


How do you predict cyber attacks? Listen to your Cassandras

Aug 04, 2017 | 7 mins
Data and Information Security, Risk Management, Security

Author R.P. Eddy says it is possible to anticipate and prepare for security threats. It requires listening to your data experts and empowering them with the right tools.

Protecting proprietary data and intellectual property has never been a more critical requirement. Bad actors are targeting institutions that have previously been sacrosanct. Their methods have become harder to detect, and the damages inflicted in some cases have dealt near-fatal blows to corporate financials and organizations’ operations.

Take, for example, the North Korea-backed Lazarus hack of the international SWIFT banking system, the worldwide interbank communication network that settles transactions. Consider that hospitals are being targeted with ransomware that holds patient information like blood type hostage, making it impossible for surgical procedures to be performed. Think about the Ukrainian power grid outage, and look at the chaos that ensued during the Verizon acquisition of Yahoo when it revealed 500 million Yahoo user accounts had been compromised and pricing had to be re-negotiated.

All these attacks were enabled in part by the fact that none of the organizations expected to be victims. How can a chief security officer (CSO) or chief information security officer (CISO) anticipate attacks that the organization as a whole doesn’t see coming? Is it possible for them to predict the future?

CSO interviewed R.P. Eddy, CEO of the global intelligence firm Ergo and co-author, with Richard A. Clarke, of the new book Warnings: Finding Cassandras to Stop Catastrophes, to get his insight. The book details several cases of prescient people, whom the authors describe as “modern-day Cassandras” (after the figure from Greek mythology who foresaw disasters), who clearly predicted the Bernie Madoff Ponzi scheme, the 2008 recession, the rise of ISIS and many others. They were all ignored.

CSO:  In your new book Warnings, you lay out a strategy for a government office with a suggested name of National Warning Office, whose specific mission is to forecast future problems and provide warnings to address and possibly avoid catastrophes. How would you advise CSOs/CISOs to create a similar group and build a process to emulate what you’ve suggested for government for their corporation?

Eddy:  The book tells the stories of catastrophes and the Cassandras who were proven technical experts in their fields and used data-driven evidence to support their warnings. This phenomenon had not been discovered before my co-author Dick Clarke identified it. It is one of the only predictive tools of merit I’ve ever seen. There is an absolute dearth of regimented study about how to do prediction. We’re horrible at it. The only place we’re okay with prediction is weather. Forget corporate decision-making. There are tools, but they’re not widely adopted.

In very few instances do people in and around the C-suite think about surprises. Most CEOs aren’t thinking about what’s coming around the corner to punch them in the face. Good CEOs realize this and want information to defend against the surprises. The problem is you go from that CEO with that view to an organization incapable of scratching that itch.

Why not? Three reasons. 1) They’re not designed to do it. They don’t have the right people or the right tools and the right mandate. 2) The right tools don’t really exist or aren’t properly taught. 3) Organizations are strategically surprised because decision-makers aren’t properly aware or tuned in to the warnings they’re getting.


I encourage corporations to form a Warning Office or a Futures Office. In a corporate environment, just as in our government solution, the [forecasting] group needs to be at a high level so they can cut across divisions and not be slowed down by bureaucracy.   

CSO:   Who would be the best people/titles to engage?

Eddy:  I would get my chief risk officer (CRO), my general counsel and my CSO/CISO together and say, “I want to understand how we’re going to foretell surprises. If you want it in an org chart, I want a chief futures officer. I don’t want that person doing pie-in-the-sky about when robots take over. I want them looking for strategic surprise.” The challenge is that in most organizations the CRO is supposed to do this. In reality, they don’t do it because they’re too busy being reactive.

The chief futures officer should report to the board, the CEO. They should look across the organization, look across sectors, across timelines not just short term but also a couple years into the future. They need to have the proper tools, but there are few.

They need to tell everything they do in story form. They will have a hard time convincing CEOs and the board of things that are difficult to see, a future they can’t grasp. For example, you say, “Bernie Madoff is a fraud.” They say, “Impossible, he’s the chairman of the NASDAQ, the NASD, one of the most respected people in the industry.” They can’t envision him being a fraud. You have to tell that story in a narrative format so they get it.

People learn through stories. Corporations need to get better at using the few tools available like basic scenario analysis, virtual markets, Cassandra Theory and applied history. They’re all related. Apply them in concert with usable, actionable tactical intelligence to ward off the threat. Tactical intelligence enables the decision-makers who have been convinced beyond a shadow of a doubt that the threat is real and have allocated sufficient resources toward the fight.

CSO:   What types of threat do you see potentially (or actually) causing problems for the private sector?

Eddy:  There’s a framework we use at Ergo to help organizations see around these corners where we provide the strategic threat in a narrative format. Many threats they hadn’t thought of, and we bring them through those threats with war games, mock headlines in newspapers and clips. We show them how the threat would look and tune in the decision-makers, the board and CEO. Then we identify with them several threats they need to keep their eyes on.


Next, we do contact tactical intelligence collection around those threats globally, and funnel that review back into a living computer system. We can constantly watch the risk flags receding or proceeding. The reason isn’t just to keep track of the risks, which is necessary, but to keep the decision-makers tuned in, empowered with enough accurate intelligence, and ready to make decisions rapidly.

CSO:  Is there anything we haven’t discussed that you want to cover today?

Eddy:  Let’s close by talking about Initial Occurrence Syndrome (IOC). It’s a very important piece of the equation. As complex, thoughtful and lovely as humans like to think humans are, we are not. We are bias-driven animals. We make decisions on bias heuristics all day long.

One of the great biases is IOC, which says, “If I can’t see it, if it hasn’t happened before, I don’t believe it’s going to happen.” If you tell me that my corporation is going to get hacked, every one of my computers will get bricked, and I’ll have to scrounge for ancient Blackberries to communicate with other employees, I don’t believe that because it’s never happened before. The enormousness of the possibility is something I can’t wrap my brain around so I ignore it. IOC blinds people. It’s up to the newly formed Futures Office to provide me with enough accurate, actionable tactical intelligence that will help me see around that corner.

Alyson Behr is a tech writer, editor, and strategic content consultant. With deep roots in testing, industry competitive analysis, and product reviews, Behr has written for numerous IT publications. As a strategic content development expert, Alyson founded and drove the development of Spirent Communication’s sponsored LabRat Magazine, the first publication devoted to the network test and measurement community. Currently, Behr is focused on product/service reviews and consulting to the IT industry. Follow her on Twitter @alysonbehr.
