
Why We Don’t Need Another Cyber ‘Wake-Up Call’

Tom Alrich, Supply chain cyber risk management (emphasis on SBOMs and VEX documents), Tom Alrich LLC

I provide consulting services in supply chain cybersecurity risk management and am now primarily focused on software bills of materials (SBOMs) and VEX (Vulnerability Exploitability eXchange). I...

Apr 9, 2021


The title of this post isn’t mine. It’s the title of an article written by Mark Weatherford that Kevin Perry forwarded to me this week. Mark, as you may know, is the former VP and CSO of NERC and former DHS Deputy Under Secretary for Cybersecurity (and I believe he was the first officer at DHS who had “cybersecurity” in his title). He is currently CISO at AlertEnterprise and Chief Strategy Officer at the National Cybersecurity Center. He is also moderating the panel I’ll be participating on at this year’s virtual RSA Conference.

I’ll let you read it, but Mark makes a great point: it is long past time that we stopped calling each new cyberattack a “game-changer”, a “wake-up call”, a “watershed moment”, etc. All of these phrases subtly convey the idea that this latest attack could never have been properly prepared for. Furthermore, nobody is really to blame for it happening (other than the attackers), since it was so unprecedented that it would have been almost impossible to defend against.

The problem with this idea is that there is literally no end to possible cyberattack types. There will always be “game-changing” attacks, since the game is always changing anyway. I’ll grant that nobody (that I know of) predicted that the software build process itself could be compromised and malware planted without the developer having any idea this was happening, as about 1,000 Russians did in the case of SolarWinds, just as nobody (again, that I know of) predicted that a fired AWS employee would be able to penetrate the cloud environments of at least 30 AWS customers and cause serious damage to one of them, Capital One, etc.

In fact, I’d say the only real game-changing cyberattack was the Morris Worm of 1988. This infected a few thousand computers, crashing a large number of them. The crashes were due to a coding error by Morris, the perpetrator; he actually didn’t intend to cause harm. In fact, he considered this to be a wake-up call, and it certainly was one: CERT/CC was founded at Carnegie Mellon as a result of this attack. And if you think a few thousand computers isn’t a lot, consider that there were only about 60,000 computers connected to the internet at the time.

Ever since the Morris Worm, the internet community should have been not only protecting against whatever led to the last big attack, but also trying to anticipate what the next one will be. But we have all suffered from a failure of imagination, which is why we continue to have game-changing attacks, and probably will until human nature changes.

Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC. If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com.
