If you follow cybersecurity issues you cannot have missed all the talk over the last few months about how businesses that have been victims of cyber attacks have grown “tired of playing defense.” If you didn’t know any better you’d think we were on the cusp of a new era where online bad guys were finally about to get what fer’.
Don’t bet on it.
Let’s set aside the substantial legal issues surrounding private institutions “hacking back” against those who hack them. Let’s instead look at what we know about private organizations and cyber defense, which is what they’ve been doing for the past few decades. Let me know if any of this sounds familiar:
- “Security is a cost center.”
- “My security budget is a fraction of a fraction of the IT budget, which is a token amount of what every revenue-producing business unit gets.”
- “No matter how much we spend on security, we still get breached and still have to pay for incident response, credit monitoring, etc.”
Security products and services are expensive and they don’t always work. Security is not a core element of any commercial enterprise, so it is not respected or invested in as much as just about anything else the business does. Good security – sound policies and practices that do not impede business functions – is exceedingly difficult. All of these things are true, understood and accepted by both the business and those they hire to defend them online, but somehow we are to believe that private enterprise is going to readily accept the additional cost and labor (and liability) associated with building and maintaining an OFFENSIVE cyber capability?
Companies do cyber defense because they have to. There are laws and regulations that mandate certain types of enterprises meet minimum compliance standards (reminder: compliance != security). If there were no such requirements how many businesses would do cyber defense? How many would spend as much as they do now? There is no “castle doctrine” for businesses online, but despite decades of evidence to the contrary, we’re to believe they’ll willingly and voluntarily accept the costs – and liabilities – of taking the fight to the enemy.
We have seen this before. Not on this scale, and not so public, but this “I’m not going to take it anymore/going to do what’s right” sentiment has been heard in board rooms across the country for years. It lasts about as long as it takes for the Corporate Counsel to discretely cough, raise his hand, and point out the legal nightmare associated with such activities. There is a reason why “wipe and rebuild” is the default setting to any breach of any scale: business exists to make profit, not find and prosecute bad guys.
To recap: Compliance is done begrudgingly; there is no business case for fighting back.
Now, I am an advocate for a different way forward as far as offensive activity in support of national interests are concerned, but I harbor no illusions that BigCo, Inc. is suddenly going to start kicking digital *** and taking names. Such an approach is in fact a terrible idea, if for no other reason that it simply makes BigCo a target for retribution. And as a reminder: there are lot more bad guys out there than there are good guys, and your cyber defenses can’t handle the onslaught you have to face before you started antagonizing them.