Steve Andriole
Afghanistan was not the US’s longest war. Not even close. We’ve been at cyberwar for half a century – and we’re losing. Globally, the US is losing, and the homeland is far from safe. Hell, why not just hack a municipality for a few hundred k? It’s easy. There’s no cybersecurity strategy good enough to win a cyberwar. Sure, everyone talks a good game, but the very structure of American (and other businesses around the globe) makes it nearly impossible to, for example, deliberately and significantly reduce EBITDA to prepare for cyber warfare.
It’s Sometimes Horrible to Be Right
“The number of severity of cyberattacks will explode in 2020. Cyberwarfare has now leveled the playing field in industry, in government, and in national defense: why spend ten or fifteen billion dollars on an aircraft carrier when you can disable it digitally? Why spend billions on new product R&D when you can hack into your competition’s strategic plans? Why not just phish around municipalities for a quick $100K? Cyberwarfare is a cost-effective solution to all sorts of problems – and opportunities: cyberwarfare is a revenue stream, a new business model, digital transformation with its own unique flavor … but regardless of inexplicably unheeded warnings, (it’s) much worse than it’s ever been. Why? Simply because it’s the cheapest, easiest, fastest and most effective form of warfare we’ve ever seen, and because cyberwarfare defenses are more vulnerable than they’ve ever been.”
Tom Steinkopf, writing here, offered more predictions:
“Successful ransomware attacks will double.
Misplaced understanding of cloud security will increase risk.
More U.S. state election boards will be hacked.
2020 will bring the rise of securing machine identities.
Phishing will continue to evolve beyond email to SMS and video.”
Hello, Is Anyone There?
So why do long lists of valid threats go unheeded and under-funded? As I’ve reported here frequently, years ago, I assessed a huge enterprise’s vulnerability to cyberattacks. When my team finished its assessment, the results were downright scary. When I took the results to the CFO (to which technology weirdly reported), his only question was, “what’s all this going to cost me?,” which of course was the wrong question.
Cyberwarfare is also inevitable because governments are reluctant to police themselves. Listen to what Andy Greenberg, writing in Wired Magazine in 2019 said about why governments have been unwilling to deal with cyberthreats:
“More fundamentally, governments haven't been willing to sign on to cyberwar limitation agreements because they don't want to limit their own freedom to launch cyberattacks at their enemies. America may be vulnerable to crippling cyberattacks carried out by its foes, but US leaders are still hesitant to hamstring America’s own NSA and Cyber Command, who are likely the most talented and well-resourced hackers in the world.”
As usual, the US is “the best,” but in this case, it isn’t. First,as Nicole Perlroth suggests, there’s the hubris:
“The hubris of American exceptionalism — a myth of global superiority laid bare in America’s pandemic death toll — is what got us here. We thought we could outsmart our enemies. More hacking, more offense, not better defense, was our answer to an increasingly virtual world order, even as we made ourselves more vulnerable, hooking up water treatment facilities, railways, thermostats and insulin pumps to the web, at a rate of 127 new devices per second.”
But way back in 2016, Paul D. Shinkman suggested that “America Is Losing the Cyber War”:
“Russia, China, Iran and North Korea routinely launch cyberattacks on civilian areas, hacking private companies or undermining foreign militaries, using online tools to manipulate information or digital propaganda to shape others' opinions, and employing digital mercenaries to do the work.
“The Chinese military stole U.S. plans to the technically sophisticated F-35 Joint Strike Fighter, allowing Beijing to create the copycat J-31. Hackers with connect-ions to the Iranian government were charged earlier this year for attacks on U.S. banks and a dam in New York. North Korean operatives released a trove of damaging emails from Sony as the entertainment company planned to release a comedy with an unflattering portrayal of the country's leader. And Russia is widely suspected in a hack of the Democratic National Committee that could amount to a bid to undermine the integrity of the upcoming U.S. election … the U.S., as of right now, is not fully prepared to match incidents like these.”
“This inadequate attention is manifest in how infrequently U.S. leaders talk about cyber issues. On congressional defense committees, cyber is essentially an afterthought compared to weapons hardware and military pay and benefits. In the Senate Armed Services press release in May on its fiscal 2020 authorization bill, cyber was barely mentioned at the end.
“Likewise, Bayer and his team found a dearth of cyber references in Navy leaders' speeches and a scarcity of cyber-related events on their calendars.
"You wouldn't even know that cyber is a Top 20 problem," he says.
“Measured in dollars, cyber also does not stack up. Unclassified cyber spending across the federal government in fiscal 2020 budget request totals just over $17 billion, considerably more than it was a few short years ago, but that is only a bit more than 2% of the roughly $750 billion annual national defense budget.”
Is Cyber Warfare the Last Competitive Advantage — & Risk?
