What we can learn from the aftermath of cybersecurity breaches and how we can do a better job protecting online data.
Cybersecurity incidents make the news with startling regularity. Each breach—the theft of 145.5 million Americans' information from Equifax, for example, or the Russian government's theft of National Security Agency documents, or the Sony Pictures data dump—makes headlines, inspires panic, instigates lawsuits, and is then forgotten. The cycle of alarm and amnesia continues with the next attack, and the one after that. In this book, cybersecurity expert Josephine Wolff argues that we shouldn't forget about these incidents; we should investigate their trajectory, from technology flaws to reparations for harm done to their impact on future security measures. We can learn valuable lessons in the aftermath of cybersecurity breaches.
Wolff describes a series of significant cybersecurity incidents between 2005 and 2015, mapping the entire life cycle of each breach in order to identify opportunities for defensive intervention. She outlines three types of motives underlying these attacks—financial gain, espionage, and public humiliation of the victims—that have remained consistent through a decade of cyberattacks, offers examples of each, and analyzes the emergence of different attack patterns. The enormous TJX breach in 2006, for instance, set the pattern for a series of payment card fraud incidents that led to identity fraud and extortion; the Chinese army conducted cyberespionage campaigns directed at U.S.-based companies from 2006 to 2014, sparking debate about the distinction between economic and political espionage; and the 2014 breach of the Ashley Madison website was aimed at reputations rather than bank accounts.
Josephine Wolff is Assistant Professor of Cybersecurity Policy at the Fletcher School of Law and Diplomacy at Tufts University. Her writing on cybersecurity has appeared in Slate, the New York Times, the Washington Post, the Atlantic, and Wired.
Following Isaiah Berlin's analogy, it has been argued that cybersecurity is a fox subject and not a hedgehog subject, meaning that it can only be navigated via many specifics rather than over-arching theories. To an extent that is true: each attack displays subtle differences in network environments and threat actors' capabilities/tools/motivations. Often these idiosyncrasies are what allow the attack to happen, and so we cannot have a general theory of security. This often manifests as InfoSec practitioners criticising journalists for inaccuracies. Generally this prevents high-level work on cybersecurity.
Wolff masterfully sidesteps these problems. She acknowledges the idiosyncrasies that allowed each breach and then explores the hypothetical in which that idiosyncratic vulnerability was fixed, concluding that another vulnerability would have been exploited. This shifts the frame away from mono-causal analysis (the breach was caused by weak Wi-Fi credentials) towards identifying which part of the attack could've been most easily prevented. Generally, Wolff endorses a nihilistic take on security that says ex-ante measures are impossible to do perfectly and so we should re-orient to post-breach interventions, where there is more scope for deterring attackers.
There's also a very good theme on the blame game following an attack. The best example of which is the OPM breach person (CISO maybe?) who claims she turned the organisation's security around, as evidenced by detecting the breach. This can also be seen in all the lawsuits launched post-breach.
I agree with the other review that says the first part of the book was best. The parts about policy interventions needed more exploration. In the section on responsibilities for developers, she suggests computer systems should reduce functionality and configurability, tending towards secure defaults. I can see the argument behind this, but it imports an assumption that solutions come from the top down and doesn't acknowledge the responsibilities of users acting with local information. For example, the push for "secure passwords" often led to insecure password practices on the part of users (e.g. post-it notes). If you remove the ability of local actors to configure technology, you risk running into similar problems. Similarly, she discusses the need for data to identify which security controls are effective without really exploring what this means. Can we do it with observational data or do we need RCTs? How long will the evidence be valid for? Would everyone adopting the "most effective" control create a homogenising force that increases systemic risk? These kinds of questions are why the cybersecurity policy content needed a whole book.
Overall, a solid cybersecurity book. It was refreshing to read about something other than poorly sourced books on nation-state operations, which seem to comprise the bulk of popular cybersecurity books.
