CyberSecurity Strategy in the New Era
This is a “personal blog” version, where I’ve added a couple of pictures. Indy’s publication on LinkedIn can be found here. Comments welcome anywhere.
The Russian invasion of Ukraine has been shocking. As a hot conflict it inevitably makes us focus on physical threats. However, it has also necessitated discussions that produced a lot of useful articles about how to improve personal and organisational cybersecurity - in particular how to improve them in response to a raised level of cybercrime and cyberattack activity.
Of particular note we highlight the following articles:
“Russian Cyber Threats: Practical Advice For Security Leaders” from Digital Shadows, which you can read here.
“Links in conflict: to click or not to click” from Kaspersky, which you can read here.
This long piece by Joe Slowik, which also covers how cyber attacks are expected to look.
While it is natural to focus on the issue of the day, as strategic thinkers we must start anticipating the future. Steering clear of gratuitous predictions about the military outcome of the current conflict, we can look at some broader patterns and draw some reasonable conclusions.
Given the wide-ranging sanctions imposed by many countries it seems that the most likely medium-term outcome is a state of increased tension, possibly even a new kind of “Cold War”. Three decades on from the fall of the Berlin Wall we are re-entering a period where there is considerable indirect conflict - but history rhymes more than it repeats. We need to remember that the original Cold War ended (around 1991) before commercial use of the internet really got going. There is no checklist of previous events to use in our preparation. Instead, we need to look at history and project some of the activities of the past into the “cyber” realm that we now depend on.
Firstly, in the Cold War, governments would turn a blind eye to a lot of smuggling activity because it suited some of their covert activities. In this era, the same is true of cybercrime. Some states tolerate it and some actively endorse it, and as tensions rise we will see an increase in the level of attacks.
Some of this will be an increase in targeted attacks; organisations in key sectors - infrastructure, banking and communications - will particularly need to be more aware of determined attackers. Moreover, any organisation with existing or historical links to the region of hot conflict may see more attacks.
Some of this is just an overall increase in attacks, as endorsed groups take advantage of being given licence to act. Organisations might get caught up as collateral damage. The infamous NotPetya outbreak is a good example: it was seeded through a compromised update to a Ukrainian accounting package, yet it went on to cripple multinationals such as Maersk that were caught up in the incident rather than being directly targeted.
Where in the past you might get away with inadequate security just because nobody noticed, this will less and less often be the case, because of the higher levels of criminal activity.
Secondly, we have already seen reports of attacks that look like unofficial conflict actions - for example the recent destructive attack on Viasat satellite modems. Whilst this is only of direct concern if you work in certain sectors, the possibility that such attacks hit infrastructure that you rely on has to be taken into account.
As we saw with the Facebook outage last October, when a routing configuration change withdrew its BGP routes and left its DNS servers unreachable, many basic parts of modern business rely on internet access. The sight of Facebook engineers locked out of their own offices is a dramatic example of this. Closer to home, we’d invite you to consider what would happen if a similar incident affected Office 365. Email, teleconferencing and document sharing could all simply vanish.
Thirdly, many modern organisations are built out of online services. Your suppliers might be impeded or even disappear if their developers or other staff are in countries affected by the current or future conflicts.
The smart response is to not let this crisis go without acting. It’s time to catch up and do all the things you already know you should be doing.
If you’re reading this article you undoubtedly have a list of security tasks or implementations that you should carry out. Hopefully this list is prioritised (if not, then please do contact us), and has just been waiting for the resources and/or the budget to become available. Now is the time to use this crisis as an opportunity to move cyber security work higher up the list of tasks - either your personal list, or to gain access to the corporate resources you need to implement these plans.
But that isn’t enough, and isn’t really strategy. Strategy involves looking to the future, anticipating possibilities, and setting up your organisation to be ready for them.
Too many organisations don’t actually have a strategy. Instead they have an accidentally created (politely called “organically grown”) methodology of lurching from one crisis to the next, usually in response to headlines.
One of the reasons we invoke the Cold War is that we’re looking at a step change in the level of cyber activity that is likely to last for years. As such, the implementation of a Cybersecurity Strategy is not a one-off action. It is an (effectively) infinite game. The days of putting in a huge collective effort (cancelling holidays, everyone working across the weekend) to patch up against a new threat and then relaxing are over. While the cry of “constant vigilance” can sound paranoid, the real implication is that the strategy has to be sustainable. It needs regular attention, not just sporadic boosting.
Across the years new problems will come up, and there needs to be the readiness and capacity to learn how to solve them. Your organisation and the infrastructure it needs will evolve, and the threats will change over time. The strategy must include the capacity to learn and change. This is not just about resources; it is also a psychological commitment, both to putting in the work and to understanding that there is no dopamine hit, no party coming to celebrate the end of this project.
Part of building a sustainable strategy is acknowledging that your effort level is limited. You may one day have to put everything aside to save the organisation, but you can’t afford to do that very often. Thus, sometimes when the level of attacks is high you are going to have to accept that you can’t fix everything straight away. An important strategic decision is to define some crumple zones. Crumple zones are the parts of a car that intentionally buckle on impact to reduce the damage to the passenger compartment. In the same way, a good strategy needs to define the core of the business and focus on keeping it going. When things get really bad, some parts of your setup may need to act as a crumple zone: they’ll get damaged and you’ll repair them later. Deciding in advance which systems are core and which are expendable is far easier than deciding it in the middle of an incident.
It can sometimes seem that we are doomed to repeat the same errors, over and over again. In fact, change is a choice and now is the time to make it. We can choose to pay attention, to build a sustainable setup that enables us to be safe in a dangerous environment and face the evolving challenges therein.
It’s time to build a Cybersecurity Strategy that includes the capacity to learn, the capability to solve new problems and act in new ways.
I greatly enjoyed writing this with Indy, it’s a great way to focus discussion with someone on a subject you’re discussing.