The New Corporate Mandate: Cyber Preparation
by Dean Lane
There is an adage within the IT world: the main thing is keeping the main thing the main thing. At first glance the sentence may seem nonsensical, but read a second time, the wisdom of the words quickly become applicable to both business and life.
Every innovator, risk-taker, or entrepreneur understands the difficulty in launching a new concept. Confusion or a lack of thorough understanding can cloud a receiving audience’s judgment and perceive the concept as unimportant. Such has been the case with Cyber Security in both the public and private sectors. However, the world is, rather abruptly, waking up to the urgent need to educate future decision-makers in the world of Cyber. All one has to do is scan the headlines and a May 12, 2021, Executive Order from the White House to grasp just how urgent that need has become.
The May 7, 2021, Cyber attack on the Colonial Pipeline is just the latest in the world of Cyber Terror and Cyber Warfare. The Colonial Pipeline's 5,500-mile system delivers about 45% of the fuel for the East Coast, including gasoline and jet fuel, and its ransomware attack on Colonial Pipeline’s corporate network forced management to shut down the system lest it spread to other parts of the pipeline. This then drove fuel shortages and panic amongst east coast businesses and residents and, to date, has been the single greatest infrastructure outage by a cyber attack within the United States.
Ransomware would have been problematic enough, but in an odd turn of events, it appears that an antivirus company discovered a flaw in the attackers’ ransomware earlier this year and publicly offered a free tool that would prevent future attacks from the group. This alerted the attackers to the flaw and, once fixed, allowed them to unleash a slew of ransomware attacks—including the one on Colonial Pipeline—as a thank you.
The Colonial Pipeline attack is far from the only major Cyber attack to happen in recent months. On June 1, 2021, meat producer, JBS USA, suffered a cyberattack on servers supporting its IT systems in North America and Australia. On June 2, 2021, the largest ferry service between Martha’s Vineyard, Nantucket, and Cape Cod, was targeted in a ransomware attack. These all follow the Solar Winds attack, discovered in December 2020, which was in many ways a copy of the NotPetya attack on Ukrainian infrastructure in June 2017. That attack was based on the U.S.-designed Stuxnet attack of the Iranian nuclear development program, discovered in 2010. In another example of a U.S. National Security issue, Iran shot down an American drone on June 20, 2019, and it was decided to retaliate, not kinetically, but with Cyber by shutting down the Iranian air defense network.
These few examples demonstrate a critical need for a business shift allowing Cyber to take the lead in policy and decision-making. Why? Because in many situations, Cyber Terrorism has not been made as much of a priority as it truly needs to be. That this shift has not happened already is mind-boggling as Cyber Security is a top-of-mind subject with all organizations with whom I speak. Top management relies on Chief Information Security Officers (CISOs) and others to report on the status of the organization’s information security they involve themselves in these discussions, they are not committed to making real change. The difference between being involved and committed can best be illustrated by thinking about a breakfast of ham and eggs. The chicken was involved in making the breakfast, but the pig was committed.
Winston Churchill once said, “Generals are always prepared to fight the last war”. Nothing could be more appropriate when discussing Cyber Terrorism and attacks that have occurred. The Colonial Pipeline personnel are now upgrading and preparing to protect themselves from a repeat of the May attack. This clearly needs to be accomplished, but it will not be enough as they are only one of many infrastructures and necessary providers upon whom the world relies. And, it’s important to note, that attackers don’t limit themselves to infrastructure-type companies. This means that all organizations must look at their own vulnerabilities from every possible attack to which they could fall victim. As a shortlist, these should include Cyber attacks such as Malware, Ransomware, Viruses, Worms, Trojan Horses, Bots, and different Phishing attacks.
To remain ahead of the Cybercriminals who are ever-improving both their skills and resources, companies should pursue the following information as “living information” that is continuously and deliberately updated. Below is a list of the information requirements necessary to have continuous Cyber Security:
Who is, or will be, the perpetrator of an attack or crime?
Where was, or will be the point of entry for this attack or crime?
When did, or could, the attack or crime occur?
What was, or will, the perpetrator attempting to accomplish?
Why were, or will, the assets or information be attacked?
How did, or will, the attack or crime occur?
To answer these questions, one must have broad and current knowledge of the global geopolitical landscape and an ongoing awareness of the company’s internal systems and vulnerabilities. It is not sufficient to reach a given maturity level and stay in that position since Cybercriminals are active and planning new attacks twenty-four hours a day.
To survive the Cyber Wars being waged against companies each day, a directional vector on Cyber Security must be mandated from the very top of an organization’s leadership and resources (people and money) must be appropriated. It is my hope that top executives will begin to understand the impact of their commitment and in an absence of that, the impact of Cyber Terrorism.
Dean Lane is Senior Vice President for Cyber Intelligence at The Institute of World Politics. Dean brings a wealth of knowledge to his role at IWP. He has founded his own company, taught courses at Universities in California, was the Chief Information Officer for multiple companies, worked for a Big Four Consulting firm, and spent his time in the military with the Special Forces. Dean has a Bachelor of Arts from UCLA and a Master’s degree in Business Administration from National University. He is the author of three #1 best-selling books related to information technology.