I wrote a couple of weeks ago about the need for people to reveal
that they have been hacked and to tell the world how large a ransom they were
presented with and what they paid. I thought this time, we might dive into the
thinking of companies who are faced with this dilemma.
Basically, a company that has just received a ransom demand and discovered that not only are its files and backups encrypted, but also its data has been syphoned off and could be appearing for sale on the dark web any day soon, has two choices. Either they reveal all to the media and make the lessons they have learned available to other organizations to help them prevent similar breaches occurring. Or, they say nothing about it, pay the money, and carry on in business. They hope the criminals unencrypt their data and don’t put it up for sale. And they hope that their customers continue doing business with them as if nothing had happened – which, as far as customers are concerned, is what they believe. The reputation of the hacked company stays intact.
This is in many ways like the famous game theory of the prisoner’s dilemma. You may be familiar with this. Two prisoners are held in separate rooms and are now being interviewed by the police. They can’t communicate with each other. And they are told the following:
· If you confess and agree to testify against the other suspect, who does not confess, the charges against you will be dropped and you will go free.
· If you do not confess but the other suspect does, you will be convicted, and the prosecution will seek the maximum sentence of three years.
· If both of you confess, you will both be sentenced to two years in prison.
· If neither of you confesses, you will both be charged with misdemeanours and will be sentenced to one year in prison.
Imagine that you were one of the prisoners, which option would you choose?
As a bit of background, this game theory originally came from Merrill Flood and Melvin Dresher at the Rand Corporation in 1950. It was formalized and named by Albert William Tucker.
Let’s put some numbers on the options available. If neither confesses, they both get a year behind bars. If they both confess, they get two years. But if one confesses and the other doesn’t, the one who confesses goes free and the other faces three years inside. Think of it as 1,1; 2,2; 3,0; and 0,3.
If we add up the numbers, if a prisoner confesses, they either get two years or walk away. If a prisoner doesn’t confess, they get three years or one year. If you add those numbers together, it’s either 2 years for confessing or four years for not confessing. Because they can’t communicate with each other, confessing seems like the best strategy to minimize the amount of time spent in gaol. The ideal solution, if they could communicate is for both of them to stay silent, but they probably won’t do that for fear that the other prisoner has already confessed.
What I’m suggesting is that something like the prisoner’s dilemma could be used as a theory to see what would happen if a financial institution were to work out the result of revealing that it has been hacked or not.
The first financial institution to reveal that its mainframe has been hacked would definitely find that its reputation was dented and that customers would move to a more ‘trustworthy’ bank. No matter how they spun the information they were giving to the press. It just seems to me that the same people who panic buy at the drop off a hat would lemming-like rush to another financial provider. So, I can see why these kinds of institution would not reveal the information.
Suppose there was another scenario available, where two or three or more financial institutions not only revealed the details of the ransomware attack, but also the steps they took to ensure that a similar attack couldn’t happen ever again. Their PR teams would be busily spinning the information to show that it was only a small part of their business, and they were completely in control, and appropriate steps had been taken to prevent it ever happening again. And, as a result, customers would be less likely to rush to another bank or whatever because they all seemed to be equally vulnerable. Yes, the organizations would suffer a dent to their reputations, but that would soon be forgotten about.
The advantage of companies coming out with details of their breaches and the ransoms they have been asked to pay, as well as the amount that they did pay, is that other companies can put in place appropriate strategies to prevent similar attacks happening to them.
At the moment, you can picture the mainframe business world in much the same way as the first cowboys with guns felt when they saw herds of buffalo roaming across the plains of North America. It’s pretty much open season for the bad actors to take down any mainframe site that they like. The buffalo aren’t talking to each other.
So, how to get out of the prisoner’s dilemma where a suboptimal result occurs because each prisoner is looking after themselves and not communicating with the other. In the case of the mainframe world, there are lots of ‘prisoners’ and it is very easy to communicate with them. In my opinion, legislation and protection is the only way forward to get organizations using mainframes that have experienced a breach to reveal all. Legislation would compel them to reveal all, and protection would ensure that the loss of business for those first few companies that speak up doesn’t put them out of business.
No comments:
Post a Comment