Hacker attacks such as the one on Hollywood Presbyterian Medical Center show how easily digital platforms can be turned against organizations, but taking 10 steps can augment security, write RANE founder David Lawrence and his co-authors in this opinion piece.
Imagine you are admitted to a hospital for treatment of a serious but treatable illness, and then your records are stolen. The medical staff is now at a complete loss about your care. While the doctors are scrambling to figure out what to do, they soon realize that all the hospital’s records are missing and that someone is demanding that the hospital pay a ransom in exchange for their release. Now imagine further that the hospital has no alternative but to pay the demand (in Bitcoins) in order to ensure the safety of its patients.
One has to look no further than the recent attack on Hollywood Presbyterian Medical Center and other headlines to realize how quickly and easily our digital platforms can be used against us. While the Internet has delivered on its promise of global access and efficiency, it also accelerates and scales the darker forms of human activity — theft, fraud, extortion, blackmail, espionage (state and corporate), terrorism, insider trading, property destruction and criminal mischief. Soon, the Internet of Things (IoT) will even more seamlessly connect our devices to everything we need — as well as everything we need to fear.
As we continue to learn, the Internet was built for connectivity and speed — not security and protection. For criminals, rogue states and mischievous actors, the digital world has become the “promised land” — low risk and high reward — offering a borderless reach, assured anonymity and defenseless victims who are not allowed to fight back.
“One has to look no further than the recent attack on Hollywood Presbyterian Medical Center and other headlines to realize how quickly and easily our digital platforms can be used against us.”
Foreign governments, state-sponsored actors, criminals, terrorists and lone actors are increasingly targeting our data systems and information networks. The finances, trade secrets and operations of our enterprises, as well as the identities and privacy of our citizens, are at constant risk. President Obama addressed the urgency and ubiquity of this security crisis in his recent Wall Street Journal op-ed.
Networks that control critical corporate and governmental infrastructure (power grids, manufacturing plants, and communications, health and transportation systems) are being probed for vulnerabilities with an eye toward future infiltration and disruption. The federal government — as well as our leading military and law enforcement agencies — have been repeatedly targeted by cyber criminals, including the intrusion last year into the Office of Personnel Management when the personal information of millions of current and former federal employees was stolen. Hackers in China and Russia are targeting U.S. defense contractors. North Korea’s alleged cyberattack on Sony Pictures in 2014 destroyed data, disabled thousands of computers and disrupted the executive suite. Distributed denial of service attacks have been launched against governmental agencies, the media, utilities, banks, hospitals and manufacturing firms, just to name a few.
With more than 100 million Americans’ personal data compromised in recent years — including credit-card information and medical records — it is no surprise that nine out of 10 Americans say they feel they have lost control of their personal information. These cyber-threats are among the most urgent risk to America’s economic and national security and the personal safety of its citizens.
As America’s cyber adversaries have grown more sophisticated and active — emboldened by their successes and the absence of consequences — the need to be proactive, nimble and resilient has increased. In this environment, it is easy for even the most sophisticated enterprises to feel overwhelmed. The federal government, which is obligated to protect the information provided to it by the American people, has a unique responsibility to lead. The fact is, though, that even the U.S. government does not have in place all the tools it needs, and in many areas it lacks safeguards that many businesses require.
Sharing Knowledge Matters
In cyber risk management, because information systems are, by design, interactive and interconnected, and threats come from a wide variety of sources, knowledge sharing is essential. Lessons can be learned from both our successes and failures, so it is essential to share our hard-earned collective wisdom. When it comes to the risks of cyberattacks, we are all in this together.
“For criminals, rogue states and mischievous actors, the digital world has become the ‘promised land.’”
Recognizing the magnitude of shared cyber exposures, President Obama recently announced the formation of a bipartisan Commission on Enhancing National Cybersecurity to focus on long-term solutions. It will be composed of top business, strategic and technology experts from inside and outside the government, and provide specific recommendations for bolstering cybersecurity awareness and protections across the public and private sectors over the next decade. (In June 2015, we shared the idea for the formation of such a commission in Knowledge@Wharton in an opinion piece titled, “We Don’t Need a Crisis to Act Unitedly Against Cyber Threats.”) While this is a significant step towards recognizing and responding to our exposures, the Commission’s first report is not expected until December 2016.
Fortunately, in the interim, there are proven and common sense steps that can be taken immediately. These “commandments” are presented below. As a caveat to the ‘Ten Commandments’ of cybersecurity, we remind our readers of the Mel Brooks movie A History of the World, Part I, where Brooks plays Moses. He returns from Mount Sinai with three tablets and announces: “I give you the Fifteen Commandments,” but then accidentally drops and shatters one of the stones. He quickly recovers and re-announces “The Ten Commandments.” Already, we are aware of important and emerging “commandments” that will need to be shared in the future.
In this vein — because no single sector, industry, enterprise or individual can have all the answers — we invite your continued thoughts and suggestions about a problem that must be addressed, collectively and collaboratively, before it grows to Biblical proportions.
- Develop and Practice Strong Cyber Hygiene
- Conduct full background checks of personnel to mitigate “insider” threats.
