Further, a tweet indicated that “the whopper flopped” and that BK had thus been sold to McDonald’s.  Several other tweets contained obscenities.

It’s not clear who hacked BK’s account, and I am not implying that it was a “competitor hack” (that is, it was not likely initiated by McDonald’s, or any potential rogue employee of that firm – although the Hamburglar’s criminal tendencies are well-established).

However, this hack has to fit squarely into one of two realms, and it provides a nice entrée to some new definitions for an evolving threat landscape.  Let’s create the concept of a “branded hack” that is unique to this forum – branded hacks that will be handles for discussion, and which will hopefully propagate for ease-of-discussion at orgs, with vendors, with media, etc.:  1)  Competitor-Hack (CH), and  2) Hack-at-Random (HaR).  This is a good opportunity to define these two types of hacks, for purpose of establishing exactly “where we are” in 2013, in getting to where we need to go – these definitions will likely evolve a bit:

New Definitions for New Realities

Competitor-Hack (CH):  This is a directed hack by a business competitor, with a business motivation:  The purpose of disrupting the competition’s ability to conduct competing business through harm to enablements (data, infrastructure, apps, etc.), or to cause damage to any specific competitor’s reputation (such as false Tweets, implanting of false content, false business positions, etc.).  These CHs can include political motivations, and political targets – they include any orgs and/or individuals who compete on some plane.

Hack-at-Random (HaR):  This is an attack that has more of a mischievous spirit as motivator.  Motivators can include humor, bragging rights, or even the preference of Big Macs over Whoppers, or Whoppers over Big Macs – but generally speaking, the people mounting these are not employees or formal representatives of the organizations in question – they are people who mount trouble for sport and fun.

Recognize this:  In discussing cybersecurity a few articles ago, as contained in this post, and as indicated in another post’s matrix, I mentioned that organizations would have to guard against CHs from business competitors.  I also debuted the concept of HaR.  It is easy enough for me to envision these things coming, as immodest as that may sound:  In the realm of risk, unmanaged possibilities become probabilities.

It is easy enough to see that risk is being compounded by three fundamental things that are being driven to everyone:

1)       Power

2)      Affordability

3)      Capability

Ever-more power, affordability, and capability are being driven to very modest “players” and devices.

Ever-more robust hacking tools will be available on rogue “gaming” sites, and the business and sport of hacking is going to explode.  Watch for it – and be positioned to guard against it.

Outside:  What are the modern organization’s possible contributions to surrounding outside public enablements and related security there?  [Think:  electrical grid; communications; infrastructure such as roads, etc.]

Inside:  What are your new requirements concerning internal controls and security measures?  [Think:  Malware comprehensiveness and timeliness; firewalls; education, etc.]

In advancing the discussion, recognize that any modern organization with reliance on electronic enablements, applications, processing, content, and the dynamic flow of information, is vulnerable due to both outside liabilities, and inside liabilities.  But further, the organization will face threat with two other distinct characteristics.  There will be national threats (originating outside) that impact inside – and there will be local threats, also with corresponding inside impacts.  Further, there will be your own inside perils, due to deficiencies, deliberate harm, or human error.  We can evolve the following matrix over time for a more comprehensive understanding… and for the taking of appropriate (affordable) action:

Nation-states:  The organization is vulnerable to national threats, as delivered by outside nation-states, both formal ones such as China, as well as virtual “nations” of thought or philosophy or action, such as al-Qaeda.

If you believe the “local” organization – that is, yours – is not susceptible to large cyber threats… read on…

It’s been reported recently that the President of the United States could order a pre-emptive cyber strike if a major cyber plot was detected and deemed credible.  We’re talking about a cyber plot as mounted against the U.S. by a foreign and hostile country or entity.  (In fact, tonight’s (2-12-13) State of the Union address is going to contain mention of cyberwar as a national threat).

This reportage is not in the context of President Obama potentially ordering, or considering, such a strike:  Rather, this was a discussion for the legalities of any president, now or future, for ordering such a strike.  In other words, a general legal and Constitutional question, and potentials for action.  In this regard, The National Intelligence Estimate, considered the intelligence community’s most authoritative document, has been updated and is commissioned to focus on cyber security, with special focus on Iran, North Korea, and China.

Orgs close for inclement weather – will they close for inclement cyber conditions?

