept state responses are often too slow
The advice contends that ‘doing so of unplugging systems and not always to protect, prosecute, or deter
is likely illegal, under U.S. and some going right to the most efficient solution cyberattackers. To be sure, some
foreign laws, and could result in civil is starting to be heard. Hacking back prosecutions are happening but
and/or criminal liability.’” feels like another way to turn the tide. inconsistently and slowly. The
Cybersecurity loves a silver bullet, and major cases that make headlines
What’s an example of an aggressive this feels like one. CEOs are probably are conspicuously Unresolved,
form of active defense that some might thinking, ‘Nothing else has worked; let’s even if authorities confidently say
consider hacking back? fight.’” Lee has heard many business they know who did them.
Denning says, “One of my favorite leaders express these sentiments, What are the ethics of hacking back?
examples of active defense led to the especially if their companies have For the most part, experts say
exposure of a Russian hacker who had suffered damaging attacks. “This is an that hacking back without legal