Undergraduate, graduate, and professional students of cybersecurity from around the world gathered earlier this year to participate in a cybersecurity competition that simulated the international policy challenges associated with a global cyberattack. While the goal was to practice sound policy decisions, the majority of competing teams unintentionally led the U.S. into starting an international war. Given a variety of diplomatic and other means of responding to cyberattacks, participants largely took the aggressive approach of hacking back in response to cyberattacks from China, and to disastrous consequences.
While the competition’s participants are all students today, they may well go on to be corporate directors and government leaders of tomorrow. Based on current debate about how organizations in the private sector should respond to cyberattacks, it seems the actions taken by these students may well be representative of a broader trend. In fact, there is enough of a push for organizations to be legally authorized to “hack back” that earlier this year a member of Congress proposed a bill to empower people “to defend themselves online, just as they have the legal authority to do during a physical assault.”
As a business leader, I believe this measure would do more harm than good.
What Is Hack Back?
Hack back, which is sometimes called counterstrike, is a term used to refer to an organization taking offensive action to pursue, and potentially subdue, cyberattackers that have targeted them. For the purposes of this article, I am specifically talking about action taken by private sector organizations that affects computers external to their own network. We are not discussing government actions, which tend to occur within existing legal frameworks and are subject to government oversight.
Hack back activities go beyond defensive measures that organizations may put in place to protect their environments. It is generally understood that hack back activities extend beyond the victim’s own network, systems, and assets, and may involve accessing, modifying, or damaging computers or networks that do not belong to the victim. Directors should note that today it is illegal under the Computer Fraud and Abuse Act for private parties to access or damage computer systems without authorization from the technology owners or an appropriate government entity, even if these systems are being used to attack you. That is what proponents of hack back want to change, and the proposed bill goes some way towards doing this.
The Case for “Self Defense”
In response to the legal restriction, proponents of a law to legalize hacking back at cyberattackers often argue that the same principle should apply as that which allows U.S. citizens to defend themselves against intruders in their homes, even with violent force. While it may sound reasonable to meet force with equal force in defending a network, the Internet is a space of systems designed specifically for the purpose of interacting and communicating. Technology and users are increasingly interconnected. As a result, it is almost impossible to ensure that offensive action aimed at a specific actor or group of actors will affect only the intended targets.
The reality of the argument for hacking back in self-defense is unfortunately more akin to standing by your fence and lobbing grenades into the street, hoping to get lucky and stop an attacker as they flee. With such an approach, even if you do manage to reach your attacker, you’ll almost certainly cause terrible collateral damage. Can your organization afford to clean up such a mess? What would be the repercussions for your reputation and position in the marketplace?
Another significant challenge for private sector organizations looking to hack back is that, unlike governments, they typically do not have the large-scale, sophisticated intelligence gathering programs needed to accurately attribute cyberattacks to the correct actor. Attackers constantly change their techniques to stay one step ahead of defenders and law enforcement, including leveraging deception techniques. This means that even when there are indications that point to a specific attacker, it is difficult to verify that they have not been planted to throw off suspicion, or to incriminate another party.
Similarly, it is difficult to judge motivations accurately and to determine an appropriate response. There is a fear that once people have hack back in their arsenal, it will become the de facto response rather than using the broad range of options that exist otherwise. This is even more problematic when you consider that devices operating unwillingly as part of a botnet may be used to carry out an attack. These infected devices and their owners are as much victims of the attacker as the primary target. Any attempt to hack back could cause them more harm.
The Security Poverty Line
Should hack back be made a lawful response to a cyberattack, effective participation is likely to be costly, as the technique requires specialized skills. Not every organization will be able to afford to participate. If the authorization framework is not stringent, many organizations may try to participate with insufficient expertise, which is likely to be either ineffective or damaging, or potentially both. However, there are other organizations that will not have the maturity or budget to participate even in this way.
These are the same organizations that today cannot afford a great deal of in-house security expertise and technologies to protect themselves, and currently are also the most vulnerable. As organizations that do have sufficient resources begin to hack back, the cost of attacking these organizations will increase. Profit-motivated attackers will eventually shift towards targeting the less-resourced organizations that reside below the security poverty line, increasing their vulnerability.
A Lawless Land
Creating a policy framework that provides sufficient oversight of hack-back efforts would be impractical and costly. Who would run it? How would it be funded? And why would this be significantly more desirable than the status quo? When the U.S. government takes action against attackers, it must meet a stringent burden of proof for attribution, and even when that has been done, there are strict parameters determining the types of targets that can be pursued and the kind of action that can be taken.
Even if such a framework could be devised and policed, there would still be significant legal risks for a variety of stakeholders at a company. While the Internet is a borderless space accessed from every country in the world, each of those countries has its own legal system. Even if an American company were authorized to hack back, how could you ensure your organization would avoid running afoul of the laws of another country, not to mention international law?
What Directors Can Do
The discussion around hacking back so far has largely been driven by hyperbole, fear, and indignation. Feelings of fear and indignation are certainly easy to relate to, and as corporate directors, powerlessness does not sit well with us. It is our instinct and duty to defend our organizations from avoidable harm.
