The Information Systems Security - Senayanperpustakaan.fmipa.unpak.ac.id/file/2016 3rd-ed The... · Going beyond Three Blind Men Describing an Elephant: Information Warfare Terms

TheInformationSystemsSecurityOfficer’sGuide

EstablishingandManagingaCyberSecurityProgram

THIRDEDITION

Dr.GeraldL.Kovacich

TableofContents

Coverimage

Titlepage

Copyright

Dedication

AbouttheAuthor

Preface

Acknowledgments

Introduction

SectionI.TheWorkingEnvironmentoftheCyberSecurityOfficerIntroduction

Chapter1.UnderstandingthePastandPresentCyber-InformationWorldEnvironmentAh,theGoodOl’Days!

GlobalInformationInfrastructureNationalInformationInfrastructure

HowDidWeGetfromAdamtotheInternet?ChangingCriminalJusticeSystems

TheHumanFactorSummary

Chapter2.UnderstandingthePastandPresentGlobalBusinessandManagementEnvironment

TheChangingBusinessandGovernmentEnvironments

UnderstandingtheBusinessEnvironmentManagementResponsibilitiesandCommunicatingwithManagementCreatingaCompetitiveAdvantagethroughaCyberSecurityProgram

Service,Support,andaBusinessOrientationBusinessManagersandCybersecurity

WhatCompanyManagersShouldAskofTheirCyberSecurityProfessionalsWhatCyberSecurityProfessionalsShouldDo

QuestionstoConsiderSummary

Chapter3.AnOverviewofRelatedWorldViewsofCyberSecurity

kindle:embed:0006?mime=image/jpg

EvolutionofLaws,Standards,Policies,andProceduresGlobalviatheUN

TheEUAsia

SouthAmericaAfrica

CanadaUnitedStates

Summary

Chapter4.AGlimpseattheHistoryofTechnologyWhatIsTechnology?FromCaveMantoCyberSecurityProfessionalandInformationWarrior

RevolutionsandEvolutionsinHighTechnologyFromtheTwentiethCenturytoToday:TechnologyandtheAdventofHighTechnology

TheInternetTheHigh-Technology-DrivenPhenomenon

FasterandMoreMassiveHigh-Technology-DrivenCommunicationsTheBeneficialEffectofHackerToolsandOtherMaliciousSoftwareonNetworkSecuritywithDualRolesasCyberSecurityTools

OtherHigh-TechnologyToolsinCyberSecurityWelcometotheTwenty-First-CenturyTechnology

Summary

Chapter5.UnderstandingToday’sThreatsintheCyberVapor—“WarStories”fromtheFrontLines

ReportedDigitalBattlefieldAttacksandRelatedStoriesSummary

SectionII.TheDutiesandResponsibilitiesofaCyberSecurityOfficerIntroduction

Chapter6.TheCyberSecurityOfficer’sPosition,Duties,andResponsibilitiesIntroduction

TheCyberSecurityOfficerinaGlobalCorporationCyberSecurityOfficerDutiesandResponsibilities

GoalsandObjectivesLeadershipPosition

Vision,Mission,andQualityStatementsCyberSecurityPrinciples

ProjectandRiskManagementProcesses

CyberSecurityOfficerandOrganizationalResponsibilitiesSummary

Chapter7.TheCyberSecurityProgram’sStrategic,Tactical,andAnnualPlansIntroduction

Corporate’sCyberSecurityStrategicPlanCorporate’sCyberSecurityTacticalPlan

CyberSecurityAnnualPlanQuestionstoConsider

Summary

Chapter8.EstablishingaCyberSecurityProgramandOrganizationIntroductionCorporateCyberSecurityProgram

CyberSecurityOfficerThoughtProcessinEstablishingtheCyberSecurityOrganizationQuestionstoConsider

Summary

Chapter9.DeterminingandEstablishingCyberSecurityFunctionsIntroductionProcesses

ValuingInformationInternationalWidgetCorporation(IWC)CyberSecurityProgramFunctionsProcessDevelopment

CyberSecurityOfficer’sCyberSecurityProgramFunctionsAccessControlandAccessControlSystems

EvaluationofAllHardware,Firmware,andSoftwareRiskManagementProgram

SecurityTestsandEvaluationsProgramNoncomplianceInquiries

ContingencyandEmergencyPlanningandDisasterRecoveryProgramQuestionstoConsider

Summary

Chapter10.EstablishingaMetricsManagementSystemIntroductionMetrics1:CyberSecurityProgramLevelofEffortDrivers—NumberofUsers

ExamplesofOtherMetricsChartsProjectManagementQuestionstoConsider

Summary

Chapter11.AnnualReevaluationandFuturePlansIntroductionOne-YearReview

CyberSecurityProgramStrategic,Tactical,andAnnualPlans

LinkingCyberSecurityProgramAccomplishmentstoCorporateGoalsMetricsAnalysis

PlanningforNextYearQuestionstoConsider

Summary

Chapter12.High-TechnologyCrimesInvestigativeSupportIntroductionDutiesandResponsibilitiesofaCyberSecurityOfficerinDeterringHigh-TechnologyCrimes

AssistingwithComputerForensicsSupportDealingwithLawEnforcement


SectionIII.TheGlobal,Professional,andPersonalChallengesofaCyberSecurityOfficer

Introduction

Chapter13.IntroductiontoGlobalInformationWarfareThePossibilitiesIntroductiontoWarfare

FourGenerationsofWarfareIntroductiontoGlobalInformationWarfare

InformationWarfareWillHitYouinYourPocketbookBusinessIsWar

IWBroadlyEncompassesManyLevelsandFunctionsWhatIWIs…andIsNotBeingPrepared-BadThingsWillHappen

ThePossibleBreakdownsinanInformationEnvironmentGoingbeyondThreeBlindMenDescribinganElephant:InformationWarfareTermsofReference

InformationWarfareIsaPowerfulApproachforAttainingandMaintainingaCompetitiveAdvantageHowtoUseIWtoAchieveGoalsandObjectives

CoherentKnowledge-BasedOperationsNetwork-CentricBusiness

KnowledgeManagementSummary

Note

Chapter14.TheCyberSecurityOfficerandPrivacy,Ethical,andLiabilityIssuesIntroductiontoPrivacyIssuesIntroductiontoEthicsIssues

CodesofEthics

CorporateEthics,StandardsofConduct,BusinessPractices,andCorporateValuesLiabilityIssues


Chapter15.ACareerasaCyberSecurityOfficerIntroduction

TheCyberSecurityOfficer’sCareerDevelopmentProgramEducation

QuestionsSummary

Chapter16.ALookatthePossibleFutureSurvivingintotheFuture

NewOldApproachtoSecurity—DefensiveApproachTheChangingEnvironment

TheNeedforEnlightenedandDedicatedLeadershipGlobalTrends

Offensive–DefensiveCyberAttacksTheFutureoftheInternet

QuestionsSummary

Index

Copyright

Butterworth-HeinemannisanimprintofElsevier

TheBoulevard,LangfordLane,Kidlington,OxfordOX51GB,UK

225WymanStreet,Waltham,MA02451,USA

Copyright©2016,2003,1998ElsevierInc.Allrightsreserved.

Nopartofthispublicationmaybereproducedortransmittedinanyformorbyanymeans,electronicormechanical,includingphotocopying,recording,oranyinformationstorageandretrievalsystem,withoutpermissioninwritingfromthepublisher.Detailsonhowtoseekpermission,furtherinformationaboutthePublisher’spermissionspoliciesandourarrangementswithorganizationssuchastheCopyrightClearanceCenterandtheCopyrightLicensingAgency,canbefoundatourwebsite:www.elsevier.com/permissions.

ThisbookandtheindividualcontributionscontainedinitareprotectedundercopyrightbythePublisher(otherthanasmaybenotedherein).

Notices

Knowledgeandbestpracticeinthisfieldareconstantlychanging.Asnewresearchandexperiencebroadenourunderstanding,changesinresearchmethods,professionalpractices,ormedicaltreatmentmaybecomenecessary.

Practitionersandresearchersmustalwaysrelyontheirownexperienceandknowledgeinevaluatingandusinganyinformation,methods,compounds,orexperimentsdescribedherein.Inusingsuchinformationormethodstheyshouldbemindfuloftheirownsafetyandthesafetyofothers,includingpartiesforwhomtheyhaveaprofessionalresponsibility.

Tothefullestextentofthelaw,neitherthePublishernortheauthors,contributors,oreditors,assumeanyliabilityforanyinjuryand/ordamagetopersonsorpropertyasamatterofproductsliability,negligenceorotherwise,orfromanyuseoroperationofanymethods,products,instructions,orideascontainedinthematerialherein.

ISBN:978-0-12-802190-3

BritishLibraryCataloguinginPublicationData

AcataloguerecordforthisbookisavailablefromtheBritishLibrary

LibraryofCongressCataloging-in-PublicationData

AcatalogrecordforthisbookisavailablefromtheLibraryofCongress

ForinformationonallButterworth-Heinemannpublicationsvisitourwebsiteathttp://store.elsevier.com/

http://www.elsevier.com/permissions

http://store.elsevier.com/

Dedication

Toallthecybersecurityofficersandinformationwarriorsfightingthegoodfightagainstallodds.

AbouttheAuthor

Dr.GeraldL.KovacichgraduatedfromtheUniversityofMarylandwithabachelor’sdegreeinhistoryandpoliticswithemphasisinAsia,theUniversityofNorthernColoradowithamaster’sdegreeinsocialsciencewithemphasisinpublicadministration,GoldenGateUniversitywithamaster’sdegreeintelecommunicationsmanagement,theDODLanguageInstitute(ChineseMandarin),andAugustVollmerUniversitywithadoctoratedegreeincriminology.HewasalsoaCertifiedFraudExaminer,CertifiedProtectionProfessional,andaCertifiedInformationSystemsSecurityProfessional.1

Dr.GeraldL.Kovacichhasmorethan40yearsofexperienceinindustrialsecurity,investigations,informationsystemssecurity,andinformationwarfareasaspecialagentintheU.S.government;atechnologistandmanagerfornumeroustechnology-basedinternationalcorporations;andaninformationsystemssecurityofficer,security,audit,andinvestigationsmanager,andconsultanttoU.S.andforeigngovernmentagenciesandcorporations.Hehasalsodevelopedandmanagedseveralinternationallybased

informationsystemssecurityprogramsforFortune500corporationsandmanagedseveralinformationsystemssecurityorganizations,includingprovidingserviceandsupportfortheirinformationwarfareproductsandservices.

Dr.GeraldL.Kovacichhastaughtbothgraduateandundergraduatecoursesincriminaljustice,technologycrimesinvestigations,andsecurityforLosAngelesCityCollege,DeAnzaCollege,GoldenGateUniversity,andAugustVollmerUniversity.Hehasalsolecturedinternationallyandpresentedworkshopsonthesetopicsfornationalandinternationalconferences,aswellaswritingnumerouspublishedarticlesonhigh-techcrimeinvestigations,informationsystemssecurity,andinformationwarfare,bothnationallyandinternationally.Hehaswrittenmorethan100security-relatedarticlesthathavebeenpublishedinvariousinternationalmagazines.

Dr.GeraldL.KovacichcurrentlyspendshistimeonWhidbeyIsland,Washington.Hecontinuestoconductresearch,write,consult,andlectureinternationallyonsuchtopicsas:

•Globalandnation-stateinformationsystemssecurity;

•Corporateinformationsystemssecurity;

•Corporateandgovernmentfraud;

•Corporatesecurity;

•High-techcrimeinvestigations;

•Informationassurance;

•Proprietaryinformationprotection;

•Espionage–including“Netspionage,”economic,andindustrial;and

•Informationwarfare–offensiveanddefensive.

HeisalsothefounderofShockwaveWriters,aninformalassociationoftrustedcybersecurityandglobalinformationwarfareprofessionals,writers,researchers,andlecturerswhoconcentrateonthesetopics.HecanalsobefoundonLinkedIn.

Dr.GeraldL.Kovacichhasbeguntoexpandhiswritingsintotheworldofpoetryandfiction.Iguessthisiswhathappenswhenone“matures”inageandlongsforwritinggenresotherthanthatofthesecurityrealm.AllhiswritingscanbefoundontheusualWebsites,forexample,amazon.com.

http://amazon.com

OtherBooksAuthoredorCoauthoredbyDrGeraldL.Kovacich1.InformationSystemsSecurityOfficer’sGuide:EstablishingandManaginganInformationProtectionProgram(Elsevier;1998;ISBN:0-7506-9896-9),Kovacich

2.InformationSystemsSecurityOfficer’sGuide:EstablishingandManaginganInformationProtectionProgram(secondedition;Elsevier;2003;ISBN:0-7506-7656-6),Kovacich

3.High-TechnologyCrimeInvestigator’sHandbook:WorkingintheGlobalInformationEnvironment(Elsevier;2000;ISBN:13:978-0-7506-7086-9;10:0-7506-7086-X),Kovacich/Boni

4.High-TechnologyCrimeInvestigator’sHandbook:EstablishingandManagingaHigh-TechnologyCrimePreventionProgram(Elsevier;2006;ISBN:13:978-0-7506-7929-9;10:0-7506-7929-8),Kovacich/Jones

5.TheManager’sHandbookforCorporateSecurity:EstablishingandManagingaSuccessfulAssetsProtectionProgram(Elsevier;2003;ISBN:0-7506-7487-3),Kovacich/Halibozek

6.TheManager’sHandbookforCorporateSecurity:EstablishingandManagingaSuccessfulAssetsProtectionProgram(Instructor’sManual)(Elsevier;2005;ISBN:13:978-0-750-67038-1;10:0-750-67938-7),Kovacich/Halibozek

7.I-WayRobbery:CrimeontheInternet(Elsevier;1999;ISBN:0-7506-7029-0),Kovacich/Boni

8.Netspionage:TheGlobalThreattoInformation(Elsevier;2000;ISBN:0-7506-7257-9),Kovacich/Boni

9.InformationAssurance:SurvivingintheInformationEnvironment(Springer-Verlag;2001;ISBN:1-85233-326-X),Kovacich/Blyth

10.InformationAssurance:SecurityintheInformationEnvironment(secondedition;Springer-Verlag;2006;ISBN:10:1-84628-266-7;13:978-1-84628-266-9),Kovacich/Blyth

11.GlobalInformationWarfare:HowBusinesses,GovernmentsandOthersAchieveGlobalObjectivesandAttainaCompetitiveAdvantage(Auerbach/CRCPress;2002;ISBN:0-8493-1114-4),Kovacich/Jones/Luzwick

12.GlobalInformationWarfare:HowBusinesses,GovernmentsandOthersAchieveGlobalObjectivesandAttainaCompetitiveAdvantage(secondedition;Auerbach/CRCPress;2015;9781498703253),Kovacich/Jones

13.TheCorporateSecurityProfessional’sHandbookonTerrorism(Elsevier;2008;ISBN:

978-0-7506-8257-2),Kovacich/Halibozek

14.MergersandAcquisitionsSecurity:CorporateRestructuringandSecurityManagement(Elsevier;2005;ISBN:0-7506-7805-4),Kovacich/Halibozek

15.FightingFraud:HowtoEstablishandManageanAnti-FraudProgram(Elsevier;2008;ISBN:978-0-12-370868-7),Kovacich

16.PoemsofLife:ThoughtsofHumanExperiences(AuthorHouse;2012;ISBN:978-1-4772-9634-9;978-1-4772-9633-2;978-1-4772-9632-5),Kovacich

17.I-WayRobbery:CrimeontheInternet(2000;JapaneseTranslation;http://www.horei.com;ISBN:4-89346-698-4),Kovacich/Boni

18.High-TechnologyCrimeInvestigation(2009;ChineseTranslation;http://www.sciencep.com),Kovacich/Jones

19.FightingFraud(2010;RussianTranslation;Ernst&Young;ISBN:978-5-903271-31-30),Kovacich

20.TheCorporateSecurityProfessional’sHandbookonTerrorism:ProtectYourEmployeesandOtherAssetsagainstActsofTerrorism(Elsevier;2007;ISBN978-0-7506-8257-2),JonesA,KovacichG,HalibozekE.

1Nowretiredfromallthree.

http://www.horei.com/

http://www.sciencep.com/

Preface

Thepurposeofthisbookistoprovideinformationsystemssecurityofficers—todayoftencalledcybersecurityofficers,professors,students,othersecurityprofessionals,informationwarfarespecialists,relatedmanagers,auditors,andgeneralmanagementanawarenessandbasicapproachtoestablishingandmanagingwhathadbeenknownasaninformationsystemsprotectionprogram,butisnowcommonlycalleda“cybersecurity”program,foragovernmentagencyorinternationalornationalcorporation.Itcanalsobeusedbyanygroupwantingtoprotectitsnetworksandinformation.Itreportedlyhasbeen,andcanalwaysbe,usedasatextbookbyuniversityprofessorstoteachabasiccourseonthisandrelatedtopics,aswellasrecommendedreadingforrelatedcourses.

Itprovides,Ihope,aneasy-to-read,understandableimplementationplanforestablishingabasis—afoundation—foracybersecurityprogram,especiallyforthosewhohavelittleornoknowledgeonthetopicorhowtoproceed.Italsoprovidesinformationthatcanbeusedbyintermediateandadvancedprofessionals,students,andothertypesofprofessionalsinthisandrelatedtopicsofbusinesssecurityandinformationwarfare,forexample,defensivemeasures.

Therearemanybooksonthemarketrelatedtocomputersecurity,informationsystemsprotection,cybersecurity,andthelike;however,thisisoneofthefirstandbestapproachingthetopicinthemannerthatitdoesandisnowconsidereda“classic”sincefirstpublishedin1998.Ifnot,therewouldn’thavebeenasecondandnowathirdedition.

Thisbookhasbeenupdatedwheredeemedappropriateandnewchaptershavebeenadded,withlittleornomajorchangeinformat,aswhymesswithawell-selling,popular“classic”?

Justsothereisnomisunderstanding,thisabasicbookonbuildingacybersecurityprogramandaprimeronbeingacybersecurityofficer.Thereismuchinthiseditionthatisastruetodayasitwasinthefirsteditionbackin1998.Therefore,thebasicsofitallarestillthesame,withnewstuffaddedtokeepthis“classic”uptodate.

Thisthirdedition,aswiththepasttwoeditions,willprovidethereaderwiththeinformationtohelpmeetthetwenty-firstcenturycybersecurityandrelatedmanagementchallenges.

Keywords,asaminimum,thatthereadershouldknoware:

1.Security

2.Cybersecurity

3.Cybersecurityofficer

4.Computersecurity

5.Informationsystemssecurity

6.Informationwarfare

7.Auditing

8.Managingassetsprotection

9.Managinginformationsystemsorganization

10.Managingcomputersecurityorganization

11.Assetssecurity

12.Audittrails

13.Informationprotection

14.Privacy

15.Malware

16.Hacker

17.Phishing

Aswithanybook,sometimesthereadersarecritical.That’sfine.Varietyisthespiceoflife,astheysay,andeveryoneisentitledtotheirownopinion.Ifonecansitdownanddiscusscybersecurityandcybersecurityofficers’responsibilitieswiththecriticsitwouldbegreattoshareinformation.Afterall,theymayhaveimportantpointsthatcouldbeconsideredwhenupdatingthebook.However,thatisusuallynotpossible.

So,withallthatsaid,letmestatefortherecordwhatthisbookisnot:

•Itisnotabookthatisthe“endallandbeall”ofacybersecurityofficer’sfunctions,duties,andresponsibilities.Therapidchangesincyberenvironments,hightechnology,etc.,makesuchabookimpossibletoremaincurrent.

Note:Inthisenvironment,bewareofanyoneconsideringthemselves“experts.”I,forone,confessIhaveneverconsideredmyselfone(althoughworkinginthefieldsince1980)andcorrectanyonewhointroducesmeassuch.NorwillIeverconsidermyselftobeone.Toomuchtoknowandallrapidlychanging.

•Itisnotatechnicalbookanddoesnotpurporttobe—itwillnottellyouhowtoinstallafirewall,forexample.Therationaleisthattherearemanygoodbooksonthemarketthatcoverspecificaspectsofcybersecurity,narrowlyfocusedandtechnical.Itisexpectedthatthecybersecurityofficerwillreadandunderstandthesebooksasneededbasedonspecificcybersecurityneeds.

Inshort,thisbook’sgoalistoprovideabasicoverviewofthecybersecurityofficer’sworld,duties,responsibilities,andchallengesinthetwenty-firstcentury.Itisaprimer.Itisalsoaboutthecybersecurityofficerwhomustestablishandmanageacybersecurityprogramforaninternationalcorporation,althoughallofthematerialisapplicableto

variousworkenvironments,suchasgovernmentagenciesorcharitableorganizations.

Thisisthethirdeditionofthisbookandhasbeenupdatedwhereappropriate,andwherethebaselinestillfitsthecurrentenvironment,ithasonlybeen“tweaked,”aswhathasbeenprovidedfromthebeginningisstillvalidtoday.ThisisprimarilyrelevanttoSectionII,whichistheheartofthebook,andtheestablishmentandmanagementofacybersecurity(formerlyknownasInfoSec)program.Whatwaswritteninthefirstandsecondeditionisstillvalidinthisthirdedition.Therefore,ithasbeenmodified,butthebasicsofwhatiscoveredhavenotchanged.Whathaschangedistheenvironmentoftheworldofthecybersecurityofficer.Therefore,thatwasthefocusofthechangesinthisthirdedition.

ItwaswrittenbecauseovertheyearsmanyassociatesandIhadtoestablishandmanagesuchorganizationsandfoundnoprimertoguideus.So,overthemanyyearsthatIhavebeeninvolvedinvariousaspectsofsecurity,eventuallyfocusingoncybersecurity—anditsrelatedfunctionssinceabout1980—IthinkIhavedevelopedabasicapproachthathasbeensuccessful.Otherswhohavereadthisbook,whohavelistenedtomylecturesbasedonwhatbecamethisbook,andwhomIhavementoredovertheyearshaveagreedwithme.ItalsosuccessfullyworkedformewhenIhadtoestablishabasicprogramforacorporationorgovernmentagency,fromaerospacetoWallStreettothePentagon,aswellasbeingaconsultant.

So,ifyouareacybersecurity“techie,”“engineer,”orthelikeandlookingfortheHolyGrailofinformationassetsprotectionorcybersecurity,thatisnotwhatthisbookisabout.However,ifyouwantacybersecurityofficercareer,wanttoknowwhatthecybersecurityofficer’sprofessionisallabout—especiallyfromamanagementperspective—andwanttobeabletobuildafoundationforasuccessfulcybersecurityprogramandorganization,thenyes,thisbookisforyou.

Thisbookwasalsowrittenfornon-cybersecurityprofessionalsinmanagementpositionswhoareresponsibleoverallforagovernmentagencyorbusinessandthereforeitsassetsprotection–cybersecurityprogram.Theseprofessionalsshouldalsoknowwhatthecybersecurityprofessionisallaboutandthebasicsofinformation-relatedcomputersandnetworksprocessing,transmitting,andstoringinformation,data,knowledge,orwhatevertermsuitsthem.Why?Becausetheymanageabusiness,andtodayasuccessfulbusinessmustincludeacybersecurityprogramifitistoavoiddisasters,sincetechnology,forexample,networkedcomputers,isanintegralpartofabusinessthesedays.

Thisbookcanalsobeusedasatextbookor“recommendedreading”foruniversitycoursesrelatedtogeneralsecurity,assetsprotection,cybersecurity,informationsystemssecurity,orinformationwarfare(althoughmycoauthoredbookonGlobalInformationWarfare,firstandsecondeditions,maybetterservethereader’spurpose).

Ihopeyouenjoyit.Afterreadingit,pleasedropmeane-mailthroughmypublisherandletmeknow:

•Anyquestionsyoumayhave;

•Whatyoulikedaboutit;

•Moreimportantly,whatyoudidn’tlike;

•Whyyoulikedordislikedit;

•Whatideaspresentedweremostimportanttoyou;

•Yourimplementationofsomeoftheideaspresented,andyourresult;and

•WhatIshouldincludeorcoverdifferentlyinafourthedition.

Afterall,Iwantyoutobeabletousethisbookintherealworldofglobalinformationsharing,cyberwarfare,andcybersecuritybattles.Allfeedbackiswelcome.

Thanks!

Jerry

Dr.GeraldL.Kovacich,ShockwaveWriter

WhidbeyIsland,Washington,USA

Acknowledgments

Writingabookisonlypartofbringingabooktoyou,thereader.Aswithanybookprojectofthismagnitude,tocarryoutaprojectsuchasthis,ittakesmorethanjusttheauthor.Ittakesfriends,professionalassociates,andotherswhounselfishlygiveoftheirtimeandefforttohelpmaketheauthor’swritinglifeeasierandhisorherbooksworthpublishing.

Iamalsoverygratefultoaspecialgroupwhoovertheyearshavesupported,encouraged,andassistedmetimeandagainwithsuchprojectsasthis,includingthefollowingfriends,associates,andcolleagues:

•MotomuAkashi,mymentorandagreatsage;restinpeacemydearfriend.

•EdHalibozek,securityprofessional,professor,writerandconsultant,formerfellowaerospacecolleague,andlongtimefriend.

•Dr.AndyJones,cybersecurityandInfoWarprofessional,professor,writerandconsultant,andalsoagreatfriend.

•WilliamBoni,vicepresidentandcorporatesecurityinformationofficer,T-MobileCorporate,afriendforalmostlongerthantheInternethasbeenaround.

•WinnSchwartau,TheSecurityAwarenessCompany,agoodfriend.

•SteveLutz,CEO,WaySecure,fellowprofessionalandlongtimefriend.

•TothestaffandISSO-3projectteamofElsevierButterworth–Heinemann,ledbyTomStoverandincludingHilaryCarrandMohanapriyanRajendranthanksforthetime,effort,andsupportinmakingISSO-3,andmyotherBHbooks,arealityandsuccess.Withoutyoursupportandguidancethisbooktrulycouldnothavebeenwritten.

Introduction

Muchhashappenedandyet,littlehaschanged!1

Therearemanydebatesastowheretheinformationandinformationsystemssecurity(InfoSec),nowgenerallyreferredtoascybersecurity,andtheinformationsystemssecurityofficer(ISSO),nowcommonlyreferredtoasthecybersecurityofficer,positionfitinacompanyorgovernmententity.Somebelievetheybelongintheinformationtechnology(IT)department,otherssaytheybelonginthesecuritydepartment.Othersbelievethepositionshouldreporttothecorporateexecutiveofficer(CEO),corporateinformationofficer(CIO),orsomelevelofexecutivemanagementotherthanthetwomentioned.

TheITpeoplemaywantcontrolofthecybersecurityfunctionsothattheycanensurethatitdoesnothampertheirITfunctions—inotherwords,diluteitsauthority—andovertheyearshavebeensuccessful,andweallknowhowwellthathasbeenworking.

Acorporatesecuritymanagermaywantthefunctiontobesurethesevaluableassets,likeotherassetswhoseprotectionistheresponsibilityofthesecuritydepartment,areproperlyprotected.

Someofmyfriendsandfellowcybersecurityandbusiness/governmentsecurityprofessionals,withdifferentbackgroundsandcybersecurityresponsibilitiesoverthemanyyearstheyhavebeeninthebusiness,sharetheirviewsoncybersecurityandthecybersecurityprofession,environment,andfunctions.Theyare:

•EdHalibozek,securityprofessional,professor,writer,andconsultant;

•Dr.AndyJones,cybersecurityandInfoWarprofessional,professor,writer,andconsultant;

•WilliamC.Boni,VicePresidentandCorporateSecurityInformationOfficer,T-MobileCorporate;

•SteveLutz,CEO,WaySecure,fellowprofessionalandlong-timefriend.

WhatOtherCyberSecurityProfessionalsHavetoSayWilliamC.BoniInformationsecurityisoneofthefastestgrowingprofessionsatthistime.ThecombinationoftheterroristattacksofSeptember11,2001,andtheincreasinglycriticalroleofinformationsystemsandtechnologyinglobalbusinesshavecontributedtothatincrease.Asthisbookwasbeingwritten,theInternetwassubjectedtoanattackagainstthecoreinfrastructure,terroristsandnation-statesarereportedtobehoningtheirskillsforfuturecyberattacks,andcriminalsaresiphoningoffprofitsfromelectroniccommercesystemsaroundtheglobe.Therehasneverbeenagreaterneednorgreaterappreciationoftheneedforcapable,skilledinformationsecurityprofessionalstoguardthefrontiersofbusinessesandnations.

Yet,astheimportanceofinformationsecurityhasincreased,thefieldhasbecomecrowdedwith“instantexperts.”Manyofthosewhonowcallthemselves“experts”owetheircurrentnotorietytosomespecifictechnicalskillortoshortperiodsoftimeinconsultingorvendororganizations.Mostwhopublishbooksandarticlesoninformationsecurityhaveneverbeenaccountableforprotectingmajororganizationsagainstthedizzyingarrayofrisksnordealtwiththeharshrealitiesofdoingsointhecontextofcorporatecultures,politics,andthegrindofdailyoperations.

Incontrast,youholdinyourhandsabookcontainingthedistilledwisdomof40 yearsofpracticalexperiencefromoneoftheoriginalleadersininformationsecurity.Dr.GeraldL.Kovacich,“Jerry”tohismanyfriendsandadmirers,hasspentalifetimedevelopingandperfectingthematerialsthatarethecorecontentofthisbook.Theoriginalhasheldupovertheyearspreciselybecauseitis“technologyindependent.”Theassumptionisthatthereaderhaseitherattainedalreadyorcanobtain,fromotherbooks,courses,andseminars,thetechnicalskillstoworkintheinformationsecurityfield.

Therefore,ifyouarelookingfortechnicalsolutionstothecurrentorlatestsetofacronymchallenges,thenthisisnotthebookyouwanttobuy.However,ifyouareaninformationsecurityprofessionalseekingtounderstandwhatittakestobesuccessfulasamanagerandtobecomealeaderinyourorganizationandultimatelyintheprofession,thenyouhavetherightbook.

Studentsconsideringtheircareeroptions,aswellasprofessionalsinotherbutrelatedfieldssuchasIT,physicalsecurity,orITaudit,willalsofindtheinformationpresentedsoartfullybyDr.GeraldL.Kovacichtobeofgreatvalue.Readersfromallthesebackgroundswillfindthisbookexpandstheirknowledgeofthemanyactivitiesinvolvedinestablishingandsustaininganorganization’sinformationsecurityprogram.

Thisupdatedandexpandededitionbuildsuponthecontentthatmadetheoriginalvolumeoneofthebest-sellingsecuritybookseverpublished.WhattheGuidedoesthatisdifferent,perhapsuniqueintheinformationsecurityfield,iscoach,mentor,andtutorthe

readerinthevariousmanagerialandoperationalskillsthatwillensureamoresuccessfulandultimatelymoresatisfyingcareer.

FrommypersonalexperienceIcantestifytothepracticalwisdomthatiscapturedinthesepages.IoweasignificantpartofmyprofessionalsuccessandachievementtoactuallyapplyingmanyofthemethodsandtechniquesdescribedintheoriginalGuide.OverthepastsixyearsIhaverecommendedthepreviouseditiontocountlessaspiringinformationsecurityprofessionals,andnotewithsatisfactionthatmanyfoundthecontenttobekeytotheirsuccessfulparticipationintherapidlyburgeoninginformationsecurityprofession.

Understandthatakeenappreciationandlifelongcommitmenttoinformationtechnologywillberequiredforsuccessasaninformationsecuritypractitioner.However,muchasthatbackgroundisnecessary,italoneisnotsufficientforprofessionalsuccessandpersonalsatisfaction.Thosewhoaspiretoleadershipandseektobecomethemanagers,directors,andvicepresidentsofinformationsecurityinthefuturewillenjoyandlearnmuchintheGuidethatwillsupporttheirsuccess.Ibelievetheywillfind,asIhave,thatDr.GeraldL.Kovacichhasprovidedthemwithknowledgethatbetterpreparesthemforthechallengesofmanagingtheseimportantresponsibilities.

EdHalibozekMakenomistakeaboutit.Informationsecurityiscriticaltothesuccessofabusiness.Whethertheenterpriseisforprofitornotforprofit,protectinginformationisanessentialpartofmanaginginformationandinformationsystems.Moderncompanies,corporations,andgovernments,fortheirsuccessandsurvival,aredependentuponinformation:informationthatiscreated,processed,stored,andshared.Yettheactofcreating,processing,storing,andsharinginformationmakesthatsameinformationvulnerabletoloss,manipulation,theft,ordestruction.

Whetherinformationconcernsanewproductortechnology,aproprietaryprocess,abusinessplan,acustomerordonorlist,ormilitaryoperations,informationhasvaluetoitsowner.Thatsameinformationmayalsohavevaluetocompetitors,criminals,orenemies.Somewilltakeboldmeasurestoobtaininformation.Otherswillrelyonthefailureoforganizationstoadequatelyprotecttheirownsensitiveandproprietaryinformation,makingiteasyforunauthorizedcollectionanduse.Afewwillseektoobtaininformationanywaythattheycan,usinglegitimateorillegitimatemeans.

Theveryinformationthatcontributestotheviabilityandsuccessofanenterprise,ifunprotectedandfoundinthepossessionofcompetitorsorenemies,maycausethelossofacompetitiveedgeortheembarrassmentofexposureor,intheeventofmilitaryoperations,mayplacewarfightersin“harm’sway.”Thus,protectingtheavailability,confidentiality,andintegrityofinformationisanessentialtask.

Inthisbook,Dr.GeraldL.Kovacichaddressesthequestion,“IsthepositionofanISSOnecessary?”Bluntly,unlessyourgoalisfailure,theanswerisclearly“Yes.”Protectinginformationisnotaneasytask.Somuchinformationresidesonsophisticatedand

complicatedinformationsystemslinkedinlocalandwideareanetworks.Toeffectivelyandefficientlyprotectinformationandinformationsystemsrequirestheskillsanddedicationofasecurityprofessional:anISSO.

TheISSOmustbeskilledinthedisciplinesofmanagement,security,andinformationsystems;mustbecapableofconvincingothersoftheneedtoprotectinformation;andmustunderstandthatprotectinginformationismoreaboutriskmanagementthanitisaboutriskavoidance.TheISSOneedstounderstandhowinformationisusedinthecontextoftheworldandbusinessenvironmentinwhichweoperate.Thisincludesunderstandingthreatsandwheretheycomefrom,suchascompetitors,detractors,enemies,opportunists,and“badguys.”

AskilledISSOisessentialtoanyenterprise.However,anISSOisnottheonlyanswerorsolution.UnderstandthattheISSOisnotanübermensch.TheISSOalonecannotdoeverythingthatneedstobedonetoprotectinformation.TheISSOmustbecapableofbringingtogetherdiversepersonswithdivergentinterestsinanefforttodevelopaprotectionprofilefortheenterprise.Inthisbook,Dr.GeraldL.Kovacichprovidesthearchitecturetodojustthat.Heprovidesaframeworkforestablishinganeffectiveinformationprotectionprogram.

RegardingthedebateastowhereanISSOshouldreportintheorganizationhierarchy…stop!Nowisnotthetimefordebate.Nowisthetimetoact.Informationsecurityisseriousbusiness.Theprotectionofinformationisjustasseriousasthemanagementofinformation.Intoday’sorganizationsmostcompanyinformationisprocessed,stored,displayed,andtransmittedonandoverinformationsystems.CIOsareskilledexecutivesemployedtoensurethatinformationsystemsareeffectivelymanaged,meetingtheneedsoftheenterpriseandmakinginformationavailabletoallusers.Protectingthisinformationanditsavailability,integrity,andconfidentialityisjustasimportant.Askilledexecutiveisneededtoaccomplishthis—acorporatesecurityofficer(CSO).TheCSOissomeoneknowledgeableinmattersofsecurity,informationprotection,informationsystems,andbusinessmanagement.TheCSOshouldbeindependentoftheCIOandreportdirectlytotheCEOorcorporateoperationsofficer.SeparatingtheCIOfunctionfromtheCSOfunctionisimportant,astheneedtoprotectinformationisofteninconflictwiththeneedtoshareanddisseminateinformation.TheISSOshouldeitherreporttotheCSOorbetheCSO.

Let’sendthediscussionontheneedforinformationprotectionandtheneedforanISSO.OnewouldhavetobearesidentofPlato’scavetonotrealizethatinformationiscriticaltoabusinessandrequiresprotection.Let’sshiftourfocustounderstandingjustwhatrequiresprotection,howitshouldbeprotected,andfromwhom.UsingthisbookbyDr.GeraldL.Kovacichisaverygoodbeginning.

Dr.AndyJonesTheroleoftheISSOhasneverbeenofgreaterimportancethanintheenvironmentinwhichwecurrentlyfindourselvesandwhichweanticipateforthefuture.

Asorganizationsandcompaniescontinuetobecomemoredependentoninformationsystemsandconnecttoaneverwidergroupofpartnersthattheyhavetorelyonand“trust,”theprobabilitythattheywillencounterproblemsincreasesonanalmostdailybasis.Inadditiontothisincreasingrelianceonsystemsthatareincreasinglyinterconnected,itisnowanunfortunaterealitythatthosepeoplewhowouldseektodousharmincreasinglyhavetheknowledgeandcapabilitytodoso.

Foranumberofyears,thegovernmentsofanumberofcountrieshavebeenawarethattherearesomeindustriesandsystemsthatareessentialtothewell-beingandmaintenanceofnormallifewithinacountry.Thesemayincludepowerproduction,telecommunications,watersupply,fooddistribution,bankingandthefinancialsector,andawholerangeofotherindustriesandhave,together,beentaggedthecriticalnationalinfrastructure.ItisunfortunatefortheISSOsoftheseindustriesthatinadditiontoalloftheotherrisksthattheymustdealwith,theynowhavetobeconcernedthattheywillbeatargetofattackbyterroristsandotherswhowishtoaffectnottheirorganization,butthegovernment.Thismakeslifeawholelotmoredifficultinanumberofways.

SomeorganizationsarestartingtobetterappreciatetheimplicationsofthesedevelopmentsandarerecognizingthattheroleoftheISSOisnotonlyincreasinglyimportant,butalsoincreasinglydifficult.Unfortunately,othershavenottakenthesituationonboardforanoftenrepeated,endlesssetofreasonsthathavecausedthemtoignoreitinthepast.Theseincludealackofunderstandingoftheunderlyingproblems,alackofskilltoaddressthem,insufficientresources,the“itwon’thappentome”attitude,alackofeducationandtraining,andalackofdirectionfromgovernment.

Thelastofthesehaschangedsignificantlyintherecentpast,andthereisnowawillbythegovernmentsofmostdevelopedcountriestoimprovethesecurityofinformationsystems.ThisisparticularlytrueoftheUnitedStates,andhugeinvestmenthasbeenmadein“Homelanddefense,”withanapparentlygenuinedrivebygovernmenttomakeinformation-dependentcountriesasafeplacetoliveandtrade.

OneofthemajorproblemsthatanorganizationfacesinrecognizingtheneedforanISSOisbasedontheundeniabletruththatinmostcases,securityisacostlydrainonresources,inbothfinancialandstaffterms,thatdeliversnotangiblereturnontheinvestment.Ifyouareamemberoftheboardofacompanyandhavetomakethechoicebetweeninvestinginanewplantthatwillreduceproductioncostsandimproveprofitabilityandinvestingininformationsecurity,whichislikelytogetyourvote?Thisisoftenthedecisionthatmustbemade,especiallywhentheargumentfor“spendoninformationsecurity”isbasedlargelyontheintangibleandtheunprovable.Howdoyouprovethatyouarelikelytobeattackedorhavesecurityproblems,whentheevidencefrompastexperienceisthatithasnotbeenaproblembefore?Howdoesthepersonpresentingtheargumentfortheinformationsecurityinvestmentconvinceagroupofpeoplewhohaveprobablyneversufferedtheconsequencesofaninformationsecuritybreachthatthisisgoodvalueformoney?Ifthemembersofthecorporateboardhavebeeninvolvedinapreviousbreachofinformationsecurity,theinvestmentargumentwillbereceivedinaverydifferentmannerandbypeoplewhounderstandthevalueofit.

WhatisdifferentaboutanISSOfromothertypesofsecurityofficers?Well,theshortansweristhattheISSOisahybridthatdidnotneedtoexistinthepast.Securityofficershavetraditionallygainedtheirexperienceinthemilitaryoringovernmentorpublicservice(policeorthree-letteragencies)andtheycantellyouallaboutprotectingtangible“things,”whethertheyareobjectsorpeople.Theyarenormallyverygoodatitandthemethods,tools,andtechniquesthattheyusehaveallbeentestedandrefinedoveralongperiodoftime.

Becausethesecurityofinformationsystemscannotandmustnotbetreatedinisolation,theISSOneedstohaveallofthisknowledgeandthen,inaddition,needstobeabletounderstandinformationsystemsandcomputersandtheimplicationsoftheiruse.Inthisarea,thereisnocollectivepoolofknowledgethathasbeengainedovercenturiesbyalargegroupofpeople.Informationsystemsare,inhistoricalterms,veryyoung,andtheirmaturityhastakenthemthroughsomanyevolutionsinsuchashorttimethatthereareveryfewcomputerprofessionals,letalonesecurityspecialists,whoareabletokeeppacewiththechangesandthediversitythathaveoccurred.SotheISSOneedstohaveawealthofknowledgeandexperienceinsecurityandininformationtechnologiesandhastobeabletodevelop,implement,andmanagepoliciesthatwillprotecttheinformationresourcesoftheorganizationinadynamicenvironment.

Acomplicationnowarises.Wherepeoplewillcomplainaboutphysicalsecurityandwillsubvertitifitbecomestooinconvenientandcomplainaboutthedelaysthatthecheckingofpassesandlockeddoorswillcause,whenyouapplysecuritytotheinformationenvironment,awholenewsetofproblemsisexposed.

Theusersofinformationsystemshavebeenexposedtoandsufferedfromyearsofbadlyconceivedandimplementedinformationsecuritythathascausedinconvenienceandpreventedthemfromgettingonwiththeirjob.Itisasadcommentthat,inthefieldofinformationsecurity,theuserofthesystemhasoftenhadmoreknowledgeoftheinformationtechnologythanhasthe“securityexpert.”

Thebrightsideofthesituationisthatthingsareimproving—the“informationsecurityexperts”withinorganizationsaregainingexperienceandthetechnologiesthatcanhelpthemtoprovidecoherentsecurityforsystemsarebecomingavailable.Thewholeissueofthreatandriskassessmentisgainingcredibilityasmethodsaredevelopedthatgivetraceableroutestosupportthedecisionsthataremade.

Intheglobalcontext,whilethingsproceedataveryslowpace,thereareatleastdiscussionsonwaystoharmonizethelawsindifferentcountriesandgroupsofcountriesandtheexchangeofinformationbetweenthosewhoneedittomaintainsecurity.

Itiseasyforinformationsecurityofficerstobecomeveryinsularandtolookattheproblemsthattheyarefacingintermsofonlytheirorganization—afterall,thesearebusy,overworkedpeoplewhoarestrugglingjusttokeeppacewitheventsanddevelopments.Thisisahugemistakeandcanleadonlytodisasterinthelongterm.Wecannolonger,forthemostpart,“conductourbusinessinisolation.”Theorganizationsthatweworkinhaveanever-increasingneedtocommunicateandtointerconnectwithothersystemsandorganizationsandindoingso,wehavetobeawareoftheproblemsthatsuchconnections

exposeusto.

Learningfromthebestpracticethathasbeendevelopedinotherorganizationsprovidestwobenefits:Thefirstisthatitallowstheknowledgeofmanytobeappliedtotheproblemofone;andthesecondisthatitisonestepdownthelinetowardcommonstandardsandpractices,whichengendersconfidenceinothersthatthesecuritythatisbeingappliedtoyoursystemsisofanacceptablestandard(theycanunderstandwhatyouhavedonetomakeyoursystemssecureandwhyyouhavedoneit!).

Whenthelargerpictureisexamined,theresponsibilitythatisplacedonaninformationsecurityofficerisimmense.TheISSOhasaresponsibilityandadutytotheorganizationthattheISSOworksfor,butalsohasresponsibilitytopartnerorganizationsandothersthatmayrelyontheproductoftheorganization.Anexampleofthismightbeapowercompany,inwhichtheeffectofasecuritybreachmightbethelossofavailabilityoftheirsystems.Unfortunately,thepowersupplycompanyisnetworkedtoanumberofotherpowersupplierstofacilitatethebalancingofpowerproductiontomeetthecustomerneeds.Ifoneisaffected,itmayprovetobetheweaklinkinthechainandallowtheattackertogainaccesstootherpowersuppliers.Thereisalsotheissueofthecustomers—whatimpactwillthelossofpowersupplyhaveontheirbusinesses?Inturn,willithaveaneffectontheircustomers?

FromtheISSO’spointofview,lifecanonlygetworse.Insomecountries,lawsarebeingintroducedthatplacealegalobligationonorganizationsandtheiremployeestotakewhatisreferredtoas“reasonable”(orinsomecases“appropriate”)careofinformationthattheyhaveintheirpossessionandalsototake“effectivemeasures”toprotectthebusiness,sometimesreferredtoas“duediligence.”

HowcanISSOscopewithdoingthejobofdeveloping,implementing,andmanagingthesecurityoftheinformationwhileatthesametimemakingsurethattheyunderstandthecurrentrisksandthreatstotheirorganizationandthecurrenttechnologiesandtechniquesandthelawsandbestpracticeandstandards?Well,nooneeversaiditwouldbeeasy…

Goneforeverarethegoodolddayswhenwecouldoperatewithanislandmentalityandrelyontheperimetersecurityofourorganizationtoprovidethefirstandmainlineofdefense.Thesecurityperimeterisnowalmostmeaninglesswithregardtoourinformation,althoughitstillhassomebenefitsfortheprotectionofphysicalassets.Nowtheroutesintoourorganizationareasmuchaboutthewiresandfibersastheyareabouttheroadsandsidewalks.Wecanmonitorphysicalaccesstoourenvironmentwithavarietyoftechnologies(CCTV,accesscontrol,passentrysystems)andwecanalso,fairlyeffectively,monitorwhatourstaffisdoingonourinformationsystems(aslongaswehavethemonitoringsystemsturnedonandarewatchingthem).Wecanputoursecuritybarriersupontheinformationsystems(firewalls),butunlesswedeploymethodsandtoolstoallowustoseewhatactivityistakingplaceinourenvironmentthroughsystemssuchasintruderdetectionsystems,wecannotseewhatishappeningintheareaaroundour“virtualoffice.”Thenearestequivalentwouldbehavingtheexternaldoorslocked,butnothavinganywindowsorcamerastoletyouseewhatishappeningonthesidewalkoutside

thedoor(apotentiallydangeroussituationforwhenthedoorisopened,giventhatourdooronaninformationsystemopensontoasidewalkanywhereintheworld).

