Our responses to crime are not sufficient to curb or deter cyber criminals. Never were. The historic perception of crime renders the options less effective as cybercrime has few, if any, physical components. To combat criminals, we need to adjust our thinking to seeing the actors as enemies and using proactive elements to counter behaviors deemed harmful to us, our organizations, and our clients.
Criminals have been around for, well, ever. People willing to steal or cause harm to another for their own benefit are part of humanity. The existence of crime in some form has led to countless adaptations over time. The crime discussed here will primarily be theft – as the advent of cyber theft offered a plethora of new opportunities and items to steal. Without physical interaction from private or very public locations, data, money, and access to organizations could be stolen with limited repercussion. Without going into the various ways and means, just know there are many, some completely new to the domain, though many are simply new twists on old tricks.
So we adapt to the growing threat with response options from public and private sectors, internal and external. At least we try. Despite the varieties of elements within our defense in depth, including law enforcement options, information sharing arrangements amongst our peers, and countless other pieces not for the present discussion, we are still losing.
Partly we are losing because of the scope and scale of criminal operations versus our own. A large organization may have several hundred to several thousand people working in an aspect of cyber security. A single actor or small group may comprise the threat we are collectively defending against – but there may be millions of these actors outside our defenses. Where we spend millions of dollars to protect everything, they spend considerably less to find a profitable flaw – ironically not even having to be in our direct network (Target was originally compromised by an infected third-party vendor).
We have to be right every time; they only need to be right once. A cost disparity.
Partly the trouble is our mental framework. We respond to these activities from a criminal perspective and largely after the act is observed. This limits our available options and certainly creates delays beneficial to the actors. Every potential victim needs and deserves better, as no matter who pays, a cost is incurred. Actors don’t care about who pays it – because they aren’t just criminals, they are enemies.
Enemies look to oppose something, sometimes with hostility. We could mince words about the degree of opposition and hostility cyber threat actors use, but we don’t need to justify ourselves – rather, we need to explore the wider spectrum of available responses stemming from a simple verbal adjustment from criminal to enemy.
Culture changes are required to make a difference. This is not a comprehensive list, but it is a start.
1. Cyber crime is not the actions of a single or small set of criminals, but the work of a common enemy. An enemy who seeks to take from us and those we care about.
2. Establish trust internally via open communications and transparency.
3. Broaden the scope of who is considered on our side and how we interact with them.
4. Explore what responses are acceptable to our side in fighting the enemy.
5. Accept trial and error, failure, and innovative approaches as part of the arsenal of responses.
6. Use the wealth of business practice knowledge and development to counter the criminal business enterprise.
7. Factor losses into our budgets and operations.
None of these is a small change. This fundamentally changes how we do business in cyber. It requires us to drop our traditional thought models and adjust our responses to the present and future circumstances.