By: Rebecca L. Rakoski, Esquire
Patrick D. Isbill, Esquire
A good defense is a good offense, or maybe it is the other way around. According to IBM’s Annual Cost of a Data Breach Report for 2022, the average total cost of a data breach to global organizations is rising. But what about the cost of generating a cyber attack? Or better yet, is the growing proliferation of proactive cybersecurity controls like artificial intelligence (AI) platforms, encryption, and employee training making it more costly for cyber criminals to launch a successful attack that penetrates an entity’s cyber defenses, i.e., changing their tactical mindset and thereby driving down success rates? And to that end, to what degree are cyber attacks frustrated as a result of this subjective cost-benefit analysis rather than by any specific defense control?
These are tough questions worth considering in light of companies around the world investing an enormous amount of financial resources to ward off the far-reaching effects of a breach with the expectation of avoiding an actual one and all its damaging collateral effects. It is also true that this subjective cost-benefit counterattack analysis has caught the imagination of the U.S. Intelligence Community, maybe not from an economic cost (counterstrategy) posture but certainly from a psychological one to frustrate cyberattacks in the form of predictive behavioral analyses, cognition, and to some extent predisposition theories in decision making.
The Technology Paradox
There are a few simple truths in business. One is that cost is a factor in any competent decision strategy. Another is that technology is constantly evolving and any organization must adapt with it to stay competitive. Steep up-front costs for computing applications like AI and quantum computing will eventually let up as a result of greater development and understanding. This diminishing cost certainly allows corporations to afford more sophisticated cybersecurity controls. At the same time, it allows cyber criminals to afford more advanced technology and set in motion a greater number of sophisticated attacks over larger surfaces at a lower cost, attacks that have steadily matured beyond their initial simplicity. On the one hand, the decrease in the cost of technology allows more organizations to implement greater and more sophisticated cybersecurity controls. On the other, these decreasing costs likewise serve as an avenue for cyber criminals to step up the complexity of their attacks against these same organizations in an effort to challenge and circumvent those controls.
Proactive vs. Reactive Remedial Cybersecurity Controls
The data may ultimately bear out that proactive cybersecurity controls with an offensive mindset have a greater subjective impact on cyber criminals than reactive ones, which are thought of as more defensive in nature. In other words, the enhanced proactive deterrent effect could be a primary behavioral driver in averting a cyber event in the first place. Understanding this effect will likely lead to an evolution of cybersecurity and of the way organizations think about investing in a security and data protection program.
To be clear, one control is not necessarily better than the other, and each should be viewed as working synergistically instead of antagonistically. Plus, no one is credibly suggesting cyber attacks would be eliminated completely, only that a sharp increase in the cost of generating such an attack would in all probability lead to a measurable reduction in the number of successful ones. The goal, then, is not just reducing the average cost of a breach but knocking out a certain percentage of breaches altogether. Cybersecurity controls also do not fit neatly into either an offensive or a defensive mindset and can often be classified as both. Nevertheless, it is important to understand how to use each control, as well as its corresponding subjective effect on the source of the cyber attack, to achieve its most efficient application and outcome.
For example, according to IBM’s Annual Cost of a Data Breach Report for 2022, a key factor such as AI platforms is categorized as a “cost mitigator” for the effect it has on decreasing the average total cost of a data breach, and such factors are arguably proactive in nature, with some exceptions depending on how they are defined. In contrast, key factors from that same report like security system complexity, or presumably a lack thereof, and cloud migration lean toward “cost amplifiers” as a result of having the general effect of increasing the average cost of a data breach, and they generally reflect a reactive posture, again with some exceptions.
Some additional points of interest from the report include that the share of organizations with fully deployed security AI and automation has steadily increased by approximately four to six percent each year since 2020. In addition, the difference for last year in the average cost of a data breach between fully deployed security AI and automation ($3.15 million) and no security AI and automation deployed ($6.20 million) is $3.05 million. Moreover, the average time to identify and contain a data breach is 323 days where security AI and automation are not deployed but drops to 249 days where they are fully deployed, a difference of seventy-four (74) days, or over two (2) months.
Admittedly, these numbers support only the narrow conclusion that this cybersecurity control is effective primarily as a mitigator of cost rather than as an outright blocker. It does, however, go some way toward supporting the thesis that this type of proactive control is frustrating the efforts of cyber attackers to execute a full-scale cyber breach. To what extent remains to be analyzed. The corresponding question, of course, is the degree to which the cyber attacker’s judgment is being altered, or, more to the point, to what degree an organization can maintain its edge over the cost of executing a successful breach. Efficacy may not be the issue, but rather the sustained, efficient investment of resources by corporate decision makers in preserving strong cybersecurity and data protection in an effort to best ward off an expensive attack in the first place. There is little doubt that broader studies would be helpful. But for now, the argument is at least worthy of further consideration: that the growing proliferation of proactive cybersecurity controls like AI platforms is making it more difficult for cyber criminals to launch a successful attack that penetrates an organization’s cyber defenses, perhaps causing them to subjectively alter or simply abandon their initial attack strategy and vectors and move on to easier and less expensive targets, and plausibly diminishing success rates in the process, not just post-breach costs.