Itisalsoreasonabletosupposethat,aftertheWorldTradeCenterattacks,thereisincreasedconsciousnessoftheimpactthataterroristattackcanhave.Itisasadfactthatinadditiontothelivesthatwerelostasaresultoftheoutrage,anumberoforganizationsthatcouldandshouldhavesurvivedtheincidentdidnot,astheycouldnotreinstatetheirbusinesswithinthenecessaryperiodoftime.Whowasresponsiblefortheirdemise?Youcouldarguethatitwastheterrorists,buttherealityisthatitwasactuallytheirownlackofforesightandresilienceand,insomecases,justplainbadluck.Iftheorganizationshadallcarriedoutriskassessmentsfortheirbusinessesintheenvironmentinwhichtheywereoperating,morewouldhavetakenstepstoensurethattheyhadtakenactiononveryoldadvice—havebackupsandstoretheminasafeplaceinanotherlocation,havecontingencyplansandpracticethem.AstheISSO,partofthisisyourresponsibility—howareyougoingtoensurethatyourinformationisstoredsecurelyelsewhereandthatyoucanrecoveritwhenyouneedto?

ThelifeofanISSOcanneverbeaneasyone—youarethevoiceofdoomandauthoritywithinanorganizationthatsays“No”touserswhowanttodothingsthattotheirmindarequitereasonable.Youaretheonewhoactsastheirconscienceandhighlightsorinvestigatestheirsins,andyouarethebearerofbadtidingstotheboard(youneedmoreinvestmenttokeepthesystemssecure,oryouhavejusthadasecurityincidentandarereportingthedamage).Youaretheonewhoisresponsibleforthesecurityofthe“crownjewels”ofthecompany.Sowhywouldyouwanttotakeonthisrole?Well,theansweristhatitisoneofthemostsatisfyingandrewardingrolesthatyoucanimagine.Itshouldneverbeboring,andtherewillusuallynotbethesameproblemstotaxyourintellecttwice.Italsoallowsyoutouseanddevelopskillsinanareawhereyoucanmakeadifferenceandtocontributetoastrugglethatisbecomingincreasinglyfast-movingandruthless.Itcanbeahugelysatisfyingrole,forthosewhocansurvivetheapprenticeshipandcanaccepttheresponsibilitywhilemaintainingabalancedviewoftheworld.

SteveLutzThedemandforinformationsecurityconsultinghasbeensteadilyincreasingsince2005,andforgoodreason.Aseveryonegotonthetechnologybandwagoninthe1990s,thepressureincreasedtofindinnovativewaystodeploytechnologyandincreaseproductivity.Thebusinesscommunity“discovered”theInternetandgrandproclamationsweremadeabouttheobsolescenceof“brickandmortar”tobereplacedby“e-commerce.”Whilemuchofthiswasoverhyped,theracewasonand“timetomarket”becameoneoftheanthemsoftheneweconomy.

Sointhefranticracetobeatthecompetition,technologywasdeployedwithlittlethoughttosecurity.Indeed,peoplehadjustenoughtimetogetwhateveritwasworking,letalonesecureitinanymeaningfulfashion.Andthenpow,somesecuritybreachwasdiscoveredandithadtobefixedfast.IntherushtoputtheWebsiteorwhatevertogether,noonebudgetedforsecurity,andthere’snobodyin-housewiththeexpertisetohandleit.

Entertheinformationsecurityconsultant.Sinceitwasn’tbudgetedforinthefirstplace,it’sanout-of-cycleapprovalfrommanagement,andthereyouaretryingtosecureasystemthathasdeepdesignflawsfromasecurityperspectivewithanobscenelysmallbudget.Youexplainthattoreallydoitright,acompleteredesignisinorder.Yes,weunderstand,andno,wecan’tdothat.“It’saproductionsystem,”“Ourcompetitionwillkillus,”“Wedon’thavethatkindofbudgetforsecurity,”andsoon.Withasigh,youdothebestyoucantoplacesomesecurityBand-Aidsonitandadvisethemtocallyoubeforethenextdesignmeetingforversion2.0.Guesswhathappenswhenv2.0isreleased?Samething.

Thiscyclerepeateditselfforprettymuchtheentire“dot-com”era,withsomeexceptions.Someofthemoreforward-thinkingcompanieshiredconsultantsforsecurityarchitectureanddesignworkandsavedthemselvesawholelotofmoneyandheadaches.Still,theInfoSecconsultantshadmoreworkthantheycouldhandle.(Thesamewasprobablytrueinthe1920sforradioengineers.)Onegoodthingthatcameoutofthe1990swasraisedawarenessoftherolethatinformationsystemssecurityplaysinasuccessfultechnologydeployment.Oh,andtherearenowhundreds(thousands?)ofcompaniesofferingsecurityproductsforeveryconceivableproblem.

Nowthatthepartyisoverandtechnologyhasfallenbacktobeingjustanotherbusinesstool,whatwillthismeanforinformationsystemssecurityconsultants?VirtuallyallcompanieshavecutbackontheirITspendingandarefocusingonusingwhatthey’vealreadyoverbought.Partofthehangoveristhatcompanieshavehadtolayoffsignificantnumbersofpeopleacrosstheboard,includingIT.Leanandmean,baby.Nowit’stimetotakestockofwhatwedidduringthefrenzyandseeifthere’sanythingwemissed.Didwebuyenoughservers?Yes,we’vegotplenty.Networking?Yup,plentyofthat.Websites?Got‘em.Therewassomethingwemissed,though…Whatwasit?Somethingcritical…Oh,yeah!Thatsecuritything.OK,getsomebodyonit.Oops,welaidthemoff.Hmm,canwehiresomeone?Noway,there’sahiringfreezeon.Well,webettercallaconsultantthen.

Andthat’swherewe’reatnow.Informationsystemssecurityconsultingisdoingquitewellinthesetimesandmainlyforthosereasons.Alotofwhatwe’reseeingisgoingbackovereverythingandlockingitdown.That’sgreat,butwhereisitgoing?Ithinkthatthiswillcontinueforsometimeduringtheeconomicdownturn.Atjustaboutthetimetheretrofittingworkisdone,theeconomywillprobablyheatupagainandcompanieswillstartbuyingITagain.Whenthathappens,weInfoSecfolkswillbetheretosecurethenextgenerationofinformationtechnology.Let’sjusthopeeveryonedoesitrightthenexttimearound,ratherthanrushingintoeveryprojectjusttogetitouttherefast.

1Author’sthoughtsbutfeelfreetoquoteme.:)

SECTION I

TheWorkingEnvironmentoftheCyberSecurityOfficerOUTLINEIntroduction

Chapter1.UnderstandingthePastandPresentCyber-InformationWorldEnvironment

Chapter2.UnderstandingthePastandPresentGlobalBusinessandManagementEnvironment

Chapter3.AnOverviewofRelatedWorldViewsofCyberSecurity

Chapter4.AGlimpseattheHistoryofTechnology

Chapter5.UnderstandingToday’sThreatsintheCyberVapor—“WarStories”fromtheFrontLines

Introduction

SectionI(Chapters1–5)providesanintroduction,anoverview,oftheever-changingworldinwhichtoday’scybersecurityofficermustwork.Thissectioniscomposedoffivechapters,titledasfollows:

•Chapter1:UnderstandingthePastandPresentCyber-InformationWorldEnvironment

•Chapter2:UnderstandingthePastandPresentGlobalBusinessandManagementEnvironment

•Chapter3:AnOverviewofRelatedWorldViewsofCyberSecurity

•Chapter4:AGlimpseattheHistoryofTechnology

•Chapter5:UnderstandingToday’sThreatsintheCyberVapor—“WarStories”fromtheFrontLines

CHAPTER1

UnderstandingthePastandPresentCyber-InformationWorldEnvironment

AbstractTheobjectiveofthischapteristoprovideageneraloverviewofthecyber-information-dominatedandinformation-technology-dependentandconstantlychangingglobalenvironmentinwhichthecybersecurityofficermustwork.

KeywordsCommunicationstechnology;Cost-effectivecybersecurityprogram;Cyberinformation;Cybersecurityofficers;Cyberspace;Globalinformationinfrastructure(GII);Internet-enabledcommunications;Nationalinformationinfrastructure(NII);Off-ramp

Thisisaterribletimeofunwantedliberties

SandyNichol1

CONTENTS

Ah,theGoodOl’Days! 4UnderstandingYourInformation-DrivenEnvironment 6

GlobalInformationInfrastructure 10NationalInformationInfrastructure 11HowDidWeGetfromAdamtotheInternet? 11

BirthoftheInternet 13“FutureShock” 15RoadMapfortheInternet 16TheInternet:NoTrafficControls 17WhatHasBeentheImpactoftheInternet? 17OrganizationalImpacts 19UsingtheInternettoShareInformation 20

ChangingCriminalJusticeSystems 21TheHumanFactor 24

Laws,Regulations,Standards,andLegalIssues 24Summary 26

CHAPTEROBJECTIVE

Theobjectiveofthischapteristoprovideageneraloverviewofthecyber-information-dominatedandinformation-technology-dependentandconstantlychangingglobalenvironmentinwhichthecybersecurityofficermustwork.

Ah,theGoodOl’Days!Yes,muchhashappenedandyet,littlehaschanged.

Whathasnotchangedarethethreats,vulnerabilities,andriskstoinformationandinformationsystems.Whathaschangedisthelevelofsophisticationofthethreats—theattacksandthethreatagents—aswellastheexponentiallygrowingnumberofthemallovertheworldandfromvarioussources.

Information2:

1.Factsprovidedorlearnedaboutsomethingorsomeone.

2.Whatisconveyedorrepresentedbyaparticulararrangementorsequenceofthings.

2.1.ComputingDataasprocessed,stored,ortransmittedbyacomputer.

2OxfordDictionary.

Wehavegonefromanenvironmentofyounghackerswitha300-baudexternalmodem,writinghackerprogramsinBASIC,lookingfordial-uptones,toaworldofextremelysophisticatedattackers,fromgovernmentagentstoorganizedcrimegroupstoterrorists.Yes,theteenagehackerand“computerenthusiast”isstilloutthereamongthethreatagentsacybersecurityofficermustface;however,comparedtotheothersouttherenow,oneonlywishesforsomeofthegoodol’dayswhensuchhackerswerethegreatestthreattoinformationandsystems.

Evenso,itisimportanttounderstandtheenvironmentinwhichtoday’scybersecurityofficermustdobattle—andyes,itisabattle,andyes,weareatwarandshouldbeonawarfooting.However,wearenot,andthus,wearelosingtothosethreatagentswhoareattackingoursystemsanddestroyingourinformation,orstealingourinformation,24/7.

Weliveinaworldofinformation,knownthesedaysascyberinformation,computerinformation,theinformationenvironment,orthelike.Morethanever,theworldwantstotalktotheworldaboutanythingandeverything.Infact,theworldnowdemandsitatanunprecedentedscaleandisdoingitatalevelneverseenbefore.Thus,vulnerabilitytypesandnumbershavealsocontinuedtoincrease.

Furthermore,theusersthatthecybersecurityprofessionalmustsupportanddefenddonotwanttobetieddowntoanyphysicallocation.Today’susers,whichbasicallymeansprettymuchallofthetechnology-drivenworldandincreasinglythoseintheThirdWorld,whomaynothaverunningwaterbutdohaveacellphoneandincreasinglyInternetandothernetworkconnections,want—demand—itall,withmobilecapabilities!

Informationispulled,pushed,draggedaroundtheworldthroughwireless,cable,opticalfiber,satellite,andotherassortedphysicalandincreasinglymorethanevermobiledevices—andallofusalongwithit.Wearedependentoninformationasindividuals,companies,andgovernmentagencies.Infact,hasthatnotalwaysbeenthecase?It’sjustthatnow,itisinacyberformmorethanever.

Indaysgoneby,informationwascommunicatedbywordofmouth,bydrums,bysmokesignals,inwritingcarriedbycouriersonhorseback,bytelegraph,bytelephone,andnowthroughtheuseofhightechnology.

Thedifferencetodayisthatinthe“modern”countriesoftheworld,wearemoredependentoninformationandthehightechnologythatallowsustocommunicateanddobusiness,globally,atthespeedoflight.Today,morethanever,information—accurateinformation,andmoreofit,deliveredfaster—allowsoneanadvantage.Morethanever,thisappliesnotonlytocompanies—especiallytheincreasingnumberofthemgoingortryingtogoglobaltotakeadvantageofopportunitiesfornewcustomers—andtogovernmentsofnations,butalsotogroupsandindividuals.Wehaveallbeensuckedintothequicksandoftechnologydependency.

Fast,accurate,andcompleteinformationthatissecuredandprotectsprivacy—yeah,goodluckwiththatone—iswhatisdemanded;however,itisseldomrealizedthesedaysasouridentity,networks,andinformationarehacked,sold,andmisused.Theoldsaying“informationispower”isprobablymoretruetodaythaneverbefore.

Informationofgreatestvaluemustbe:

Accurate,acteduponcorrectly,andacteduponbeforeitisusedbytheadversary,e.g.,acompetitor,anothergovernment,etc.

Rememberthatiftheinformationyouneedisonaninformationsystemthatisavictim,forexample,ofasuccessfuldenial-of-serviceattack,importantinformationcouldnotgettoyouorothersattherighttimesothatyouortheycouldusethatinformationtoyouradvantage;thismayhaveseriousconsequencesintermsoflives,money,orothernegativefactors.

UnderstandingYourInformation-DrivenEnvironmentAsacybersecurityofficer,itisveryeasytogetcaughtupinhightechnologyandviewthatas“yourworld.”Afterall,intoday’shigh-technology-drivenandhigh-technology-dependentworld,andonecanalsosaycyberworld,itisveryeasytolookatinformationandhightechnologyasyourworkingenvironment,aswhatcausesyourproblems,andaswherethesolutionstoyourproblemslie.However,thetruthisthathightechnologyisjustatoollikeanyothertool.Andaswithanytool,itcanbeusedasintended,abused,orusedforillegalpurposes—bypeople.

Itseemsthatwearesofocusedontheinformationandtechnologyforanswerstocyber

securityandmitigatingrisks,weforgetourfirstpriorityshouldbethepeoplewhoareusingandabusingthesesystemsandinformation.Itisespeciallynecessarytofocusnotonlyontheoutsidethreatagentsbutalsoonthosepeoplewhohaveauthorizedaccesstothosesystemsandinformation.

Intoday’sinformationworldenvironmentthatacybersecurityofficermustworkin,itismuchmorethanjusthightechnology.You,asacybersecurityofficer,mustunderstandthisworldandalsoushumans,asallthesetopicshaveadirectbearingontheprotectionofinformationandinformationsystems—cybersecurity.Theyincludesuchthingsas:

•Globalandnationalmarketplaces;

•Globalandnation-states’economies;

•Internationalpolitics;

•Worldculturesandsocieties;

•Internationalandnationallawsandtreaties;

•Majorlanguagesoftheworld;

•Majorreligions;

•Business;

•Humanrelationsandpsychology;and

•Governmentsofnation-states.

Tobesuccessful,thecybersecurityofficershouldhaveavariedbackgroundnotonlyinsuchthingsascomputersciencesbutalsoinpsychology,criminology,socialscience,geopoliticalmatters,internationalbusiness,worldhistory,economics,accounting,andfinance.Also,themoreforeignlanguagesthecybersecurityofficerknows,thebetter.Volumeshavebeenwrittenabouteachofthesetopics.Itwouldbehoovethecybersecurityofficertohaveaworkingunderstandingofeachofthesetopics,astheyallaffectthecybersecurityofficer’sabilitytosuccessfullyestablishandmanageasuccessfulcybersecurityprogram.Therearefewprofessionstodaythatofferthechallengesthatfacethecybersecurityofficer,whetherthatpersonisinagovernmentagencyorbusiness—nomatterwhatcountryorbusinessthatpersonworksfor.

Cybersecurityofficersmustunderstandtheworldinwhichtheywillworkinordertobesuccessful.Inthepast,thisunderstandingwasgenerallylimitedtothecompanyorgovernmentagencyinwhichthatpersonworked,andtoitscomputersystems,whichwereisolatedwithinthecompanyorgovernmentagencyorevenjustinone’shome.Thecybersecurityofficersgenerallywereonceconcernedonlywiththeeventsthattookplacewithintheirrespectiveworkingenvironmentorlivingenvironmentorevenjustwithintheircountry,aswhathappenedoutsideofthatlimitedworldusuallydidnotaffecttheirworkorlife.However,thatwasinthepast.

Ifyouknowtheenemyandknowyourself,youneednotfeartheresultofahundredbattles.Ifyouknowyourselfbutnottheenemy,foreveryvictorygainedyouwillalsosufferadefeat.Ifyouknowneithertheenemynoryourself,youwillsuccumbineverybattle.

SunTzu

Theenvironmentofthecybersecurityofficerthatmayaffecttheprotectionofinformationandinformationsystemsisnowglobalinscope,andhightechnologyandglobalnetworkingarechangingmorerapidlywitheachpassingyear.Thisnewglobalenvironmentanditsassociatedhightechnologymustbeclearlyunderstood.Thisisbecauseitisallintegratedintoadrivingforcethatwilldictatewhatmustbedonetoprotecttheinformationsystemsandtheinformationthattheystore,process,display,andtransmit.Itwillalsodeterminehowsuccessfulthecybersecurityofficer’sinformationsystemssecurityprogram,nowgenerallyreferredtoascybersecurityprogram,willbeinprovidingprotectionatthelowestcosttothebusinessorgovernmentagency.

Today’scomputersystemenvironments—networksthatspantheglobe—areallbasedonthemicroprocessor.Microprocessorshavebecomecheaperandmorepowerfulatthesametime.Thisistheprimarycausefortheirproliferationthroughouttheworld.Somesaythattoday’scellphonehasmorecomputerpowerthanthecomputersystemsinthevehiclethatlandedonthemoon.

Whenwethinkofcomputers,wesometimeslookatthemasverycomplicateddevices,wheninfactitisnotthatdifficulttounderstandthebasicsatleast.Computersarecomposedofhardware,thephysicalpieces;software,theinstructionstothecomputer,whichcanbealtered;andfirmware,whichareinstructionsembeddedonamicroprocessor.Theprocessincludesinput,process,output,transmit,andstorage.Yourcybersecurityprogramcanbebrokendownintotheseelementsandeachlookedattodefendasaseparateentityandtheninaholisticmanner.

Thereisarumorgoingaroundthatatleastonenation-stateinvolvedincomputerbuildingandsaleshasembeddedintothefirmwareacodethatallowsthatnation-statetogainaccesstothatsoldcomputer,bypassingsecuritysoftware,whenitwants.

Itwasalsorumoredthat,inthepast,therehavebeencovertlyinstalledelectricaloutletsthatallowedthemanipulationoftheelectricalcurrenttoturnadesktopcomputeron,downloadinformation,andturnthesystembackoff.Somesaythatwasvalidonlysomeyearsago;however,today’smodernsystemshaveeliminatedthatrisk.

Ofcoursethemoreacybersecurityofficerknowsabouthowhardware,firmware,andsoftwarework,thebetterpositionthatpersonwillbeintoprotectthosesystemsandtheinformationtheyprocess,store,display,and/ortransmit.

Inmanyoftoday’sinformation-basednation-states,wehavebeenabletonetwork

thousandsofsystemsbecauseoftherapidadvancesinhightechnologyandcheaphardware.Wehavebuilttheinformationsystemsofthenation-states’businessesandgovernmentagenciesintomajorinformationinfrastructuressomecallnationalinformationinfrastructures.Astand-alonecomputersystem(onewithnoexternalconnectionsbetweenitandothercomputers)todayisrelegatedtoasmallminorityofbusinessesandgovernmentagencies.Wecannotfunctionintoday’sbusinessworldandinourgovernmentagencieswithoutbeingconnectedtootherinformationsystems—bothnationalandinternational.

Theprotectionofinformationsystemsandtheinformationthattheyprocess,store,display,and/ortransmitisobviouslyofvitalconcerninthisinformationworld.Manynation-statesarealreadyintheInformationAge,progressingintowhatsomecallthe“KnowledgeAge,”withmanyothernation-statesnowenteringtheInformationAgeandyetmanymoreclosebehind.Thiswillobviouslycomplicatetheproblemsofthecybersecurityofficer,asinthiscasethephrase“themorethemerrier”describessomethingacybersecurityofficerdoesnotwanttodealwith,becauseitmeansmorethreats,morevulnerabilities,simplybyconnectingtotheirsystems.

Thecybersecurityofficermustrememberthatthecybersecurityprogrammustbeserviceandsupportoriented.Thisisofvitalimportance.

Thecybersecurityofficermustunderstandthatthecybersecurityprogram,onceitistoocostly,isoutdated,anddoesnotmeettheserviceandsupportneedsofthebusinessorgovernmentagency,willbediscardedorignored.So,oneofthecybersecurityofficer’schallengesistofacilitatethenetworkingofsystemsnationallyandinternationallywhileprotectingcompanyinformationandsystems,butmitigatingtherisksinacost-effectivemanner.

Toprovideacost-effectivecybersecurityprogram,thecybersecurityofficermustcontinuallykeepupwithhightechnology.Thatpersonmustbefamiliarwithtechnologicalchangesingeneralandintimatelyfamiliarwiththetechnologybeingplannedforinstallationwithinhisorherbusinessorgovernmentagency.

Thecybersecurityofficermustunderstandhowtoapplyinformationprotection(cybersecurity)andintegrateitaround,andonto,thenewhightechnology.Failuretodosowouldleavetheinformationandhisorhersystemsvulnerabletoattack.Inthatcase,thecybersecurityofficerwouldhaveaseriousproblem—possiblyajobsecurityproblem—ifasuccessfulattackoccurredowingtothenew-foundvulnerabilitybroughtonbythenewlyimplementedtechnology.

Managementinbusinessesandgovernmentagencieswillholdthecybersecurityofficerresponsibleforanysuccessfulattacks,whetherornotitwasmanagementorthetechnicalstaffthatwasclearlyresponsibleforthevulnerabilitythatallowedthe

successfulattack.Suchisthenatureoftheposition.

Thecybersecurityofficercoulddelayinstallationofthenewhightechnologyuntilasuitableinformationprotection“umbrella”couldbeinstalled.However,inmostbusinesses,thiswouldbeconsideredacareer-limitingorcareer-endingmove.Intoday’sbusinessworld,thephrase“timeismoney”istruerthanever.Intoday’sandtomorrow’shighlytechnology-basedenvironment,innovationandflexibilityarekeywordsforthecybersecurityofficertounderstandandapplytothecompany’sorgovernmentagencies’informationprotectionprogram.

Thus,thecybersecurityofficerhasverylittlechoicebuttosupporttheinstallationofthenewhightechnologyandincorporateinformationprotectionaseffectivelyandefficientlyaspossible.Andoneofthewaystosuccessfullyprovidethatserviceandsupportistokeepupwithtechnologicalchanges.

GlobalInformationInfrastructureTheimportanceofinformationprotectioncontinuestogrow,aswebecomemoreandmoredependentonhigh-technologysystems.Thenetworkingofsystemsaroundtheworldiscontinuingtoexpandtheglobalinformationinfrastructure(GII).Today,becauseofthemicroprocessoranditsavailability,power,andlowcost,theworldis“building”theGII.TheGIIisthemassiveinternationalconnectionsofworldcomputersthatarecarryingbusinessandpersonalcommunicationsaswellasthoseofthesocialandgovernmentsectorsofnation-states.Somesayitcouldconnectentirecultures,eraseinternationalborders,support“cybereconomies,”establishnewmarkets,andchangeourentireconceptofinternationalrelations.

TheGIIisbasedontheInternetandmuchofthegrowthoftheInternet.TheGIIisnotaformalproject;rather,itistheresultoftheneedofthousandsofindividuals,corporations,andgovernmentstocommunicateandconductbusinessbythemostefficientandeffectivemeanspossible.

Theimportanceofinformationprotectiontakesonaddedmeaningbecauseoftheincreasedthreatstothesystemsandtheinformationtheystore,process,display,andtransmitowingtothisexpandedconnectivityprovidedbytheGII.Afterall,itwillcomeasnosurprisethattherearepeopleandnation-statesintheworldthatconsideryourcompanyandyourcountryanadversary—theenemy.Thatbeingthecase,theywilldowhatevertheycantomeettheirownobjectives—generallyattheexpenseofyourcompanyornation-state.

NationalInformationInfrastructureThenationalinformationinfrastructure(NII)isbasicallythenetworkofcomputersuponwhichthenation-stateanditspeoplerelyinthisinformation–knowledgeage.TheNIIisthehigh-technology,criticalinformationinfrastructureofanation-state.Thecriticalinfrastructures,accordingtoseveralnation-states,aregenerallydefinedassystemswhoseincapacityordestructionwouldhaveadebilitatingimpactonthedefenseoreconomicsecurityofthenation-state.Theyinclude:

•Telecommunications,

•Electricalpowersystems,

•Gasandoil,

•Bankingandfinance,

•Transportation,

•Watersupplysystems,

•Governmentservices,and

•Emergencyservices.

Manyhavebeensoundingthealarmforsometimenowofthevulnerabilitytoandthecatastrophicresultsofsomeadversarysuchasterroristshackingintosuchsystemsandsettingoffanuclearmeltdown,openingthefloodgatesofdams,andothercatastrophes.

HowDidWeGetfromAdamtotheInternet?3

TheuseoftheTofflers’modeloftechnologicalevolutionprovidesausefulframeworkfordiscussingchangesarisingfromtheimpactoftechnology,generally,andtheInternetspecifically.ForthoseofyouwhohaveneverheardofAlvinandHeidiToffler,readtheirbooks.Yes,theywerewrittenmaybebeforeyouwereborn,buttheTofflersareexcellentfuturistswholookedintothefuture,whichisnowours,andtheirbookspointtowherewehavebeenandwhatmaybecoming.

ThemodelbeginsbydescribingtheAgriculturalAge,whichlastedfromaboutthetimeofAdamuntilabout1745intheUnitedStates.Manuallaborandafocusonaccumulatingaminimumfoodsurplustoallowforgovernancecharacterizedthislongperiod.Duringthistime,technologicalprogresswasverylimited,slow,andlaborious.Themajorlackofunderstandingofeventhemostbasicconceptsofscienceimpededprogress.4

Warfare,althoughcommon,wasgenerallyshortindurationandwasoftendecidedbymajorbattlesorcampaignslastinglessthanayear,withsomeexceptions,suchastheHundredYears’WarandtheCrusades.Althoughlargearmieswerepossible(atonepointtheRomanEmpirefieldedmorethan700,000soldiers),therewerelimitedandrelativelyineffectivemethodsforcommunicatingandcontrollingmorethanasmallpercentageoftheseforces.Runnersandhorse-bornemessagecourierssupplementedbyflagsandothervisualmediawerethemajormethodsofremotecommunication.

The“IndustrialAge,”intheUnitedStates,lastedamuchshortertime,onlyfromapproximately1745untilabout1955.ThedefiningeventoftheIndustrialAgewastheintroductionofthesteamengine,whichallowedmechanicalequipmenttoreplacemuscle-poweredeffortsofbothhumansandanimals.Thesedevicesintroducedanewandmuchacceleratedpaceoftechnicalinnovation.Duringthis200-yearperiod,therewasadramaticexpansionofhumanknowledgeandunderstandingofthebasicprinciplesofphysicalscience.Enhancedagricultureallowednationstoaccumulatehugefoodsurpluses.Uponthefoundationofthefoodsurplus,thenation-statesincreasedtheirpower,whichwasdrivenbymassproduction.Massproductionofweaponsandthemassslaughterofbothcombatantsandnoncombatantscharacterizedtheconflictsofthisperiod.5

Communicationstechnologyevolvedfromprimitivesignalinginvolvinglanternsandreflectedlights(heliograph)tosupplementthecontinueduseofhumancouriers,whetherridinghorses,trains,orwaterbornecraft.Theinventionsofthetelegraphintheearly1800s,followedinthelate1890sbythetelephoneandthenbywirelessradiointheearly1900s,wereessentialevolutionarystepstowardtoday’stelecommunicationsinfrastructure.

The“InformationAge”intheUnitedStates,accordingtotheTofflers,beganabout1955,whichisthefirstyearthatthenumberofwhite-collaremployeesexceededthenumberinblue-collarproductionjobs.Thishasbeentheerawiththemostexplosive

growthinhumanknowledge.Morehasbeendiscoveredinthepast50 yearsinboth

scienceandengineeringthaninthethousandsofyearsofrecordedhumanhistory.Intheinformationage,knowledgeisgrowingexponentially.

ThepaceofevolutionincommunicationsandothertechnologiesacceleratedduringtheearlyyearsoftheInformationAgewiththeadventofsatellites,fiber-opticconnections,andotherhigh-speedandhigh-bandwidthtelecommunicationstechnologies.

ItisinthecontextofthisphenomenalgrowthoftechnologyandhumanknowledgethattheInternetarisesasoneofthemechanismstofacilitatesharingofinformationandasamediumthatencouragesglobalcommunications.

Inthepast,theU.S.GeneralAccountingOffice,inareporttoCongress,detailedtherapiddevelopmentofthetelecommunicationsinfrastructureintheUnitedStates,resultinginthecreationofthreeseparateandfrequentlyincompatiblecommunicationsnetworks:6

•Wire-basedvoiceanddatatelephonenetworks,

•Cable-basedvideonetworks,and

•Wirelessvoice,data,andvideonetworks.

Fromthatpastuntilnow,lookhowfarwehavecome,andimagine,asacybersecurityofficer,whatisyettocome.Itbehoovesallcybersecurityofficerstoalwaysprojectintothefutureandplannowtoaddressthefutureenvironmentinwhichthecybersecurityofficerwillworkandwagewaragainalladversariestotheirnetworks(hardware,software,information,data,users,andotherentities)forwhichtheyareresponsible.

BirthoftheInternet7Itisvitaltounderstandthehistoryandever-changingenvironmentifthecybersecurityofficeristosucceedinfulfillingalldutiesandresponsibilitiesthroughacybersecurityprogramthatdefendshisorhernetworksagainst“allenemies,foreignanddomestic.”

Theglobalcollectionofnetworksthatevolvedinthelatetwentiethcentury,andcontinuetoevolveinthetwenty-firstcentury,tobecometheInternetrepresentswhatcouldbedescribedasa“globalnervoussystem,”transmittingfromanywheretoanywherefacts,opinions,andopportunity.However,whenmostsecurityandlawenforcementprofessionalsthinkoftheInternet,itseemstobesomethingeithervaguelysinisterorofsuchcomplexitythatitisdifficulttounderstand.Popularculture,asmanifestedbyHollywoodandnetworktelevisionprograms,doeslittletodispelthisimpressionofdangerandout-of-controlcomplexity.

TheInternetaroseoutofprojectssponsoredbytheAdvancedResearchProjectAgencyintheUnitedStatesinthe1960s.Itisperhapsoneofthemostexcitinglegacydevelopmentsofthatera.Originallyanefforttofacilitatesharingofexpensivecomputer

resourcesandenhancemilitarycommunications,overthe10 yearsfromabout1988until1998itrapidlyevolvedfromitsscientificandmilitaryrootsintooneofthepremiercommercialcommunicationsmedia.TheInternet,whichisdescribedasaglobalmeta-

network,ornetworkofnetworks,providesthefoundationuponwhichtheglobalinformationsuperhighwaywillbebuilt.8

Itwasnotuntiltheearly1990s,however,thatInternetcommunicationtechnologiesbecameeasilyaccessibletotheaverageperson.Priortothattime,Internetaccessesrequiredmasteryofmanyarcaneanddifficult-to-rememberprogramminglanguagecodes.However,thecombinationofdecliningmicrocomputerprices,enhancedmicrocomputerperformance,andtheadventofeasy-to-usebrowsersoftwarecreatedthefoundationformassInternetactivity.Whenthesevariablesalignedwiththedevelopingglobaltelecommunicationsinfrastructure,theyallowedarareconvergenceofcapability.9

Ithasnowbecomeasimplematterforaveragepeople,eventhosewhohadtroubleprogrammingtheirVCRs,toobtainaccesstotheglobalInternetandwiththeaccesssearchthehugevolumeofinformationitcontains.ThemostcommonlyaccessedapplicationontheInternetistheWorldWideWeb(Web).OriginallydevelopedinSwitzerland,theWebwasenvisionedbyitsinventorasawaytohelpshareinformation.TheabilitytofindinformationconcerningvirtuallyanytopicviasearchenginesfromamongtherapidlygrowingarrayofWebserversisanamazingexampleofhowtheInternetincreasestheinformationavailabletonearlyeveryone.OnegainssomesenseofhowfastandpervasivetheInternethasbecomeasmoreTV,radio,andprintadvertisementsdirectprospectivecustomerstovisittheirbusinessorgovernmentagencyWebsites.

Animportantfacttounderstand,andwhichisofsupremeimportanceforsecurityandlawenforcementprofessionals,isthattheWebistrulyglobalinscope.Physicalbordersaswellasgeographicaldistancearealmostmeaninglessin“cyberspace”;thedistanttargetisaseasilyattackedasalocalone.Thisisanimportantconceptforsecurityandlawenforcementprofessionalstounderstandbecauseitwillaffecttheirabilitytosuccessfullydotheirjobs.TheannihilationoftimeandspacemakestheInternetanalmostperfectenvironmentforInternetrobbers.Whenfindingadesiredserverlocatedontheothersideoftheplanetisaseasyandconvenientascallingdirectoryassistancetofindalocaltelephonenumber,Internetrobbershavethepotentialtoactinwaysthatwecanonlybegintoimagine.ThepotentialbonanzaawaitingtheInternetrobber,whoisundeterredbydistance,borders,time,orseason,isachillingprospectforthosewhoareresponsibleforsafeguardingtheassetsofabusinessorgovernmentagency.AstheISSO,youhaveresponsibilityfordeterringthesemiscreants,aswellashelpingsecurityandlawenforcementpersonnelinvestigatethem.

“FutureShock”WithappreciationfortheTofflers’bookFutureShock,thereactionofpeopleandorganizationstothedizzyingpaceofInternetprogresshasbeenmixed.Althoughsometechnologicallysophisticatedindividualsandorganizationshavebeenveryquicktoexploitthepotentialofthisnewtechnology,manyhavebeenslower,adoptingmoreofawait-and-seeposture.TherapidpaceofevolutionoftheInternetdoesraisesomequestionsastohowmuchasocietycanabsorbandhowmuchcanactuallybeusedto

benefitorganizationsinsuchacompressedtimeframe.SometimeslostinthetechnologicalhypeconcerningthephysicalspeedofInternet-enabledcommunicationsorthenewtechnologiesthataremakingiteasiertodisplaycommercialcontentistherealityoftheInternet’sgreatestimpact:Itprovidesunprecedentedaccesstoinformation.Theaccessisunprecedentedintermsofthetotalvolumeofinformationthatismovingonlineandmaybetappedfordecision-making.

Italsoisunprecedentedwhenweconsidertheincreasingpercentageoftheworld’spopulationthatenjoysthisaccess.Moreandmoreinformationmovesonlineandbecomesavailabletomoreandmorepeople,causingfundamentalchangesinhowwecommunicate,dobusiness,andthinkoftheworldwelivein.Consequently,therearealsofundamentalchangesinhowcriminalsandmiscreantscommitcrimes.

Throughoutmuchofhumanhistory,theeducatedelitesofeveryculturehavejealouslyguardedtheirknowledge.Accesstoknowledge,whetherinwrittenorspokenform,wasoftenthesourceoftheelite’sprivilegedpositionandoftenallowedthemtodominateorcontrolthegreatuninformedmassesofuneducatedhumanity—informationwasandstillisameanstopower.“Outsiders”werenevergrantedaccessestothestoreofwisdomunlesstheywereinductedintotheprivilegedelite.Now,however,theaverageInternettraveler,whereverresident,withlittlemorethanafastmodemandamediocremicrocomputer,canaccess,analyze,and/ordistributeinformationaroundtheworldonalmostanytopic.

Somepunditsdecadesagohadconcludedthatwenowliveinanerainwhichthereare“nomoresecrets.”Bysomeestimates,earlyinthiscenturytherewillbemoreinformationpublishedandavailableonlinethanhaseverbeenaccessibleinallthelibrariesonearth.HowthistorrentofinformationwillbemanagedtoensurethatInternetrobbersdonotwreakhavocanddominatetheInternet,orhavepoweroverothers,isnow(orshouldbe)theprimaryobjectiveofeverysecurityandlawenforcementprofessionalwhosebusinessorgovernmentagencytravelstheInternet.

So,whatdoyouthinkofourcurrentenvironment?Arewewinningorlosingthecybersecuritybattlesandwars?

RoadMapfortheInternetTheInternetcanbecomparedinsomewaystoaroadmapforasuperhighway.Somebasicexampleswillhelpexplainitincommonterms.

Whenmultiplecomputers(whethermicrocomputersorlarger)arelinkedtogetherbyvariouscommunicationsprotocolstoallowdigitalinformationtobetransmittedandsharedamongtheconnectedsystems,theybecomeanetwork.Thecombinationoftensofthousandsoforganizationalnetworksinterconnectedwithhigh-capacity“backbone”datacommunicationsandthepublictelephonenetworksnowconstitutestheglobalInternet.However,thereisamajordifferenceinthisenvironmentthatisimportanttoconsiderforsecurityandlawenforcementprofessionals.

WhentheisolatedbywaysofindividualbusinessorgovernmentagencynetworksbecomeconnectedtotheglobalInternet,theybecomean“off-ramp”accessibletoother

Internettravelers.ThenumberanddiversityoflocationsthatprovideInternet“on-ramps”arevastandgrowing.Today,onecanaccesstheInternetfrompubliclibraries,cybercafésinmanycitiesaroundtheworld,evenkiosksinsomeairports.TheseandotherlocationsprovideInterneton-rampstoanyonewhohasalegitimateaccount—oranInternetrobbercanhijackonefromanauthorizeduser.

Typicallyabusinessorgovernmentagencywillusecentrallycontrolledcomputers,calledservers,tostoretheinformationandthesophisticatedsoftwareapplicationsusedtomanageandcontrolitsinformationflow.Thesesystemscouldbeequatedtoasuperhighwayinterchange.

Commonlybusinessandgovernmentagencynetworksareconsideredprivatepropertyandtheinformationtheycontainasproprietaryfortheexclusiveuseoftheorganization.ThesebusinessandgovernmentagencynetworksareconnectedtolargenetworksoperatedbyInternetserviceproviderswhoprovidetheequivalentoftollroadsandturnpikes—thehighwaysfortheflowofinformation.

TheInternet:NoTrafficControlsTheInternetchallengesthesecurityandlawenforcementprofessionalwithanarrayofnewandoldresponsibilitiesinanewenvironment.Fromtheperspectiveofmanagingrisks,thisnewaccesstoinformationcreatesnewkindsofdangerstobusinessesandgovernmentagencies.Italsoallowswell-understoodsecurityissuestorecurinneworuniqueways.Nolongercanorganizationsassumetheywillobtainanysecuritythroughobscurity,nomatterwheretheyarephysicallylocated.Inotherwords,becausethereisanInternetoff-ramp,theywillbevisibletoInternetrobbers.Everythingfromanation’smostcriticaldefensesecretstobusinessinformationisvulnerabletoeasydestruction,modification,andcompromisebyunauthorizedInternettravelers.

Toooftencarelessmanagersfailtotakeadequatemeasurestosafeguardsensitiveinformation,whichresultsinprematuredisclosurewithattendantadverseimpact.Themajorpartofthecontrollableriskarisesfrominadvertentdisclosuretotheever-vigilanteyesofInternetrobbersandothers,suchascompetitiveintelligenceanalystswithInternetaccess.

WhentheInternetwaslimitedtoscientists,academicresearchers,andgovernmentemployees,suchacollaborativeframeworkwasprobablyaverycost-effectivemeansofcontrollingthevirtualworld.However,intheearly1990s,forthefirsttimethereweremorecommercialsitesthaneducationalandgovernmentalsitesusingtheInternet.Sincethattimemattershavebecomeincreasinglycomplex.Theinformalarrayofsocialsanctionsandtechnicalforumsforcooperationisnolongercapableofensuringamodicumofcivilizedbehavior.

WhatHasBeentheImpactoftheInternet?ItisapparentthattheInternethasrapidlybecomeasignificantelementinmodernsociety,figuringinadvertising,films,andtelevision,evenfacilitatingtherapiddisseminationof

investigativereportsinvolvingaU.S.president.TheInternethasprovidedmanyadditionalinformationservices,andtheyareallbecomingeasiertoaccess.ThetwoprimarynewavenuesforincreasedvolumeofinformationaccessaretheWebbrowserandnet-enablede-mail.Thisincreasedaccesstoinformationhasbeenprincipallyanadvantageforlaw-abidingcitizensandlegitimatebusinesses,butitalsooffersbothhardenedandprospectiveInternetrobbersnew,high-speedvenuesforperpetratingtheircrimesandschemes.

AlmosteveryoneworkinginAmericahasbeenexposedtosomeformofcomputertechnology.Fromthefront-lineretailclerkatthelocalfast-foodfranchise,totheWallStreetanalyst,tothefarmerplanninghiscroprotations,individualworkperformancehasbeensubstantiallyenabledbythewidespreadproliferationofmicrocomputertechnologies.Butthemacroimpactsonorganizationsareinsomewayslessremarkablethantheyhavebeenforindividuals.Gotoanygoodcomputerstore,orbetteryet,ifyouhaveInternetaccess,browsetheWebsitesofmajormicrocomputermanufacturers.Youwilldiscoverawiderangeofsystemswithmemory,speed,andstoragecapabilitiesthatwouldhavebeendescriptiveoflarge,mainframe-typecomputersintheearly1980s.Forexample,alargeregionalbankinsouthernCaliforniainthelate1980soperateditselectronicwire/funds

transfermachinewithonly48 MBofRAMand120 MBofdiskstorage,andthesystemtransferredbillionsofdollarsnightlyforthebank.Nowamuchgreaterperformanceisavailabletoanyonewithafewhundreddollarsinacellphone.

Inbusiness,ithasbecomeinsomewaysaDavidversusGoliathworld,inwhichtheadvantagesdonotalwaysaccruetotheorganizationthatcanfieldthebiggerbattalions.Advancedinformationtechnologywasoncetheprovinceexclusivelyofgovernments,themilitary,universities,andlargecorporateentities.Thisisnolongertrue.NowanyonewithamodestinvestmentinhardwareandsoftwarecanacquireapowerfulprocessorandattachittotheInternet.Itshouldbeobviousthatcriminalsandthosewithcriminalintentionsalsohaveaccesstopowerfulinformationtechnology.Thequestionremains:Howwilltheyuseit?

Asweconsiderthepotentialforcriminalactionsdirectedagainstorganizations,itiscriticallyimportanttoconsiderthesefactors.ThesameinformationtechnologyweusetomanageourorganizationscanandwillbeusedbysavvyInternetrobberstothedetrimentofgovernments,businesses,andothers.

Whenpowerfulmicrocomputersarenetworked,thecommunicationcapabilitiesinherentinthesearrangementsmultiplytheirvalue.Asinglemicrocomputerstandingaloneislittlemorethanasophisticatedtypewriterorcalculatingmachine.Therealpowercomeswhenindividualmachineslinktogethertocreatenetworksthatwillallowtheflowofinformationfromonepersontotheentireworld.Asacaseinpoint,considerthestoryofRussia’stransitionfromcommunism.WhenthemilitarycoupagainstGorbachevoccurredintheearly1990s,themilitaryplottersseizedcontrolofalltheclassicmeansofcommunication:newspapers,telephones,andradioandTVstations.However,theanti-coupforcesquicklydrovetheirmessageontheInternettogetwordtotheoutsideworldof

thesituation,andtimelycommunicationsplayedasignificantpartindefeatinganattemptbythemostpowerfulmilitaryandpoliceapparatusonearthtoregainpowerovertheRussianpeople.

ThecapabilitiesbroughttotheindividualbytheInternetareconsiderableandgrowingalmostdaily.Oneexampleistheabilitytosignupforinvestmentservicesfromlow-costbrokeragesandstockmarketadvisorsandenjoythekindoftimelyadvicethatforgenerationshasbeentheperquisiteoftherichandpowerfulclasses.Grass-rootspoliticalorganizingandcivicactionarealsoenabled.Forexample,inCalifornia,aconcernedparentscannedintoadatabaseandpostedonaWebpagethedetailsofthestate’slistofsexualpredators/pedophiles,thusallowingaveragepeopletodeterminewhethertherewasaregisteredsexoffenderresidingintheirneighborhood.

Fromshoppingforhomesandautomobiles,whereonlineservicespromisetoeliminatethebrokers’monopolyofinformation,totraffic,weatherforecasts,anddirectionspriortotrips,theInternetisprovidingmoreinformationtomorepeopleeveryday,andweareonlyatthebeginningofthatprocess!Themajortrendhereisclear:Therewillbemoreinformationaccessibletomorepeoplethanhaseverbeenpossibleinthepast.Howthisinformationpowerwillbeusedultimatelydependsontheethicsandmotivesoftheindividual:Internetrobberscanusesuchpowernegatively.

OrganizationalImpactsThemajorbenefitstoorganizationsoftheInternetandrelatedtechnologiesaresignificantandfarranging.Inlargepart,theimpactsmaybecharacterizedasdramaticallylowercostsfortransmittingandsharinginformation.Toappreciatehowfarwehavecome,beforeelectronicmailbecameubiquitous,ittookaslongasaweekforfirst-classpostalmail,derisivelycalled“snailmail”byInternetaficionados,totravelfromonecoastoftheUnitedStatestotheother.Eventhefaxmachine,whichitselfwasasignificantimprovementoverpostalandovernightcourierservices,requiresdedicatedfaxequipmentandoperatesonlyfrompointtopoint.ContrastthesewiththecapabilitiesofInternete-mail.E-mail,whichmaytransittheglobeinseconds,allowstherecipientstoobtainthemessagewhenitisconvenient;theyneednotbepresenttoreceiveit.Throughtheuseofdigitalattachments,e-mailcancarrymoreinformationinaconvenientcompressionoftransmissiontimes.

Whereastheinnocente-mailuserseesonlyincreasedspeedandvolumeofcommunication,securityandlawenforcementprofessionalsmustunderstandhowdamagingevenonemessagecouldbetoabusinessorgovernmentagency.Asinglee-mailmessagecouldcontainthewholestrategicbusinessplanoftheorganizationorthesourcecodetoabreakthroughproductandcouldbetransmittedanywhereonearthinananosecond.

