ICCS 2016 – Fordham Now
https://now.fordham.edu
The official news site for Fordham University.

At ICCS, Former Sony President Offers Lessons Learned From 2014 Hack
https://now.fordham.edu/politics-and-society/iccs-sony-president-offers-lessons-learned-from-hack/
Thu, 28 Jul 2016 21:51:15 +0000

The call came in the early hours of Nov. 24, 2014. “Something really bad is happening here,” Nicole Seligman, the former president of Sony, heard on the other end of the line. “When I turn on my computer I see a menacing red figure and then everything goes dark.”

With each passing minute, emails, copies of unreleased Sony films, executive salary information, and personal information about Sony employees and their families were being stolen and then deleted from Sony’s servers.

It was a terrifying moment, Seligman recalled during a panel at the International Conference on Cyber Security. Moderated by Preet Bharara, U.S. attorney for the Southern District of New York, the panel included Seligman, David Hickton, U.S. attorney for the Western District of Pennsylvania, and Denise Zheng, senior fellow and deputy director at the Center for Strategic and International Studies.

It was not the first time Sony had been attacked, however—in 2011, the PlayStation network was hacked, compromising tens of millions of users’ data. This time around, a Sony executive made the quick decision to shut down the corporation’s entire network.

[Photo: International Conference on Cyber Security. Photo courtesy of Wired]

“We knew something big was happening, and we were aware we were losing a lot of data, so we immediately went offline,” Seligman said. “As a result, half our servers survived. Otherwise everything would have been gone, because this was an attack in which they were stealing data and then executing a command to destroy.”

Going dark spared the company further intrusion, but left everyone with the resounding question of, “Now what?” No one had access to email or voicemail. Calendars and contacts were lost. People were “sitting at their desks trying to do their job with a pen and paper,” as one staff member was widely quoted immediately after the hack.

Logistical issues were just one of the lessons Seligman said the corporation learned from the 2014 hack. She urged that all companies have business continuity plans in the event that networks become suddenly unavailable. Back up information on other servers, she said, or print files and keep hard copies.

In addition, companies ought to establish clear lines of authority with regard to company networks. If a hack occurs, Seligman said, you do not want to spend precious minutes trying to figure out who is the right person to make the call about going offline.

Similarly, there must be frequent conversations about cybersecurity at the highest levels of the company.

“If you have trade secrets and corporate information, how do you secure it? What kind of threat do you assume—a hacktivist, or some kid sitting in a basement?” Seligman said. “You need to do a cost/benefit analysis about what data you need to guard, how much you’re going to spend to secure it, and how much that will interfere with operations.”

Most important, Seligman said, is to establish ongoing relationships with law enforcement. In Sony’s case, the FBI not only responded to the immediate threat, but also helped guide the corporation through the recovery process.

“It’s very lonely when you’ve been attacked and you’re offline,” she said. “There is an assumption that with just a little bit of money and savvy you could’ve prevented an attack. So you’re in a position where you’re a victim, but somehow you’re also the wrongdoer.

“In our case, the FBI stepped into that void and acknowledged that we were the victim here.”

Homeland Security Head Delves into new Cyber Security Strategy
https://now.fordham.edu/politics-and-society/homeland-security-head-delves-into-new-cyber-security-strategy/
Thu, 28 Jul 2016 17:00:04 +0000

Alejandro Mayorkas, deputy secretary of the U.S. Department of Homeland Security, implored the private sector to share information with the government so it can prevent individual cyber attacks from blossoming into much larger problems, in an address on the fourth day of the International Conference on Cyber Security (ICCS).

Speaking at the Lincoln Center campus on July 28 at a conference held by Fordham and the FBI, Mayorkas said cyber threat indicators—information used to identify cyber security threats—need to stop being traded by security firms as if they were common commodities.

“Look, we’re all in this together. Some of us are in it as a calling, some of us are nonprofit, and some are for profit. For those of you who are for profit, you have many streams of revenue. The cyber threat indicator should not be one of them. That needs to be a public good,” he said.

“Hopefully, we’ll get to a point where that becomes a public good and is no longer a for-profit commodity, and we can raise the bar of the entire cyber ecosystem in terms of our defense mechanisms.”

Mayorkas noted that the “seminal announcement” by the White House on Tuesday at Fordham detailed the government’s new approach to responding to significant cyber incidents. The directive features a framework with two priorities: a threat response, which is an effort to identify perpetrators and hold them accountable, and an asset response, in which the goal is to identify the nature of the attack, identify and help expel the perpetrator, identify the vulnerabilities that permitted the intrusion, and identify if there are other victims who need help.

