All around the world, governments declare they are gearing up for cyber war. I know, I know, to anyone who has been at this for any significant length of time, many of the news stories we are reading today could have, or should have, been written a decade ago, or more. The term "Cyber war" seems to be on everyone's lips again. (Cue the theme music for "Groundhog Day" - again!) In one way, it is hard to take it seriously anymore; in another way, it is incredible that so many governments sound like they are just getting started, again. Nevertheless, even though the chest-beating seems to be a redux, and much of the blustering rhetoric seems to be recycled, the reality on the virtual ground in cyber space is that the capabilities (the offensive ones, at least) have evolved over the last decade, and so have the opportunities. Furthermore, the appetite to use them seems to have grown apace.
Yes, something is going on in the shadows; indeed, a lot is going on in the shadows. Meanwhile, in the corporate world, the focus has been on implementing "conventional wisdom" defenses against a broad spectrum of threats from phisher-kings and trophy-hunting hackers to dishonest insiders and unscrupulous competitors. "Conventional wisdom" is never a good guide; and certainly not in cyber security. Oh, of course, it is the safe path in and out of the boardroom for that annual review; until the manure actually hits the propellers. Then, well ...
The recent China-Google and Russian Spy Ring headlines drive home a troubling truth: the water is deeper than ever, and rising every fiscal quarter. It is no longer as simple as saying nation states attack nation states or that disgruntled employees are 80% of the problem; the reality is much more complex. Over a decade ago, it became apparent that determining where your internal network ended and the "outside world" began was no longer a simple exercise; then, some years ago, it became apparent that the definition of an "insider" as an employee or an ex-employee had also broken down.
Increasingly, lines are blurred; increasingly definitions are defunct. When China moves against the U.S. government or some large corporate entity (again), or vice versa, or some geopolitical dispute between Russia and one of its former states boils over into the EU, or Latin America or the Middle East erupt in hot cyber war, where will your enterprise be? Will it be in the middle, or on one side or the other? And which side is the right side to be on? I don't mean morally, I mean tactically, and strategically. How can you possibly prepare? How can you possibly justify putting time and grey matter into thinking through what "prepared" would look like? Where is it all going?
My friend and colleague Lawrence Dietz, General Counsel and Managing Director of Information Security for TAL Global Corporation, is also a retired Colonel in the US Army Reserve and a Psyops expert. Dietz and I have been discussing all of this as it has evolved, or devolved, over the years.
I recently interviewed him on his Cyber War Mind Map, for my CyLab Partners Portal Intelligence Briefing. The focus of that interview was on Cyber War in general, and how the Mind Map could be used to think through preparations for the national defense.
In this month's column, we pick up the thread and home in on the implications of Cyber War for the private sector in particular, e.g., what should any large global corporation be thinking about and preparing for, and oh yes, how ...
Richard Power: How are you using the term "cyber conflict" and how would you relate it to the terms "cyber war," "cyber terror," "information warfare," "information operations," etc.?
Larry Dietz: Conflict in my mind refers to what the military calls the spectrum of conflict that ranges from peace to total war. See: http://usacac.army.mil/blog/blogs/reflectionsfromfront/archive/2009/02/09/the-spectrum-of-conflict-a-doctrinal-disconnect.aspx
Cyber War is when a nation state attacks the IT infrastructure of another nation state. These attacks can be against legitimate military targets or the civilian infrastructure and may or may not violate today's existing 'law of war'.
Cyber Terror is a planned campaign of attacks waged by a non-state actor, an external or internal terror group, where they intend to spread fear in a population as a result of cyber attacks, likely used in combination with some kind of physical (kinetic) attack. Terrorists crave publicity and unfortunately cyber attacks are not very photogenic. However, combining cyber attacks to disable traffic systems, power grids, food supply chains, health care facilities, financial institutions (especially with a local effect such as crippling the ATM system) would be effective.
Information warfare is a term that is now out of fashion and relates to dominating the information resources of a target. This could come via cyber attack designed to destroy, degrade or deny access to information as well as by 'propaganda' designed to influence the target's behavior and perceptions.
Information Operations is an official DoD term described in Joint Publication 3-13. Its purpose is to synergize core and allied capabilities to reinforce the Commander's ability to accomplish his mission. Core capabilities include Computer Network Operations (Attack, Exploitation & Defense), Psychological Operations (now called Military Information Support Operations), Electronic Warfare (jamming), and Military Deception (using decoys, simulated radio or traffic or e-mail or SMS, etc.) to deceive a military force.
What is it that commercial sector CSOs should be telling their CEOs, CFOs, board members, etc. about "cyber conflict"?
