The advancement of technological innovation has armed attackers to expose cyber vulnerabilities inherent in networks and systems that handle sensitive information. Once believed to be exclusively designed and executed for military purposes, the realm of cyber warfare is fast expanding to include civilian industries. Menacingly, advanced information technology expertise and superior execution skills of cyber reconnaissance rogues are far outpacing policy developments and forging of combined international strategies, if any.
Interestingly, most countries try to project themselves as passive victims, but careful consideration reveals that an increasingly large number of countries are actively targeting opponents’ commercial and security-specific information. While state-sponsored attacks are less frequent, counts of espionage and sabotage from individual groups are on the rise. However, the most sophisticated acts of sabotage are carried out by states directly or via hackers supported by the state.
Security company Symantec has detailed how a sophisticated and multi-stage piece of malware, Regin, has been in use since 2008 as a mass surveillance tool. Believed to be a nation state espionage tool, Regin “has been used in spying operations against governments, infrastructure operators, businesses, researchers, and private individuals.” Loaded with stealth features that are highly complex and work for several years, the malware targets ISPs, Exchange servers, and the commercial and military aviation, hospitality and energy sectors, among many others. “Even when its presence is detected, it is very difficult to ascertain what it is doing.”
Frankly, the consequences of state-sponsored cyber warfare are now gradually going beyond being merely politically painful for the affected country. The sabotage of Sony Pictures Entertainment’s computer infrastructure by hackers calling themselves Guardians of Peace has led to the release of a wave of data files containing thousands of classified emails and sensitive personal information of thousands of past and present Sony employees. Speculated to have been carried out as ‘retaliation’ for the movie The Interview – a lampoon that depicts the assassination of Kim Jong-un, the present North Korean supreme leader – the Sony episode has reignited the old enmity between Pyongyang and the Pentagon.
The White House calls the attack “cybervandalism” and has promised to respond “proportionately”, while it is also viewed as “one of the most destructive cyber attacks on American soil.” The National Defense Commission in North Korea, on the other hand, warned that its 1.2 million-member army is ready to use all types of warfare against the United States, including “the whole US mainland”, for “recklessly” blaming North Korea for the cyber attack – the first instance in which the US has directly implicated another country. After things developed, North Korea experienced Internet and mobile network outages, about which the White House is reluctant to comment, while the reclusive country has blamed the US, accusing its head of acting “like a monkey in a tropical forest.”
Interestingly, while proliferating attacks are bringing newer avenues to the fore, they are also unmasking the weakness of responsible agencies, even with international coordination, in preventing risk events. An investigation shows how “not the Americans, not the Brits, not the Indians” could “put together the whole picture” to prevent the Mumbai mayhem on November 26, 2009, despite having credible clues.
The analysis reveals that “although electronic eavesdropping often yields valuable data, even tantalizing clues can be missed if the technology is not closely monitored, the intelligence gleaned from it is not linked with other information, or analysis does not sift incriminating activity from the ocean of digital data.” A former senior US intelligence official admitted that they “didn’t see it coming” as they “were focused on many other things.”
Failing to foresee a potential threat has been one of the chief factors rendering risk management strategies ineffective, while concentrating on “other things” has often partially defeated the purpose of a holistic risk management approach. A comprehensive cyber security risk management strategy is of vital importance as it enhances operational efficiency, which, in turn, facilitates risk mitigation and ensures rapid response after a risk incident. It also entails accepting that cyber threats cannot be eliminated in their entirety and that, therefore, this type of risk must be managed by building a strong operational risk management framework. This is especially true – as we have seen above – because the boundaries of cyber warfare risk are no longer limited to technology.
Although the common challenges to effective risk assessment apply to cyber warfare risk management, successfully executing a cyber security strategy requires first identifying the information or ‘the areas’ that need to be protected. Sound risk management principles help to overcome the barriers by ensuring that systems, networks, email and all other involved tools are constantly evaluated. Implemented efficiently, proper risk management practices will also help in estimating the effects of a successful cyber breach. Such an estimate will aid in minimizing exposure and assist in rapid response and recovery post disaster.
Businesses and industries need to implement risk management practices to mitigate cyber warfare risks and sustain business continuity in a risk-intensive world, and hope that countries will soon move towards meaningful cooperation to build accountability and the subsequent response.
Risk Management Studio is a risk management toolkit combining information security and technology risk management with business continuity planning in one easy-to-use solution. RM Studio is a turnkey deployment design that will immediately streamline operational risk management for the implementation and maintenance of an effective and efficient ISMS, as well as meet the compliance requirements outlined in management standards such as ISO 27001:2013, NIST 800-53 and PCI DSS.