This book explores the topic of cybersecurity and the potential risks and consequences of a cyber attack on critical infrastructure. The author, Josephine Wolff, provides a detailed examination of the current state of cybersecurity and the potential threats that individuals and organizations face in the digital age. The book also examines how readers' increasing dependence on technology and the internet has made us vulnerable to these types of attacks, and the steps that can be taken to mitigate these risks. Additionally, for context, the book opens by providing a brief history of cybersecurity and the evolution of cyber attacks, as well as the role of government, private industry, and individual users in protecting against them. The book targets a general audience with an interest in technology and cybersecurity and aims to educate readers on the risks and best practices to remain safe online.
One of the strengths of the book is the author's ability to make complex technical concepts understandable to the layperson. She explains the intricacies of hacking and cyber attacks in a way that is easy to understand, without dumbing down the material. This easy-to-understand language makes the book accessible to a wide range of readers, from those with a background in cybersecurity to those who are simply curious about the topic. The book begins with an overview of the history of cybersecurity, tracing its origins back to the Cold War and the development of the first computer networks. Wolff then delves into the various types of cyber attacks that exist today, including phishing, ransomware, and state-sponsored attacks. She also discusses the impact of these attacks on individuals, organizations, and governments, highlighting the devastating consequences that can result from a successful cyber attack.
Another strength of the book is the author's use of real-world examples to illustrate her points. She provides detailed accounts of past cyber attacks, including the WannaCry ransomware attack and the Equifax data breach, and uses them to demonstrate the potential consequences of such attacks. This helps to bring the book's message home and makes it feel more relevant and urgent.
One of the most striking aspects of the book is the author's emphasis on the importance of cybersecurity in our daily lives. Wolff notes that as we increasingly rely on technology for everything from communication to banking, we also become more vulnerable to cyber-attacks. She argues that we must take proactive measures to protect ourselves, including practicing safe online habits and investing in cybersecurity tools and software.
The book also covers the role of governments and international organizations in cybersecurity, including the challenges and limitations of international cyber-policy. Wolff highlights the need for international cooperation to combat cyber-crime and the importance of holding individuals and organizations accountable for their actions in cyberspace.
Overall, "You'll See This Message When It Is Too Late" is a well-written and informative book that provides a comprehensive overview of the current state of cybersecurity. The author's expertise and experience in the field make for an engaging read, and the book is suitable for both technical and non-technical readers. The book is a must-read for anyone interested in understanding the potential dangers of cyber attacks and the importance of cybersecurity in our digital world.
Best book on cybersecurity I've read, you essentially get 4 semesters of grad school in one book. Accessible, easy to read, and incredibly useful analysis from the tactical to the strategic. I can't recommend this book enough to anyone with even a passing interest in cybersecurity.
The interesting parts were very interesting and engaging to read, but there is quite a bit of jargon to slog through if you have limited background in cybercrime and cybersecurity policy.
When I first saw the title of this book, I thought of the Warren Zevon song "Things To Do In Denver When You're Dead". While that is a typical sardonic Zevon tune, in You'll See This Message When It Is Too Late: The Legal and Economic Aftermath of Cybersecurity Breaches, author Josephine Wolff (professor of public policy at Rochester Institute of Technology) has written a different sort of work, and a most interesting analysis of how security breaches affect us.
She opens with the astute observation that cybersecurity incidents have a short shelf life. For example, when the FTC first investigated Wyndham Hotels a decade ago, the 50,000 breached records were a large number. Then there was the CardSystems Solutions incident, the Sony breach, followed by the OPM breach, and then Equifax. Last year's mega-breach is this year's not-so-mega breach.
The premise of the book is that people (mistakenly) think there is nothing to be learned from the older, smaller breaches. They think the older breaches used older tactics, which have no relevance to the data security tactics of today. But that is simply not the case.
Yes, attackers are getting smarter and more sophisticated, but there is still a lot to learn from the older breaches, and those are the lessons Wolff showcases throughout the book. And perhaps more importantly, as Dr. Andy Ozment, former White House Senior Director for Cybersecurity of the National Security Council, noted, "it is dangerous to confuse sophistication with effectiveness".
