Cyber events of the past two years—perpetrated by state actors in several notable cases, according to public statements by the U.S. and British governments— have demonstrated the potential for damaging impact to national security, critical infrastructures, and the global economy.
Electric power distribution, healthcare services, pharmaceutical manufacturing and global shipping have all suffered significant disruptions, in some cases requiring days to even months for full recovery. Databases with all manner of sensitive information with privacy and financial implications have been pillaged even from commercial and government organizations whose entire business models center on the protection of information.
These occurrences have become so common that we are no longer surprised, yet we continue to approach the challenge of protecting processes and data as if some magic technical solution exists for computers or networks. Networks and computers are complex technical systems that are constantly evolving and delivered through an opaque global supply chain, yet we maintain the fantasy that vulnerabilities, improper configurations and compromised sources of products and updates can be prevented, avoided or managed to an acceptable degree. And thus we have the elements of Greek tragedy: a well-meaning hero whose choices lead to bad outcomes that the audience knows to be inevitable.
The pathway to this state of affairs began for many businesses 20 to 30 years ago by replacing basic business functions—such as typing, filing and communications—with individual computers. Organizations consolidated devices and hooked them all together in local area networks and began to consider new ways to manage business processes.
And then they hooked all of this to the internet and made further changes to processes and developed new ways of doing business or even new kinds of businesses. As the internet developed further—for example, with cloud computing—they found further economies of scale and efficiency. In the course of doing all of this, they considered to some degree the new risks incurred by the exposure of systems and data to a global community, but they primarily put resources into managing just the technical flaws of computers and networks.
In the early days of the internet, we often dismissed hackers as a bunch of “kids” who understood basic computers but not “sophisticated” business environments. By now, we should know better. These “kids” have demonstrated that they are technically adept, highly focused and criminally ambitious. Organized crime has capitalized on this community of young talent and opportunities provided by global connectivity and the opacity of cyberspace.
The previously noted attribution of cyber events to state actors with vast resources indicates that states too now see cyberspace as a means of coercion and influence through special operations, and perhaps as an element of broader, strategic capabilities. All of which puts business and critical infrastructure into the bull’s-eye.
What organizations have not done on a consistent or systematic basis is manage the risks and interdependencies of their data and business processes. Managing the technical flaws remains essential, but now they must make the additional investment in “operational business security.”
This might involve reconfiguring business processes and investing in procedures needed to manage the risks from global connectivity and unprecedented concentrations of data so that the business might avoid irreversible losses, sustain key operations and resume other normal processes quickly. (Also see Rick Ledgett’s Cipher Brief column on the need to practice intrusion responses).
Preparation requires a comprehensive evaluation of essential business resources, separating the different business elements by criticality and degree of risk exposure, using different criteria of protection than are typically used. For example, firewalls have been used to separate different parts of networks; however, malicious cyber actors have proven adept at overcoming these and other technical cyber security measures.
Encryption of data is often a good idea but is of no help if the adversary gains access through the compromise of the access or credentials of an authorized user. Some elements of the business should be more thoroughly protected by additional layers of isolation, authorization, distribution, or redundancy.
A business process may not require two-way sharing of data (as in the case of industrial control systems, for example). Data might not need to exist all in one place (or perhaps not exist at all). One set of credentials should perhaps not be sufficient to enable access, data transfer or any critical process. Software from third parties without a direct trust relationship should perhaps be isolated from mainline business processes. (Consider the impact of Ukrainian tax software compromised by NotPetya last June.)
Backup data and procedures must be ready to step in within established bench marks of time and scale depending on their criticality and the availability of resources. The restoration process may require separate, isolated emergency management networks that can be used to automate the rebuilding of large-scale or distributed primary networks.
Temporary, less automated procedures may need resources in place to serve as a bridge on the way to recovery. Backup procedures may be required to compensate for the loss of capabilities or services from a partner organization. Time-critical systems may need redundant systems and communication paths (as airline reservation systems have demonstrated on multiple occasions) or even backup utilities, such as power, water, and fuel.
Like a Greek tragedy, cyber disasters in retrospect typically have obvious causes and effects followed by second guessing about why certain types of risks had been judged to be acceptable. The additional investment needed to counteract these threats will undercut some of the economic advantages of using internet resources; however, recent events highlight the existential costs of being unprepared, with the long-term investment in preparation a bargain by comparison. For example, we have seen some organizations lose irreplaceable personally identifiable information, while others have spent weeks with “all hands on deck” to restore operations or lost months of manufacturing capability of key products.
None of these ideas are new; critical organizations that provide services across the entire financial sector and national security systems have adopted many of these steps. But even these organizations with experience in global high-end risk management fall into traps of ill-advised concentration or connectivity risks, and may miss insider or supply-chain threats.
What events of the past two years have demonstrated is that all organizations must go through a fundamental reevaluation of how business is conducted. We need to transcend the narrow conversation of “cyber security” and instead look at “operational business security” for entire organizations and their partners.