Toshowthatthisthreatismuchmorethantheoretical,considertheallegationsinvolvingtwoleadingSiliconValleysoftwarecompanies,AandB.CompanyAaccusedrivalCompanyBoftheftoftradesecretsandproprietarysourcecode.CompanyA’s

managementallegedasoneelementintheircomplaintthataformerCompanyAemployeeusedhiscompany-providedInternetaccesstotransfersourcecodeofkeyproductstohisown,personalaccount.Theemployeethentenderedhisresignation.Uponarrivalathishome-basedoffice,thenow-formerCompanyAemployeeallegedlydownloadedthestolensourcecodetohishomecomputersystem.EmployedasaprogrammerconsultantbyrivalstartupCompanyB,hereportedlyusedthepurloinedsourcecodeasthefoundationforaremarkablysimilarproductcreatedatCompanyB.10

AnotherexampleisaformeremployeeofCompanyXwhowasaccusedoftransmittingthesourcecodeforanewdigitaldevicetorivalCompanyY.Thisschemeapparentlywasdiscoveredonlybyaccidentwhenthehighlyconfidentialmaterialscreatedsuchalongmessagethatitcausedthee-mailsystemtocrashandallowedasystemadministratortodiscoverthepurportedscheme.

Thesetwoincidentsaredrawnfrompressreportsinthemedia,anditislikelythattheyareonlytheverytipoftheiceberg.Infact,manyorganizationsdonothavethesecuritysystemsandtechnologiestodetectsimilarincidents.Becauseoftheadversepublicityandtheprospectofalengthycriminaljusticeprocess,eventhosebusinessesandgovernmentagenciesthathavebeenvictimizedbyInternetrobbersfrequentlydonotreportsimilarincidentstotheproperauthorities.

UsingtheInternettoShareInformationOneofthetrulyremarkabledevelopmentsininformationtechnologyhasbeenthewidespreaduseoftheWebbrowserandrelatedtechnologytodeliverinformationbothtointernalemployeesandtotheexternalcustomersofanorganization.Ife-mailcouldbedescribedasavirtualduplicationofthepostalservicesintotheglobalInternetenvironment,thenWebserverscanbethoughtofaskiosksorbulletinboards.Onthese“virtualbulletinboards,”anorganizationcanmakeaccessibletotargetpopulationstheinformationtheyneedtomakedecisionsandperformadministrative,operational,orotherfunctions.Forexample,oneverycommonintranet(internalcompanyInternet)applicationistoprovideacentral“formspage”onwhichemployeesfindthemostcurrentversionofaformtobedownloadedandprintedforeverythingfrompayrolldeductionstomedicalreimbursements.Anotheruseistofront-endadatabaseinwhichisstoredinformationthatmustbeaccessibletoawidelydispersedpopulationofusersorbroadcrosssectionofInternettravelers.

CurrentlythemostcommonandgrowingdestinationfortheInternettraveleristhebusinessorgovernmentagencyWebsite.FortheInternettraveler,Websitesareacombinationofsuperhighwaybillboards,banks,shoppingmalls,reststops,andevenfast-fooddeliveryservices.Alloftheseservicesaswellashundredsofotherscanbefoundlocatedattheon-andoff-rampstotheInternet.

TheseWebsitesareusedbybusinessesforadvertising,publicrelations,andmarketing,aswellastosellordeliverproductsorservicestoInternettravelers.

Websitesmaycontainanddispensegovernmentinformationconcerningeverything

fromhowtoprepareandsubmitforms,todescriptionsofthemostwantedcriminalfugitives,torecruitingadvertisementsforfutureemployees.EventhemostsecretiveU.S.governmentagenciessuchastheCentralIntelligenceAgency,theNationalSecurityAgency,andothershaveestablishedWebsitesthatprovideusefulinformationtoInternettravelers.

BusinessandgovernmentagencyWebsitesareoftenthetargetsofmiscreants,juveniledelinquents,andotherInternetrobbers.SuccessfulattacksagainsttheseWebsitescanbedisruptiveanddestructiveofthereputationofthesponsoringorganization.ThereforetheprotectionoftheWebsiteshouldbeanimportantpartofthebusinessorgovernmentagencyplanforusingthistechnology.

ChangingCriminalJusticeSystemsThusfar,itappearsthatinformationprotectionwillincreaseinimportance.Ifso,theworld’scriminaljusticesystemsandprocessesundoubtedlywillalsobeaffected.Thequestionis,willtheychangeforthebetterorfortheworse?IftheUnitedStatesisanyindication,theywillworsen.Why,insuchatechnologicallyadvancedcountry?Ironically,technologybringswithitrapidsocialchangeaswell.

Onemaywonder,whatistheimpactofthecriminaljusticesystemonthecybersecurityofficerandcybersecurity.Theanswerissimple:Thepeoplewhostealbusinessornationalsecrets;damage,destroy,ormodifyinformationandsystems;andcommitothercriminalactsarethemainreasonsthecybersecurityofficerandinformationprotectionprogramexist.Afterall,ifnooneviolatedlawsorcompanypolicies,andeveryoneprotectedinformationandsystems,whywouldbusinessesorgovernmentagenciesneedacybersecurityofficeroraninformationprotectionprogram?

Atsomepointinyourcareer,youwillbecomeinvolvedinahigh-technologycrimeinvestigationandthuswillbecomeactivelyinvolvedinthecriminaljusticesystem.Youmustunderstandhowthatsystemoperates,oryouwillnotonlybeatadisadvantage,butprobablydisappointedaswell!

Intheglobalmarketplacethatyourcompanyundoubtedlyworksinandisaffectedby,youasthecybersecurityofficermustunderstandtheinternationalandforeignnation-statelawsthathaveanimpactonyourbusiness,especiallythoserelatedtoprivacyandsecurity.Forexample,yourcompanymayoperateinaforeigncountry.Ifso,thatcountry’sgovernmentmaynotallowtheencryptionoftransmissionsthroughtheircountry.Ifthisisthecase,doyouviolatethatlaw,understandingitsentireramifications,toprotectcompanysecrets,ordoyounotencryptandunderstandtherisksofothersreadingthe“companymail”?

AssocietyembracestheThirdWave,asdescribedbytheTofflers,itdoesnotwaitforthetwopriorwaves’processestocatchup.Thus,onecanseethecontinuingtrendofadisintegratingU.S.criminaljusticesysteminwhichcrimeincreasesfasterthanthecriminaljusticesystemcandealwithit.Morediscretionaryarrests,plea-bargainingprosecutions,overburdenedcourtsystems,andthereleaseofconvictedcriminalsfromjailsandprisonsareindicationsofthischangetoaThirdWavesociety.WeseemtobetryingtouseSecondWavecriminaljusticesystemprocessesandfunctionstohandleThirdWaveproblems,anditdoesnotseemtobeworking.

Oneofthedisadvantagesofbeingaleadingtechnology-basedcountrysuchastheUnitedStatesisthatonedoesnothavetheopportunitytolearnfromthemistakesofotherswhoaremoreadvanced.Thisisanextremelyimportantpoint,especiallywhendiscussingthecriminaljusticesystem,becausethecriminaljusticesystemistheprimarysystemresponsibleforthepreventionofcrimeandthepromotionofsocialstabilityofanation.

Ifanationistobestrongeconomicallytocompeteintheworld,itmusthavestabilityinwhichbusinessescanoperateandpeoplecanhaveasecureandpeacefullife.Lackofsecurityandpeaceleadstoincreasesincrime.Itfollowsthathigh-technologycrimes

wouldbelikelytoincrease.Inaddition,withoutagoodcriminaljusticesystem,fraudsandothercrimesnotonlywillbemorefrequent,butalsowillsaptheeconomicstrengthfromthepeople,businesses,andthecountry.

Weknowthattechnologyisincreasingatarapidrate.Computer-basedtechnologyhasbecomeanecessaryandintegralpartofbusinesses,governmentagencies,andourpersonallives.Nolongercanweefficientlyfunctionwithouttheuseoftoday’smodern,computer-basedtechnology.

Aswithanytool,computers,includingtelecommunicationsystems,canbeatargetorusedasatoolbycriminals,alsoknownastechno-criminals.Thethreatstosociety,businesses,andgovernmentagenciesbytechno-criminalsareincreasingasourtechnologyandourdependenceontechnologyincrease.

Thetechno-criminals,vis-à-vistheworld’scriminaljusticesystems,arealsofacedwithasystemthatprovidesthemsomemeasureofimmunitytotechno-crimes.Forexample,theattacksagainstU.S.computersystemsarebecomingmoreinternationallyoriented.Today’stechno-criminalcanattackanyplaceintheworldfromanyplaceintheworld.

Whatisworse,becauseofourcomplicatedcommunicationsystems,itisdifficulttotracetheattacksbacktotheattackers.Also,manycountries’lawsdonotevenaddresstheissueoftechno-crimes,makingitalmostimpossibletoprosecuteanyoneattackingaU.S.computerfromoutsidetheUnitedStates.Andbecauseofthepoliticalramificationsalone,extraditionoftheseattackerstotheUnitedStates,oranyothercountry,forprosecutionisacomplicatedandgenerallyimpossibletask!Afterall,whatnation-statewantstogiveupsovereigntyoveritscitizens?

Forthecybersecurityofficer,itisimperativetounderstandthecriminaljusticesystemsoftheUnitedStatesandothercountriesinwhichthecompanyorgovernmentagencydoesbusiness.Theproblemswiththecriminaljusticesystems,conflicts,andchanges,willcontinuetobeanunderlyingforcewhoseimpactoninformationprotectionfunctionswillextendintothetwenty-firstcentury.

Thefactthatwhite-collarcrimes,frauds,arebeingperpetratedmoreandmorethroughtheuseofcomputersandtelecommunicationssystemsseemstobeanobviousresultoftherapidchangesinsocietiesandourrelianceoninformationsystems.Thisisunderstandable,asalludedtoearlier,becausewhatoncewasdonebypaperandpencilhasnowbeenautomated,forexample,accountingsystems.Therefore,althoughtoday’scriminalshavethesamemotiveasinthepast,theymustnowoperateinanewenvironment,atechnologicalenvironment.Ifcriminalswanttostealmoney,theymustuseandattackinformationsystems.Toparaphraseanold-timebankrobber:“Becausethat’swherethemoneyis!”

Sinceitappearsthatmorecrimesarebeingcommittedbyusingthecomputerasatooltoattackothercomputers,andthattrendislikelytocontinue,thecybersecurityofficer’sresponsibilitiesincludeaninformationprotectionprogram,whichwillassistinminimizingtheopportunitiesforfraudsandothercrimesthroughthesystems.Ifsuchcrimesdooccur,itisexpectedthatthecybersecurityofficerwillplayavitalroleinthe

investigationandinanydisciplinaryactionorprosecutionoftheoffenders—thusofferinganotherchallengeandopportunitytothecybersecurityprofession.

TheHumanFactorWithallthetalkofhightechnology,theneedforinformationprotection,computercrimes,andthelike,thereisoneimportantfactortoremember.Itisthehumanbeingwhousesthetoolsforgoodorbadpurposes,anditisthehumanbeingwhomthecybersecurityofficeroftenlosessightofwhentryingtoprotectinformationandhightechnology.

Yes,itistruethatforthecybersecurityofficertobesuccessful,thatpersonmustunderstandnotonlyinformationsystems—computersandtheirassociatednetworks—butalsootherformsofhightechnology,forexample,cellularphones,faxes,andpagers.However,onemustneverlosesightofthehumanelement—usuallythemostneglectedfactorininformationprotection.Tobesure,onetalksaboutinformationprotectionawarenessprograms,butthehumanfactormustbeaddressedinmoredetailandgivenmoreemphasisifthecybersecurityofficeristoprotectinformation.

Laws,Regulations,Standards,andLegalIssuesTherearemanylawsandgovernmentregulationssuchasthoserelatedtoprotectingthestockholders’interestsinpubliclytradedcorporationsinwhichyoumaywork.Therearetoomanyofthemtodiscusshere,excepttosaythatjustbecausealaworregulationexists,itdoesnotmeanthattheentitywhereyouworkiscomplyingwiththem.Therefore,itisimportanttodeterminewhatthelawsare,andtodoso,oneshoulddevelopaworkingrelationshipwiththecorporation’slegalstaff.

Afterall,youmustbeincompliancewiththelaws,soobviously,youfirstmustknowwhattheyare.Inaddition,knowingthemandworkingwiththelegalstaffwillhelpsupportyourcasetoexecutivemanagementwhenyoushowtheconnectionofwhyyouarerunningacybersecurityprogramorparticularpartsofit.Youshouldbeabletogetthelegalstafftosupportyourcasebyhavingthemexplainwhathappenswhenyoudonotsafeguardthecorporateowners’assets.Yes,assetsprotectioninsuranceisonewaytohandlerisks;however,thecorporationmuststillbeincompliance.Aninsurancecorporationshouldobviouslydemandit,assecuritywouldstillberequired.

Asthecybersecurityofficer,youshouldsearchtheInternetandidentifysuchlawsandregulations.Therearealsointernationalstandardstoconsider.Knowthemandimplementtheminacost-effectivemannerusingriskmanagement/riskanalysesmethodologies.

ISO/IEC2700111istheinternationalstandardforinformationsecuritymanagement.Byimplementingthestandard,organizationscanidentifysecurityrisksandputcontrolsinplacetomanageoreliminatethem,gainstakeholderandcustomertrustthattheirconfidentialdataareprotected,andhelpachievepreferredsupplierstatus,helpingtowinnewbusiness.

11bsigroup.com.

AnotherexampleisfromtheNationalInstituteofStandards&Technology(TheFrameworkCore):

TheFrameworkCoreisasetofcybersecurityactivitiesandreferencesthatarecommonacrosscriticalinfrastructuresectorsorganizedaroundparticularoutcomes.TheCorepresentsstandardsandbestpracticesinamannerthatallowsforcommunicationofcybersecurityriskacrosstheorganizationfromtheseniorexecutiveleveltotheimplementation/operationslevel.TheFrameworkCoreconsistsoffivefunctions—Identify,Protect,Detect,Respond,Recover—whichcanprovideahigh-level,strategicviewofanorganization’smanagementofcybersecurityrisk.TheFrameworkCorethenidentifiesunderlyingkeycategoriesandsubcategoriesforeachofthesefunctionsandmatchesthemwithexampleinformativereferencessuchasexistingstandards,guidelines,andpracticesforeachsubcategory.Thisstructuretiesthehigh-levelstrategicview,outcomes,andstandards-basedactionstogetherforacross-organizationviewofcybersecurityactivities.Forinstance,fortheProtectfunction,categoriesincludeDataSecurity,AccessControl,AwarenessandTraining,andProtectiveTechnology.ISO/IEC27001ControlA.10.8.3isaninformativereferencethatsupportsthesubcategory“Dataduringtransportation/transmissionisprotectedtoachieveconfidentiality,integrity,andavailabilitygoals”oftheDataSecuritycategoryintheProtectfunction.

http://bsigroup.com

SummaryTobeasuccessfulcybersecurityofficer,youmust:

Understandtoday’sworldofbusiness,politics,variouscultures,people,threatagents,technology—inotherwordstheworldofexternalforcesthathaveanimpactonyourworkingworld.

Understandyourcorporationorgovernmentagencyanditsculture,people,policies,laws,regulations,internationalandnationstandards,procedures,attitudesrelativetocybersecurity,systems,processes,politicaldynamics—everythingthereistoknowaboutyourgovernmentagencyorcorporation.

1SandyNicholisafreelanceeditorbasedintheUnitedKingdom.3Thisinformationwastakenfromtheauthor’scoauthoredbook,InternetRobbery:CrimeontheInternet,publishedbyButterworth–Heinemann.4Thetimeoftheagriculturalperiodvariesbyprogressofindividualnations.5AswiththeAgriculturalAge,datesvaryforindividualnations.6“InformationSuperhighway:AnOverviewofTechnologyChallenges.”GAO-AIMD95-23,p.12.7SeethebookI-WayRobbery:CrimeontheInternet,publishedbyButterworth–Heinemann,2000,andcoauthoredbyDr.GeraldL.KovacichandWilliamC.Boni,formoredetailsabouttheInternetandcriminalactivities.8Ibid.,p.11.9SoftwarethatsimplifiesthesearchanddisplayofinformationsuppliedbytheWorldWideWeb.10Althoughbasedonactualcases,thenameshavenotbeenusedbecause,asofthiswriting,thecasesarestillbeingadjudicatedthroughthecriminaljusticeprocess.

CHAPTER2

UnderstandingthePastandPresentGlobalBusinessandManagementEnvironment

AbstractTheobjectiveofthischapteristoprovidethereaderwithabasicunderstandingandphilosophyofcybersecuritywithinthebusinessenvironment,includinghowtocommunicatewithmanagementin“theirlanguage.”

KeywordsBusinessmanager;Cybersecurityoffice;Cybersecurityprogram;InfoSecprogram;Regularemployees;ThreeC’s;Turfbattles

CONTENTS

TheChangingBusinessandGovernmentEnvironments 28UnderstandingtheBusinessEnvironment 31ManagementResponsibilitiesandCommunicatingwithManagement 33CreatingaCompetitiveAdvantagethroughaCyberSecurityProgram 39

TheCyberSecurityOfficerasaBusinessManager 40Service,Support,andaBusinessOrientation 41BusinessManagersandCybersecurity 42WhatCompanyManagersShouldAskofTheirCyberSecurityProfessionals 44WhatCyberSecurityProfessionalsShouldDo 45QuestionstoConsider 46Summary 46

CHAPTEROBJECTIVE

Theobjectiveofthischapteristoprovidethereaderwithabasicunderstandingandphilosophyofcybersecuritywithinthebusinessenvironment,includinghowtocommunicatewithmanagementin“theirlanguage.”

AswetransitionfromtheInformationAgetotheKnowledgeAge,successfulorganizationsaretheonesthatactivelymanagetheirinformationenvironment.1

1QuotefrommycoauthoredbookwithDr.AndyJones,GlobalInformationWarfare,secondedition,publishedbyCRCPress.

Thiscombinesoldandnewaspectsofthisenvironment,asitisimportanttoknowthepastaswellasthepresent,asthatcombinationofknowledgeoftoday’senvironmentiswherethecybersecurityofficerworks,lives,andplays.Thepastprovidesalookdowntheroadtraveledandhelpsexplainthelogicusedtogettothepresent.Furthermore,itprovidesthefoundationonwhichthecybersecurityofficercanprojectandplanacybersecurityprogramthatwillmeetthecurrentandfutureneedsofthebusinessandtheexpectationsofmanagement.

TheChangingBusinessandGovernmentEnvironmentsBusinessesandthesocietiesinwhichtheyoperateneedstabilitytoprosper.Prosperitybringsjobs,reducescrimes,andleadstomoresecurityforall.Securitybringsmorestability.Youcan’thaveonewithouttheother.

Manyofthechangesintheworldenvironmentarethebasisfortherapidshiftsinthewaywedobusiness,bothnationallyandinternationally.Businessescan,anddo,adapttothesechangesquiterapidly.However,ingovernmentagencies,thesechangescomemoreslowlyandsometimesthreatentheagencies’veryexistence.Forexample,adaymaycomeinthenottoodistantfuturewhenthepostofficesoftheworldwillbeunnecessary.E-mailsmaytaketheplaceoflettersevenforthepoorestpeopleoftheworld,astheywillhaveaccesstoInternetnetworks.Asforpackages,commercialfirmssuchasDHL,FedEx,andUPShavealreadybeenprovidingthatserviceforsometime.Evencontractsthesedaysareelectronicallysignedandthereisnoneedtomailhardcopies.However,tobelegal,theymustbesecuredtostandupincourt.

Clearexamplesofthesechangesarethe“globalmarketplace,”business-to-businessnetworks,electroniccommerce,electronicbusiness,andthelike.

Massive,growingnetworkssuchastheInternet,nationalinformationinfrastructures(NIIs),andglobalinformationinfrastructures(GIIs)areadopted,andmustcontinuallybeadapted,bybusinessesiftheyaretomaintainacompetitiveadvantage—oratleastcompete—intoday’smarketplace.Asacybersecurityofficer,youmustfindwaystofacilitatesuchgrowthinasecureandyetinvisiblemanner.Thatisachallengeforallofusintheprofession.

Asacybersecurityofficer,ifyoutrytoslowdownbusinessandglobalcommunications,youwillberunoverby“progress”andwillsoonbeupdatingyourresume.Businesscomesfirst,andifyoudonotprovideaprofessionalcybersecurityservicethatsupportsandenhancesthebusiness,whatgoodareyou?Afterall,businessisaboutprofits—andremember,youarea“parasite”ontheprofitsofmostcompanies,sinceyourfunctionisidentifiedasanoverheadcost.

Thereissomebusiness,forexample,withgovernmentagencies,forwhichthecybersecurityfunctionisadirectchargetothecontract.Theproblemisthatonemustmeticulouslykeeptrackoftimespentonthecontractwork,aschargingtoacontractwhennotworkingonthatspecificcontractresultsinafraudagainstthegovernment,whichinturncouldleadtobeinginvestigated,nevertoworkintheprofessionagain.Why?Becauseyoumaybeinjail.

Asanoverheadcost,youdonothavedirect,hands-onexperienceinbuildingyourcompany’swidgets,forexample.Yeah,yeah,yeah,weallhavetriedtoexplainthatwithoutcybersecurityandus,asprofessionalcybersecurityofficers,companiescanlose

theirbusinessandtheircompetitiveedgethroughlossoftradesecretinformation,etc.However,thebottomlineisthatitappearsthatmostoftoday’sbusinessexecutivesareinitfortheshortterm,notthelongterm.Theirconcernisthe“bottomline”forthenextquartertooneyear.Theycaneasilyterminateacybersecurityprogramandtaketheirchancesbyhavingauditorsauditforcompliancewithlawsandpoliciesandrecommendcybersecuritypoliciesthatinformationtechnologypeoplecanwrite.Thentheycanjustbuyinsurancetocoveranypotentiallossesand,bytheway,thebusinessofbuyingsuchinsuranceissupposedlybooming.

So,astoday’scybersecurityofficer,youmustdoabetterjobofmakingyourselfpartofthe“companyteam”andfindingwaystoprovidevalue-addedandintegralservicestothecompany.

Intheprivatesector,telecommunicationsbusinesseshavebecomeInternetprovidersaswellasleadingthedriveintomobilecommunicationsfromlaptops,tocellphones,totablets—andsoonwearabledevicesfromwatchestootherwrist-bandgadgetstoclothing.Aswelookintothefuture,weseemoreandmorepeoplemakinguseofthelong-distancevoicetelephonecapabilitiesoftheInternet,atverylittleadditionalcost.ThentherearetheenhancedversionsusingSkypeandFaceTime,forexample.Thedayhasarrivedwhenwenolongerneedaseparatetelephoneinthehomeoroffice,exceptmaybeinruralareas.Itisbecomingathingofthepast.

SpeakingofInternetserviceproviders(ISPs),letustakeamomenttolookatthisnewbusinessbornoutoftheInternetandseehowwellitissupportingcybersecurityandcybersecuritystandards.2

Firstalittlehistoryofhowwegottowhereweare:TheInternetwasborninthe1960sandaroseoutofprojectssponsoredbytheAdvancedResearchProjectAgencyintheUnitedStates.Itwasoriginallyaprojecttofacilitatethesharingofcomputerresourcesandenhancemilitarycommunications.AstheInternetwasmaturing,therewereconflictsbetweenthe“haves,”whohadtheuseoftheInternet,andthe“have-nots,”whodidnot.Thehaveswerecomputerscientists,engineers,andsomeothers.TheyarguedthattheInternetshouldnotbemadeavailabletothepublic.Well,theylostthatbattle,especiallyafterthebusinesssectorfoundoutwhatalucrativemarketingandpublicrelationstooltheInternetcouldbeforreachingpotentialcustomers,suppliers,etc.Thus,theISPswereborn.

Fromthattimeuntilnow,theInternethasrapidlygrownfromanexperimentalresearchprojectandtooloftheU.S.governmentanduniversitiestothetoolofeveryoneintheworldwithacomputer.Itisthepremierglobalcommunicationsmedium.Withthesubsequentdevelopmentofsearchenginesand,ofcourse,theWorldWideWeb(Web),thesharingofinformationhasneverbeeneasier.

Therearemany,manyISPsoperatingandconnectedallaroundtheglobe.Weallshouldknowbynowthatoure-mailsdon’tgopointtopoint,buthoparoundtheInternet,wheretheycanbegleanedbyallthosewiththeresourcestoreadotherpeople’smailandstealinformationtocommitcrimessuchasidentitytheftorcollectcompetitiveintelligenceinformation,etc.

So,what’sthepoint?ThepointisthattherestillareISPsallovertheworldwithfewregulationsandfew,ifany,globalcybersecuritystandards.Happily,thisisgraduallychanging.So,someISPsmaydoanadmirablejobofprotectingourinformationpassingthroughtheirsystemswhileothersmaydolittleornothing.Furthermore,aswelearnmoreandmoreaboutNetspionage(computer-enabledbusinessandgovernmentspying),welearnmoreandmoreabouthowourprivacyandourinformationareopentootherstoread,capture,change,andotherwisemisuse.

Inaddition,withsuch“oldiesbutgoodies”programsasSORMinRussia,InternetmonitoringinChinaandelsewhere,globalEchelon,andtheU.S.FBI’sCarnivore(stillCarnivorenomatterhowoftentheychangethenametomakeitmore“politicallycorrect”ortotryto“hide”itfromthepublic),wemightaswelltakeourmostpersonalinformation,tattooitonourbodies,andrunnakedinthestreetsforalltosee.Althoughthatmaybeaslightexaggeration,thepointiswehavenoconceptofhowwellISPs,oranynetworkconnectedtoyourcorporation’snetworks,areprotectingourinformation.

Now,wearequicklyexpandingintotheworldofinstantcommunicationsthroughsuchthingsasSkype,Twitter,Facebook,andthelike.Afterall,themorerapidlyourworldchanges,themorerapidlywewanttoreactandwewanteverything—now!Ofcoursethereareperhapshundreds,ifnotthousands,ofexamplesofISPsbeingpenetratedormisused,aswellascorporateWebsitesandtheirnetworks.Theyareinthenewsonaregularbasisandalsoournetworksareconstantlyunderattackfrommultiplesources—fromteenagerstoterroriststocompetitorstoorganizedcriminals.

UnderstandingtheBusinessEnvironmentAcybersecurityprogramanditssupportingorganizationarenotthereasonthatabusinessorgovernmentagencyexists.Inthecaseofabusiness,thecompanyusuallyprovidesaserviceoraproduct.Thebusinesshascertaininformationorsystemsnetworksthatarevitaltoperformingitsserviceandproducingitsproduct.Thepurposeofacybersecurityprogram,therefore,istoprovideserviceandsupporttothebusiness.

Tomeettheneedsofitscustomers,bothinternalandexternaltothecompany,itisimperativeforthecybersecurityofficertounderstandthecompanyandthecompany’sbusiness.Thisincludesthefollowing:

•History

•Products

•Businessenvironment

•Competition

•Long-rangeplans

•Short-rangeplans

•Costofbusiness

•Productvalue

Thesearesomeofthemostimportantpartsofabusiness.Remember,ingeneral,thecybersecurityprogramisnotaproducttobesoldintheglobalmarketplaceunlessthatisthebusinessofthecorporation;itdoesnotbringinrevenue.Infact,cybersecurityisacosttothebusiness—unlessyoucanprovethatthecybersecurityprogramisavalue-addedservicethatfinanciallysupportsthebusiness,assistinginbringinginrevenue.

Yourcybersecurityprogramshould,asmuchaspossible,beseamlesslyintegratedintothesystemsandprocessesofatleastthecorebusinessandallsystemsconnectedtothatcorebusiness.

Inthisgloballycompetitiveeconomy,thereisincreasingcompetitionformarketsharesintheworldwidemarketplace.Itisimportantforthecybersecurityofficertounderstandthiscompetitionandwhatcanbedonebythecybersecurityofficerthroughthecybersecurityprogramtoenhancebusiness,increasingsuchthingsasprofits,marketshares,andincome.

KenichiOhmae,inhisbook,TheMindoftheStrategist,3discussesproduct/servicedifferentiationintheformof“thestrategicthreeC’s”:thecorporation,thecustomers,andthecompetition.Corporationsandcompetitorsaredifferentiatedbycosts.Customersdifferentiatebetweenthecorporationandthecompetitorsbyvalue.

Customerswillbuyaproductthattheywant(considerofvalue),ifitisaqualityproductattherightprice.Therefore,itisimportantthatthecybersecurityprogramaddvaluetotheproduct,anddosoatthelowestcost,inorderforthebusinesstoremaincompetitiveinthemarketplace.So,treatthecybersecurityprogramasaproductthataddsvalueandminimizescosts.Sinceitisyourproduct,marketitandsellit!

Fast,accurate,andcompleteinformationprovidestheopportunitytogainacompetitiveadvantage—assumingofcoursethattheinformationiscorrectlyacteduponintimetoprovidethatadvantage.Theresponsibilityofthecybersecurityofficeristosupportthisprocessbyassistinginstoring,processing,transmitting,anddisplayingthatfast,accurate,andcompleteinformationinasecuremanner.Thissupportisnecessarytoassistinprovidingthecompanycompetitiveadvantageopportunities.

TheseopportunitiestotakeadvantageofinformationweresummarizedbyColonelJohnR.Boyd,U.S.AirForce,asastrategybasedonthe“OODAloop”(observe–orient–decide–act).Althoughputforthsometimeago,thepointsmadearestillvalid.Theideaistolookatitfromtheviewpointthatwhoevercanbethequickesttomovethroughthisloopcangainacompetitiveadvantage.Informationhasalwaysbeentimedependentandprobablyismoresotodaythaneverbefore.Thatiswhyitiscrucialtobeabletohaveatighter(usinglesstime)OODAloopthanone’sadversaries,whethertheybeanation-state,abusiness,oranindividual.

Inaddition,thisadvantageiscreatedbecausethecompetitorbecomesmoreconfusedanduncertainoverevents,andthatmayinfluencethecompetitor’sjudgmentanddecisions.InPatternsofConflict,4Boydconcludedthatoperatinginsideanopponent’sOODAloopgeneratesuncertainty,doubt,mistrust,confusion,disorder,fear,panic,andchaos.

CaseStudyInhisbookFollowingtheEquator,5MarkTwainwroteabouthowonecantakeadvantageifonehasinformationbeforethecompetitorandknowshowtoactonthatinformation.AtthetimeofTwain’sworldtravels,sharkspopulatedtheharborofSydney,Australia.Thegovernmentpaidabountyonsharks.Ayoungmanwasdownonhisluckandwalkingaroundtheharborwhenhemetanoldmanwhowasasharkfisher,whohadnotcaughtasharkallnight.Theoldmanaskedtheyoungmantotryhisluck.Theyoungmancaughtaverylargeshark.Aswasthecustom,thesharkwasdisemboweled,assometimesonefoundsomethingofvalue.Asithappenedthisyoungmandid.

TheyoungmanwenttothehouseoftherichestwoolbrokerinSydneyandtoldhim

tobuytheentirewoolcropdeliverablein60 days.Theyformedapartnershipbasedonwhattheyoungmanfoundintheshark.ItseemsthatthesharkhadeatenaGermansailorintheThamesRiver.Inthebellyofthesharkwerefoundnotonlyhisremains,

somebuttons,andamemorandumbookdiscussingtheGerman’sreturninghometofightinthewar,butalsoacopyoftheLondonTimesthathadbeenprintedonly

10 daysbefore.Atthattime,newsfromLondoncamebyshipthattookabout50 days.However,sharkstraveledfasterthantheshipsofthattime.TheTimesstatedthatFrancehaddeclaredwaronGermany,andwoolpriceshadgoneup14%andwerestillrising.NootherAustralianwoolbrokersorwoolproducerswouldknowthatwool

priceswereskyrocketingforatleast50 days.Bythentheyoungmanandhispartnerthewoolbrokerwouldownallthewool,purchasedatthe“normallowerprice,”andcouldshipittoEuropeforaveryhandsomeprofit.

5ATrampAbroad,FollowingtheEquator,OtherTravels(LibraryofAmericaNo.200)March4,2010byMarkTwain(Author),RoyBlountJr.(Editor),1050pages,Publisher:LibraryofAmerica;FirstPrintingedition(March4,2010),Language:English,ISBN-10:1598530666,ISBN-13:978-1598530667.

Thiscasestudyisanexampleofhowaccurateinformationreceivedandacteduponwithinthecompetitor’sOODAloopcangiveoneatremendousadvantageinbusiness.So,theoldsaying“informationispower”isprobablymoretruetodaythaneverbefore,againprovidedthat:

•Theinformationisaccurate,

•Itisacteduponcorrectly,and

•Itisacteduponbeforeitisacteduponbyyourcompetitor.

ManagementResponsibilitiesandCommunicatingwithManagementOneofthebiggestmistakesmadebycybersecurityofficersistoassumethatthey“own”thesystemsandinformation.Thecybersecurityofficermustrememberthattheownersofthebusiness,whetheritbeprivateownershiporpublicownershipthroughthestockholders,makethedecisionsastohowthebusinessisrun.Thestockholdersdoitthroughtheelectedmembersofthecompany’sboardofdirectors,whoaretherisktakers.Theirresponsibilitiesincludemakingdecisionsrelativetocompanyrisks.

Asacybersecurityofficer,youaretherebecausethemanagementbelievesyouhavetheexpertisetheyneedtoprotectthebusiness’sinformationsystemsandthecompany’sinformation.

Alltoooften,thecybersecurityofficergetsintothe“tailwaggingthedog”situationinwhichthecybersecurityofficercan’tunderstandwhymanagementdoesnotprovidethecybersecurityofficerwiththesupportthatisneededorwanted.Thecybersecurityofficermustkeepinmindthatifmanagementdidnotprovideatleastsomesupport,thecompanywouldnotemploythecybersecurityofficer!

Whendecisionsaremadetoprocess,store,display,ortransmitinformationthatgoesagainstthedesiresofthecybersecurityofficer,manycybersecurityofficerstakethatpersonally.Remember,itisnotyourinformation!Itbelongstothebusinessowners.

Ofcourse,dependingonyourresponsibilitiesandtheauthoritydelegatedtoyoubymanagement,youwillprobablyberesponsibleformakingthemajorityofdecisionsthatinvolvecybersecurity.However,evenwiththatresponsibilityandauthority,thecybersecurityofficermustgainthesupportandconcurrenceofotherswithinthecompany.Youwerehiredtosafeguardthesevaluablesystems,networks,information,etc.,withthegoalofdoingsoatthelowestcostbasedonthethreats,vulnerabilities,andriskstothesesystems.Youdeterminethatbydoingformalriskanalyses.

Whenacybersecuritydecisionmustbemadeandthatdecisionisoutsidethepurviewofthecybersecurityofficer,thecybersecurityofficermustelevatethefinaldecisiontoahigherlevelofmanagement.Althougheachcompany’scultureandpolicieswilldictatewhenandhowthatprocesswillbeimplemented,thecybersecurityofficershouldbesuretoprovidecompletestaffworkonwhichthemanagementcanbasetherequireddecision.Inotherwords,thepersonmakingthedecisionmustbeprovidedwithallthenecessaryinformationonwhichtobasethedecision.Ifthatinformationisnotprovidedtouppermanagement,thewrongdecisioncouldbemade,whichmayjeopardizetheprotectionofthecompany’sinformationand/orsystemsormaycausethecompanytoincurunnecessarycosts.

Ifyouhavedoneyourhomework—ifyouhaveassessedtheriskstotheinformationandsystems,theprotectionalternatives,thecostsinvolved,andthebenefitsinvolved,andyouareinapositiontomakeyourrecommendationsaccordingly—thenyouhavedoneyourjob.

Beforeyoubringaproblemanddecisiontomanagement,you,thecybersecurityofficer,shouldbesurethatyouhaveaddressedtheproblembyprovidingmanagementwithclear,conciseinformation,usingnontechnicallanguage,onwhichtheycanbasetheirdecision.Thefollowing,asaminimum,shouldbeincludedinthatprocess:

•Identificationoftheproblem

•Possibleproblemsolutions,includingcostandbenefits

•Recommendedsolutiontotheproblem,andwhy

•Identificationofwhoshouldfixtheproblem(itmaynotbeacybersecurityissue,oritmaybeoneoutsideyourauthority)

•Consequencesofnodecision(noaction/nodecisionisalwaysanoption,andsometimestherightone)

Whetheritistheresponsibilityofthecybersecurityofficertofixtheproblemornot,thecybersecurityofficershouldfollowup.Oncetheproblemisfixed,itisalwaysgoodtocontacttheotherpersonnelwhowereatthemeetingatwhichtheproblemwasdiscussedandthedecisionmade,andadvisethemeitherverballyorinwritingwhenthecorrectiveactioniscompletedortheprojectisclosedout.

Anexcellentgesturewouldbetosendaletterofappreciationtothoseinvolvedinfixingtheproblem,withappropriatecopiestomanagement.Thisisespeciallyimportantifothersfixedtheproblemoutsideyourorganization,orifstaffoutsideyourorganizationassistedyouinfixingtheproblem.

Itistheresponsibilityofthebusinessmanagementtomakethefinaldecision,unlessofcoursetheyabdicatethatresponsibilitytoyou.They,inturn,areheldaccountabletotheownersofthebusiness.

Rememberthatmanagersareusuallyauthorizedtomakedecisionsrelatedtoacceptingcybersecurity-associatedrisksforonlytheorganizationsundertheirauthority.Theyshouldnotbeallowedbythebusinesstomakedecisionsthataffecttheentirecompany.Ifthatappearstobeoccurring,youareobligatedtoensurethatthemanageraswellasuppermanagementknowsthatinformation.Thisisofcourseasensitivematterandmustbehandledthatway.

Awordofcaution:Somemanagerswillabdicatetheirmanagementresponsibilitytothecybersecurityofficer.Asthecybersecurityofficer,youmaybeflatteredbysuchagesture,butbeware!Youmayalsobegettingsetuptotaketheblamefortheconsequences.Theseconsequencesmaybeduetoadecisionthatyoumaynothaverecommended—infact,itmaybeacaseinwhichyouwereintotaldisagreementwithmanagementastothecorrectcourseofactiontobetaken.

Theresponsibilityofbusinessmanagementisaseriousone.Undercurrentlawsinmanynation-states,managerscanbeheldpersonallyresponsible,andpossiblyliable,foranypoordecisionsthataffectthevalueofthebusiness.So,yourresponsibilityasaserviceandsupportinformationsecurity(InfoSec)professionalistogivemanagementthebest

adviceyoucan.Whentheirdecisionismade,doyourjobbysupportingthatdecisionandbyensuringthattheinformationandsystemsareprotectedbasedonthatdecision.

“JPMorganspending$250milliononcybersecurityandgoingtodoubleitto$500millioninthecomingyears.”6

6FoxNewsinterviewofJamieDimon,January13,2015.

Theremaybetimeswhen,intheopinionofthecybersecurityofficer,managementmakesthewrongdecisionrelativetoprotectionofinformation.Thecybersecurityofficerthenhasseveraladditionalchoices:

•Meetwiththedecision-makerinprivatetotrytoconvincethatpersonoftheconsequencesofthedecisionandwhyitmaynotberight,

•Appealthedecisiontothenextlevelofmanagement,

•Quitthejob,or

•Quitthecompany.

Anotherwordofcautionisneededhere.Whetherthedecisionisrightorwrong,thecybersecurityofficershoulddocumentthatdecisionprocess.Thedocumentationshouldanswerthetypicalsecurity/investigativequestionsofwho,how,where,when,why,andwhat.

Thisisimportant,notfromthestandpointofjustanotherbureaucraticprocess,buttohaveahistoryofallactionstakenthatarerelatedtocybersecurity.Thus,whensimilarinstancesoccurayearormoreafterthelastdecision,itcanbeusedasaprecedent.Thisnotonlyhelpsinmakingsubsequentdecisionsbasedonsimilarinstances,butalsohelpsensureconsistencyintheapplicationofInfoSec.InconsistentInfoSecdecisionsleadtoconfusion,whichleadstonotfollowingsoundInfoSecpolicyandcausesincreasedcoststothebusiness.Thisprocessfollowstheprocessusedbythelegalcommunity,inwhichcaselawisusedtoargueacurrentillegalissue.Precedenceisalogicalprocesstofollow—assumingthatthedecisionspreviouslymadewerethecorrectones,ofcourse.

Ifitissubsequentlyshownthatthelastdecisionhadunexpected,adverseconsequences,thenitwillhelpthedecision-makernottomakethesamemistakeagain—onewouldhope.Peoplecomeandgo,butagoodhistoricalfilewillensureconsistencyandkeepyoufromhavingtorelyonthememoriesofpeopleinvolved—assumingtheyareevenstillemployedbythecompany.

Forexample,assumethatamajordecisionhadtobemadeconcerningcybersecurity,andthedecisionwasdeterminedtobethatofmanagement.You,asthecybersecurityofficer,shoulddothefollowing:

•Leadtheefforttoresolvetheissue,

•Requestameeting,

•Ensurealltheapplicablepersonnelareinvited,and

•Briefthoseatthemeetingonthesituationasstatedabove.

Ifyouasthecybersecurityofficeraretokeepminutesofthemeeting,theminutesshouldinclude:

•Whythemeetingwasheld,

•Whenthemeetingwasheld,

•Wherethemeetingwasheld,

•Whowasatthemeeting,

•Whatinformationwaspresentedanddiscussed,

•Whatthedecisionwas,

•Howmanagementmadetheirdecision,and

•Whomadethedecision.

Someoneinmanagementshouldsigntheminutesofthemeetingshowingtheresultsofthemeeting—preferablythepersonwhomadethefinaldecision.Youwillfindthatsuchdecisionsareusuallyverbal,andmostmanagersdonotwanttosignanydocumentthatwillplacethematrisk.So,howdoyoudealwithsuchissues?Thereareseveralmethodsthatcanbeused,allofwhichmaycauseyourpositionasthecybersecurityofficertobequestioned:“notateamplayer,”“youdon’tunderstandthebigpicture,”or“youarenotabusinessperson,soyoudon’tunderstandthesituation.”Bytheway,havinganMBAmayhelpinwinningthisargument.

Eventhoughyouhavethebestinterestofthecompanyatheartanditisthebasisforyourrecommendation,andeventhoughyouconsideryourselfadedicatedandloyalemployee,intheeyesofsomeinmanagementyou’renotateamplayer.Inotherwords,youarenotontheirteam.

Youwillsoonfindthatthepositionofthecybersecurityofficerissometimesariskyone.Evenifyoudothebestprofessionaljobthatcanbedoneorhasbeendoneinthehistoryofthecybersecurityofficerprofession,officepoliticsmustbeconsidered.Suchnon-cybersecuritysituationswilloftencausemanymoreproblemsthanthecybersecurityofficerwillfaceindealingwithInfoSecissues,hackers,andthelike.

Iftheyoudonotknowaboutsuchthingsas“turfbattles”and“protectingricebowls,”thelocalbookstoreistheplacetogo.There,youwillfindnumerousbooksthatwillexplainhowtoworkandsurviveinthe“jungle”ofofficepolitics.Youmayknowcybersecurity,butifyoudonotknowofficepolitics,youmaynotsurvive—evenwiththebest

cybersecurityprogrameverdeveloped.Alwaysremember:“It’sajungleoutthere!”

Whyisitthatway?Therearemanyreasons,butforcybersecurityofficerstheprimaryreasonisthatyoumakepeopledothingsthattheydonotconsiderpartoftheirjob.Andiftheydonotfollowthecybersecuritypoliciesandprocedures,theycouldfacedisciplinaryaction.So,you,likecorporatesecuritypersonnelandauditors,arenotalwayspopular.

Obviously,asthecybersecurityofficer,youwanttoeliminateoratleastminimizethattypeofimage—the“cop”image.Itishardwork,butyoumustconstantlytrytoovercomethenegativismthatpeopletackontothecybersecurityofficerandcybersecurity.Somewaysofcounteringthatnegativeimagecanbefoundthroughoutthisbook.

Manybusinessmeetingsrequirethatminutesbetaken.Ifso,andifyouarenotresponsiblefortakingtheminutes,obtainacopyandensurethatyourrecommendationsarenotedinthem,aswellaswhomadewhatdecisions.Thisisthebestmethodofdocumentingwhatwentoninthemeeting.

Iftheminutesdonotadequatelydescribewhathastakenplace—if,forexample,theylackdetailsofwhatwaspresented,thepotentialrisks,orwhomadethefinaldecision(allcrucialpiecesofinformation)—thenannotatetheminutes.Attachanyofyourbriefingcharts,signanddatetheminutes,thenplacetheminafileincaseyouwanttousethemasareferenceatalaterdate.

Anothermethodthatcanbeused,butismoreconfrontational,istosendamemotothemanagerwhomadethedecisioninwhichyoudocumentthecybersecurityoptions,costs,benefits,andassociatedrisks.Youthenconcludewithasentencethatstates,forexample,“AfterassessingtherisksIhaveconcludedthatthebestcourseofactionisoption2.”Leaveroomforadateandthesignatureblockofthemanageryouwanttosignthedocument.

Thedocumentshouldbewordedprofessionallyandshouldbeasnonintimidatingtothemanageraspossible.Evenso,inmostcases,youmayfindthatyouwon’tgetasignedcopyreturnedtoyouifyousenditinthecompanymail.

Youshouldhandcarrythisdocumenttothemanageranddiscussitwiththatperson.Imagineyourselfinthemanager’sposition.Whenyouputyoursignatureonsuchadocument,therecanbenomistake.Youmadethedecision.Ifsomethinggoeswrong,thatlettermaydocumentthefactthatinretrospectitwasapoordecision.Nomanager—noone—everwantstobeputinthatposition.Rememberthatthemanagerdoesnothavetosignthecybersecuritydocument.Infact,nomatterhowitispresented,youwillfindmostmanagerswillfindsomewaynottosignthedocumentifthereistheslightestchanceofbeingsecond-guessedlater.Intoday’senvironmentof“touchy-feelydon’t-hold-me-responsible”management,today’scybersecurityofficersaremorechallengedthaneverbeforetogetmanagementtoownuptotheirdecisions.

Askingamanagertosignsuchadocument,especiallyifyouhavevoiceddisagreementaboutthedecision,shouldbealastresort.Itshouldbedoneonlyifyoufeelsostronglyaboutthedecisionthatyouarewillingtoputanypossibleraiseorpromotion,orevenyouremployment,ontheline.So,you’dbetterberight,andyou’dbetterstronglybelievethatit

isworthit.Also,asthecybersecurityofficer,youmustdothisasacybersecurityofficerprofessional,apersonofintegrityandprinciples.

Evenso,youmayendupbeingright,butalsorightoutofajob.Well,noonesaidthatbeingacybersecurityofficerprofessionaliseasy.

CreatingaCompetitiveAdvantagethroughaCyberSecurityProgramToensurethatthecybersecurityprogramsupportsthecompany’sbusinessservicesandproducts,thecybersecurityofficermustthinkofmethods,philosophies,andprocessesthatwillhelpthecompanyingainingacompetitiveadvantage.Suchmethodsandphilosophiesshouldincludeateamapproach.Thatis,havethecompanyemployeesandespeciallymanagementsupportyourcybersecurityprogram.

