With cyber security achieving an increasingly important position in the world, many companies have found that their initial measures have not held up well enough in the face of novel cyber-attacks. This issue stems from factors such as failure to seriously consider cyber security, as well as an inability to implement security effectively.
Possibly the most difficult-to-grasp aspect of defense in cyberspace is the need to escape notions that are true for the physical world but not necessarily true for cyberspace. One example is the common understanding of borders and proximity. In the physical world, borders are observable, with clear dimensions, placed and maintained by the people around them. Location and distance are very different in cyberspace, as Michael Daniel, president of the Cyber Threat Alliance, states in an article in the Harvard Business Review: “Proximity is a matter of who’s connected along what paths, not their physical location.”
Daniel also points out the flaws of relying on physical jurisdictions – a cyber-attack can be perpetrated from any location against any network, using an array of hacker tools. It is thus not reasonable to mandate jurisdiction based on physical location. Laws and policies regarding cybersecurity need to be approached with a new mindset, one that acknowledges the need for flexibility in securing the networks of the world.
The responsibility for the protection of companies and consumers lies not only with governments, but with those individual entities and end users as well. For a field in which designating areas of jurisdiction is so asymmetric, the division of accountability cannot afford to be rigid. Daniel suggests employing the same strategy taken by disaster response planners.
“In disaster response, preparedness and initial response reside at the local level; if a given incident overwhelms or threatens to overwhelm local responders, then steadily higher levels of government can step in. We could apply these principles to allocating responsibility in cyberspace – businesses and organizations remain responsible for securing their own networks, up to a point. But if it becomes clear that a nation-state is involved, or even if the federal government merely suspects that a nation-state is involved, then the federal government would start bringing its capabilities to bear.” (Michael Daniel, 2017)
Daniel’s statements echo Trillium’s belief that no business or organization should lack preparation for a cyber-attack. Waiting defenseless until an incident occurs and then depending on the government to take care of the situation is not only risky, but irresponsible. If the damage caused by the initial infiltration is severe enough, loss of wealth, privacy, and even life can occur. To this end, it is imperative that the world prepare itself for the future, for in an invisible environment in which countless threats lurk, having no shelter is not an option.