The potential costs of a misstep or unintended consequences from hack back should deter business leaders from undertaking such an effort. If another company or a group of individuals is affected, the company that hacked back could find itself facing expensive legal proceedings, reputational damage, and loss of trust by many of its stakeholders. Attempts to make organizations exempt from this kind of legal action are problematic, as they raise the question of how we could spot and stop accidental or intentional abuses of the system.
It’s one thing for students to unintentionally trigger war in the safe confines of a competitive mock scenario, and another thing entirely to be the business leader that does so in the real world. Directors of companies must instead work together to find better solutions to our complex cybersecurity problems. We should not legitimize vigilantism, particularly given the significant potential risks with dubious benefits.
Corey Thomas is CEO of Rapid7. All opinions expressed here are his own.
Organizations face a radically shifting context for the workplace that includes cognitive technology, intelligent automation, and machine learning. These technologies are disrupting and threatening many companies across many industries. As a result, organization designs and business models are being updated to defend existing market position and proactively seek the new opportunities that “digital” can offer.
Mercer’s 2017 Talent Trends study found that 97 percent of executives say that becoming a digital organization is important to their future, with 77 percent stating that their company is on a digital journey already. However, as few as 8 percent of CEOs believe their organizations are as digital (or even anywhere near as digital) as they must be to ward off emerging competitors.
This same study also uncovered striking discord between the digital strategy and people strategy. While most CEOs are focused on designing a more digital and agile organization to compete for the future, only 15 percent of human resource (HR) departments have organization and job design as key elements of their people strategy. Only 37 percent of HR respondents have change management on their radar screen. The risks created by this disconnect are significant. Without a culture open to change and a workforce willing and able to adopt new technologies, digital change efforts will rarely be as impactful as they need to be.
The Board’s Role in Elevating the Digital and People Agenda
Boards are custodians of organization strategy. They also play a key role in overseeing the talent strategies required to execute and deliver on business objectives. By reviewing the organization’s talent strategy through the lens of digital disruption, directors can help uncover risks and ensure better alignment between their companies’ digital and people agendas that will be necessary for future success.
Here are five sets of questions to get started.
1. Does the executive team possess digital competence and diversity? Digital strategy should be born from the vision of the CEO and executive team. In combination, does the executive team have the digital competence to appropriately prioritize and drive development of transformational digital strategy? Will they think beyond technology to people capabilities and a culture of agility? And, beyond digital capabilities, is there enough diversity to help foresee the range of potential future business scenarios and support the creativity and agility that will be needed to adapt to changing business circumstances?
2. Do our succession planning and leadership development goals emphasize the capabilities needed in a more digital world? Organizations need to revisit their leadership development programs because the competencies that have reliably predicted leadership potential and success in the past, even just yesterday, are not the same as those needed for tomorrow. Are leaders self-aware such that they are not blindsided by emerging risks? Are leaders sufficiently curious to sense more than the obvious trends that will impact business success? Are leaders creative and entrepreneurial enough to create advantage from new technologies and business design possibilities?
3. Is there a balance between the company’s strategy to build talent and its strategy to buy it? Many organizations have a bias to build talent from within, particularly as they plan their succession pipeline for the executive team. However, buying digital experience (from within or outside the organization’s industry) is a much quicker way of building digital competence and diversity of thought. Is there a discipline of building executive “succession slates” that includes curating external candidates who offer capabilities different from those gained through internal experience?
4. Has the workforce plan considered the impact of digital disruption on jobs? In The Future of Jobs report, the World Economic Forum projected that 35 percent of core skills will change between 2015 and 2020. Current jobs will require a different skillset in a few years; skills instability will be high in all industries regardless of employment outlook; and, if current roles are already difficult to recruit for, it certainly won’t get easier as demand for new skills emerges. Does the organization have a workforce plan that forecasts which skills will be needed in the future and which will be less in demand? Is there a talent plan that aligns with this changing pattern of skill demand? And is there transparency with the workforce, so that those whose jobs are most at risk of disruption are able to take proactive steps to build a skillset that will be relevant tomorrow?
5. What thought has been given to employer brand and the company’s role in society? Digital disruption goes hand-in-hand with job disruption. It is likely that tomorrow’s business models will require a smaller core workforce and that digital technology will destroy more jobs than it creates. It is likely that unemployment and underemployment will rise. How will the organization maintain an attractive employer brand and contribute to the health and welfare of broader society? What plans, tools, and programs does the organization have in place to manage the transition of all members of its workforce (executive and non-executive) who will not be able to adjust to the workforce of the future?
Without a robust people agenda, an organization’s transformation efforts to address the challenge of digital disruption will struggle. By applying a digital mindset to the talent strategy and asking questions like those above, directors can play an important role in ensuring the alignment between people and digital strategy, and better position the organization for success.
Ilya Bonic is president of Mercer’s Career business.