Tohelpinthatendeavor,youshouldstrivetoinsert,inappropriatecompanypolicydocuments,policiesthatcanhelpsupportyourefforts.Thefollowingaresomeexamplesthatmaybeusefulinincorporatingintocompanypolicydocumentssupportforyourcybersecurityprogramandyourquesttoassistthecompanyingainingacompetitiveadvantagethroughcybersecurity:

•Managerswillensureacompliantcybersecurityprogramwithintheirorganization.

•Managerswilldevelopourcustomers’trustthattheirsensitiveinformationwillbeeffectivelyprotectedwhileunderourcontrol.

•Managerswillemploycost-effectivecybersecuritysystemsandstrivetohelpkeepthepriceofourcompany’sservicesandproductsaslowaspossiblerelativetoourcompetitors.

•Managerswillhelpkeepthecompany’soverheaddownthrougheffectivelosspreventionandassetsprotectionprocesses.

•Managerswillminimizetheadverseimpactofourcybersecuritycontrolsontheefficiencyofthecompany’soperationalfunctionsbyworkingwiththecybersecuritystafftofindthemostcost-effectivewaysofprotectingourinformationassets.

•Managerswillproactivelyfindwaystosecurelyandefficientlyprovidethecompany’sservicesandproducts.

TheCyberSecurityOfficerasaBusinessManagerTheroleofthecybersecurityofficerinmanagingacybersecurityprogramissomewhatdifferentfromtheroleofthecybersecurityofficerasamanagerofthecompany.

Allcompanymanagershavesomeroletoplaythatappliesregardlessofthemanager’sareaofresponsibility.Thisalsoappliestothecybersecurityofficersinmanagementpositions.Thefollowingitemsshouldbeconsideredforimplementationbythecybersecurityofficerasamanagerwithinthecompany:

•Complywithallcompanypoliciesandprocedures,includingtheintentofthosepoliciesandprocedures.

•Takenoactionthatwillgivetheappearanceofviolatingapplicablecompanypolicies,

procedures,orethicalstandards.

•Implementapplicablemanagementcontrolsystemswithinthecybersecurityorganizationtoensuretheefficientuseofresourcesandeffectiveoperations.

•Identifybusinesspractices,ethics,andsecurityviolations/infractions;conductinquiries;assesspotentialdamage;directandtakecorrectiveaction.

•Communicatewithotherdepartmentstoprovideandreceiveinformationandguidanceformutualbenefit.

•Plan,organize,direct,coordinate,control,report,assess,andrefinebusinessactivitiestoachievequality,cost,schedule,andperformanceobjectives,whileretainingresponsibilityfortheresults.

•Exerciseduediligencetopreventfraud,waste,orabuse.

•Establishandmaintainaself-auditprocesstoidentifyproblemareasandtakecorrectiveactiontoeliminatedeficiencies.

Theseitems,ifmadepartofthecybersecurityofficer’sphilosophyandgoals,willnotonlybenefitthecompany,butalsoassistthecybersecurityofficerinprofessionallymeetingthecybersecuritydutiesandresponsibilitiesasavaluedmemberofthecompany’smanagementteam.Rememberthatthecybersecurityprogramisacompanyprogram.Thatmeansyouneedhelpfromeveryoneinthecompanytoensureitssuccess.

Service,Support,andaBusinessOrientationInanybusiness,thecybersecurityofficermuststrivetobalancetherequired“userfriendly”systemsdemandsofmanagementanduserswiththoseofcybersecurity.Afterall,cybersecurity,unlessitcanbeproventobe“valueadded,”thusatleastpayingforitself,isaparasiteonprofitsor,attheleast,hasanadverseimpactonbudgets.Thiswillbeafactortoconsiderasyou,thecybersecurityofficer,establishthecompany’scybersecurityprocesses,programs,plans,projects,budgets,etc.

Rememberthatthecybersecurityprogrammustbeserviceandsupportoriented.Thisisofvitalimportance.Thecybersecurityofficermustunderstandthatthecybersecurityprogram,ifitbecomestoocostlyoroutdatedordoesnotmeettheserviceandsupportneedsofthebusinessorgovernmentagency,willbediscardedorignored.Eachofthesepossibilitieswilleventuallyleadtothedismissalofthecybersecurityofficer.

Thedismissalofanycybersecurityofficeraffectsallcybersecurityofficers.Thecybersecurityofficerprofessionisthusdamaged,asisourprofessionalcredibilityandouropportunitiestoprotectvitalinformationforourinternalandexternalcustomers.Itisdifficultenough,evenintoday’senvironment,to“sell”acybersecurityprogram.Itmakesourjobsascybersecurityofficersharderwhenoneofusfails.Thefailureofacybersecurityofficercouldbealessonlearnedforallcybersecurityofficers.Learnnotonlyfromyourownfailures,butalsofromthoseofothers.

Thewordofacybersecurityofficer’sdismissalandfailuresdoesgetaroundwithintheindustryandgovernmentagencies,makingitmuchmoredifficultforthecybersecurityofficer’sreplacementtodevelopaprofessionalInfoSecprogram.Youmaybethatreplacement.

Asthecybersecurityofficer,youmustconstantlyupdateyourcybersecurityprogramanditsprocesses.Youmustcontinuouslylookatchangesinsocietyandtechnology,planforthosechanges,andbepreparedtoaddresscybersecurityramificationsoftheinstallationofnewtechnologyintothebusinessbeforeitisinstalled.Youmustimplementcybersecuritymeasuresbeforesomeonecantakeadvantageofasystemvulnerability.

Sofar,cybersecurityofficersforthemostparthavebeeninareactivemode,withlittletimetobeproactiveandputcybersecuritydefensesinplacebeforetheyareneeded!Howtodothatwillbediscussedinthefollowingchapters.

BusinessManagersandCybersecuritySomecybersecurityofficersmaywanttotalk“techie”tokeepbusinessmanagersinthedarkaboutthe“mysteries”ofcybersecurity.Theythinkthatitwillmakethecybersecurityofficerinvaluabletothecorporationand,therefore,alwaysneeded.Thatisillogicalandalsoworksagainstthecybersecurityofficer.Themorethemanagersandallemployeesunderstandabouttheconceptsandphilosophiesofcybersecurity,themoretheywillunderstandcybersecurityofficerdecisions—andalsothemoresupportivetheywillbe.

Corporatemanagement’sknowledgemayalsochallengeacybersecurityofficer,causinghimorhertorethinksomedecisionsandthelogicthatledtothem.That’sgood,exceptforthosecybersecurityofficerswhodonotwanttoexcelandacceptsuchachallenge—inotherwords,thelazyandunprofessionalpeopleincybersecurityofficerpositions.However,inthelongrun,suchcriticismsandrecommendationsaregoodforthecorporation.Why?Becauseitmeansthatmanagementisactuallylookingatcybersecurityandbecoming,astheyshould,apartofthecybersecurityteam.

Asacybersecurityofficer,youshouldknowthatthemoreinputyougetandthemoreinterestedcorporatemanagementandemployeesareincybersecurity,thebetteryourcybersecurityprogramwillbecome,andthebetteritwillmeettheneedsofthecorporation.Itistruethatyouwillprobablyspendmoretimeindiscussionswithcorporatemanagement,butthatisreallyagoodthing.Inthelongrun,yourjob,ifyoudoitright,willactuallybeeasier.

Itshouldcomeasnosurprisetocompanymanagersthattheyareresponsiblefortheprotectionofcompanyassets.Intoday’sinformation-dependentandinformation-basedcompanies,itshouldalsocomeasnosurprisethattheseassetsincludeinformation.Thesearefactsofbusinesslifetodayandareprobablyconcurredwithby99.9%ofthecompanymanagersthatonecouldsurvey.Iwouldsay100%,exceptthattherearealwayssomemanagers(manyofushavemettheminourcareers)whojustdon’tseemtogetit.So,let’sallotthe0.1%tothosemanagersthatjustdon’tgetit.

So,ifmostcompanymanagersagreewiththatpremise,whydosomanyeitherbattletonegateinformationandinformationsystemsprotection(cybersecurity)insteadofsupportingcybersecurity?Maybetheydon’tcareforanythingbeyondtheirpaychecksandbonuses.Itseemstodaythattherearemanyofthose.Itisironic,butitseemsinmanycompaniesaroundtheworldtodaythatthetrulycompany-loyalpeoplearemostlythe“regularemployees”andnotthemanagers.Employeesareoutthereworkinghardanddoingtheirbesttohelpthecompanysucceed.Theyhavealoyalty—thoughsomewhatlessthaninearlieryears—tothecompanythatitseemsmostoftoday’smanagersdonot.

Today’smanagerseitheraresoself-centeredthattheycareonlyabouttheircareers—yousee,managershave“careers,”whileemployeeshave“jobs”—orareignorantastotheirresponsibilities.Letusassumeignoranceistheirproblem.Perhapstheyhavebeenpromotedintomanagementbutnoonehaseverexplainedtheirassetsprotectionresponsibilities.Thatmaybebecausetheirbossdidnotknow—itwasnotexplainedto

himorher.Maybeitisbecausethemanagerstrytoavoidthatresponsibilitybyhiringsomeonetoprovidecybersecurity.Thustheproblemisdelegatedtosomeoneelse.Therefore,whenthingsgowrong,itisnotthecompanymanager’sfault;itisthefaultofthosehiredtoprotecttheassets.

Thenwhatcanbedoneaboutit?Whateverthereason,itisuptothecompanymanagerstoknowtheirresponsibilitiesandthecybersecurityprofessionalstopolitelyremindthemofthoseresponsibilities.Asthesayinggoes,“Youcandelegateauthoritybutnotabdicateyourresponsibilities.”

Ifyouareacompanymanagerreadingthis,otherthanasecurityprofessionalofsomekind,congratulations!Youareoneofthefewwhoareinterestedincybersecurity.Mayyourcareerriseabovethestars.Foryouothersoutthere,itisassumedyouhavesomeresponsibilityforcybersecurityorcybersecurity-relatedtaskssuchasfraudpreventionorotherassetprotection.Ifso,youshouldprovideyourcompanymanagersinformationthatpolitelyandprofessionallyexplainstothemthattheyhavesomeverybasicanddirectcybersecurityresponsibilities.Layoutthoseresponsibilitiestothemaspartofsomeawarenesse-mail,onaninternalcompanyWebpageornewsletter—whatevercommunicationformworksbestinyourenvironment.

Thefirstthingsthatcompanymanagersshouldbemadeaware(orreminded)ofisthattheydohavearesponsibilityforprotectingcompanyassets—andsomeofthemostimportantofthoseassetsaresensitiveinformationandinformationsystemswithintheirorganization.

Companymanagersshouldunderstandthebasicsofcybersecurity.Itisnotrocketscience.Itiscommonsense.Theyshouldknowthatthepurposeofcybersecurityistodothefollowing:

•Minimizetheprobabilityofasuccessfulattackonthecompany’sinformation,

•Minimizethedamageifanattackoccurs,and

•Provideamethodtoquicklyrecoverintheeventofasuccessfulattack.

Thethreebasicprinciplesthatarethefoundationofcybersecurityare:

•Accesscontrol,

•Individualaccountability,and

•Audittrails.

Theseareratherbasicandshouldbeeasyenoughforcompanymanagersnotversedincybersecuritytounderstand.Oncemanagersunderstandthecybersecuritypurposeandthethreebasicprinciples,thecybersecurityprofessionalmustbeabletoexplaintheconceptsindetailandhowtheyapplytotheindividualcompanymanagers.Obviously,thereisnotsufficientspaceinthisentirebooktoadequatelycoverthattopic.Furthermore,Ihopethat,asacybersecurityofficerresponsibleforprotectingthesevaluableassetswithinyourcompany,youdounderstandtheseconceptsandcaneasilyexplainthemto

companymanagers.Ifnot,failuretoclearlycommunicateandgainsupportforyourprogrammaybeyourdownfall.

WhatCompanyManagersShouldAskofTheirCyberSecurityProfessionalsCompanymanagersshouldalsobesufficientlyknowledgeabletoaskintelligentquestionsaboutcybersecurity-relatedmatters,andideallythecompanycybersecurityofficercananswerthem.Somequestionscompanymanagersshouldask,andsomepossibleanswersthattheInfoSeccangiveandthenexplaininmoredetail,includethefollowing:

•Question:Howdoyouknowyouareactuallyunderattackandnotthevictimofmisconfiguredsystems?Answer:Youmaynotknowuntilitistoolate;youmayneverknow;youmayknow,butcan’tstopit.

•Question:Whatarethewarningsignsofpotentialoractualattacks?Answer:Theremaynotbeany.

•Question:Isitpossibletoknowofpendingattacks?Answer:Yes.No.Maybe—dependingonconditions.

•Question:Whatcanyoudotosetupan“imminent”attackwarningsystem?Answer:Baseitonhistory,onthelatesttechniquesidentifiedinCERTs,ontargetvisibility,onyourdefenses,onyourcountermeasures,onyouruseoftechnology,andonvendorproducts.

•Question:Whatisthebasisofdeployingintrusiondetectiontoassistincounteringtheattacks?Answer:Whatisnormalactivity?Whatisabnormal?Onecancompareactivityagainstknownattackmethodsandestablishcountermeasures,andonemusthave,asaminimum,acybersecuritypolicy,procedures,andawarenessprogram.

•Question:Whatmustbeconsideredwhendeployingtheintrusiondetectionsystemandprocesses?Answer:Anyavailabletoolsshouldbeadaptedtoyouruniqueenvironment.Theintrusiondetectionprocessmustbealwayssecure,operating,and“foolproof.”Itmustdetectallanomaliesandmisuse,musthaveaudit-basedsystemsforhistory,musthavereal-timemonitoringandwarnings,andmusttakeimmediateactionbasedoneachuniqueattack.Also,onemustknowwhattodoifattacked.

•Question:Anyotherthingstoconsider?Answer:Auditentryports,especiallytocriticalareas;prioritizeprocesses,shutdownothers;isolatetheproblem;andestablishalternateroutingpaths.

WhatCyberSecurityProfessionalsShouldDoIfthecompanymanagersareabletoasksuchquestionsandunderstandtheanswersandthedetailsprovided,thecybersecurityofficerprofessionalhasgonealongwaytohelpprotecttheirinformationandsystemsfromattacksandexternalfraud.Thecybersecurityofficerhasalsogonealongwayingainingsomebasic,activesupportfromcompanymanagers.

Aspartoftheabove,tobesuccessful,thecybersecurityofficerprofessionalshoulddoatleastthefollowing:

•Collectinformationonattacksfromallavailablesources;

•Developandmaintainathreattoolkitcontainingstrategies,tactics,tools,andmethodologiesusedtoattacksystems;

•Continuouslymaintainacurrenttoolkitandmethodologiesthatcanthreatensystemsthroughattackmethods;

•Modelthecapabilitiesofthepotentialintrudersagainstreal-timeattacks;

•Collectinformationrelatedtothecorporation’sinformationsystems’vulnerabilities;

•Establishsystemssimulatingintruderattacksusingthreattoolsinasimulationsandtestingenvironment;and

•Establishdefensesaccordingly.

QuestionstoConsiderBasedonwhatyouhaveread,considerthefollowingquestionsandhowyouwouldreplytothem7:

•Doyouunderstandthecompanyforwhichyouhavecybersecurityresponsibility—itshistory;whatproductsandservicesitproduces;itsenvironment,culture,competition,andbusinessplans;theimpactofthecybersecurityprogramonprofits;andthelike?

•Areyouabsolutelyclearastowhatmanagementexpectsofyou?

•Areyouabsolutelyclearthatmanagementunderstandsyourcybersecurityprogram?

•Ismanagementclearastowhatyouexpectfromthem,suchassupport?

•Doyouhavegoodcommunicationchannelswithmanagement?

•Aretheremanagerswhoareagainstyourcybersecurityprogram,andifso,doyouavoidthemortrytounderstandtheirpositionandworkwiththem?

•Ifyoudonotworkwiththem,whynot?

•Doyouunderstandyourbusinessmanagementresponsibilities?

•Areyoutryingtomakethecybersecurityprogramavalue-addedfunction?

•Ifso,areyousucceeding,andhowdoyouknow?

•Doesmanagementalsothinkthecybersecurityprogramisavalue-addedprogram,andifso,howdoyouknow?

SummaryAswearenowwellonourwayintothetwenty-firstcentury,acybersecurityofficerfacesmanymorechallengesthanexistedonlyadecadeago.Theenvironmentisfaster,moretechnical,andmuchmorechallenging.Thetwenty-first-centurycybersecurityofficermustunderstandtheglobalmarketplaceandthecompany’sbusinessenvironmentmuchmorethanwasnecessaryonlyadecadeorsoago:

•Cybersecurityofficersmustunderstandtheircompany’sbusiness,includingitshistory,products,competition,plans,costs,andproductvalue.

•Cybersecurityofficersmustunderstandbusiness,management,andhowtocommunicatewithmanagementinmanagement’slanguage—notin“computerese”!

•Cybersecurityofficersmustdocumentmajorcybersecuritydecisionstoprovideahistoricalfilethatcanbeusedinthefuturewhenconsideringsimilarsituations.

•Cybersecurityofficersmustalsothinkandactasbusinessmanagersofthecompany.

•Cybersecurityofficersmustbeserviceandsupportoriented.

•Cybersecurityofficersmustunderstandtoday’sNIIandGIIandwherethecorporation’snetworksareconnectedtothatsystem—weakestpointandallthat.

•Cybersecurityofficersmustunderstandthethreats,vulnerabilities,andrisksassociatedwiththecorporation’ssystems

•Cybersecurityofficersmustknowwherethesystemsareandwheretheyareconnectedinsideandoutsidethecorporation.

Companymanagersmustunderstandtheirassetsprotectionresponsibilities.Thatisespeciallyimportanttoday,wheninformationprotectionandcrimepreventionshouldbeamajorresponsibilityofeverycompanymanager.Foritisonlywiththatunderstanding,support,andactionthatcompaniescanrespondtoattacksagainstthemfromcompetitors,nation-states,andtechno-spies.

2PreviouslywrittenbytheauthorunderthenameShockwaveWriterandpublishedbyReedElsevierintheirmagazineComputerFraud&Security(2002),asthearticle“InternetServiceProvidersandInfoSecStandards.”3Ohmae,Kenichi,TheMindoftheStrategist.PenguinBooks,Ltd.,Middlesex,UK,1982.4JohnBoyd,http://www.ausairpower.net/JRB/poc.pdf.PatternsofConflict,December1986.7Obviously,ifyouanswerNotoanyofthesequestions,youhavesomeadditionalworktodo.

http://www.ausairpower.net/JRB/poc.pdf

CHAPTER3

AnOverviewofRelatedWorldViewsofCyberSecurity

AbstractThischapterwillprovideashortoverviewofworldviewsofcybersecuritybrokendownbyregionsoftheworld.Weliveinaninterconnectedworldofcomputernetworks,allhavingtheabilitytopositivelyandnegativelyaffectthoseattachedtothem.

Therefore,thepurposeofprovidingtheseglobalviewsissothecybersecurityofficerhasanoverviewofwhatothersarethinkinganddoingtoprotectpartsoftheglobalinformationinfrastructure(GII)andhowthatmayaffectthecybersecurityofficer’sresponsibilitiesastheyrelatetohisorherpartoftheGII,nationalinformationinfrastructure(NII),andrelatednetworks.

Aswithanysubjectmatterthesedays,asearchoftheInternetwillfindmoreinformationthanyoueverwantedtoknowonatopic.Thistopicisnodifferent.Therefore,itisnottheintenttoprovideeverythingyoualwayswantedtoknowonwhattheUnitedNationsandotherentitiesaredoingbut,asthechaptertitlesays,providean“overview”ofwhatothersarethinkinganddoingvis-à-viscybersecurity.

Rememberthatintoday’sworldofglobalcorporations,thecybersecurityofficermayhavetofollowthecybersecuritypoliciesandproceduresinthevariousnationswherehisorhercorporationdoesbusiness.So,asacybersecurityofficer,itiscrucialthatyouunderstandsuchlaws,rules,regulations,etc.,andworkwithyourcorporation’slegalstafftobesurethatanyissuesidentifiedrelativetothesemattersareaddressed.

KeywordsAfrica;Asia;Canada;ComprehensiveNationalCybersecurityInitiative(CNCI);DepartmentofHomelandSecurity’s(DHS’s);EuropeanUnion(EU);InternationalTelecommunicationsUnion(ITU);SouthAmerica;TrustedInternetConnections(TIC);UnitedStates

Theworldisadangerousplacetolive;notbecauseofthepeoplewhoareevil,butbecauseofthepeoplewhodon’tdoanythingaboutit.1

AlbertEinstein

CONTENTS

EvolutionofLaws,Standards,Policies,andProcedures 50GlobalviatheUN 51TheEU 53

InternationalSecurityinCyberspace 53InternetGovernanceDevelopmentsin2015 53U.S.–EUCyberSecurity-RelatedCooperation 53

Asia 53SouthAmerica 54Africa 55

Canada 55UnitedStates 55

CNCIInitiativeDetails 57Summary 61

CHAPTEROBJECTIVE

Thischapterwillprovideashortoverviewofworldviewsofcybersecuritybrokendownbyregionsoftheworld.Weliveinaninterconnectedworldofcomputernetworks,allhavingtheabilitytopositivelyandnegativelyaffectthoseattachedtothem.

Therefore,thepurposeofprovidingtheseglobalviewsissothecybersecurityofficerhasanoverviewofwhatothersarethinkinganddoingtoprotectpartsoftheglobalinformationinfrastructure(GII)andhowthatmayaffectthecybersecurityofficer’sresponsibilitiesastheyrelatetohisorherpartoftheGII,nationalinformationinfrastructure(NII),andrelatednetworks.

Aswithanysubjectmatterthesedays,asearchoftheInternetwillfindmoreinformationthanyoueverwantedtoknowonatopic.Thistopicisnodifferent.Therefore,itisnottheintenttoprovideeverythingyoualwayswantedtoknowonwhattheUnitedNations(UN)andotherentitiesaredoingbut,asthechaptertitlesays,providean“overview”ofwhatothersarethinkinganddoingvis-à-viscybersecurity.

Rememberthatintoday’sworldofglobalcorporations,thecybersecurityofficermayhavetofollowthecybersecuritypoliciesandproceduresinthevariousnationswherehisorhercorporationdoesbusiness.So,asacybersecurityofficer,itiscrucialthatyouunderstandsuchlaws,rules,regulations,etc.,andworkwithyourcorporation’slegalstafftobesurethatanyissuesidentifiedrelativetothesemattersareaddressed.

EvolutionofLaws,Standards,Policies,andProceduresIngeneral,theevolutionoflawsfollowedtheevolutionof“civilization”(somearguethatwehaveyettobetruly“civilized”)fromprimitivetofeudaltoagriculturaltoindustrialtotoday’sinformationage,andsomesaythatafewnationsarebeginningtoentertheknowledgeage.

Cybersecurity-relatedlaws,standards,policies,andprocedureshave,ascanbeexpected,evolvedasthethreats,vulnerabilities,andriskstocomputers,systems,networks,theNII,theGII,andtheirrelatedinformationhaveevolved.However,theyseemtohavealwaysbeenupdatedasareactiontoattacksandnotusingaproactiveapproach.Inaddition,evenwhenanation-state,forexample,theUnitedStates,passescybersecurity-relatedlawsandpolicies,theydonotseemtobefollowed.

TheJanuary1,2015,reportrevealedandconcludedthattheDepartmentofHomelandSecurity’s(DHS’s)cybersecuritypracticesandprogramsaresobad,theDHSfailsateventhebasicsofcomputersecurityandis“unlikely”tobeabletoprotectbothcitizensandgovernmentfromattacks.2

2www.zdnet.com/…/new-report-the-dhs-is-a-mess-of-cybersecurity.

OfcoursesuchthingsastheColdWar,politicalrevolutions,economicrevolutions,revolutionsinmilitaryaffairs,humanevolutionandrevolution,andrevolutionsintechnologyallcontinuetohavemajorimpactsontheneedanddemandfornewlaws,standards,policies,andprocedures.Thiswillobviouslycontinueasvariousevolutionsandrevolutionscontinue.

Inthisoverview,thistopicwillbebrokendownasfollows:

•GlobalviatheUN,

•EuropeanUnion(EU),

•Asia,

•SouthAmerica,

•Africa,

•Canada,

•UnitedStates.

http://www.zdnet.com/.../new-report-the-dhs-is-a-mess-of-cybersecurity

GlobalviatheUNTheUNappearstobeheavilyinvolvedincybersecurity-relatedmattersregardingassociations,committees,treaties,andthelike.Thisisofcourselogicalsincecybersecurityisaglobalproblemandneedsglobalsolutions.Afterall,ifsomecybercriminalinaforeignnationcommitsacybercrimeinanothernation,thevictimnationmusthaveawaytobringthecriminaltojustice.Ifthecriminalresidesinanationwithoutanextraditiontreatywiththevictimnation,andespeciallyonethatdoesnothaveanycyberlaws,thechanceofthatcriminalbeingbroughttojusticerunsfromslimtonone,astheysay.

TheUNsystem’scollectiveengagementinaddressingcyberthreatsiscritical.TheInternationalTelecommunicationsUnion(ITU)isleadingthecallforstakeholderstoworktogethertosetinternationalpoliciesandstandardsandtobuildaninternationalframeworkforcybersecurity.3

3http://www.un.org/en/ecosoc/cybersecurity/summary.pdf.

WhatviewyoumayhaveoftheUNingeneralwillofcoursetaintyourviewoftheireffortsrelatingtocybersecurity.Forexample,aretheytryingtosetthe“laws”fortheworld?DotheywanttocontroltheInternet,maybeinamannerusedbytheUNSecurityCouncil,withpermanentmemberssuchasRussiaandChina,aswellasrotatingmembers,forexample,SaudiArabia,Libya?

Howwillsuchastructureaffectthefreedomoftheworld’susers?Somemayrejoiceinsuchamovebutothersmaycringeattheidea,fearingthelossoffreedomthatingeneraltheInternetnowprovides.EventheUnitedStateshasdesignsonmorecontrol.Infact,allgovernmentagenciesaroundtheworldforthemostpartcannotstandtohavetheircitizensbefreetolive,speaktheirminds,andwritewhatevertheywantwithoutsomegovernmentcontrols,andcertainlythatappliestothecitizensoftheworld’suseoftheInternet.

WeallmustbeonguardwhenourInternet—yesitisours,theusers’—andothernetworksaretobecontrolledbylaws,standards,rules,regulations,policies,andproceduresinthenameofprotectingusthroughcybersecurity-relatedcontrols.Yes,somecontrolsareneededtoavoidchaosandrampantcarnageofinformationstolen,destroyed,andsuch.However,wemustallbevigilantwhenpresentedwithcontrolsfor“ourowngood.”Unfortunatelymostpeoplewouldprobablypreferalittlemoresecurity,sacrificingsomefreedoms,butwhenisenoughenough?Willwerealizeitonlywhenitistoolate?

So,whathastheUNbeenuptoasrelatestocybersecuritymatters?AsearchoftheUN’swebsitedisclosedthefollowingresultofaSpecialEventonCyberSecurityandDevelopment,December9,2011,10:00a.m.to1.00p.m.,ECOSOCChamber,UN,NewYork,whichprovidesanoverview.

http://www.un.org/en/ecosoc/cybersecurity/summary.pdf

Asacybersecurityofficer,youshouldsearchonlineforthemostcurrentUN,nation-state,andregionalassociationsdealingwithcybersecurityand,asusedhere,getanunderstandingofwhatishappeningonaglobalbasiswhenitcomestocybersecuritymatters.Afterall,asacybersecurityofficer,youprobablyworkinaglobalenvironmentand,likeitornot,yournetworksareconnectedtotheworldand,asweallknow,theworldisnotasafeplace,andthatgoesforourglobal,information-andnetworked-basedenvironment.

Evenasfarbackas2011,whichisalifetimeincybersecurity,theUNstatedthat:

Cybersecurityisoneofthegreatestissuesofourtimes,anditwillcontinuetogrowinimportance.ItisourcollectivedutytoensurethatICTsaresafeandsecuresothat

the7 billionpeopleofthisplanetcanreapthebenefitsofICTs.Today,everythingisdependentonICTsandweareallvulnerable—cybersecurityisaglobalissuethatcanbesolvedonlywithglobalsolutions.CybersecurityisanareathataffectseachandeveryagencyandprogramoftheUN.AswepushforwardtheUNagendaforpeaceandsecurity,wemustrememberthatcybersecurityispartofthis.TheUNsystem’scollectiveengagementinaddressingcyberthreatsiscritical.TheITUisleadingthecallforstakeholderstoworktogethertosetinternationalpoliciesandstandardsandtobuildaninternationalframeworkforcybersecurity.

AswiththesuggestionofonlineresearchoncybersecuritymattersrelatedtotheUN,thesameappliesforallotherareasoftheworldasshownbelow.Thisisimportantasprobablyatonetimeoranother,whetheryouareacybersecurityofficerforagovernmentagencyoracorporationorassociation,orjustanInternetuser,youarelikelytobeconnectedinoneformoranotheroutsideyourowncountry.Infact,thesedaysthatisprettymuchacertainty.

So,whathappensinanotherpartoftheworldmayhaveanadverseimpactonyoupersonally,yourassociation,yourbusiness,oryourgovernmentagency.

TheEUThefollowingprovidessomeinsightintothedirectionthattheEUandUnitedStatesaregoing.NotethatthiswasthefirstmeetingandwasjustheldinDecemberof2014.Thequestionis,“What’stakenthemsolongtomeet?”

OnDecember5,2014,anEUandU.S.cybersecurity-relatedmeetingwasheldinBrussels.Thepurposeofthemeetingwastodiscussforeignpolicyrelatedtothecyberenvironmentandofcoursecybersecurity,asquotedbelow:4

InternationalSecurityinCyberspaceTheparticipantswelcomedthelandmarkconsensusofthe2012–2013GroupofGovernmentalExpertsonDevelopmentsintheFieldofInformationandTelecommunicationsintheContextofInternationalSecurity,includingitsaffirmationoftheapplicabilityofexistinginternationallawtocyberspace.

InternetGovernanceDevelopmentsin2015Thetwosidesreiteratedthatnosingleentity,company,organisationorgovernmentshouldseektocontroltheInternet,andexpressedtheirfullsupportformulti-stakeholdergovernancestructuresoftheInternetthatareinclusive,transparent,accountableandtechnicallysound….

U.S.–EUCyberSecurity-RelatedCooperationTheywouldworkthroughtheirEU–U.S.workinggrouponcybersecurityandcybercrime.Theircooperationwouldencompassissuesrelatedtoraisingawareness,“cyberincidentmanagement,”cyberissuesrelatedtosexoffenders,cooperationtofightcybercrime,andworkingwithotherInternetorganizationsthatsharemutualinterests.

AsiaThefollowingprovidesanAsianoverviewofcybersecurityasitrelatestotheAssociationofSoutheastAsianNations5

TheOctopusConference:CooperationagainstCybercrimewasheldonDecember4,2013,inStrasbourg,France,6andincludedastatemententitled“StatementonCooperationinFightingCyberAttackandTerroristMisuseofCyberSpace,KualaLumpur,July28,2006.”Thestatementincluded:

…endeavortoenactandimplementcybercrimeandcybersecuritylawsinaccordancewiththeirnationalconditionsandbyreferringtorelevantinternationalinstrumentsandrecommendations/guidelinesfortheprevention,detection,reduction,andmitigationofattackstowhichtheyareaparty.

Theyalsoagreedtoaddresscriminal,terrorist,andotherissuesassociatedwithcybersecurityanduseoftheInternet.

Thatincludedthefollowing.

1.Acknowledgetheimportanceofanationalframeworkforcooperationandcollaborationinaddressingcriminal,includingterrorist,misuseofcyberspaceandencouragetheformulationofsuchaframework.

2.Agreetoworktogethertoimprovetheircapabilitiestoadequatelyaddresscybercrime,includingtheterroristmisuseofcyberspace.

3.Committocontinueworkingtogetherinthefightagainstcybercrime,includingterroristmisuseofcyberspace,throughactivitiesaimedatenhancingconfidenceamongthevariousnationalComputerSecurityIncidentResponseTeams(SIRIs),aswellasformulatingadvocacyandpublicawarenessprograms.

SouthAmericaSymantecandtheOrganizationofAmericanStates(OAS)SecretariatofMultidimensionalSecurity(SMS)andtheInter-AmericanCommitteeagainstTerrorism(CICTE)releasedareportanalyzingcybersecuritytrendsandgovernmentresponsesinLatinAmericaandtheCaribbean.7

Theco-sponsoredreportexploresvariouscybersecuritytrendsincludingtheoverallincreaseindatabreaches:

•RiseofRansomwareandCryptolocker

•ATMfraud

•Socialmediaandmobilecomputingvulnerabilities

•Malware

•Spam

•Spearphishing

AfricaAfricanUnionadoptsframeworkoncybersecurityanddataprotection88:30am|22August2014|byAccessPolicyTeam,

Withoutmuchmediaattention,theheadsofstateoftheAfricanUnion(AU)agreedtoalandmarkconventionthissummeraffectingmanyaspectsofdigitallife.

InJune,leadersintheAU,agroupof54Africangovernmentslaunchedin2002,metatthe23rdAfricanUnionSummitandapprovedtheAfricanUnionConventiononCyberSecurityandPersonalDataProtection.

TheConventioncoversaverywiderangeofonlineactivities,includingelectroniccommerce,dataprotection,andcybercrime,withaspecialfocusonracism,xenophobia,childpornography,andnationalcybersecurity…

Canada9InCanada,theydevelopedathree-pillarstrategyasfollows:

•Securinggovernmentsystems

•PartneringtosecurevitalcybersystemsoutsidethefederalGovernment

•HelpingCanadianstobesecureonline

UnitedStatesTheUnitedStateshasdevelopedthe“ComprehensiveNationalCybersecurityInitiative,”10whichisdescribedbelow.

PresidentObamahasidentifiedcybersecurityasoneofthemostseriouseconomicandnationalsecuritychallengeswefaceasanation,butonethatweasagovernmentorasacountryarenotadequatelypreparedtocounter.Shortlyaftertakingoffice,thePresidentthereforeorderedathoroughreviewoffederaleffortstodefendtheU.S.informationandcommunicationsinfrastructureandthedevelopmentofacomprehensiveapproachtosecuringAmerica’sdigitalinfrastructure.

InMay2009,thePresidentacceptedtherecommendationsoftheresultingCyberspacePolicyReview,includingtheselectionofanExecutiveBranchCybersecurityCoordinator,whowillhaveregularaccesstothePresident.TheExecutiveBranchwasalsodirectedtoworkcloselywithallkeyplayersinU.S.cybersecurity,includingstateandlocalgovernmentsandtheprivatesector,toensureanorganizedandunifiedresponsetofuturecyberincidents,strengthenpublic/privatepartnershipstofindtechnologysolutionsthatensureU.S.securityandprosperity,investinthecutting-edgeresearchanddevelopmentnecessaryfortheinnovationanddiscoverytomeetthedigitalchallengesofourtime,andbeginacampaigntopromotecybersecurityawarenessanddigitalliteracyfromourboardroomstoourclassroomsandbegintobuildthedigitalworkforceofthetwenty-firstcentury.Finally,thePresidentdirectedthattheseactivitiesbeconductedinawaythatisconsistentwithensuringtheprivacyrightsandcivillibertiesguaranteedintheConstitutionandcherishedbyallAmericans.

TheactivitiesunderwaytoimplementtherecommendationsoftheCyberspacePolicyReviewbuildontheComprehensiveNationalCybersecurityInitiative(CNCI)launchedbyPresidentGeorgeW.BushinNationalSecurityPresidentialDirective54/HomelandSecurityPresidentialDirective23(NSPD-54/HSPD-23)inJanuary2008.PresidentObamadeterminedthattheCNCIanditsassociatedactivitiesshouldevolvetobecomekeyelementsofabroader,updatednationalU.S.cybersecuritystrategy.TheseCNCIinitiativeswillplayakeyroleinsupportingtheachievementofmanyofthekeyrecommendationsofPresidentObama’sCyberspacePolicyReview.

TheCNCIconsistsofanumberofmutuallyreinforcinginitiativeswiththefollowingmajorgoalsdesignedtohelpsecuretheUnitedStatesincyberspace:

•Toestablishafrontlineofdefenseagainsttoday’simmediatethreatsbycreatingorenhancingsharedsituationalawarenessofnetworkvulnerabilities,threats,andeventswithinthefederalgovernment—andultimatelywithstate,local,andtribalgovernmentsandprivatesectorpartners—andtheabilitytoactquicklytoreduceourcurrentvulnerabilitiesandpreventintrusions.

•TodefendagainstthefullspectrumofthreatsbyenhancingU.S.counterintelligence

capabilitiesandincreasingthesecurityofthesupplychainforkeyinformationtechnologies.

•Tostrengthenthefuturecybersecurityenvironmentbyexpandingcybereducation,coordinatingandredirectingresearchanddevelopmenteffortsacrossthefederalgovernment,andworkingtodefineanddevelopstrategiestodeterhostileormaliciousactivityincyberspace.

InbuildingtheplansfortheCNCI,itwasquicklyrealizedthatthesegoalscouldnotbeachievedwithoutalsostrengtheningcertainkeystrategicfoundationalcapabilitieswithinthegovernment.Therefore,theCNCIincludesfundingwithinthefederallawenforcement,intelligence,anddefensecommunitiestoenhancesuchkeyfunctionsascriminalinvestigation;intelligencecollection,processing,andanalysis;andinformationassurancecriticaltoenablingnationalcybersecurityefforts.

TheCNCIwasdevelopedwithgreatcareandattentiontoprivacyandcivillibertiesconcernsincloseconsultationwithprivacyexpertsacrossthegovernment.ProtectingcivillibertiesandprivacyrightsremainsafundamentalobjectiveintheimplementationoftheCNCI.

InaccordwithPresidentObama’sdeclaredintenttomaketransparencyatouchstoneofhispresidency,theCyberspacePolicyReviewidentifiedenhancedinformationsharingasakeycomponentofeffectivecybersecurity.Toimprovepublicunderstandingoffederalefforts,theCybersecurityCoordinatorhasdirectedthereleaseofthefollowingsummarydescriptionoftheCNCI.

CNCIInitiativeDetailsInitiative1.ManagetheFederalEnterpriseNetworkasasinglenetworkenterprisewithTrustedInternetConnections(TIC).TheTICinitiative,headedbytheOfficeofManagementandBudgetandtheDHS,coverstheconsolidationofthefederalgovernment’sexternalaccesspoints(includingthosetotheInternet).Thisconsolidationwillresultinacommonsecuritysolution,whichincludesfacilitatingthereductionofexternalaccesspoints,establishingbaselinesecuritycapabilities,andvalidatingagencyadherencetothosesecuritycapabilities.AgenciesparticipateintheTICinitiativeeitherasTICaccessproviders(alimitednumberofagenciesthatoperatetheirowncapabilities)orbycontractingwithcommercialManagedTrustedIPServiceprovidersthroughtheGSA-managedNetworxcontractvehicle.

Initiative2.Deployanintrusiondetectionsystemofsensorsacrossthefederalenterprise.IntrusiondetectionsystemsusingpassivesensorsformavitalpartofU.S.governmentnetworkdefensesbyidentifyingwhenunauthorizedusersattempttogainaccesstothosenetworks.TheDHSisdeploying,aspartofitsEINSTEIN2activities,signature-basedsensorscapableofinspectingInternettrafficenteringfederalsystemsforunauthorizedaccessesandmaliciouscontent.TheEINSTEIN2capability

enablesanalysisofnetworkflowofinformationtoidentifypotentialmaliciousactivitywhileconductingautomaticfullpacketinspectionoftrafficenteringorexitingU.S.governmentnetworksformaliciousactivityusingsignature-basedintrusiondetectiontechnology.AssociatedwiththisinvestmentintechnologyisaparallelinvestmentinmanpowerwiththeexpertiserequiredtoaccomplishtheDHS’sexpandednetworksecuritymission.EINSTEIN2iscapableofalertingUS-CERTinrealtimetothepresenceofmaliciousorpotentiallyharmfulactivityinfederalnetworktrafficandprovidescorrelationandvisualizationofthederiveddata.OwingtothecapabilitieswithinEINSTEIN2,US-CERTanalystshaveagreatlyimprovedunderstandingofthenetworkenvironmentandanincreasedabilitytoaddresstheweaknessesandvulnerabilitiesinfederalnetworksecurity.Asaresult,US-CERThasgreatersituationalawarenessandcanmoreeffectivelydevelopandmorereadilysharesecurity-relevantinformationwithnetworkdefendersacrosstheU.S.government,aswellaswithsecurityprofessionalsintheprivatesectorandtheAmericanpublic.TheDHS’sPrivacyOfficehasconductedandpublishedaPrivacyImpactAssessmentfortheEINSTEIN2program.

Initiative3.Pursuedeploymentofintrusionpreventionsystemsacrossthefederalenterprise.ThisinitiativerepresentsthenextevolutionofprotectionforciviliandepartmentsandagenciesofthefederalExecutiveBranch.Thisapproach,calledEINSTEIN3,willdrawoncommercialtechnologyandspecializedgovernmenttechnologytoconductreal-timefullpacketinspectionandthreat-baseddecision-makingonnetworktrafficenteringorleavingtheseExecutiveBranchnetworks.ThegoalofEINSTEIN3istoidentifyandcharacterizemaliciousnetworktraffictoenhancecybersecurityanalysis,situationalawareness,andsecurityresponse.Itwillhavetheabilitytoautomaticallydetectandrespondappropriatelytocyberthreatsbeforeharmisdone,providinganintrusionpreventionsystemsupportingdynamicdefense.EINSTEIN3willassisttheDHSUS-CERTindefending,protecting,andreducingvulnerabilitiesoffederalExecutiveBranchnetworksandsystems.TheEINSTEIN3systemwillalsosupportenhancedinformationsharingbyUS-CERTwithfederaldepartmentsandagenciesbygivingtheDHStheabilitytoautomatealertingofdetectednetworkintrusionattemptsand,whendeemednecessarybytheDHS,tosendalertsthatdonotcontainthecontentofcommunicationstotheNationalSecurityAgency(NSA)sothatDHSeffortsmaybesupportedbyNSAexercisingitslawfullyauthorizedmissions.Thisinitiativemakessubstantialandlong-terminvestmentstoincreasenationalintelligencecapabilitiestodiscovercriticalinformationaboutforeigncyberthreatsandusethisinsighttoinformEINSTEIN3systemsinrealtime.TheDHSwillbeabletoadaptthreatsignaturesdeterminedbytheNSAinthecourseofitsforeignintelligenceandDepartmentofDefenseinformationassurancemissionsforuseintheEINSTEIN3systeminsupportoftheDHS’sfederalsystemsecuritymission.Informationsharingoncyberintrusionswillbeconductedinaccordancewiththelawsandoversightforactivitiesrelatedtohomelandsecurity,intelligence,anddefensetoprotecttheprivacyandrightsofU.S.

citizens.

Asofthiswriting,theDHSisconductingaexercisetopilottheEINSTEIN3capabilitiesdescribedinthisinitiativebasedontechnologydevelopedbytheNSAandtosolidifyprocessesformanagingandprotectinginformationgleanedfromobservedcyberintrusionsagainstcivilianExecutiveBranchsystems.GovernmentcivillibertiesandprivacyofficialsareworkingcloselywiththeDHSandUS-CERTtobuildappropriateandnecessaryprivacyprotectionsintothedesignandoperationaldeploymentofEINSTEIN3.

Initiative4.Coordinateandredirectresearchanddevelopment(R&D)efforts.Nosingleindividualororganizationisawareofallofthecyber-relatedR&Dactivitiesbeingfundedbythegovernment.ThisinitiativeisaimedatdevelopingstrategiesandstructuresforcoordinatingallcyberR&DsponsoredorconductedbytheU.S.government,bothclassifiedandunclassified,andredirectingthatR&Dwhereneeded.Thisinitiativeiscriticaltoeliminateredundanciesinfederallyfundedcybersecurityresearchandtoidentifyresearchgaps,prioritizeR&Defforts,andensurethetaxpayersaregettingfullvaluefortheirmoneyasweshapeourstrategicinvestments.

Initiative5.Connectcurrentcyberoperationscenterstoenhancesituationalawareness.Thereisapressingneedtoensurethatgovernmentinformationsecurityofficesandstrategicoperationscenterssharedataregardingmaliciousactivitiesagainstfederalsystems,consistentwithprivacyprotectionsforpersonallyidentifiableandotherprotectedinformationandaslegallyappropriate,tohaveabetterunderstandingoftheentirethreattogovernmentsystemsandtotakemaximumadvantageofeachorganization’suniquecapabilitiestoproducethebestoverallnationalcyberdefensepossible.ThisinitiativeprovidesthekeymeansnecessarytoenableandsupportsharedsituationalawarenessandcollaborationacrosssixcentersthatareresponsibleforcarryingoutU.S.cyberactivities.ThiseffortfocusesonkeyaspectsnecessarytoenablepracticalmissionbridgingacrosstheelementsofU.S.cyberactivities:foundationalcapabilitiesandinvestments,suchasupgradedinfrastructure,increasedbandwidth,andintegratedoperationalcapabilities;enhancedcollaboration,includingcommontechnology,tools,andprocedures;andenhancedsharedsituationalawarenessthroughsharedanalyticandcollaborativetechnologies.

TheNationalCybersecurityCenterwithintheDHSwillplayakeyroleinsecuringU.S.governmentnetworksandsystemsunderthisinitiativebycoordinatingandintegratinginformationfromthesixcenterstoprovidecross-domainsituationalawareness,analyzingandreportingonthestateofU.S.networksandsystems,andfosteringinteragencycollaborationandcoordination.

Initiative6.Developandimplementagovernment-widecybercounterintelligence(CI)plan.Agovernment-widecyberCIplanisnecessarytocoordinateactivities

acrossallfederalagenciestodetect,deter,andmitigatetheforeign-sponsoredcyberintelligencethreattoU.S.andprivatesectorinformationsystems.Toaccomplishthesegoals,theplanestablishesandexpandscyberCIeducationandawarenessprogramsandworkforcedevelopmenttointegrateCIintoallcyberoperationsandanalysis,increaseemployeeawarenessofthecyberCIthreat,andincreaseCIcollaborationacrossthegovernment.TheCyberCIPlanisalignedwiththeNationalCounterintelligenceStrategyoftheUnitedStatesofAmerica(2007)andsupportstheotherprogrammaticelementsoftheCNCI.

