Cyberspace: Today's Battlefield?
Intro
Corporations often see cyber risk as the proverbial bogeyman that no one can adequately describe. When asked to show an example of an attack, a room full of cybersecurity professionals goes space gray silent, or they opt to refer to some vulnerability scanner results [Scan-I-Am]!
Silence, in many cases, is considered consent, and with that being said, there must be a bogeyman. Either that or we haven't quite figured out that the risk is ourselves.
Which one is it?
I'll let you be the judge!
It's not that cyber risks do not exist or that they cannot be identified and replicated; the issue relates more to how cybersecurity risk has traditionally been communicated to the boardroom and other business stakeholders.
We, as cybersecurity leaders, traditionally communicate our activities as something akin to an insurance policy that protects the organization in the event of an inevitable cybersecurity attack. Is the cyber landscape this simple, and are attacks inevitable for all targets? Is cybersecurity risk management another form of asymmetric warfare?
This write-up aims to define cybersecurity risk by correlating it with military operations. War is a sensitive topic, but bar none, it describes every organization's and person's position every time they enter cyberspace!
Asymmetric Warfare:
Being a veteran, I view cybersecurity and its parts from the battlefield perspective. Many of the terms used in security are borrowed from military strategy. For instance, information security architectures leverage DMZs to house noncritical assets and traps for would-be attackers.
The correlation between cybersecurity risk and war-based risk management sets a precedent for how information security tactics should be deployed and gives us a view into how we should properly define cybersecurity risk.
Before we move ahead, let's define some of the key terms I have already used.
Asymmetric Warfare: Unconventional strategies and tactics adopted by a force when the military capabilities of belligerent powers are not simply unequal but are so significantly different that they cannot make the same sorts of attacks on each other.
Cybersecurity Risk: The risk of depending on cyber resources (i.e., the risk of relying on a system or system elements that exist in or intermittently have a presence in cyberspace).
Cyberspace: A global domain within the information environment consisting of the interdependent network of information systems infrastructures, including the Internet, telecommunications networks, computer systems, and embedded processors and controllers.
Cybersecurity and the war against persons and organizations are nothing more than another form of asymmetric warfare. The only difference is that would-be attackers no longer use guns, bullets, or improvised explosive devices. This war is one of 0's and 1's.
Cybersecurity and Geopolitical Tensions
The Internet is considered a place to gather information or seek entertainment; nevertheless, we must never forget that we are entering a battlespace where wars are raging for the superiority of individuals and nation-states.
As we all know, the pandemic has drastically impacted international and regional economies. The subsequent shutdowns have destroyed supply chains, driving corporate losses and mass layoffs worldwide.
What does this have to do with cybersecurity risk?
Security is traditionally associated with abundance and not lack of supply. As economies contract and world orders change, cybercrime and other forms of crime are likely to increase. Moreover, geopolitical disagreements will lead to an uptick in microaggressions from all sides.
What better place to perform such microaggressions than in cyberspace?
These affronts by nation-states are probably the most significant risk to society. Threat actors supported by these nation-states are well educated and aim their attacks at critical infrastructure.
Note: I would be remiss if I did not mention that many companies have revenues exceeding some countries' Gross Domestic Product (GDP). As a result, their business infrastructure is often entangled with a nation-state's critical infrastructure. Because of this simple fact, companies must consider the economy while understanding their organization's present and future cybersecurity risks.
What questions should we ask ourselves to determine our Cyber Risk?
Since cybersecurity risk is defined as relying on cyber resources to execute an organization's mission, we should keep a series of questions in mind when determining cyber risk for our company. These questions include but are not limited to the following:
- Which cyber resources manage information that, in isolation, may not be critical but in aggregation could be used to compromise sensitive information?
- Which system resources manage critical system functionality? This includes system function and supporting data needed to operate.
- Which cyber resources are responsible for managing public information? Public information could be associated with clients, partners, and/or employees.
- If compromised, which cyber resources could lead to catastrophic loss of availability of the organization's products and/or services?
- Which cyber resources have system interconnections which support the delivery of your products and services?
- Which cyber resources support critical infrastructure? Each country has a definition for what it considers to be critical infrastructure; please do your research. [Here is an example]
- NIST Definition of Critical Infrastructure: Systems and assets, whether physical or virtual, so vital to the U.S. that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health, or safety, or any combination of those matters.
- Which cyber resources are responsible for managing trade secrets?
Asking these questions will begin the process of responsibly categorizing your organization's cyber risk, and it will also help your organization identify critical assets.
What more could you ask for?
Conclusion:
I'm sure that we will revisit the topic of cyber risk in the future; however, I hope my thoughts have given you a deeper understanding of how cyber risk should be determined.
It is not all about the threat vector, unapplied patches, and the newest hack. Cybersecurity stretches into warfare and should be approached strategically. You want to ensure that resources are deployed efficiently to protect targets critical to your organization and the world's economy.
If you are a cyber or business leader, I would love to hear your thoughts on the topic. How does your company define cyber risk? Are they using generally accepted best practices to do so? Please leave it in the comments!
Until next time, let's continue working together to develop cyber solutions that put business and the world's economy first!