
Opinion: After high-profile hacks, it's time for a bolder approach to cybersecurity

Among the lessons from the Sony hack was that conventional cybersecurity measures don't always stop intruders. What more corporations need to apply is an active defense to better understand and stop future threats. 


In the wake of the Sony Pictures hack, the cybersecurity firm FireEye demonstrated that the sort of breach that Sony experienced is not likely preventable with conventional network defenses.

Instead, the firm noted that “organizations must consider a new approach to securing their IT assets ... [they] can’t afford to passively wait for attacks. Instead, they should take a lean-forward approach that actively hunts for new and unseen threats.”

But what constitutes a "lean-forward" approach to cybersecurity, and why are more organizations not already taking one?

The emerging field of proactive cybersecurity is complex, encompassing a range of activities also referred to as “active defense.” While “hacking back” – or using technology to pursue culprits, retrieve stolen data, and potentially even shut down the bad guys – is a point of contention when discussing the role of private sector defense, it is one that more firms seem to be considering despite the legal consequences of breaking into other networks.

Still, it's just one facet of the larger proactive cybersecurity movement, which includes technological best practices ranging from real-time analytics to cybersecurity audits promoting built-in resilience.

To gain insights into commonly accepted and utilized means of proactive security, my coauthors (Amanda Craig, senior cybersecurity strategist at Microsoft, and Prof. Janine Hiller at Virginia Tech) and I reviewed the descriptions of 27 cybersecurity products offered by 22 firms.

Some of our findings confirmed our expectations. For example, all but one of the surveyed firms (96 percent) offer cybersecurity auditing services, which is perhaps partly in response to the growing importance of the cyber-risk insurance industry.

More surprising, though, were the relatively few companies that offer mobile security products or services designed to counter insider threats, even though the latter is deemed to be up to 20 percent of the overall threat.

“Amidst all the concern and discussion over foreign hacking, what gets lost is the fact that the vast majority of serious breaches involving trade secrets or other proprietary or classified information are still being committed by insiders,” says Michael DuBose, head of cyber investigations at Kroll Advisory Solutions and former chief of computer crime at the US Department of Justice. 

These data provide only a snapshot of the rapidly evolving proactive cybersecurity industry, but they do underscore that firms have developed a range of proactive products and services designed to better safeguard their customers from cyberthreats.

The prevalence of advanced detection systems, data mining, and analytics products implies that the private sector is undertaking innovative measures based on big data to understand future vulnerabilities, aggregating information to thwart attacks. Hack back is just the tip of the iceberg.

So far, many regulators have been relatively slow to catch on to the trend toward proactive cybersecurity. US laws such as the Computer Fraud and Abuse Act, a dated instrument that criminalizes the unauthorized access of computer systems, may be compared to similar laws in other nations. Every G8 nation, for example, has a law on the books that regulates “unauthorized access” to a greater or lesser extent.

More recent efforts, though, such as the NIST Cybersecurity Framework, which emphasizes measures related to proactive cybersecurity, could help to encourage private firms to become market leaders in identifying and spreading proactive cybersecurity best practices. President Obama’s recent announcement of new information sharing mechanisms may help spur such diffusion.

Over time, as more private actors "lean forward" and embrace proactive cybersecurity, new industry norms could emerge. For instance, more stakeholders could engage in collective proactive cybersecurity measures.

One example of this is Operation SMN, during which a group of private firms engaged in “the first ever-private sponsored interdiction against a sophisticated state sponsored advanced threat group” allegedly based in China. Ultimately, the group was able to detect and mitigate the damage to some 43,000 infected systems. This experience could be leveraged to help generate positive network effects and encourage more firms to proactively participate in such endeavors.

Ultimately, it is critical for firms to move beyond reactive postures and take an active role in securing their systems. With Sony joining Target, Home Depot, and JPMorgan Chase, to name just a few of the targets of cyberattacks in 2014 that together resulted in more than a half billion total records stolen, the time is ripe for more firms to take a proactive stance.

Yet just 13 percent of respondents to a 2012 PwC survey measured and reviewed their cybersecurity policies annually, had “an overall information security strategy in place[,]” analyzed the types of cyberattacks hitting their networks, and had a CISO or equivalent reporting to “the top of the house.”

Changing this state of affairs involves leveraging tools such as cybersecurity analytics, compiling comprehensive enterprise risk management schemes that include cyber, and conducting regular audits and penetration testing to double check preparedness, among rather a lot else. There’s also a lot of low-hanging fruit out there.

The Australian government, for example, has reportedly experienced an 85 percent decrease in successful attacks by taking three simple steps that also have salience to firms: (1) application whitelisting (i.e., creating a list of preapproved applications); (2) automating application/operating system patching; and (3) minimizing local admin privileges.

Cybersecurity doesn’t have to be rocket science. Just computer science.

Scott Shackelford serves on the faculty of Indiana University where he teaches cybersecurity law and policy, sustainability, and international business law among other courses. He is also a senior fellow at the Center for Applied Cybersecurity Research, a National Fellow at Stanford University’s Hoover Institution, and a term member of the Council on Foreign Relations.

The full paper on proactive cybersecurity from Shackelford, Amanda Craig, and Janine Hiller can be found here.

