Joseph Black a counter-terrorism expert spoke at Blackhat on Cyberwar and the challenges of communicating the threats to leadership. A few core highlights of that talk:
“…toughest thing about predicting terrorist attacks was getting people in power to take the predictions seriously and to do something about it.”
- Similar challenges exist within business organizations where risk landscapes may be incomplete or lack linkages across the enterprise’s business elements and information security programs.
- The media attention to data breaches though may create clarity on this threat.
“Validation of threats will come into your world,” Black said. “There is a delay to that validation. This is the greatest issue you are going to face.”
- Meaning it will occur, but definitive examples and “reasons for deterrence” will not arise until it has already occurred. So appropriate to begin maturing the minimization and management of valuable data and the incident response capabilities…
“…We are moving from the Cold War to ‘code war.'”
- A code war yes for governments, but the driver for business leaders is the notion around businesses and nation states stealing intellectual property (which is defined loosely and inaccurately by many) to create competitive alternatives OR to bolster local quality of life for a unit of people.
There are interesting public examples where digital attacks created an advantage for an attacking force, and achieved the results that would have required military kinetic force. Two examples include the hacking of Syria’s radar software in 2007 that allowed for the bombing of a nuclear reactor (Syrian radar screens were made blank), and Stuxnet that caused the centrifuges to spin aggressively while displaying readings to operators showing normal operation (this caused a multi-year negative impact to these plants).
“…the problem with cyber warfare is the “false flag,” where countries responsible for cyber attacks will be able to plausibly deny responsibility or otherwise shift the blame to a rogue element.”
- Attribution challenges make kinetic responses highly susceptible to trickery / fraud.
The seriousness and sophistication of attack, motivation, and intent against organizations is palpable. The next few years equal sophistication must be applied to deterrence and management of information security.
Other thoughts, research, insights?
– James DeLuccia