(WSJ): How Companies Can Ward Off the Hacker Hordes

Given the Sony and Anthem hacks, the corporate cybersecurity summit is long overdue.

By HERBERT LIN

Feb. 12, 2015 7:05 p.m. ET

Stanford University will host a White House summit on cybersecurity and consumer protection on Friday. The gathering comes at a time of increasing public concern, even urgency. Thefts of sensitive information, large and small, occur with depressing regularity.

In November Sony Pictures Entertainment was hacked, a lot of the company’s data were made available on the Internet, and many of its computer systems were wiped clean. Last week hackers hit Anthem, the health-insurance giant, and potentially compromised 80 million records containing personal information, including Social Security numbers, that could be used to steal identities.

Modern life increasingly depends on information technology, and this dependence is for the most part irreversible. The networks and systems of the digital world are also unavoidably complex. Internet service providers, software vendors, credit-card companies, computer manufacturers, content-delivery networks, certificate authorities all work together to make the Web function for the benefit of society—but every one of these elements is a potential target.

The complexity of information technology has technical significance, because complexity is one of the greatest enemies of good security in system design and development. But it also has policy significance: Complex systems are very difficult to manage properly through a top-down, government-driven approach.

So what to do now? In the short term, companies and organizations can adopt the current best practices and existing security technologies that are known to improve cybersecurity.

Companies, for example, can conduct frequent, unannounced tests of their cybersecurity and report the results to investors as well as the general public. Businesses may adopt plans and policies to reduce their vulnerability to attack—but only independent testing can reveal actual operational vulnerabilities.

Such testing today is often performed by teams of “ethical” hackers—individuals with the skills to penetrate company defenses but who do so only with the goal of improving the security of those companies. The companies do not report on the results, but they should. The reports need not reveal details of security breaches; but public reporting of test results is likely to enhance security because the senior leadership of a company has strong incentives to fix problems that may affect how its customers and potential stockholders view it.

Companies could also practice operating their systems under the assumption that they have been compromised. The so-called M&M defense, in which an organization is hard on the outside but soft on the inside, assumes that presenting a difficult-to-penetrate perimeter is sufficient. But in practice, attackers will eventually get in, and if the inside is unprotected, they will have free rein.

Security measures on the inside—such as encrypting data resident on a company’s networks—can be inconvenient. But they increase the likelihood that the organization can operate effectively even while it is under attack.

These measures can tempt managers into placing too high a value on the immediate costs of improving cybersecurity and too low a value on the potential future benefits, and more precisely the avoided costs, of preventing cyber disaster. The question arises as to how the market might improve these valuations.

One way is through insurance. Buildings today, for example, are much more resistant to fire damage because of changes driven by careful underwriting.

Meanwhile, the Securities and Exchange Commission has advised public companies to disclose information about cybersecurity risks and incidents as part of their filings. Turning such advice into a regulatory requirement is one minimal step that the federal government could take to improve information flows in the market.

In the long term, we will need to better protect the digital world from attacks—and this is the sweet spot for academia. Researchers in universities are well placed to develop new cybersecurity technologies, policies and procedures useful against tomorrow’s cyberthreat, as well as the ways to roll out these technologies in the most cost-efficient manner.

But in today’s hypercharged political environment, the greatest challenge will be how market mechanisms, and careful regulations, can best promote cybersecurity.

Mr. Lin, a physicist, is senior research scholar for cybersecurity at Stanford’s Center for International Security and Cooperation and a research fellow at the Hoover Institution.