OPINION:
Cyberspace, the human-made fifth domain, has proven to be a great force multiplier for free expression and commerce.
But it has also proven to be an unregulated playing field vulnerable to exploitation by bad actors like China, Russia, Iran and North Korea as well as criminal cartels and international terrorists.
It’s not just nation-states but private companies which are at risk.
Cyber-savvy companies rightly focus on prevention. But the first thing they should do is assume they will be successfully hacked and prepare accordingly.
When I served at the CIA, being in the incident-response phase — what we called “to the right of boom” — of a counterterrorism operation meant we had not collected enough intelligence or analyzed it properly to prevent the attack in the first place. In most cases, terrorists, like hackers, conduct reconnaissance before mounting an attack. Failing to detect enemy probing and learn about the threat hands the attacker the element of surprise.
Incident response entails limiting damage from the attack, as well as taking preemptive measures and learning from previous attacks.
Businesses can effectively reduce their weak spots, limit risk and respond more quickly and effectively by securing servers and routers, using firewalls and sophisticated web codes, and rigorously applying both patches and back-up protocols. The corporate board of chief information officer who treats cyberthreats as merely an IT challenge requiring only technical solutions risks neglecting threats resulting from human error and an inflexible strategy.
Far better, of course, is to head off threats in the “left of boom” pre-incident phase, to deny the enemy the opportunity to change, steal, or destroy data.
The first step is to know the battlefield. Cyberattacks do not occur from a cold start, without digital signatures. Plugging into networks and chat rooms where attacks are being planned and using cognitive computing to sift through the data can reveal the enemy’s attack plans. Companies should focus on who might be a potential enemy, the enemy’s associates or business partner, as well as whether business operations are taking place in a country where cyber sovereignty is practiced.
Second, strive for a 360-degree view of the threat. Getting security, human resources, and IT stakeholders to share information on vulnerabilities and threat data leads to the most effective countermeasures. Employees should have a secure channel for reporting social engineering and technical attacks. Businesses can reach out to the FBI to report highly sophisticated malware or persistent threat.
Third, protect against the threat from within, both from unwitting employees who don’t appreciate the threat and from malicious employees with ill intent. Applying the need-to-know principle with access controls and conducting regular internal security checks reduces the attack space. Linking human resources, IT and security to vet and engage employees creates a powerful ethos of security within the company. Focusing on the “skin behind the keyboard” is a robust strategy to protect the data, money and reputation on which commercial success relies.
Michael Hayden, the former director of both the CIA and NSA, has compared operating in cyberspace to swimming in shark-infested waters — where even the dolphins are a threat.
The U.S. government is crafting a cybersecurity policy with clear executive and legislative components. But even with assistance from the public sector, companies will always have to rely on their own resources and systems, tailored to their individual situation, in determining where they might be attacked, how long the attack might last, and what needs the greatest protection from the attackers.
• Daniel N. Hoffman is a retired clandestine services officer and former chief of station with the Central Intelligence Agency. His combined 30 years of government service included high-level overseas and domestic positions at the CIA. He has been a Fox News contributor since May 2018. Follow him on Twitter @DanielHoffmanDC.
Please read our comment policy before commenting.