Opinion: After high-profile hacks, it's time for a bolder approach to cybersecurity

Among the lessons from the Sony hack was that conventional cybersecurity measures don't always stop intruders. What more corporations need to apply is an active defense to better understand and stop future threats. 

The cybersecurity firm FireEye said the Sony hack shows that corporations can't afford to wait for attacks, but they have to "take a lean-forward approach that actively hunts for new and unseen threats."


February 27, 2015

In the wake of the Sony Pictures hack, the cybersecurity firm FireEye demonstrated that the sort of breach that Sony experienced is not likely preventable with conventional network defenses.

Instead, the firm noted that “organizations must consider a new approach to securing their IT assets ... [they] can’t afford to passively wait for attacks. Instead, they should take a lean-forward approach that actively hunts for new and unseen threats.”

But what constitutes a "lean-forward" approach to cybersecurity, and why are more organizations not already taking one?


The emerging field of proactive cybersecurity is complex, encompassing a range of activities also referred to as “active defense.” While “hacking back” – or using technology to pursue culprits, retrieve stolen data, and potentially even shut down the bad guys – is a point of contention when discussing the role of private sector defense, it is one that more firms seem to be considering despite the legal consequences of breaking into other networks.

Still, it's just one facet of the larger proactive cybersecurity movement, which includes technological best practices ranging from real-time analytics to cybersecurity audits promoting built-in resilience.

To gain insights into commonly accepted and utilized means of proactive security, my coauthors (Amanda Craig, senior cybersecurity strategist at Microsoft, and Prof. Janine Hiller at Virginia Tech) and I reviewed the descriptions of 27 cybersecurity products offered by 22 firms.

Some of our findings confirmed our expectations. For example, all but one of the surveyed firms (96 percent) offer cybersecurity auditing services, which is perhaps partly in response to the growing importance of the cyber-risk insurance industry.

More surprising, though, were the relatively few companies that offer mobile security products or services designed to counter insider threats, even though the latter is deemed to be up to 20 percent of the overall threat.


“Amidst all the concern and discussion over foreign hacking, what gets lost is the fact that the vast majority of serious breaches involving trade secrets or other proprietary or classified information are still being committed by insiders,” says Michael DuBose, head of cyber investigations at Kroll Advisory Solutions and former chief of computer crime at the US Department of Justice. 

These data provide only a snapshot of the rapidly evolving proactive cybersecurity industry, but they do underscore that firms have developed a range of proactive products and services designed to better safeguard their customers from cyberthreats.

The prevalence of advanced detection systems, data mining, and analytics products implies that the private sector is undertaking innovative measures based on big data to understand future vulnerabilities, aggregating information to thwart attacks. Hack back is just the tip of the iceberg.

So far, many regulators have been relatively slow to catch on to the trend toward proactive cybersecurity. US laws such as the Computer Fraud and Abuse Act, a dated instrument that criminalizes the unauthorized access of computer systems, may be compared to similar laws in other nations. Every G8 nation, for example, has a law on the books that regulates “unauthorized access” to a greater or lesser extent.

More recent efforts, though, such as the NIST Cybersecurity Framework, which emphasizes measures related to proactive cybersecurity, could help to encourage private firms to become market leaders in identifying and spreading proactive cybersecurity best practices. President Obama’s recent announcement of new information sharing mechanisms may help spur such diffusion.

Over time, as more private actors "lean forward" and embrace proactive cybersecurity, new industry norms could emerge. For instance, more stakeholders could engage in collective proactive cybersecurity measures.

One example of this is Operation SMN, during which a group of private firms engaged in “the first ever-private sponsored interdiction against a sophisticated state sponsored advanced threat group” allegedly based in China. Ultimately, the group was able to detect and mitigate the damage to some 43,000 infected systems. This experience could be leveraged to help generate positive network effects and encourage more firms to proactively participate in such endeavors.

Ultimately, it is critical for firms to move beyond reactive postures and take an active role in securing their systems. With Sony joining the list of Target, Home Depot, and JPMorgan Chase, to name just a few of the cyber attacks in 2014, resulting in more than a half billion total records stolen, the time is ripe for more firms to take a proactive stance.

Yet just 13 percent of respondents to a 2012 PwC survey measured and reviewed their cybersecurity policies annually, had “an overall information security strategy in place[,]” analyzed the types of cyberattacks hitting their networks, and had a CISO or equivalent reporting to “the top of the house.”

Changing this state of affairs involves leveraging tools such as cybersecurity analytics, compiling comprehensive enterprise risk management schemes that include cyber, and conducting regular audits and penetration testing to double-check preparedness, among much else. There’s also a lot of low-hanging fruit out there.

The Australian government, for example, has reportedly experienced an 85 percent decrease in successful attacks by taking three simple steps that also have salience to firms: (1) application whitelisting (i.e., creating a list of preapproved applications); (2) automating application/operating system patching; and (3) minimizing local admin privileges.

Cybersecurity doesn’t have to be rocket science. Just computer science.

Scott Shackelford serves on the faculty of Indiana University where he teaches cybersecurity law and policy, sustainability, and international business law among other courses. He is also a senior fellow at the Center for Applied Cybersecurity Research, a National Fellow at Stanford University’s Hoover Institution, and a term member of the Council on Foreign Relations.

The full paper on proactive cybersecurity from Shackelford, Amanda Craig, and Janine Hiller can be found here.