The Internet has delivered on its promise of social and economic progress. Unfortunately, it has also delivered unprecedented opportunities for scaling global conflict, terrorism, criminal activity, state and industrial espionage and vandalism. These risks continue to expand.
Cybersecurity is a multidimensional problem that transcends the risk management and response capabilities of any single enterprise, industry, or sector. No enterprise, industry or sector has an answer or even a claim to superiority regarding cybersecurity threats. There is a simple operational premise that informs expert thinking about our exposure to the risks of cyber-attacks. "If you can imagine it, they can do it. And even if you can't imagine it, they have -- and are working on it."
The costs of cyber attacks--financial, legal and reputational--for organizations, businesses, and government agencies are growing at an alarming rate. The consensus annual cost of cyber-attacks to the global economy is around $445 billion. Even the most sophisticated enterprises know that it is not a matter of "if" they will be hit, but when and how bad. This means our money, intellectual property, private communications, market-sensitive data, and identities remain at constant risk.
To paraphrase FBI Director James Comey:
"There are only 2 kinds of companies left in the world--those that have been hacked and those that don't yet know they've been hacked. No one is safe. Unfortunately, there is no simple fix --no app for that--not even adequate insurance."
The fact of the matter is that the solution to the problem of growing cyber threats is not simply a technology "patch". Cybersecurity has never really been a technology question to begin with. Technology and its digital portals are simply the newest conduits for a widening range of individual, group and state-sponsored actors seeking the familiar criminal and geopolitical ends of theft, fraud, espionage, extortion and destruction. Playing only defense against the sources of cyber threats has proven to be an expensive zero-sum game of Whack-a-Mole.
In today's highly competitive global economy, it is not realistic to expect companies to stand idly by while their business interests are attacked and their resources are drained. Corporations may legally take defensive protective measures provided they are strictly defensive--and, hence, do not violate existing international or domestic law. These measures may also include remediation tools such as disinformation and so-called "honeypots" (decoy systems deliberately exposed so that an intruder's activity against them can be observed and contained without harming production assets).
It must be reiterated, however, that a corporation has to take great care in conducting cyber operations, as the law clearly does not allow a company to initiate cyber hostilities. As most corporate lawyers lack the technical aptitude to properly attribute a cyber incident or to understand the appropriate response, their advice in the face of hostilities should err on the side of caution. Given the legal restraints, the best and default response to cyber hostilities is for a corporation to contact the government to respond on its behalf.
Of course this requires a strong partnership between the government and the private sector. Unfortunately, in the United States this partnership is in its infancy and is complicated by a host of problems including: distrust between the private and public sector, corporate reputational concerns, potential liability caused by a cyber incident, and sensitivity of operating in a global economy. This set of difficulties incentivizes both public and private actors to look only after their own interests, withhold critical information, and make decisions without consultation. As a result, the response to any cyber hostilities typically leaves the victimized corporation damaged, unsatisfied, and frustrated. See, e.g., Devlin Barrett & Danny Yadron, Sony, U.S. Agencies Fumbled After Hacking, WALL ST. J., Feb. 23, 2015, at B1.
The government is aware of this problem and has taken steps to better coordinate a response to hostile cyber activities, while simultaneously promoting information sharing between the public and private sectors. Already, we have witnessed the beginnings of a potential "game-changer". Although exact details have yet to be revealed, the U.S. government has signaled a willingness to consider offensive counter-measures against a state or state-sponsored actor (as was the case with Sony), terrorist group, or other threat to industry and infrastructure. On February 25, 2015 the Director of National Intelligence, as ordered by the President, established the Cyber Threat Intelligence Integration Center (CTIIC). See Fact Sheet: Cyber Threat Intelligence Integration Center, whitehouse.gov (Feb. 25, 2015). The CTIIC, intended to be "a national intelligence center focused on 'connecting the dots' regarding malicious foreign cyber threats to the nation and cyber incidents affecting U.S. national interests," has the mission of assisting "relevant departments and agencies in their efforts to identify, investigate, and mitigate those threats." Id. Additionally, on February 13, 2015 the President issued an Executive Order to promote private sector cybersecurity cooperation by authorizing greater intelligence sharing while protecting business confidentiality. See Executive Order--Promoting Private Sector Cybersecurity Information Sharing, Feb. 13, 2015.
While these efforts are a significant step in the right direction, there is far more that needs to be done in responding to the ever-growing cyber threat to corporations.
Cybercrime remains a "virtually" perfect crime and act of war. It is low risk and high reward. It is agile, cheap and remotely scalable. It constantly evolves as technology evolves such that law enforcement officials wind up responding to outdated threats. Victims have little or no recourse. Cybercrime in many ways does not fit within our current legal and law enforcement framework for domestic and international crime. Laws, courts, treaties and international boundaries have little efficacy in limiting cyber tactics, weapons and the targeting of civilians. Easily disguised and launched from safe havens, cybercrime carries little risk of detection, prevention, apprehension or punishment. With so much to gain and so little to lose, why stop?