- Implement robust passwords or other advanced means of multi-factor authentication.
- Ensure security of computing and communication devices, especially when traveling abroad.
- Train employees on email etiquette and “spear-phishing” schemes.
- Keep personnel up-to-date as to relevant incidents, causes and consequences.
- Increase and demonstrate cybersecurity common sense as part of performance reviews.
- Utilize surveillance and malware detection and “detonation” software.
- Assess the security needs for encrypted phones, laptops and smart devices.
- Know and Secure Vendors’ Networks
- Limit access in accordance to need.
- Conduct diligence on the backgrounds of vendors with access. Enterprise security is only as strong as its weakest link.
- Review existing contract language. Understand vendors’ cybersecurity protocols.
- Contractually bind vendors to security standards and protocols.
- Identify, rank, engage and audit third-party vendors in accordance with geography and business importance. Vendors must be willing to partner in maintaining your security.
- Require vendors that provide critical data to disclose cyber incidents within 72 hours of occurrence.
- Identify and Protect the “Crown Jewels”
- Identify and separately protect critical data and systems (such as customer data, IP, business strategy, market sensitive information and internal communications).
- Verify and update processes with business stakeholders, including the C-suite and board.
- Implement and regularly update appropriate controls, systems and processes to protect systems.
- Verify, validate and regularly test security systems to ensure the continued protection of critical data in the most effective manner.
- Practice Your Incident-Response Plan
- Engage the board of directors, as well as business, legal, marketing, insurance, human resources and technology departments to develop a cross-functional incident response plan and team.
- Retain outside technical, legal and public relations experts to be “on call” for the inevitable cyber incident.
- Identify appropriate contacts within law enforcement and applicable regulators before a cyberattack.
- Focus on range, motivations and objectives of potential attacks (i.e., theft, denial of service, ransom and publication).
- Comply with privacy laws, and work with counsel to protect the confidentiality of the work.
- Create and Develop a Global Communications and Messaging Framework
- Ensure that any communications plan covers all relevant constituencies — employees, consumers, customers, regulators and investors.
- Identify all regulators (federal, state, foreign) that will expect disclosure.
- Identify media, social media and source-channels for disseminating company information.
- Retain messaging experts to ensure a coordinated response when it is needed.
- Test the Incident Response Plan and Update Regularly
- Utilize a third-party firm to conduct annual penetration tests to identify weaknesses in IT networks, infrastructure and employee practices.
- Report the results to the board and C-suite on a regular basis.
- Modify the plan to reflect the results of testing.
- Develop a Robust Cyber-threat Monitoring and Sharing Team
- Monitor cyber-threats both internally and externally, and regularly probe systems for weaknesses.
- Monitor the Internet, social media and dark web for stolen data and information on key executives and business operations.
- Test employee practices and compliance with security procedures.
- Participate in industry cyber-threat sharing platforms, and ensure an organizational ability to act on the intelligence provided.
- Evaluate Cyber-security Insurance
- Assess the full range of risks and costs from disruption of services, data leaks, data ransoms and extortion schemes.
- Ensure that coverages map to the cybersecurity controls, process, vendors, and protocols in any incident-response plan.
- Stay abreast of the market. Cyber insurance is still in its infancy and continues to evolve; coverage and pricing remain works-in-progress.
- Regularly review policies for gaps, newly available coverage and price-competitiveness.
- Verify and validate that key partners have coverage: A vendor that is hacked can lead to your organization being compromised.
- Engage Privacy and Cyber-security Expertise for All Priority Jurisdictions
- Maintain industry contacts for information and threat sharing, including best practices and solutions.
- Use industry leverage to petition the government for needed information, assistance and liability safe harbors.
- Maintain and update this information on a regular basis.
- Consult privacy counsel to ensure that cyber-security solutions do not violate local laws.
- Maintain Government Relationships
- Know the key agencies and personnel in the jurisdictions in which you do business: The government can be a critical partner in prevention as well as in response. Their expertise and intelligence can be invaluable.
- The time to forge such relationships is before a crisis — not after a cyber-security breach.
About the Authors:
David N. Lawrence, founder of Risk Assistance Network and Exchange (RANE), is a former managing director at Goldman Sachs and has held various senior positions with the U.S. Attorney’s Office in New York.
Daniel Garrie is the editor-in-chief of the Journal of Law and Cyber Warfare, and the managing partner of Law & Forensics.
Jay Clayton is co-managing partner of Sullivan & Cromwell’s General Practice Group. He is also an adjunct professor at the University of Pennsylvania Law School.
Frances Townsend is executive vice president of MacAndrews & Forbes and was Homeland Security advisor to President George W. Bush.
Tim Murphy is the former deputy director of the FBI, and is the president of Thomson Reuters Special Services.
John Squires is a senior partner at the law firm of Perkins Coie, specializing in intellectual property and technology law.
Matthew Lawrence is a legal and IP researcher at Perkins Coie, and attends Fordham University Law School.
Note: The views expressed by the authors are entirely personal and may not reflect the opinions of their current or former organizations.