In 2020, a hack believed to have been perpetrated by the Russian intelligence service compromised more than 100 clients of the SolarWinds network management company. Affected organizations included tech giants Microsoft, Cisco, and Intel, as well as the Pentagon and the Cybersecurity and Infrastructure Security Agency—the very agency tasked by the Department of Homeland Security with protecting federal computer networks from cyberattacks.
Then, this past spring, hackers from the criminal organization DarkSide demanded 75 Bitcoin—the equivalent of about $4.4 million—to restore operations of the Colonial Pipeline, which supplies gasoline and jet fuel to the southeastern United States. It was the largest cyberattack on U.S. fuel infrastructure in the country's history.
As these high-profile attacks indicate, cybersecurity is an issue of increasing importance to public and private organizations. But despite the increasing online presence of these organizations, many of their systems simply do not have good protection mechanisms in place.
For insights into the ongoing problem of securing online networks, the Hub spoke with Gregory Falco, assistant professor in the Whiting School of Engineering's Department of Civil and Systems Engineering and the Institute for Assured Autonomy, in advance of the publication of his book, Confronting Cyber Risk: An Embedded Endurance Strategy for Cybersecurity (Oxford University Press). Falco co-authored the book with Eric Rosenbach, director of the Belfer Center for Science and International Affairs at the Harvard Kennedy School.
What is the first thing that you recommend organizations address to increase their protection against cyber-attacks?
Think about cybersecurity not as an IT issue, but as a senior executive and leadership issue. Cybersecurity and cyber protection are often thought of as reactive measures, but organizations need to start seeing cyber protection as a way of planning. Similar to financial planning, cybersecurity should be incorporated as a part of everyday business. It's not an add-on; it should be embedded in the organization, which is why we used the term "embedded endurance strategy" when writing the book. The term shows that we view cybersecurity as an endurance exercise. Even if measures are embedded in the organization, cybersecurity issues are going to be happening for the entirety of its existence. It's important to think about strategy and risk mitigation from a long-term marathon endurance standpoint.
Why is an embedded endurance strategy important?
Addressing issues as they arise will probably cost an organization more money because they'll be paying for consultants to troubleshoot things as they happen. Using a comprehensive approach means shifting the way of viewing this challenge as ongoing rather than a single instance. When long-term prevention becomes a part of an organization's culture, it requires leaders to think through every aspect of a potential event. This forethought allows them to move swiftly, while also maintaining the integrity of their organization's efforts in the event of an attack.
Knowing who your attacker is and what they're going to want will help an organization formulate their strategy. Does your attacker want to create chaos in the system? Do they want cash? Are they a competitor who wants to steal your IP? By answering these and other questions, companies can figure out ways to act both during and after the attack.
My co-author and I propose a holistic approach to help organizations think through cyber issues. Through anecdotes and case studies, we help leaders consider the pre-event, during-event, and post-event components of an organization's cyber experience.
Considering that the cyber protection methods are always evolving, are there any actions that you recommend to leadership teams as they build and revise their embedded endurance strategy?
Read the news to see how other organizations are handling their cyber events. Even non-technical news can provide insight as to what exactly happened during a cyber event, as long as the organization is transparent in their reporting. There's still a stigma regarding being hacked. If organizations choose to be transparent about what is happening—and who is affected—when they are hacked, they can use their event as a case study of sorts for other leadership teams. Especially in instances of ransomware attacks, it's helpful to know details like how much the company was charged and did they negotiate with the attacker.
These are not new problems. The more that people are reading and learning about them, the more cognizant leadership teams should be of their actions when it comes to cyber safety. Our hope with the book is to encourage more proactive measures through the embedding of preventative thoughts, actions, and processes into every aspect of an organization's operations. This allows for long-term planning and a more organized, comprehensive strategy for dealing with cyber events when they occur.