Asleep at the Laptop

Some cybercrime is aimed directly at our national security, imperiling our infrastructure, government secrets and public safety. But as the recent wave of attacks by the hacker collective Anonymous demonstrates, it also targets private industry, threatening the security of our markets, our exchanges, our bank accounts, our trade secrets and our personal privacy.

With all the attention paid to the so-called fiscal cliff approaching at year’s end, it is equally important to ask whether collective inaction has us simultaneously barreling toward a cybercliff of equal or greater height.

As the United States attorney in Manhattan, I have come to worry about few things as much as the gathering cyberthreat. Law enforcement is racing to respond, filling its ranks and fortifying its defenses against cyber-malefactors. Businesses should worry, too. But my experience suggests that they are not doing nearly enough to protect themselves, their customers and their shareholders.

Recently I met two executives from major companies who did not even know whom in law enforcement to contact in the event of a hack or intrusion. A few weeks ago, after a speech I gave about cybercrime, a board member of a significant Internet-based company took me aside and admitted, with some horror, that his company’s board had not spent a single minute discussing cybersecurity.

These troubling admissions reveal critically outdated thinking in the business community. But there is recourse, and the cliff can still be avoided.

For one thing, large and small corporations alike must adopt a culture of disclosure. A bank would never think to delay reporting to the police a conventional robbery by a masked criminal wielding a gun and a note. But that is what institutions are still routinely doing after being compromised by anonymous criminals operating through the Internet.

Corporations may wait days or even weeks and months, or never disclose the attacks at all, for fear of exposing proprietary information. But doing so makes it much harder to identify the perpetrator and prevent future economic injury. It also makes it harder to tell who the next victim might be, so that they might assess their own vulnerabilities and formulate solutions.

Businesses should be assured that law enforcement will operate with the utmost sensitivity toward victims of cyberattacks. Prosecutors and agents have developed techniques to minimize disruptions to daily operations and to safeguard proprietary information. Where necessary, we can seek judicial orders to protect confidentiality. But to the extent that businesses remain allergic to the idea of promptly reporting cybercrime to law enforcement, they need to get over it.

Second, every company needs to do a better job of creating and fostering a culture of security. A recent report by Verizon suggests that a stunning 97 percent of data breaches last year were avoidable. That’s because even well-intentioned companies that are already spending large sums of money on high-tech security are overlooking the most fundamental precautions.

In a way, they’re overthinking the threat. We have a false impression that all hackers are hyper-sophisticated, digital versions of Tom Cruise rappelling down a building, “Mission Impossible”-style. But the more mundane reality is that companies are most often breached by hackers walking down virtual hallways, looking for a single unlocked door. And the proverbial unlocked door can mean entry into the entire data network.

In response, companies must start thinking ahead of the hack and locking their doors. It is simply no longer enough for company leaders to take a hands-off approach, leaving these matters to a few “techies.” Such an attitude practically invites a hack. Even simple measures — like employee training and regular threat assessments — can help companies avoid becoming the easy target.

But the most important step is the most obvious and fundamental one: understanding the threat in a comprehensive, serious manner. Every member of a board or executive suite is duty bound to protect the institution against material risk, whether they currently possess particular expertise or not. And yet, how many companies have a concrete plan in place to deal with a hack? How many conduct independent audits of their cybervulnerabilities? The answer, many in my position fear, is too few.

Some say we are outgunned. But in my view, it is less a matter of being outgunned than being simply outdated — in our thinking and in our vision. Yes, there is an army of computer saboteurs, spies, thieves and nihilists who wish to do us harm. But we have an army, too, or at least the makings of one, which can draw from the best of law enforcement, intelligence, business and academia.

I have no doubt that we could find the collective will to amass and mobilize our army once a true catastrophe strikes — just as we did after Pearl Harbor and Sept. 11, 2001. The question is whether we can do so before that happens.