After the series of data breaches that dominated the 2014 security landscape, the Sony security breach was the last straw. Not only did it turn the movie world on its head, but it became a "serious national security matter" that pushed cybersecurity to the top of President Obama’s 2015 agenda.
"With the Sony attack that took place, with the Twitter account that was hacked by Islamist jihadist sympathizers yesterday, it just goes to show how much more work we need to do - both public and private sector - to strengthen our cybersecurity," the president said earlier this month, following a White House proposal for toughened laws on cybersecurity.
The proposal was a call to revive older legislation plans that had stalled due to liability and privacy concerns raised by companies and civil liberties groups. As such, the new proposed plans seek a balance: they would encourage sharing cyber threat information (stripped of any personal data) between the private sector and the government, with protection from liability. They would also “allow for the prosecution of the sale of botnets, criminalize the overseas sale of stolen US financial information like credit card and bank account numbers, expand federal law enforcement authority to deter the sale of spyware used to stalk or commit ID theft, and give courts the authority to shut down botnets engaged in distributed denial of service attacks and other criminal activity.”
Clearly, this proposal would provide law enforcement agencies with more tools and avenues to pursue cybercriminals.
By sharing information about how a data breach took place (intrusion method, security infrastructure before the attack, malware analysis), the affected companies could help build a centralized database that would make it possible to build criminal profiles and track down attackers more quickly. Organized efforts might even result in a legal framework that deters some cybercriminals from continuing their activities. But only some. As Obama himself underlined, “even as we get better, the hackers are going to get better, too.” And they have proven time and time again how skilled they are at bypassing defenses and working around law enforcement.
So the question is: will new, stricter cybersecurity laws actually protect organizations like Sony against hacks?
The answer: not really. While new laws may in fact improve cybersecurity practices and prove somewhat beneficial in terms of security awareness, they will not prevent actual breaches. Regulation against “offline” crime has existed for quite some time, but so has “offline” crime, and it continues to happen. The “online” crime landscape works pretty much the same way.
If an organization can be considered a high-value target, then it should expect to become one at some point. This only highlights the need for the organization to toughen up its security shields and close all possible malware entry points. Multiple layers of security at the endpoint, server, and network levels are crucial, as are regular vulnerability assessments and constant monitoring of network activity, so that abnormal behavior that may lead to a breach is detected early.
The reality is that it’s not a matter of “if you’ll get hacked” but “when you’ll get hacked,” and how quickly you can figure it out in order to contain the damage.