It wasn’t that long ago that when corporate executives considered cyber risk models to gauge the potential impact on their business, the threat scenarios typically involved cyber-vandals, hackers, or criminal groups looking to profit from the sale of stolen sensitive commercial and consumer data on the deep Internet. One need only look as far as Target and Home Depot to understand the magnitude of financial harm and damage to a company’s brand that can occur when its data security systems are breached and its customers’ personal financial information is auctioned to the highest bidder.
While corporate executives and board members need to continue to remain vigilant against financially motivated cybercriminals, a far more formidable threat has now emerged in the form of nation-state cyber threat actors. Not usually interested in financial gain, nation-states view the immense wealth of information stored in corporate data systems as a target-rich environment for intelligence gathering and espionage. From a threat perspective, this is a paradigm shift. Companies, government agencies with national security responsibilities, and in the case of regulated industries, their regulators, are having to consider new risk profiling models that incorporate identification, protection, detection, response, and recovery of information for which the threat to data may not be known for years.
The threat of nation-state cyberattacks first became a publicized reality in early 2014 when the U.S. Department of Justice indicted five officers of the Chinese People’s Liberation Army for hacking into and stealing intellectual property from corporations like Westinghouse Electric and U.S. Steel. That event marked the first time that officials of a foreign government had been accused of malicious cyber-activity against the United States. In late 2014, Sony Pictures Entertainment was compromised and its infrastructure and data were damaged and stolen by the North Korean government. In 2015 there have been a series of serious cyberattacks directed against health insurance corporations, and once again the finger is being pointed directly at nation-state actors. These events must be examined with serious concern at the highest levels of corporate management — including the board of directors — to analyze what is being done to protect the enterprise, its customers, and shareholders from this new and very different type of threat. The proverbial “genie in the bottle” has been released as nation-states have come to grasp the power of conducting asymmetrical warfare and data theft against the information systems of multinational and national corporations.
“Nation-state cyberattack” conjures up action movie images of shady-looking characters with vaguely foreign accents and sophisticated hacking skills, hijacking data systems to derail trains and destroy buildings. In a case of real life imitating art, this is closer to reality than most corporate leaders can imagine, or many national security experts would care to admit publicly. A large number of nation-states are quickly developing the capability to conduct cyberattacks against governments and private businesses, threatening infrastructure, financial systems, and national economies. Nation-states that lack this capability are using freelance “cyber mercenaries” who can provide the skills needed to conduct cyberattacks.
The threat of a nation-state cyberattack against a corporation and its potential impact has been discussed in government circles and corporate think tanks for many years. The prevailing view is that attempts are ongoing to create a digital “Pearl Harbor” event in which mission critical infrastructure will be attacked and services such as the power grid or telecommunications will be intentionally damaged or crippled. In November 2014, Admiral Michael Rogers, Director of the National Security Agency (NSA), testified before the House Intelligence Committee and said, “Several foreign governments have hacked into U.S. energy, water, and fuel distribution systems and might damage essential services. Those intrusions have left the U.S. vulnerable to a cyberattack that will cause significant loss of life or physical damage one day.”
Statistics from the U.S. Department of Homeland Security’s Computer Security Emergency Response Team continue to identify ever-increasing attacks against systems that are the backbone of our nation’s critical infrastructure. In the United States, approximately 85 percent of the critical infrastructure is privately owned.
In response to recent attacks, the Obama Administration issued an executive order directing an assessment of potential economic sanctions against nation-states and individuals in those states that are identified as having been involved in cyberattacks against U.S. corporations. Critics of the Administration complain that it has been slow to retaliate against known nation-state actors. At the same time, others urge caution, arguing that economic or other sanctions would trigger a counter-sanctions attack against the United States that would damage its economy. Irrespective of which policy direction the Administration chooses to take, it is unlikely to change the behavior of these nation-state threat actors.
As businesses continue to leverage the power of the Internet and technology to maximize efficiencies in the marketplace, these same avenues can be and are being exploited by adversarial nation-states. The electricity grid that provides power to businesses, ATMs that are utilized by customers, and the transportation system that provides goods and services are only some of the businesses/services that have been disrupted by cyberattacks. In the same manner that reliance on technology has spurred new business ventures and increased profitability for Old and New World corporations, new technology has created vast new opportunities for thieves, nation-states, and terrorist organizations interested in gathering intelligence or conducting sabotage against the nation’s infrastructure. The magnitude of this threat demands a new way of thinking that should be taking place at the board and senior management level to ensure that risk is understood and measures are taken to minimize the impact from these threat actors.