The challenge, he said, is that a core principle of asset response is the dissemination of information as broadly as is needed. It’s extraordinarily important to do this at network speed because attacks can be replicated with the click of a button, but he acknowledged that a trust deficit exists between the cyber community and the government, thanks in part to 2013 revelations by former National Security Agency contractor Edward Snowden.

“The idea of voluntarily providing information to the government still requires a bridge for many to cross, and I hope that we will all work very hard to overcome that trust deficit,” he said.

“Words, of course, will not do it, but action, and bringing benefit to different communities will achieve it, and it’s a privilege for me to be a part of that effort.”

Panel Warns of Vulnerabilities to Nation’s Power Grids
https://now.fordham.edu/politics-and-society/panel-warns-of-vulnerabilities-to-nations-power-grids/
Wed, 27 Jul 2016 17:28:45 +0000

The United States’ ability to detect the source of cyber attacks on critical infrastructure has vastly improved in the last decade, but when it comes to preventing those attacks, we have a long way to go.

That was the consensus of a panel convened on July 27 by veteran journalist Ted Koppel at Fordham’s Lincoln Center campus.

“Lights Out: The Critical Infrastructure of the Power Grid” was the final panel of the second day of the 2016 International Conference on Cyber Security (ICCS). In addition to Koppel, it featured Keith Alexander, former director of the National Security Agency, and Steve Hill, political counsellor for the United Kingdom’s Mission to the United Nations.

Koppel, who delved into the issue in Lights Out: A Cyberattack, A Nation Unprepared, Surviving the Aftermath (Crown, 2015), lamented that in the aftermath of 9/11, the country spent close to $3 trillion and started two wars, with the goal of defeating terrorism. But even after the 2003 Northeast blackout, which showed how much damage a major blackout could cause, and blackouts in the Ukraine and Estonia in 2007, which demonstrated how they could be caused by hackers, it’s barely a topic of conversation.

“There are 3,200 companies in this country, and the largest, biggest and wealthiest have extraordinary defensive capabilities. They are immune to cyber attack though. Quite the contrary. The problem is that all of these 3,200 companies are linked,” he said, noting that a successful attack on the weakest could allow a hacker to infiltrate larger systems.

“You can take out an entire grid, with hundreds of companies, affecting tens of millions of people over a period potentially of weeks or even months.”

At the moment, the best defense against attacks on infrastructure such as the power grid is the ability to identify the perpetrator, and Alexander said the good news is that the United States improved its attribution capabilities by an order of ten times between 2006 and 2014.

“Now, the issue is, it wasn’t at network speed attribution. We can attribute who the offensive player is, but it takes time, and sometimes it can take weeks or a month,” he said.

Concerns about privacy and profits have made power companies resistant to working with the government, and Koppel pointed out that none that were invited to the conference chose to attend.

Alexander illustrated the conundrum by polling the audience, a mix of representatives from the private sector, academia and law enforcement, on whether it is the government’s responsibility to protect privately owned computer networks, the way it would defend against a missile attack, or whether companies should defend themselves. After some consternation, several members piped up that it should be both, a notion that Alexander seconded.

“If you believe it’s both, and that government and industry have to work together for defense, where industry has to reach a certain standard, and government has to have the ability to respond, you also say that they have to share information at network speed.

“We’re not discussing that, but that’s the issue that’s on the table. We have to go further, and the government and industry have to work together.”

Presidential Directive Lays Out Government Response to Cybersecurity Threats
https://now.fordham.edu/politics-and-society/presidential-directive-lays-out-government-response-to-cybersecurity-threats/
Tue, 26 Jul 2016 21:06:23 +0000

A Fordham cybersecurity conference was the site for a White House announcement today that a new presidential directive will shore up the federal government’s response to cyber threats.

The new policy delineates the role that government agencies will play going forward in preventing and responding to potential as well as active cybersecurity incidents, said Lisa Monaco, assistant to the president for homeland security and counterterrorism. She made her remarks at the opening session of the International Conference on Cyber Security (ICCS), cosponsored by Fordham and the FBI.

“[The policy] commits to unifying the government’s response across agencies, and it emphasizes that our response will be focused on helping victims of cyber incidents recover quickly,” Monaco said.

“This directive establishes a clear framework to coordinate the government’s response to such incidents. It spells out which federal agencies are responsible. And it will help answer a question heard too often from corporations and citizens alike—in the wake of an attack, who do I call for help?”

The FBI will lead responses to any immediate threat (just as it does in cases of terrorism, Monaco said) to find out whether those responsible are terrorists, other countries, or criminals.

The Department of Homeland Security will assist the victims of an attack or intrusion, supplying federal resources to aid recovery and providing technical assistance to protect the attacked organization’s assets, bring systems back online, and decrease vulnerabilities.

