On January 21 the Cyber Statecraft Initiative kicked off the 2015 Cyber Risk Wednesday event series with the new exclusive media partner for the series, Passcode, the new outlet of Christian Science Monitor. Shane Harris, senior intelligence and national security correspondent for The Daily Beast, and Dmitri Alperovitch, co-founder & chief technology officer of CrowdStrike, discussed the lessons learned in cybersecurity after a year of massive intrusions at some of America’s most trusted companies and the challenges ahead in 2015. The event was moderated by Dan Chiu, Deputy Director of the Brent Scowcroft Center on International Security.
These are three things we learned:
- Hacking back will be a big debate. Are malware traps for hackers considered appropriate self defense measures for private companies, and should they have the right to hack back to retrieve their information? Those are policy questions Mr. Harris would like to see addressed.
- Companies may know about breaches but not take action because they don’t want want to risk disrupting their business. Companies named as victims of Chinese hacking are sometimes unhappy with being outed for that reason, Alperovitch said. “Companies are getting hacked and know they are getting hacked in China… and they are making a judgment that, yes, they stole a billion dollars but we’re making $4 [billion] so we’re still ahead.”
- “Cyberwar” is a flawed term to describe the current landscape of breaches. The chief online threats, so far, are to businesses, not states, Harris said. War implies attacks having physical damages – and what’s going on is more like cyber-espionage. As Alperovitch put it: “You can count the instances of physical damages on the fingers of one hand.”
- “The really outrageous thing, from my perspective, was that other movie studios decided producing movies on North Korea was now unacceptable,” said Alperovitch of the delayed release of “The Interview” after the Sony hack. “The thing that I really worry about is folks in Moscow, folks in Tehran that are looking at this and saying, ‘Wow that was interesting, and if we want to impact US policy or the policy of a particular company, maybe that’s the blueprint.'”
- On whether the US has a responsibility to warn Sony if an attack is imminent: “The NSA is looking in North Korea’s networks to find out about nuclear weapons programs and existential threats in the region,” Harris said, “not about whatever grievance Kim Jong-Un has a with a Seth Rogen movie… . There are bigger fish to fry from the NSA’s perspective.”