Regulations Prioritize Both Proactive and Reactive Cybersecurity Controls
New York’s Department of Financial Services (NYDFS) Cybersecurity Regulation Part 500 is one of many regulations that some organizations must potentially address when it comes to compliance. It sets forth the legal requirements for many of these proactive and reactive cybersecurity controls, or, more accurately, each control can arguably be a combination of both proactive and reactive application depending on the circumstances or on where it is employed in the lifecycle of a breach. Under Section 500.2(a) of the statute, “[e]ach covered entity shall maintain a cybersecurity program designed to protect the confidentiality, integrity and availability of the covered entity’s information systems.” Among a list of several “core cybersecurity functions” pursuant to Section 500.2(b)(2), “[t]he cybersecurity program shall be based on the covered entity’s risk assessment and designed to perform the following[:] … use defensive [emphasis added] infrastructure and the implementation of policies and procedures to protect the covered entity’s information systems, and the nonpublic information stored on those information systems, from unauthorized access, use or other malicious acts[.]”
When it comes to a cybersecurity policy under Section 500.3, “[e]ach covered entity shall implement and maintain a written policy or policies, approved by a senior officer or the covered entity’s board of directors (or an appropriate committee thereof) or equivalent governing body, setting forth the covered entity’s policies and procedures for the protection of its information systems and nonpublic information stored on those information systems.” The policy should be based on a risk assessment and address several areas of the covered entity’s operations. Additionally, for sections like “Application Security” where some of these proactive and reactive cybersecurity controls are read into the statute, Section 500.8(a) states, “Each covered entity’s cybersecurity program shall include written procedures, guidelines and standards designed to ensure the use of secure development practices for in-house developed applications utilized by the covered entity, and procedures for evaluating, assessing or testing the security of externally developed applications utilized by the covered entity within the context of the covered entity’s technology environment.”
So it appears that the answer may be that a good offense sets up, rather than segments into, a strong defense. Corporate data protection and cybersecurity have a lot of moving parts, and experience and a practical mindset are necessary to overcome the sharp edges of regulatory compliance management. Proactive and reactive cybersecurity controls can be more readily defined than offensive or defensive classifications, which do not fit as neatly into discrete categories.
Building a data protection and cybersecurity program, writing policies, and/or implementing controls tend to work better when beginning with a proactive mindset that feeds, i.e., informs, a reactive detection and response mentality. By the time detection has occurred, it is almost a certainty that the corporate technology infrastructure and security have been incalculably compromised too. Reactionary, remedial decisions spiral from the start by primarily forcing the employment of defensive tactics, constricting tense decision makers to negotiate their next steps instead of managing them. Careening toward organizational weaknesses from the beginning likely means the odds of successful mitigation, along with cost containment, will diminish exponentially. Employing proactive controls from the start, however, marshals a strategic posture that girds or enhances the effectiveness of defensive ones. Rather than looking at controls as a wall, maybe they need to be viewed with a surgical, chess-like attitude, not just rushing to see what can be blocked but considering how to strategically use economic levers or even predictive behavioral analyses to prevent a successful attack from occurring in the first place.
All in, it is worth considering the inverse calculus in this area of law and technology from a business standpoint. What can be learned or used from the inverse calculus of increasing the expense of generating a cyber attack, thereby influencing the attacker’s subjective behavioral mindset and lowering the probability of a successful breach, by using a proactive mindset to set up and support a reactive one? Offensive cybersecurity controls obviously cannot work alone. Breaches are neither academic nor theoretical exercises and need focused defensive measures to mitigate the damage. Defensive controls, on the other hand, contain all the necessary components of an effective security and privacy program but likewise cannot be viewed in a vacuum, nor are they a stand-alone solution. These strategic decisions bring several areas to a crossroad, namely business, technology, science, and the law, and perhaps also highlight a simple truth about both corporate and legal risk: it might never be completely phased out, but it can certainly be mitigated by staying strategic.
Reprinted with permission from the May 10, 2023, issue of the New York Law Journal. Further duplication without permission is prohibited. All rights reserved. © 2023 ALM Media Properties, LLC.
This article does not constitute legal advice or create an attorney-client relationship. The information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.