Burning Down the House: Why is a Cyber Attack Different from a Fire Under the Law?

This article was written by Daniel B. Garrie and Richard Borden.

You are sitting at your desk and the fire alarm goes off. At first, you are annoyed at the latest interruption, but then someone comes on the speaker and says that there is smoke in the building and that everyone must go to their location of safety. You walk out of your office, and you see people moving towards individuals with red hats, pointing towards the stairwell that you forgot existed. People are moving quickly, but with purpose. You recall the drill you were forced to do a few months ago. At the entrance to the stairwell, another person with a red hat, Judy, the receptionist, is standing with a chart and tells everyone that they should continue downstairs, leave through the door on the B Level, and walk to parking lot C across the street. You smell some smoke in the stairwell, but everyone is moving steadily towards the exit. When you leave the building, there is another person with a red hat, Steve, from accounting. He points to parking lot C and makes sure that everyone is going there. At the parking lot, Joe, from a department you can't recall, is checking people in against a list of people who had swiped into the building that morning. You turn around and look at the building. You see flames on the floor above yours, and water from sprinklers on the windows. The fire trucks are arriving and the firemen are pouring out and moving inside with purpose. You see the captain at one of the trucks with a blueprint of the building. The police have arrived, along with the ambulances. Hopefully, no one was injured. You know that anything that was damaged by the fire will be covered by insurance. Even the interruption in your business is covered. Joe is calling out names from the list. 4 people are unaccounted for. You see 2 people being brought out on stretchers and two others being escorted to the ambulances. You hope that they are okay.

You are sitting at your desk and the screen goes blank. Then a skull and crossbones comes on the screen, along with something that says that your company's information will be destroyed unless a ransom is paid. You get up and walk out of your office and see people looking at their screens, confused. People are milling about, asking each other what is happening. You go back in your office and pick up the phone to call IT. The phone is silent. No dial tone, and you can't call anyone inside or outside. You were working on some very important, and highly confidential, materials for a client. There is an announcement on the loudspeaker with someone yelling for everyone to turn off their computers immediately. Then, there is silence. You press the power button on your computer and walk out of your office again. There is no one there to provide guidance. You have no idea what is happening. A few hours later, you are sitting with some colleagues in the Starbucks across the street. The badge scanners aren't working, so no one is allowed back in the building. Suddenly, someone at another table shouts something. All you hear is "No!!" Everyone crowds around the table. One of your friends is staring at her laptop. "They have my information. I haven't even told my husband yet." She is crying. By now, everyone knows that she was diagnosed with breast cancer two days ago. Everything freezes. Your sight dims. You were just diagnosed with esophageal cancer yesterday. Your wife knows, but your kids don't. Does everyone in the world now know? What else do they know? You sit down and listen to the babble in the room, but outside, the building is quiet. There are no lights flashing on top of emergency vehicles. There is no one there to help the injured.

Why are these situations so different? In the case of the fire, someone could have set the fire, or it could have been an accident, but that doesn't matter. There are regulations that cover fire safety, at the Federal and State level. The US Department of Labor's Occupational Safety & Health Administration (OSHA) has hundreds of pages of regulations and best practices, which have been adopted by and coordinated with state agencies. 28 States have OSHA-approved State health and safety plans. There is infrastructure at the Federal, State and local levels to address fires of different sizes. There are company policies that designate people to be responders within the organization, to make sure that everyone is safe and accounted for and that the rules for responding to the fire emergency are followed. The regulations, and the concern for the safety of employees and visitors, require companies to have plans and to test them regularly. There is a 911 system for contacting the authorities, so that they respond immediately, with the proper information and with the resources necessary to protect the people, the building, and the company. The insurance company is at the ready to respond to the loss and even to assist in the recovery. Fire insurance is required by regulation, by lenders, or by just plain common sense.

A cyber incident is no less dangerous than a fire. Yet it is treated by the government, companies and individuals as if it did not pose the same risks. This is a dangerous proposition, and one that needs to change. In the same way that a fire poses a threat to assets and individuals, cyber events can damage a company or a person in ways that may be difficult, or even impossible, to fully recover from. Some types of cyber attacks, against dams or electrical utilities for example, may result in property damage, or even physical injury or loss of life.

When a cyber attack occurs, there is no 911 system. The government does not respond to put the fire out. There may be some assistance in determining where the attack, if it was an attack, came from. However, companies are on their own in trying to beat the attack. Even worse, it is against Federal law for a company or individual to take many actions that would stop the attack while it is going on. There isn't clear guidance or regulation on what is required to prevent a cyber incident.

Companies must face the fact that in cyber, they have to pull together on their own all of the pieces that are a routine part of a fire situation. This requires trained technical talent, lawyers who understand the technical, legal, and risk aspects of protecting against and responding to cyber attacks, consultants who can help plan both the protection and the response, and insurance that provides the same types of protection as other casualty insurance. Modern companies facing cyber attacks do not have the structure and support that the country and the community have devoted to fire prevention and response. As a society, we need to reconsider this model.