This week’s news that Microsoft, Facebook, FireEye, and Google disrupted ongoing Russian and Iranian influence campaigns should garner significant attention in corporate boardrooms. The revelation of this fresh round of foreign hacking highlights important points about the intersection of business, geopolitics, and hacking that too often go overlooked — points that are especially important for platform businesses.
Even if geopolitics is the root cause of hacking attempts, corporations may find themselves on the front lines, not only as victims but also, increasingly, as defenders. The coordinated action by Microsoft and the cybersecurity company FireEye, coupled with similar action by Facebook and, later, Google, demonstrates as much. The role of the U.S. government in pushing back against these foreign intelligence operations remains at best uncertain, though we can assume that classification and secrecy hide some actions from the public. Nonetheless, as Eric Rosenbach, then a senior cyber policy official at the Pentagon, testified in 2015, “The Department of Defense is not here to defend against all cyberattacks — only that top 2% — the most serious.” Far more frequently, the government isn’t rushing to the rescue.
Traditional corporate cybersecurity efforts have been aimed at foiling hackers intent on gaining access to proprietary information or customer data for personal financial gain. They’ve also been focused on the dangers of software vulnerabilities, leading executives to invest in finding and fixing weaknesses in their systems before hackers could take advantage of them. This is all well and good, but against increasingly powerful and motivated perpetrators like foreign intelligence services, it is likely to be woefully insufficient.
Against these kinds of foes, executives and network defenders have to assume that adversaries will be able to penetrate their defenses. If experienced and well-funded foreign intelligence agencies are interested in hacking a business, it is a good bet that at least some of the time they will succeed. How the business prepares for that scenario, before it happens, is vital. Many big companies may choose to redirect some of their defense teams and analysts away from perimeter protection and toward proactive detection and response: assuming an intruder is already inside and working to find and evict them quickly. Patching one’s own technical vulnerabilities remains necessary, but on its own it is not enough.
There are many ways to detect a malicious presence in a computer network — Sergio Caltagirone and Robert M. Lee recently provided a good overview — but having an understanding of adversaries’ motivations, capabilities, and techniques certainly helps. The most powerful of these detection capabilities have one thing in common: They involve human analysts proactively investigating threats and exploring one’s own network for anomalies and potential compromise. Even after billions of dollars of investment in cybersecurity, there is no single product or solution that obviates the need for well-trained and empowered analysts.
Companies in the platform business are in an especially vulnerable position. They can suffer harms without suffering a traditional breach at all. When companies create flexible, engaging platforms that give customers the freedom to engage as they wish, they create conditions that allow adversaries to log on as well. Russian operations in 2016 relied heavily not just on hacking (placing malicious code on targeted computers) but also on using social media platforms in ways that were contrary to their intended use. This week’s revelations show that the threat has only expanded: Russia has not been deterred, and now other nations are getting in the game as well. Winning this cat-and-mouse game involves proactively thinking about how adversaries might act and understanding the weaknesses of one’s own platforms, not just at a technical level but also at a social one. It involves asking questions that are hard to answer and even harder to quantify, while giving analysts the freedom to investigate leads, even somewhat speculative ones. The pattern revealed by this week’s operations is simple: Even if they are not always the most sophisticated efforts, they are targeted squarely at sowing discord in the United States, and they seek to exploit the reach of American technology platforms in that effort.
All of this leads to one final overarching point: Businesses are interconnected, and therefore threats are, too. Firms should take care to understand how their systems depend on the products and services of other firms; often a close examination will find many more critical dependencies than expected. Just as the 2016 attack on the DNS provider Dyn, launched by the Minecraft-inspired Mirai botnet, caused widespread web outages for key companies including Twitter that were not themselves the target, firms may find that a geopolitically motivated operation against one of their suppliers or providers has significant unanticipated consequences for their business. Companies should expect to be targeted, develop means of detecting interference as soon as it begins, and find ways to mitigate and expose foreign attacks as they occur.
This week’s events make it clear that the threat to corporations is real and that, uncomfortable or expensive as it might sometimes be, preparation is essential.

[Source: HBR]