Cyber Attacks: Play the game not the occasion


Authored by Liberty Specialty Markets Strategic Assets Underwriting Manager Matthew Hogg and Underwriter Graham Preston

Is there such a thing as too many defensive measures when it comes to cyber security? Could an attack, no matter how sophisticated the defence, still break through? In some ways it is a bit like managing a team in sport; the opposition may be difficult, there is a balance between defence and attack, and the board will have a view on the investment.

Prior to Christmas an excellent article appeared in the Financial Times relating to the now infamous SolarWinds hack. The article was penned by Robert Hannigan, a former director of GCHQ, and it’s well worth a read. The main argument of the article is that such attacks are avoidable and come as a result of weaknesses that continue to be tolerated. It’s hard to argue with this point, especially coming from someone who has been on the front line in this emerging world of nation state cyber-attacks.

There are some other points that are worth considering in addition to the article. Speaking to leading cyber security professionals and reputable cyber security leadership, the consensus is that nation state attacks can be of such scale and sophistication that it is inevitable that sometimes one will beat the defences of even the most sophisticated outfits. The focus then is on businesses to reduce the likelihood of an attack, to be able to recover as quickly as possible, and to minimise the disruption. The limitations facing companies run across the scale of the threat, budgets and operational requirements.

In some ways it is a bit like managing a team in sport; the opposition may be difficult, there is a balance between defence and attack, and the board will want to know what the money’s being spent on.

In his article Robert Hannigan states that whenever one of these attacks occurs, it is described in language to “cover our collective embarrassment and imply that there is nothing we can do to prevent them”. This sounds like something in sport being described as ‘unstoppable’ or ‘unplayable’. Winding any series of events back far enough, regardless of the field, will reveal an action or inaction that can be identified as a mistake. Both the SolarWinds and NotPetya attacks may have been prevented by more careful auditing of a seemingly innocuous supplier. However, the question to ask is how reasonable that step would have been when scaled across hundreds or thousands of suppliers. A pundit recently criticised Manchester City during a Premier League game for giving an opposition forward too much space and then later for being too close to him. In the same way, a business risks a cyber security breach by not doing something, and then risks being pilloried by other parties for doing too much of it. It’s a delicate balance.

We must also consider the competing demands of the business. A frequent comment from more forthright insureds is that they can never make their businesses 100% secure and there is a constant trade-off between enabling the business to trade and cyber security. It would be so much easier if the business would just focus on making its cyber posture secure at the expense of everything else. But businesses need to operate and so the trade-off will always exist between making systems functional for employees and customers, and making them secure. Just as there would never be any goals if football teams focused completely on defending, businesses that took the same approach to their activities would do hardly any business. The fact that they need to do both at the same time is what makes it such a challenge, perhaps one that is unlikely to disappear soon.

The scale and intensity of nation state attacks would seem analogous to playing against the current English Premier League champions, Liverpool FC. Highly professionalised and well-drilled opposition packed with such skill, intensity and hostility that you have to be constantly on your mettle in order not to be overcome by them. With this persistent pressure it’s inevitable that the strain will tell and a mistake will occur. The key here is for the team to remain calm and not let a mistake become a crisis. This seems to be a significant focus for leading companies; conceding the first goal must not lead to a rout. This is key in reducing the severity of the attacks that are not stopped.

Finally, just as most coaches have limits on the talent they can bring in to their squads (imposed by the money available to spend), companies can only commit so much of their budget to cyber security versus another area of the business. Every pound spent here is one pound unavailable to spend on another area of the business. Every department will always want additional resources to aid their task. To quote Jose Mourinho, head coach of Premier League football club Tottenham Hotspur, in his own inimitable style, on this topic: "No eggs - no omelettes! It depends on the quality of the eggs… some give you better omelettes. So when the class one eggs are in Waitrose and you cannot go there, you have a problem." The question here is: will companies invest in top class security or cut back and risk relegation and the accompanying mortal threat to the survival of the company?

Every company will draw the line on these delicate balances differently and that line will no doubt ebb and flow with the cyber security environment and the state of the economy. However, it’s important for all concerned to consider what really can be done to prevent and minimise the impact of nation state attacks and behave responsibly. Nothing will improve while the stock response to these events continues to be the equivalent of blaming the referee or the state of the pitch.


About Liberty

Liberty Specialty Markets offers specialty and commercial insurance and reinsurance products across key UK, European, Middle East, US and other international locations.

We provide brokers and insureds with a broad range of products through both the Company and Lloyd’s markets and have over 1,700 staff in approximately 65 offices. Liberty Specialty Markets was established in September 2013 bringing together Liberty’s company, syndicate and reinsurance operations into one combined operation, composed of three business units: Commercial, Specialty, and Reinsurance (Liberty Mutual Re). This integrated approach means brokers and clients can benefit from our global reach and operating efficiencies.

Liberty Specialty Markets is part of global insurer, Liberty Mutual Insurance Group, a diversified global insurer, formed in 1912 and headquartered in Boston, Massachusetts. Liberty Mutual is the 5th largest global insurer based on 2017 gross written premium, with over 50,000 employees in 30 countries and economies around the world. Our purpose is to help people embrace today and confidently pursue tomorrow. The promise we make to our customers throughout the world is to provide protection for the unexpected, delivered with care.  We achieve this by offering a full range of personal, commercial, and specialty Property & Casualty insurance coverages. Our customers’ trust has earned us the 68th spot on the Fortune 100 list of largest corporations in the U.S., based on 2017 revenue.
