Making moves on the cyber chessboard
Jarno Limnell, director of cyber security, Stonesoft
When terms such as Stuxnet show up on primetime crime dramas, you know cyber security has reached the popular consciousness.
U.S. Defense Secretary Leon Panetta's headline-grabbing metaphor of a “cyber Pearl Harbor” quickly gained public and political interest in the debate.
While cyber security legislation has stalled in Congress, the issue's very presence on the legislative floor is important. In this respect, the United States remains ahead of many of the countries in Europe, where a top-level discussion of the importance of cyber security to governments, military, businesses and the civilian populace is disturbingly absent.
While it is important to recognize that cyber security is not simply a military problem (the highest priority targets of any attack, be it from a rogue state or a terrorist organization, are likely to be civilians, critical infrastructure, and businesses), we can certainly learn a lot from how armed forces approach threats.
In military organizations, operations and activities are usually divided into three levels: strategic, operational and technical/tactical. Over the centuries, it has become recognized that sound military operations depend upon strategic considerations informing and driving the two levels below.
Similarly in the cyber security domain, the strategic level should be the number one priority -- providing guidance to the operational level and the tactical level in turn.
It is useful to define what each of these terms means in the cyber domain:
- Strategic considerations: How do cyber attacks affect policies, industry, business decisions?
- Operational considerations: What kind of security procedures, processes, models do we need?
- Technical considerations: How can we solve our security problems technologically?
At the moment, in a whole host of institutions, from medium size corporations to the highest-level global geopolitical organizations, the top-down leadership is simply not happening because of an absence of a strategic discussion on cyber security.
The cyber domain is one where strategic advantage can be won or lost. Since we are not discussing the strategic impacts, we could be handing an advantage to those who wish to harm our businesses and civil institutions.
Just as responsibility ends with the senior officers and the commander-in-chief in a military context, CISOs, CSOs and even CEOs must ensure that the risk factors facing an enterprise are properly managed. To accomplish that task, the executive team must apply the appropriate level of due diligence at a peer-to-peer level, focusing on strategic issues and not just tactical and technical analysis.
There are many unknowns when it comes to understanding prospective cyber attacks. Therefore, a dynamic response is necessary. This requires a critical mind shift. Fundamentally, an organization can never truly be dynamic, possess acute situational awareness and have a flexible foundation unless it has organized itself strategically.
A thorough assessment of the risks of cyber attacks is the first step.
It is difficult to overestimate the potential impacts. A cyber attack on a particular business could cripple that company and even endanger employees and customers, not to mention what an attack on a major city's infrastructure might do. Understanding the potential consequences should spur business and IT leaders to take a “security first” approach to any major IT decisions, be it moving to the cloud, launching new applications or going mobile. As it stands, security against cyber attacks is often an afterthought.
Next, there needs to be a consistent and concerted effort to think offensively. Businesses and other organizations need to realize that 100 percent cyber security is not possible. It's a myth. At some point, a company's infrastructure will be vulnerable to attack. A strategic assessment will make this very clear and help enterprises focus on the best possible defenses, but also the resilience to be able to weather an attack and ensure that hackers cannot paralyze an organization.
A robust defense must be tested and tightened as necessary, using friendly attacks and penetration testing.
It is critical that as a security community we begin a debate around how we should respond strategically to cyber threats. There are so many moving pieces on the world's cyber security chessboard that a focus on the technology behind specific malware and DDoS attacks alone will not be enough to protect us. We need to step back and consider the bigger picture, and put strategy first.