So, we’re plowing new ground – and, like it or not, considerations of large-scale cyberwarfare will come to the organization much as considerations of weather do (such as when to close early, when to close entirely, who makes those determinations, etc.)  Consider:  Will there come a day when a specific national or regional CyberThreat is deemed so high that specific geographic areas are advised to shut down computer systems, in order to take them offline and to remove their vulnerability until the threat is successfully resolved?  Computers, critical content, access to apps, and the dynamic flow of information, are necessary to virtually everything we do today:  Banking, commerce, travel, education.  Technical enablements sustain our power grid; any damage to that cascades to critical areas mentioned in the last few articles here.  If national or regional authorities believe some measure of systems supporting the power grid are in a window of vulnerability, might local power “go out” for a period of time?  (Much as it does following a bad storm).

So what are the boundaries by which we can execute cyber operations?  How “preemptive” are we permitted to be?  Former CIA deputy director John McLaughlin says that this is a “new arena, a new frontier, where people can move with stealth, agility, and invisibly.”

The difficult part of “invisibility” is that an enemy can attack, cause great harm, and escape liability or penalty, which in-turn makes it difficult for the attackee to respond, and to mount protection from continued attacks.  See how the removal of a MAD scenario exacerbates the threat (one article down, or here).

As to perils to the local organization, we’re already seeing large, private, high-profile targets being hit:  The New York Times said Chinese hackers had compromised their computers, stealing employee passwords a few weeks ago.  Same for the Washington Post and Wall Street Journal, as they reported similar incidents.

Twitter recently said that 250,000 accounts may have been compromised.  A breach at the Department of Energy came to light when employees were notified that servers had been compromised at their headquarters.  There have been numerous denial-of-service attacks on U.S. banks.

Large, high-profile, organizations and their associated vulnerabilities are pretty well understood inside of those orgs.  But what of small-to-medium business?  SMB is particularly vulnerable.  But beyond nation-states wreaking large-scale harm, SMB faces both inside and outside threats.  Where are their meager resources best-leveraged?

Understanding the problem will advance our discussion in the coming days…

Of course, there’s the nuclear component, and concomitant fear.  But hopefully the MAD policy still provides some measure of protection:  Mutually Assured Destruction.  In MAD, the theory is that if the U.S. or any country and its allies find that their forward-sensing intelligence probes have noted a missile launch, they could then launch their own volley toward the aggressor – each’s missiles traversing and crossing to their respective destinations and  -

BOOM! –  both countries would lose – so why start?

But things aren’t quite so clear with cyberwarfare.  Malware can wreak its destructive vengeance, and then clean up after itself! – hiding its originating trail.  Removed is a certain MAD component, opening the way for all sorts of attacks – perhaps… and it’s not just peril from large-scale wars between countries:  Let’s not forget or discount another cyberwar possibility:  In the future, who’s to say that simple business competitors might not unleash a cyberattack against companies in their market?  It is foolish to discount this possibility.  It may already have happened.

Let’s also consider a recent event:  One minute you’re enjoying a game, the next, half the stadium is dark.  Ok, I’m not a conspiracy theorist, but I couldn’t resist a poke at the recent Super Bowl lighting problem.  Now that many of us have thought about it, though, it well could have been a (relatively harmless) test-hack performed by a country.  For that matter, it could have been a kid in his bedroom.   Nah.  Still…

Here in America over the past couple decades, the Pentagon and a few intelligence agencies have shared power in deploying cyberweapons.  I believe the actual “trigger” for this deployment required Presidential authorization.  The highest profile cyber attack was, perhaps, the strike on Iran’s computer systems that run their nuclear enrichment facilities.  However, we ain’t seen nothin’ yet as far as cyberwarfare’s actual potential.  Potentials of cyberwarfare cannot be ignored – countries not only must safeguard against it; they must envision their use of it (sadly), in staying competitive on the modern, virtual, battlefield – in tandem with the physical one.  And, cyberwar’s yield is hardly just virtual:  For example, removing any measure of a country’s electrical grid would yield catastrophic “real-world” results -

Imagine:  disrupting computers controlling train travel; resultant derailments, to include not only direct crash-related deaths, but the release of toxic chemicals due to crashes.  Attacks on water treatment plants, causing illness and death.  Crashing of the power grid; homes and businesses without power; rotting food, lack of potable water.  Entire industries idle.  Disruption of major media, and critical denial of wartime information, and what to do in terms of safety.  Removal of power would also inhibit basic 911-type emergency response –prioritizations of emergency activity would revert to “line of sight.”   The list can go on and on…

Let this be a call to government and private sector/innovator alike:  We need hardening of critical key infrastructure, and the securing of all electronic enablements.  We must begin building to “cyberproof” standards… or at least, make the best attempt.

