Today, Yahoo is in damage control mode, trying to limit the impact of an extraordinary breach which saw 500 million user accounts exposed. The company’s natural instinct is reactive: Find the problem and isolate it.
But the fact is, attackers were inside the Yahoo network for weeks, maybe months, before anyone knew it.
Any campaign, business or organization should expect they will be targeted. It’s a harsh reality, but one we need to admit. Being a bad guy on the internet is an enticing business. Even with defensive measures stopping attacks midway through, it’s estimated that cyber attacks still cost more than $300 billion globally.
If we’re really serious about cyber security, we need to try something new.
What should we do about it?
Act preemptively. Clearly, our traditional defensive measures alone will not prevent attacks. To change the bad-actor business model, we need to enter the age of preemptive cyber security.
In medicine, we routinely try to head off the catastrophic consequences of disease by eliminating the conditions or pathogens that cause those diseases. Rather than perfecting an iron lung to treat the symptoms, we have developed a vaccine that targets the source. Every year, scientists tap into predictive analytics to develop flu vaccines. We engineer cures by advancing in our understanding of what causes these outbreaks in the first place.
For us to have cyber security truly worthy of the name, we must be able to stop these attacks the moment they start, if not before. To some, this might sound like retaliation. It’s not. It’s an active approach. The way to create and maintain a preemptive posture is to engage when and where attacks originate, rather than waiting to clean up the mess. This means gathering relevant information in cyberspace, analyzing it to learn the early signs of attacks and using that information to predict and stop new attacks before they begin.
How should we engage?
Aggressively. Building the cyber equivalent of an early warning system, like meteorologists do with weather and climate systems, allows us to respond more effectively. We better understand attacker origins, identify threats at their source and monitor their activity before they become full-blown attacks. You’d be surprised by how many attacks are carried out using the same recycled pieces of malicious code, taking advantage of the same kind of vulnerabilities, delivered by the same phishing tactics.
When should we engage?
Earlier than anyone might imagine. When a cyber attack is being planned or launched, it should be cut off immediately and completely. Often, these attacks are planned over the course of months, if not years. We need to be thinking ahead.
Where should we engage?
At any time and place we choose — including, but not limited to, the source from which the attackers relay their campaigns. Being able to pick the time and place of the engagement shifts the element of surprise of an attack from the victims to the attackers.
To a society that focuses on passive detect-and-block cyber security, preemption might sound like a good but unrealistic idea. It is possible, however; it’s being done now. It won’t be the only method to stop cyber attacks, but it’s a vital addition to the arsenal.
Yahoo is the latest in a long line of companies on the defensive when it comes to cyber security. The industry needs to find ways to thwart the attackers well before they strike.
We are not powerless in the cyber security fight. But for our efforts to work, we must get preemptive. We have everything to gain.
Ted Schlein is a managing partner at Kleiner Perkins Caufield & Byers focused on investments in enterprise software and security. He currently serves on the board of overseers for the Engineering School at the University of Pennsylvania, and sits on the board of trustees at InQTel. Reach him @kpcb.
This article originally appeared on Recode.net.