Avoid Your Business Being Collateral Damage in a Cyber War

Most organizations don't have the resources to cope with a serious cyber incident

All around the world, governments declare they are gearing up for cyber war. I know, I know, to anyone who has been at this for any significant length of time, many of the news stories we are reading today could have, or should have, been written a decade ago, or more. The term "Cyber war" seems to be on everyone's lips again. (Cue the theme music for "Groundhog Day" - again!) In one way, it is hard to take it seriously anymore; in another way, it is incredible that so many governments sound like they are just getting started, again. Nevertheless, even though the chest-beating seems to be a redux, and much of the blustering rhetoric seems to be recycled, the reality on the virtual ground in cyber space is that the capabilities (the offensive ones, at least) have evolved over the last decade, and so have the opportunities. Furthermore, the appetite to use them seems to have grown apace.

Yes, something is going on in the shadows; indeed, a lot is going on in the shadows. Meanwhile, in the corporate world, the focus has been on implementing "conventional wisdom" defenses against a broad spectrum of threats from phisher-kings and trophy-hunting hackers to dishonest insiders and unscrupulous competitors. "Conventional wisdom" is never a good guide; and certainly not in cyber security. Oh, of course, it is the safe path in and out of the boardroom for that annual review; until the manure actually hits the propellers. Then, well ...

Also see Power's Private Investigations in the Information Age

The recent China-Google and Russian Spy Ring headlines drive home a troubling truth: the water is deeper than ever, and rising every fiscal quarter. It is no longer as simple as saying nation states attack nation states or disgruntled employees are 80% of the problem, the reality is much more complex. Over a decade ago, it became apparent that determining where your internal network ended and the "outside world" began was no longer as simple exercise; then some years ago, it became apparent that the definition of an "insider" as an employee or an ex-employee had also broken down.

Increasingly, lines are blurred; increasingly definitions are defunct. When China moves against the U.S. government or some large corporate entity (again), or vice versa, or some geopolitical dispute between Russia and one of its former states boils over into the EU, or Latin America or the Middle East erupt in hot cyber war, where will your enterprise be? Will it be in the middle, or on one side or the other? And which side is the right side to be on? I don't mean morally, I mean tactically, and strategically. How can you possibly prepare? How can you possibly justify putting time and grey matter into thinking through what "prepared" would look like? Where is it all going?

My friend and colleague Lawrence Dietz, General Counsel and Managing Director of Information Security for TAL Global Corporation, is also a retired Colonel in US Army Reserve, and a Psyops expert. Dietz and I have been discussing all of this as it has evolved, or devolved, over the years.

I recently interviewed him on his Cyber War Mind Map, for my CyLab Partners Portal Intelligence Briefing. The focus of that interview was on Cyber War in general, and how the Mind Map could be used to think through preparations for the national defense.

In this month's column, we pick up the thread, and hone in on the implications of Cyber War for the private sector in particular, e.g., what should any large global corporation be thinking about and preparing for, and oh yes, how ...

Richard Power: How are you using the term "cyber conflict" and how would you relate it to the terms "cyber war," "cyber terror," "information warfare," "information operations," etc.?

Larry Dietz: Conflict in my mind refers to what the military calls the spectrum of conflict that ranges from peace to total war. See: http://usacac.army.mil/blog/blogs/reflectionsfromfront/archive/2009/02/09/the-spectrum-of-conflict-a-doctrinal-disconnect.aspx

Cyber War is when a nation state attacks the IT infrastructure of another nation state. These attacks can be against legitimate military targets or the civilian infrastructure and may or may not violate today's existing 'law of war'.

Cyber Terror is a planned campaign of attacks waged by a non-state actor, an external or internal terror group where they intend to spread fear in a population as a result of cyber attacks likely used to in combination with some kind of physical (kinetic) attack. Terrorists crave publicity and unfortunately cyber attacks are not very photogenic. However, combining cyber attacks to disable traffic systems, power grids, food supply chains, health care facilities, financial institutions (especially with a local effect such as crippling the ATM system) would be effective.

Information warfare is a term that is now out of fashion and relates to dominating the information resources of a target. This could come via cyber attack designed to destroy, degrade or deny access to information as well as by 'propaganda' designed to influence the target's behavior and perceptions.

cyberconflict and the commercial sector cyberconflict and the commercial sector

Information Operations is an official DoD term described in Joint Publication 3-13. It's purpose is to synergize core and allied capabilities to reinforce the Commander's ability to accomplish his mission. Core capabilities include Computer Network Operations (Attack, Exploitation & Defense), Psychological Operations (now called Military Information Support Operations), Electronic Warfare (jamming), and Military Deception (using decoys, simulated radio or traffic or e-mail or SMS, etc.) to deceive a military force.

What is it that commercial sector CSOs should be telling their CEOs, CFOs, board members, etc. about "cyber conflict"?

Dietz: CSOs need to ensure that their senior leaders understand today's world is a dangerous place; dangerous because there is a wide array of dynamic threats and a growing pool of adversaries. Adversaries ranging from nation states seeking to steal valuable intellectual property, non-state actors such as terrorists and organized crime seeking to exploit whatever weaknesses they can for their own purposes whether political or financial and because disaffected individuals of all types can wreak havoc on IT resources.

Top management needs to be aware that the skill level to cause significant harm is low, that the legal system is generally not able to cope with cyber actions that harm organizations or individuals so that the reward factor for engaging in cyber attacks is high, while the risk factor of being held accountable is comparatively low.

Furthermore top management needs to understand that they will be held accountable for harm to the organization regardless of its source. They also need to be sensitive that they will be held accountable for today's harm in a future world where the legal standards will be much more harsh than they are today.

Prudent management plans for a variety of potential natural disasters such as fire, hurricane, flood and earthquake. They must also extend this planning to the harm by cyber attacks of various dimensions.

Just as organizations establish working relationships with police for the security of their employees and assets and fire departments for their safety, they must also consider the governmental relationships they will have to engage when they experience a cyber incident.

Cyber attacks by nations will be the most egregious because Federal Governments will want to involve their Defense Departments or Ministries in addition to law enforcement and judicial officials. This potential encroachment of defense personnel into the IT operations of an organization can have significant actual and perceived effects.

Organizations will have to cooperate with Federal agencies by law, and must understand the associated potential public relations issues such cooperation may cause. Consequently the planning for cyber attacks must be across a broader range of possible adversaries and organizational courses of action than natural disaster plans.

There are clearly certain sectors in which failing to take these issues into account and respond accordingly constitutes a failure in governance. Talk a little about which sectors are particularly vulnerable and therefore require that serious attention be paid. Are there any particular sectors that get a pass on worrying about this? are there any sectors that can afford to view it as low on their priority list?

Dietz: The Target Matrix that appears below (check critical infrastructure segment list) gives a good overview of different sectors of the critical infrastructure. The nature of the target is a function of the attacker and their objectives. The target mix will vary across the spectrum of conflict. High value intellectual property and data which can be monetized are likely to be high on the list of our enemies along with any information that can help the enemy more easily defeat or negate the operations of our military forces both cyber and conventional.

In general organizations that have little or no IP or data of value, that are not related to the defense effort and that do not effect the daily lives of the civilian population are likely to be lower down on the target list. An example might be a company that manufactures plumbing supplies used in homes or a non-staple food manufacturer. Paint manufacturers might also fall low down on the list, again with the caveat that they are not related to the defense effort.

Join the CSO newsletter!

Error: Please check your email address.

Tags cyber attackscyber warsecuritycybercrime

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Richard Power

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts