News stories about cyberattacks — SolarWinds, Colonial Pipeline, Capital One, Equifax, and many others — have become all too common. The stories usually focus on what happened, with little about the “how” and almost nothing about the “why.” But when the “why” isn’t examined, the circumstances that made the cyberattack possible are rarely addressed. What’s the rest of the story?1
Consider a simple example: A bank is robbed; that’s the “what.” The “how” might be that the burglar alarm failed to go off. And that’s usually the end of the story: There was an unfortunate malfunction.
Get updates on Innovative Strategy
The latest insights on strategy and execution in the workplace, delivered to your inbox once a month.
Please enter a valid email address
Thank you for signing up
But digging deeper, we might learn that the alarm system was known to be old and unreliable. Funds had been allocated to replace it, but someone in management decided to instead use them for a marketing campaign to attract more customers.
I call this semiconscious decision-making, because someone made a decision — not to replace the burglar alarm — without considering the possible consequences of that choice, namely, losing all the cash. In essence, that decision created the circumstance for the robbery.
That isn’t just an interesting hypothetical example; our Cybersecurity at MIT Sloan (CAMS) research group studied many cyberattacks and found that every major attack was a result of semiconscious decision-making, which is rarely studied and thus rarely corrected.
Multiple Layers of Defense
There’s an adage that thieves have an advantage because they only have to find one way in, whereas the defenders must be sure that every entryway is locked. But actually, defenders often have the advantage.
In the case of a cyberattack, this is because the attacker must successfully complete multiple steps, each of which offers the defender an opportunity to halt the intrusion or at least mitigate its impact. Effectively, the attacker must find not simply a single way in but the precise sequence of steps that will enable the cyberattack to succeed.
What’s the rest of the story behind our bank robbery example? It might not be reported that the bank president had given the vault lock code to an assistant, written on a piece of paper left atop the assistant’s desk, which the burglars were able to find.
1. “The Rest of the Story” was a radio segment that aired for more than 30 years, ending in 2009. In each episode, host Paul Harvey presented the backstories of historical events and always ended his broadcasts with the tagline “And now you know the rest of the story.”