Initiative7.Increasethesecurityofourclassifiednetworks.Classifiednetworkshousethefederalgovernment’smostsensitiveinformationandenablecrucialwar-fighting,diplomatic,counterterrorism,lawenforcement,intelligence,andhomelandsecurityoperations.Successfulpenetrationordisruptionofthesenetworkscouldcauseexceptionallygravedamagetoournationalsecurity.Weneedtoexerciseduediligenceinensuringtheintegrityofthesenetworksandthedatatheycontain.

Initiative8.Expandcybereducation.WhilebillionsofdollarsarebeingspentonnewtechnologiestosecuretheU.S.governmentincyberspace,itisthepeoplewiththerightknowledge,skills,andabilitiestoimplementthosetechnologieswhowilldeterminesuccess.However,therearenotenoughcybersecurityexpertswithinthefederalgovernmentorprivatesectortoimplementtheCNCI,noristhereanadequatelyestablishedfederalcybersecuritycareerfield.Existingcybersecuritytrainingandpersonneldevelopmentprograms,whilegood,arelimitedinfocusandlackunityofeffort.Toeffectivelyensureourcontinuedtechnicaladvantageandfuturecybersecurity,wemustdevelopatechnologicallyskilledandcyber-savvyworkforceandaneffectivepipelineoffutureemployees.Itwilltakeanationalstrategy,similartotheefforttoupgradescienceandmathematicseducationinthe1950s,tomeetthischallenge.

Initiative9.Defineanddevelopenduring“leap-ahead”technology,strategies,andprograms.OnegoaloftheCNCIistodeveloptechnologiesthatprovideincreasesincybersecuritybyordersofmagnitudeabovecurrentsystemsandthatcanbe

deployedwithin5–10 years.ThisinitiativeseekstodevelopstrategiesandprogramstoenhancethecomponentofthegovernmentR&Dportfoliothatpursueshigh-risk/high-payoffsolutionstocriticalcybersecurityproblems.ThefederalgovernmenthasbeguntooutlineGrandChallengesfortheresearchcommunitytohelpsolvethesedifficultproblemsthatrequire“out-of-the-box”thinking.Indealingwiththeprivatesector,thegovernmentisidentifyingandcommunicatingcommonneedsthatshoulddrivemutualinvestmentinkeyresearchareas.

Initiative10.Defineanddevelopenduringdeterrencestrategiesandprograms.Ournation’sseniorpolicymakersmustthinkthroughthelong-rangestrategicoptionsavailabletotheUnitedStatesinaworldthatdependsonensuringtheuseofcyberspace.Asofthiswriting,theU.S.governmenthasbeenimplementing

traditionalapproachestothecybersecurityproblem—andthesemeasureshavenotachievedthelevelofsecurityneeded.Thisinitiativeisaimedatbuildinganapproachtocyberdefensestrategythatdetersinterferenceandattackincyberspacebyimprovingwarningcapabilities,articulatingrolesfortheprivatesectorandinternationalpartners,anddevelopingappropriateresponsesforbothstateandnonstateactors.

Initiative11.Developamultiprongedapproachforglobalsupplychainriskmanagement.GlobalizationofthecommercialinformationandcommunicationstechnologymarketplaceprovidesincreasedopportunitiesforthoseintentonharmingtheUnitedStatesbypenetratingthesupplychaintogainunauthorizedaccesstodata,alterdata,orinterruptcommunications.Risksstemmingfromboththedomesticandtheglobalizedsupplychainmustbemanagedinastrategicandcomprehensivewayovertheentirelifecycleofproducts,systems,andservices.Managingthisriskwillrequireagreaterawarenessofthethreats,vulnerabilities,andconsequencesassociatedwithacquisitiondecisions;thedevelopmentandemploymentoftoolsandresourcestotechnicallyandoperationallymitigateriskacrossthelifecycleofproducts(fromdesignthroughretirement);thedevelopmentofnewacquisitionpoliciesandpracticesthatreflectthecomplexglobalmarketplace;andpartnershipwithindustrytodevelopandadoptsupplychainandriskmanagementstandardsandbestpractices.Thisinitiativewillenhancefederalgovernmentskills,policies,andprocessestoprovidedepartmentsandagencieswitharobusttoolsettobettermanageandmitigatesupplychainriskatlevelscommensuratewiththecriticalityof,andrisksto,theirsystemsandnetworks.

Initiative12.Definethefederalroleinextendingcybersecurityintocriticalinfrastructuredomains.TheU.S.governmentdependsonavarietyofprivatelyownedandoperatedcriticalinfrastructurestocarryoutthepublic’sbusiness.Inturn,thesecriticalinfrastructuresrelyontheefficientoperationofinformationsystemsandnetworksthatarevulnerabletomaliciouscyberthreats.Thisinitiativebuildsontheexistingandongoingpartnershipbetweenthefederalgovernmentandthepublicandprivatesectorownersandoperatorsofcriticalinfrastructureandkeyresources(CIKR).TheDHSanditsprivatesectorpartnershavedevelopedaplanofsharedactionwithanaggressiveseriesofmilestonesandactivities.Itincludesbothshort-termandlong-termrecommendations,specificallyincorporatingandleveragingpreviousaccomplishmentsandactivitiesthatarealreadyunderway.ItaddressessecurityandinformationassuranceeffortsacrossthecyberinfrastructuretoincreaseresiliencyandoperationalcapabilitiesthroughouttheCIKRsectors.Itincludesafocusonpublic–privatesharingofinformationregardingcyberthreatsandincidentsinbothgovernmentandCIKR.

SummaryTheaboveprovidesashortoverviewofwhatisbeingconsideredandimplementedthroughouttheworld.Theimportantpointisthis:allthenation-statesoftheworldthataredependingontechnology,towhateverdegree,areatleasttalkingaboutcybersecurity-relatedmattersandmanyareatleasttryingtostarttoaddresstheissuesofcybersecurity,cyberterrorism,andcybercrime.Theyalsoseemwillingtocooperatetoaddresstheissues,astheissuesareasglobalasarethenetworks.

Itisrecommendedthatthecybersecurityofficeridentifyallthebusinessesthatthecorporationisconnectedtoandthenation-statesthattheyareinandconductresearchandanalysestoseewhattheyaredoingasitrelatestocybersecurityandhowitaffectshisorhercorporation.

Thisisjustthestart,butatleastitgivesthecybersecurityofficerabasicunderstandingofthestateofcybersecuritythroughouttheworld.Also,thenation-statesthatarecensoringusersshouldalsobeevaluated.Furthermore,takeitforgrantedthatnation-statesaremonitoringyourtransmissionsintotheircountryandmaybecensoringthem.

Workingwithcorporatemanagement,thelegalstaff,andtheauditstaff,thecybersecurityofficershouldidentifykeyissuesrelatedtotheprotectionofthecorporation’sinformationinforeigncountries.Aprojectplanshouldthenbedevelopedandimplementedtoconductriskanalysesrelatedtothatconnectivity.Furthermore,thecybersecurityofficershouldmeetwithhisorhercounterpartsinthosenation-statesandestablishalineofcommunicationtoaddressissuesofmutualconcern.

1http://www.brainyquote.com/quotes/keywords/world_2.html.4http://eeas.europa.eu/statements-eeas/2014/141205_05_en.htm.5http://www.nbr.org/publications/asia_policy/Free/AP18/AsiaPolicy18_Heinl_July2014.pdf.6http://www.coe.int/t/DGHL/cooperation/economiccrime/cybercrime/cy_octopus2013/Octopus2013_en.asp.7http://www.symantec.com/page.jsp?id%3Dcybersecurity-trends;http://www.symantec.com/content/en/us/enterprise/other_resources/b-cyber-security-trends-report-lamc-annex.pdf.8https://www.accessnow.org/blog/2014/08/22/african-union-adopts-framework-on-cyber-security-and-data-protection.9http://www.publicsafety.gc.ca.10https://www.whitehouse.gov/issues/foreign-policy/cybersecurity/national-initiative.

http://www.brainyquote.com/quotes/keywords/world_2.html

http://eeas.europa.eu/statements-eeas/2014/141205_05_en.htm

http://www.nbr.org/publications/asia_policy/Free/AP18/AsiaPolicy18_Heinl_July2014.pdf

http://www.coe.int/t/DGHL/cooperation/economiccrime/cybercrime/cy_octopus2013/Octopus2013_en.asp

http://www.symantec.com/page.jsp?id%3Dcybersecurity-trends

http://www.symantec.com/content/en/us/enterprise/other_resources/b-cyber-security-trends-report-lamc-annex.pdf

https://www.accessnow.org/blog/2014/08/22/african-union-adopts-framework-on-cyber-security-and-data-protection

http://www.publicsafety.gc.ca

https://www.whitehouse.gov/issues/foreign-policy/cybersecurity/national-initiative

CHAPTER4

AGlimpseattheHistoryofTechnology

AbstractInthischapter,technologywillbediscussed,asobviouslythecybersecurityofficermustunderstandtechnology,whichincludeshardware,software,firmware,andallrelatedaspects.

Therevolutionintechnologyhasobviouslycausednation-states,corporations,andindividualstobecomemoretechnology-driven,technology-supported,andtechnology-dependent.

Itisnottheintentheretoprovideadetailedhistoryoftechnology.Theintentistoprovideabriefoverview.Thisoverviewisprovidedbecauseitisobviouslyimportantforthoseinvolvedincybersecuritytounderstandtheirworkingenvironmentasmuchaspossible.Itmayseemobvious,butitisamazinghowmanycybersecurityofficershavelittleknowledgeoftechnologyandhowwegottowhereweare.

KeywordsAdvancedResearchProjectAgency(ARPA);Gopher;Hackertools;High-Tech;Internetprotocols;Internetserviceproviders(ISPs);Microprocessor;Processorserialnumber(PSN);Technology;WorldWideWeb

WhathathGodwrought?SamuelF.B.Morse(Whenthefirsttelegraphmessageeverwassent,1844)

CONTENTS

WhatIsTechnology? 64FromCaveMantoCyberSecurityProfessionalandInformationWarrior 64RevolutionsandEvolutionsinHighTechnology 65FromtheTwentiethCenturytoToday:TechnologyandtheAdventofHighTechnology 66

OtherSignificantTwentieth-CenturyTechnologicalDevelopmentsandEvents 68High-Tech:AProduct,aProcess,orBoth? 69

TheTradeAssociation:AEA 70TheConsultingGroup:RFA 70InformationProvider:OneSource 71TheResearchGroup:BLS 71

TheMicroprocessor 71Moore’sLaw 72OtherSignificantTwentiethCenturyHigh-TechnologyDevelopmentsandEvents 74

TheInternet 75TheHigh-Technology-DrivenPhenomenon 78FasterandMoreMassiveHigh-Technology-DrivenCommunications 79TheBeneficialEffectofHackerToolsandOtherMaliciousSoftwareonNetworkSecuritywithDualRolesasCyberSecurityTools 80OtherHigh-TechnologyToolsinCyberSecurity 82WelcometotheTwenty-First-CenturyTechnology 84Summary 86

CHAPTEROBJECTIVE

Inthischapter,technologywillbediscussed,asobviouslythecybersecurityofficermustunderstandtechnology,whichincludeshardware,software,firmware,andallrelatedaspects.

Therevolutionintechnologyhasobviouslycausednation-states,corporations,andindividualstobecomemoretechnology-driven,technology-supported,andtechnology-dependent.

Itisnottheintentheretoprovideadetailedhistoryoftechnology.Theintentistoprovideabriefoverview.Thisoverviewisprovidedbecauseitisobviouslyimportantforthoseinvolvedincybersecuritytounderstandtheirworkingenvironmentasmuchaspossible.Itmayseemobvious,butitisamazinghowmanycybersecurityofficershavelittleknowledgeoftechnologyandhowwegottowhereweare.

WhatIsTechnology?Accordingtoonedictionary,1technologyisdefinedasfollows:

tech·nol·o·gy[tek näl′ ə j ](pluraltech·nol·o·gies)noun1.Applicationoftoolsandmethods:thestudy,development,andapplicationofdevices,machines,andtechniquesformanufacturingandproductiveprocesses•recentdevelopmentsinseismographictechnology

2.Methodofapplyingtechnicalknowledge:amethodormethodologythatappliestechnicalknowledgeortools•anewtechnologyforacceleratingincubation“…Maryland-basedfirmusesdatabaseandInternettechnologytotrackacompany’sconsumptionofprintedgoods….”ForbesGlobalBusinessandFinance,November1998.

(Earlyseventeenthcentury.FromGreektekhnologia,literally“systematictreatment,”literally“scienceofcraft,”fromtekhne“art,craft.”)

FromCaveMantoCyberSecurityProfessionalandInformationWarriorTheworldisrapidlychanging.Wehumansareinthemidstof,orhavegonethrough,ahunter–gathererperiod,anagriculturalperiod,anindustrialperiod,andnowthemodernnation-state,andoursocietyisinaninformation-basedandinformation-dependentperiod.SomearesayingthatweareapproachingtheKnowledgeAge—nottobeconfusedwitha“smarterage”!

Ourglobalsocietycannolongerfunctionwithouttheaidofautomatedinformationandhightechnology—computersandnetworks.WithcomputersandglobalnetworkssuchastheInternetcomeopportunitiestomakelifebetterforallofus.However,italsomakeseachofusmorevulnerableandincreasestherisktothehightechnologywedependon,aswellasincreasingriskstocybersecurity,ourpersonalfreedoms,andourprivacy.

Throughouthumanhistory,technologyhasplayedaroleinthedevelopmentofourspecies,andithasplayedamajorroleinourlives.Eventhemakingoffirewasprobablyseenasatechnologicalwonderintheearlyhistoryofthehumanrace—andalsousedasaweaponofwarsuchasbysettingfiretotheenemy’sfortifications,houses,andcrops.Itwasalsousedtohelpforgetoolsasweaponsofwar.

Ashortlookbackatthathistoryisappropriate,forassomeoneoncesaid:“Ifyoudon’tknowwhereyou’vebeen,youdon’tknowwhereyouaregoing”—andonemightadd,“youdon’tevenknowwhereyouare.”Andifyoudonotknowwhereyouare,yoursurvivabilityinacybersecurityenvironmentisnotgood.

Technologydriveschange.

AndrewGrove,CEO,IntelCorporation

RevolutionsandEvolutionsinHighTechnologyAswaspreviouslymentioned,onecannotaddresstheissueofcybersecuritywithoutfirstaddressingthechangesbroughtonbytechnologyanditsimpactonbusinesses,governmentagencies,societies,globalandeconomiccompetition,andtheworldingeneral.Technologyobviouslyhasamajorimpactoncybersecurityandthecybersecurityofficer’sabilitytosuccessfullyprotectinformationandnetworks.

Technologyhasmanyuses,andoverthecenturiesithasdrivenhowwehumanswork,live,andinteract.InaspeechtelevisedontheprogramBookTV,asfarbackasApril4,2002,MichaelEisner,ChairmanandCEO,TheWaltDisneyCompany,discussedtheimpactoftechnologyontheworldandusedthefollowingtimelineofthebeginningsofcommunication-related“devices”—whichisasrelevanttodayasitwasthen:

•1455:GutenbergBible

•1689:Newspapers

•1741:Magazines

•1892:Movies

•1907:Radiobroadcasts

•1927:TV

•1975:Microsoft

Lookhowfarwe’vecomeinthelast40-plusyears.Alltheseformsoftechnologyandcommunicationsystemshavehadamajorimpactonourlivesthroughouthistory.Theynotonlyentertainus,butalsoprovideuswithinformation.Someoftheinformationprocessed,stored,andtransmittedwillbesensitiveinformationthatacompanyorgovernmentagencymaywanttokeepprivateandnotreleasetothegeneralpublic.Considerthisasacybersecurityofficer:Ifthatprivate,sensitiveinformationcommunicatedtothepublicisaboutyourcompany,howthatinformationisobtainedmayindicateavulnerabilityinaninformationprotectionprocess.Ifso,youhaveaseriousproblem.Thefreerasocietyis,thefreerthenewsmediawillbe,andconsequently,themorechallengingyourjobtoprotectsensitivebusinessinformation.However,withthatsaid,rememberthatasacybersecurityprofessional,yourjobisalsotoprotecttheprivacyofindividualsinyourcompany.

Someday,onthecorporatebalancesheet,therewillbeanentrywhichreads“Information”;forinmostcasestheinformationismorevaluablethanthehardwarewhichprocessesit.

RADMGraceMurrayHopper,U.S.Navy

FromtheTwentiethCenturytoToday:TechnologyandtheAdventofHighTechnologyTheuseoftechnologyduringtheagriculturalandindustrialperiodssawgreatnumbersofnewinventionsandimprovementsinoldtechnologies.Thiswasalsothetimeofthebuildingofthegreatcitiesoftheworld,aswellastheirtotaldestructioninglobalwars.Thus,technologyforwarfarehadtrulycomeofage.Withtheadventoftheatomicandsubsequentbombs,theentireworldcouldnowliterallybedestroyed.Theperiodalsosawgreatimprovementsintechnologyinventionsandnewinventionssuchasthetelegraph,telephone,airtransportation,andcomputers.Thisperiodsawincreasesineducation,masstransportation,andexponentialgrowthincommunications—thesharingofinformation.

Duringthisperiod,thesharingofinformationbecameeasierowingtotheimprovementofcommunicationssystems,newcommunicationssystems,andincreasedconsolidationofpeopleintolargecities.Thisalsomadeiteasiertoeducatethepeopleintheneededskillsforworkinginthemoremodernfactoriesandofficesoftheperiodandfordeveloping,improving,andimplementingtechnologies.

ThetransitionperiodfromtheIndustrialAgetotheInformationAgeinworldhistoryvarieswitheachnation-state.IntheUnitedStates,thewell-knownauthorstheTofflersestimatedthetransitiontotakeplaceabout1955,whenthenumberofwhite-collarworkersbegantooutnumbertheblue-collarworkers.Somenation-statesarestillinvariousphasesoftransitionfromtheagriculturalperiodtotheindustrialperiodtotheinformationperiod.

Nomatterwhenanationexperiencesthistechnology-driventransition,however,itwillsee,astheUnitedStatesandothermodernnation-stateshaveseen,themostrapidchangesinallaspectsofhumanexistencesincehumansfirstwalkedonthisEarth—includinghowwarsareprosecuted.

Thetwentiethcenturysawtherapidexpansionanduseoftechnologymoresothanallpastcenturiescombined.Itwasalsothebeginningoftheconcentrateddevelopmentoftechnologyspecificallytodevelopnewandimprovednetworksonamassivescale.Thisusheredintheeraofmodernwarfare,anerathatwassponsoredprimarilybygovernmentsandgloballycommittedbusinessesthathadthewillandthemeansforsuchdevelopment,andtheseentitieswereabletousethesenewtechnologiestotheiragendasonaglobalscale.

Thus,thetwentiethcenturywasthetruebeginningoftechnology-basedwarfare.Owingtothetechnologicalimprovementofolderinventions(e.g.,submarine,machinegun)andnewinventionssuchasnuclearweapons,neverbeforecouldsomanybekilledbysofew.Therewerealsothetanks,handgrenades,poisongases,andlandminesthatgavewaytothechemical/biological/nuclearweapons,carpetbombings,smartbombs,andthebeginningoftruecybersecurity.

In1962…theCIAquietlycontractedtheXeroxCompanytodesignaminiaturecamera,tobeplantedinsidethephotocopierattheSovietUnion’sembassyinWashington.AteamoffourXeroxengineers…modifiedahomemoviecameraequippedwithaspecialphotocellthattriggeredthedevicewheneveracopywasmade.In1963,thetinyColdWarweaponwasinstalledbyaXeroxtechnicianduringaregularmaintenancevisittotheSovietembassy.2

2FromanarticlebyDawnStoverintheJanuary1996issueofPopularScience,entitled“TheCIA’sXeroxSpy-cam.”Althoughdated,thisindicateshowfarbackgovernmentagencieshavebeeninvolvedincovertcyberoperations.Imaginetheprogresstheyhavemadesincethen.

Thisperiodincludedmanysignificanttechnology-driveninventionstoonumeroustomentionhereintheirentirety.Inthemedicalfieldalone,wehaveseentherapidinventionofliterallythousandsofnewdrugs,procedures,anddevices,manyofwhichsavedpossiblymillionsoflivesovertheyears.Someothersignificanttechnologicallydriveninventionsduringthiscenturyinclude:

•Zeppelin

•Radioreceiver

•Polygraphmachine

•Airplane

•Gyrocompass

•Jetengine

•Syntheticrubber

•Solarcell

•Short-waveradio

•Wirephoto

Thetwentiethcenturysawthedevelopmentandimprovementofourmodernera’samazingelectronicinventionsleadingtothecomputeranditsperipherals:

Electronicamplifyingtube(triode) PhotocopierRadiotuner ComputerRobot IntegratedcircuitDigitalcomputer BASIClanguageUNIVACI FORTRANSputnik CompactdiskExplorerIsatellite ComputermouseLaser ComputerwithintegratedcircuitsOS/360IBMoperatingsystem RAM,ROM,EEPROMMinicomputer ARPANETOpticalfiber DaisywheelprinterCraysupercomputer Floppydisk

Spaceshuttle Dot-matrixprinterIBMpersonalcomputer Liquid-crystaldisplayVideotaperecorder ComputerharddiskGraphicuserinterface ModemCathoderaytube MobilephoneTelevision TransistorFMradio WorldWideWebVoicerecognitionmachine Browsers

OtherSignificantTwentieth-CenturyTechnologicalDevelopmentsandEventsSomeoftheothersignificanttechnologicaleventsandinventionsthattookplaceinthetwentiethcenturyandhaveledtoourrapidlychanginginformation-basedsocietiesandinformationdependency,andassistedinthedevelopmentofnewmethodsofprosecutingwarfare,includethefollowing:3

1930:Shannon’sdoctoratethesisexplainstheuseofelectricalswitchingcircuitsinmodernBooleanlogic.

1934:Computing–Tabulating–RecordingbecomesIBM.

1936:Burackbuildsthefirstelectriclogicmachine.

1940:AtanasoffandBerrydesignacomputerwithvacuumtubesasswitchingunits.

1943–1946:Mauchley,Eckert,andVonNeumannbuildtheENIAC,thefirstall-electronicdigitalcomputer.

1947:Thetransistorisperfected.

1955:ShockleySemi-ConductorfoundedinPaloAlto,California;Bardeen,Shockley,andBrattainsharetheNobelPrizeforthetransistor.

1957:FairchildSemi-Conductorisfounded.

1962:TandyCorporationbuyschainofRadioShackelectronicstores.

1964:KemenyandKurtz,DartmouthCollege,developtheBASICcomputerlanguage.

1968:Intelisfounded.

1969:IntelproducesintegratedcircuitsforJapanesecalculators;DataGeneralreleasesNova.

High-Tech:AProduct,aProcess,orBoth?Thereisnouniversallyaccepteddefinitionof“high-tech,”noristhereastandardlistofindustriesconsideredtobehigh-tech.Todaynearlyeveryindustrycontainssomeelementoftechnology,andeventhemosttechnologicallyintensiveindustrywillincludelow-techelements.

Nevertheless,severalgroupshavedevelopedlistsofindustriestheyconsiderhigh-techusingU.S.StandardIndustrialClassifications(SIC).

Thebreadthoftheselistsdependsontwofactors:(1)thegoalsoftheorganizationanditscustomersand(2)whethertheorganizationascribestotheargumentthatonlyindustriesthatproducetechnologycanbeconsideredhigh-techortotheargumentthatindustriesthatuseadvancedtechnologyprocessescanalsobecategorizedashigh-tech.

Anyindustry-baseddefinitionsofhigh-techwillbeimperfect,butnoneofthedefinitionsdiscussedhereshouldbeconsideredincorrect.Theimportantfactortoconsideristheperspectivefromwhichanylistisderived.

Mosthigh-techindustryclassificationshavecommonelements,yetmayvarysignificantlyinscope.Let’sconsiderfourclassificationsofhigh-techindustriesdevelopedbythefollowingrespectedandoftenquotedorganizations:theAmericanElectronicsAssociation(AEA),RFA(formerlyRegionalFinancialAssociates),OneSourceInformationServices,Inc.(formerlyCorpTech),andtheU.S.BureauofLaborStatistics(BLS).

Thedifferentmissionsofthesefourorganizationsinfluencehowtheydefinehigh-tech.TheAEAisatradeassociationmadeupofmostlyelectronicsandinformationtechnologycompanies.Itsmembersgenerallyproducetechnologyandascribetothelimiteddefinitionofhigh-techbasedonlyonthenatureofanindustry’sproductratherthanitsprocess.RFAisanationalconsultingfirm.Itsclientsincludebuildersandcontractors,banks,insurancecompanies,financialservicesfirms,andgovernment.Theindustrieswiththegreatestgrowthpotentialandthosereflectiveoftheirclients’interestsareincludedinRFA’slistofhigh-techindustries.WhileboththeAEAandRFAhavenarrowlydefinedhigh-tech,OneSourceandtheBLSusebroaderdefinitionsthatincludeindustrieswithbothhigh-techproductsandprocesses.

OneSourcegathersandsellscorporateinformationontechnologyfirmsforuseinsalesandmarketing.Asithasbuiltitsdatabaseoffirms,OneSourcehasexpandeditslistofwhatshouldbeconsideredahigh-techindustry.TheBLSisafederalagencyresponsibleforcollectingandanalyzingdataonthenationallaborforce.Ithasdefinedthoseindustrieswiththehighestconcentrationoftechnology-basedoccupations,suchasscientistsandengineers,ashigh-techindustries.

TheTradeAssociation:AEATheAEAreleasedCyberstates4.0,itsannualreportontechnologyemployment,basedontheAEA’slimiteddefinitionofhigh-techindustries,whichfallintothreecategories:(1)

computers,communications,andelectricalequipment;(2)communicationservices;and(3)computer-relatedservices.TheAEA’slististhemostrestrictiveofthefourclassifications.Absentfromthelistareareassuchasdrugmanufacturing,robotics,andresearchandtestingoperations.

TheConsultingGroup:RFARFA’shigh-techsectorsaresimilartothoseselectedbytheAEA.However,RFAdoesnotincludehouseholdaudioandvideoequipmentortelephonecommunications,butaddsdrugsandresearchandtestingservices.

InformationProvider:OneSourceUnliketheshortlistscompiledbytheAEAandRFA,theOneSourcelistclassifies48sectorsashigh-tech.Majoradditionsincludeanumberofmanufacturingindustries,suchasmetalproductsandtransportationequipment,andseveralserviceindustries.

TheResearchGroup:BLSBLShasfurtherrefineditshigh-techindustrydefinitionbyseparatingsectorsintotwogroups.Thoseindustrieswithahighconcentrationofresearch-orientedoccupationsarelabeledintensive,whilethosewithalowerconcentrationareconsiderednonintensive.Thedifferencesshownhereillustratewhyknowinghowdataaredefinedisessentialtounderstandingwhatthedatamean.Onceagain,thosewishingforasimpleanswerwillbefrustrated.Itisnotthedatathathavefailedthem,buttherealityofacomplexsystem(theeconomy)andthehumanfactorthatmustdeterminehowtobestreflectthatsystemusingdata.

Aswehavefound,tryingtogetahandleonthisthingcalledtechnology,anykindoftechnology,islikegrabbingair.Evenlowtechnologywasonceconsideredhightechnologyinitsday.Forexample,whenthefirstplowwasinvented,itwasprobablyconsideredatechnologicalwonder.Then,afterbeinghookeduptoahorseorwaterbuffalo,itincreasedtheproductivityofthefarmersanditcertainlydrasticallychangedfarmingmethods.Whenthewoodenplowwasintegratedwithasteelblade,certainlythatwasconsideredhightechnologyinitsday.Onemustrememberthathightechnologytoday

willundoubtedlybeconsideredlowtechnology25–50 yearsfromnow.So,hightechnologyisalsobasedonareferencepointandthatreferencepointistime—perceptionandtimearealsokeyfactorsincybersecurity.

Aswesee,itisnoteasytocometogripswiththisphenomenoncalledhightechnology.Forourpurposes,anarrowlyfocuseddefinitionisbetter.Intoday’sworld,themicroprocessordrivesthetechnologicalproductsthatdrivetheInformationAgeandcybersecurity.So,wewilldefinehightechnologybasedonthemicroprocessor.Hightechnologyisdefinedastechnologythatincludesamicroprocessor.

TheMicroprocessorIn1971,IntelintroducedtheIntel4004microprocessor.Thiswasthefirstmicroprocessoronasinglechipandincludedacentralprocessingunit,inputandoutputcontrols,andmemory.Thismadeitpossibletoprogram“intelligence”intoinanimateobjectsandwasthetruebeginningofthetechnologyrevolutionthathascausedsomanychangesintheworldandusheredinthebeginningsoftheageofcybersecurity.

Themicroprocessorwasdevelopedthroughalonglineofamazinginventionsandimprovementsoninventions.Withoutthesedramaticandoftenwhatappeartobenew,miraculousbreakthroughsinmicroprocessortechnology,today’scybersecurityphenomenonwouldstillbeonlyinthedreamsofsciencefictionwriters,thelikesofJulesVerneandGeorgeOrwell.However,becauseoftheamazingdevelopmentsinthemicroprocessor,cybersecurityisbeginningtocometotheforefrontinmodern-daygovernmentsandbusinesses.

Today,becauseofthemicroprocessoranditsavailability,miniaturization,power,andlowcost,theworldisrapidlydevelopingnewhigh-technologydevices,procedures,processes,networks,and,ofcourse,cybersecurityandconventionalwarfareweapons.Theglobalinformationinfrastructure(GII)isjustoneexampleofwhatmicroprocessorsaremakingpossible.TheGIIisthemassiveinternationalconnectionsofworldcomputersthatcarrybusinessandpersonalcommunicationaswellasthatofthesocialandgovernmentsectorsofnations.SomesaythatGIIwillconnectentirecultures,eraseinternationalborders,support“cybereconomies,”establishnewmarkets,andchangeourentireconceptofinternationalrelations.

TheGIIisbasedontheInternetandmuchofthegrowthoftheInternetisindevelopingnations.TheGIIisnotaformalprojectbutitistheresultofthousandsofindividuals’,corporations’,andgovernments’needtocommunicateandconductbusinessbythemostefficientandeffectivemeanspossible.TheGIIisalsoabattlefieldinthecybersecurityarena.

Moore’sLawNodiscussionofhightechnologyandcybersecurityweaponswouldeverbecompletewithoutashortdiscussionofMoore’sLaw.In1965,GordonE.Moore,DirectorofResearchandDevelopmentLaboratories,FairchildSemiconductor,wasaskedbyElectronicsmagazinetopredictthefutureofsemiconductorsanditsindustryduringthe

next10 years.InwhatbecameknownasMoore’sLaw,hestatedthatthecapacityor

circuitdensityofsemiconductorsdoublesevery18 monthsorquadruplesevery3 years.4TheinterestingthingaboutMoore’scommentsisthattheybecamesortofahigh-

technologydriverforthesemiconductorindustryand,evenafteralltheseyears,ithas

beenprettymuchontrackastohowsemiconductorshaveimprovedovertheyears.Itspower,ofcourse,dependsonhowmanytransistorscanbeplacedinhowsmallaspace.ThemathematicalversionofMoore’sLawis:

Bitspersquareinch = 2(time − 1962)5Someofthe-hightechnology“inventions”ofthetwentiethcenturythatdependedonthe

microprocessorincludethefollowing:

Ethernet(1973)

Laserprinter(1975)

Ink-jetprinter(1976)

Magneticresonanceimager(1977)

VisiCalc(1978)

Cellularphones(1979)

Craysupercomputer(1979)

MS-DOS(1981)

IBMpersonalcomputer(PC)(1981)

Scanningtunnelingmicroscope(1981)

AppleLisa(1983)

CD-ROM(1984)

AppleMacintosh(1984)

Windowsoperatingsystems(1985)

High-temperaturesuperconductor(1986)

Digitalcellularphones(1988)

Dopplerradar(1988)

WorldWideWeb/Internetprotocol(HTTP);HTML(1990)

Pentiumprocessor(1993)

Javacomputerlanguage(1995)

Digitalversatilediskordigitalvideodisk(1995)

WebTV(1996)

ThePioneer10spacecraftusedthe4004microprocessor.ItwaslaunchedonMarch2,1972,andwasthefirstspaceflightandmicroprocessortoentertheAsteroidBelt.

OtherSignificantTwentiethCenturyHigh-TechnologyDevelopmentsandEventsSomeofthesignificanthigh-technologycomputereventsandinventionsthattookplaceinthetwentiethcenturyandledtoourrapidlychangingmethodsofprosecutingawarinclude:6

1971:Inteldevelopsthe8008;WozniakandFernandezbuildthe“CreamSodaComputer.”

1972:KildallwritesPL/1,thefirstprogramminglanguagefortheIntel4004microprocessor;GatesandAllenform“Traf-O-Data”;WozniakandJobsbeginsellingBlueBoxes.

1973:WozniakjoinsHP;KildallandCooperbuild“astrologyforecastingmachine.”

1974:Intelinventsthe8080;XeroxreleasestheAlto;TorodeandKildallbeginsellingmicrocomputersanddiskoperatingsystems.

1975:Microsoft(previouslyknownas“Traf-O-Data”)writesBASICfortheAltair;HeiseropensthefirstcomputerstoreinLosAngeles.

1976:KildallfundsDigitalResearch;workonthefirstRadioShackmicrocomputerstartedbyLeiningerandFrench;firstsaleoftheCPMoperatingsystemtakesplace.

1977:AppleintroducestheAppleII;TRS-80developed.

1978:AppleshipsdiskdrivesfortheAppleIIandbeginsdevelopmentoftheLisacomputer.

1980:HPreleasestheHP-85;AppleIIIisannounced;MicrosoftandIBMsignanagreementforIBM’sPCoperatingsystem.

1981:OsborneIdeveloped;Xeroxcomesoutwiththe8010Starandthe820computers;IBMpresentsthePC.

1982:AppleLisaisintroduced;DECdevelopsalinesofpersonalcomputers(e.g.,DECRainbow100).

1983:IBMdevelopstheIBMPCJr.;OsbornefilesforChapter11asthemicrocomputermarketheatsup.

1984:AppleannouncestheMacintoshmicrocomputer.

1986:Inteldevelopsthe8086chip.

1987:Inteldevelopsthe8088chip.

1990s:Intel,alreadytheleaderinmicroprocessors,announcesthe286,386,and486

chips,followedrapidlybythePentiumchipsnowreachingspeedsof1.7 GHzasweenterthetwenty-firstcentury.

Moore’sLawisstillholdingtruealthoughsomebelievewewillsoonhitthesiliconwall,basedonthelawsofphysics.Someofthesedoomsayershavebeensayingsuchthingsforyears.Othersaremoreoptimisticandbelievethatothermaterialswillbefoundtoreplacesiliconorthatsiliconwillbesomehowenhancedto“defy”thelawsofphysics.Ifthepastisanycluetothefuture,thefutureofhightechnologywillnotbeimpairedbysuchminorimpedimentsasthelawsofphysics.

TheInternet

Therealissueiscontrol.TheInternetistoowidespreadtobeeasilydominatedbyanysinglegovernment.Bycreatingaseamlessglobal-economiczone,anti-sovereignandunregulatable,theInternetcallsintoquestiontheveryideaofthenation-state.7

JohnPerryBarlow

7JohnPerryBarlow,“ThinkingLocally,ActingGlobally,”Time,January,1996,p.57;asquotedonp.197,TheSovereignIndividual,byJamesDaleDavidsonandLordWilliamRees-Mogg,publishedbyTouchstone,NewYork,1999.

ItisinthecontextofthisphenomenalgrowthofhightechnologyandhumanknowledgethattheInternetarisesasoneofthemechanismstofacilitatesharingofinformationandasamediumthatencouragesglobalcommunications.TheInternethasalreadybecomeoneofthetwenty-firstcentury’scybersecuritybattlefields.

TheglobalcollectionofnetworksthatevolvedinthelatetwentiethcenturytobecometheInternetrepresentswhatcouldbedescribedasa“globalnervoussystem,”transmittingfromanywheretoanywherefacts,opinions,andopportunity.However,whenmostpeoplethinkoftheInternet,itseemstobesomethingeithervaguelysinisterorofsuchcomplexitythatitisdifficulttounderstand.Popularculture,asmanifestedbyHollywoodandnetworktelevisionprograms,doeslittletodispelthisimpressionofdangerandout-of-controlcomplexity.

TheInternetaroseoutofprojectssponsoredbytheAdvancedResearchProjectAgency(ARPA)intheUnitedStatesinthe1960s.Itisperhapsoneofthemostexcitinglegacydevelopmentsofthatera.Originallyanefforttofacilitatesharingofexpensivecomputerresourcesandtoenhancemilitarycommunications,ithas,sinceabout1988,rapidlyevolvedfromitsscientificandmilitaryrootsintooneofthepremiercommercialcommunicationsmedia.TheInternet,whichisdescribedasaglobalmeta-network,ornetworkofnetworks,8providesthefoundationonwhichtheglobalinformationsuperhighwayhasbeenbuilt.

However,itwasnotuntiltheearly1990sthatInternetcommunicationtechnologiesbecameeasilyaccessibletotheaverageperson.Priortothattime,Internetaccessrequiredmasteryofmanyarcaneanddifficult-to-rememberprogramminglanguagecodes.However,decliningmicrocomputerpricescombinedwithenhancedmicrocomputerperformanceandtheadventofeasy-to-usebrowser9softwareaskeyenablingtechnologiescreatedthefoundationformassInternetactivity.Whenthesevariablesalignedwiththedevelopingglobaltelecommunicationsinfrastructure,theyallowedarareconvergenceofcapability.

E-mail.Althoughe-mailwasinventedin1972,itwasnotuntiltheadventofthe“modernInternetsystem”thatitreallybegantobeusedonaglobalscale.In1987,therewereapproximately10,000Internetcomputerhostsand1000newsmessagesadayin300newsgroups.In1992,thereweremorethan1,000,000hostsand10,000newsmessagesadayin1000newsgroups.By1995,thenumberofInternethostshadrisentomorethan

10 million,with250,000newsmessagesadayinover10,000newsgroups.10By2014,themajorityofe-mailtrafficoriginatedfromthebusinessworld,whichaccountedfor

morethan108.7 billione-mailsthatweresentandreceivedeveryday.11Internetprotocols.Inthe1970s,theInternetprotocolsweredevelopedtobeusedtotransferinformation.

Usenetnewsgroupandelectronicmail.Newsgroupsandelectronicmailweredevelopedinthe1980s.

Gopher.In1991,personnelattheUniversityofMinnesotacreatedtheGopherasauser-friendlyinterfacethatwasamenusystemforaccessingfiles.

WorldWideWeb.In1991,TimBerners-LeeandothersattheConseilEuropéenepourlaRechercheNucleairedevelopedtheWeb.In1993,theWebhadapproximately130

sites;in1994,about3000sites;inApril1998,thishadgrowntomorethan2.2 millionandinJanuary2015ithadreached1,169,228,000.12

ThemostcommonlyaccessedapplicationontheInternetistheWorldWideWeb(WWW).OriginallydevelopedinSwitzerland,theWebwasenvisionedbyitsinventorasawaytohelpshareinformation.Theabilitytofindinformationconcerningvirtuallyanytopicviasearchengines,suchasGoogle,Bing,AltaVista,HotBot,Lycos,InfoSeek,andothers,fromamongtherapidlygrowingarrayofWebserversisanamazingexampleofhowtheInternetincreasestheinformationavailabletonearlyeveryone.OnegainssomesenseofhowfastandpervasivetheInternethasbecomeasmoreTV,radio,andprintadvertisementsdirectprospectivecustomerstovisittheirbusinessorgovernmentagencyWebsite.Suchsitesaretypicallynamedwww.companyname.com,wherethebusinessisnamed“companyname,”orwww.governmentagency.govforgovernmentagencies.

Fromthepastcenturyuntilnow,theInternethasrapidlygrownfromanexperimentalresearchprojectandtooloftheU.S.governmentanduniversitiestothetoolofeveryoneintheworldwithacomputer.Itisthepremierglobalcommunicationsmedium.Withthesubsequentdevelopmentofsearchenginesand,ofcourse,theWeb,thesharingofinformationhasneverbeeneasier.SitessuchasGoogle.comstatethat,in2013they

searchedthrough30 trillionWebpages!

Ithasnowbecomeasimplematterforaveragepeople—eventhosewhohadtroubleprogrammingtheirVCRs—toobtainaccesstotheglobalInternetandwiththeaccess

http://www.companyname.com

http://www.governmentagency.gov

http://Google.com

searchthehugevolumeofinformationitcontains.Millionsofpeoplearoundtheworldareloggingin,creatingavastenvironmentoftenreferredtoascyberspaceandtheGII,whichhasbeendescribedasthevirtual,online,computer-enabledenvironment,asdistinctfromthephysicalrealityof“reallife.”

Bytheendofthetwentiethcentury,worldwiderevenuesviaInternetcommercehadreachedperhapshundredsofbillionsofdollars,anunparalleledgrowthrateforatechnologythathasbeenreallyeffectiveonlysincetheearly1990s!The“electroniccommerce”oftheearlytwenty-firstcenturyalreadyincludeseverythingfromonlineinformationconcerningproducts,purchases,andservicestothedevelopmentofentirelynewbusinessactivities(e.g.,Internet-enabledbankingandgambling).

Animportantfactforeveryonetounderstand,andwhichisofsupremeimportancetothoseinterestedincybersecurity,isthattheWebistrulyglobalinscope.Physicalbordersaswellasgeographicaldistancearealmostmeaninglessincyberspace;thedistanttargetisaseasilyattackedasthelocalone.

TheannihilationoftimeandspacemakestheInternetanalmostperfectenvironmentforcybercrimeandwarfare.Whenfindingadesiredadversary’s13serverlocatedontheothersideoftheplanetisaseasyandconvenientascallingdirectoryassistancetofindalocaltelephonenumber,informationwarriorshavethepotentialtoactinwaysthatonecanonlybegintoimagine.Undeterredbydistance,borders,time,orseason,thepotentialbonanzaawaitingtheinformationwarriorisachillingprospectforthosewhoareresponsibleforsafeguardinganddefendingtheassetsofabusinessorgovernmentagency.

Becauseofreligiousbeliefsinmanyfaiths,Internetaccesstomaterialconsideredpornographicisgenerallynotacceptable.Oneofsociety’sstruggleswillbehowtoprovideaccesstotheworld’sinformationwithoutcausingsomemoraldecayofsociety.Thiswillbeastruggleformanycountriesanditisbelievedthattheinformationwarriorswillhaveamajorimpactonthesocietyofsuchdevelopingcountries.

TheInternetisthelatestinaseriesoftechnologicaladvancesthatarebeingusednotonlybyhonestpeopletofurthertheircommunication,butalsobymiscreants,juveniledelinquents,andothersforillegalpurposes.Aswithanytechnologicalinvention,itcanbeusedforgoodorforillegalpurposes.Itisreallynodifferentfromotherinventionssuchasthehandgun.Thehandguncanbeusedtodefendandprotectlivesortodestroythem.Italldependsonthehumanbeingwhoisusingthetechnology.

TheHigh-Technology-DrivenPhenomenonTherearethousandsofInternetserviceproviders(ISPs)operatingandconnectedallacrosstheglobe.Itishopedthatweallknowbynowthatoure-mailsdonotgopointtopoint,buthoparoundtheInternet.Theyaresusceptibletobeinggleanedbyallthosewiththeresourcestoreadotherpeople’smailorstealinformationtocommitcrimes(e.g.,identitytheft,competitiveintelligenceinformationcollections,and,ofcourse,usefulinformationforinformationwarriors).

So,whatisthepoint?ThepointisthatthereareISPsallovertheworldwithfewregulationsandabsolutelynoprotectionanddefensivestandards.SomeISPsmaydoanadmirablejobofprotectingourinformationpassingthroughtheirsystems,whileothersmaydonothing.Furthermore,aswelearnmoreandmoreabout“Netspionage”(computer-enabledbusinessandgovernmentspying),welearnmoreandmoreabouthowourprivacyandourinformationareopentootherstoread,capture,change,andotherwisemisuse.

Inaddition,withsuchprogramsasSORMinRussia,InternetmonitoringinChinaandelsewhere,globalEchelon,andtheU.S.FBI’sCarnivore(stillCarnivorenomatterhowoftentheychangethenametomakeitmorepoliticallycorrect),wemightaswelltakeourmostpersonalinformation,tattooitonourbodies,andrunnakedinthestreetsforalltosee.Well,thatmaybeaslightexaggeration;thepointisthatwehavenoconceptofhowwellISPsareprotectinginformationbelongingtogovernments,businesses,individuals,orassociations.ThroughyourISP,howsusceptibleareyoutothethreatsofcybersecurity?DoyouknowifyourISPisprotectingormonitoringyou?Ifitismonitoringyou,forwhom?

FasterandMoreMassiveHigh-Technology-DrivenCommunicationsWearequicklyexpandingintoaworldofinstantmessages(IMs)throughISPs.Afterall,themorerapidlyourworldchanges,themorerapidlywewanttoreactandwewanteverything—now!A2014reportbyJunipernetworksstatedthatinstantmessagingapps

willaccountfor75%ofmobilemessagingtraffic,or63 trillionmessages,by2018.Furthermore,theycanbeusedtotransferfiles,sendgraphics,and,unlikethetelephoneandnormale-mails,withIMoneknowswhetherthepersonbeingcontactedisthere.Interestingramifications—checktoseeifapersonisonline;ifnot(afteralreadysettingupamasqueradeorspoof),takeoverthatperson’sidentityandcontactsomeoneposingastheother—instantly.Ofcourse,thereareperhapshundreds,ifnotthousands,ofexamplesofISPsbeingpenetratedormisused.AsfarbackasapproximatelyNovember1995,forexample,theWallStreetJournalranastoryentitled“AmericaOnlinetoWarnUsersaboutBadE-mail.”WeallknowaboutthebasicissuesofvirusesandothermaliciouscodesbeingsentviaISPs.So,theproblemhasexistedforquitesometime.

SolarStormsCouldAffectTelecommunications.Intensestormsragingonthesun…couldbrieflydisrupttelecommunications….Theeruptionstriggeredapowerful,butbrief,blackoutFridayonsomehigh-frequencyradiochannelsandlow-frequencynavigationalsignals…forecastatleasta30percentchanceofcontinuingdisruptions….Inadditiontoradiodisruptions,thechargedparticlescanbombardsatellitesandorbitingspacecraftand,inrarecases,damageindustrialequipmentontheground,includingpowergeneratorsandpipelines.14

14“SolarFlareGoesOfftheCharts,”http://www.tldm.org/News3/Solar_flare.htm.

