Disruption vs. Destruction: An Important Distinction

Do cyber-intruders coming into your business want to temporarily or partially disrupt your business or are they trying to destroy it altogether? This is the question which remains on my mind as we consider the fallout from the Liberty Reserve incident and see an uptick in interest in the mainstream media about cyber-attacks over the past 6-12 months.

Yet, to do this question justice, it’s not entirely clear what motivates this assortment of groups that fall under the “cyberattacker” moniker. After all, the fact is that they’re not the same thing and don’t typically coordinate their efforts; more specifically, (1) what hacktivists do might be politically-motivated, (2) what cybecriminals try to do is typically financially-motivated, and (3) what nation-states attempt is frequently diplomatically-motivated and/or politically-motivated. Thus, the core question being asked above about disruption vs. destruction remains a more complex one than is initially obvious.

For the sake of this blog, let’s assume that the attacker is not trying to insert itself, do its nefarious business, and then be on its way in a silent manner that they hope you don’t notice. Let’s instead assume that the attacker has a motivation to more forcefully and explicitly cause harm to your organization rather than “just” silently stealing your corporate IP.

It’s on this basis that the disruption vs. destruction question arises. And it’s on this question that I’d like to pose a few questions.

• What’s worse for your business? Is total destruction more likely to engender feelings of compassion and flexibility among your clients and therefore something you might prefer over a disruption in a single line of business or within a single process that is core to your organization (e.g. processing, manufacturing, reporting, etc.)? Then again, could you even recover from a total “wipe” if one was logistically feasible?
• Which is harder to recover from – disruption or destruction? Whether it’s putting a business continuity plan into action or recovering from a cyber-shutdown, is all-out destruction in any ways worse than “mere” disruption of some temporary nature?
• Which one will get faster response time from law enforcement and/or regulators? Law enforcement and the regulatory community don’t have limitless resources and therefore focus their efforts on the key cases in which new technologies, new schemes, new industries, or unique situations arise … not to mention big monetary amounts are involved. All that being said, the outright destruction of an exchange or a payments processor or a cloud service provider would be something that would turn heads and most likely generate tremendous interest from the law enforcement and regulatory communities, not to mention those concerned with protecting critical infrastructure in your nation.
• Which one will the media cover more favorably? Yes, this has to be considered. The media is perhaps more likely to cover a story having to do with outright destruction in a manner that is more favorable than a partial interruption or disruption that is perhaps more likely to provoke observer to make fun of an organization, etc. However, in this scenario much rests on how the impacted organization’s leadership responds to media inquiries, is opaque or transparent, etc.

I don’t pretend to have answers to the questions above, but do believe that presenting them and struggling to identify responses to them BEFORE an incident occurs is something that would probably behoove you and your organization. Contemplating the worst-case scenario next to the “partially problematic” scenario is something that good risk managers spend their time doing and measuring. Providing this level of visibility and transparency to the business as a whole is an important exercise.