Finally, the newly formed Cyber Threat Intelligence Integration Center (CTIIC), which operates under the Director of National Intelligence, will serve as the point agency for all cyber-related intelligence. Having a single entity integrating and analyzing this information will allow for more rapid and streamlined efforts to disrupt threats, Monaco said.

“In all these efforts, the framework we apply when considering the use of cyber operations is quite similar to how we approach other operations in the physical world. Any actions we take must be consistent with our values, and after we assess the potential for collateral damage and consider other potential options. We consider the likely reaction of the target, our allies, and other countries who may be affected, and we consider whether the effects of a cyber operation could lead to escalation and greater conflict,” she said.

“I believe we can do this. Humans invented cyberspace and we can manage the challenges it generates. Over the past seven and a half years, we’ve made tremendous progress. The framework and actions we’re putting in place today are another strong step forward.”

[Photo: James Trainor, assistant director of the FBI’s cyber division. Photo by Chris Taggart]

Monaco’s announcement followed the keynote address from James Trainor, assistant director of the FBI’s cyber division, who stressed the importance of collaboration in the face of cyber threats.

Trainor cited the U.S. Intelligence Community’s annual Worldwide Threat Assessment, which for the last three years has ranked cyber threats as the No. 1 danger to national and economic security—a “bigger [threat] than standard forms of espionage and bigger even than terrorism,” Trainor said. “From where I stand, the issue is getting worse by the day.”

For this reason, it is critical to form strong partnerships among law enforcement, government agencies, and the private sector. The faster that a cyber threat or attack is reported to the FBI, the faster that those responsible can be caught and evidence preserved.

“We need to use indictments, engagements with foreign partners, diplomatic pressures, sanctions, technical disruption operations, and even actions taken at the World Trade Organization-level with trade operations,” Trainor said.

“In my view, pressure works… Our adversaries know we will come after them in more ways than one. The FBI is doing everything it possibly can at every level to make it harder for cyber criminals to operate. I believe that many of them are starting to think twice before putting their fingers on the keyboard.”

The sixth annual ICCS conference opened July 25 at Fordham’s Lincoln Center campus.

ICCS 2016 Q&A: NSA’s Rob Joyce on Hacking Back
https://now.fordham.edu/politics-and-society/iccs-2016-qa-nsas-rob-joyce-on-hacking-back/
Tue, 26 Jul 2016 19:26:59 +0000

[Photo: Rob Joyce]

On Thursday, July 28, Rob Joyce, chief of Tailored Access Operations at the National Security Agency, and four others wrap up the 2016 ICCS conference with a distinguished panel discussion. Joyce, who joined the NSA in 1990, spoke about his presentation with Inside Fordham.

You appear on the panel called “Reverse Deception: Understanding the Real World of Hacking Back.” What must you focus on to get an audience to understand this “real world?”

There are a lot of companies and individuals where, once they get an intrusion or a hack, they feel almost viscerally intruded on. There’s a strong urgency to make it stop, and sometimes there’s a strong desire even to retaliate. We’ve gotten some proposals where people feel that they ought to be going back and hacking back against that intrusion, to either try to delete the data, or to go ahead and inflict pain on the people who are coming at them to try to deter them from further action.

I want to make sure that people understand that this is really not a good idea. Probably the easiest reason why is [that] it’s illegal. If you’re undertaking hacking against equipment or property you don’t own, that’s illegal, so that [a] hack back is fundamentally illegal even if you’re trying to argue that it’s self-defense.

We’re working very hard to establish some durable international norms that we’d like countries, companies, and individuals to behave by. Efforts to hack back can go against the work the State Department is working on right now to establish norms and expectations with our international partners, and even our international adversaries.

If it’s illegal, why would people do it?

It could be an emotional response. There are some people who consider it a much more strategic response. They hope to go and make the data that was stolen unusable; they’d like to go back, find it, and delete it. They also may just be going back for attribution. They’d like to hack back [into the networks that appear to be targeting the victim] and work their way backwards and try to understand who’s responsible for it. So it may not even be a response; it may just be trying to gather that intelligence.

Is there anything else from your presentation you’d like to share with us?

I’d like to point out that it’s really hard to understand who’s actually hacking your network. That presents a big danger, because if you’re trying to respond, retaliate, or go back, you run a serious risk of going against the wrong person. In hacker circles, there’s often mischief going on, and it may be that if people understand that a company or an entity is doing hack backs, you could actually be manipulated into attacking somebody who’s completely innocent in this space. So it’s these subtleties and nuances that make it tough, and likely ill-considered to hack back.

You run the risk of inflicting collateral damage, because often the hacks go through an unwitting third party. If you’re striking the network touching your infrastructure, you’re often striking the wrong target.