In the coming days, we’ll examine what the emerging responsibilities are for organizations:  Your “local” scope of responsibilities and duties is fairly clear, and hopefully covered in your Security, Acceptable Use, and related policies and plans…

So, vis-a-vis cyberwarfare:

Outside:  What are the modern organization’s possible contributions to surrounding public enablements and related security there?

Inside:  What are your new requirements concerning internal controls and security measures?  Stay tuned…

NP:  Gerry Mulligan Meets Stan Getz, original LP, Verve, MG V – 8249

 

Staying ahead of threats and potentials is the name of the game today…  in the realm of risk, unmanaged possibilities become probabilities.  Therefore, manage your security.

Cyber espionage, the unauthorized surveilling of data or outright theft of it, is a problem in virtually every part of the world utilizing computers and harboring electronic content.

However, what’s happening in China is quite another thing… and may even point to what’s coming to the U.S. and elsewhere.  I hope not.

Security experts warn travelers to China that contents of smartphones can be ripped off in seconds.  “I’ve been told that if you use an iPhone or BlackBerry, everything on it — contacts, calendar, e-mails — can be downloaded in a second. All it takes is someone sitting near you on a subway waiting for you to turn it on, and they’ve got it,” said Kenneth Lieberthal, who is a former senior White House official for Asia. 

In the matter of laptops, you must realize that the Chinese government owns all of the networks – making it very easy to monitor and capture everything going in and out of the country.  Once you jump onto a transport for e-mailing and web browsing – you may as well assume you’ve been compromised.  Many travelers to China have resorted to disposable phones and rented laptops – free of any sensitive data.  Other folks store data on thumb drives, and only use that data on stand-alone computers, completely offline.

And yet, China’s embassy spokesman, Wang Baodong, says, “It’s advisable for all international travelers to take due precautions with their computers and cellphones.  China is not less insecure than other countries.”  I do think he meant to say ‘China is not less secure than other countries’… but the former may indeed be true.

Equal concern for networks and corporate data back home is evidenced by a 2008 incident where Chinese malware was inserted into visitors’ cellphones by remote means.  The cellphones were then carried home, and subsequently infected servers in the U.S.  Thus, there is enormous potential for danger of compromise to all manner of environments.  Amazingly, but perhaps not surprisingly, intrusions have been discovered at the State Department and Defense Department, and those intrusions are alleged to have been from China.

When traveling, consider using a rented laptop devoid of sensitive info.  Work offline with discreet data stored on thumbs.  Consider a rented phone.

If you don’t feel you have particularly sensitive data on your own devices, feel free to take your chances.  However, for corporate business travelers, be certain to protect your patents, ideas, and information. 

And, it’s not just China that presents risks.  For U.S. readers, I would advise that any travel outside the U.S. be done with circumspection.

On this day (Sep. 29^th):  Scotland Yard is formed in London in 1829.

 

The Washington Times has an interesting article about future combat, and its involvement of cyber warfare (Computer-based Attacks Emerge as Threat of Future, General Warns, Sep. 13, 2011).

General Keith Alexander, commander of the U.S. Cyber Command, warns of electronic strikes, yielding widespread power outages.  Too, there is the threat of destruction of physical computers, machines, and allied infrastructure.  Of course, the attendant loss of data and power would likely cause mass chaos in large geographic regions, and recoveries would be hampered.

General Alexander is also the director of the National Security Agency.  He cites among examples an August 2003 electrical outage caused by the simple act of a tree causing damage to two high-voltage power lines.  Software controlling the electrical power grid erroneously entered a “Pause” mode – shutting down power to millions of people across several states.

Amazingly, General Alexander says that cyber attacks are only outranked by nuclear attack or other means of mass destruction.  Maybe the General doesn’t want to alarm anyone too badly, but what of Electro-magnetic Pulse (EMP)?  EMP pairs perfectly with cyber warfare.

In the case of EMP, a modest nuclear burst over the continental U.S. wouldn’t cause much physical damage – and even nuclear fallout would be modest (comparatively speaking for what’s coming next).  But EMP’s destruction would be comprehensive:  All power would be removed from general society.  All data would be wiped out.  All electronic communications, to include computer and phone, would be nonexistent.  Emergency actions would be mounted and prioritized strictly on a “line of sight” basis.

No one would be able to summon help – other than through their voice.  Large regions would soon run out of food and potable water, as there would be no refrigeration and no water plants able to pump water.

A revisit to the last chapter of I.T. Wars might be in order.  The chapter What’s At Stake clearly documents the threats and challenges – and further, suggests what any “local” organization (that is, yours) can do.

It’s worth a thought.

NP:  On this day (Sep. 14^th) in 1916, Christy Mathewson pitched his final game.  He won.