[BreachExchange] Stop victim shaming in cyber attacks

[Audrey McNeil]

http://opensources.info/stop-victim-shaming-in-cyber-attacks-2/

Imagine if your neighborhood grocery store welcomed you with a fortified
perimeter—barbed wire, tanks and guard towers loomed tall while helicopters
and fighter planes scream overhead.  The idea that every business would
deploy a private army to defend its physical perimeter is, of course, a
ridiculous one. But that is precisely what is expected of businesses today
in the cyber arena.

Large U.S. businesses are probed by malicious actors all of the time.
Employees receive fake emails that look like they are sent by their banks
or their bosses, but actually contain malware. All the while, nation state
actors are increasingly stealing credentials from employees in order to
obtain trade secrets and intellectual property from U.S. companies.

Defending the American people and economy from hostile state or
state-sponsored actors is critical for both economic and national security
reasons. However, while our state and federal law enforcement agencies
vigorously protect people from criminals and assist victims of crimes,
companies that publicly disclose that they have been the victim of a
cybercrime are not treated like a typical victim by federal and state
regulators. Instead, they are investigated by numerous agencies, including
the Federal Trade Commission, the State Attorneys General, and the Security
and Exchange Commission,while often simultaneously sued by consumers,
business customers, and shareholders. In the face of the onslaught of cyber
threats, U.S. companies are charged with defending themselves in cyberspace
or facing legal liability. How did we arrive at holding those victimized by
a cybercrime liable for the damage inflicted upon them?

In the aftermath of a data security breach—unlike physical assaults or
property crimes—a company is likely to be treated as a suspect, not a
victim. Federal and state regulators not only examine how the company
responded to the attack, but they engage in a full review of its entire
data security infrastructure and approach, often dating back to years prior
to the inciting incident.  Rather than focusing on what the attackers stole
and working to find the stolen property and determine how the company can
protect itself, the aftermath of a breach sees companies forced to explain
whether they had enough “armed guards.” The investigations by enforcement
authorities can last for two to three years,costing a company millions of
dollars in the process and an untold amount of management attention spent
defending their existing data security practices. Thus, when the company
should be focusing on remedying any damage done by the attacker and working
to protect those who have been impacted by the assault, it instead must
spend countless hours, money, and resources defending its data security
practices and explaining away its status as a victim.

The basic legal requirement that companies must have “reasonable” security
is enforced by State Attorneys General and the Federal Trade Commission, as
well as other federal regulators and private litigants.In other words, a
company is expected to protect its business and customers against the types
of basic, foreseeable threats that can be reasonably managed by an
enterprise. But what is reasonable in the face of a foreign nation state
actor?

While regulators insist that all that is required is “reasonable” security
to combat reasonably foreseeable threats, their expectations have increased
as attacks have evolved. It was one thing when using passwords, basic
encryption, and Internet firewalls would stymie all but the best attackers,
and were effectively the equivalent of the store security guard. Today,
“reasonableness” rests on a faulty premise that each company can defend
itself on its own. No one expects a small town in the Midwest to be able to
defend itself against the army of another country, so why do we expect a
company to able to defend itself against national state cyber attackers?
What percentage of revenue is it reasonable for a company to spend to
defend itself? How many people should a small company be expected to employ
to run the network infrastructure in order to protect itself?  Given that
the federal and state governments seem unable to protect the information
they hold despite vastly greater resources and insight, why are companies
expected to do this on their own?  Companies are justifiably starting to
ask, “why isn’t my government protecting me?”

This approach by regulators fails to account for the increasing
sophistication and organized, strategic approach taken by the malicious
cyber attackers. Cyberattacks come in many forms — the attackers may be an
arm of a national government or a state-sponsored group, they may have the
encouragement or implicit support of a regime, or they may merely be
organized criminal hacking rings. The targets and modus operandi vary as
much as the threat actors. They include apparent cyber-espionage efforts
such as the theft of sensitive personal information held by U.S. government
agencies; stealing financial information (such as credit card numbers) held
by major retailers, restaurant chains, or hotels; theft of trade secrets
and intellectual property in order to gain an economic advantage; seeking
to embarrass or cripple an organization that shares a different ideology or
has offended a state actor; disrupting business operations by wrecking
enterprise computing networks; stealing or leaking sensitive operational
information; and even holding companies “hostage” for ransom.

Defending against these sophisticated threats requires dedicated efforts
and skilled personnel, significant funding, carefully designed networks and
controls, the deployment of sophisticated technologies, and the expertise
to govern these various threads together in an effective manner.  As the
reports regarding breaches in the last few years indicate, in spite of
formidable efforts and a thriving private cyber defense sector, both the
U.S. public and private sectors continue to be victimized.

Unlike regulators and litigants, we have seen a dramatic shift by federal
law enforcement in its efforts to stop re-victimizing the victim of a
cybercrime. In the past year, the FBI, Secret Service, and the Department
of Justice have made enormous strides in working with companies to share
information and gently gather the information they need to prosecute
malicious actors. Perhaps this is because federal law enforcement truly
understands what we are up against and the imperative that we work together
to stop the cyber criminals.

Regulators, however, fail to understand that the aftermath of a breach is a
tremendously chaotic, disruptive time for a company. The company may be
trying to stop or understand the nature of the attack (often with the
assistance of, or in coordination with, law enforcement agencies), trying
to reassure staff and customers, or simply trying to get the business up
and running again.  Being a suspect at the same time— meaning having to
respond to regulatory inquiries and deal with the threat of litigation or
stiff penalties—has deleterious effects. It is not only distracting, but it
curbs the willingness of companies to share information with law
enforcement.

Ironically, companies that know that they have been attacked and have
sufficiently sophisticated systems to detect a breach are likely the
companies with the best security. Thus, when regulators commence
enforcement actions based on a publicly announced breach, they are
typically investigating the companies that have the best security and the
best systems for identifying a problem.  Thus the regulators are going
after the wrong targets. This second guessing by regulators as to a
company’s security practices following a cyber attack creates an
adversarial relationship between the private companies and the government,
which is charged with protecting the nation and its citizens from criminals
and hostile nations, at exactly the time when companies should be able to
rely on the government for support and when the information that the
companies have is of most use to law enforcement.

While there is a lot that businesses can do to make it harder for hackers,
we are losing ground in cyberspace as a nation, and the spate of hacking
cannot be ended by regulatory changes or press releases reminding companies
of the importance of implementing good security practices.  Sophisticated
hackers abound—elite, dedicated teams that exist solely to wreak havoc to
further criminal, economic, political, or military strategic objectives.
The notion that it is reasonable for every company to successfully defend
itself from sophisticated cyber attacks is outdated and unhelpful.  Just
because a company has been the victim of a cyberattack does not mean that
it has unreasonable security per se. It means it was a victim. Enforcement
authorities in the United States should follow the lead of the FBI and the
Secret Service and treat companies that have experienced such breaches as
victims rather than suspects. Our only hope of stopping  cyber attackers is
if companies, law enforcement, and regulators work together effectively,
rather than passing around blame.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20160916/743f4b02/attachment.html>