Hightechnologyisvulnerabletonatureandtheuniverseingeneral.Whatagreattimetolaunchacybersecurityattackonanadversary,includingmaybecompetitors.Isitsunspotsoranadversarycausingtheseoutages?Bythetimetheadversaryfindsoutitisyouandnotthreedaysofsunspots,thewarcouldbeover.

http://www.tldm.org/News3/Solar_flare.htm

TheBeneficialEffectofHackerToolsandOtherMaliciousSoftwareonNetworkSecuritywithDualRolesasCyberSecurityToolsThefollowingexamplesofmalicioussoftwarewereselectedasarepresentativesampleofthosethatareavailableandfortheirrangeoffunctionalityand,additionally,fortheirrangethroughtimefrom1991topresent.Thesetoolscanbeandarebeingadaptedandadoptedforuseincybersecurity.15

Hackertools.Ofthehackertoolsthatwerereviewed,whiletheintentionsoftheoriginatorsofthetoolsweremixed,withsomebeingmaliciousandsomewellintentioned,theycanallbeusedtostrengthenthesecurityofanetworkortomonitorthesystemforillicitactivity.Thiscanbeachievedifthesystemowneruseshackertoolstoidentifytheweaknessesthatexistinthesecurityofthesystem,toidentifyappropriateremedialaction,beforeapersonwithmaliciousintentattemptstoexploittheweaknesses.Anumberofthetoolscanalsobeusedtomonitorthesystemforillicitactivity,evenbeforesoftwarepatchesareavailable,sothatthesystemownercanmakeinformeddecisionsonappropriateactiontopreventorminimizedamagetohisorhersystem.Asacybersecurityofficer,howwillyoudefendagainstsuchattacks?

Viruses.Viruseshavenodirectbeneficialeffectonthesecurityofasystemexcepttoprovideavisibleindicationthattherehasbeenabreakdowninproceduresforthetransferofsoftwareordatabetweensystems.Thenegativeeffectofvirusesisthecostintermsoftimeandtheantivirussoftwaretocheckdataandsoftwarebeingimportedorexportedtoandfromthesystem,aswellasthecostofrectifyingaproblemwhenaninfectionhasoccurred,whichcanbeconsiderable.

Inanabstractway,theadventofthevirushasactuallybeenbeneficialtothecybersecurityofficerbecausetheimpactofavirusontheuserisavisibleandconstantreminderoftheneedtoobservegoodcybersecuritypractices.

Inthemajorityofcases,thevirusisdetectedbeforeitcanactivateitspayload,sothedamageisnormallylimitedtotheinconvenienceandcostofthecleaningupthesystemtoremovethevirus.Asacybersecurityweapon,itisavaluableandcheapweaponthatcancausedevastatingresultsagainstyourunpreparedinformationsystems.

Worms.ThereleaseontotheInternetonNovember2,1988,oftheInternetwormwrittenbyRobertT.Morris,Jr.,quicklycausedwidespreaddisruptionandthefailureofalargeproportionofthenetworkthatexistedatthattime.Theproblemwascompoundedbythefactthatsomeoftheserversthathadnotbeenaffectedweretakenofflinetopreventthemfrombecominginfected,thusplacingahigherloadonalready-affectedsectionsofthesystemanddenyingthoseelementsofthenetworkthathadgoneofflineaccesstothepatchesthatwouldprotectthem,asthenormaldistributionmethodforpatcheswasovertheInternetitself.Todate,therehavebeennosecuritybenefitsderivedfromworms,otherthan,inthecaseoftheRobertT.Morrisworm,tohighlighttheurgent

needforeffectiveandearlycommunicationofinformationonincidents.

Thepotentialfortheuseofthistypeofprograminawaythatwouldaidthesecurityofsystemshasbeenpostulated,intheformofautonomousintelligentagentsthatwouldtravelthroughthesystemandreportbackpredefinedinformation,suchasthesystemassets,theconditionandidentityofsystemelements,andthepresenceorabsenceofspecifictypesofactivity.Asaweaponforprosecutingcybersecurity,wormshaveexcellentpotentialandmayevenbeconsidereda“weaponofmassdestruction”becauseofthedamagetheycancauseahigh-technology,informationsystems-dependentadversary.Ofcourse,wenowhavemany“colored”wormsbeingwrittenandtravelingaroundtheGII,NIIs,andothernetworks.

Eastereggs.Eastereggshavenobeneficialeffectotherthantohighlightthatevenproprietarysoftwarecanhavelargesectionsofcodeincludedinthemthatareredundanttothefunctionalityforwhichtheywereintendedandalsothatthequalitycontrolproceduresfortheproductionofsoftwarebywell-knownorganizationsispooriftheEastereggswerenotdetectedduringproduction.Canyouthinkofanywaytousethese“eggs”inacybersecuritybattle?

Trojanhorses.TheTrojanhorse,bydefinition,carriesoutactionsthatarenormallyhiddenfromtheuserwhiledisguisingitspresenceasabenignitemofsoftware.Theyaredifficulttodetectbecausetheyappeartobealegitimateelementoftheoperatingsystemorapplicationthatwouldnormallybefoundonthesystem.GiventhatthepurposeofaTrojanhorseistohideitselfanditsfunctionalityfromlegitimateusers,therehavebeennobeneficialeffectsderivedfromthem—unlessyouareaninformationwarrior.Asacybersecurityofficer,youmustdefendagainstthem.

Logicbombs.Logicbombs,aswithTrojanhorses,carryoutactionsthatareunexpectedandundesirable.Somemaycauserelativelyminordamage,suchaswritingamessagetoascreen,whileothersareconsiderablymoredestructive.Theyarenormallyinsertedbydisaffectedstafforbypeoplewithagrudgeagainsttheorganization.Again,theyaredifficulttodetectbeforetheyhavebeenactivatedand,asaresult,canbeexpensivetorectify.Logicbombsarecorrectlynamedastheycanhavethesameeffectagainstthesystemofanadversaryasaphysicalbombmighthaveagainstabuilding—Boom!Itisgone!

Theclearimplicationfromtheissuesdiscussedaboveisthatsomehackertoolscanhaveabeneficialeffectonthesecurityofcomputersystemsiftheyareusedbythesystemstaffbeforetheyareusedbypersonneleitherwithintheorganizationoroutsideittoidentifyshortcomingsorflawsintheoperatingsystemorapplicationssoftware,theconfigurationofthesystem,ortheproceduresusedtosecureit.Viruses,whileprovidingnodirectbenefit,doprovideadetectableindicationthattherehasbeenabreachinthesecurityofthesystem,eitherbyanexploitationofaflawinthesecurityproceduresorbyashortcominginthesystemsoftware(itallowedavirusthroughanybarriersthathadbeencreatedtopreventaccesstothesystem).

Wormscurrentlyhavenobeneficialeffectonsystemsecuritymanagement.However,

theconceptthatwasusedtodisseminatetheRobertT.Morriswormmayhaveanapplicationinthemappingoflargenetworksifappliedtoautonomousagents.TheTrojanhorseandthelogicbomb,which,bytheirverynature,arecovertlyinsertedintothesystemwithouttheowner’sknowledge,havenobeneficialeffectandhaveonlymaliciousapplications.

OtherHigh-TechnologyToolsinCyberSecurityCyberwars(informationwarfare)throughtechnologyarebeingfoughtonmanyfronts—onthepersonalprivacy,corporateNetspionage,16andnation-statebattlefieldsoftheworld.Evensuchinnocent-soundingwordsas“cookies”takeonnewmeaninginthecybersecurityarena.

Thesecookies—thecomputerkind,nottheonesyoueat—arebeneficial,exceptwhentheyareusedtoprofilecustomerhabitsandgatheranindividual’sprivateinformation,whichisthensold.High-technologycookiesarefilesthataWebsitecanloadontoauser’ssystem.TheyareusedtosendbacktotheWebsiteauser’sactivityonthatWebsite,aswellaswhatWebsitestheuserhaspreviouslyvisited.Theyarealsoapotentialtooloftheinformationwarrior.

Intel’sPentiumIIIincludedauniqueprocessorserialnumber(PSN)ineveryoneofitsnewPentiumIIIchips.IntelclaimedthatthePSNcouldidentifyanindividual’ssurfingthroughelectroniccommerceandotherInternet-basedapplications.ItwasnotedthatbyprovidingauniquePSNthatcanbereadbyWebsitesandotherapplicationprograms,itcouldmakeanexcellentcybersecuritytool.AlthoughthisnumberisdesignedtobeusedtolinkuseractivitiesontheInternetformarketingandotherpurposes,onecaneasilyimagineotheruses,fromacybersecurityperspective,thatcanbemadeofthishigh-technologyapplication.AndasforMicrosoft’snewoperatingsystem,XP,imaginetheIWpossibilities.

Steganographyisanotheruseofhightechnologythatcanbeusedincybersecurity:17

Hidinginformationbyembeddingafileinsideanother,seeminglyinnocentfileisatechniqueknownas“steganography.”Itismostoftenusedwithgraphics,sound,text,HTML,andPDFfiles.Steganographywithdigitalfilesworksbyreplacingtheunusedbytesofdatainacomputerfilewithbytesthatcontainconcealedinformation.

Steganography(whichtranslatedfromGreekmeanscoveredwriting)hasbeeninuse

sinceabout580 B.C.Onetechniquewastocarvesecretmessagesintowoodenobjectsandthencovertheetchedwordswithcoloredwaxtomakethemundetectabletoanuninitiatedobserver.Anothermethodwastotattooamessageontotheshavedmessenger’shead.Oncethehairgrewback,themessengerwassentonhismission.Uponarrival,theheadwasshaved,thusrevealingthemessage—obviouslynottime-dependent.Themicrodot,whichreducedapageoftexttothesizeofatypewriter’speriodsothatitcouldbegluedontoapostcardorletterandsentthroughthemail,isanotherexample.18

Twotypesoffilesaretypicallyusedwhenembeddingdataintoanimage.Theinnocentimagethatholdsthehiddeninformationisa“container.”A“message”istheinformationtobehidden.Amessagemaybeplaintext,ciphertext,otherimages,oranythingthatcanbeembeddedintheleastsignificantbitsofanimage.19

SteganographicsoftwarehassomeuniqueadvantagesasatoolforNetspionageagents.First,iftheagentsuseregularcryptographicsoftwareontheircomputersystems,thefilesmaynotbeaccessibletoinvestigatorsbutwillbevisible,anditwillbeobviousthattheagentsarehidingsomething.Steganographicsoftwareallowsagentsto“hideinplainsight”anyvaluabledigitalassetstheymayhaveobtaineduntiltheycantransmitortransferthefilestoasafelocationortotheircustomer.Asasecondadvantage,steganographycanbeusedtoconcealandtransferanencrypteddocumentcontainingtheacquiredinformationtoadigitaldeaddrop.Theagentscouldthenprovidethehandlerorcustomerwiththepasswordtounloadthedeaddropbutnotdivulgethesteganographicextractionphraseuntilpaymentisreceivedortheagentsaresafelyoutsidethetargetcorporation.Asafinalnote,evenwhenafileisknownorsuspectedtocontaininformationprotectedwithsteganographicsoftware,ithasbeenalmostimpossibletoextracttheinformationunlessthepassphrasehasbeenobtained.

WelcometotheTwenty-First-CenturyTechnologyAsweleftthetwentiethcenturyandbeganthetwenty-firstcentury,ourdependenceontechnologycontinuedtoincreaseaswellasourinterconnectivityonaglobalbasis,ourintegrationofdevices–orplatforms–anduseofwireless,mobiletechnology.Thishasincreasedourvulnerabilitytosuccessfulattacksonaglobalscale.Ithasalsomadeprotectionofoursystems,information,etc.,muchmoredifficult—maybeevenimpossible.

Asweprogressintothetwenty-firstcentury,wecontinuetofallbehindinourdefensesandabilitytoreactquicklyandsuccessfullytoattacksfromaroundtheworld.Asthesophisticationofattackscontinuestoincreasesodothevulnerabilitiesofourvitalinformationinfrastructures.

TopcybersecurityexpertsechoedadirewarningfromatopintelligencechiefonthevulnerabilityoftheU.S.powergrid,withonetellingFoxNews.comthatstate-sponsoredhackerscouldsendAmerica’snervecentersonan“uncontrollable,downwardspiral.”20

20“Intelboss’warningoncyberattacksnojoke,sayexperts,”http://www.foxnews.com/world/2014/11/23/intel-boss-warning-on-cyber-attacks-no-joke-say-experts/.

Defendingourinformationhasbeenmademoredifficultbyadvancesintechnologyandalsoinsocialnetworksofallkinds,throughwhichuserscontinuetoinnocentlyprovideinformationthatisveryusefultocompetitorsandotheradversariesandthatleavesindividuals,groups,corporations,andgovernmentsmoreopentoattacks.

Let’sLookatSomeoftheMajorTechnologyAdvancesThusFarintheTwenty-firstCentury:

ThepowerofcellandWi-Fiphonesastheyhavebecomenotonlytelephones,butmoreall-in-onecommunicationdevices,forexample,voice,text,e-mail,storagedevices,andvideoanddigitalcameras.Notfarbehindarethetablets,whichofferthesamemobilityascellphonesbutbiggerscreensandoftenmorepower,storage,memorycapacity,andspeed.

Twitter,Facebook,YouTube,blogs,andothersoffersocialconnectivityasneverbeforebywhichindividuals,businesses,andgovernmentsonaglobal,mobilescaleshareinformationthatincludesaccidentallyorpurposefullypostingsensitiveormaybeevenclassifiedinformationasusersgounchecked.Itisalsoagreatplatformforblackmail,marketing,andspreadingfalseinformationorpropagandaandofcourseforcollectinginformationusefulinGIWandconventionalwarsandbattles.

http://FoxNews.com

http://www.foxnews.com/world/2014/11/23/intel-boss-warning-on-cyber-attacks-no-joke-say-experts/

Moresophisticatedgamemachinesandgamesthatcanbeusedtohelptraininfo-warriorsandinfactarebeingusedtodoso.

Driverlessvehicles,includingtrams,trains,andcars,thatareturningintocomputersonwheels.Theyareloadedwithtechnology.Imagineoncetheyaretakenover,controlledbyaterrorist,theycaneasilybeturnedintoweapons,givingnewweaponsstatusascarbombswithwhichthedriversdonothavetosacrificetheirlives.

Electricvehiclesovertimewillbecomemoreprevalent.Sinceweareunabletostoreelectricityaswellaswecangas,whatwouldhappentoourabilitytouseelectricvehicles,especiallyforemergencies,onceourpowergridsgodownandtheycannotberecharged.Asweracetobe“eco-friendly,”areweconsideringwhattodotomitigatethisup-and-comingvulnerability?No,ofcoursenot.

Wearealsoapproachingthetimewhenwewilltrulybeabletouseartificialintelligenceandpossiblybecomedependentonit.Whathappenswhenthathappensanditistakenoverandchangedbyinfo-warriorsandmadeintoweaponssupport?

Theuseofnano-technologywillcontinuetobeenhancedandasitis,itcanbeembeddedinourinfrastructurestodestroythemorinjectedintoourbodies.Also,aswedependmoreonroboticsfrommanufacturingtomedicaldevices,evenforsurgeries,whathappenswhentheyaretakenoverbyinfo-warriors?

Lookingbackatwhathasbeenaccomplishedjustinourshortlifetimes,imaginethetwenty-first-centurytechnologyandthecybersecurity-relatedimplicationscominginthefuture.

SummaryIfyouareinvolvedinanyactivityinwhichtechnologyisusedasatooltohelpyouaccomplishyourwork,youareawareofthetremendousandveryrapidadvancesthatarebeingmadeinthatarena.Itissomethingtobehold.Weareinthemiddleofthemostrapidtechnologicaladvancesinhumanhistory,butthisisjustthebeginning.Wearenotevenclosetoreachingthepotentialthattechnologyhastooffer,noritsimpactonallofus—bothgoodandbad.

Itissaidthattherehavebeenmorediscoveriesinthepast50 yearsthanintheentirehistoryofmankindbeforethattime.Wehavejusttoreadthenewspapersandthetradejournalstolookateveryprofessionandseewhattechnologyisbringingtoourworld.Therearenewdiscoveriesinmedicine,onlineandworldwideinformationsystems,theabilitytoholdteleconferencesacrossthecountryandaroundtheglobe,andhundredsofotherexamplesthatwecanallthinkof.

Hightechnologyisthemainstayofbothourbusinessesandourgovernmentagencies.Wecannolongerfunctioninbusinessorgovernmentwithoutthem.Pagers,cellularphones,e-mail,creditcards,teleconferences,smartcards,tabletsandnotebookcomputers,networks,andprivatebranchexchanges(PBXs)areallcomputerbasedandallarenowcommontoolsforindividuals,businesses,andpublicandgovernmentagencies.Informationwarriorsarealsorelyingmoreandmoreoncomputers.Ascomputersbecomemoresophisticated,sodotheinformationwarriors.Asinternationalnetworksincrease,sodoesthenumberofinternationalinformationwarriors.

Networkingandembeddedsystems,thoseintegratedintootherdevices(e.g.,automobiles,microwaveovens,medicalequipment),areincreasinganddrasticallychanginghowwelive,work,andplay.AccordingtoastudyfinancedbytheU.S.ARPAandpublishedinthebookComputersatRisk:

Computershavebecomesointegratedintothebusinessenvironmentthatcomputer-relatedriskscannotbeseparatedfromnormalbusinessrisksorthoseofgovernmentandotherpublicagencies.

Increasedtrustincomputersforsafety-criticalapplications(e.g.,medical)leadstotheincreasedlikelihoodthatattacksoraccidentscancausedeaths.(Note:Ithasalreadyhappened.)

Useandabuseofcomputersarewidespreadwithincreasedthreatsofvirusesandcreditcard,PBX,cellularphones,andotherfrauds.

Anunstableinternationalpoliticalenvironmentraisesconcernsaboutgovernmentorterroristattacksoninformationandhigh-technology-dependentnations’computerandtelecommunicationssystems.

Individualprivacyisatriskowingtolarge,vulnerabledatabasescontainingpersonalinformation,thusfacilitatingincreasesinidentitytheftandotherfrauds.

IfIwanttowreakhavoconasocietythat,insomecases,hasbecomecomplacent,Iamgoingtoattackyourqualityoflife.

CurtWeldon,R-PA.U.S.House,ArmedServicesCommittee21

21SpeakingatanInfoWarConferenceinWashington,D.C.,inSeptember1999.

Personalcomputershavechangedourlivesdramaticallyandthereisnoendinsight.Hightechnologyingeneralhasimprovedthequalityoflifeforsocietiesandmadelifealittleeasier,andyetitmakesaninformation-dependentwayoflifemoreatriskthaneverbefore.Theuseofmodemshasbecomecommonplace,withallnewlypurchasedmicrocomputersystems22comingwithaninternalmodemalreadyinstalledandreadyforglobalaccessthroughtheInternetorothernetworks.WirelessnetworksarebeingincreasinglyusedandtherearenowmillionsofWi-Fi“hotspots”towhichpeoplecanconnecttheirphone,laptop,ortabletwherevertheyare.Therefore,thesedevicesandthenetworksthattheyareusingpotentiallyrepresentsomeofthemostseriousandcomplexcrimescenesoftheInformationAge.Thiswillsurelyincreaseaswebeginthetwenty-firstcentury.

…itiscomputerizedinformation,notmanpowerormassproductionthat…willwinwarsinaworldwiredfor500TVchannels.Thecomputerizedinformationexistsincyberspace—thenewdimensioncreatedbyendlessreproductionofcomputernetworks,satellites,modems,databases,andthepublicInternet.23

NeilMunro

23NeilMunro,“ThePentagon’sNewNightmare:AnElectronicPearlHarbor,”WashingtonPost,July16,1995,p.C3.

High-technologydevelopmentcontinuestoplayadualroleininformation-basednation-states.Thehigh-technologydeviceshavebeenturnedintotoolsthathavebeenusedtodeterminetheadequacyofcyberdefensesandhavebeenadoptedandadaptedbyglobalhackers,terrorists,andothermiscreants.Theynowhavebeenusingthosetoolsforprobingandattackingsystems,especiallythroughtheInternetinterfacesofcorporationsandnation-states,aswellastheGIIandNIIsofnation-states.Thesesamehackertechniqueshavebeenreadilyadoptedandenhancedbytheinformationwarriorsofnation-statesandothers.

1EncartaWorldEnglishDictionary,1999,MicrosoftCorporation.Allrightsreserved.DevelopedforMicrosoftbyBloomsburyPublishingPlc.

3SeeP.FreibergerandM.Swaine’sbook,FireintheValley:TheMakingofthePersonalComputer,Osborne/McGraw,Berkeley,CA,1984.4Schaller,Bob,“TheOrigin,Nature,andImplicationsof‘MOORE’SLAW’:TheBenchmarkofProgressinSemiconductorElectronics,”September26,1996,http://research.microsoft.com/en-us/um/people/gray/moore_law.html.5WinfredPhillips,“Chapter2-ComputersandIntelligence,”TheMindProject,http://www.mind.ilstu.edu/curriculum/extraordinary_future/PhillipsCh2.php?modGUI=247&compGUI=1944&itemGUI=3397.6SeeP.FreibergerandM.Swaine’sbook,FireintheValley:TheMakingofthePersonalComputer,Osborne/McGraw,Berkeley,CA,1984,andhttp://www.swaine.com/wordpress/tag/mike-swaine/foradditionaldetailsofcomputerhistory.8Ibid.,p.11.9SoftwarethatsimplifiesthesearchanddisplayofWorldWideWeb-suppliedinformation.10InternetGuidebyMicrosoftPersonalComputing,http://www.microsoft.com/magazine/guides/internet/history.htm.11“EmailStatisticsReport,2014–2018,”TheRadicatiGroup,http://www.radicati.com/wp/wp-content/uploads/2014/01/Email-Statistics-Report-2014-2018-Executive-Summary.pdf.12Internetlivestats,http://www.internetlivestats.com/total-number-of-websites/.13Theterm“adversary”isusedmoreoftenthesedaystodescribeanenemythantheword“enemy”becauseitseemsitisnotasharshaterm,althoughtheintentisstilltodisableorkillthem.15Anumberofothertoolswerereviewedbutcontainednoobviouspropertyorfunctionalitythatwasconsideredtobebothbeneficialandapotentialcybersecurityweapon;thatis,theymodifiedthesystemtoexploitvulnerabilitiesortheywerepurelymaliciousandcausedadenialofservice.Thesearetoolsthatare“pure”cybersecuritytools.16Seethebook,Netspionage:TheGlobalThreattoInformation,publishedbyButterworth–HeinemanninSeptember2000.17Excerpttakenfromthebook,Netspionage:TheGlobalThreattoInformation,publishedbyButterworth–HeinemanninSeptember2000,andreprintedwithpermission.18Steganography,http://www.webopedia.com/TERM/S/steganography.html.19Steganography,http://www.jjtc.com/Steganography/.22Microcomputershadbeenatermusedtodifferentiatethemfromminicomputersandmainframecomputers.Thecomputers’powerandwhatthemanufacturersdecidedtocallthemdifferentiatedthesesystems.However,withthepoweroftoday’smicrocomputerequalingthatoflargersystems,theissueisunclearandbasicallynolongerveryrelevant.Whatthesesystemsarecalled,coupledwithnotebooks,PDAs,workstations,desktops,etc.,isnotthatimportantbecausetheyallbasicallyoperatethesameway.

http://research.microsoft.com/en-us/um/people/gray/moore_law.html

http://www.mind.ilstu.edu/curriculum/extraordinary_future/PhillipsCh2.php?modGUI=247&compGUI=1944&itemGUI=3397

http://www.swaine.com/wordpress/tag/mike-swaine/

http://www.microsoft.com/magazine/guides/internet/history.htm

http://www.radicati.com/wp/wp-content/uploads/2014/01/Email-Statistics-Report-2014-2018-Executive-Summary.pdf

http://www.internetlivestats.com/total-number-of-websites/

http://www.webopedia.com/TERM/S/steganography.html

http://www.jjtc.com/Steganography/

CHAPTER5

UnderstandingToday’sThreatsintheCyberVapor—“WarStories”fromtheFrontLines1

AbstractWhendiscussingthevariousaspectsofcybersecurity,thecybersecurityofficermustunderstandthatheorsheisalsoaninformationwarriorandisworkinginthemidstofglobalinformationwarfare(GIW).Itisimportanttoalsobeawareoftheactual,varioustypesofinformationwarfareattacksthatarecurrentlybeingconducted24/7aroundtheworldagainstindividuals,groups,businesses,andgovernments.

KeywordsCyberCommand;Globalinformationwarfare(GIW);Informationwarfare(IW)games;Info-warriors;NationalSecurityAgency’s(NSA);Programmablelogiccontrollers(PLCs);SecretService

2Existingandpotentialthreatsinthesphereofinformationsecurityareamongthemostseriouschallengesofthetwenty-firstcentury.Threatsemanatefromawidevarietyofsourcesandmanifestthemselvesindisruptiveactivitiesthattargetindividuals,businesses,nationalinfrastructure,andgovernmentsalike.Theireffectscarrysignificantriskforpublicsafety,thesecurityofnations,andthestabilityofthegloballylinkedinternationalcommunityasawhole.

CONTENTS

ReportedDigitalBattlefieldAttacksandRelatedStories 90Summary 100

Whendiscussingthevariousaspectsofcybersecurity,thecybersecurityofficermustunderstandthatheorsheisalsoaninformationwarriorandisworkinginthemidstofglobalinformationwarfare(GIW).Itisimportanttoalsobeawareoftheactual,varioustypesofinformationwarfareattacksthatarecurrentlybeingconducted24/7aroundtheworldagainstindividuals,groups,businesses,andgovernments.

Beingawareofsuchattacks,onecangetabetterappreciationofthemassivechallengesaheadforthosecybersecurityprofessionals,sometimesalsocalledinfo-warriorsthroughoutthischapter,trying,ofteninvain,toprotecttheinformationandinformationsystemsbeingusedtoday.

Itisalsoimportanttoknowofthelatesttechnologiesbeingdevelopedandbywhom,aswellasunderstandingthepoliticsofthetime,becauseastensionsriseamongpeople,businesses,groups,andnations,theyaremoreapttobecomeaggressivelyinvolvedinGIW.

Asyoureadthroughtheseactualattacksandtheirrelatedcommentaries3,thinkofhowtodefendagainstthemandalsohowtousethem,piggy-backoffofthem,whenconductingmaybe“aggressivedefensive”operationsagainstadversaries.Knowingthe

who,how,where,when,why,andwhatwillhelpdefendagainstGIWattacksaswellasprovidingabasisthatcanbeusedforenhancingyourcorporation’sorgovernmentagency’sdefenses.

Asyoureadthroughthem,considerthatoneormoreoftheseattacksarehappening24/7andyourcorporationorgovernmentagencyisnowunderattack,hasbeen,orwillbe.Detailsarenotprovided,asthepointistogetanunderstandingoftheseattacks,similartooldwarfarebombardmentofourdefenses,ifyouwereinaphysicalwarzone.DetailsofeachoftheseattacksorotherinformationprovidedcanbefoundatreferencedWebsites.Asyouknow,allinformationonlineissubjecttobeingperishable.Evenso,youcansearchthetopicandfindinformationyouneedoneachthreattohelpyoubuildyourdefenses.

ReportedDigitalBattlefieldAttacksandRelatedStoriesLetusstartoffwithoneofthemostsophisticatedattacks,allegedlymadeinJuly2010againstIran’snuclearprogramusingaprogramcalled“Stuxnet.”

StuxnetisacomputerwormthatwasdiscoveredinJune2010.Itwasdesignedtoattackindustrialprogrammablelogiccontrollers(PLCs).PLCsallowtheautomationofelectromechanicalprocessessuchasthoseusedtocontrolmachineryonfactoryassemblylines,amusementrides,orcentrifugesforseparatingnuclearmaterial.4

Allegedly,thisprogramwastheworkoftheUnitedStatesandIsrael,althoughthisisjustspeculation.ThewormenteredtheIraniannetworkanddestabilizedover1000oftheircentrifuges.

Now,onecanonlyspeculatehowitentereda“closed”network.SomeallegeitwasinsertedviaaCD/DVDoraflashdrivebyaninsider.OthersspeculateadiskorflashdrivewasleftinaplacewheresomeoneworkingintheIranianfacilityfounditandentereditintotheclosedIraniannuclearnetworkjusttoseewhatwasonthemediumandthusunleashedtheworm.

The“Regin”malware—allegedlythemostpowerfultodate,evenmorepowerfulthanStuxnet,targetsmostlyRussianandSauditelecommunicationcompanies.Ithasbeenouttheresince2008andevenwhendetected,youcannottellwhatitisdoing.Itissupposedlyin10countries,includingIndiaandIran,withhalfofitsattacksinRussia.Somesayitissogooditisbelieveditcouldbedevelopedonlybyanation-state—aWesternnation-state.Interestingly,attacksarenowbeingreportedintheUnitedStates.

•Varney&Company,businessnewsprogram,FoxBusinessTVChannel,November24,2014

Now,letustalkaboutasimpleattack:

Ajournalisttellsthestory5ofhisdevicesallegedlybeinghackedandhisphotos,e-mails—basicallyhisentirecyberlife—weredeleted.Hewasabletocontactthehackers,whowereteenagers,andtheysaidtheyjustdiditfor“fun.”Heagreednottopresscharges,nottoidentifythem,butwantedtoknowhowtheydidit.

Theyallegedlytoldhimthattheydidnothackhispasswords,butbasicallydidthefollowing:Theybeganby“socialengineering”theirwayintohisaccountstakingadvantageofloopholesinthesystem.

•Theyfirstcalledamazon.comashimandgavethemafalsecreditcardnumber.

•TheyreceivedatemporarypasswordfromAmazon.

•NowtheyownedhisAmazonaccount.

•Theygotthelastfournumbersofhisactualcreditcard.

http://amazon.com

•Applewasusingitalsoasanidentityverificationmethod.

•Applegave“him”(thehackers)apasswordreset.

•NowtheyownedhisAppleaccount.

•TheythenwenttoGoogleandthentoTwitter.

Note:Asyoucansee,today’sGIWattackscanrangefromthenontechnical,usingsocialengineeringtechniques,tothemoresophisticatedcovertmalwaretypesofattacks,toacombinationofboth,andeverythingin-between.

U.S.militaryacademies’informationwarfare(IW)games:EveryyeartheU.S.militaryacademiesoftheArmy,Navy,CoastGuard,andAirForceputtogetheragroupofcadetinfo-warriorstocompeteinanIWgameusingapointssystemtodeterminethewinner.Itbeginswitheachacademyselectingateamandbuildinga“secure”networkandallarethenattackedoverathree-dayperiodbya“RedTeam.”ThissophisticatedIWgameisusedtohelptraintheU.S.militaryinfo-warriorsofthefuture.6

Doyouevergetthefeelingyouarebeingwatched?Ifyou’vegotawebcam,youmightberight…It’sstunninglyeasysincemostcompanies,inanefforttobehelpful,putinstallationmanualsonline,manualsthatmakepublicthedefaultpasswordsfortheirproducts.

•http://www.foxnews.com/tech/2014/11/21/hacked-webcams-is-your-home-next/?intcmp=ob_homepage_tech&intcmp=obnetwork

TheTaiwanesegovernmentisinvestigatingwhetherXiaomi,Inc.,China’sleadingsmartphonecompany…isacybersecuritythreat…asgovernmentsbecomeincreasinglywaryofpotentialcybersecuritythreatsfromtheworld’ssecond-biggesteconomy.…Thesmartphonemakerrecentlycameunderfireforunauthorizeddataaccess.

•https://ca.news.yahoo.com/taiwan-government-investigates-xiaomi-potential-cyber-security-concerns-044430946—finance.html

ASyrianTwitteruserappearedtobreakthenewsofU.S.-ledairstrikesinSyriaovernightbeforethePentagonannouncedithadlaunchedthem.

•http://news.yahoo.com/us-syria-air-strikes-live-tweets-130215331.html

HomeDepotsaidThursdayarecentcyberattackonitscomputernetworkaffecteda

colossal56 millioncustomerpaymentcards…isbelievedtobethebiggesteverhackofaretailfirm’scomputersystems…usedmalwaretocollectcustomerinformation.

•http://www.foxnews.com/tech/2014/09/19/home-depot-malware-attack-even-bigger-than-targets-56m-payment-cards-affected/?intcmp=obnetwork

Hackerswouldlovetoweaseltheirwayontoyoursmartphoneortablet…mobilegadgetsareabithardertocrack…hackershavetobeevensneakierandusemalicious

http://www.foxnews.com/tech/2014/11/21/hacked-webcams-is-your-home-next/?intcmp=ob_homepage_tech&intcmp=obnetwork

https://ca.news.yahoo.com/taiwan-government-investigates-xiaomi-potential-cyber-security-concerns-044430946--finance.html

http://news.yahoo.com/us-syria-air-strikes-live-tweets-130215331.html

http://www.foxnews.com/tech/2014/09/19/home-depot-malware-attack-even-bigger-than-targets-56m-payment-cards-affected/?intcmp=obnetwork

appsorhiddenWi-Fiattacksorsimplywalkoffwithyourgadget.

•http://www.foxnews.com/tech/2014/10/19/essential-security-apps-for-your-smartphone-and-tablet/?intcmp=obnetwork

Governmentsallaroundtheworldusemalwareandspywaretokeeptabsonpeople,fromvisitorstoresidents.

TheDetekttoolwasdevelopedandsupportedbyseveralhumanrightsgroups.Detektchecksformalwarethatisoftenusedagainstjournalists,activists,andothers.

•http://www.foxnews.com/tech/2014/11/21/free-tool-detects-government-spyware/?intcmp=ob_homepage_tech&intcmp=obnetwork

AcompanyWebsite,alongwith1.2 billionotherWebsites,wastargetedbyRussianhackersutilizingamassive“bot”attack.ThesebotsaggressivelyattemptedaccesstoWebsiteswithusernameandpasswordoptions.

•http://www.foxbusiness.com/personal-finance/2014/08/29/why-your-passwords-should-be-at-least-24-charcters-long/?intcmp=obnetwork

VotingmachinesthatswitchRepublicanvotestoDemocratsarebeingreportedinMaryland.

•http://www.foxnews.com/politics/2014/10/27/calibration-issue-pops-up-on-maryland-voting-machines/

AustraliandefenseofficialsarepreparingforwhatcouldbeabarrageofpossiblecyberattacksduringtheG20leaders’summitthisSaturdayandSundayinBrisbane.“TargetingofhighprofileeventssuchastheG20bystate-sponsoredorotherforeignadversaries,cybercriminalsandissue-motivatedgroupsisarealandpersistentthreat…”

•http://www.foxnews.com/tech/2014/11/13/australia-braces-for-g20-cyber-attacks/?intcmp=features

Someofthe“FBI’sCyber’sMostWanted”showthatthisproblemisglobalinnatureasthosewantedcomefromallpartsoftheworld.(SeetheirphotosanddescriptionsontheirWebsite—alsonotethattheyarefromallovertheworld—http://www.fbi.gov/wanted/cyber.)

Theiroffensesincludesuchthings7asconspiracytocommitwirefraud,moneylaundering,passportfraud,andtraffickingincounterfeitservicemarks;wirefraud;moneylaundering;passportfraud;andtraffickingincounterfeitservicemarks.Reward:TheU.S.DepartmentofState’sTransnationalOrganizedCrimeRewardsProgramisofferinga

rewardofupto$1 millionforinformationleadingtothearrestand/orconviction…conspiringtocommitcomputerfraud;accessingacomputerwithoutauthorizationforthepurposeofcommercialadvantageandprivatefinancialgain;damagingcomputersthrough

http://www.foxnews.com/tech/2014/10/19/essential-security-apps-for-your-smartphone-and-tablet/?intcmp=obnetwork

http://www.foxnews.com/tech/2014/11/21/free-tool-detects-government-spyware/?intcmp=ob_homepage_tech&intcmp=obnetwork

http://www.foxbusiness.com/personal-finance/2014/08/29/why-your-passwords-should-be-at-least-24-charcters-long/?intcmp=obnetwork

http://www.foxnews.com/politics/2014/10/27/calibration-issue-pops-up-on-maryland-voting-machines/

http://www.foxnews.com/tech/2014/11/13/australia-braces-for-g20-cyber-attacks/?intcmp=features

http://www.fbi.gov/wanted/cyber

thetransmissionofcodeandcommands;aggravatedidentitytheft;economicespionage;andtheftoftradesecrets.

OnMay1,2014,agrandjuryintheWesternDistrictofPennsylvaniaindictedfivemembersofthePeople’sLiberationArmy(PLA)ofthePeople’sRepublicofChina(PRC)on31criminalcounts,includingconspiringtocommitcomputerfraud,accessingacomputerwithoutauthorizationforthepurposeofcommercialadvantageandprivatefinancialgain,damagingcomputersthroughthetransmissionofcodeandcommands,aggravatedidentitytheft,economicespionage,andtheftoftradesecrets.

ThesubjectswereallegedlyofficersofthePRC’sThirdDepartmentoftheGeneralStaffDepartmentofthePLA,SecondBureau,ThirdOffice,MilitaryUnitCoverDesignator61398,atsomepointduringtheinvestigation.Theactivitiesexecutedbyeachoftheindividualsallegedlyinvolvedintheconspiracyvariedaccordingtohisspecialties.EachprovidedhisindividualexpertisetoanallegedconspiracytopenetratethecomputernetworksofsixAmericancompanieswhilethosecompanieswereengagedinnegotiationsorjointventuresorwerepursuinglegalactionwith,oragainst,state-ownedenterprisesinChina.Theythenusedtheirillegalaccesstoallegedlystealproprietaryinformationincluding,forinstance,e-mailexchangesamongcompanyemployeesandtradesecretsrelatedtotechnicalspecificationsfornuclearplantdesigns.Onesubject,Sun,whoheldtherankofcaptainduringtheearlystagesoftheinvestigation,wasobservedbothsendingmaliciouse-mailsandcontrollingvictimcomputers.

Oneindividualiswantedforhisallegedinvolvementinmanufacturingspyware,whichwasusedtointercepttheprivatecommunicationsofhundreds,ifnotthousands,ofvictims.Aspartofthescheme,thesuspectranaWebsiteofferingcustomersawayto“catchacheatinglover”bysendingspywaremasqueradingasanelectronicgreetingcard.Victimswhoopenedthegreetingcardwouldunwittinglyinstallaprogramontotheircomputers.Theprogramcollectedkeystrokesandotherincomingandoutgoingelectroniccommunicationsonthevictims’computers.Theprogramwouldperiodicallysende-mailmessagesbacktothepurchaseroftheservicecontainingtheacquiredcommunications,includingthevictims’passwords,listsofvisitedWebsites,interceptede-mailmessages,andkeystrokelogs.Theprograminquestionwasinitiallycalled“e-mailPI”andrenamed“LoverSpy”inJuly/August2003.ThesuspectallegedlyhostedtheWebsite,aswellascreatingthecomputerprogram.HerantheoperationfromhisSanDiegoresidencein2003.

Hewaschargedwiththefollowingcrimes:manufacturingasurreptitiousinterceptiondevice,sendingasurreptitiousinterceptiondevice,advertisingasurreptitiousinterceptiondevice,unlawfullyinterceptingelectroniccommunications,disclosingunlawfullyinterceptedelectroniccommunications,unauthorizedaccesstoprotectedcomputerforfinancialgain,andaidingandabetting.

ThissuspectwasintheUnitedStatesonatravelvisaandthenobtainedastudentvisawhilehewastakingcollegecourses.HehastiestoSanDiego,California,andhislastknownlocationisSanSalvador,ElSalvador.

Onesecurityexpertnotedthathealthcare.govisastillahugeripetarget…andthat

unliketheprivatesector,nolawrequiresthefederalgovernmenttoeveninformyouifyourinformationhasbeenhacked.

•http://www.foxnews.com/politics/2014/10/27/is-your-obamacare-information-safe/

Throughoutthefloodofhacksanddatabreachesatretailers,restaurants,healthcareproviders,andonlinecompaniesthisyear—HomeDepot,Target,Subway,Adobe,andeBaywerejustahandful…

•http://www.foxnews.com/tech/2014/11/01/5-steps-to-keep-your-accounts-safe-from-hackers-and-scammers/?intcmp=ob_homepage_tech&intcmp=obnetwork

DefenseAdvancedResearchProjectAgencyleaderstoldlawmakerstheagencyismakingprogresswithanongoingcybersecurityprojectknownasPlanXtoincreasecybervisibilityandprovideanewfoundationforthefast-developingworldofcyberwarfaremovingintothefuture.

•http://defensetech.org/2014/05/14/darpa-sets-cyber-foundations-with-plan-x/#ixzz32V4YPy00

Informationwarfareisoneofthehottesttopicsincurrentdiscussionsofbattlefieldandgeopoliticalconflict.Ithasbeenaddressedinwritings,conferences,doctrinesandplans,andmilitaryreorganizations,andithasbeenproposedasafundamentalelementoftwenty-first-centuryconflict.Inaway,theIWsituationisreminiscentoftheconceptoflogisticsasamilitarydiscipline,c.1940:

•Elementsoftheconcepthadbeenknownandusedformillennia.

•Thevalueofintegratingthoseelementsintoacoherentdisciplinewasjustbeginningtoberecognized.

•Thedisciplinewastobecomeacentralelementofmodernwarfare—itisnowsaidthat“amateurgenerals[thatis,SaddamHussein]talkstrategy,professionalgeneralstalklogistics.”

•FromL.ScottJohnson,whoworksforTeraResearch,Inc.,acontractorperforminganalysisonbehalfoftheDirectorateofIntelligence.

GeneralZhu’scommentswereechoedduringaspiritedquestion-and-answersessionfollowingHagel’sspeech.Inthesession,PLAMajorGeneralYaoYunzhuquestionedAmerica’srepeatedclaimthatitdoesn’ttakesidesinterritorialdisputes,askinghowthatcanbetruewhentheUnitedStatesalsoclaimsthedisputedislandsintheEastChinaSeaarecoveredbyaU.S.treatywithJapan.

•http://www.foxnews.com/world/2014/05/31/chinese-general-warns-that-us-is-making-imporant-mistakes-in-region/?intcmp=HPBucket

VirtualBattlespace3…Usingthesystem,theArmycanbuildbattlefieldscenariosandtailorthegametoreflectspecificrequirements.Soldiers,forexample,cansimulate

http://www.foxnews.com/politics/2014/10/27/is-your-obamacare-information-safe/

http://www.foxnews.com/tech/2014/11/01/5-steps-to-keep-your-accounts-safe-from-hackers-and-scammers/?intcmp=ob_homepage_tech&intcmp=obnetwork

http://defensetech.org/2014/05/14/darpa-sets-cyber-foundations-with-plan-x/#ixzz32V4YPy00

http://www.foxnews.com/world/2014/05/31/chinese-general-warns-that-us-is-making-imporant-mistakes-in-region/?intcmp=HPBucket

drivingaStryker,conductpatrols,engageinclosecombat,anddrivedowntothefiringpositiontopracticegunneryinrealisticterrain.

•http://www.foxnews.com/tech/2014/05/22/army-battles-with-brawn-and-beer-bellies/?intcmp=features

TheU.S.DepartmentofHomelandSecurityisinvestigatingabouttwodozencasesofsuspectedcybersecurityflawsinmedicaldevicesandhospitalequipmentthatofficialsfearcouldbeexploitedbyhackers…

•http://www.foxnews.com/tech/2014/10/22/us-government-probes-medical-devices-for-possible-cyber-flaws/?intcmp=features

BlackBerryhasannouncedadealtoacquireGermananti-eavesdroppingspecialistSecuSmart…providesitstechnologytoGermanChancellorAngelaMerkel,whoisatthecenterofacontroversyoveranallegedNationalSecurityAgencyphonetap.

•http://www.foxnews.com/tech/2014/07/29/blackberry-launches-cyber-snooping-counter-attack/?intcmp=obnetwork

Betweentraffic-lightcameras,blue-lightcamerasthatscanneighborhoodsforviolentcrime,camerasonboardcitytrainsandbuses—nottomentionprivatesecuritycameras—therearefewplacesyoucangoinChicagowithoutbeingmonitored.

•http://www.foxnews.com/politics/2014/05/12/security-camera-surge-in-chicago-sparks-concerns-massive-surveillance-system/

TheUnitedStatesplansto“keepupthepressure”onChinaasitgaugesthatnation’sresponsetothisweek’sindictmentoffiveChinesemilitaryofficialsforallegedlyhackingintoAmericancorporatecomputers…IfChinadoesn’tbegintoacknowledgeandcurbitscorporatecyberespionage,theUnitedStatesplanstostartselectingfromarangeofretaliatoryoptions.

•http://www.foxnews.com/politics/2014/05/24/us-to-rev-up-hacking-fight-against-china/

Thereareatleast19boguscellphonetowersoperatingacrosstheUnitedStatesthatcouldbeusedtospyupon,andevenhijack,passingmobilephones.

•https://us-mg6.mail.yahoo.com/neo/launch?.partner=ftr&.rand=701bmckq23kk8#mail

Morethan1000U.S.retailerscouldbeinfectedwithmalicioussoftwarelurkingintheircashregistercomputers,allowinghackerstostealcustomerfinancialdata,theHomelandSecurityDepartment…

•http://www.foxnews.com/tech/2014/08/22/malicious-software-in-cash-registers-could-affect-more-than-1000-us-retailers/?intcmp=obnetwork

ThedirectoroftheCIA,inarareapology,hasacknowledgedaninternalprobe’sfindingsthatCIAemployeesintheExecutiveBranchimproperlyspiedontheLegislativeBranchbysearchingSenatecomputersearlierthisyear.

http://www.foxnews.com/tech/2014/05/22/army-battles-with-brawn-and-beer-bellies/?intcmp=features

http://www.foxnews.com/tech/2014/10/22/us-government-probes-medical-devices-for-possible-cyber-flaws/?intcmp=features

http://www.foxnews.com/tech/2014/07/29/blackberry-launches-cyber-snooping-counter-attack/?intcmp=obnetwork

http://www.foxnews.com/politics/2014/05/12/security-camera-surge-in-chicago-sparks-concerns-massive-surveillance-system/

http://www.foxnews.com/politics/2014/05/24/us-to-rev-up-hacking-fight-against-china/

https://us-mg6.mail.yahoo.com/neo/launch?.partner=ftr&.rand=701bmckq23kk8#mail

http://www.foxnews.com/tech/2014/08/22/malicious-software-in-cash-registers-could-affect-more-than-1000-us-retailers/?intcmp=obnetwork

•http://www.foxnews.com/politics/2014/07/31/cia-director-apologizes-to-senate-leaders/?intcmp=latestnews

Inthefieldofartificialintelligence,thereisnomoreiconicandcontroversialmilestonethantheTuringTest,whenacomputerconvincesasufficientnumberofinterrogatorsintobelievingthatitisnotamachinebutratherisahuman.Havingacomputerthatcantrickahumanintothinkingthatsomeone,orevensomething,isapersonwetrustisawake-upcalltocybercrime.

