For the last decade or more — as cyber threats emerged from the shadows into broad public view — commentators and the media have told us we are losing a “cyber war.” Look at the headlines: “America Seen Losing Cyber War,” “Why Are We Losing The Cyber War,” “Why We’re Losing the Cybersecurity War,” and “How the United States Lost to Hackers.” The unintentional message is stark: abandon all hope, ye who cyber here. But these headlines are based on a false premise, because there is no bounded conflict to “win” or “lose.” Worse, the incessant drumbeat of panicky, defeatist rhetoric delivers a message that enables criminals and adversaries. Who could blame the average person for wondering why they should even try to secure their phones and computers if the most powerful nation in the world has already admitted defeat in the “cyber war?”
Of course, some very bad stuff has happened in our increasingly connected society. Criminals and nations have stolen billions of dollars; Russia took down parts of the Ukrainian power grid (at least twice); the East Coast had gasoline shortages when Colonial Pipeline shut down its operations after a ransomware attack; countless hospitals have been crippled for days or longer; Sony Pictures saw its deepest secrets published for the world. All of these incidents bring with them significant costs — physical, financial and psychological. Some are genuine disasters.
But there was no “Battle of Colonial Pipeline,” and the breach itself was not part of some grand conflict. In fact, Colonial was not specifically targeted; it was one of many companies that a relatively unsophisticated hacker tried to ransom, and he was only able to breach Colonial because it wasn’t using a basic security tool. If this was a battle in a grand cyber war, then our troops didn’t put up a fight. And if we continue to define “victory” as a complete absence of bad cyber things, then this is just another unwinnable war on a noun — like the “wars” on drugs, terrorism, and teen pregnancy. We continue down this path at our own peril.
All of us — individuals, governments and media (especially headline writers) — need to move past panic over cyber threats and accept that cyber incidents are endemic. Cyber insecurity will always be a significant problem, but it is one that we must work to manage, not eliminate. And the first step to managing the problem is to stop telling ourselves we’ve already failed. The next step is to recognize where we have made progress, whether managing cyber risk, stopping attacks, or punishing criminals. The constant evolution of cybercrime is perhaps the clearest example of our success — if the rampant “scareware” scams of ten years ago still worked, criminals would still use them. But they don’t, because defenses improved and potential victims wised up to them. So the criminals developed new attacks, which cost them time and resources (i.e., money). They spent those resources because we made them do it, not because they wanted to try something different. This cat-and-mouse game will continue, but cybercrime is a business, and we make progress when we drive up the criminals’ costs.
While a non-attack can be hard to prove (the classic dog that didn’t bark), it is noteworthy that Russia’s wartime efforts to cripple Ukraine via cyber-attack have been far less successful than most commentators expected, and the epidemic of high-profile ransomware attacks we saw in 2021 cooled in 2022. Improved defenses made a difference as governments, potential victims, and cybersecurity companies around the world stepped up to meet the threat. As for bringing criminals to justice, ask Denis Dubnikov, a cryptocurrency broker who recently pled guilty to laundering ransomware payments; or Yaroslav Vasinskyi, who is currently awaiting trial in Texas for allegedly launching the July, 2021 ransomware attack on Kaseya; or Vyacheslav “Tank” Penchukov, the leader of the “Zeus” cybercrime group, who was arrested in Geneva in November.
Recognizing our successes is about more than just feeling good — it shows that defenses can work, that individuals can protect their data and privacy, and that organizations can secure their systems and stop cybercriminals. It can be the foundation of a new message, one of empowerment and education. Cybersecurity will remain a priority for governments, companies, schools and individuals for the foreseeable future, which is why it’s essential our public conversation reflects the reality of the threats we face and the things we can do to counter them. Just as we cannot ignore the damage that attacks and data breaches can cause, we must also recognize that there are simple security steps that all of us can do to make those occurrences less frequent and less significant.
Jeff Greene is the Senior Director for Cybersecurity Programs at Aspen Digital; from March 2021 to June 2022 he was the Chief for Cyber Response & Policy in the National Security Council at the White House.