Page 71 - Cyber Warnings
Military personnel don’t defend factories and businesses in cyberspace, and today CISOs face
increasingly dangerous threats. While everyone was paying attention to the Sony hack, which
did create a great deal of media publicity, a potentially far more groundbreaking cyber-attack
took place in Germany. In December of 2014 cyber attackers caused “massive physical
damage” to a German steel mill through a social engineering attack that then bridged across to
production systems.[12] These types of attacks cause physical damage similar to what aircraft
bombs or dynamite from a saboteur would. The attacks on the Ukrainian power grid were
another example of complex, high-level attacks in which a business came under direct attack
that had wide-reaching physical effects.[13] These attacks are only the beginning. As the
importance of cyber-physical systems increases under the often-mentioned term “Internet of
Things,” the importance of attacks on those “things,” whether or not they are traditional IT, also
increases. If CISOs are going to have to defend their business systems, not just from
cyber-criminals but also against nation-state-level cyber attackers, what can be learned from the
traditions of military strategy?
Lesson 1: Operations Must Support Policy
The first major lesson from the great strategic theorists is the importance of ensuring that
operations always serve the larger policy purpose. This is already evident from the definition of
strategy given above by Gray.[14] Clausewitz famously stated that war is a “continuation of policy
with other means.”[15] Security should be a continuation of business objectives, and security for
its own sake makes no more sense to a business than battles fought with no connection to the
overall policy objective of a nation. Of course, the policy objectives of business generally revolve
around profit, although long-term profitability vice short-term profit is normally a wiser objective.
It may help the balance sheet in the short term to cheat on environmental regulations, but the hit
on long-term profitability when the cheating is discovered will normally be much larger than the
short-term boost. For the CISO, staying connected to business objectives often involves finding
the right balance of security, functionality, and finance.
Finding the right level of security that protects the business, while enabling connectivity and the
pursuit of business objectives is one of the most difficult challenges faced by a CISO. The
default answer for most security professionals when confronted by a threat is “lock it down” but
that is often unacceptable to functional business units trying to accomplish their tasks.
Communication is risky, but it is also the whole point of most business systems.[16]
“Vulnerabilities” are often inherent in the design of systems whose purpose is communication,
and closing them down can have significant negative effects.[17] Of course, CISOs can fail just as
easily by leaving systems too open. Finding the right balance, and ways to be secure while still
enabling business processes, is the key.
Furthermore, every person with access to the network must become the equivalent of sentries
who are trained to identify the threats and take immediate action to minimize them. Individuals
must be trained to identify threats such as phishing, as well as behavior that inadvertently
introduces threats to systems. Sometimes plugging a phone into the network, with the intent only
to charge the device, could potentially introduce malware that could compromise critical
systems. Strategic CISOs must ensure training and education are part of their plans. The first
point of connecting tactical actions to business objectives is well understood but is important
Cyber Warnings E-Magazine – May 2017 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide