但实际上艾尔帕洛维蒂奇修改这句话，是意有所指的。在布什和克林顿政府任职的前白宫安全顾问理查德·克拉克，同意这句新的三段体话。他刚与奥巴马政府的网络主管罗伯特·柯内克合写了一本书《第五领域》（The Fifth Domain），书中提到网络已经成为继陆地、海洋、天空和外太空之后的最新的战争威胁。
Attend any cybersecurity confab, and you’ll encounter some version of the following refrain. “There are two types of companies in this world: those that have been hacked and those that don’t yet know they’ve been hacked.”
The phrase that launched a thousand quips was coined by Dmitri Alperovitch, a Moscow-born entrepreneur and one of the world’s foremost hacker-sleuths. In 2011, as head threat researcher at antivirus pioneer McAfee, he created the classification while investigating—and publicly revealing—half a decade’s worth of cyberattacks on more than 70 organizations, including defense contractors, tech companies, and the United Nations.
Now the huff of resignation is due for an update. “I’ve since modified that phrase,” Alperovitch tells Fortune. “The first two companies still exist, but now there’s a third type that’s able to successfully defend itself against intrusion.” Ah, hope yet!
One could write off Alperovitch’s addendum as a savvy sales pitch. As the cofounder and chief technology officer of CrowdStrike, a cybersecurity company that stunned investors with a share price–popping IPO in June, there’s no wonder he’s feeling a bit of good cheer.
But there’s something to Alperovitch’s revision. Richard A. Clarke, former White House security adviser to both Bushes and to Clinton, agrees with the new, tripartite framing. He says as much in his just-published book, coauthored with Obama cyber lead Robert K. Knake, The Fifth Domain—a reference to cyber as the newest theater of war, after land, sea, air, and space.
Consider NotPetya. The devastatingly global computer-wiping attack, which Russia released on the world in 2017, caused billions of dollars of damage to corporations such as FedEx, Maersk, and Merck.
But not all firms succumbed. “What you don’t hear about is the list of American companies that were there doing business in Ukraine”—ground zero for the attack—“that didn’t get damaged,” Clarke says. Firms like Boeing, DowDuPont, and Johnson & Johnson “were the dogs that didn’t bark, and in our book, we tried to figure out why.”
So, what separates the hacks from the hack-nots? At a technical level, the unharmed firms had patched their machines against the vulnerability exploited by NotPetya. But a more fundamental question is, Why did some companies patch, while others neglected to?
In a word: prioritization. The most resilient organizations have buy-in across the—literal—board. Any executive who blocks a chief information security officer better have a damn good reason. The CEO will surely hear about it.
That’s good defense, but what if companies could punch back? That’s what some members of Congress are proposing in a piece of legislation known as the “hack back” bill, which would allow companies to probe an attacker’s computer and destroy stolen data.
Mark Mao, head of privacy practice at Troutman Sanders, an Atlanta law firm, is a cautious proponent. “Personally, I don’t think it’s a bad idea,” he says. “To me, it’s like a cyber Second Amendment.” (He adds that it would have to be “limited” and that “a lot of the details would have to be worked out.”)
Mao draws a comparison to nuclear stalemates. “Deterrence works because nobody wants to be nuked,” he says. “Most hackers get away with [it] because there’s no retribution in any way.”
But most cybersecurity industry insiders agree that if the hack back bill became law, the results would be a fiasco. Sandra Joyce, head of intelligence at cybersecurity firm FireEye and a U.S. Air Force reservist, disapproves. “The last thing we need is to add well-intentioned rookies into the mix,” she says, noting the dangers of misidentifying attackers and the threat of tit-for-tat escalation. It’d be “releasing a vigilantism fraught with risk.”
The bill, she says, represents “the voice of the commercial sector that has felt very neglected. It’s a signal of frustration.”
The vexation is understandable. Worldwide spending on cybersecurity is expected to grow about 9%, to $124 billion this year, according to Gartner. And the breaches seem to just keep coming.
Companies don’t need to bankrupt their coffers to keep hackers from bankrupting them. Clarke says companies that spend 8% to 10% of their IT budget on cybersecurity tend to be best in class.
But even this price tag is not always necessary to outrun the proverbial bear. Alperovitch says he knows of one Fortune 500 customer in the hospitality business that spends a mere $11 million annually to defend itself, and he is convinced that it’s among the most secure he has ever seen.
At that particular concern, the chair of the board gave his cell phone number to the company’s chief information security officer and included a message: “Call me anytime, day and night, if anyone says no to you.”
As Alperovitch puts it: “At that organization, no one tells him no.”
A version of this article appears in the August 2019 issue of Fortune with the headline “The Corporate Fortress.”