I sat through a presentation recently about cyberwar. Its a topic that engenders a lot of passion in the information security community. There seems to be a natural line drawn between those with previous experience in the military and government and those with primarily private sector experience. The typical military/government professional will attempt to engender a response from those in private industry. Largely those in private industry yawn (I’m excluding government contractors). And I think this is largely the right response.
Generally speaking, I want those in government to care a lot about war and I want private industry to focus on creating value for investors, customers, and other stakeholders. A lot of cyberwar discussions talk about “kinetics” or whether there is physical destruction. In large part, most private sector companies will not be able to withstand any sufficiently effective physical attack. This is due to these organizations subscribing (implicitly or explicitly) to the theory of subsidiarity, which states in part that whatever can be accomplished at the lowest and smallest level of endeavor should so be conducted. Clearly, conducting and participating in war (cyber or otherwise, kinetic or not) is not the domain of the private sector. After all, military action is what our taxes fund (amongst other things). There is history of the private sector being targeted by miltary action; taking out communications or other means of production and/or agriculture is a time-tested technique to bring you opponent to their knees. We don’t typically see this kind of technique in modern warfare, but its common to apply pressure to the citizenry in order to force the hands of the political leaders to yield to their enemy’s demands. In my opinion, this is the form in which we will see cyberwar – attacks against the private sector in order to force the hands of politicians.
So back at the presentation, the speaker responded to the seemingly innocuous question of whether or not we could win the cyberwar. He answered this question with a question: have we ever won a war? Well yes, of course we have. I quickly rattled off a few to the colleagues sitting at the table with me: WWII, WWI (although not well enough to avoid WWII), Civil War, heck the Revolutionary War, etc., etc. If the question was meant, or interpreted to mean will we ever not have cyberwar, then clearly the answer is no, but yes, we can of course win wars and skirmishes that may arise in our future. However there will always be an ever-present threat on the horizon that will demand vigilance at some level.
So how do you prepare for these kinds of skirmishes? Well, it depends on the threats you are defending against. Sophisticated nation states will likely represent the 90th, 95th, 0r even 99th percentile of attackers. To be clear, for most organizations, you can spend yourself into oblivion defending against these kinds of attackers. However, the same organizations are likely not doing an effective job of defending against the strength of attackers at even the 50th percentile of attackers. Like all risk assessments, context matters and none more so than cyberwar. Your organizations’ insurance policies probably don’t even cover acts of war, so if you think that cyberwar is a concern for your organizations then you have more exposure in other places. Security is often surprisingly boring, and here is a great example: to defend against that 90th percentile of attacker, you probably have to start by doing a good job defending against the lower-tiered attackers. Focus on patching, currency, and user access. Its boring but has good payoffs. Attend the conference and enjoy the cyberwar talks, but don’t forget the basics.