Outside:  What are the modern organization’s possible contributions to surrounding outside public enablements and related security there?  [Think:  electrical grid; communications; infrastructure such as roads, etc.]

Inside:  What are your new requirements concerning internal controls and security measures?  [Think:  Malware comprehensiveness and timeliness; firewalls; education, etc.]

In advancing the discussion, recognize that any modern organization with reliance on electronic enablements, applications, processing, content, and the dynamic flow of information, is vulnerable due to both outside liabilities, and inside liabilities.  But further, the organization will face threat with two other distinct characteristics.  There will be national threats (originating outside) that impact inside – and there will be local threats, also with corresponding inside impacts.  Further, there will be your own inside perils, due to deficiencies, deliberate harm, or human error.  We can evolve the following matrix over time for a more comprehensive understanding… and for the taking of appropriate (affordable) action:

Nation-states:  The organization is vulnerable to national threats, as delivered by outside nation-states, both formal ones such as China, as well as virtual “nations” of thought or philosophy or action, such as al-Qaeda.

If you believe the “local” organization – that is, yours – is not susceptible to large cyber threats… read on…

It’s been reported recently that the President of the United States could order a pre-emptive cyber strike if a major cyber plot was detected and deemed credible.  We’re talking about a cyber plot as mounted against the U.S. by a foreign and hostile country or entity.  (In fact, tonight’s (2-12-13) State of the Union address is going to contain mention of cyberwar as a national threat).

This reportage is not in the context of President Obama potentially ordering, or considering, such a strike:  Rather, this was a discussion for the legalities of any president, now or future, for ordering such a strike.  In other words, a general legal and Constitutional question, and potentials for action.  In this regard, The National Intelligence Estimate, considered the intelligence community’s most authoritative document, has been updated and is commissioned to focus on cyber security, with special focus on Iran, North Korea, and China.

Orgs close for inclement weather – will they close for inclement cyber conditions?

So, we’re plowing new ground – and, like it or not, considerations of large-scale cyberwarfare will come to the organization much as considerations of weather do (such as when to close early, when to close entirely, who makes those determinations, etc.)  Consider:  Will there come a day when a specific national or regional CyberThreat is deemed so high that specific geographic areas are advised to shut down computer systems, in order to take them offline and to remove their vulnerability until the threat is successfully resolved?  Computers, critical content, access to apps, and the dynamic flow of information, are necessary to virtually everything we do today:  Banking, commerce, travel, education.  Technical enablements sustain our power grid; any damage to that cascades to critical areas mentioned in the last few articles here.  If national or regional authorities believe some measure of systems supporting the power grid are in a window of vulnerability, might local power “go out” for a period of time?  (Much as it does following a bad storm).

So what are the boundaries by which we can execute cyber operations?  How “preemptive” are we permitted to be?  Former CIA deputy director John McLaughlin says that this is a “new arena, a new frontier, where people can move with stealth, agility, and invisibly.”

The difficult part of “invisibility” is that an enemy can attack, cause great harm, and escape liability or penalty, which in-turn makes it difficult for the attackee to respond, and to mount protection from continued attacks.  See how the removal of a MAD scenario exacerbates the threat (one article down, or here).

As to perils to the local organization, we’re already seeing large, private, high-profile targets being hit:  The New York Times said Chinese hackers had compromised their computers, stealing employee passwords a few weeks ago.  Same for the Washington Post and Wall Street Journal, as they reported similar incidents.

Twitter recently said that 250,000 accounts may have been compromised.  A breach at the Department of Energy came to light when employees were notified that servers had been compromised at their headquarters.  There have been numerous denial-of-service attacks on U.S. banks.

Large, high-profile, organizations and their associated vulnerabilities are pretty well understood inside of those orgs.  But what of small-to-medium business?  SMB is particularly vulnerable.  But beyond nation-states wreaking large-scale harm, SMB faces both inside and outside threats.  Where are their meager resources best-leveraged?

Understanding the problem will advance our discussion in the coming days…

Of course, there’s the nuclear component, and concomitant fear.  But hopefully the MAD policy still provides some measure of protection:  Mutually Assured Destruction.  In MAD, the theory is that if the U.S. or any country and its allies find that their forward-sensing intelligence probes have noted a missile launch, they could then launch their own volley toward the aggressor – each’s missiles traversing and crossing to their respective destinations and  -

BOOM! –  both countries would lose – so why start?

But things aren’t quite so clear with cyberwarfare.  Malware can wreak its destructive vengeance, and then clean up after itself! – hiding its originating trail.  Removed is a certain MAD component, opening the way for all sorts of attacks – perhaps… and it’s not just peril from large-scale wars between countries:  Let’s not forget or discount another cyberwar possibility:  In the future, who’s to say that simple business competitors might not unleash a cyberattack against companies in their market?  It is foolish to discount this possibility.  It may already have happened.

