One of the most repeated phrases in the war on terrorism is that we have to get it right 100% of the time, while the terrorists only have to get it right once. As then National Security Advisor, Condoleezza Rice put it this way in testimony before the 9/11 Commission:
“And let's remember that those charged with protecting us from attack have to be right 100 percent of the time. To inflict devastation on a massive scale, the terrorists only have to succeed once, and we know that they are trying every day.”
This is actually a rehash of a statement the Irish Republican Army made after a failed bombing attempt on the life of Prime Minister Margaret Thatcher. After the unsuccessful attack, the IRA left a taunting note saying “You have to be lucky all the time. We only have to be lucky once.”
That sentiment lives on today, especially when combating cyber threats. The thinking goes that a failure to stop every cyberattack means that someone failed in their job, and that cannot be tolerated.
We need to get something straight if we are going to deal honestly with the cyber threat: failure will occur. Attacks will succeed. Period.
Accepting that is the first step in honestly dealing with the cyber problem.
First, let’s be realistic: expecting cybersecurity perfection sets one up for bitter disappointment. The threat is simply too complex, too multifaceted, and too advanced to expect that cyberattackers can be thwarted every time. It is the equivalent of going through life and expecting never to catch a cold. At some point you will get sick, and the best thing you can do is try to minimize your exposure to viruses (pun intended) and get healthy as soon as you can.
Part of the reason we have to expect that some attacks will succeed is because the numbers do not work out in favor of potential cyber targets – tens if not hundreds of thousands of cyberattacks occur on a daily basis. The cost to conduct an attack is incredibly cheap. It only costs $2 per hour to take down a website through a distributed denial of service attack. Or, if you want to be incredibly devious, on the cyber black market you can purchase a custom crafted piece of malware starting at $5,000. That custom malware likely will not be detected by standard cyber security tools, making them that much more dangerous.
Heck, stories even abound about cyber criminals setting up “help desks” to help their customers better conduct illegal actions. In the face of those numbers, one can see why attacks are likely to succeed.
Second, we have to recognize and appreciate where many of these attacks originate from: nation-states. It is an open secret now that our enemies, ranging from the Chinese to the Iranians and even the North Koreans, devote resources of their military and intelligence networks into cyberattacks. And we are not talking about the kind of “attacks” alleged to have been conducted by the NSA or other branches of the U.S. government. Instead we are talking about foreign militaries, paramilitary organizations, and intelligence agencies using governmental funding and personnel to conduct economic espionage, as well as potential attacks on our critical infrastructure.
The unfortunate truth with such attacks is that the private sector is really in no position to completely defend against them. In fact, I would dare say it is unrealistic to expect the private sector to defend itself from such attacks. Put it this way: if the Chinese military launched a bombing run on an American factory, would we expect the factory owner to conduct a successful air defense campaign? Absolutely not. We would however, expect that the factory to have a plan to mitigate the damage and recover operations as quickly as possible.
Third, every company is stuck with the ultimate cyber-weakness: people. Careless, disgruntled, or malicious employees have the ability to conduct some of the most serious cyberattacks possible. They can covertly install malicious programming, fail to secure systems, fall for “spear-fishing” campaigns, or even secret away troves of sensitive or classified information. Arguably the most damaging cyberattack of all time was carried out by Edward Snowden, who was nothing more than an employee with an agenda and aura of self-righteousness. Since we all have to have employees who are allowed access to sensitive networks and information, ultimately the system will fail and an employee will cause a breach or allow an attack to succeed.
One could go on and on, but it is sufficient to say that companies have to prepare for failure. And they also have to understand that because failure is inevitable, it does not necessarily mean someone has “failed”. Rather at a certain point only so much can be done about cyberattacks, especially if the perpetrator is a nation-state. Beyond that, companies also have to recognize that not all breaches and attacks are created equal. A distributed denial of service attack that shuts down a website for a few hours is embarrassing, but not fatal by any measure. Similarly, if a piece of malware successfully penetrates a system but is quickly caught and mitigated, that should be viewed as a success.
When all is said and done, we have to restrain ourselves and our urge to blame someone every time a cyberattack succeeds. Instead, we need to determine what we can stop, what we can’t, and how best to triage an attack. If we can get to that point, we will be in a much stronger cybersecurity position as a country.
Brian E. Finch (@BrianEFinch) can be reached at firstname.lastname@example.org
Brian E. Finch (@brianefinch) is a partner at Pillsbury Winthrop Shaw Pittman LLP, where he focuses on cyber security issues. He can be reached at email@example.com.