Preparing for a black swan event: what COVID-19 has taught us about cyber survival

Jeez, I don’t believe anyone saw 2020 coming! The COVID-19 pandemic has made everything go haywire: millions of jobs lost, the global economy teetering, work from home now the norm, and the threat of new lockdowns looming. For those of us in the cyber world, our worries don’t end there!

There are many who tout their 20/20 hindsight, but in reality, few had enough clarity of vision and determination to prepare for this most recent catastrophe. No one can be completely prepared for any unexpected disaster or “black swan”. However, some organizations who took a more proactive posture and made the necessary investments to be as prepared as possible for any unforeseen event, pandemic or otherwise.  These are the entities that will fare much better—and survive—than those in denial about their vulnerability. 

If you research how to become Cyber Secure today, nine out of ten websites, companies, and people will give you the following five steps drawn from the Framework for Improving Critical Infrastructure Cybersecurity Version 1.0, National Institute of Standards and Technology. In general, these are good tactical steps and worth listing here:

Step 1: Identify
Take inventory of key technologies you use and know what information you need to rebuild your infrastructure from scratch. Inventory the key data you use and store and keep track of likely threats.

Step 2: Protect
Assess what protective measures you need to have in place to be as prepared as possible for a cyber incident. Put protective policies in place for technologies, data and users, and ensure that your contracts with cloud and other technology service providers include the same protections. 

Step 3: Detect
Put measures in place to alert you of current or imminent threats to system integrity, or loss or compromise of data. Train your users to identify and speedily report incidents.

Step 4: Respond
Make and practice an Incidence Response Plan to contain an attack or incident and maintain business operations in the short term.

Step 5: Recover
Know what to do to return to normal business operations after an incident. Protect sensitive data and your business reputation over the long term.

What is lacking from this list is critical to true cyber security: a higher form of understanding about the who, what, when, and why an organization might be attacked. Without it, the defense is merely a veneer across the infrastructure.

Let’s consider cyber defense another way, as if we were discussing the defense of a football team. Every player knows that the opposition is going to move the ball downfield. However, if that is all they know, then the most logical thing—their defense—is to put all of the players on the scrimmage line and hope for the best. Imagine if they had insight, an intelligence, into how the opposing team will act; the defense can be adjusted to become much more effective. With each increase education and information, the team will be better prepared to read the opposition and the risk of their scoring is greatly reduced.

The “higher intelligence” beyond cyber security is cyber intelligence. This is the ability to identify potential adversaries and anticipate potential attacks; to develop strategies to defend, deflect and defeat such adversarial attacks. It is not so much technical, but instead employs classic intelligence and counter-intelligence statecraft to reduce the potential for “black swan” events like COVID-19 before they happen. It is like having the best defensive coordinator in the NFL on your team to defeat the other team’s touchdown strategy.

In the pursuit of cyber intelligence nothing beats preparation. Beyond firewalls, standard procedures and hardware, an enterprise needs to acquire cyber intelligence capability in order to prepare in advance for the next major hack, ransomware, malicious crippling, or theft of intellectual property. In other words, your business must have strategies in place before an adversary tries to “black swan” your team.