In a world where the question is not “if” a system can be hacked but rather “when,” what can we do to minimize the damage? On October 23, the Computer History Museum (CHM) hosted an event to address that question head-on. Ray Rothrock, chairman and CEO of cybersecurity analytics firm RedSeal, and national security expert and Brunswick Partner Siobhan Gorman discussed Rothrock’s timely new book, Digital Resilience: Is Your Company Ready for the Next Cyber Threat?
Rothrock is forthright about the problem: cybersecurity is failing us. The “whack-a-mole” strategy of trying to react to every threat does not work. His realism and lack of drama are refreshing but also chilling, as he explains that as the internet has grown, the number of places that can be attacked has expanded by orders of magnitude, and the ever-larger amount of money on the web attracts criminals. Sadly, the biggest problem of all is not technology, but humans. Social engineering that has conditioned people to click on links in their emails and on social media benefits bad actors who send phishing emails enticing people to click malware links. Though there are technology products that can help, we undermine ourselves by failing to establish and implement effective cybersecurity strategies. Collectively, we’ve got our heads buried in the sand.
Russian interference in our elections is only one example of the many ways that cyber attacks can damage society and affect our lives. Rothrock offers a different perspective on this issue than that of news headlines. He says, “It’s a human thing more than a technology thing.” What keeps him up at night is not the hacking of a voting machine or two, but rather how cyber threats weaken the whole system, whether or not they actually succeed: What happens if someone claims that the winner of an election isn’t the winner because the system was hacked? A cyber attack can be difficult to disprove and the forensics can take a long time because to be credible multiple experts must examine data from many sources. What happens in the meantime?
People aren’t perfect and neither are cybersecurity systems. Rather than try to prevent 100 percent of attacks, Rothrock recommends focusing on how to be resilient. That means being able to effectively respond to attacks and return to business quickly. It’s a key strategy for government agencies, corporations, and people.
Government agencies can usually spend what they need and have the time to put comprehensive, long-term plans in place. They often do not have the churn in security personnel that corporations do, where the average tenure of a chief security officer (CSO) is only 14 months. Consequently, despite having a huge “attack surface,” government security for some key agencies does fairly well. Indeed, it is government that Rothrock looks to for establishing the regulations and monitoring compliance that he believes are necessary to protect the public, just as government mandates sprinkler systems and elevator inspections. There’s nothing like that in the cyber world today.
Although corporations often have 50 or 60 cybersecurity products, that doesn’t make a company resilient and doesn’t address a key philosophical problem. In his former career as a successful venture capitalist, Rothrock saw firsthand how CEOs and corporate boards considered security to be a cost center and any spending on it a “grudge buy.” He insists instead that digital resilience and robust security systems should be seen as investments in the company’s product and a way to build customer trust. That attitude might have helped prevent or minimize the damage to Target’s brand when a 2013 attack stole personal data from 40 million customers.
The law says that a company must report and disclose the theft of private information. Though companies are breached all the time, we don’t hear about it until the data is actually used by the bad guys. What if a hacker’s automated attack removes data bit by bit—a first name one day, the last name a week later—and then compiles it a year later?
Rothrock notes that you can’t manage what you don’t measure. He advocates a digital resilience score that can serve as a relative scale and alert management when it changes. Testing and training can boost a company’s score and risky behaviors, like the acquisition of another company, might lower it.
A digitally resilient company has prevention and detection systems in place, does background checks, trains and tests employees, runs frequent penetration tests of systems, and has a trained incident response team always ready to go. The good news is that some organizations are resilient. These include banks and the New York Stock Exchange, which is attacked half a trillion times a day, with 30–40 attacks of consequence. Unfortunately, most corporations are not on the list, and neither is the average person, many of whom have a penchant for, as moderator Siobhan Gorman notes, “extraordinarily guessable passwords,” or who do their banking on an open WiFi system at Starbucks.
So what can a person do? Rothrock says that to be resilient we should all decide what’s important to us and take steps to protect that data as best we can. We can also take steps to become more resilient. He offers some advice in an unpublished bonus chapter of his book. Check out “Digital Resilience—What You Can Do Now.”
The Exponential Center at the Computer History Museum captures the legacy—and advances the future—of entrepreneurship and innovation in Silicon Valley and around the world. The center explores the people, companies, and communities that are transforming the human experience through technology innovation, economic value creation, and social impact. Our mission: to inform, influence, and inspire the next generation of innovators, entrepreneurs, and leaders changing the world.