How Your Business Can Avoid Being Collateral Damage In A Cyber War
Larry Dietz talks to Richard Power about critical infrastructure and how businesses should think about digital conflict
By Richard Power
August 23, 2010 — CSO —
All around the world, governments declare they are gearing up for cyber war. I know, I know, to anyone who has been at this for any significant length of time, many of the news stories we are reading today could have, or should have, been written a decade ago, or more. The term "Cyber war" seems to be on everyone's lips again. (Cue the theme music for "Groundhog Day" - again!) In one way, it is hard to take it seriously anymore; in another way, it is incredible that so many governments sound like they are just getting started, again. Nevertheless, even though the chest-beating seems to be a redux, and much of the blustering rhetoric seems to be recycled, the reality on the virtual ground in cyber space is that the capabilities (the offensive ones, at least) have evolved over the last decade, and so have the opportunities. Furthermore, the appetite to use them seems to have grown apace.
Yes, something is going on in the shadows; indeed, a lot is going on in the shadows. Meanwhile, in the corporate world, the focus has been on implementing "conventional wisdom" defenses against a broad spectrum of threats from phisher-kings and trophy-hunting hackers to dishonest insiders and unscrupulous competitors. "Conventional wisdom" is never a good guide; and certainly not in cyber security. Oh, of course, it is the safe path in and out of the boardroom for that annual review; until the manure actually hits the propellers. Then, well ...
The recent China-Google and Russian Spy Ring headlines drive home a troubling truth: the water is deeper than ever, and rising every fiscal quarter. It is no longer as simple as saying nation states attack nation states or disgruntled employees are 80% of the problem, the reality is much more complex. Over a decade ago, it became apparent that determining where your internal network ended and the "outside world" began was no longer as simple exercise; then some years ago, it became apparent that the definition of an "insider" as an employee or an ex-employee had also broken down.
Increasingly, lines are blurred; increasingly definitions are defunct. When China moves against the U.S. government or some large corporate entity (again), or vice versa, or some geopolitical dispute between Russia and one of its former states boils over into the EU, or Latin America or the Middle East erupt in hot cyber war, where will your enterprise be? Will it be in the middle, or on one side or the other? And which side is the right side to be on? I don't mean morally, I mean tactically, and strategically. How can you possibly prepare? How can you possibly justify putting time and grey matter into thinking through what "prepared" would look like? Where is it all going?
My friend and colleague Lawrence Dietz, General Counsel and Managing Director of Information Security for TAL Global Corporation, is also a retired Colonel in US Army Reserve, and a Psyops expert. Dietz and I have been discussing all of this as it has evolved, or devolved, over the years.
I recently interviewed him on his Cyber War Mind Map, for my CyLab Partners Portal Intelligence Briefing. The focus of that interview was on Cyber War in general, and how the Mind Map could be used to think through preparations for the national defense.
In this month's column, we pick up the thread, and hone in on the implications of Cyber War for the private sector in particular, e.g., what should any large global corporation be thinking about and preparing for, and oh yes, how ...
Richard Power: How are you using the term "cyber conflict" and how would you relate it to the terms "cyber war," "cyber terror," "information warfare," "information operations," etc.?
Larry Dietz: Conflict in my mind refers to what the military calls the spectrum of conflict that ranges from peace to total war. See: http://usacac.army.mil/blog/blogs/reflectionsfromfront/archive/2009/02/09/the-spectrum-of-conflict-a-doctrinal-disconnect.aspx
Cyber War is when a nation state attacks the IT infrastructure of another nation state. These attacks can be against legitimate military targets or the civilian infrastructure and may or may not violate today's existing 'law of war'.