Let’s also consider a recent event:  One minute you’re enjoying a game, the next, half the stadium is dark.  Ok, I’m not a conspiracy theorist, but I couldn’t resist a poke at the recent Super Bowl lighting problem.  Now that many of us have thought about it, though, it well could have been a (relatively harmless) test-hack performed by a country.  For that matter, it could have been a kid in his bedroom.   Nah.  Still…

Here in America over the past couple decades, the Pentagon and a few intelligence agencies have shared power in deploying cyberweapons.  I believe the actual “trigger” for this deployment required Presidential authorization.  The highest profile cyber attack was, perhaps, the strike on Iran’s computer systems that run their nuclear enrichment facilities.  However, we ain’t seen nothin’ yet as far as cyberwarfare’s actual potential.  Potentials of cyberwarfare cannot be ignored – countries not only must safeguard against it; they must envision their use of it (sadly), in staying competitive on the modern, virtual, battlefield – in tandem with the physical one.  And, cyberwar’s yield is hardly just virtual:  For example, removing any measure of a country’s electrical grid would yield catastrophic “real-world” results -

Imagine:  disrupting computers controlling train travel; resultant derailments, to include not only direct crash-related deaths, but the release of toxic chemicals due to crashes.  Attacks on water treatment plants, causing illness and death.  Crashing of the power grid; homes and businesses without power; rotting food, lack of potable water.  Entire industries idle.  Disruption of major media, and critical denial of wartime information, and what to do in terms of safety.  Removal of power would also inhibit basic 911-type emergency response –prioritizations of emergency activity would revert to “line of sight.”   The list can go on and on…

Let this be a call to government and private sector/innovator alike:  We need hardening of critical key infrastructure, and the securing of all electronic enablements.  We must begin building to “cyberproof” standards… or at least, make the best attempt.

In the coming days, we’ll examine what the emerging responsibilities are for organizations:  Your “local” scope of responsibilities and duties is fairly clear, and hopefully covered in your Security, Acceptable Use, and related policies and plans…

So, vis-a-vis cyberwarfare:

Outside:  What are the modern organization’s possible contributions to surrounding public enablements and related security there?

Inside:  What are your new requirements concerning internal controls and security measures?  Stay tuned…

NP:  Gerry Mulligan Meets Stan Getz, original LP, Verve, MG V – 8249

Back in my misspent youth, us kids used to ride our bikes as fast as we possibly could, trying to leave group members behind.  The slowpokes invariably whined… “Hey!”… “Wait up!”… and if we could actually get someone to cry, so much the better!  We’d laugh maniacally, looking back over our shoulders at our hapless slower counterparts.  Oh, the inhumanity! 

My father once saw a group led by me, leaving my little brother behind – and he heard my brother’s protestations.  Upon return to home, I was punished – banished to my room for some measure of time – with the stern counsel of my father, “Never leave your brother behind.”

Some folks and organizations are pedaling pretty fast these days, in trying to stay up with, and ahead of, the pack in matters of security:  Trying to keep up with best and burgeoning practices, and trying to stay ahead of new threats and potentials of harm.  But many surprising entities are at the back, and if they ain’t cryin’ yet, they soon may be.

Consider this:  “Cyber-cops” in the U.S. were surprised, caught off-guard, by a case of cyber-espionage thought to be unprecedented in scope and size.  It’s been described as a five year hacking scheme (five years!), as mounted and exercised by a single “state actor.”  The espionage targeted computer systems of the U.S. government, United Nations, defense firms and private industries.  The state actor is thought to be China, but that info hasn’t been released.

Hmmm… did some measure of government agency discover the hacking?  Perhaps some U.N. security expert?  Or surely one of those leading defense or private industries had some proactive, forward thinking, cybercop scanning and discovering the breaches (after five years!)?  Sorry to report, but it was McAfee.  According to Fox News, McAfee’s vice president of threat research, Dmitri Alperovitch, said “Even we were surprised by the enormous diversity of the victim organizations and were taken aback by the audacity of the perpetrators.”

Mr. Alperovitch’s report indicated 72 victims of the spying, 49 of which were American agencies and firms, during which massive losses of information occurred – there is potential for a huge economic threat.  We must recognize too that state actors don’t rest – just because this five year effort has been busted, they’re constantly evolving their spying means and mechanisms.  A U.S. official has confirmed the espionage and theft, and as pertains to McAfee’s report, told Fox “The report is fairly accurate.”

If McAfee’s report is correct, our government didn’t learn of a successful multiyear cyber-spying effort from its own internal cyber-police, but from McAfee.  What’s embarrassing, and scary, is that Janet Napolitano, head of the Department of Homeland Security, became aware of the McAfee report – and large scale breach – only on the same day the report was released to the press.  She further said, “We obviously will evaluate it and look at it and pursue what needs to be pursued.”  Obviously.  The White House has been briefed, so too has the U.S. Cyber Command at Ft. Meade, MD, and on and on…  lotsa people pedaling on this block, you see. 

Just not very fast:  National Security Agency director General Keith Alexander serves as the head of the Pentagon’s new Cyber Command.  He has stated that our military may not have the present capability to safeguard Pentagon networks from cyber-attack.  “The Department has a shortfall of cyber force capacity to plan, operate, and defend its networks and ensure freedom of action and maneuver for our nation in cyberspace.  Additionally, we are still discussing across the Administration how to best defend against a ‘Cyber 9/11′ that affects our critical infrastructure and beyond.”

Private industry is vulnerable too:  Lockheed Martin was the victim of a cyber hack earlier this year, as well as others. 

What does this mean for you?  Beyond “state actors” (such as China), and dedicated teams targeting private industry (such as the insiders referenced in yesterday’s article), there are malicious hackers who are simply out for fun.  They’re looking for websites and networks to hack just for the opportunity to wreak havoc.  All of these levels are pedaling at a fast clip, looking to breach, steal, and harm – and likely… laughing maniacally with each success, at the expense of those at the back of the pack.

How fast are you pedaling?

On this day (Oct. 11^th):  The Juliana, 1^st steam-powered ferryboat, begins operation in 1811.