Dietz: CSOs need to ensure that their senior leaders understand today's world is a dangerous place; dangerous because there is a wide array of dynamic threats and a growing pool of adversaries. Adversaries range from nation states seeking to steal valuable intellectual property, to non-state actors such as terrorists and organized crime seeking to exploit whatever weaknesses they can for their own purposes, whether political or financial, to disaffected individuals of all types who can wreak havoc on IT resources.
Top management needs to be aware that the skill level to cause significant harm is low, that the legal system is generally not able to cope with cyber actions that harm organizations or individuals so that the reward factor for engaging in cyber attacks is high, while the risk factor of being held accountable is comparatively low.
Furthermore top management needs to understand that they will be held accountable for harm to the organization regardless of its source. They also need to be sensitive that they will be held accountable for today's harm in a future world where the legal standards will be much more harsh than they are today.
Prudent management plans for a variety of potential natural disasters such as fire, hurricane, flood and earthquake. They must also extend this planning to the harm caused by cyber attacks of various dimensions.
Just as organizations establish working relationships with police for the security of their employees and assets and fire departments for their safety, they must also consider the governmental relationships they will have to engage when they experience a cyber incident.
Cyber attacks by nations will be the most egregious because Federal Governments will want to involve their Defense Departments or Ministries in addition to law enforcement and judicial officials. This potential encroachment of defense personnel into the IT operations of an organization can have significant actual and perceived effects.
Organizations will have to cooperate with Federal agencies by law, and must understand the associated potential public relations issues such cooperation may cause. Consequently the planning for cyber attacks must be across a broader range of possible adversaries and organizational courses of action than natural disaster plans.
There are clearly certain sectors in which failing to take these issues into account and respond accordingly constitutes a failure in governance. Talk a little about which sectors are particularly vulnerable and therefore require that serious attention be paid. Are there any particular sectors that get a pass on worrying about this? Are there any sectors that can afford to view it as low on their priority list?
Dietz: The Target Matrix that appears below (check critical infrastructure segment list) gives a good overview of different sectors of the critical infrastructure. The nature of the target is a function of the attacker and their objectives. The target mix will vary across the spectrum of conflict. High value intellectual property and data which can be monetized are likely to be high on the list of our enemies along with any information that can help the enemy more easily defeat or negate the operations of our military forces both cyber and conventional.
In general, organizations that have little or no IP or data of value, that are not related to the defense effort and that do not affect the daily lives of the civilian population are likely to be lower down on the target list. An example might be a company that manufactures plumbing supplies used in homes or a non-staple food manufacturer. Paint manufacturers might also fall low down on the list, again with the caveat that they are not related to the defense effort.
Some of those businesses drawn into "cyber conflict" will be little more than collateral damage, some will be primary targets, others will be secondary targets, some will be a means to an end, e.g., an intel source or a back door to the primary target. Flesh out some of the scenarios that "cyber conflict" gaming and preparation should take into consideration?
Dietz: The National Infrastructure Protection Plan (NIPP); National Response Plan (NRP) ... Cyber War - The Republic of Delmarva (ROD) decides it is going to update its submarine fleet. It targets the Country of East New World (ENW) that has just launched a new submarine with a stealth nuclear power plant. ROD's Army has a cyber war unit that launches an array of bots targeting defense contractors and naval organizations with ENW that deal with submarines. The bots are designed to transmit design information back to the ROD through a chain of servers designed to obscure the origin of the attack and the destination of the data. ROD also plants sleeper agents within defense contractors and the ENW Navy department.
Cyber Terror - The Radical Violence Network (RVN) targets an athletic facility in a prominent city. They place a Vehicle Borne Improvised Explosive Device (VBIED) in the evacuation zone (a parking lot) of the athletic facility. They hack into the stadium's sprinkler and alarm system causing the sprinklers to go off. When sufficient crowds gather at the evacuation zone they set off the VBIED. For a more protracted effect they can use two VBIEDs, setting off the second one when first responders get close to it.
Information Warfare - The Nation of Freedom (NOF) decides to give press members a tour of a nuclear facility in order to show its peaceful intent to use its nuclear industry. It has secretly or not so secretly paid leading broadcast journalists in the region to provide favorable coverage. The government releases a story of a medical success using an isotope developed from the nuclear reactor.
Information Operations - take the cyber terror example above. Change the target to a military headquarters and add jamming the cell phones for an electronic warfare component. Add video recordings sent live as the VBIEDs are exploded, much like the Internet streaming of video from the Turkish ship stopped by the Israelis on its way to Gaza.