•https://www.yahoo.com/tech/a-computer-passed-the-famous-turing-test-for-the-first-88270310244.html

ThemissiondatapackagesnowbeingdevelopedbytheAirForce’s53rdWingaredesignedtoaccommodatenewinformationasnewthreatdatabecomeavailable.ThedatabaseisloadedwithawiderangeofinformationtoincludecommercialairlinerinformationandspecificsonRussianandChinesefighterjets.

•http://www.foxnews.com/tech/2014/06/19/air-force-develops-threat-data-base-for-f-35/?intcmp=obnetwork

TheNationalSecurityAgency’s(NSA)surveillancemachineryisagaininthespotlightafteramediareportclaimedthatitissecretlyprovidingdatatoalmosttwodozenU.S.governmentagenciesviaapowerful“Google-like”searchengine.

•http://www.foxnews.com/tech/2014/08/26/google-like-search-engine-puts-nsa-snooping-back-in-spotlight/

Thefederalgovernmentisspendingnearly$1 milliontocreateanonlinedatabasethatwilltrack“misinformation”andhatespeechonTwitter…monitor“suspiciousmemes”andwhatitconsiders“falseandmisleadingideas,”withamajorfocusonpoliticalactivityonline.

•http://www.foxnews.com/politics/2014/08/26/feds-creating-database-to-track-hate-speech-on-twitter/

TheSecretServicehasconfirmedwhatyou’veprobablysuspectedforalongtime:Publiccomputersathotelsareridiculouslyinsecure,andyou’retakingagamblewithyourpersonaldataeachtimeyouuseone.

•http://www.foxnews.com/tech/2014/07/14/secret-service-warns-hotels-data-theft/?intcmp=obnetwork

Israeli’ssecretserviceinterceptedSecretaryofStateJohnKerry’sphonecallsduring2013MiddleEastpeacenegotiations,accordingtotheGermanpublicationSpiegel.

•http://www.foxnews.com/politics/2014/08/03/israel-spied-on-kerrys-calls-during-2013-peace-talks-magazine-reports/

http://www.foxnews.com/politics/2014/07/31/cia-director-apologizes-to-senate-leaders/?intcmp=latestnews

https://www.yahoo.com/tech/a-computer-passed-the-famous-turing-test-for-the-first-88270310244.html

http://www.foxnews.com/tech/2014/06/19/air-force-develops-threat-data-base-for-f-35/?intcmp=obnetwork

http://www.foxnews.com/tech/2014/08/26/google-like-search-engine-puts-nsa-snooping-back-in-spotlight/

http://www.foxnews.com/politics/2014/08/26/feds-creating-database-to-track-hate-speech-on-twitter/

http://www.foxnews.com/tech/2014/07/14/secret-service-warns-hotels-data-theft/?intcmp=obnetwork

http://www.foxnews.com/politics/2014/08/03/israel-spied-on-kerrys-calls-during-2013-peace-talks-magazine-reports/

Chinatookitsinvestigationof“allegedmonopolyactions”byMicrosofttoanewlevelthisweek,raidingfourofthecompany’sofficesandcarryingawayinternaldocumentsandcomputers.

•http://www.foxnews.com/tech/2014/07/30/microsofts-china-woes-increase/?intcmp=obnetwork

SamsungElectronicssaidfiveofitsGalaxy-brandedsmartphonesandtabletsthatcomewithitsenterprisesecuritysoftwarerecentlyreceivedapprovalfromtheU.S.DefenseInformationSystemsAgency,allowingthemtobelistedasanoptionforofficials.

•http://www.foxnews.com/tech/2014/06/09/samsung-devices-get-nod-from-us-defense-agency/?intcmp=obnetwork

AsmoredevicesandapplianceswithInternetcapabilitiesenterthemarket,protectingthosedevicesfromhackersbecomescritical.Unfortunately,manyofthesenoncomputer,nonsmartphonedevices—fromtoiletstorefrigeratorstoalarmsystems—werenotbuiltwithsecurityinmind.

•http://www.foxnews.com/tech/2014/08/26/how-to-secure-your-easily-hackable-smart-home/?intcmp=obnetwork

HotontheheelsoftheNSAsnoopingfirestorm,aleakeddocumentappearstodetailthecyberespionagetricksemployedbyitsU.K.counterpart,GCHQ.

•http://www.foxnews.com/tech/2014/07/15/uk-intelligence-agency-in-cyber-spying-controversy/

Thespyagencyhasreliedmoreonfacial-recognitiontechnologyinthepast4 yearsasaresultofnewsoftwarethatcanprocessthefloodofdigitalcommunicationssuchase-mails,textmessages,andevenvideoconferences…

•http://www.foxnews.com/politics/2014/06/01/nsa-steps-up-digital-image-harvesting-to-feed-its-advancing-facial-recognition/

ConcernedovernetworksecurityfollowingnewslastyearsuggestingGermanleaderAngelaMerkelhadherphonetappedbytheNSA,thegovernmentsaiditwilltransferallitstelecomandInternet-relatedservicestotheGermanfirmDeutscheTelekom…

•http://www.foxnews.com/tech/2014/06/27/german-government-ends-contract-with-verizon-following-nsa-revelations/?intcmp=obnetwork

TheU.K.CyberSecurityStrategy:ProtectingandpromotingtheUnitedKingdominadigitalworld.OurvisionisfortheUnitedKingdomin2015toderivehugeeconomicandsocialvaluefromavibrant,resilient,andsecurecyberspace,whereouractions,guidedbyourcorevaluesofliberty,fairness,transparency,andtheruleoflaw,enhanceprosperity,nationalsecurity,andastrongsociety.

http://www.foxnews.com/tech/2014/07/30/microsofts-china-woes-increase/?intcmp=obnetwork

http://www.foxnews.com/tech/2014/06/09/samsung-devices-get-nod-from-us-defense-agency/?intcmp=obnetwork

http://www.foxnews.com/tech/2014/08/26/how-to-secure-your-easily-hackable-smart-home/?intcmp=obnetwork

http://www.foxnews.com/tech/2014/07/15/uk-intelligence-agency-in-cyber-spying-controversy/

http://www.foxnews.com/politics/2014/06/01/nsa-steps-up-digital-image-harvesting-to-feed-its-advancing-facial-recognition/

http://www.foxnews.com/tech/2014/06/27/german-government-ends-contract-with-verizon-following-nsa-revelations/?intcmp=obnetwork

•https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/60961/uk-cyber-security-strategy-final.pdf

ManyofAmerica’smilitarysecretscanbestolenbyexploitingthenetworksoverwhichunclassifiedinformationissharedbymilitarycontractorsandsubcontractors…Chinesehackersarebelievedtohavestolenthedesignsfor“morethantwodozenmajorweaponssystems…”

•http://www.cbsnews.com/news/how-chinese-hackers-steal-us-secrets/2/

…ThePentagonwaspushingtoexpanditscybersecurityforces.TheU.S.military’sso-calledCyberCommandwillgrowfivefoldoverthenextfewyears,from900employeesatpresenttoabout5000civilianandmilitarypersonnel,Orrreported.

•http://www.cbsnews.com/news/china-military-unit-behind-many-hacking-attacks-on-us-cybersecurity-firm-says/

U.S.officialsareblamingChinesehackersforanotherseriousdatabreach.Someonebrokeintosecuregovernmentnetworksthatholdpersonalinformationforallfederalemployees.Thetargetappearstobeworkersapplyingforhigh-levelsecurityclearances.

•http://www.cbsnews.com/news/report-chinese-hackers-got-to-federal-workers-records/

Onaverage,thehackerswouldspendnearlyayearperusingatargetedcompany’ssystemslookingforsensitiveinformationtosteal:productdevelopmentplans,manufacturingtechniques,businessplans,andthee-mailmessagesofseniorexecutives.ThepointistohelpChinesecompaniesbemorecompetitive.

•http://gizmodo.com/why-chinese-hackers-stole-4-5-million-us-hospital-recor-1623284602

HackersmayhavebreachedtheOfficeofPersonnelManagement’snetwork…intrusionhasbeentracedtoChina,althoughitisnotclearthattheChinesegovernmentisinvolved.

•http://www.washingtonpost.com/news/morning-mix/wp/2014/07/09/report-chinese-hacked-into-the-federal-governments-personnel-office/

AChinesehackinggrouphasbeenaccusedofstealingdatafromIsrael’sbillion-dollarIronDomemissilesystem.

Thestate-sponsoredCommentCrewhackinggroup,thoughttooperateoutofChina,wasresponsibleforattacksfrom2011onwardonthreeIsraelidefensetechnologycompanies,ElisraGroup,IsraelAerospaceIndustries,andRafaelAdvancedDefenseSystems,allinvolvedwiththeIronDomeproject.

•http://www.theguardian.com/technology/2014/jul/29/chinese-hackers-steal-israel-iron-dome-missile-data

Ballistic-missiledefenses,joint-strikefighters,BlackHawks,andmore—Chinese

https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/60961/uk-cyber-security-strategy-final.pdf

http://www.cbsnews.com/news/how-chinese-hackers-steal-us-secrets/2/

http://www.cbsnews.com/news/china-military-unit-behind-many-hacking-attacks-on-us-cybersecurity-firm-says/

http://www.cbsnews.com/news/report-chinese-hackers-got-to-federal-workers-records/

http://gizmodo.com/why-chinese-hackers-stole-4-5-million-us-hospital-recor-1623284602

http://www.washingtonpost.com/news/morning-mix/wp/2014/07/09/report-chinese-hacked-into-the-federal-governments-personnel-office/

http://www.theguardian.com/technology/2014/jul/29/chinese-hackers-steal-israel-iron-dome-missile-data

hackershavetheirhandsonplansfortheseandmoreofthePentagon’smostsophisticatedweaponssystems,justthelatestsignthatthecultureofhackinginChinacontinuestoputAmericaonthedefensive…

•http://www.thewire.com/global/2013/05/china-hackers-pentagon/65628/

Securityattacks/breachesintheU.S.governmentfromJuly2014toNovember2014,includeHealthandHumanServices,EnergyDepartment,PostalService,WhiteHouse,StateDepartment—thosearejustthereportedones;theremaybemorethatarenotreportedor,worseyet,donotevenknowtheywereattacked.8

http://www.thewire.com/global/2013/05/china-hackers-pentagon/65628/

SummaryAsyoucansee,attacksandthoseissuesassociatedwithattacksanddefensearenumerousandvaryintheirapproach.Learnfromtheseattacks,soyourgovernmentagencyorcorporationdoesnotbecomeacasualtyofthisglobalinformationwarfare.

1Muchofthischapterisquotedwithpermissionfromtheauthorandhiscoauthor’sbook,GlobalInformationWarfare,secondedition,publishedbyCRCPress.2Report(A/65/201)oftheGroupofGovernmentalExpertsonDevelopmentsintheFieldofInformationandTelecommunicationsintheContextofInternationalSecurity.3Allstoriesareedited,generallydirectquotesfromthecitedWebsites,exceptwhereotherwisenoted.4http://en.wikipedia.org/wiki/Stuxnet;Razvan,Bogdan.“Win32.Worm.Stuxnet.A”.RetrievedMarch28,2014.5TVProgramcalled“NOVA,”October8,2014.6CyberWargame,”August25,2014,FoxBusinessChannelTV.7TakenfromtheFBI’sWebsite.8Cavuto,FoxNewTVProgram,November21,2014.

http://en.wikipedia.org/wiki/Stuxnet

SECTION I I

TheDutiesandResponsibilitiesofaCyberSecurityOfficerOUTLINEIntroduction

Chapter6.TheCyberSecurityOfficer’sPosition,Duties,andResponsibilities

Chapter7.TheCyberSecurityProgram’sStrategic,Tactical,andAnnualPlans

Chapter8.EstablishingaCyberSecurityProgramandOrganization

Chapter9.DeterminingandEstablishingCyberSecurityFunctions

Chapter10.EstablishingaMetricsManagementSystem

Chapter11.AnnualReevaluationandFuturePlans

Chapter12.High-TechnologyCrimesInvestigativeSupport

Introduction

SectionIprovidedabasicunderstandingoftheexternalworld,withallitsmanythreatstoinformationandinformationsystems—allofwhichhaveadirectbearingonthecybersecurityofficerandhisorherjob.SectionIIprovidesamoreinternal,businessfocusontheworldofthecybersecurityofficer.

SectionIIbeginswiththeidentificationoftheposition,duties,andresponsibilitiesofthecorporationcybersecurityofficer.Itprogressesthroughadiscussionof:

•establishingandmanagingacybersecurityprogram;

•strategic,tactical,andannualplans;

•developingandmanagingacybersecurityorganizationanditsfunctions;

•measuringcybersecuritycosts,failures,andsuccessesthroughmetricsmanagement;

•supportingtheinvestigativestaff;and

•anoverviewofthecybersecurityprograminanation-state’snationalsecurityenvironment.

CHAPTER6

TheCyberSecurityOfficer’sPosition,Duties,andResponsibilities

AbstractTheobjectiveofthischapteristodefinetherolethatthecybersecurityofficerwillplayinacorporationorgovernmentagency.Inthiscase,itistheroleofthecybersecurityofficerinaninternationalcorporation.Thedutiesandresponsibilitiesofacybersecurityofficervarydependingontheplaceofemployment.However,inthiscase,weareassumingthecybersecurityofficerhastheperfectpositionbecauseitisoneallcybersecurityofficersshouldstrivetoattaininorderto“doitrightthefirsttime.”

KeywordsCellularphones;Cybersecurityofficer;Managementblankcheck;Missionstatements;Projectmanagement;Qualitystatements;Riskmanagement;Visionstatements

Responsible,whowantstoberesponsible?Wheneversomethingbadhappens,it’salways,who’sresponsibleforthis?

JerrySeinfeld1

CONTENTS

Introduction 104WhereItBeganandItsEvolutionandRevolution 104

TheCyberSecurityOfficerinaGlobalCorporation 106CyberSecurityOfficerDutiesandResponsibilities 109GoalsandObjectives 109LeadershipPosition 110

ProvidingCyberSecurityServiceandSupport 110UseTeamConcepts 111

Vision,Mission,andQualityStatements 112VisionStatements 112MissionStatements 113QualityStatement 113

CyberSecurityPrinciples 114ProjectandRiskManagementProcesses 114

ProjectManagement 114RiskManagement 115

CyberSecurityOfficerandOrganizationalResponsibilities 115

CyberSecurityOfficer’sFormalDutiesandResponsibilities 116SummaryofthePurposeoftheCyberSecurityOfficerPosition 116Accountabilities 116

Summary 118

CHAPTEROBJECTIVE

Theobjectiveofthischapteristodefinetherolethatthecybersecurityofficerwillplayinacorporationorgovernmentagency.Inthiscase,itistheroleofthecybersecurityofficerinaninternationalcorporation.Thedutiesandresponsibilitiesofacybersecurityofficervarydependingontheplaceofemployment.However,inthiscase,weareassumingthecybersecurityofficerhastheperfectpositionbecauseitisoneallcybersecurityofficersshouldstrivetoattaininorderto“doitrightthefirsttime.”

IntroductionTheroleofthecybersecurityofficerismoredemandingnowthaneverbefore,owingtoadvancesintechnology,especiallyinminiaturizationandmobility;morenationalandglobalnetworkinterfacestohisorhercorporation;andmoresophisticatedattacks.Thechallengeshaveneverbeengreaterbuttheywillbeovertime.

WhereItBeganandItsEvolutionandRevolutionWebeganwithonlyphysicalsecurity,asafterall,theENIACandothercomputersdidnotconnecttotheworld.Aguard,apaper-authorizedpersonnelaccesslist,analarm,andsuchwereallthatwereneededinthoseearlydays.Butasthecomputerevolvedovertime,sodidtheprofessionofthecybersecurityofficer.

Thesecurityprofessionatthattimewasprimarilymadeupofretiredorformerlawenforcementormilitarypersonnel,whohadnointerestincomputersecurity.Theyknewphysicalsecurity,investigations,andpersonnelsecurity.Thisnewthingcalledacomputerwasbestlefttothecomputerscientistsandengineers.

Assystemsevolved,sodidthedepartmentsresponsiblefortheirsupport.Departmentsthatwereonceengineeringdepartmentsperhapsbecameinformationresourcemanagementdepartmentsandlaterbecameknownasinformationtechnology(IT)departments.TheprotectionofthisnewtechnologystayedwiththeITpeople.However,thecomputersecuritypositionswithintheITdepartmentsalsoevolved.

Asthemicroprocessoranditsrelatedtechnologydeveloped,theonce-separatedtelecommunicationsandcomputerstaffsbegantheirintegration.Consequently,the“computersecurity”professionbegantoalsoconsidertheprotectionofinformationasitflowedthroughtelecommunicationslinks.AstheInternetevolved,theneedforprotectinginformationasitwasdisplayed,suchasonWebsites,alsobecameanimportanttaskforthoseresponsibleforprotectingthehardware,software,andfirmware.

Informationandrelatedsystemsaresomeofabusiness’smostvaluableassets,onecanargue,secondonlytotheemployees.Infact,althoughnooneinmanagementwithinabusinesswouldeverprioritizeassetstoplaceinformationandsystemsabovetheemployees—atleastnotpublicly—peoplecanalwaysbereplaced,andreplacedatlesscostandadverseimpacttothebusiness,thantradesecretsandinformationnetworks.However,thatwillprobablyremainanunspokenissuebecauseofthesensitivenatureofvaluingmachinesoverhumans.

Whenwethinkaboutit,though,informationreallyisbusiness’sNo.1asset.Afterall,employeescanbeterminated,evenreplacedbycomputers,andthebusinesssurvives.Infact,profitsmayevenincreasebecauseoflowerlaborcosts.However,eliminateanintranetornationalorglobalinformationinfrastructureconnectionandthebusinesscouldbelost.

Today,thecybersecurityofficerpositionisgenerallystillpartoftheITdepartment’sfunction.Now,thecybersecurityofficerisresponsiblefortheprotectionofinformation

andthesystemsthatstore,process,transmit,anddisplaythatinformation.Thecybersecurityofficerprofessionhasmaturedintoaseparateprofession,andinmostlarge-to-mediumcompanies,itismorethanapart-timejoboradditionalresponsibilitythesedays.Insmallerbusinessesitremainsmostlyapart-timejoborisoutsourcedwithothersecurity-relatedfunctions.

Informationsystemsofvarioustypes,suchascellularphones,notebookcomputers,personaldigitalassistants,andfaxmachines,areallusedtoprocess,store,transmit,anddisplayinformation.Thesedevicesarebecomingmoreandmoreintegratedintoonedevice.Couplethisphenomenonwiththehardcopiesbeingproduced,andonefindsthatinformationmaybeprotectedonanintranetbutleakedthroughacellularphoneorprintedonpaperandthentakenoutofthebusiness’sfacilities.

CaseStudyCellularphonesarebecomingsmallerandsmaller.Digitalcamerasarealsobeinginstalledintothesecellularphones.Sincemanagementwantstheiremployeestohavethelatesthigh-technologydevicesthathelpsupportthebusinessinthemostefficientandeffectivewaypossible,employeesareissuedcellularphones.Thecellularphoneswithdigitalcamerasintegratedintothemallowemployeestodigitallysendphotographsaspartoftheirbusinesscommunicationsprocesses.Italsoprovidestheopportunityfortheemployeetophotographsensitivedocuments,facilities,andsuchandsendthephotosdirectlytounauthorizedsources.Thus,thereisnowanothermethodofperforming“Netspionage”(network-enabledespionage).Asacybersecurityofficer,doyouhavepolicies,etc.,inplacetomitigatethisnewthreat?

Thecybersecurityofficerpositionmustevolvetoberesponsiblenotonlyforprotectinginformationandsystemsrelatedto,ortheresponsibilityof,theITdepartment,butalsoforprotectingallofthebusiness’sinformationassets.Itisridiculoustohavethebusinesssecurityprofessionalresponsibleforthesecurityofcompanyassets,includinghard-copydocuments,people,andfacilities,andleavetheprotectionofautomatedinformationandsystemsessentiallytoITpeople.Thesepositionsmustbeintegratedtoprovideaholisticassetprotectionapproach.Thismaybeaccomplishedthroughtheevolutionofthecybersecurityofficerprofessionalintomorethana“computerprotector”andthesecuritymanagerintomorethanaphysicalsecuritymanager.Herein2016,weareslowly,grudginglygettingthere,buteversoslowly,exceptwhenitcomestomanagementfixingblame,ofcourse.

Thecybersecurityofficerpositionisevolving,butnoreal,permanent,standardized“home”hasbeenidentifiedforthecybersecurityofficerposition.Itdependsonthestructureandcultureofthecorporationinwhichheorsheisemployed.Wedoseesignsofthischangingasthisevolutioncontinues,fromguard,computerscientist,engineer,ITspecialist,computersecurityspecialist,toinformationsecurity(InfoSec)tocybersecurityofficer,withsomeindicationsofchangetocorporateinformationassuranceofficeror

corporateinformationsecurityofficerorcybersecurityofficer.Insomecases,theevolutionoftheprofessionhasalreadyledtomakingthecybersecurityofficerapartofexecutivemanagementinthepositionofavicepresident.Ofcoursethisvaries,ascanbeexpected,bythecultureofthecorporation.

Still,theevolutionmustcontinueuntilallinformationandsystemsareintegratedintoatotalbusinesscybersecurityprofession.Thisrequiresthecombiningofbusiness(corporate)security,forexample,physicalsecurityandpersonnelsecurity,andthecybersecurityofficerresponsibilities.Itisthebestwaytosafeguardallbusinessassetsinaholisticandcost-effectivemanner,butagain,basedonthecorporateculture.

TheCyberSecurityOfficerinaGlobalCorporationIfyouarechosenasthenewcybersecurityofficerforaglobalcorporation,youshouldhavedeterminedthehistoryofthatposition:

•Whenwasitestablished?

•Why?

•Whatisexpectedofyouasthecybersecurityofficer?

•Whatareyourresponsibilitiesandduties?

•Whatareyouaccountablefor?

•Whathappenedtothelastone?(Youwanttoknowsoyoucanunderstandthepoliticalenvironmentinwhichyouwillbeworking.)

Asyoubeginyournewjobasthecorporatecybersecurityofficer,youmustclearlydeterminewhatisexpectedofyou.Again,thisinformationshouldhavebeenaskedduringyourinterviewprocessfortworeasons:

•Soyouknowwhatyouweregettingintobyacceptingthecybersecurityofficerpositionand

•Soyoucanbetterprepareforthepositionwithamoredetailedcybersecurityprogrampriortobeginningyourfirstdayatwork.

Youneedadetailedplanpriortobeginningyouremploymentbecauseyouwillbebehindschedulefromthemomentyouwalkinthecorporatedoor.Thatisbecauseputtingtogetheracybersecurityprogramfromthestartisatremendousproject.Morelikelythannot,intoday’sworld,youwillprobablybeinheritingsomeoneelsecybersecurityprogram.

Asthenewcybersecurityofficer,itisimportanttoreviewtheprogramyouareinheriting,itsphilosophy,andthelogicbehinditspoliciesandprocedures.Neverchangeanythingunlessyoucanmakeitbetterbasedonriskanalysismethodology,notjustdifferent,asthatcostsmoney.Furthermore,theremaybeverygoodreasonsitiswhatitis,orthechiefexecutiveofficerorcorporateinformationofficer(CIO)wouldnothaveapproveditthewayyouinheritedit.

Youmustalsodeterminetheanswerstothefollowing:

•Whatisimportantandrequiresprotection?

•Whatisbeingprotected?

•Inwhatmanner?

•Isastaffneeded?

•Ifso,howmany?

•Withwhatqualifications,forwhatpositions?

•Whatarethetaskstobeperformed?

•Whatarethemandatory,bestpractices,andoptionalrequirementstobemet?

•Whatprocessesandfunctionsarenecessarytomeetthoserequirements?

•Whatarethenecessarybudgetallocations?

•Whatmetricsmanagementtechniquesarerequired?

andthelistgoeson.

Ontopofallthisistheneedtolearnaboutthecorporateculture,normalcorporatepoliciesandprocedures,andallthatcomeswithjustjoiningacompany.Asthenewcybersecurityofficer,youcannotaffordtowasteanytimeinyour24/7duties.Youmustunderstandandlearnyournewenvironment,thekeyplayers,andtheissuesthatmustbeaddressedfirst.Often,cybersecurityofficerstendtoisolatethemselvesfromtherestofthecorporationandconsideritalmosta“meagainstthem”situation.Intoday’scorporationsthiswillgetyounowherebutpossiblyoutthecorporatedoor.Asacybersecurityofficer,youandyourstaffmustintegrateyourfunctionsintothecorporatemainstreamandintegrateyourselvesintotheprocessesofthebusiness.“Teaming”withothersinthecorporationistheonlywaytosucceedintoday’sinformation-based,information-supported,andinformation-dependentmoderncorporations.

Thecybersecurityofficermusteventuallygetintoaproactivemodetobesuccessful,thatis,identifyingproblemsandsolutionsbeforetheycometotheattentionofmanagement.Cybersecurity-relatedproblemswillundoubtedlygetmanagement’sattentionwhentheyadverselyaffectcostsand/orschedules.Adverseimpactsoncostsandschedulesruncontrarytothecybersecurityprogramgoal,objectives,etc.

Whenacybersecurityofficerisinthepositionofconstantlyputtingoutfires,theproactivecybersecurityprogrambattleislost.Ifthatbattleislost,theresultsareadverseimpactsoncostsandschedules.Thegoalofacost-effectivecybersecurityprogramcannotbeattained.

Asthecybersecurityofficer,youhavebeentoldthatyouareexpectedtoestablishandmanageacybersecurityprogramthatworksandisnotaburdenonthecorporation.Youaretoldtoestablishaprogramthatyoubelieveisnecessarytogetthejobdone.Youhavethefullsupportofmanagementbecausetheyhavecometorealizehowimportanttheirinformationandsystemsaretothecorporationmaintainingitscompetitiveadvantageintheglobalmarketplace.Thishoneymoonwilllastmaybeaboutsixmonths—ifyouarelucky.So,youmusttakeadvantageofit.Todoso,youmusthaveafaststartandthenpickupspeed.

Basedideallyona“managementblankcheck”andyourpriorexperience(orfortheinexperiencedcybersecurityofficer,theinformationgainedfromreadingthisbook),youhaveevaluatedthecorporateenvironmentandhavedecidedthattheoverallgoalofthecybersecurityprogramisto:

Administeraninnovativecybersecurityprogramthatminimizesriskstothesevaluableassetsatleastimpacttocostsandschedules,whilemeetingallofthecorporation’sandcustomers’reasonableexpectations.

Ifthatiswhatisexpectedofyou,thenthatisyourprimarygoal.Everythingyoudoasthecybersecurityofficershouldbefocusedanddirectedtowardmeetingthatgoal.Thatincludesincorporatingthatphilosophyintoyour:

•Cybersecuritystrategicplan,

•Tacticalplan,and

•Annualplan.

CyberSecurityOfficerDutiesandResponsibilitiesAsaglobalcorporation’scybersecurityofficer,youhavecertaindutiesandresponsibilities.Theseincludethefollowing:

•Managingpeople,whichincludes:

Buildingareputationofprofessionalintegrity;

Maintainingexcellentbusinessrelationships;

Dealingwithchanges;

Communicating;

Influencingpeopleinapositiveway;

Buildingateamworkenvironment;and

Developingpeoplethroughperformancemanagement,suchasdirectingandhelpingthecybersecuritystafftoberesult-oriented.

•Managingthebusinessofthecybersecurityprogram,whichconsistsof:

Acommitmenttoresults;

Beingcustomer/supplierfocused;

Takingresponsibilityformakingdecisions;

Developingandmanagingresourceallocations,suchasbudgets;

Planningandorganizing;

Beingaproblem-solver;

Thinkingstrategically;

Usingsoundbusinessjudgment;and

Acceptingpersonalaccountabilityandownership.

•Managingcybersecurityprocesses,whichincludes:

Projectplanningandimplementation;

Persistenceofqualityineverything;

Maintainingasystemsperspective;and

Maintainingcurrentjobknowledge.

GoalsandObjectivesRememberthatyourprimarygoalistoadministeraninnovativecybersecuritythatminimizesinformationprotectionrisksattheleastimpacttocostsandschedules,whilemeetingallofthecorporation’sandcustomers’reasonableexpectations.

Youmusthaveasyourobjectivesatleastthefollowing:

•Enhancethequality,efficiency,andeffectivenessofthecybersecurityprogram.

•Identifypotentialproblemareasandstrivetomitigatethembeforetheyadverselyaffectprocesses,andespeciallybeforemanagementand/orcustomersidentifythem.

•Enhancethecompany’sabilitytoattractcustomersbecauseoftheabilitytoefficientlyandeffectivelyprotecttheirinformation.

•EstablishandmanagetheInfoSecorganizationastheleaderinthewidgetindustry.

LeadershipPositionAsacybersecurityofficer,youwillbeinaleadershipposition.Inthatposition,itisextremelyimportantthatyouunderstandwhataleaderisandhowaleaderistoact.

Accordingtothedefinitionofleadershipfoundinnumerousdictionariesandmanagementbooks,itbasicallymeansthepositionorguidanceofaleader,theabilitytolead,theleaderofagroup;apersonthatleads;orthedirecting,commanding,orguidinghead,asofagrouporactivity.

Asacybersecurityprofessionalandleader,youmustsettheexample:createandfosteran“informationprotectionconsciousness”withinthecompany.

Asacorporateleader,youmustcommunicatethecompany’scommunityinvolvement,eliminateunnecessaryexpenses,inspirecorporatepride,andfindwaystoincreaseprofitability.

Asateamleader,youmustencourageteamwork,communicatecleardirection,createacybersecurityenvironmentconducivetoteaming,andtreatothersaspeersandteammembers,notascompetitors.

Asapersonalleader,youmustimproveyourleadershipskills,acceptandlearnfromconstructivecriticism,takeownershipandresponsibilityfordecisions,makedecisionsinatimelymanner,anddemonstrateself-confidence.

ProvidingCyberSecurityServiceandSupportAsthecybersecurityofficerandleaderofacybersecurityserviceandsupportorganization,youmustbeespeciallytunedtotheneeds,wants,anddesiresofyourcustomers,bothinternal(thosewithinthecompany)andexternal(thosewhoareoutsidethecompanyandareusuallythecompany’scustomers).

Toprovideserviceandsupporttoyourexternalcustomers,youmust:

•Identifytheirinformationprotectionneeds;

•Meettheirreasonableexpectations;

•Showbyexamplethatyoucanmeettheirexpectations;

•TreatcustomersatisfactionasPriority1;

•Encouragefeedbackandlisten;

•Understandtheirneedsandexpectations;

•Treatcustomerrequirementsasanimportantpartofthejob;

•Establishmeasurestoensurecustomersatisfaction;and

•Providehonestfeedbacktocustomers.

Toprovideserviceandsupporttoyourinternalcustomers;youmust:

•Supporttheirbusinessneeds;

•Addvaluetotheirservices;

•Minimizesecurityimpacttocurrentprocesses;and

•Followthesameguidelinesasforexternalcustomers.

Asthecorporatecybersecurityofficer,youwillalsobedealingwithsuppliersofcybersecurityproducts.Thesesuppliersorvendorsarevaluablealliesbecausetheycanexplaintoyouthemanynewcybersecurity-relatedproblemsbeingdiscovered,andhowtheirproductsmitigatethoseproblems.Inaddition,theycankeepyouup-to-dateonthelatestnewswithinthecybersecurityofficerprofessionandaboutthelatestInfoSectoolsavailable.Furthermore,youcanmakeyourselfavailabletobetatestnewcybersecurityproductsandprovidefeedbacksothefinalproductswillmeetyourneeds.

Indealingwithsuppliersofcybersecurity-relatedproducts,youshoulddothefollowing:

•Advisethemofyourneedsandwhattypesofproductscanhelpyou;

•Assisttheminunderstandingyourrequirementsandtheproductsthatyouwantfromthem,includingwhatmodificationstheymustmaketotheirproductsbeforeyouarewillingtopurchasethem;

•Directtheminthesupportandassistancetheyaretoprovideyou;

•Respectthemasteammembers;

•Valuetheircontributions;

•Requirequalityproductsandhighstandardsofperformancefromthem;

•Recognizetheirneedsalso.

UseTeamConceptsItisimportantthatasthecybersecurityofficer,youunderstandthatthecybersecurityprogramisacompanyprogram.Tobesuccessful,thecybersecurityofficercannotoperateindependently,butasateamleader,withateamofotherswhoalsohaveavestedinterestintheprotectionofthecompany’sinformationandinformationsystems.

Itisimportanttorememberthatifthecybersecurityprogramanditsrelatedfunctionsaredividedamongtwoormoreorganizations(e.g.,otherassetprotectionsuchasphysicalsecurityofhardwareunderthesecuritydepartment),therewillnaturallybeatendencyforlesscommunicationandcoordination—andofcoursepoliticalturfbattles.Thecybersecurityofficermustbesensitivetothisdivisionoffunctionsandmustensurethatevenmorecommunicationandcoordinationoccurbetweenallthedepartmentsconcerned.

Thecybersecurityproceduresmustbesoldtothemanagementandstaffofthecorporation.Iftheyarepresentedasalawthatmustbefollowedorelse,thentheywillbedoomedtofailure.Thecybersecurityofficerwillneverhaveenoughstafftomonitoreveryoneallthetime,andthatiswhatwillbeneeded.Forassoonasthecybersecurityofficer’sbackisturned,theemployeeswillgobacktodoingitthewaytheywanttodoit.Everyonemustdoitthe“rightsecurityway”becausetheyknowitisthebestwayandintheirowninterests,aswellasintheinterestofthecorporation.

Inmanyglobalcorporationstoday,successcanbeachievedonlythroughcontinuousinterdepartmentalcommunicationandcooperationandbyformingspecialistsfromvariousorganizationsintointegratedprojectteamstosolvecompanyproblems.Thecybersecurityofficershouldkeepthatinmind.Teamingandsuccessgotogetherintoday’smoderncorporation.

Vision,Mission,andQualityStatementsManyoftoday’smoderncorporationshavedevelopedvision,mission,andqualitystatementsusingahierarchicalprocess.Thestatements,ifused,shouldlinkalllevelsinthemanagementandorganizationalchain.Thestatementsofthelowerlevelsshouldbewrittenandusedtosupporttheupperlevelsandviceversa.

Thefollowingexamplescanbeusedbythecybersecurityofficertodevelopsuchstatements,iftheyarenecessary.Italldependsonthecultureofthecorporationandtheprocessesinplace.Itseemsthatthesetypesofstatementsare“politicallyrequired”butgivenlipserviceastheyarethrustontheemployeesbysomeoutsourcedmarketingfirmorinternalmarketinggroup.

VisionStatementsInmanyoftoday’sbusinesses,managementdevelopsavisionstatement.Asstatedearlierinthisbook,thevisionstatementisusuallyashortparagraphthatattemptstosetthestrategicgoal,objective,ordirectionofthecompany.

Thecorporationmayhaveavisionstatementandrequireallorganizationstohavestatementsbasedonthecorporatestatement.Rememberthatavisionstatementisashortstatementthat:

•Isclear,concise,andunderstandablebytheemployees;

•Isconnectedtoethics,values,andbehaviors;

•Stateswherethecorporationwantstobe(longterm);

•Setsthetone;and

•Setsthedirection.

Thefollowingisanexampleofavisionstatement:Thecorporatevisionistomaintainitscompetitiveadvantageintheglobalmarketplacebyprovidingwidgetstoourcustomerswhentheywantthem,wheretheywantthem,andatafairprice.

ThecybersecurityofficermayreporttotheCIO,andtheCIO’svisionstatement:Inpartnershipwithourcustomers,weprovideacompetitiveadvantagefortheIWCwidgetbycontinuousmaximizationofavailabletechnologyandinnovativeinformationmanagementconceptstoenhanceproductivityandcost-effectivelysupportincreasedproductionofcorporateproducts.

Thecybersecurityvisionstatementmaybe:Weprovidethemostefficientandeffectivecybersecurityprogramforthecorporation,whichaddsvaluetoourproductsandservices,asarecognizedleaderinthewidgetindustry.

MissionStatements

Rememberthatmissionstatementsaredeclarationsofthepurposeofabusinessorgovernmentagency.Belowaresamples:

Missionstatement:Thecorporatemissionistodesign,manufacture,andsellhigh-qualityproducts,therebyexpandingourglobalmarketsharewhilecontinuingtoimproveprocessestomeetcustomers’expectations.

CIOmissionstatement:Themissionofthecorporateinformationofficeistoefficientlyandeffectivelymanageinformationandprovidelow-cost,productivity-enhanced,technology-basedservicesthatwillassistIWCinmaintainingitscompetitiveadvantageinthemarketplace.

Cybersecurityprogrammissionstatement:Administeraninnovativeprogramthatminimizesinformationprotectionrisksattheleastimpacttocostandschedule,whilemeetingallofIWC’sandcustomers’informationandinformationsystemsassetsrequirements.

QualityStatementRememberthatqualityiswhataddsvaluetoyourcompany’sproductsandservices.Itiswhatyourinternalandexternalcustomersexpectfromyou.

Qualitystatement:Toprovidequalitywidgetstoourcustomerswithzerodefectsbybuildingitrightthefirsttime.

CIOqualitystatement:ToprovidequalityinformationmanagementservicesandsystemssupportwhileenhancingtheproductivityopportunitiesoftheIWCworkforce.

Cybersecurityprogramqualitystatement:Consistentlyprovidequalitycybersecurityprofessionalservicesandsupportthatmeetthecustomers’requirementsandreasonableexpectations,inconcertwithgoodbusinesspracticesandcompanyguidelines.2

CyberSecurityPrinciplesThecybersecurityofficer’sdutiesandresponsibilitiesaremanyandsometimesquitecomplexandconflicting.However,asthecorporatecybersecurityofficer,youmustneverlosesightofthethreebasicprinciples:

•Accesscontrol;

•Individualaccountability;and

•Audittrails.

Thistriadofprinciplesmustbeincorporatedintothecybersecurityprogram.Forjustasathree-leggedstoolrequiresthreestrongandlevellegstobeuseful,thecybersecurityprogramrequiresthesethreestrongprinciples.Withoutallthree,thecybersecurityprogramwilltopple,justasatwo-leggedstoolwilltopple.

ProjectandRiskManagementProcessesTwobasicprocessesthatareanintegralpartofacybersecurityprogramareprojectmanagementandriskmanagementconcepts.

ProjectManagementAsthecybersecurityofficeandorganizationalmanagerandleaderforthecorporation,youwillalsoprovideoversightoncybersecurity-relatedprojectsthatarebeingworkedbymembersofyourstaff.

Thecriteriaforaprojectareasfollows:Formalprojects,alongwithprojectmanagementcharts,willbeinitiatedwhereimprovementsorotherchangeswillbeaccomplishedandwherethatefforthasanobjective,hasbeginningandendingdates,and

willtakelongerthan30 daystocomplete.Iftheprojectwillbeaccomplishedinlessthan30 days,aformalprojectmanagement

processisnotneeded.Therationaleforthisisthatprojectsofshortdurationarenotworththecost(intermsoftimeneededtocompletetheprojectplan,charts,etc.)ofsuchaformalprocess.

RiskManagementTobecost-effective,thecybersecurityofficermustapplyrisk-managementconceptsandidentify:

•Threatstotheinformationandinformationsystemsofthecorporation;

•Vulnerabilities(informationsystems’weaknesses);

•Risks;and

•Countermeasurestomitigatethoserisksinacost-effectiveway.

CyberSecurityOfficerandOrganizationalResponsibilitiesAsthecybersecurityofficer,youwillbemanagingandleadingacybersecurityorganization.Youwillberesponsiblefordeveloping,implementing,maintaining,andadministeringacompany-wideprogram.Thefollowingisanexamplescenarioforthedevelopmentofyourorganizationalresponsibilities.

Youhaveevaluatedthecorporateenvironmentandfoundthatacentralizedcybersecurityprogramisrequiredtocost-effectivelyjump-starttheprogramanditsassociatedprocesses.Yourevaluationofwhatisneededledyoutoconsiderthefollowingprogram-relatedfunctionsfordevelopment:

•Managementofallfunctionsandworkthatareroutinelyaccomplishedduringthecourseofconductingtheorganization’sbusinessinaccordancewithcorporatepoliciesandprocedures;

•Systemaccessadministrationandcontrols,includingthedirectuseandcontrolofsystemaccesssoftware,monitoringitsuse,andidentifyingaccessviolations;

•Accessviolationanalysestoidentifypatternsandtrendsthatmayindicateanincreasedrisktosystemsorinformation;

•Computercrimeandabuseinquirieswherethereareindicationsofintenttodamage,destroy,modify,orreleasetounauthorizedpeopleinformationofvaluetothecompany(Note:thisfunctionwascoordinatedandagreedtobytheDirectorofSecurityaslongashisinvestigativeorganizationmanagerwaskeptapprisedoftheinquiriesandcopiesofallreportssenttothatmanager);

•Disasterrecovery/contingencyplanning,whichincludesdirectingthedevelopmentandcoordinationofacompany-wideprogramtomitigatethepossibilityoflossofsystemsandinformationandensuretheirrapidrecoveryintheeventofanemergencyordisaster;

•Anawarenessprogramestablishedandadministeredtoallsystemuserstomakethemawareoftheinformationsystemsprotectionpoliciesandproceduresthatmustbefollowedtoadequatelyprotectsystemsandinformation;

•Evaluationofthesystems’hardware,firmware,andsoftwareforimpactonthesecuritysystemsandinformation;

•Whereapplicable,conductionofriskassessments,withtheresultsreportedtomanagementforriskdecisions;

•Conductionofsystems’complianceinspections,tests,andevaluationstoensurethatallusersandsystemsareincompliancewithIWC’sCIAPPpoliciesandprocedures.

CyberSecurityOfficer’sFormalDutiesandResponsibilitiesBasedontheaboveandinconcertwiththeexecutivemanagementofthecorporation,thecybersecurityofficerhasdevelopedandreceivedapprovalforformallyestablishingthefollowingcharterofthecybersecurityofficerresponsibilities:

SummaryofthePurposeoftheCyberSecurityOfficerPositionDevelop,implement,maintain,andadministeranoverall,corporate-widecybersecurityprogramtoincludeallplans,policies,procedures,assessments,andauthorizationsnecessarytoensuretheprotectionofcustomer,subcontractor,andcorporateinformationfromcompromise,destruction,and/orunauthorizedmanipulationwhilebeingprocessed,stored,and/ortransmittedbycorporate’sinformationsystems.

Accountabilities•Identifyallgovernment,customer,andcorporatecybersecurityrequirementsnecessaryfortheprotectionofallinformationprocessed,stored,and/ortransmittedbycorporate’sinformationsystems;interpretthoserequirements;anddevelop,implement,andadministercorporateplans,policies,andproceduresnecessarytoensurecompliance.

•Evaluateallhardware,firmware,andsoftwareforimpactonthesecurityoftheinformationsystems;directandensuretheirmodificationifrequirementsarenotmet;andauthorizetheirpurchaseandusewithinthecorporationandapplicablesubcontractorlocations.

•Establishandadministerthetechnicalsecuritycountermeasuresprogramtosupportthecorporaterequirements.

•Establishandadministerasecuritytestandevaluationprogramtoensurethatallofcorporate’sandapplicablesubcontractors’informationsystems/networksareoperatinginaccordancewiththeircontracts.

•Identify,evaluate,andauthorizeforuseallinformationsystemsandotherhardwarewithinthecorporationandatapplicablesubcontractorlocationstoensurecompliancewithred/blackengineeringwhereproprietaryandothersensitiveinformationisprocessed.

•Directtheuseof,andmonitor,thecorporate’sinformationsystemsaccesscontrolsoftwaresystems;analyzeallsystems’securityinfractions/violationsandreporttheresultstomanagementandhumanresourcespersonnelforreviewandappropriateaction.

•Identifyinformationsystemsbusinesspracticesandsecurityviolations/infractions;conductinquiries;assesspotentialdamage;directandmonitorcorporatemanagement’scorrectiveaction;andimplement/recommendcorrective/preventiveaction.

•Establishanddirectacorporate-widetelecommunicationssecurityworkinggroup.

•Develop,implement,andadministerariskassessmentprogram;provideanalysestomanagement;modifycorporateandsubcontractorrequirementsaccordinglytoensurealowest-costcybersecurityprogram.

•Establishandadministeracybersecurityawarenessprogramforallcorporateinformationsystemsusers,toincludecustomersandsubcontractorusers,andensuretheyarecognizantofinformationsystemsthreatsandofsecuritypoliciesandproceduresnecessaryfortheprotectionofinformationsystems.

•Directandcoordinateacorporate-wideinformationsystemsemergency/disasterrecovery/contingencyplanningprogramtoensuretherapidrecoveryofinformationsystemsintheeventofanemergencyordisaster.

•Directthedevelopment,acquisition,implementation,andadministrationofthecybersecurity’ssoftwaresystems.

•Representthecorporationonallcybersecuritymatterswithcustomers,governmentagencies,suppliers,andotheroutsideentities.

•Provideadvice,guidance,andassistancetomanagementrelativetocybersecuritymatters.

•Performcommonmanagementaccountabilitiesinaccordancewithcorporate’smanagementpoliciesandprocedures.

Summary3Theroleoftoday’scybersecurityofficerhasevolvedovertimeandwillcontinuetoevolve.Thecybersecurityofficerprofessionoffersmanychallengestoanyonewhowantstomatchwitswithglobalhackers,criminals,terrorists,andothermiscreants.Inabusinessenvironmentsuchasthatofaglobalcorporation,thecybersecurityofficerhasspecificresponsibilities.Asacybersecurityofficer,youshouldunderstandthefollowing:

•Thecybersecurityofficerpositionisaleadershippositionwithinacompany.

•Therecentlyhiredcybersecurityofficermustknowwhatisexpectedofthecompany’snewcybersecurityofficerandshouldhaveaclearunderstandingofthoseexpectationsbeforetakingtheposition.

•Thethreeprimaryresponsibilitiesofacybersecurityofficerare:(1)managingpeople,(2)managingthecybersecurityprogram,and(3)managingcybersecurityprocesses.

•Thecybersecurityofficermustsetforthcleargoalsandobjectives.

•Thecybersecurityofficerintheleadershiprolemustbeacompanyleader,teamleader,andpersonalleader.

•Thecybersecurityofficermustprovidecybersecurityserviceandsupportusingteamconcepts.

•Thecybersecurityofficershoulddevelopvision,mission,andqualitystatementsasguidestodevelopingasuccessfulcybersecurityprogram.

•Thecybersecurityofficershouldstrivetoadministeracybersecurityprograminwhichallthemajorcybersecurityfunctionsareundertheresponsibilityofthecybersecurityofficer.