As corporations look at the future and see the possibilities of new products, services, and markets made possible through use of the Internet and new technology, commercial enterprises need a proactive, comprehensive, integrated data security risk management program designed to protect their most sensitive data from attack.
The minimum steps that every business should take to minimize its exposure to cyber risk include:
- Develop and Implement a Cybersecurity Framework – Organizations can no longer rely on the traditional and outdated security model of “IT being responsible for data protection.” Cybersecurity risk is a threat to the entire enterprise and needs to be addressed on an enterprise-wide basis. In many cases, boards of directors and corporate executives still do not understand the complexity of the information structures in their organizations, where they are most vulnerable to attack, or what is required to protect their data. The securing of customer and employee information is the responsibility of the board, management, and every employee. Each and every individual in the company must be trained and made aware of the duty to protect corporate data. A cybersecurity framework that incorporates and operationalizes policies, procedures, and standards must be developed and implemented — one that every employee is required to follow, with consequences for noncompliance. The days of a “check box review” for compliance on cybersecurity should be relegated to the past.
- Manage Vulnerability – Businesses, large and small, often lack diligence in identifying and mitigating cyber risk to the organization. Boards and CEOs should make review of their company’s vulnerability management program a key reporting event so they understand where their vulnerabilities lie and the actions that need to be taken to mitigate those risks.
- Employ Threat Model and Detection – Forward-thinking corporations are not waiting to be targeted. They realize that they have information or data that is of value to others, and they are proactively identifying those threats and minimizing or eliminating their potential impacts. Risk cannot be mitigated if it is unknown. The necessity to be “forward looking” in the changing cyber threat environment is critical. In the same manner that radar allows an airplane to identify a threat, threat detection will provide an organization with advance warning of risk that may impact the corporation.
- Establish Supply Chain Controls – As businesses focus on their core efficiencies, outsourcing continues to grow at a rapid pace. Diligence is required to avoid exposing the company’s data by giving access to a vendor that has not taken appropriate steps to protect its own data infrastructure. A company is only as strong as its weakest link. If that link is an outsourced partner without controls in place to protect itself, that partner can easily become the point of entry for a determined threat actor. Measures must be taken to ensure that suppliers adhere to strict cybersecurity controls to protect data.
- Develop, Implement, and Test an Incident Response Plan – Commercial enterprises will continue to be targets for cybercriminals, and it is an established fact that a significant number of those attempts will be successful. A well-developed and -implemented incident response plan is absolutely essential to ensure that a company is prepared to react quickly and decisively in the event of a breach. The plan should be documented and tested on a regular basis. The board of directors and senior management should support and participate in testing the plan. The first time your CEO sees the company’s incident response plan in action should not be during an actual incident. Many examples of this failure have been publicized recently in the media, with attendant negative publicity.
The lesson to be learned is: Be proactive and prepared. Cyberattacks are here to stay — for the simple reason that they are relatively inexpensive to conduct and extremely effective. While attacks are impossible to prevent, companies can take reasonable, cost-effective measures to make themselves more difficult to penetrate and, when a breach does occur, enable senior management to act quickly to minimize the damage.
About the Authors
Art Ehuan is a Managing Director with Alvarez & Marsal Global Forensic and Dispute Services’ Cyber practice. He is a strategic information security specialist with more than 20 years of experience working with U.S. and international clients and governments.
Scott Harrison is a Managing Director with Alvarez & Marsal Insurance and Risk Advisory Services. He serves as a trusted advisor to insurance companies and their strategic partners seeking regulatory, compliance and corporate governance solutions.
U.S. Department of Justice, Office of Public Affairs, “U.S. Charges Five Chinese Military Hackers for Cyber Espionage Against U.S. Corporations and a Labor Organization for Commercial Advantage,” May 19, 2014, http://www.justice.gov/opa/pr/us-charges-five-chinese-military-hackers-c...
The White House, Office of the Press Secretary, “Executive Order – Imposing Additional Sanctions with Respect to North Korea,” January 2, 2015, https://www.whitehouse.gov/the-press-office/2015/01/02/executive-order-i...
Justin Sink and Chris Strohm, “Hackers, Corporate Spies Targeted by Obama Sanctions Order,” Bloomberg, April 1, 2015, http://www.bloomberg.com/news/articles/2015-04-01/u-s-economic-sanctions...