When I first saw the title of this book, I thought of the Warren Zevon song “Things To Do In Denver When You're Dead”. While that’s a typical sardonic Zevon tune, in You'll see this message when it is too late: The Legal and Economic Aftermath of Cybersecurity Breaches (MIT Press, ISBN 978-0262038850), author Josephine Wolff (professor of public policy at Rochester Institute of Technology) has written a different sort of work, and a most interesting analysis of how security breaches affect us.
She opens with the astute observation that cybersecurity incidents have a short shelf life. For example, when the FTC first investigated Wyndham Hotels a decade ago, the 50,000 breached records were a large amount. Then there was the CardSystems Solutions incident, the Sony breach, followed by the OPM breach, and then Equifax. Last year’s mega-breach is this year’s not-so-mega breach.
The premise of the book is that people (mistakenly) think there is nothing to be learned from the older, smaller breaches. They think the older breaches used older tactics, which have no relevance to the data security tactics of today. But that is simply not the case.
Yes, attackers are getting smarter and more sophisticated, but there is still a lot to learn from the older breaches, and those are the lessons Wolff showcases throughout the book. And perhaps more importantly, as Dr. Andy Ozment, former White House Senior Director for Cybersecurity of the National Security Council, noted, “it is dangerous to confuse sophistication with effectiveness”.
In the book, Wolff looks at a number of breaches and security incidents from 2005 to 2015 and details the lifecycle of how the breach occurred. While the T.J. Maxx data breach of 2007 was blamed on an unpatched wireless router, she writes that to blame an extended, international, multistage financial fraud operation on a single, poorly protected wireless network is to fundamentally misunderstand how many different steps are involved in carrying out what the perpetrators achieved, and to vastly oversimplify the task of defending against such breaches.
A lot of what Wolff does is clear the air about some of the bigger breaches and detail what really happened. As to the Sony breach, she writes that Sony was a victim of numerous breaches and, year after year, repeatedly didn’t learn any lessons from them. With the 2014 breach that brought them to their knees, they decided to paint the breach as the cybercrime of the century and its perpetrators as brilliant, cutting-edge, relentless criminals. While some part of that might be true, Wolff rightfully lays most of the blame on Sony for repeatedly not securing systems to an adequate level.
Every breach has lots of lessons that can be learned in its aftermath. While Sony PlayStation Network chief Tim Schaaff described his breach as “highly sophisticated” and “unprecedented in its size and scope”, there was more hyperbole than fact.
Wolff adds a lot of new light and an interesting perspective to some of the biggest (and not so big) breaches of the last 14 years. This is a most interesting read and will change the way you think about information security, and how firms should deal with the inevitable data security breach that will certainly hit them.