Over the years, the field of information security has matured: there is a robust body of common policies and standards to adapt, there is a plethora of cyber security technologies to implement, programs are pretty well-defined, the basic building blocks and best practices are documented. So what does this mind map of "Cyber Conflict & the Commercial Sector" alter or add to? How is a program that has taken it into account different from a program that has not?
Dietz: Three key differences are the inclusion of Global Situational Awareness, Common Operating Picture and Legal Consequences. These are essential components in planning for cyber incidents that differ from the more traditional, natural disaster focused planning.
Organizations need a highly focused Global Situational Awareness because they must be sensitive to the adversary universe. The rise of certain adversaries will heighten the threat level and danger to the organization. For example, an organization that experiments on animals needs to know that an organization opposed to that effort has used cyber attacks in conjunction with kinetic attacks to rescue animals.
A common operating picture in this context means the ability to see across the IT infrastructure to understand what possible attacks have been launched against the organization, how effective they have been and best practices concerning defense and mitigation. It would also be useful to know what other organizations have done from the same perspectives. This combined knowledge would help to optimize the organization's actions to secure its personnel and assets.
Lastly, the legal consequences are critical here. If the attacker is a nation state then the organization will have a forced working relationship with its country's defense department. If the attacker is a non-state actor, especially a terrorist, this is likely to mean a protracted relationship with the nation's federal and possibly state or provincial law enforcement and judicial systems.
Long-term relationships within the judicial system, especially those involving criminal prosecution will result in extensive discovery. Organizations need to be zealous and out front so as to protect their intellectual property from exposure and to safeguard the brand against degradation due to governmental interaction and cooperation.
Let's go through some of the elements of the Mind Map, and the issues involved and/or any recommendations you might offer, specifically for commercial sector organizations: Outside Resources and Partners Agreements? Common Operating Picture? Global Situational Awareness?
Dietz: In the event of a serious cyber incident most organizations will not have the organic resources they need to cope with the incident, minimize the harm, absorb the lessons learned to apply going forward and defensively prepare for legal actions as a result of the incident.
Partners who will likely figure into the picture include: federal, state/provincial and potentially law enforcement; outside law firms; data forensics experts; IT recovery resources beyond those already contracted for to deal with potential natural disasters; investigators; security management, executive protection, etc.
Other partners might include hot/cold sites; decontamination (cyber and physical) teams/resources; managed service providers; alternative sources of various goods and services should be considered and if possible negotiated ahead of time. The exact nature of the needed goods and services depends on the organization, the likely threats, geographic location, etc.
Yet one more set of partners are those who might be called upon to deal with the legal aftermath of cyber incidents. Outside specialty counsel, government prosecutors and e-discovery vendors are potential partners for these endeavors.
Evidence Protection and Collection?
Dietz: This is a particularly tricky one. The classic lawyerly answer is "it depends". It depends on the nature of the attacker, the gravity of harm caused and who will be prosecuting for what. Federal prosecutors seeking to prosecute for treason, terrorist acts, war crimes and the like will be particularly aggressive and intrusive.
Resource-poor local prosecutors, especially those with no track record in computer crimes, will likely be less of a challenge.
General Counsel can provide insight as to the level of care and detail the organization needs to consider when planning its evidence collection and data forensics strategy.
Combat forensics will likely be the order of the day during the initial phases of an attack when it is unclear who the attacker is and what legal courses of action are likely to occur once the immediacy of the attack is over and dealt with.
Organizations may opt for expediency in data forensics to help determine the nature and source of the attack that may be vital to mitigating its effects and deterring similar attacks in the future.
Given the lack of precedent, it is difficult to predict what level of data forensics and evidence preservation the federal government will require where they suspect a nation state or terrorist attack.
Critical Infrastructure Sectors:
- Information and communication
- Banking and Finance
- Water Supply
- Transportation (Aviation, Highway, Mass Transit, Pipelines, Rail, Waterborne Commerce)
- Emergency Law Enforcement
- Emergency Fire Services, Continuity of Government
- Electric Power, oil and gas production and storage
- Public Health Services
Source: Critical Infrastructure Protection: Significant Challenges in Developing National Capabilities, http://www.gao.gov/new.items/d01323.pdf, page 28.
Richard Power is a Distinguished Fellow at Carnegie Mellon CyLab and a frequent contributor to CSO Magazine. He writes, speaks and consults on security, risk and intelligence issues. He has conducted executive briefings and led professional training in forty countries. Power is the author of five books. Prior to joining Carnegie Mellon, Power served as Director of Security Management and Security Intelligence for the Global Security Office (GSO) of Deloitte Touche Tohmatsu and Editorial Director of the Computer Security Institute.