Probably the last thing Uber needs right now is to have anyone recount their recent setbacks, but the company’s quick, Icarus-like fall from grace tells us much about how technology companies going through hyper-growth can go wrong. By 2016, the ride-sharing firm was a segment leader, present in 570 cities worldwide and with 12,000 employees. Yet just since the beginning of the year, Uber’s company culture, marked by “sharp elbows,” has rapidly become a liability.
The key is to preserve the great parts of the culture that drove Uber’s market leadership, including the company’s relentless focus on results, and to augment the culture for a larger scale. Specifically, it would be wise to add an appropriate level of process and to rebalance the gender composition of the company’s board.
For Uber, the hits have just kept coming. First there was the video of CEO and founder Travis Kalanick chewing out one of the company’s own drivers. This was followed by lawsuits and first-person stories alleging a toxic company culture of sexual harassment. For good measure, long-time board member David Bonderman resigned after allegedly making sexist remarks at a meeting to unveil plans for reforming Uber’s sexist culture. Then, Kalanick resigned, Uber investor Benchmark Capital is suing him and the company, and Uber agreed to audits for the next 20 years by the Federal Trade Commission (FTC). The FTC’s actions demonstrate the level of long-term damage cultural problems can inflict.
Now that Uber has selected Dara Khosrowshahi to lead the company, and is likely to become a publicly traded company within the next eighteen months to three years, the board has even greater impetus to change the direction of the company’s culture.
To me, as a woman who has served on many major tech company boards, much of this sounds like old news. Women in technology industries still push against a silicon ceiling when it comes to career advancement and cultural issues. Research from the Society of Women Engineers found that 20 percent of today’s engineering school graduates are women, yet just 11 percent continue working in the field. Women in information technology leadership roles (such as chief information officers or technology vice presidents) are just nine percent of the total, according to a survey from Harvey Nash and KPMG.
The numbers are also bleak in other Silicon Valley boardrooms. Among the Valley’s 150 largest tech firms, only 15 percent of board members are women (versus 21 percent in the S&P 500). A Korn Ferry study of the top 100 U.S. tech firms saw just three with women as CEO/chair, and five with a woman as the board’s lead director.
Changing any corporate culture is a challenge, but I’ve found bringing diversity to the tech industry is even trickier. Fast-growth “unicorn” companies can quickly outgrow their founding, venture-based startup corporate governance, and find themselves facing Uber-like crises with too few seasoned, level-headed business people in the boardroom. Yet in my own experience, I’ve seen technology companies nurture diverse, inclusive cultures, starting with a few one-on-one approaches from the boardroom.
Build internal career networks. At Volvo Car AB, where I serve on the board, we’ve launched a regular program in which I have the opportunity to meet with senior and mid-level women executives about personal career development. We work with these executives to build on their strengths, clarify their career aspirations, and offer advice on advancement. This is a new program, but it is already proving a success in energizing and motivating these current and future female leaders.
Make mentoring personal. On the board of Schneider Electric, I make it a point to directly mentor a number of women on the company’s senior executive team. Women in management find it tremendously helpful to have someone in the boardroom take a personal interest in their career strategy and development. At Uber, new board member Arianna Huffington will be in an ideal position to put her mentoring and career savvy to work in helping rising women executives rebuild the company. The key is a regular, ongoing program of mentoring and support.
Go beyond mentoring. The tech industry, in particular, has too few role models for rising female talent. The mentoring described above is helpful, but why not go one step further? Companies can ask their male and female executives and board members to either mentor or sponsor promising female executives. There is a big difference between mentoring, which is periodic advising and coaching, and sponsoring, where you take ownership of introducing an individual and actively championing them for the next step up in their career. Women who are already senior managers or board members can kick mentoring up a notch by sponsoring high-potential women. Take personal ownership of career coaching for the top talent in your organization. Give them advice, introduce them to the people they need to sharpen their skills, and put their names forward at strategic moments.
Recognize the women making a difference. When I served as chair of the board’s compensation committee at tech firm Polycom, we were active in the annual recognition event for sales staff. I noted that women were leaders in sales: they made up less than 10 percent of the sales force, yet they were 34 percent of our “President’s Circle” top sales performers. Making an added effort to celebrate and promote this talent is crucial in sending the message that sales is not just a “guy thing” in the company.
The news emerging from Uber can serve as a spark for making the support and advancement of women in your company a boardroom mission. The talents of these women are a strategic asset to companies, and there is a growing body of research showing that firms that nurture and empower gender diversity gain in revenues and adaptability. In any company, balance sheet results are always found downstream from company culture. When it comes to reshaping that culture to be welcoming to women, the boardroom is the ideal place to start.
Betsy S. Atkins is a three-time CEO, serial entrepreneur, and founder of Baja Ventures. She has co-founded technology, CPG, and energy companies, and currently is director of Cognizant Technology Solutions Corp., HD Supply Holdings, Schneider Electric SE, SL Green Realty Corp., and Volvo AB. A version of this article appeared in June on TechCrunch’s Crunch Network.