A robust public-private cyber partnership is needed--one that will consider more radical ideas. For example, a corporation that is the victim of a cyber incident must feel comfortable disclosing information to the government. On the other hand, a corporation that shares information with the government may, through that disclosure, face irreparable damage to its reputation and immense present or future customer claims. Only by creating a confidential reporting mechanism coupled with limits on financial liability will corporations be willing to openly report a cyber incident.
One possibility is to adopt a regulatory regime similar to that imposed on financial institutions following the passage of the Patriot Act. Currently, a financial institution must notify the Financial Crimes Enforcement Network (FinCEN) of any transactions suggestive of criminal behavior, money laundering, or terrorist financing by filing a suspicious activity report (SAR). See The SAR Activity Review, By the Numbers, 8 FINCEN (June 2007). To encourage this reporting, the Bank Secrecy Act (BSA) was instituted to prohibit "financial institutions from disclosing the contents of a SAR or even its existence." See 31 U.S.C. §5318(g)(2)(A)(i). Other banking regulations provide a "safe harbor" and "expand this confidentiality privilege and shield financial institutions from liability for reporting such activity." 12 C.F.R. §21.11(k) and 31 U.S.C. §5318(g)(3).
By shielding SAR reporting activity from "discovery in civil litigation" and limiting the financial liability of a corporation that reports suspicious activity, information sharing dramatically increased between financial institutions and regulators. This regulatory model is useful for those interested in increasing public-private information sharing involving cyber incidents as corporations have the same concerns as financial institutions when they file a SAR.
Another possibility is to expand the powers of the Foreign Intelligence Surveillance Court (or FISC) to allow companies to petition for a government response to cyber offenses committed against their interests. Presently in the United States the FISC is responsible for issuing warrants for domestic surveillance of suspected foreign operatives in the United States. See Foreign Intelligence Surveillance Court, ALLGOV.com.
But imagine a scenario whereby an American corporation in the aerospace industry is hacked and all investigations point to the responsible party being an agent of a sovereign nation. While the corporation may be able to recover fiscally through insurance policies, the damage caused by the hack to the company may be of permanent significance. Currently, there are few options for the victimized corporation. But with an expansion of the FISC, the aggrieved corporation would be able to petition a government body for redress. The government body, acting on behalf of the corporation, would make a special appeal for emergency action. If the expanded FISC agreed that action was necessary, the government actor would be permitted to take action against the sovereign nation with impunity. One possible variant of this idea would be to create a stand-alone cyber court to provide judicial oversight of the response rather than adding cyber jurisdiction to the FISC.
These two relatively unexplored recommendations are not intended to be a panacea for the corporate cyber problem but rather illuminate the need for creativity in developing a response strategy. It will take unorthodox solutions to remove the disincentives currently inhibiting the public-private partnership. Yet, the importance of enhancing this public-private partnership cannot be overstated and is of utmost importance for both corporations and the national security of the United States. Neither corporations nor the government can afford to remain static as the speed and ferocity of cyber hostilities, in particular those launched by state actors against private companies, are the new normal. Former U.S. Secretary of Defense Leon Panetta succinctly summarized both the opportunities and threats created by the increased dependence on cyber operations when he stated in New York City on October 12, 2012 to the Business Executive for National Security:
Cyberspace is the new frontier, full of possibilities to advance security and prosperity in the 21st century. And yet, with these possibilities, also come new perils and new dangers. The Internet is open. It's highly accessible, as it should be. But that also presents a new terrain for warfare. It is a battlefield of the future where adversaries can seek to do harm to our country, to our economy, and to our citizens. But the even greater danger -- the greater danger facing us in cyberspace goes beyond crime and it goes beyond harassment. A cyber attack perpetrated by nation states [or] violent extremist groups could be as destructive as the terrorist attack on 9/11. Such a destructive cyber-terrorist attack could virtually paralyze the nation.
While the importance of cyberspace is obvious, the sobering truth is that the cyber hostilities discussed by Mr. Panetta are now a reality. This could not be more clearly demonstrated than by the actions of North Koreans against Sony or the attack upon the U.S. Office of Personnel Management (OPM).
It is time to stop reacting to these attacks and instead proactively develop a comprehensive response strategy built upon a corporate-government partnership.
David N. Lawrence is the founder of the Risk Assistance and Network+Exchange (RANE) and former Associate General Counsel and Managing Director at Goldman Sachs. Previously, he held various senior positions with the U.S. Attorney's Office, S.D.N.Y.
Daniel B. Garrie is the founder of Law & Forensics, a global consulting firm, and an adjunct Professor of Law at Rutgers School of Law and Cardozo School of Law. He is also an active investor and sits on the advisory board for a number of different companies, including Get.it, Eccentex, and Bounce Exchange.