
You'll See This Message When It Is Too Late: The Legal and Economic Aftermath of Cybersecurity Breaches


Book written by Josephine Wolff

Book review by Ben Smith

Bottom Line

I don't recommend this nonfiction book for the Cybersecurity Canon Hall of Fame, but if you are interested in the topic, this is a good one to read.

Review

You have probably read articles, or even entire books, devoted to specific information security breaches; in our industry, that is typically gripping reading. Contrast that subject area with reading about how rules-based and standards-based frameworks and policies have failed the industry, and you might be a little less excited to travel into a dry regulatory review.

The good news: You'll See This Message When It Is Too Late: The Legal and Economic Aftermath of Cybersecurity Breaches combines both of these important areas together with color and clarity. This is a book where the cold reality of adversarial behavior, goals and attacks meets slow-moving institutions which are perpetually challenged when trying to create and implement timely and effective policy.

The author wisely starts us off with breach case studies of entities victimized for reasons of crime, espionage, or humiliation. And from there, the author paints in the context of how the entity got to that breach point, what happened during the attack, and what the aftermath looked like. While there are no easy solutions presented here, potential policy-based solutions, or at least compelling ideas worthy of public debate, are clear by the end of the book.

There are a few consistent threads running throughout the book, starting with the blame game. In the immediate aftermath of a breach, there is always a hunt for who was at fault, or what control was at fault for letting an adversary succeed. Sometimes it’s the victim who seeks to deflect their responsibilities, in an effort to divert attention from the reality that common-sense controls and policies may have been absent. Or perhaps it’s an industry group trying to insulate peer companies from a similar reputational hit. Or it’s an insurer reviewing the nature of an attack to determine if a claim should be paid through a cyber-insurance policy.

The blame game is present in every breach you read about today. A state government agency, targeted for personal taxpayer information which cannot be easily replaced, blames a federal agency for not requiring it to encrypt that data. The same state agency is then discovered to have previously passed over the opportunity to bring in a multi-factor authentication solution for a low-five-figure investment; is it management or the budget that should be blamed? A federal agency, attacked by a foreign government that exfiltrated millions of especially sensitive personnel records, blames another agency for not requiring that data to be encrypted. As if any one of these single controls would have prevented these highly publicized incidents.

This brings us to the second thread: there is no magic bullet or single control guaranteed to prevent a breach. Do any of these “if only” scenarios sound familiar? If only encryption had been in place in any of the above incidents, we wouldn’t be reading about them as case studies. If only a major retailer had stronger wireless encryption in place at its retail stores, customer credit card information could not have been stolen. If only a manufacturer’s internal directory list of server names which clearly reflected critical business and operational functions had been obfuscated, the attackers could not have completed their mission. If only a certificate authority had implemented a cleaner, easier-to-manage security architecture, they would not have gone bankrupt.

Sure, it’s easy to point out that technologies or processes which are universally considered good cyber hygiene were missing from a victim’s arsenal of defensive tooling. But do we really think that a committed adversary will simply stop after running into one or more of these foundational defensive strategies? Isn’t it more likely that this adversary would continue to work to find some other path to get to the data they seek? The magic bullet talk track fails to consider this reality. It’s a theory which points a finger at “the one thing” the victim should have done, but there is rarely a single missing control which is to blame for a given breach.

At their essence, both the blame game and the magic bullet represent liability frantically trying to be assigned, somewhere, to someone or something. The author points to the concept of intermediary liability as a poorly-defined, possibly unenforceable concept. When it comes to information, almost everyone on the internet today is an intermediary of data, receiving it from upstream and/or passing it downstream. Is the highly publicized victim of a breach truly the only entity worthy of blame when there were other entities upstream whose own poor information security practices may have indirectly contributed to the breach?

An important question indeed, especially when money is at stake. The author goes on to tie this concept to the incentives which exist (or are absent) for both the intermediaries and the victims. If my upstream ISP has the ability to passively monitor traffic destined for my company, traffic which could contain malware, is it incentivized to take action, or will it rather let that poisoned traffic pass through? This is an exceptionally thorny area containing not just incentives but legal, surveillance, and commercial concerns. But it is still worthy of consideration, as one of the truisms both before and during the internet era is that incentives always drive behaviors. Sometimes those incentives arrive in the guise of an industry- or government-mandated regulation with teeth. Some bright vendors recognize a lack of incentives as a business opportunity to independently demonstrate to their downstream customers that the vendor can and will step up to address one or more problems found in other vendors' solutions.

Don’t be scared off by the policy goals of this book — you’ll finish this reading much better informed not only about why action-based policy may be more effective than the pervasive outcome-based policy models we have today, but also how to do a better job securing your own organization, and how to recognize the right and wrong ways to react to a breach.

We modeled the Cybersecurity Canon after the Baseball Hall of Fame and the Rock & Roll Hall of Fame, except it’s a canon for cybersecurity books. We have more than 25 books on the initial candidate list, but we are soliciting help from the cybersecurity community to increase the number. Please write a review and nominate your favorite. 

The Cybersecurity Canon is a real thing for our community. We have designed it so that you can directly participate in the process. Please do so! 
