China Is ‘Prepositioning’ for Future Cyberattacks—and the New NSA Chief Is Worried – WSJ
The article above caught my attention because it does three things – identifies the Chinese as a global adversary bent on winning (whatever that implies to you) and, more abstractly, beats the war drum we have all heard these past few months; that ever-present thump*thump instilled by the war machine and distilled by the media. There is no doubt that they are preparing us, if not for actual war, then for the thought of war so that when something lesser comes, we move more easily in the direction they wish to take us.
But there is a third, hidden message in this article that impacts regular folks, every day and in real-time. It takes our eyes off the ball.
So what does that have to do with cybersecurity and awareness training? Everything.
Cyber-attacks across the globe are a new, dark war with stakes higher than the traditional, limited battlefield. Today, in the wild, nation states, ideological actors and privateers are waging war on our culture, infrastructure and economy with real-world impacts to life and limb as well as regular citizens’ ability to provide for their families and communities.
It is estimated that the bad guys have compromised the network and control systems of public works and other critical infrastructure in every major, technologically controlled municipal system globally. Our waterworks, our fuel distribution systems, and our supply chains have been infiltrated, as have those of our rivals. This new faceless version of war relies on an old kinetic cold war stopgap concept called ‘mutual assured destruction’ and its less formal cousin: ‘they wouldn’t dare because we could…’ – which, in the past, did work. Obviously – since we’re not all living in post-apocalyptic bunkers.
Today there is a new specter looming over our children, more chilling than the mistranslated ‘We will bury you!’ speech Khrushchev delivered to the UN in 1960 that played on every evening news loop, stoking cold war fears and national anti-communist resolve. Today, there is the ever-present threat of someone unknown and unknowable, some actor without political restraint or with anarchist goals who could remotely, and directly, endanger the lives of millions with the simple execution of a string of code from any internet connection.
In the extreme, the thought of a random, singular event is terrifying, however remote the possibility, and we should all be aware of the potential as well as the low probability of a major, disruptive event. You don’t have to be a prepper to be prepared. Covid taught us all that lesson.
All of this nation-state saber rattling is abstract and once, twice or three times removed from our day-to-day operations and strategy sessions. There are real and evident implications when our largest trade partner is our greatest enemy. But we do focus on what we can control, with solid Supply Chain Business Impact Assessments, Market Risk Evaluations, and Business Continuation & Disaster Recovery plans to help us identify, understand and mitigate even abstract risk. This is the cost of doing business in a global economy.
Here is where the noise of the drum distracts from the mission to keep our eyes on the ball.
As I work with clients to identify and treat risk, we consider the likelihood of nation-state events on their business systems depending on scope, scale and industry sector. For most small- to medium-sized businesses, the nation-state action risk is low and tied to the same outcomes their suppliers, clients and competitors would experience in a larger context. This normalization of the risk offsets the need to invest in expensive remediation steps specific to cyber and outside of the regular activity associated with protecting business channels. We don’t ignore it; we just treat it with an appropriate priority.
Our focus is then applied to the highest probability risks which include Business Email Compromise (BEC), supply chain management system disruption and business data exfiltration – all of which require both technical and social/HR remediation or intervention. Ultimately, it comes down to two factors:
- configuring systems to limit the number of possible interactions between bad actors and end-users (gatekeeping)
- building a level of awareness within end-users where identifying anomalies becomes mental muscle memory (awareness training as a culture)
Statistically, we know an average user will err – click or open a potentially malicious URL or file – once every (x) emails (weighted for business market segment, user profile, current tech saturation, tech stack investment, config compliance, etc.). Using that as our baseline, we can compare the number of emails a user will see (e) over time (t) to determine the probability of an event within a set duration (1,000 emails per month for <User 1> and 2,000 per month for <User 2> means <User 2> will reach an event in roughly half the time <User 1> will). This allows us to predict, pretty accurately, how many events will occur over a given duration based on the number of employees, both before we apply remediation and after we’ve engaged in a comprehensive program.
The nature of the mitigation becomes one of kicking the can down the road to elongate the amount of time between today and your next event. The further the can travels, the lower the likelihood of a costly event. AND, we have found, the #1 predictor of event likelihood is not tech stack or configuration but rather employee awareness and adoption of basic cyber hygiene principles. You can spend all your money on the best, most advanced locks, but if your employees hang the key on a peg outside the door, the bad guys can, and will, bypass your security.
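The per-email error baseline described above, worked through as a small model. This is an added example, not code from the original post; the error rates, email volumes and headcount are constructed values, and the model assumes each email is an independent trial (geometric), which the post does not state explicitly.

```python
# Added example: a geometric model of "one error every x emails".
# All numbers below are constructed for illustration.

def prob_event_within(x: int, emails_per_month: float, months: float) -> float:
    """Probability of at least one click/open event within `months`,
    treating each email as an independent trial that fails with
    probability 1/x (one error every x emails)."""
    p = 1.0 / x
    trials = emails_per_month * months          # emails seen in the window
    return 1.0 - (1.0 - p) ** trials            # 1 - P(no error in all trials)


def expected_months_to_event(x: int, emails_per_month: float) -> float:
    """Expected time until the first event: x emails, divided by volume.
    Doubling the volume halves the wait, as the post's User 1 / User 2
    comparison states."""
    return x / emails_per_month


def expected_events(x: int, emails_per_month: float, months: float,
                    employees: int) -> float:
    """Predicted number of events across the workforce over the window.
    Remediation that raises x (fewer errors per email) lowers this,
    which is the 'kick the can further' effect."""
    return employees * emails_per_month * months / x


if __name__ == "__main__":
    baseline_x = 5_000        # constructed: one error per 5,000 emails before training
    trained_x = 20_000        # constructed: one error per 20,000 emails after a program
    user1, user2 = 1_000, 2_000   # emails per month, as in the post's example

    print("Months to first event, baseline:",
          expected_months_to_event(baseline_x, user1),
          expected_months_to_event(baseline_x, user2))
    print("P(event within 12 months), User 1, baseline: %.3f"
          % prob_event_within(baseline_x, user1, 12))
    for label, x in (("before program", baseline_x), ("after program", trained_x)):
        print(f"Predicted events, 50 staff, 12 months, {label}:",
              expected_events(x, user1, 12, 50))
```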
So what should we do?
Analyze. Plan. Practice. Monitor. Revise.
Develop a program in-house or with the help of expert consultants with experience identifying gaps in IT strategy and infrastructure. At a minimum, your IT Risk plan should contain the ability to assess and re-assess your compute environment and the way in which internal and external human resources interact with your data. If Data is the New Oil, then we should treat it as a secure asset the same way we treat tangible assets. After all, you lock your business doors at night. Make sure you are locking your most precious data repositories as well.