The year 2019 has been another dreadful period for cyberattacks. The most notorious lowlights include:
—More than 40 municipalities, including Baltimore, Albany and 22 cities in Texas alone, have seen their computer systems crippled by ransomware attackers demanding millions of dollars.
—In one of the largest data breaches ever, a hacker broke into a Capital One server with a misconfigured firewall and gained access to more than 100 million customer accounts.
—And, in the continuing saga of another massive breach, the Federal Trade Commission ordered Equifax to pay as much as $700 million to settle federal and state claims that the credit reporting company’s failure to take proper security steps led to a data breach in 2017 that affected 147 million people.
Year after year of these devastating attacks has led to a new wrinkle in trying to combat them: suggestions that the best defense might be a good offense—pre-emptive attacks by a country or company to deter hackers.
Reps. Tom Graves, R-Ga., and Josh Gottheimer, D-N.J., reintroduced legislation earlier this year that would amend the 1986 Computer Fraud and Abuse Act to allow “hacking back.” This means companies could, in the name of “active defense,” access computers that don’t belong to them to disrupt incursions, retrieve stolen files, and monitor attackers’ behavior. There also are reports that the US government has been using similar tactics against Russia and Iran.
Is this legislation a good idea? No. While I’m hesitant to opine on such measures in a national defense context, I believe generally that “hacking back”—especially in the private sector—is a bad idea, for several reasons:
It feels like a junior high school tactic that escalates rather than de-escalates. Most companies are struggling hard enough to attract and retain the skilled professionals they need to defend their own systems, let alone launch incursions into others. Trying to find who’s behind a cyberattack is a job better left to the authorities, not individual companies.
I’m concerned that all this new attention to these methods could distract the nation from the hard work that needs to be done to shore up our cyber defenses.
Cybercrime will cost companies $5.2 trillion over the next five years, according to a recent report by Accenture. Among 1,700 C-suite executives surveyed by the consulting firm, four out of five said they believe “the advancement of the digital economy will be severely hindered unless there is dramatic improvement to internet security.”
The truth is, cybercriminals are becoming more sophisticated, and internet security is struggling to keep up. In light of digitization’s nearly incalculable effect on the economy and how we work, shop, and socialize, the internet’s instability from a security standpoint is one of the world’s most pressing issues.
Are we truly attacking the issue with the extreme urgency it deserves?
I have doubts. It’s folly, for example, to talk about spending billions on a wall at the US-Mexico border when we need better barriers against cybercriminals. And while I’m as strong a believer in the nation’s military preparedness as the next guy, I don’t understand why we still prioritize traditional defense spending over stronger cybersecurity protection in a world where hostile governments are increasingly projecting power through cyberattacks rather than direct military strikes.
I worry it will take a “cyber 9/11”—a catastrophic scenario such as a takedown of the nation’s financial system or a major power grid—to push cybersecurity to the top of society’s agenda. It of course should not come to that. We need to be proactive, not reactive. And now.
To be sure, the cyber threat is complex—composed of a disjointed, worldwide amalgam of individual hackers, crime organizations, and nation-states. However, the difficulty of the challenge should not obscure the necessity for a cohesive, more vigorous, multi-pronged strategy to stay ahead of attacks.
As Albert Einstein said, “the definition of insanity is doing the same thing over and over and expecting different results.” The status quo clearly isn’t working. Here are four things we could be doing better right now:
Close the cybersecurity skills gap. The shortage of cybersecurity professionals is an industry crisis and its No. 1 problem. Research by (ISC)², an IT security professional organization, estimates the deficit at just under 3 million workers worldwide, with about 500,000 of those positions in North America. As cyber threats keep multiplying, we need an army of new experts to deal with them.
But how? As with so many problems, money is seldom the only solution, but it sure can help. The government could funnel more dollars to universities to develop specialized cybersecurity training programs, and incentivize more young people to go into the field through no-interest college loans or even free tuition.
Though the Trump administration’s body of work in cyber defense has often struck me more as lip service than substantive action, a May 2 executive order was on target by calling for the creation of a rotational program that will “serve as a mechanism for knowledge transfer” across agencies. The private sector would do well to emulate this idea with similar skills development schemes inside companies.
Finally, every company should become more flexible in its hiring, abandoning the idea that a cybersecurity position requires a four-year degree. Hands-on experience through internships and coding camps is more important than a piece of paper.