Showing posts with label war games. Show all posts

Sunday, July 15, 2012

No Day at the Beach: The Rationale for Breach Practice


Here in the Northern Hemisphere, where approximately 90% of SGSB readers reside, it's summer. In Europe (pre-financial-crisis Europe, anyway), it's time to throttle back and head for the beach. In the US and other parts of the world where long breaks are less common, beach time remains, for most, a scarce commodity.

Certainly with record heat waves driving air conditioning use way up, energy workers need to be on their toes, not dipping their toes in ponds, lakes or oceans.

Because I subscribe to McKinsey & Company's Quarterly cybersecurity newsletter, I had the good fortune to come across this article yesterday: "Playing war games to prepare for a cyberattack".

We've talked on this blog before about the need for resilience, as in THIS POST from earliest 2012 citing statements on the subject from PJM CEO Terry Boston.

To me, awareness and acknowledgement that you have endured successful attacks, are being attacked or at least scrutinized right now, and will come under increasingly heavy and varied fire in the future, is a key indicator of whether your organization is reality-based ... or not.

If your company is reality-based, and you haven't been running practice breaches yet, now's a good time to start, and the McKinsey piece gives you a framework for getting started.

I won't pull any citations from it, though it's full of goodness. Rather, I'll leave you with this sharp comment from a UK-based reader:
In this still-nascent area of corporate risk and reputational vulnerability, the understanding of precisely who has responsibility for what should the worst happen isn’t good enough. We need new governance structures to provide more robust ownership, and in the interest of all stakeholders (customers, staff, shareholders, suppliers etc), we need a better reporting framework to ensure that public confidence in our most important IT and network-reliant brands is maintained.
Ah yes, the need for better security governance and better structures. Nothing like an actual impactful data or systems breach, or the realistic trial of dealing with one, to show you you're not organized to deal with it the way you'd want to be. 

Practice might not make perfect, but it can only serve to improve your understanding of the challenges, and may give you the fodder you've got to have to drive the changes you need.

Now, where's the suntan lotion?

Tilted Photo credit: ToddonFlickr 

Thursday, February 18, 2010

Cyber Shockwave Post Mortem

When the grid goes down, almost everything goes down. Lessons learned, there are plenty. But first, the Bipartisan Policy Center (BPC)'s own summary of the game:
Cyber ShockWave highlighted the immediate, real dangers of cyber-terrorism by bringing together a bipartisan group of former senior administration and national security officials playing the roles of Cabinet members. The simulation envisioned an attack that unfolds over a single day in July 2011. When the Cabinet convenes to face this crisis, 20 million of the nation's smart phones have already stopped working. The attack, the result of a malware program that had been planted in phones months earlier through a popular "March Madness" basketball bracket application, disrupts mobile service for millions. The attack escalates, shutting down an electronic energy trading platform and crippling the power grid on the Eastern seaboard.
By all accounts I've read, it was chaos from start to finish. An overwhelming trio of info problems faced the surrogate executive decision makers: 1) a lack of quality information, 2) a lack of confidence in the information being received and communicated, and ultimately, 3) information overload ... all of which led to paralysis.

The echoes of 9/11 and, in particular, the control room confusion depicted in the fantastic film version of "Flight 93", are quite strong. If you can't tell who's attacking you or how or why, how can you decide upon the right courses of action in near-real time? The compulsion to action is great in these situations, but absent the most fundamental situational awareness, almost all actions are futile or worse. And by the time you do begin to understand what's going on, it's far too late for meaningful defense. At best, offense and well-informed reprisal are for another day.

Dark Reading's take, which finds the US response wanting, is here. And Dark Reading's CS blog touches on Shockwave as well. Written by the Computer Security Institute's (CSI) director, Robert Richardson, some of his points are definitely worth a look. The first addresses the profound lack of crucial domain knowledge in the crisis room:
The unspoken, unquestioned common assumption on the panel seemed to be that policy about technological infrastructure and the security of that technological infrastructure could be readily decoupled from knowledge of the technology itself. Obviously, policy can't get mired in details. But, on the other hand, digital infrastructure is shaped by how it is implemented and managed--and policy responds to that shaping. So my take is that even at the highest levels, somebody in the room should probably know what he or she is talking about when it comes to, say, how viruses propagate. The Secretary of Defense, somewhere back in time, went through boot camp. Who in the room knows the basics on how packets are routed? Right now, nobody
While there's little cyber security practitioners can do to address some of the initial Shockwave concerns, Richardson finds two gaps we could begin to help close:
... how we improve attribution of attacks to their perpetrators and the question of how easily subverted software is kept off the networks are two areas that the security community can potentially address.
The first is a cyber forensics master challenge, and as to the latter, we're not going to keep software off networks (networks exist to move software and data). But I suggest we can make software much more difficult to subvert, and should be making that a top priority.

And of course, cyber attacks on US and global assets never stop; they only escalate in strength and complexity. Here's the latest reported by the Wall Street Journal.

What's next? CNN will air the event exclusively as "We Were Warned: Cyber Shockwave" on Saturday, February 20 and Sunday, February 21 at 8:00pm, 11:00pm and 2:00am ET each night.

Monday, February 15, 2010

Exercise Notice: Cyber ShockWave will Hit USA on Tuesday

In the continuing and expanding trend of war games looking at cyber threats, this one tomorrow will simulate a major attack on US critical national infrastructure. Here's an excerpt from the press release:
Washington, D.C. - The Bipartisan Policy Center (BPC) announces it will host Cyber ShockWave, a simulated cyber attack on the United States on Tuesday, February 16, 2010. Cyber ShockWave will provide an unprecedented look at how the government would develop a real-time response to a large-scale cyber crisis affecting much of the nation. The event will take place at the Mandarin Oriental Hotel in Washington, D.C. 
The Cyber ShockWave simulation, created by former CIA Director General Michael Hayden and the BPC’s National Security Preparedness Group, led by the co-chairs of the 9/11 Commission, Governor Thomas Kean and Congressman Lee Hamilton, follows the acclaimed series of Oil ShockWave simulations conducted in 2007 by the BPC and Securing America’s Future Energy (SAFE). Oil ShockWave addressed dependence on foreign oil as a national security threat.
Complete press release is here. We'll keep you posted on findings and lessons learned from this exercise as these are made public.