You bet it is. There’s not a government or company on the planet that can ignore cyberwarfare and cybersecurity. Everyone must develop both offensive and defensive cyber capabilities. Competitiveness depends upon digital security on every level. Without security, governments and companies cannot operate. Public companies are especially vulnerable because they have shareholders and (sometimes) responsible Boards of Directors looking after the shareholders. Not to mention the entire US infrastructure which whenever a break occurs it’s treated like a Black Swan event, not a pattern or a predictor of things to come. No, just an isolated event to which a response is uniquely crafted.
Even 60 Minutes thinks SolarWinds was a big deal. On Sunday, July 4, 2021, 60 Minutes examined the SolarWinds breach of government systems. The segment felt like a voice crying in the wilderness. As a professional in the field of business technology, I was stunned to hear descriptions of how the attack occurred and how trusted systems management software was used to breach and infect thousands of computers and the networks on which they run. But what stunned me the most was when one of the experts said the only way to guarantee that the virus is completely gone is to replace all of the computers it touched. I was immediately reminded of the CFO’s question: “what’s this all going to cost me?” But then I remembered another axiom: “pay me now or pay me later.” Common sense? Obviously. Commonly shared sense? Not even close. If the SolarWinds breach is not enough to see massive increases in cybersecurity spending and fundamental changes in preparation and response protocols, there’s nothing that will move CFOs to open their wallets or C-Suiters to about face — in spite of how many times they assure their shareholders and customers that everything is under control (when it’s clearly not).
What’s It Going to Take?
Cyber warfare and cybersecurity are human challenges. Not in the traditional definition of “human,” but in the human inability to proactively deal with most anything. Individuals abuse their health even though they know that will “pay later.” Companies underinvest in infrastructure even though they know eventually they will have to “pay later.” How many times do floods occur in exactly the same place? Or why public transportation isn’t there? Or why hospital beds, ventilators, masks and toilet paper can’t be found when we need them most? Or why crisis management is an oxymoron? I wrote about that too:
“How many companies prepare for cyberbreaches, infrastructure failures, terrorist events, environment problems, sexual harassment lawsuits, product safety recalls, social media attacks, regulatory surprises and talent shortages, among lots of other events that everyone knows will occur. Yes, this costs money, but it’s cheaper to prepare than react in a state of chaos. Everyone knows that, right? Then why do so few companies invest in the inevitable? Companies should work from anticipatory playbooks, not reactionary debates over Zoom, Webex, Skype and Teams. But do they? Hardly any.”
“For most of the two decades, crisis-prepared companies were in a small minority: between 5% and 25% of the Fortune 500 companies at most. In other words, at best, 75% of companies are not equipped to manage an unfamiliar crisis. At worst, 95% are unprepared, which, of course, is extremely worrying.”
“Many executives at even well-managed companies secretly believe that they can work their way out of a crisis when the time comes without having a plan beforehand. As a result, they treat crisis preparation as a less-than-useful scenario-planning exercise that, if it must, can be conducted sporadically.”
All this suggests there’s no cybersecurity strategy good enough to win a cyberwar. Sure, everyone talks a good game, but the very structure of American (and other businesses around the globe) makes it nearly impossible to, for example, deliberately and significantly reduce EBITDA to prepare for cyber warfare. Only Congress can spend money – trillions of dollars – to prepare for wars the country will never fight. That’s because the government has no shareholders or Boards of Directors, just lobbyists. Companies simply cannot – even if they actually have the money – invest heavily preparing for crises whose occurrence are uncertain and infrequent, even if the crises are crippling. Once crises occur, of course, there’s always money to fight the competition, the government and hackers, Russian and otherwise. CEOs love to talk about how effective they’re managing the crisis at hand, while shockingly no one ever asks why they didn’t avoid the crisis in the first place or prepare adequately for the crisis before it arrived.
Another reason why 60 Minutes stories like SolarWinds are only “interesting,” is because individual leaders almost always seek immediate tactical gratification, seldom long-term strategic success. That’s because corporate leaders too often optimize personal gratification over long-term corporate health since in all likelihood the leader will be gone in the “long-term.” It’s the same reason why newly public company C-Suiters’ dump stock shortly after their IPO lockups expire. Personal rewards within the control of corporate leaders are usually maximized over long-term corporate rewards (which may have something to do with Gordon Gekko’s famous “greed is good” advice).
If, on the other hand, corporate boards and shareholders insist that management invest in cybersecurity and cyber warfare – regardless of the impact on profitability or prices – things could change, but only if the “insistence” is both positively and negatively incentivized: boards would have to pay C-Suiters to do the right thing – or remove them if they failed to do what they ask. That’s the wakeup call they would take. Until then, we can expect more devastating cyberwars, more denials about who’s to blame and more grandstanding about how well the wars are being managed. All that is also all too predictable.
No comments:
Post a Comment