In the book, Wolff looks at a number of breaches and security incidents from 2005 to 2015 and details the lifecycle of how the breach occurred. While the T.J. Maxx data breach of 2007 was blamed on an unpatched wireless router, she writes that to blame an extended, international, multistage financial fraud operation on a single, poorly protected wireless network is to fundamentally misunderstand how many different steps are involved in carrying out what the perpetrators achieved, and to vastly oversimplify the task of defending against such breaches.
A lot of what Wolff does is clear the air about some of the bigger breaches, and detail what really happened. As to the Sony breach, she writes that Sony was a victim of numerous breaches and repeatedly didn't learn any lessons, year after year in which it was breached. With the 2014 breach that brought them to their knees, they decided to paint the breach as the cybercrime of the century and its perpetrators as brilliant, cutting-edge, relentless criminals. While some part of that might be true, Wolff rightfully lays most of the blame on Sony for repeatedly not securing systems to an adequate level.
Every breach has lots of lessons that can be learned in its aftermath. While Sony PlayStation Network chief Tim Schaaff described his breach as "highly sophisticated" and "unprecedented in its size and scope", there was more hyperbole than fact.
Wolff sheds a lot of new light and brings an interesting perspective to some of the biggest (and not so big) breaches of the last 14 years. This is a most interesting read and will change the way you think about information security, and how firms should deal with the inevitable data security breach that will certainly hit them.
The title of this book gives away the core message, but in a very subtle way.
During the first few chapters, the author, Professor Josephine Wolff, walks through a number of high-profile security incidents, affecting public and private sector organisations as diverse as the US Office of Personnel Management, the certificate authority DigiNotar, and the dating website Ashley Madison.
In each case, she describes the technical details of the security breach, the political and organisational landscape of the affected organisation, the key stakeholders (employees, customers, interested parties) and, most importantly, how the incident was reported, mitigated and defended, the latter in the context of the personal, political and financial ramifications.
For me, as a technologist, whilst I initially thought that I was seeking a technical and deep-dive analysis of security breaches, this book made me appreciate the deeper impact of such a breach, especially in the way that organisations seek to spread the blame far and wide.
Additionally, Professor Wolff spends a fair amount of the book looking at the instigators of each breach, and explains how their motives vary from financial gain (perhaps easier to understand) to political and strategic aims (espionage and geopolitics).
This makes the book a very compelling read, and emphasises why this should be on the required reading list for anyone responsible for, or even just interested in, information security.
The book serves to provide a very credible alternative to the image of IT security portrayed by television and the cinema, and sits nicely alongside the reportage provided by the information security industry, and the journalists and analysts who report on its trials and tribulations.
I sincerely recommend this to anyone with more than a passing interest in information security, and give it 10 out of 10 for breadth, depth and detail.
The author does an excellent job reviewing and categorizing nine security breaches into three categories: financial gain, cyberespionage, and public humiliation. In each breach chapter, the author then covers the technical details of the breach (quite readable to a layperson), then the legal and economic costs of each breach. The author concludes with chapters talking about how the various stakeholders (application and software developers, organizations, policymakers, and public at large) can all make changes to enhance cybersecurity.
What I found most interesting, and liked most, about this book is that it is interdisciplinary. As a long-time systems administrator, the legal and economic impacts of the breaches were, for me, mostly unknown. This book does not seek to frighten, but to inform, and to ask the difficult questions that, at this time, have no easy answers.
I took my time with this book, stepping in and out while I read other things. The book is a good summary of key issues in cybersecurity, using case studies to explain the issues. The book provides useful information. The weakest aspect of the book is the discussion of cybercrime prosecutions. For example, in discussing a prosecution against members of Anonymous for intentionally causing damage using DDoS attacks, the author argues that the target computers were not accessed and that the bots, which were the intermediaries for the attack, did not incur financial losses. She's just wrong on that because "access" is not an element of 1030(a)(5), and denial of service attacks cause "damage" by compromising the availability of network resources, often with financial losses.
Interesting look at how companies and government agencies have dealt with data breaches. The non-technical aspects of who to blame, who can help prevent them and why none of that happens are the most interesting.