Prisoner’s Dilemma – How Undisclosed Cyberattacks Put Us All at Risk
According to the Wall Street Journal, an estimated 90 percent of cyber incidents at public companies went undisclosed in regulatory filings in 2018. That means that the habitual headlines we read about cyberattacks today are only the tip of the iceberg. In fact, the practice of companies remaining quiet about such incidents has a long history. In 2012, for instance, a review of SEC filings found that the number of reported incidents failed to rise that year, even though the SEC had asked companies the year prior to report them. The truth is that no one knows the actual number of attacks that go undisclosed every week, and it’s costing us dearly.
Companies Act in Their Own Self-interest
There are multiple reasons why companies neglect to report ransomware attacks and similar incidents that don’t fall under standard regulatory compliance requirements. Reporting can result in reputational damage to a company’s brand, which can erode revenue and stock prices. Many SMBs are swayed by the myth that paying a ransom will solve their problems or that these types of attacks don’t affect organizations of their size. They believe that paying a ransom will lead to faster recovery times or reduce remediation costs. Unfortunately, these ideas too often prove to be delusions.
No one can blame a company for wanting to hide the shame and the difficult predicament that an organization can find itself in during a cyberattack. However, while it may seem like silence is in the best interest of company executives, companies are really hurting themselves more in the long run. This irony is vividly demonstrated by the “Prisoner’s Dilemma,” a game theory puzzle that is commonly used to illustrate the proper balance between cooperation and competition.
What is Prisoner’s Dilemma?
The prisoner’s dilemma exemplifies the paradox that two or more parties working in their own self-interest may not produce an optimal outcome for themselves in the end. It centers on the premise that two criminals who worked together to commit a crime are now separated in solitary confinement. The authorities lack any hard evidence to charge them for the crime at hand, so their case depends on one of the thieves turning on the other to testify. Each of the prisoners can choose to remain loyal to their accomplice and stay silent during interrogation, or betray their partner in crime and turn state’s evidence against them. Their decision will result in one of the following outcomes:
- Should they both cooperate as a team, both will be charged with a lesser crime that comes with a 1-year prison sentence. Together they will serve 2 years. This represents the ideal situation.
- Should one of them betray the other and turn state’s evidence, that person will be set free while the accused will be forced to serve a 5-year prison sentence.
- Should they both decide to testify against each other, each will serve 2 years in jail for their part in the crime, resulting in a collective sentence of 4 years for both.
As one can see, the two of them benefit the most by working cooperatively with one another. But as the adage goes, there is little honor among thieves, and neither can resist the temptation to work solely for their own self-interest, which in the end proves more detrimental for both parties. Real-life examples of this paradox can be readily found today. For instance, two political parties must often choose between working cooperatively with one another for the greater good of the country or operating solely for the benefit of the party’s next election.
The dilemma also presents itself for ransomware victims. Does a company choose to operate out of its own self-interest and keep a cyberattack under wraps so that no one finds out, or does it pursue a more virtuous path and report the incident so that the community at large may benefit from its open cooperation?
Cybersecurity and Prisoner’s Dilemma
As almost anyone who has fallen victim to a stolen car or some other type of property crime knows, most crimes are never solved. According to 2017 FBI data, over 70 percent of robberies and 86 percent of burglary offenses were never solved or cleared. One of the primary reasons is that a single crime is easy to get away with. A single murder is only solved 60 percent of the time. As criminals commit an increasing number of crimes, however, they start establishing patterns, and it’s those patterns that allow law enforcement to piece together the puzzle and bring the perpetrators to justice.
Similarly, it is extremely difficult to find the perpetrators behind a single cyberattack. Because of the ubiquitous nature of cyberattacks today, large-scale law enforcement organizations have upped their game and increased the level of resources directed at solving digital crimes. The more data they can collect from multiple reported incidents, the better the chances of identifying and locating the attackers and putting them behind bars. Putting these ransomware gangs away so that they can’t continue their malicious endeavors presents itself as the ideal situation, as 80% of ransomware victims report being attacked again. Cooperation is key to curing crime.
Greater Visibility is Needed
The idea that you can’t defend what you can’t see is a fundamental cybersecurity principle. Visibility across your IT estate is essential to shore up blind spots and vulnerable exposures in your network. However, it’s also important not to be blindsided by an attack. Zero-day attacks prove highly difficult to protect against because little to nothing is known about them. In fact, they remain zero-day attacks until someone steps up and reports that the vulnerability in question exists.
If neighbors are aware of break-ins within their local area, they will know to be more heedful of the increasing likelihood of a crime. In a similar fashion, if organizations become more willing to report attacks in a timely manner, other entities within that industry, or those that are susceptible to the same exploits, can increase their vigilance in protecting against these types of threats. Ransomware is a global struggle, and businesses must recognize that openness and cooperation benefit everyone, including themselves.
Fortunately, the tide may be turning towards greater cooperative transparency. Some cyber insurance companies now require that a ransomware incident be reported to retain coverage for the incident. In addition, a growing number of regulatory agencies are now expanding the definition of a cyber incident beyond that of a traditional data breach. Those assigned to protecting the digital infrastructure of organizations today must be able to rely on a better warning than a headline in the news. We must all take a more proactive approach to threat intelligence to protect ourselves and our community. When it comes to cybersecurity, cooperation is in your own self-interest.