Security By Design- Part 9
Last month I closed my post by saying that in my next series of posts, I will endeavor to explore with you the exploding Global Risk Ecosystem which threatens our businesses today and into the future, and to help you self-assess as you ask your organization the following question:
Do you and your business have the ability to anticipate, prepare for, and adapt to changing conditions to withstand, respond to, and recover from a Cyber Business Disruption?
I will begin this series of posts with a quote from a recent an Opinion article published in the Washington Post on February 14, 2024:
“At this moment, … the United States faces escalating threats posed by China, Russia, Iran, foreign cartels, sophisticated hackers, WMD proliferators, spies, terrorists and more …”. Gen. Paul M. Nakasone
(Article: I was head of the NSA. In a world of threats, this is my biggest worry. By Paul M. Nakasone, February 14, 2024, published in the Washington Post. General Paul M. Nakasone was commander of the U.S Cyber Command, Director of the national Security Agency and chief of the Central Security Service until February 2nd, 2024.)
Gen. Nakasone goes on in his article to speak about what remains his biggest worry concerning these continuing and escalating threats. He worries that we “make ourselves blind to external threats” by not sharing and connecting the dots of knowledge and intelligence we have available to prevent and block attacks. He continues to share his views on how we need to continue to work across and with all aspects of government, technology companies, businesses and suppliers to businesses and government whose services are increasingly being exploited by terrorists and other bad actors.
Your business is under attack every day!
Gen. Nakasone goes on in his article to speak very specifically about the various challenges and aspects of sharing risk and intelligence information across U.S. Intelligence Agencies. His perspectives remind me of the challenges of engaging in risk and threat dialogs within a business as a security officer. You are acutely aware of risks and threats to your business. Yet in the crush of business as usual you may not or do not have the attention of your leadership peers concerning the knowledge and intelligence you possess concerning the risk and threats your business faces.
It has been my experience that my greatest challenge has always been keeping the attention of my peers focused on the things that would harm our business. I am not speaking about the mundane operational tasks and activities of cybersecurity. I am speaking about the real risks –High Impact High Probability risks, the multiplicative effects of Low Impact High Probability risks, and actual unfolding attacks.
Why is this such a challenge? We are bombarded with bad news from all corners of online and traditional news and media every day. With most of the online news being sensationalized for clicks, it is hard for our peers to avoid being influenced into not knowing what to pay attention to or not to pay attention to. So why should they pay attention to you?
Let’s use an example:
February 07, 2024: Cybersecurity & Infrastructure Security Agency Advisory
PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure
Alert Code: AA24-038A
The U.S. authoring agencies have confirmed that Volt Typhoon has compromised the IT environments of multiple critical infrastructure organizations—primarily in Communications, Energy, Transportation Systems, and Water and Wastewater Systems Sectors—in the continental and non-continental United States and its territories, including Guam. Volt Typhoon’s choice of targets and pattern of behavior is not consistent with traditional cyber espionage or intelligence gathering operations, and the U.S. authoring agencies assess with high confidence that Volt Typhoon actors are pre-positioning themselves on IT networks to enable lateral movement to OT assets to disrupt functions. The U.S. authoring agencies are concerned about the potential for these actors to use their network access for disruptive effects in the event of potential geopolitical tensions and/or military conflicts.
This is not fake news! This is real. The implications of this are staggering. China / Volt Typhoon is already pre-positioned inside these critical infrastructure Complex Digital Systems! This is not about defending against an attack. The attack has already happened. You may look at the list of critical infrastructure sectors above and say to yourself that you are not in those business sectors. Rest assured, though, that you will be dramatically impacted by any attack in any of these sectors.
I pray that the organizations penetrated and impacted are taking all appropriate actions to deal with this.
Now to make my closing point today. This amazing CISA Alert was in the major news feeds for one day. It was reported and reposted by many on Linked-In for a second day. I have seen no other posts after that, no continuing dialog, no follow up news articles. Creeping Normality strikes again. We have become so used to hearing about cybersecurity threats, breaches, data loss, etc., that the importance of such risk and threat intelligence is glossed over. This example forces me to ask this question:
Has any senior leadership executive in your organization reached out to ask you about this (CISA Advisory Alert Code: AA24-038A)?
or
Have you reached out to any senior leadership executive in your organization to advise them about the ramification of this (CISA Advisory Alert Code: AA24-038A) to your organization?
I am not in any way suggesting that you need to take any specific action at or within your business because of this CISA Advisory Alert. Only you would know if you should be communicating with your senior leadership about this. In the words of Gen. Nakasone, if you should be in dialog with your senior leadership about this cybersecurity intelligence “failure to do so would be a self-inflicted wound of the highest order.”
Joseph F. Norton is a Risk, Security, and Crisis Management professional.
He is a founding member and Qualified Technology Executive of the Digital Directors Network, Chair of the Advisory Board with Next Era Transformation Group, and Chief Security Officer with APF Technologies.
He has served as Chief Security Officer, SVP at Atos, Chief Technology Officer and Head of Operations, SVP at Philips, Chief Technology Officer, SVP at Novartis, Executive-in-Residence with McKinsey & Company, and Chief Technology Officer at McDonald’s. He has also held professional roles during his career with JPMorgan Bank, Oracle, Sybase and Grumman Aerospace Corporation, and the United States Navy.
DISCLAIMER
Copyright ©2024 by DivIHN Integration Inc. | [email protected].