Businesses don't talk about being victims of cyberattacks. That needs to change

Organisations that fall victim to cyberattacks are rarely willing to discuss incidents, but more transparency is needed, says an ex-NSA chief.
Written by Danny Palmer, Senior Writer

Organisations need to have better plans in place to prevent cyberattacks – but they should be more transparent about when they do fall victim to hackers in order to prevent others from meeting the same fate, according to the former head of the US National Security Agency (NSA).

As director of the NSA and Commander of US Cyber Command from 2014 to 2018, Admiral Michael S Rogers oversaw cybersecurity during a period of time when the threat of cyberattacks from criminals and foreign government-backed hacking operations grew significantly.

And while companies can act individually to improve their own cybersecurity, Rogers believes that – for the best possible benefit – companies need to share strategies, techniques and best practices for defending against common cyber threats, particularly when attackers seem to be able to deploy the same techniques again and again to go after different targets.

"One thing that really frustrates me – and I used to say this when I was in government with the senior leadership of our nation – I wanted that the pain of one should lead to the benefit of many," said Rogers, now an operating partner at Team8, a cybersecurity venture group, in an interview with ZDNet Security Update.

"Why do the same techniques keep working over and over and over again? We're talking years – the same techniques literally used for years. One of my takeaways was because we don't talk or acknowledge this activity. Most companies do not want to publicly acknowledge a cyber penetration," he said.

It's still uncommon for organisations that are hit by cyberattacks to go into detail about what happened, such as by explaining how cyber criminals were able to enter their network or what needed to be done to secure it after an attack.

That means that there isn't the opportunity for other companies to learn useful information about the incident that they can then use to prevent attacks. That's something Rogers says has to change – and he believes there's already a successful model to follow in the collaborative nature of how the aviation industry investigates incidents.

"In the US, we use a structure that says any time there is an aviation accident, the government steps in and there is a formal investigation," he said. "We determine the causes and the mitigating factors, we publish them and then we say, given that, what changes do we need to make?

"It's an indicator of the effectiveness of that methodology, they tend not to continue to recur, the same cause repeatedly over time, because we're able to address problems," Rogers continued.

"That is not the case in cyber, so I'd like us to learn from some others," he said.

By learning from the mistakes of others, organisations can be provided with the information and guidance necessary to make their networks more resistant and more resilient to attacks. Because ultimately, if carrying out successful campaigns is more difficult for cyber criminals, they're going to find it harder to make money.

"We've got to become much more resilient and able to continue to operate, because if we can continue to operate it buys us more time and, quite frankly, it also reduces disposition on the part of many companies to pay a ransom," said Rogers.

"If we make this less lucrative for criminals, you won't see as much criminal activity," he added.

For Rogers, the challenge now is for organisations to focus not just on keeping malicious intruders from gaining access to their network, but also on having plans in place to ensure they are able to continue operating in some capacity, even if hackers have breached the network.

"Cybersecurity needs to include, not only cyber defence, but we need to spend a whole lot more time thinking about cyber resilience. So if, despite my best efforts, an adversary is going to be able to penetrate my network structure, what are the tools, what are the methodologies, what are the capabilities, what can I do to try to maximize my ability to continue to operate?" he said.
