How The Yahoo Hack Could Have Been Prevented

The Yahoo Mail logo on a smartphone screen, October 6. Dado Ruvic/Reuters

The news that the internet giant Yahoo had 1 billion accounts hacked in 2013 may have been on the front page, but I'm guessing most users hardly raised an eyebrow.

Yahoo, as it announced earlier this year, has been hacked before. And this breach follows the hacks of numerous other companies like Sony, Target, Anthem and even the U.S. government. We are used to hacking headlines.

You may find yourself thinking that if Yahoo, which practically invented the Internet and has billions to spend on security, is vulnerable, who isn't?

Any conversation about cybersecurity seems to start from a place of defeatism. A lot of our failures as an industry stem from our outlook. We're fond of war metaphors in security, but maybe we should start by looking at house fires.

Big cities, like London, Chicago and San Francisco, sometimes used to burn to the ground. What changed, as John Elliot, a security expert at easyJet, pointed out in a recent speech, could teach us how to address cybersecurity, in an era when massive hacks are taking down whole companies.


Here's what happened in Chicago: At around 9 p.m. on October 8, 1871, a kerosene lantern fell and broke, setting fire to a small barn on the west side of the city. The ensuing conflagration consumed more than four square miles, destroyed many lives and cost in excess of $200 million, or over $4 billion in today's dollars.

Whether the lantern was knocked over by a group of young boys leaving the barn in a hurry after being caught playing craps, or, as has been traditionally believed, was kicked over by Mrs. O'Leary's cow, the result is the same. This one seemingly insignificant event ignited, literally, a historic calamity.

The list of catalytic events that fanned the flames in 1871 is long and not even particularly exotic, but here are the highlights:

1. Chicago was built almost entirely out of wood, including the sidewalks and many streets which, when they caught fire, led the flames from one neighborhood to another. Just for good measure, most of the roofs were coated with a waterproof but highly flammable petrochemical: tar.

2. It hadn't rained in three months, and despite being situated on the shores of Lake Michigan, the city was tinder dry.

3. That night a strong southwesterly wind was blowing, driving the flames across what should have been a natural firebreak, the Chicago River, north and east into the heart of the city.

4. Firefighters couldn't reach the areas that were burning because of the mobs of people escaping the city.

5. Around 2 a.m., a flaming timber fell through the roof (also made of wood) of the city's only water pumping station, burning it to the ground.

So what does this tell us about cybersecurity and how can we use the lessons learned from Chicago's fire to stop the next big hack from happening?

For a start, preventing fires isn't about attributing blame. It doesn't matter whether a group of young boys knocked over a lantern, or whether a Russian hacker wanted to influence the U.S. election. Attribution doesn't help prevent cyberattacks and it certainly doesn't contain the damage.

Another lesson is that remediation, another favorite tool of the cybersecurity industry, is too little too late. A smoke detector by itself wouldn't have stopped Chicago's fire from consuming the whole city. By the time you realize you've been breached and your data has been exfiltrated and sold, it's too late to do anything but rebuild.

The biggest reason we no longer have to worry about Chicago burning down now is that fire preemption has come a long, long way. We don't build entire cities out of wood anymore. That's asking for trouble. Instead, we build them out of steel, glass and concrete.

We've also produced all kinds of safeguards like fire retardants, smoke detectors and building sprinklers, and we require extinguishers in places that are prone to errant flames, like kitchens and welding shops.

We're willing to spend our time reducing the potential of fire, knowing it will stop devastating consequences down the line. Wouldn't it be great if we started approaching cybersecurity the same way?

Getting there will take a shift in how we think about cybersecurity, and how we spend on it. Just as we started building cities with brick and metal, we need to focus our efforts beyond firewalls and antivirus scanners.

Ask yourself a few simple questions about your cybersecurity policy. Are there preemptive measures everywhere you turn? Have your IT people made all the patches that need to be made? Have you purged obsolete applications full of vulnerabilities you've got lying around? That's like keeping a pile of oily rags in a corner.

Have you upgraded your cybersecurity software and tested it to make sure it's working? If the answer to any of those questions is, "Well, no, not really," you shouldn't be surprised when your organization ends up in the news for all the wrong reasons.

A recent survey by audit, tax and consulting giant KPMG found that more than half—55 percent—of major retailers surveyed have invested no capital in cybersecurity in the last 12 months. One in five customers said they would stop doing business with a retail brand if the company had been breached.

In other words, there isn't enough free credit monitoring to keep consumers from losing trust after an organization has shown they haven't done enough to protect them.

Part of the lack of preparation is fatalism. We see breaches everywhere and assume we're not immune. Businesses can hardly be faulted for not investing more in cybersecurity if they think breaches are simply inevitable.

That brings us back to why we need preemption. If we are going to exist online, and it looks like that's the plan for the foreseeable future, then we better change what we consider to be acceptable in cybersecurity.

Cybersecurity that does not prevent breaches is no longer acceptable; it's as simple as that. Any more than it would be okay for an entire city to burn down because a cow kicked over a kerosene lantern.

Oren J. Falkowitz is a co-founder and the CEO of Area 1 Security. He previously held senior positions at U.S. Cyber Command and the National Security Agency focused on big data and computer network operations.
