Outside:  What are the modern organization’s possible contributions to surrounding outside public enablements and related security there?  [Think:  electrical grid; communications; infrastructure such as roads, etc.]

Inside:  What are your new requirements concerning internal controls and security measures?  [Think:  Malware comprehensiveness and timeliness; firewalls; education, etc.]

In advancing the discussion, recognize that any modern organization with reliance on electronic enablements, applications, processing, content, and the dynamic flow of information, is vulnerable due to both outside liabilities, and inside liabilities.  But further, the organization will face threat with two other distinct characteristics.  There will be national threats (originating outside) that impact inside – and there will be local threats, also with corresponding inside impacts.  Further, there will be your own inside perils, due to deficiencies, deliberate harm, or human error.  We can evolve the following matrix over time for a more comprehensive understanding… and for the taking of appropriate (affordable) action:

Nation-states:  The organization is vulnerable to national threats, as delivered by outside nation-states, both formal ones such as China, as well as virtual “nations” of thought or philosophy or action, such as al-Qaeda.

If you believe the “local” organization – that is, yours – is not susceptible to large cyber threats… read on…

It’s been reported recently that the President of the United States could order a pre-emptive cyber strike if a major cyber plot was detected and deemed credible.  We’re talking about a cyber plot as mounted against the U.S. by a foreign and hostile country or entity.  (In fact, tonight’s (2-12-13) State of the Union address is going to contain mention of cyberwar as a national threat).

This reportage is not in the context of President Obama potentially ordering, or considering, such a strike:  Rather, this was a discussion for the legalities of any president, now or future, for ordering such a strike.  In other words, a general legal and Constitutional question, and potentials for action.  In this regard, The National Intelligence Estimate, considered the intelligence community’s most authoritative document, has been updated and is commissioned to focus on cyber security, with special focus on Iran, North Korea, and China.

Orgs close for inclement weather – will they close for inclement cyber conditions?

So, we’re plowing new ground – and, like it or not, considerations of large-scale cyberwarfare will come to the organization much as considerations of weather do (such as when to close early, when to close entirely, who makes those determinations, etc.)  Consider:  Will there come a day when a specific national or regional CyberThreat is deemed so high that specific geographic areas are advised to shut down computer systems, in order to take them offline and to remove their vulnerability until the threat is successfully resolved?  Computers, critical content, access to apps, and the dynamic flow of information, are necessary to virtually everything we do today:  Banking, commerce, travel, education.  Technical enablements sustain our power grid; any damage to that cascades to critical areas mentioned in the last few articles here.  If national or regional authorities believe some measure of systems supporting the power grid are in a window of vulnerability, might local power “go out” for a period of time?  (Much as it does following a bad storm).

So what are the boundaries by which we can execute cyber operations?  How “preemptive” are we permitted to be?  Former CIA deputy director John McLaughlin says that this is a “new arena, a new frontier, where people can move with stealth, agility, and invisibly.”

The difficult part of “invisibility” is that an enemy can attack, cause great harm, and escape liability or penalty, which in-turn makes it difficult for the attackee to respond, and to mount protection from continued attacks.  See how the removal of a MAD scenario exacerbates the threat (one article down, or here).

As to perils to the local organization, we’re already seeing large, private, high-profile targets being hit:  The New York Times said Chinese hackers had compromised their computers, stealing employee passwords a few weeks ago.  Same for the Washington Post and Wall Street Journal, as they reported similar incidents.

Twitter recently said that 250,000 accounts may have been compromised.  A breach at the Department of Energy came to light when employees were notified that servers had been compromised at their headquarters.  There have been numerous denial-of-service attacks on U.S. banks.

Large, high-profile, organizations and their associated vulnerabilities are pretty well understood inside of those orgs.  But what of small-to-medium business?  SMB is particularly vulnerable.  But beyond nation-states wreaking large-scale harm, SMB faces both inside and outside threats.  Where are their meager resources best-leveraged?

Understanding the problem will advance our discussion in the coming days…

Of course, there’s the nuclear component, and concomitant fear.  But hopefully the MAD policy still provides some measure of protection:  Mutually Assured Destruction.  In MAD, the theory is that if the U.S. or any country and its allies find that their forward-sensing intelligence probes have noted a missile launch, they could then launch their own volley toward the aggressor – each’s missiles traversing and crossing to their respective destinations and  -

BOOM! –  both countries would lose – so why start?

