Lessons from Sandy: Clarity in the eye of a cyberstorm

The advocacy challenge to prevention spending

As the East Coast continues to recover from Superstorm Sandy, talk has already begun about better protection for New York City from future tidal surges and flooding.

New York is the global financial nerve center, yet Wall Street closed down briefly from flooding. In broad terms, it is not acceptable to risk global market disruption when prevention systems could have stopped or mitigated the damage; and it is equally unacceptable with respect to the human and business toll on a world-class city of 8 million people. The financial loss from Sandy, by some estimates, could be as high as $100 billion. Yet, according to some experts, a system of dikes and barriers could have prevented most of the damage from the flooding. The cost? Reportedly in the range of $5-10 billion. While that is a hefty price tag, in hindsight it seems like a worthwhile investment. The Stony Brook Storm Surge Research Group has been advocating a prevention system for years. Only after the destruction in New York caused by Sandy has the group found renewed interest in its prevention concept.

Related content: "Surviving Sandy"

The story of the Stony Brook Storm Surge Research Group and its advocacy challenge for a dike and barrier protection system around New York underscores the obstacles in "selling prevention." Sometimes, no matter how persuasive and compelling one's case is for a proposed solution, decision-makers remain unwilling to address the risk. Today, selling prevention from cataclysmic risk shares a cousin -- the Internet environment. We currently face a critical challenge of improving cybersecurity across society. If Sandy becomes the "poster child" that mobilizes support for a prevention system in New York, what must occur in the cybersecurity marketplace for an "all of society" mobilization? There have arguably been a number of poster child breaches and incidents in cyberspace already: Heartland, Sony, and Stuxnet, to name just a few. And Stuxnet was even labeled in Congress as a "game changer." Not so fast!

The known risk environment

In America today, there is a very slow pivot toward a changed cybersecurity mindset. It is moving too slowly, however. The average citizen has not heard of Heartland, nor do they know very much about Stuxnet, Flame, Duqu, or the Iranian Quds Force. Those in the cybersecurity field are well aware of the present threat, but the American public is largely oblivious. Yet, the threat is not that new. Long before today's media hype of cyberwar and talk of Iran, China and Russia, there was Titan Rain and other extremely grave compromises of national security.

Today, General Alexander of the National Security Agency calls the cyber threat the "greatest transfer of wealth in history." Defense Secretary Leon Panetta openly discussed in recent weeks his fear for a "Cyber Pearl Harbor," calling today's predicament a "pre-9/11 moment."

These bold pronouncements are not mere rhetoric. As outlined in the White House 60-day Cyberspace Review, our nation's security and economic competitiveness on the world stage are at risk. China's grand strategy is to steal American technology and know-how, rather than invest itself in research and development. It is simply easier to steal secrets through the Internet.

Selling prevention in the cyber realm should not be so difficult. Whereas few could have predicted Superstorm Sandy, leaders ARE predicting a cyber Pearl Harbor. Moreover, the data points already exist regarding cybersecurity risk. Ponemon, Symantec, McAfee and many others report cybersecurity cost data regularly. Attacks on critical infrastructure HAVE occurred. The Nasdaq HAS been attacked by hackers. The CIA HAS confirmed power outages caused by cyberattack. And business losses, fraudulent financial transactions, and trade secret theft HAVE been occurring for years, with annual costs in the hundreds of billions of dollars! We are facing a known risk, not a hypothetical risk. Unlike Superstorm Sandy, the cybersecurity landscape today is really not about "selling prevention" as some business owners perceive it. Cybersecurity is about business continuity and risk management.

Counterpoint: "Security experts push back at 'Cyber Pearl Harbor' warning"

Leaders Take Note

Cybersecurity is a leader problem. It is a boardroom fiduciary responsibility. Liability lurks for the negligent avoidance of a foreseeable risk. Lack of awareness of the risk is indefensible today -- not when leaders are calling the risk a "pre-9/11 moment" and not when the loss of data makes headlines. Yet many organization leaders today fail to take sufficient time to apprise themselves of the risk. That is not adequate due diligence. And failure to engage in due diligence is a potential negligence lawsuit waiting in the wings.

The Solution

Avoiding negligence in the cyber realm is not difficult. Granted, true security online is likely impossible. If an attacker is determined to get in, a network compromise will occur. As FBI Director Mueller declared: "There are only two types of companies: Those that have been hacked, and those that will be." Faced with this predicament, what's an executive to do? While the detailed answer entails an implementation that may take time, effort, and money, the short answer is that leaders need to take measures that manage risk.

The challenge in managing cyber-risk is to first identify all risks. Identifying risk is not always easy. Leaders often -- indeed usually -- delegate this role to the CIO, CISO, CSO, or the "IT guy" in the firm. The problem with this approach is that cyber-risk often results from business practices rather than solely from network deficiencies. It's the risk to a small business's financial resources from online banking practices without sufficient technical and policy controls; it's the traveling salesman who logs on to unsecured hotel WiFi connections and then plugs back into the home network without a malware scan. Only leaders can identify all the risks associated with the organization's business practices. Still, cyber-risk identification is the first step toward avoiding negligence.

The Fundamental Point

In my next writing I will further discuss foreseeable risks and the due diligence steps needed to avoid negligence claims. Still, for now it's important to point out that most leaders are failing to take account of foreseeable risk. They aren't even looking at cybersecurity as a leader problem, despite the many substantial organizational and personal risks. The point of this writing is to highlight that diligence efforts are a necessity to shield against potential liability. With the risk so prevalent, cyber-risk presents a modern-day "slip and fall" scenario that can no longer be avoided.

Conclusion

New York City did not bite the bullet and invest billions in order to avoid tens of billions of dollars in damage. In cyberspace, we have already suffered hundreds of billions of dollars in monetary losses nationally. Leaders face a cybersecurity risk that is far more likely than Superstorm Sandy. Most organizations do not have to build an expensive and robust barrier system to secure their enterprise; they merely have to take reasonable precautions to avoid known and foreseeable risks.


Stories by Doug DePeppe
