Complacency in the Face of Evolving Cybersecurity Norms is Hazardous (Part 1)
Ethan S. Burger
and
Thomas W. Welch, Legaltech News
March 21, 2016
The following is part one of a two-part series.
Summary
Given constantly evolving legal requirements and changing technology, business executives and
board members are often reluctant to adopt policies that require a high level of corporate-wide
commitment. Expenditures on cybersecurity may have no concrete, identifiable benefit and
generate no revenue. Corporate inertia with respect to implementing rigorous cyberdefense is
therefore understandable.
There is a very large number of unknowns, and corporate decision-makers often receive a great
deal of contradictory advice. The C-suite needs to think and act strategically. Cybersecurity
challenges will not go away if ignored. The threat demands action and policies consistent with
the corporation's profile and its sector's norms.
Failing to take such action means greater regulatory and litigation risk, irrespective of whether
the cybersecurity posture adopted will be effective in defending against cyberattacks.
Noncompliance with cybersecurity norms is likely to damage the corporation's reputation in
the marketplace and with customers, suppliers, and other business partners. The corporation
needs well-thought-out policies that include plans to respond to cyberattacks and to recover from
them.
These policies should be responsive to regulatory requirements and not have negative
consequences should the company become a defendant in a lawsuit. It should not be overlooked
that victims of cyberattacks may have claims against persons other than the attacker, who is
unlikely to be apprehended or even identified.
The private sector's rather limited experience with cyberattacks may lead some corporations,
especially small and medium-sized enterprises, to rely too heavily on information and
recommendations supplied by persons who are likely to promote their own agenda rather than
be concerned with what is best for the corporation.
Introduction
In 2015, global losses due to cybercrime probably exceeded $400 billion. Acknowledged
cyberattacks have been directed against retailers (Home Depot and Target), financial and
insurance institutions (Anthem, Bank of America, J.P. Morgan, and Wells Fargo), governmental
bodies (the FBI and the IRS), hospitals (Boston Children's Hospital and Hollywood Presbyterian
Medical Center), and infrastructure, including vital communications, energy distribution, and
transportation networks.
There is a general consensus in both the private and public sectors that the cybersecurity problem
is acute and getting worse. The many publicized reports and warnings are just the tip of the
proverbial iceberg, however, as many companies are reluctant to acknowledge their exposures.
Nonetheless, many businesses do not seem to be aware of the risks, or of the potential consequences
of not taking basic precautions. Inaction increases their exposure to liability for harm caused to
third parties and their susceptibility to government-imposed sanctions for failing to observe legal
norms or generally accepted practices.
Those carrying out cyberattacks vary in motivation and capability. Managers must prepare
their organizations for the diverse cyberattacks that now seem inevitable. For institutional and
other reasons, many enterprises have not responded to the threat in a systematic manner.
Comprehensive, viable approaches must be developed to deal with a wide range of potential
threats. Executives and board members may have been understandably reluctant to adopt
comprehensive defensive measures against cyberattacks, but they must do so, and right now.
This article explores some practical and legal issues that corporations are likely to encounter in
this rapidly changing environment.
Cyberattacks and their Motivations
Cyberattacks are very difficult to defend against, denial of service (DoS) and distributed denial of
service (DDoS) attacks in particular. Cyberattacks can be used as a weapon to degrade or disrupt
systems, to steal data for the commission of financial crimes such as espionage and identity theft,
and, of greatest concern, to seize control of the target's computer and IT systems. They may also
have political motivations.
The goal of a DoS attack is to flood a website with traffic so that it is no longer able to serve
legitimate users. A DDoS attack is more complex. While the objective is to some extent similar,
here the incoming traffic is sent from many different sources, making it much more difficult for
the target to distinguish the malicious traffic from legitimate traffic and block it.
A DDoS attack directs a huge volume of connections at the website, often from hundreds of
thousands of machines, so that the target's capacity is exhausted. Because the attackers arrive
from a very large number of different IP addresses, identifying and blocking them individually is
far harder than in a single-source attack, where one address can simply be blocked.
Often the machines sending the traffic are themselves victims of earlier successful attacks. The
victims of a DDoS attack therefore include both the targeted system and all of the systems the
attacker has compromised and controls in the distributed attack. Typically, the attacker identifies
and infects vulnerable systems with malware, forming a botnet that can be instructed to attack a
particular website on command.
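The practical difference between the two cases described above, a single flooding source versus many sources, shows up in what a per-IP blocking rule can and cannot catch. The following example is added here and is not part of the original article; it runs a simple fixed-window rate check over constructed Common Log Format web-server lines (the addresses, timestamps and thresholds are invented for illustration). A single-source flood is caught by the per-address limit; a distributed flood of the same total size is not, and only the aggregate request count reveals it.

```python
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# Common Log Format as Apache and nginx write it by default, e.g.
# 203.0.113.7 - - [21/Mar/2016:10:00:01 +0000] "GET / HTTP/1.1" 200 612
CLF = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[^"]*" \d{3} \S+')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
START = datetime(2016, 3, 21, 10, 0, 0, tzinfo=timezone.utc)  # arbitrary start time


def parse_line(line):
    """Return (client_ip, timestamp) for a CLF line, or None if it does not parse."""
    m = CLF.match(line)
    if m is None:
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT)


def make_log(ips, requests_per_ip, start=START, span_seconds=10):
    """Constructed traffic (not a real capture): every address in `ips` sends
    `requests_per_ip` GETs, with the sources interleaved evenly across `span_seconds`."""
    total = len(ips) * requests_per_ip
    lines = []
    for i, ip in enumerate(ips):
        for j in range(requests_per_ip):
            k = j * len(ips) + i  # position of this request in the interleaved stream
            ts = start + timedelta(seconds=span_seconds * k / total)
            lines.append(f'{ip} - - [{ts.strftime(TS_FMT)}] "GET / HTTP/1.1" 200 612')
    return lines


def analyze(lines, window_seconds=10, per_ip_limit=50, aggregate_limit=200):
    """Count requests per source and in total within fixed time windows.

    per_ip_limit    - requests one address may send per window before it is blocked
    aggregate_limit - total requests per window above which the site is saturated
    Both limits are illustrative; a real deployment tunes them from baseline traffic.
    """
    events = [e for e in map(parse_line, lines) if e is not None]
    if not events:
        return {"verdict": "normal", "offenders": [], "peak_requests": 0, "distinct_sources": 0}
    t0 = min(ts for _, ts in events)
    per_ip = Counter()      # (window, ip) -> requests from that address in that window
    per_window = Counter()  # window -> total requests in that window
    for ip, ts in events:
        w = int((ts - t0).total_seconds() // window_seconds)
        per_ip[(w, ip)] += 1
        per_window[w] += 1
    offenders = sorted({ip for (w, ip), n in per_ip.items() if n > per_ip_limit})
    peak = max(per_window.values())
    if offenders:
        verdict = "dos"      # a per-address rule identifies who to block
    elif peak > aggregate_limit:
        verdict = "ddos"     # the site is saturated, yet no single address stands out
    else:
        verdict = "normal"
    return {"verdict": verdict, "offenders": offenders, "peak_requests": peak,
            "distinct_sources": len({ip for ip, _ in events})}


if __name__ == "__main__":
    # 500 requests in 10 s from one host vs. 500 requests in 10 s from 250 hosts
    single = analyze(make_log(["198.51.100.9"], 500))
    distributed = analyze(make_log([f"203.0.113.{i}" for i in range(1, 251)], 2))
    print("single-source flood:", single)
    print("distributed flood:  ", distributed)
```

Both floods deliver the same 500 requests in the same ten seconds; the per-address limit names one offender in the first case and none in the second, which is why DDoS mitigation relies on aggregate signals, upstream filtering and absorbing capacity rather than on blocking addresses one at a time.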
There remains a paucity of reliable data in this area on which management and boards of
directors can base cybersecurity decisions; the data available at present is fairly incomplete.
The most dangerous form of cyberattack is an attack against an organization's supervisory
control and data acquisition (SCADA) networks. SCADA systems are the computers and
applications that perform vital functions in providing essential services and commodities. In
certain respects, a successful cyberattack on them can cause damage traditionally caused only by
kinetic weapons.
Like many others, federal experts believe that small and medium-sized enterprises (SMEs),
particularly those holding a large number of records that include valuable information provided
by others, may be priority targets for criminals. SMEs are attractive targets because they
frequently lack the necessary hardware and software ("tools"), personnel, practices, and
procedures for self-defense. The data obtained from such attacks may be a precursor to
subsequent cyberattacks.
Ironically, SMEs often believe their risk of cyberattack is low, even though they are more
vulnerable than larger entities. This may lead them to underestimate the cyberthreats they face,
and their defensive posture may be limited by the expense involved.
Governmental Action and Inaction
Increasingly, government entities have made efforts to reach out to all types and sizes of
businesses. The government wants businesses to better understand the nature of the threats they
face, and actions they might take to reduce their vulnerability and the relevant rules they are
expected to observe.
At present, there seem to be divergences between the law as written and the law as carried out.
The U.S. National Institute of Standards and Technology's Framework for Improving Critical
Infrastructure Cybersecurity (Framework) clearly states that it is to serve only as "guidance" for
the private sector; yet the U.S. Securities and Exchange Commission and, in certain
circumstances, the U.S. Federal Trade Commission have acted as if the Framework constituted
binding, official standards, which if not followed can result in the imposition of sanctions. (See
Federal Trade Commission v. Wyndham Worldwide Corporation, where the FTC alleged that, at
least since April 2008, Wyndham engaged in unfair cybersecurity practices that, "taken together,
unreasonably and unnecessarily exposed consumers' personal data to unauthorized access and
theft.")
State regulators, insurers and courts may soon act similarly. Consequently, enterprises may have
to find deeper pockets to pay for protective or remedial measures, or to cover a portion of their
losses or the expenses needed to comply with governmental dictates.
Of course, the government's credibility on this topic is questionable, given that it has itself
suffered a large number of significant cyberattacks. Certain agencies, such as the FDA, which
has been hacked multiple times (and continues to be attacked almost daily), have only recently
promulgated new cybersecurity standards for medical devices.
Exposure From Cyberbreaches and the Release of Personal or Confidential Information
As a result of breaches of cyberdefenses, criminals and others frequently obtain personal data of
individuals held by companies. These cases have triggered a wave of litigation against entities
that released others' private or confidential information; note that other countries'
requirements, such as those of the European Union, may be more demanding than the rules in the
U.S.
It is often difficult to predict the size of the damages to which persons whose identities have been
compromised, or entities whose intellectual property has been disseminated, will be entitled. The
amount a company might be liable to pay third parties is very case-specific and unpredictable.
A victimized business should never be a complacent victim. Even if liability cannot be
established on the merits, in courts or in arbitral bodies, the defendant in any case may have
reasons to resolve a dispute for reputational or other reasons—such as the fear of losing business.
Part two of this article will explore the effectiveness of cyberinsurance and how to increase
cybersecurity.
Ethan S. Burger is a Washington-based attorney and academic, who is a senior fellow for
cybersecurity law at Kogod's Cybersecurity Governance Center.
Thomas Welch is an attorney, managing director of the American International Regulatory
Coherence Institute and a former associate director with the U.S. Food and Drug Administration.