But things aren’t quite so clear with cyberwarfare.  Malware can wreak its destructive vengeance, and then clean up after itself! – hiding its originating trail.  Removed is a certain MAD component, opening the way for all sorts of attacks – perhaps… and it’s not just peril from large-scale wars between countries:  Let’s not forget or discount another cyberwar possibility:  In the future, who’s to say that simple business competitors might not unleash a cyberattack against companies in their market?  It is foolish to discount this possibility.  It may already have happened.

Let’s also consider a recent event:  One minute you’re enjoying a game, the next, half the stadium is dark.  Ok, I’m not a conspiracy theorist, but I couldn’t resist a poke at the recent Super Bowl lighting problem.  Now that many of us have thought about it, though, it well could have been a (relatively harmless) test-hack performed by a country.  For that matter, it could have been a kid in his bedroom.   Nah.  Still…

Here in America over the past couple decades, the Pentagon and a few intelligence agencies have shared power in deploying cyberweapons.  I believe the actual “trigger” for this deployment required Presidential authorization.  The highest profile cyber attack was, perhaps, the strike on Iran’s computer systems that run their nuclear enrichment facilities.  However, we ain’t seen nothin’ yet as far as cyberwarfare’s actual potential.  Potentials of cyberwarfare cannot be ignored – countries not only must safeguard against it; they must envision their use of it (sadly), in staying competitive on the modern, virtual, battlefield – in tandem with the physical one.  And, cyberwar’s yield is hardly just virtual:  For example, removing any measure of a country’s electrical grid would yield catastrophic “real-world” results -

Imagine:  disrupting computers controlling train travel; resultant derailments, to include not only direct crash-related deaths, but the release of toxic chemicals due to crashes.  Attacks on water treatment plants, causing illness and death.  Crashing of the power grid; homes and businesses without power; rotting food, lack of potable water.  Entire industries idle.  Disruption of major media, and critical denial of wartime information, and what to do in terms of safety.  Removal of power would also inhibit basic 911-type emergency response –prioritizations of emergency activity would revert to “line of sight.”   The list can go on and on…

Let this be a call to government and private sector/innovator alike:  We need hardening of critical key infrastructure, and the securing of all electronic enablements.  We must begin building to “cyberproof” standards… or at least, make the best attempt.

In the coming days, we’ll examine what the emerging responsibilities are for organizations:  Your “local” scope of responsibilities and duties is fairly clear, and hopefully covered in your Security, Acceptable Use, and related policies and plans…

So, vis-a-vis cyberwarfare:

Outside:  What are the modern organization’s possible contributions to surrounding public enablements and related security there?

Inside:  What are your new requirements concerning internal controls and security measures?  Stay tuned…

NP:  Gerry Mulligan Meets Stan Getz, original LP, Verve, MG V – 8249

Most people think of cyber crime as identity theft, for purpose of stealing money from online accounts, or perhaps in order to pose as someone else online for whatever reason.  Cyber bullying comes to many people’s minds  That, and outright “hacks” into systems by breaching electronic perimeter defenses, and then exploiting whatever resources are within for the taking.

But there are a number of other nuances.  Routine “spam” is bothersome, but spam also incentivizes other cyber-crime.  Disseminators of spam aren’t particularly interested in paying for their own processing, broadband, and propagation means and infrastructures – and that’s where you (the individual or organization) comes in.  If you’re insecure enough (from a systems and security perspective) to host, automate, and blast spam, then there are plenty of entities out there surveying for you and your associated vulnerabilities.

Credit fraud is big.  A simple keystroke monitor can glean your, or an organization’s, credit card number and authenticating credentials – and away they go.  Recognize that your SSN, address, bank account numbers, and all manner of other info and online accounts can be breached.  Ouch.

There’s also the use of networks and resources for piracy, and the illegal transfer of data and information.  You don’t want your company’s resources used for illegally passing music transfers, or other copyrighted material, for example.  Nor do you or your organization want to be in the middle of electronic money laundering operations or tax evasion schemes.

Certainly government agencies are aware of cyber-terrorism, which can involve access for theft of secrets, flooding and disabling of critical systems, and breakage of systems through intrusion of malware.  Too, false-information can replace legitimate content, confusing those people who rely on these sites for best information, best practices, and  thus there is the subsequent hindering of allied cooperation between supporting/reinforcing agencies.

In 2013 and beyond, the stakes are too high to ignore the first step toward best-security postures:  Modern Awareness.

For our first take-away in this series, recognize that Everyone with online presence should be a Security Officer of sorts.  So, next, we’ll get to an awareness for both individuals and orgs.

 

The Washington Post is reporting that foreign hackers disabled a pump at an Illinois water plant last week, according to the preliminary state report.

If the source of the attack is confirmed as foreign, it will be the first known attack on a critical public (that is, societal) support:  That of water, power, communications, and other essentials such as policing.  

