
by Doug DePeppe

Lessons from Sandy: Clarity in the eye of a cyberstorm

Opinion
Dec 13, 2012 | 7 min read
Disaster Recovery, IT Leadership, IT Strategy

Attorney and risk consultant Doug DePeppe on how the lessons of Superstorm Sandy can be applied to cybersecurity.

This writing draws a parallel between failures in Superstorm Sandy preparation and today’s cybersecurity landscape — and the many failures in establishing a more trustworthy Internet environment. My premise is that cybersecurity — while a virtual domain — presents a more tangible and compelling case for widespread corporate prevention and preparedness because the cyber-risk environment has known risks.

The advocacy challenge to prevention spending

As the East Coast continues to recover from Superstorm Sandy, talk has already begun about better protection for New York City from future tidal surges and flooding.

New York is the global financial nerve center, yet Wall Street closed down briefly from flooding. In broad terms, it is not acceptable to risk global market disruption when prevention systems could have stopped or mitigated the damage; and it is equally unacceptable with respect to the human and business toll on a world-class city of 8 million people. The financial loss from Sandy, by some estimates, could be as high as $100 billion. Yet, according to some experts, a system of dikes and barriers could have prevented most of the damage from the flooding. The cost? Reportedly in the range of $5-10 billion. While that is a hefty price tag, in hindsight it seems like a worthwhile investment. The Stony Brook Storm Surge Research Group has been advocating a prevention system for years. Only after the destruction in New York caused by Sandy has the group found renewed interest in its prevention concept.

Related content: “Surviving Sandy”

The story of the Stony Brook Storm Surge Research Group and its advocacy challenge for a dike and barrier protection system around New York underscores the obstacles in “selling prevention.” Sometimes, no matter how persuasive and compelling one’s case is for a proposed solution, decision-makers remain unwilling to address the risk. Today, selling prevention from cataclysmic risk shares a cousin — the Internet environment. We currently face a critical challenge of improving cybersecurity across society. If Sandy becomes the “poster child” that mobilizes support for a prevention system in New York, what must occur in the cybersecurity marketplace for an “all of society” mobilization? There have arguably been a number of poster child breaches and incidents in cyberspace already: Heartland, Sony, and Stuxnet, to name just a few. And Stuxnet was even labeled in Congress as a “game changer.” Not so fast!

The known risk environment

In America today, there is a very slow pivot toward a changed cybersecurity mindset. It is moving too slowly, however. The average citizen has not heard of Heartland, nor do they know very much about Stuxnet, Flame, Duqu, or the Iranian Quds Force. Those in the cybersecurity field are well aware of the present threat, but the American public is largely oblivious. Yet, the threat is not that new. Long before today’s media hype of cyberwar and talk of Iran, China and Russia, there was Titan Rain and other extremely grave compromises of national security.

Today, General Alexander of the National Security Agency calls the cyber threat the “greatest transfer of wealth in history.” Defense Secretary Leon Panetta openly discussed in recent weeks his fear for a “Cyber Pearl Harbor,” calling today’s predicament a “pre-9/11 moment.”

These bold pronouncements are not mere rhetoric. As outlined in the White House 60-day Cyberspace Review, our nation’s security and economic competitiveness on the world stage are at risk. China’s grand strategy is to steal American technology and know-how, rather than invest themselves in research and development. It is simply easier to steal secrets through the Internet.

Selling prevention in the cyber realm should not be so difficult. Whereas few could have predicted Superstorm Sandy, leaders ARE predicting a cyber Pearl Harbor. Moreover, the data points already exist regarding cybersecurity risk. Ponemon, Symantec, McAfee and many others report cybersecurity cost data regularly. Attacks on critical infrastructure HAVE occurred. The Nasdaq HAS been attacked by hackers. The CIA HAS confirmed power outages caused by cyberattack. And business losses, fraudulent financial transactions, and trade secret theft HAVE been occurring for years, with annual costs in the hundreds of billions of dollars! We are facing a known risk, not a hypothetical risk. Unlike Superstorm Sandy, the cybersecurity landscape today is really not about “selling prevention” as some business owners perceive it. Cybersecurity is about business continuity and risk management.

Counterpoint: “Security experts push back at ‘Cyber Pearl Harbor’ warning”

Leaders Take Note

Cybersecurity is a leader problem. It is a boardroom fiduciary responsibility. Liability lurks for the negligent avoidance of a foreseeable risk. Lack of awareness of the risk is indefensible today — not when leaders are calling the risk a “pre-9/11 moment” and not when the loss of data makes headlines. Instead, many organization leaders today fail to take sufficient time to apprise themselves of the risk. That is not adequate due diligence. And failure to engage in due diligence is a potential negligence lawsuit waiting in the wings.

The Solution

Avoiding negligence in the cyber realm is not difficult. Granted, true security online is likely impossible. If an attacker is determined to get in, a network compromise will occur. As FBI Director Mueller declared: “There are only two types of companies: Those that have been hacked, and those that will be.” Faced with this predicament, what’s an executive to do? While the detailed answer entails an implementation that may take time, effort, and money, the short answer is that leaders need to take measures that manage risk.

The challenge in managing cyber-risk is to first identify all risks. Identifying risk is not always easy. Leaders often — indeed usually — delegate this role to the CIO, CISO, CSO, or the “IT guy” in the firm. The problem with this approach is that cyber-risk often results from business practices rather than solely from network deficiencies. It’s the risk to the small business’ financial resources through the use of online banking practices without sufficient technical and policy controls; it’s the traveling salesman who logs on to unsecured hotel WiFi connections and then plugs back into the home network without a malware scan. Only leaders can identify all the risks associated with the organization’s business practices. Still, cyber-risk identification is the first step toward avoiding negligence.

The Fundamental Point

In my next writing I will further discuss foreseeable risks and the due diligence steps needed to avoid negligence claims. Still, for now it’s important to point out that most leaders are failing to take account of foreseeable risk. They aren’t even looking at cybersecurity as a leader problem, despite the many substantial organization and personal risks. The point of this writing is to highlight that diligence efforts are a necessity to shield against potential liability. With the risk so prevalent, cyber-risk presents a modern day “slip and fall” scenario that can no longer be avoided.

Conclusion

New York City did not bite the bullet and invest billions in order to avoid tens of billions of dollars in damage. In cyberspace, we have already suffered hundreds of billions of dollars in monetary losses nationally. Leaders face a cybersecurity risk that is far more likely than Superstorm Sandy. Most organizations do not have to build an expensive and robust barrier system to secure their enterprise; they merely have to take reasonable precautions to avoid known and foreseeable risks.

Doug DePeppe is a partner with i2 Information Security, a published cybersecurity writer, and participated in two White House cybersecurity initiatives, including the White House 60-Day Cyberspace Policy Review.