There have been many hacks and harming incidents of various scope and harm in years past, of course.  However, those were squarely within the realm of information’s availability or wellness:  Incidents involving theft of content, destruction/corruption of it, or the interruption of availability to it by harming websites and their availability.

But now, there are entirely new vulnerabilities faced by our government, and subsequently you and your organization.  Any org relies on the steady reliability of public infrastructures and enablements – and we’ve discussed those here in the past.  But what of more mundane, and perhaps likely, concerns for the average organization?

Threats are becoming more sophisticated, and in many cases eclipsing the status of security in even the most “sophisticated” environments (relatively speaking).  What your organization must do is to survey your entire “security bouquet” prior to something that is certain to happen:  Hacktivists, and just general miscreants, are going to shop for companies, agencies, and groups that they can “take down.”  It will be sport.  It will be an attempt to gain mention on the daily news cycle.

Why?  Because if people can do it, they generally will.

Begin with a review of your Acceptable Use policy:  Make certain people in your organization are not opening security vulnerabilities.  They shouldn’t be using work resources to spend time on nefarious sites, nor should they correspond with strangers – new “friends” – outside of any business context – using domain credentials, to include their simple work e-mail address.

They also shouldn’t be posting comments to non-work-related boards or articles with domain credentials – What is being done in the name of your domain? – that could bring the wrong kind of attention to your organization.  Further, when they are on legitimate sites, such as professional support forums, they should take care not to run afoul of Terms of Service elements, nor should they be argumentative or abusive:  There can be definite risk of recrimination from a forum member who decides to seek retribution by a “take-down” of some element of your domain.

Review all security policies, and establish a monthly or quarterly security refresher training.  All actions and activities should be viewed through security’s prism.  Make everyone in the organization a security officer.

NP:  Purple Passages, Deep Purple.

 

Today, any organization is dead without its technical supports.  Even an attack on content – information, business intelligence, data – can put business at risk. 

By “business,” we mean the doing of the doing – your “busy-ness” in furthering and delivering within your mission:  Whether you’re a for-profit private-sector endeavor; a non/not-for-profit org; a government agency; or sole-proprietor.  You have business that needs to be conducted on a daily, ongoing, basis.

Any business can go out of business if it loses any measure of its technical enablements, and/or corresponding content.  Lose it all, and it most definitely will go out of business.

And now comes word of cyber-terror.  What the heck does the local organization do about that??  Eugene Kaspersky is a Russian math genius who founded an internet security apparatus that has been characterized as having a global reach.  He’s a thought leader as regards emerging perils.  According to Sky News, Kaspersky believes “…we are close, very close, to cyber terrorism.  Perhaps already the criminals have sold their skills to the terrorists – and then… oh, God.”

That doesn’t sound too hopeful.  Further, Kaspersky, while attending the London Cyber Conference, told Sky that he believes cyber-terror to be the biggest threat to nations such as China and the U.S.

“There is already cyber espionage, cyber crime, hacktivism (whereby activists attack systems and content for political ends) – soon we will be facing cyber terrorism,” he said.

So – what’s the local organization to do?  There is a need to protect yourself.  With ever-more power and knowledge being available to individuals and small groups, imagine:  Imagine a disgruntled ex-employee wiping out your organization’s assets, for example.  But further:  Can the average organization make a contribution to the larger, surrounding, public security?

I propose a business/tech roundtable in given locales, that meet semi-annually, or perhaps quarterly in high-risk areas (Washington, DC, for example).  Here, business and technology folks, from all levels of diverse organizations, can brainstorm and share ideas of protection, prevention, and where necessary – recoveries.

It’s going to become a necessity:  Already, the Pentagon is on record to state that the U.S. reserves the right to retaliate with military force against any cyber attack.  In a 12-page report to Congress, made public, the Pentagon said:

“When warranted, we will respond to hostile attacks in cyberspace as we would to any other threat to our country.  We reserve the right to use all necessary means – diplomatic, informational, military and economic – to defend our nation, our allies, our partners and our interests.”

The vulnerability is large, being that the Defense Department alone operates more than 15,000 computer networks, with 7 million computers worldwide.

But, again, what of your locale?  What if simple everyday “hacktivists” decided to take down some service providers that were key to you?  It would be awfully uncomfortable to live without e-mail, your online presence, and the services of any other providers such as Cloud hosting, processing, storage, and communications.

It’s something worth thinking about… at least start to think about it –  and where effective, efficient, contributions by your org might be made.

NP:  Black Sabbath, We Sold Our Soul for Rock ‘n’ Roll, original vinyl LP.