1Reader’sDigest,October2002,p.73.2Youwillfindthatthesamethemesofservice,support,cost-effectiveness,customerexpectations,etc.,continuouslyrunthroughthisbook.Itishopedthattheconstantreinforcementwillcausethereadertocontinuouslythinkofthesethemeswhenestablishingandmanagingacybersecurityprogram.3Muchoftheinformationinthischapterprovidesdetailsthatcouldbeusedtofillinthedetailsofthecybersecurityofficer’sportfolio.

CHAPTER7

TheCyberSecurityProgram’sStrategic,Tactical,andAnnualPlans

AbstractTheobjectiveofthischapteristoestablishthestrategic,tactical,andannualplansforthecybersecurityorganization.Theseplanswillalsosetthedirectionforcorporate’scybersecurityprogramwhileintegratingthecybersecurityplansintocorporate’splans,thusindicatingthatthecybersecurityprogramisanintegralpartofthecorporation.

KeywordsCorporateannualbusinessplan;Corporateformat;Corporate’sstrategy;Cost-effectivemethod;Cybersecuritystrategicplan;Cybersecuritytacticalplan

Thoughthisbemadness,yetthereismethodin’t

WilliamShakespeare1

CONTENTS

Introduction 120Corporate’sCyberSecurityStrategicPlan 121

TheCyberSecurityStrategicPlanObjective 122CyberSecurityStrategicPlanandTeamConcepts,Communication,andCoordination 122CyberSecurityStrategicPlanningConsiderations 123MappingCorporate’sCyberSecurityStrategicPlantotheCorporateStrategicBusinessPlan 123WritingtheCyberSecurityStrategicPlan 124

Corporate’sCyberSecurityTacticalPlan 124WritingtheCyberSecurityTacticalPlan 125

CyberSecurityAnnualPlan 125CyberSecurityAnnualPlanProjects 126MappingtheCyberSecurityAnnualPlantotheCorporateAnnualBusinessPlan 127WritingtheCyberSecurityAnnualPlan 127

QuestionstoConsider 128Summary 128

CHAPTEROBJECTIVE

Theobjectiveofthischapteristoestablishthestrategic,tactical,andannualplansforthecybersecurityorganization.Theseplanswillalsosetthedirectionforcorporate’scybersecurityprogramwhileintegratingthecybersecurityplansintocorporate’splans,thusindicatingthatthecybersecurityprogramisanintegralpartofthecorporation.

IntroductionThesaying“Yagottahaveaplan”definitelyappliestosuccessfullyaccomplishingthedutiesandresponsibilitiesofacybersecurityofficer.Withoutstrategic,tactical,andannualplans,theofficerwouldbespendingallofeverydayrunningfromcrisistocrisisandhaphazardlytryingtoprotectinformationandinformationsystemsforthecorporation.Inaddition,theseplansarethecost-effectivemethodofprovidingasecureinformationenvironmentforthecorporation.

Therewillalwaysbecrisestocontendwith;however,evenmostcrisescanbeplannedforsothatwhentheyoccur,anemergencyplancanbeimplemented.Theplanwillprovideatleastguidanceandanoutlineofwhattodo—notonlywhattodo,butwhenandhowtodoitrapidlyandeffectively.Let’sfaceit:Mostcrisescanbeidentified,andwearealreadyaccustomedtodoingsothroughourdisasterrecoveryandcontingencyplanningforsucheventsasfires,typhoons,andearthquakes.Weshoulddothesameforothereventsthatwouldbeclassifiedasanemergency,suchas,butofcoursenotlimitedto,thefollowing:

•Web-siteattackanddefacement,

•Denial-of-serviceattack,

•Wormorvirusattack,and

•Othermaliciousattacksoraccidents.

Asaprofessionalcybersecurityofficer,whenyoulearnofanewtypeofattack,checkyouremergencycontingencyplansanddeterminewhetherthelatesttypeofattackwouldbeaddressedbyoneofthoseplans.Ifso,great!Ifnot,thenit’stimetodevelopanotherplanorupdateacurrentplan.Bytheway,asyoushouldalreadyknow:

•Theseplansmustbedevelopedwithinputfromvariousdepartmentssuchasauditors,legal,andITinaprojectteamenvironment;

•Theymustbekeptcurrent;and

•Theymustbetestedoftentoensurethattheidentifiedemergencyresponseteamistrainedandcanoperateeffectivelyandefficiently.

Aswiththecybersecurityprogram,allplansshouldbeplacedonlinewithreadaccessforallemployees.Itwillalsobeeasiertokeeptheplanscurrent,andthroughtheintranetWebsiteorthroughe-mail,everyonecanbenotifiedofchangestotheplans.Thecybersecurityofficershouldalsohaveaprojecttoensurethatinformationandsystemsprotectionpoliciesandproceduresarekeptonlineforreadaccessbyallemployees.Thecybersecurityofficershouldconsider,asmuchaspossible,havingapaperlesscybersecurityprogramandcybersecurityorganization.

Atthecorporatelevel,allinformationandsystemsprotectionplansareconsideredsubsetsofthecybersecurityprogram,asareallprojectsthatareusedtobuildthesecureinformationenvironment.

Corporate’sCyberSecurityStrategicPlanTobesuccessful,thecybersecurityofficermusthaveacybersecuritystrategicplan).Thatplanshouldbeintegrated,oratleastcompatible,withcorporate’sstrategicbusinessplan.Itisthisplanthatsetsthelong-termdirection,goals,andobjectivesforinformationprotectionasstatedinthecybersecurityprogram,vision,mission,andqualitystatements.

Let’slookatanexampleofapossiblestrategicbusinessplanofacorporation.

Thecorporatestrategicbusinessplansetsforththefollowinginformation:

•Theexpectedannualearningsforthenext7 years;•Themarket-sharepercentagegoalsonanannualbasis;

•Thefutureprocessmodernizationprojectsbasedonexpectedtechnologychangesoffaster,cheaper,andmorepowerfulcomputers,telecommunicationssystems,androbotics;

•Corporateexpansiongoals;and

•Corporate’sacquisitionofsomecurrentsubcontractorandcompetitivecompanies.

Thecybersecuritystrategicbusinessplanisthebasicdocumentonwhichtobuildthecorporatecybersecurityprogramwiththegoalofbuildingacomprehensiveinformationprotectionenvironmentatlowestcostandleastimpacttothecompany.

Whendevelopingtheplan,thecybersecurityofficermustensurethatthefollowingbasiccybersecurityprinciplesareincluded,eitherspecificallyorinprinciple(sinceitispartofthecybersecuritystrategy):

•Minimizetheprobabilityofacybersecurityvulnerability,

•Minimizethedamageifavulnerabilityisexploited,and

•Provideamethodtorecoverefficientlyandeffectivelyfromthedamage.

Let’sassumethatthecorporatestrategicbusinessplancalledforamaturecybersecurityprogramwithinthenextsevenyearsthat:

•Canprotectcorporate’sinformationwhileallowingaccesstoitsnetworksbyitsinternationalandnationalcustomers,subcontractors,andsuppliersand

•Cansupporttheintegrationofnewhardware,software,networks,etc.,whilemaintainingtherequiredlevelofcybersecuritywithoutaffectingschedulesorcosts.

TheCyberSecurityStrategicPlanObjectiveTheobjectivesoftheplanareto:

•Minimizeriskstosystemsandinformation,

•Minimizeimpactoncosts,

•Minimizeimpactonschedules,

•Assistinmeetingcontractualrequirements,

•Assistinmeetingnoncontractualrequirements,

•Buildacomprehensivesystemssecurityenvironment,

•Respondflexiblytochangingneeds,

•Supportmultiplecustomers’informationprotectionneeds,

•Incorporatenewtechnologiesassoonasneeded,

•Assistinattractingnewcustomers,and

•Maximizetheuseofavailableresources.

CyberSecurityStrategicPlanandTeamConcepts,Communication,andCoordinationTohaveasuccessfulcybersecurityprogram,thestrategycallsforonethatalsodealswiththeofficepoliticsaspectofthecorporateenvironment.Akeyelement,whichwasstatedearlierinthisbook,istorememberthattheinformationandinformationsystemsbelongtocorporate,andnottothecybersecurityofficer.Therefore,cooperationandcoordinationareamust!

Manyfunctionalorganizationshaveaninterestinthecybersecuritystrategicplanandothercybersecurityprogram-relatedplans;therefore,theplansshouldbediscussedwithotherteammemberssuchastheauditors,securitypersonnel,humanresourcespersonnel,legalpersonnel,andothersdeemedappropriate.

Theplanshouldalsobediscussedwithandinputrequestedfromkeymembersoftheusercommunityandcorporatemanagers.Afterall,whatyoudoaffectswhattheydo!Itisagreatwaytogetcommunicationandinteractiongoing.Thiswillleadtoabetterplanandonethathasbroad-basedsupport.

Theirinputandtheirunderstandingofwhatthecybersecurityofficeristryingtoaccomplishwillassistinensuringcorporate-widesupportforthecybersecurityprogram.Foronlywiththiskindofcommunicationandinteraction,canthecybersecurityofficer’scybersecurityprogramsucceed.

CyberSecurityStrategicPlanningConsiderationsTheplanningconsiderationsmustincludethefollowing:

•Goodbusinesspractices,

•Qualitymanagement,

•Innovativeideas,

•Cybersecurityvisionstatement,

•Cybersecuritymissionstatement,

•Cybersecurityqualitystatement,and

•Providingchannelsforopencommunicationwithotherssuchastheauditors,systemspersonnel,securitypersonnel,users,andmanagement.

Allthesefactorsmustbeconsideredwhendevelopingacybersecurityprogramstrategyanddocumentingthatstrategyinthecybersecurityprogram.

Thecorporateprocessflowofplansbeginswiththecorporatestrategicbusinessplanthroughthecorporateannualbusinessplan.Eachplan’sgoalsandobjectivesmustbeabletosupportoneanother:top–downandbottom–up.

Oncethisprocessisunderstood,thenextstepistomapthecybersecuritystrategicplanintothecorporatestrategicbusinessplangoalsandobjectives.

MappingCorporate’sCyberSecurityStrategicPlantotheCorporateStrategicBusinessPlanCorporate’sstrategyidentifiedtheannualearningsforthenextsevenyearsaswellasmarket-sharepercentagegoals.Thisclearlyhighlightstheneedforacybersecurityprogramthatwillbecost-effective.

Aswaspreviouslymentioned,cybersecurityisa“parasite”ontheprofitsofcorporateifitcannotbeshowntobeavalue-addedfunction(onethatisneededtosupportthebottomline).Therefore,thecybersecurityprogramstrategymustbeefficient(cheap)andeffective(good).Ifthatcanbeaccomplished,thecybersecurityprogramwillbeinapositiontosupportthecorporatestrategyrelativetoearningsandmarketshare.

Mappingthesepointsinaflowchartorsimilarmanagementtoolcanhelpthecybersecurityofficervisualizeastrategypriortodocumentingthatstrategyinthecybersecuritystrategicplan.Themappingwillalsoassistthecybersecurityofficerinfocusingonthestrategiesthatsupportthecorporatestrategies.2

WritingtheCyberSecurityStrategicPlanWritingtheplanwillcomemuchmoreeasilyoncethemappingiscompleted.Oncethatisaccomplished,thecybersecurityofficerwillwritetheplanfollowingthestandardcorporateformatforplanwriting.

Thecorporateformatwasdeterminedtobeasfollows:

1.Executivesummary

2.Tableofcontents

3.Introduction

4.Visionstatement

5.Missionstatement

6.Qualitystatement

7.Cybersecuritystrategicgoals

8.Howthecybersecuritystrategiessupportcorporatestrategies

9.Mappingcharts

10.Conclusion

Corporate’sCyberSecurityTacticalPlanAtacticalplanisashort-rangeplan(athree-yearplan)thatsupportsthecorporatecybersecurityprogramandcybersecurityfunctionalgoalsandobjectives.Thecybersecuritytacticalplanshould:

•Identifyanddefine,inmoredetail,thevisionofacomprehensivecybersecurityenvironment,asstatedinthecybersecuritystrategicplan;

•Identifyanddefinethecurrentcorporatecybersecurityenvironment;and

•Identifytheprocesstobeusedtodeterminethedifferencesbetweenthetwo.

Oncethatisaccomplished,thecybersecurityofficercanidentifyprojectstoprogressfromthecurrentcorporatecybersecurityenvironmenttowhereitshouldbe,asstatedinthecybersecuritystrategicplan.Inthecorporatetacticalplan,itisalsoimportanttokeepinmind:

•Thecompany’sbusinessdirection,

•Thecustomers’direction,and

•Thedirectionoftechnology.

Oncetheseareestablished,theindividualprojectscanbeidentifiedandimplemented,beginningwiththecybersecurityannualplan.

Thecorporatetacticalbusinessplanstated(again,usinganexampleofacorporateplan),“Inaddition,itisexpectedtobeabletointegratenewhardware,software,networks,etc.,withminimumimpactonschedulesorcosts.”Therefore,itwillbenecessarytoestablishaprojectwiththeobjectiveofdevelopingaprocesstoaccomplishthatgoal.

Thecybersecurityofficermustthenalsoconsiderthatthecorporatecybersecurityprogrammustcontainprocessestoreevaluatethemechanismsusedtoprotectinformationsothatitisprotectedonlyfortheperiodrequired.Therefore,aprojectmustbeestablishedtoaccomplishthatgoal.

Thecorporatetacticalbusinessplanalsocalledforthecompletionofacybersecurityprogramthatcanprotectcorporate’sinformationwhileallowingaccesstoitsnetworksbyitsinternationalandnationalcustomers,subcontractors,andsuppliers.Therefore,anotherprojectthatmustbedevelopedisonethatcanaccomplishthisgoal.

WritingtheCyberSecurityTacticalPlanWritingtheplanshouldbesomewhateasierbasedontheexperiencegainedinmappingthegoalsforthecybersecuritystrategicplanandthecorporateplans.Oncethatisaccomplished,thecybersecurityofficerwillwritetheplanfollowingthestandardcorporateformatforplanwriting.

Thecorporateformatforthecybersecurityplanwasdeterminedtobeasfollows:

1.Executivesummary

2.Tableofcontents

3.Introduction

4.Cybersecuritystrategicgoals

5.Howthecybersecuritytacticalplansupportsthecybersecuritystrategicplan

6.Howthecybersecuritytacticssupportcorporatetactics

7.Mappingcharts(useanorganizationorflowchartifpictorialrepresentationwillhelpthereaderundertheapproachused

8.Conclusion

CyberSecurityAnnualPlanThecybersecurityofficermustalsodevelopacybersecurityannualplantosupportthecorporation’sstrategicbusinessplan,cybersecuritystrategicplan,andthecorporateandcybersecuritytacticalplans.Theplanmustincludegoals,objectives,andprojectsthatwillsupportthegoalsandobjectivesofcorporate’sannualbusinessplan.

Corporate’scybersecurityannualplanistobeusedtoidentifyandimplementprojectstoaccomplishthegoalsandobjectivesasstatedinalltheotherplans.

Remember,thecybersecurityprogramrequiresthefollowing:

•Projectmanagementtechniques,

•Ganttcharts(schedule),

•Identifiedbeginningdateforeachproject,

•Identifiedendingdateforeachproject,

•Anobjectiveforeachproject,

•Costtrackingandbudget,and

•Identificationoftheresponsibleprojectlead.

CyberSecurityAnnualPlanProjectsTheinitialandmajorprojectofthecybersecurityofficer’sannualplanistobegintoidentifythecurrentcorporateandcybersecurityenvironment.Togainanunderstandingofthecurrentcorporateenvironment,culture,andphilosophy,thefollowingprojectsaretobeestablished:

1.Projecttitle:CorporateCyberSecurityOrganization

a.Projectlead:Cybersecurityofficer

b.Objective:Establishacybersecurityprogramtosupportorganization

c.Startdate:January1,2016

d.Enddate:July1,2016

2.Projecttitle:CyberSecurityProgramPoliciesandProceduresReview


b.Objective:Identifyandreviewallcybersecurityprogram-relatedcorporatedocumentation,andestablishaprocesstoensureintegration,applicability,andcurrency

c.Startdate:February1,2016

d.Enddate:April1,2016

3.Projecttitle:CyberSecurityTeam


b.Objective:Establishacorporatecybersecurityprogramworkinggrouptoassistinestablishingandsupportingacybersecurityprogram


d.Enddate:February1,2016

4.Projecttitle:CorporateProprietaryProcessProtection

a.Projectlead:Cybersecurityorganizationsystemssecurityengineer

b.Objective:Identification,assessment,andprotectionofcorporateproprietaryprocesses

c.Startdate:April15,2016

d.Enddate:September1,2016

5.Projecttitle:CyberSecurityOrganizationalFunctions


b.Objective:Identifyandestablishcybersecurityorganizationalfunctionsandtheirassociatedprocessesandworkinstructions


d.Enddate:July1,2016

6.Projecttitle:CyberSecuritySupporttoITChanges

a.Projectlead:Cybersecurityorganizationsystemssecurityengineer

b.Objective:Establishaprocesstoprovideserviceandsupporttointegratecybersecuritypolicies,procedures,andprocessesaschangesaremadeintheITenvironment

c.Startdate:March15,2016

d.Enddate:October1,2016

MappingtheCyberSecurityAnnualPlantotheCorporateAnnualBusinessPlanAswaspreviouslyshown,mappingthecybersecurityprogramandthecybersecurityannualplantothecorporateannualbusinessplancanbeeasilyaccomplished.However,inthiscase,thecorporateannualplanobjectiveswerenotindicatedorusedtomapthecorporateplan.3

WritingtheCyberSecurityAnnualPlanAsnotedearlier,writingoftheplansmustfollowthecorporateformat.Thecybersecurityannualplanisnoexception,andthefollowingformatisrequired:

1.Executivesummary

2.Tableofcontents

3.Introduction

4.Cybersecurityannualgoals

5.Cybersecurityprojects

6.Howthecybersecurityprojectssupportcorporate’sannualplangoals

7.Mappingcharts

8.Conclusion

QuestionstoConsiderBasedonwhatyouhaveread,considerthefollowingquestionsandhowyouwouldreplytothem:

•Doesyourcompanyhaveplansthatcanbeconsideredstrategic,tactical,orannual,forexample,long-rangeorshort-rangeplans?

•Haveyoureadthem?

•Ifnot,howdoyouknowyouareprovidingadequateserviceandsupporttothecompany?

•Doyouhavestrategic,tactical,andannualplansthatsupportthecompany’sbusinessplans?

•Ifso,aretheycurrent?

•Howdoyouknow?

•Doyouhaveaprocessinplacetokeepthemcurrent?

•Ifnot,whynot?

•Ifyoudohavesuchplans,doyouhaveaprocessinplaceandflowchartedtoshowhowtheplans,yourinformationandsystemsprotectionfunctions,projects,riskmanagementstrategy,cost–benefitphilosophy,andsuchareintegratedintoyourcybersecurityprogramthatsupportsthecompany’splans?

•Ifnot,whynot?

SummaryPlanningisavitallyimportantandcost-effectivewaytoestablishacost-effectiveandqualitycorporatecybersecurityenvironment.Itwillhelpfocusontasksthatwilleffectivelyandefficientlymeettheplanninggoalsandobjectivesofacybersecurityprogram.Aspartofthatplanning,thecybersecurityofficershouldconsiderthefollowingpoints:

•Thecorporatecybersecuritystrategic,tactical,andannualplansmustbemappedandintegratedintothecorporatestrategic,tactical,andannualbusinessplans.

•Thecybersecurityprogram-relatedplansmustincorporatethecybersecurityvision,mission,andqualitystatementsandtheirphilosophiesandconcepts.

•Thecybersecurityprogram-relatedplansmustidentifystrategies,goals,objectives,andprojectsthatsupportoneanotherandthecorporateplans.

•Bymappingthegoalsofthecorporateplanswiththoseofthecybersecurityprogram-relatedplans,therequiredinformationfusioncantakeplaceandcanbegraphicallyrepresented.

FIGURE1 DepictsmappingofthegoalsofthecorporateplanwiththoseofthecybersecurityprogramwhereIWCstandsforagenericcorporationInternationalWidget

CorporationandCIAAPisthecorporateinformationassuranceannualplan.

•Mappingwillmakeiteasierforthecybersecurityofficertowritetheapplicablecybersecurityplans.

•Thecybersecurityannualplangenerallyconsistsofprojectsthatarethebuildingblocksofthecybersecurityprogramfollowingthestrategiesandtacticsofthecorporateandothercybersecurityprogramplans.Figure1providesanexampleofmappingshowing

therelationshipofplans.What,ifanything,islacking?

1WilliamShakespeare(1564–1616),Englishpoetandplaywright.Polonius,Hamlet(1601),Act2,Scene2.2Forthosereaderswhoareinclinedtoarguethetechnicaldefinitionsofterms,Iconcedethatthedefinitionoftermsvariesbetweencorporationsandthoseusedheremaynotfitnicelyintothedefinitionsusedbythecorporationorgovernmentagencyofthereader.However,thereadershouldnotlosesightoftheprocessbeingdiscussed.Thatistheimportantaspectofthischapter.3Thereaderprobablyunderstandsthisprocessbynowandcaneasilyusethismappingmethod.

CHAPTER8

EstablishingaCyberSecurityProgramandOrganization

AbstractTheobjectiveofthischapteristodescribehowtoestablishacorporatecybersecurityprogramanditsassociatedorganization.A“what-if”approachisusedinwhichacorporatesecurityofficerisshowntoactinacertainwaybasedonwhatisrequiredofhimorherbycorporationinwhichthatpersonisemployed,usingafictionalcorporateenvironment.

KeywordsCorporatecybersecurityprogram;Corporateinformationofficer(CIO);Corporationoverallpolicydocument;Formalprojectmanagementtechniques;Informationenvironment(IE);Off-sitecybersecurityprogram;Strategicbusinessplan(SBP);Tacticalbusinessplan(TBP)

Wetrainedhard,butitseemedeverytimewewerebeginningtoformupintoteams,wewouldbereorganized.Iwastolearnlaterinlifethatwetendtomeetanynewsituationbyreorganizing

PetroniusArbiter1

CONTENTS

Introduction 132CorporateCyberSecurityProgram 132

TheCorporateCyberSecurityProgram—Requirements 139TheCorporateCyberSecurityProgram—InformationAssetsProtectionPolicies 139

TheCorporateCyberSecurityProgramRequirementsandPolicyDirective 148PhysicalSecurityandCyberSecurityProgramPolicy 149

TheCorporationCyberSecurityProgram—CyberSecurityProcedures 150

CyberSecurityOfficerThoughtProcessinEstablishingtheCyberSecurityOrganization 152

DeterminingtheNeedforCyberSecuritySubordinateOrganizations 154DevelopingtheCyberSecurityProgramOrganizationStructure 156DevelopingtheCyberSecurityProgramSubordinateOrganizations 156

ResponsibilitiesofCyberSecurityProgramSubordinateOrganizations 157

CyberSecurityJobDescriptions 160CyberSecurityJobFamilyFunctionalDescriptions 161RecruitingCyberSecurityProfessionals 168

IdentifyingIn-HouseCyberSecurityCandidates 170IdentifyingOutsideCyberSecurityCandidates 171


CHAPTEROBJECTIVE

Theobjectiveofthischapteristodescribehowtoestablishacorporatecybersecurityprogramanditsassociatedorganization.A“what-if”approachisusedinwhichacorporatesecurityofficerisshowntoactinacertainwaybasedonwhatisrequiredofhimorherbycorporationinwhichthatpersonisemployed,usingafictionalcorporateenvironment.

IntroductionThecorporation’sinformationandinformationsystemsaresomeoftheirmostvitalassets.Thesevaluableassetsmustbeconsistentlyprotectedbyallthecorporationemployees,contractedpersonnel,associatecompanies,subcontractors,and,infact,everyonewhohasauthorizedaccesstotheseassets.Theymustbeprotectedregardlessoftheinformationenvironment,whetherthroughfaxes,telephones,cellularphones,localareanetworks,Internete-mails,hardcopies,scanners,personaldigitalassistants(PDAs)—anydevicethatprocesses,transmits,displays,orstoresthecorporation’ssensitiveinformation.Whatismeantbysensitiveisallinformationthathasbeendeterminedtorequireprotection.Thatdeterminationisbasedonbasic,commonbusinesssense—forexample,amarketingplanfornextyear’sproductmustbeprotected,anditdoesn’ttakeariskassessmenttodeterminethat.Someinformationmustalsobeprotectedbecausetherearelawsthatmakethatinformationprotectionarequirement—forexample,privateinformationaboutemployees.

Toprovidethatconsistentprotection,thoseindividualswhohaveauthorizedaccesstotheinformationandinformationsystemsmustthereforedothefollowing:

•Beprovidedwithguidance,

•Understandhowtoapplyinformationassetprotection,

•Understandwhysuchinformationassetprotectionisrequired,and

•Understandthecorporationpolicyregardingthatprotection.

Thecorporation’sexecutivemanagementhaddecidedthatapolicydocumentwasneeded.So,thecorporation’scybersecurityofficerwashiredprimarilytofulfillthatrequirementasstatedinthecorporateplans,suchasthecorporationstrategicbusinessplan.

CorporateCyberSecurityProgram2

Thecybersecurityofficerknewthattosuccessfullyprotectthecorporation’sinformation-relatedassetstheremustbeformalguidelinesanddirectionsprovidedtothecorporation’semployees.Theremustalsobesomeformalprocessesthatareusedtoensurethatthecorporation’sinformationassetswereprotectedeffectivelyandefficiently—inotherwords,“cheapandgood.”Itwouldbeobvioustothecorporation’smanagementandthecybersecurityofficerthattodootherwisewouldcauseemployeestoprotecttheseinformation-relatedassetsastheysawfit,ornotprotectthematall.Suchwasalmostthecasenow,anditishopedthatthecybersecurityofficerwouldknowtherewasanurgentneedtoquicklyestablishacybersecurityprogram.

Thecybersecurityprogramwouldbedevelopedtakingintoconsiderationorincorporatingthefollowing:

•Reasonsforthecybersecurityprogram;

•Thecorporation’svision,mission,andqualitystatements;

•Informationandsystemslegal,ethical,andbestbusinesspractices;

•Thecorporation’sstrategic,tactical,andannualbusinessplans;

•Informationandsystemsprotectionstrategic,tactical,andannualbusinessplans;

•Thecorporation’soverallinformationassetsprotectionplans,policies,andproceduresasdirectedbythecorporatesecurityoffice;

•Cybersecurityvision,mission,andqualitystatements;

•Currentcybersecurityprogram-relatedpolicies;

•Currentcybersecurityprogram-relatedprocedures;and

•Othertopicsasdeemedappropriateoncethecybersecurityofficerandthecybersecurityprojectteamhaveestablishedthebaseline.

Thecybersecurityprogramcannotbedevelopedinavacuumifitistowork.Theinputofothersisanecessity:Thecybersecurityprogram,ifnotdonecorrectly,mayhaveanadverseimpactonthebusinessofthecorporation.Rememberthatthecybersecurityofficer’scybersecurityfunctionalorganizationmustbeaservice-andsupport-drivenorganization.Aspartofthatendeavor,thecybersecurityprogrammustsupportthecorporation’sbusinessplans.Itthenfollowsthattheplanscallforcertainactionstoprotectthecorporation’svitalinformationandinformationsystemsassets.

Rememberwhatisbeingdiscussedherearetheplans,processes,policies,andprocedures(P4)thatareestablished,implemented,andmaintainedasapplyingtoallthecorporationdepartments(P4becauseaseachofthe“P’s”isaddedtotheothers,protectionbaselineincreasesexponentially).Thisshouldnotbeconfusedwiththecybersecurityofficer’scybersecurityorganization’splans,policies,andprocedures,suchaswork

instructionsandprocessesthatapplystrictlywithinthatcybersecurityorganization.

Asthecybersecurityofficer,oneofyourfirsttasksistoobtainacopyofthecorporationcybersecurityprogramthatwastobeestablishedbythepriorcybersecurityofficer.Youmayfindthat:

1.Thereisnosuchdocument,

2.Thecurrentoneisnotreallycurrentatallandneedsupdating,or

3.Toyourshockandamazement,thecorporationcybersecurityprogramiscurrentandanexcellentdocument.

Ofthethreeoptions,whichwouldyoupreferandwhy?Actually,therearebenefitstoalloftheoptions,buttheyarelistedinourpreferredorder.Doesitseemstrangethatonewouldnotoptforoption3?Theoneyouchoosewillprobablybebasedonwhereyouarecomingfromandwhereyouaregoing(youreducationandexperience).OK,nomoreriddles.

Option1hassomebenefits.Ifthereisnosuchdocumentasthecorporationcybersecurityprogrambyanyname,onecan“doitrightthefirsttime”anddeveloponethatmeetstheneedsofthecorporationusingyourowntriedandtruemethods.However,thelessexperienceyouhave,themoredifficultitwillbetodoitrightthefirsttime.Ifyouarenewtothecorporationcybersecurityofficerposition,itmaybedoublydifficultandarealproblem.No,notaproblem,becauseyouarenowinahighmanagementposition.Thesearenotcalledproblems.Theyarecalledchallenges.

Havingacorporatecybersecurityprogramthathasbeenapprovedbythosewhomustapproveit(executivemanagement)hassomebenefits,ofcourse.“Approveit?”yousay.“Whydoesanyonehavetoapproveit?Iamthecybersecurityofficer,thesecurityprofessional,theexpertinthebusiness.IknowwhatIamdoing.Idon’tneedanynonsecuritypeopleoutthereplayingamateurinformationsystemssecurityexpert.”Great!Thatmayhaveworkedinthepast,maybeinthetimesofthehunter–gatherers—butnotnow.

Here’stheissue:Asthecybersecurityofficer,youaregoingtoestablishacybersecurityprogramthatwillaffecteveryoneandeverythinginthecorporationinoneformoranother,sinceinformationsystemspermeatealllevelsofthecorporationandthecorporationcannotfunctionwithoutthem.Youarenewtothecorporationandreallydon’thaveagoodhandleonhowinformationassetsprotectionpoliciesandproceduresaffectthecorporationbusinessofmakingwidgets.Youmayhaveagreatwaytoprotectacertain,sensitivecorporationinformation-relatedasset,butfindthatifitwereimplementeditwouldslowdownproduction.Thatisnotagoodideainthecompetitive,fast-paced,globalmarketplaceinwhichthecorporationcompetesforbusiness.Thatmaygetyouawarningfirst,butthenyou’llbefired(aswasthecaseofthelastcybersecurityofficer?);oritmayincreasecostsinotherways(slowingdownproductionisacostmatteralso).

Option2alsohassomeverygoodadvantages,especiallyforthecybersecurityofficer

whohaslessexperienceintheprofessionand/orlessexperienceatthecorporation.Theadvantageisthatyouhaveaframeworkonwhichtobuild,essentiallychangingittohowyouenvisionthefinalbaseline.However,aswithoption1,somecautionisadvised.Option2allowsyou,asthenewcybersecurityofficer,theopportunitytoseewhatexecutivemanagementhasauthorizedtodate.Inotherwords,youknowhowmuch“protection”theexecutivemanagementofthecorporationwillallowatwhatexpensetoproductivity,costs,etc.

Thisisimportantalsobecauseifyouincreasesecurity,youmustprovidesound,convincingbusinessreasonsthatshouldhappen.Inthiscause,youhaveanedgebecauseofthepreviouslossofthecorporationinformationassets,whichcausedthefiringoftheformercybersecurityofficer.Inaddition,thechiefexecutiveofficer(CEO)issupportiveinthatthestrategicbusinessplanandthetacticalbusinessplanbothhavecybersecurityprogramgoals,andthoseplanshadtobeapprovedbytheCEOpriortoimplementation.Thus,thecybersecurityprogramalreadyhashighvisibilityandatleastsomeexecutivemanagementsupport.However,thathoneymoonmaynotlastlongifyourequireprotectionmechanismsthataren’tbackedbysoundbusinesssense.

Option3isgreatifyouarenewtothecybersecurityofficerpositionand/orlackconfidenceorexperienceincybersecurityprogramdevelopment.However,cautionisalsoneededhere,becauseinformationassetswerelostandtheformercybersecurityofficerwasfired.Youmustgetanswersforthefollowingquestions:

•Didtheinformationassetsprotectionprocessesassetforthinthecybersecurityprogramleaveavulnerabilitythatallowedthethreatagenttotakeadvantageofit?

•Wasthecybersecurityprogramnottheissue—didsomeoneorsomegroupfailtofollowproperprocedures?

•Wasthecybersecurityofficerjustnottherightpersonforthejobatthecorporation?(Ifthisisthecase,findoutwhysoyoudon’tmakethesamemistake,assumingyouwanttoworkforthecorporationformorethanayearortwo.)

Asthenewcybersecurityofficer,youshouldfindtheanswerstothesequestionsandthendeterminehowthecybersecurityprogramcanbeenhancedtomitigatefutureattacks.Thebenefitofacurrentcybersecurityprogramisthatithasreceivedtheconcurrenceofexecutivemanagement—butremember,itmaybeabadplan.Afterall,whatdoesexecutivemanagementknowofcybersecurityprogrammattersexceptwhatthecybersecurityofficertellsthem,asidefromthe“commonsense”knowledge?

Letusassumethatnocorporationcybersecurityprogramisinexistence.So,thecybersecurityofficermuststartfromthebeginning.Actually,thatisnotentirelytrue.Asanexperiencedcybersecurityofficer,thecorporationcybersecurityofficerhasbroughtknowledgeandexperiencetothecorporationcybersecurityofficerposition.Inaddition,therearealwayssomesortofinformationandinformationsystemsprotectionpoliciesandguidelinesavailable.Itmaybejustamatterofgatheringthemalltogetherforanalysisaspartofestablishingthecybersecurityprogrambaseline.

Inaddition,thecybersecurityofficerhasswappedandcollectedcybersecurityprogramplansfromothercybersecurityprofessionalsovertheyearsthatmayproveuseful.Severalwordsofcaution:

•Nevertakeanother’scybersecurityprogram(oranydocuments)withouttheapprovalofhisorherappropriatecorporateauthority.Suchplansmaybeconsideredandmarkedascorporate–confidential,corporate–private,corporate–proprietary,orthelike.Thereisanethicsissuehere.

•Furthermore,theothercybersecurityprogramsmaybeoutdatedormaynotmeettheneedsofthecorporation,perhapsbecauseoftechnologychanges,adifferentcorporateculture,oradifferentcorporateenvironment.

Usingformalprojectmanagementtechniques,thecybersecurityofficerdecidestoestablishacybersecurityprogramprojectteamandselectsaprojectlead,leadstheteam,orhasthegroupselecttheirownprojectlead.Ifthecybersecurityofficer’scybersecurityorganizationhasoneormorespecialistsininformationassetsprotectionpoliciesandprocedures,thenoneofthosespecialistswouldbethenaturalonetoheaduptheprojectteam.Otherteammembersshouldincludethosewithinthecybersecurityorganizationwhoareresponsibleforeachofthefunctionsofthecybersecurityorganization.

Theseteammemberswouldnotbeusedfulltimeontheproject,butwouldrepresentthecybersecurityfunctionsandprovideinputasdeemedappropriatebythecybersecurityprogramprojectteamleader.Thecybersecurityofficerdecidedtouseonlyspecialistsfromthecybersecurityorganizationatthistimetospeedupthedraftofthebaselinecybersecurityprogram’sprimarydocument—thatwhichcontainstherequirementsandP4.Todootherwise—toaddauditors,informationtechnology(IT)staff,humanrelationsspecialists,legalstaff,etc.—wouldinvariablycausetoomuchtimetobetakenindiscussingsuchmattersaspoliciesbeingtoorestrictiveornotrestrictiveenough,leadingtoaslowdownorcommitteeparalysis.Thecybersecurityofficerdeterminedthatcoordinationwouldbedoneuponestablishmentoftheinitialdraftdocument.

Let’snowassumethereisaplaninplacewithoutdatedportions.Thecybersecurityofficer,whohasalreadyreadthedocumentanddoesnotagreewithsomeoftherequirementsinitandwhoseesotherrequirementsthatareobviouslylacking,shouldfirstmeetwiththespecialistcurrentlyresponsibleforthecybersecurityprogramandthatperson’smanager(theassumptionisthattherearesomecybersecuritystaffalreadyemployedandthatsomeoneinthecurrentcybersecurityorganizationhasresponsibilityforthecybersecurityprogram—orequivalentplanorprogram).Themainpurposeofthemeetingwouldbetodeterminewhyitisnotcurrentanddiscusstherationaleforalltherequirementsstatedinthedocument.Itmaybethatsomeportionsweredeletedbecauseofexecutivemanagementobjections.Thesemustbeidentified,becauseitisoflittleusetoupdatethecybersecurityprogramifitistomeetresistanceandrejectionwhenitisbriefedtoandcoordinatedwithexecutivemanagement.

Ifthecybersecurityofficerdeterminesthattherewasresistanceanddisapprovalofsomeaspectsofthecybersecurityprogram,thenthecybersecurityofficershouldlookat

thatissuefirst.Theapproachthecybersecurityofficerwilluseistoestablishanothercybersecurityprojectteam,whichwillconductalimitedriskassessmentrelatedtotheidentifiedissues:management’srejectionofsomemuch-neededinformationassetsprotectionrequirements.Theriskassessmentislimitedtoaspecificobjective:determiningtheriskstoaspecificasset,thecostsofmitigatingthatrisk,ortherationalefortherequirement.Itisalsolimitedintime.Foreachoftheseissuesinwhichdifferentinformationassetsanddepartmentshavebeeninvolved,suchasmanufacturingandmarketing,aseparate,limitedriskassessmentwillbeconducted.

Theresultsofthelimitedriskassessmentswillthenbeprovidedaspartofaformalbriefingtothevicepresidentofthatparticulardepartment,andacopyofthereportwillbegiventothecorporateinformationofficer(CIO).ThecopytotheCIO(thecybersecurityofficer’sboss)willbegivenjusttoensurethattheCIOisinthecommunicationsloopandbecauseacopywillbeavailableforusewhenbriefingtheCEOandtheexecutivemanagementteamonthenewcybersecurityprogramanditschanges.Thelimitedassessmentwillbepartofthebackupdocumentationforthebriefing.ThecybersecurityofficerreasonsthatacopytotheCEOwouldnotbeagoodideaatthistime,becausethenthecybersecurityofficerwouldhavetoexplainwhatitisandwhytheCEOhasit.

TheCEOdoesnotcurrentlyunderstandhowthenewcybersecurityofficeroperates,andnowisnotimetotakeawayfromtheprioritycybersecurityprogramprojectmanagementtoprovidea“foryourinformation”reporttotheCEO.Somecybersecurityofficersmaythinkthatsuchthingshelpthecybersecurityofficergainvisibilityandshowthe“great”thingsthatthecybersecurityofficerandcybersecuritystaffareaccomplishing.However,itmayhavetheoppositeaffect,astheCEOwouldaskquestions:

•WhydoIhavethis?

•Whatisit?

•WhatamItodowithit?

•DoIhavetomakeadecisionnowbasedonit?

Whatisyourreplyasthecybersecurityofficer?“Oh,IjustthoughtyouwouldenjoyreadingitbecauseIknowyouarenotthatbusy;youdon’thavebetterthingstodo;mystuffissomuchmoreimportantthanwhatyoudotorunthecorporation;andno,youdon’thaveanyactionitemsthatcomefromthis.IjustwanttoshowyouwhatagreatjobI’mdoing.”Thatwillworkingettingyourecognized—butforallthewrongreasonsandinthewrongway.

Thelimitedriskassessmentwillstatetherisks,themitigationfactors,andtheestimatedcostsoftheincreasedprotectionofthatparticularassetorsetofinformationassets.Ifthevicepresidentofthatdepartment,whoisalsothepersonimmediatelyresponsiblefortheprotectionofthatinformationassetorassets,doesnotconcurwiththeincreasedprotection,thenthevicepresidentmustformallyaccepttherisksinwritingonthelastpageofthereportandsenditbacktothecybersecurityofficer.

Theacceptanceofriskstatementreadsasfollows:Ihavereviewedthefindingsofthelimitedriskassessmentconductedbymembersofthecorporationcybersecuritystaff.Iunderstandthepotentiallossof,ordamageto,thecorporationinformationassetsundermycarethatmayoccurifadditionalprotectiveprocessesarenotputinplace.Iacceptthatrisk.

Youwillprobablyfindthatmostpeoplewillbeunwillingtosignsuchadocumentorwilltrytodelaysigningandhopetheissueisforgotten.Thecybersecurityofficercanneverletthathappen.Toresolvethatissue,areplyofconcurrenceornonconcurrencewillbesetforthinthedocumentwithasuspensiondate.Ifnoreplyisforthcomingbythatdate,thereportstatesthatadditionalsafeguardswillbeputintoeffectnolaterthanaspecificdatebecauseofthefailureoftheactionpersontosignthedocument.Anonreplyistakenasaconcurrence.

Oftentheexecutivewilltrytofindawayoutofthedilemmaand“negotiations”willtakeplaceinwhichvariousoptionswillbeexamined,otherthanthosealreadystatedinthereport.Thecybersecurityofficercannotsaynotosucharequest:Todosowouldallowtheexecutivetosaythatthecybersecurityofficerwasnotbeingcooperative,wasnotateamplayer,hada“takeitorleaveit”attitude.Atthesametime,thisnegotiationcannotgoonindefinitely.Ifaroadblockisreached,thentheexecutiveandthecybersecurityofficershouldagreethatthematterbediscussedatameetingwiththeCIOand/orCEO.

ThecorporationCIOwouldprobablybewonderingiftherewassomeotherwayoutofit.TheCIOthinks:“Herethiscybersecurityofficerhasn’tevenbeeninthejobamonth,andalreadyI’mgettinginvolvedinconflicts.”TheCIOdoesnotlikebecominginvolvedinconflicts.

Asasidenote,nomatterwhatfinaldecisionismade,thecybersecurityofficer’sperformancereviewandprobablymeritraisemaybeaffectedbecausethecybersecurityofficerwasnotabletoresolvetheissue(eventhoughthefaultwasthatofothers).Thecybersecurityofficercouldhaveresolvedtheissuebyjustallowingtheothervicepresidentsormanagerstohaveittheirway.However,thecybersecurityofficerknowsthatalsocontributedtothepreviouscybersecurityofficerbeingfired.Itisano-winsituation,butthat’slifeasacybersecurityofficer.Forthecybersecurityofficertodootherwiseisunprofessionalandanethicsissue.

TheCorporateCyberSecurityProgram—RequirementsIndevelopingacybersecurityprogram,onemustfirstlookattherequirementsthatdrivetheformationofpolicies,whichleadtoprocedures,whichturnintoprocessestobefollowedbyallthosehavingauthorizedaccesstothecorporationinformationandinformationsystemsassets.

Requirements,alsoknownascybersecuritydrivers,arethoselaws,regulations,commonbusinesspractices,ethics,andthelikeonwhichthepoliciesarebased.The

policiesareneededtocomplywiththerequirements;theproceduresarerequiredtoimplementthepolicy;andtheprocessesarestepsthatarefollowedtosupporttheprocedures.

TheCorporateCyberSecurityProgram—InformationAssetsProtectionPoliciesWhendiscussinginformationassetsprotectionpolicy,wedefineitasacodifiedsetofprinciplesthataredirectiveinnatureandthatprovidethebaselinefortheprotectionofcorporateinformationassets.

Itisalwaysthebestpolicytospeakthetruth,unless,ofcourse,youareanexceptionallygoodliar.

JeromeK.Jerome

Thecorporateinformationassetsprotectionpoliciesareaseriesofpoliciesthatdealwiththeprotectionofvariousinformationassetscategorieswithinthecorporation.Thesepoliciesmakeupamajorportionofthecybersecurityprogram,astheyaretheprotection“rules.”Theyarethefirstbuildingblocksofthecorporationinformationassetsprotectionenvironment.Informationassetsprotectionpoliciesarethefoundationforacybersecurityprogram.Itiscrucialthatthey:

•Coverallinformationassetsthatmustbeprotected,

•Coverallaspectsofinformationassetsprotection,

•Donothaveanyloopholesthatcouldcontributetovulnerabilities,

•Beclearlywritten,

•Beconcise,

•Takeintoaccountthecostsofprotection,

•Takeintoaccountthebenefitsofprotection,

•Takeintoaccounttheassociatedriskstotheinformationassets,

•Arecoordinatedwithexecutivemanagementandothersasapplicable,

•Areconcurredinbyexecutivemanagementandothersasapplicable,

•Areactivelysupportedbyexecutivemanagementandallemployees,and

•Includeaprocesstoensurethattheyarekeptcurrentatalltimes.

Onecannotstatetheserequirementstoostrongly.Theyarethekeytoasuccessfulcybersecurityprogram.Ifitisnotstatedinwriting,itdoesnotexist.Aftertheinformation

assetsprotectionpoliciesareestablishedandapprovedinaccordancewiththecorporationrequirements(executivemanagementapprovalforallpoliciesthataffecttheentirethecorporation),theinformationcontainedinthepoliciesmustbegiventoallcorporateemployees.Thiswillbedonethroughthecorporationcybersecurityprogrameducationandawarenesstrainingprogram.

Akeyprocessthatthecybersecurityofficermustestablishisonethatwillmaintainallinformationassetsprotectionpoliciesinacurrentstate.Becausethisisacrucialfunction,thecybersecurityofficerhasassignedonestaffmemberfulltimetoensurethatthepoliciesarecurrentatalltimesandensurethatwhenchangesareconsidered,theyareproperlycoordinated,andtheinformationisdispensedtoallemployeesassoonaspossible.Afterall,thechangesmayjustbeprocedural,ortheymaymitigatearisktosomevaluablecorporationinformationassets.

Thecybersecurityofficer’sfocalpointforinformationassetsprotectionpoliciesisthecentralcybersecuritypersontocollectinformationthatadverselyaffectstheprotectionofinformationandinformationsystems.Thatadverseinformationisanalyzedbythefocalpoint,withhelpfromothersasneeded,todetermineifpoliciesmustbeaddedormodifiedtohelpmitigatetheadverseeffects—vulnerabilities—identified.Ifso,suchchangesaredonebasedonacost–benefitsapproachtomitigatingtheidentifiedvulnerabilities.

Forthepositionofaninformationassetsprotectionpolicyspecialist,thecybersecurityofficerhaschosenapersonalreadyemployedbyHumanResources(HR).Thiswasdoneafterinterviewsandlookingattheexperienceofthecybersecuritystaff.Noneofthecybersecuritystaffwerequalifiedorinterestedinsuchaposition:Thecybersecuritystaffsawitasbeinga“nontechiepapershuffler”job.Thecybersecurityofficerpurposelylookedforaqualifiedemployeewithinthecorporation,sincethatpersonwouldalreadybefamiliarwiththecorporationcultureandprocesses—basically,howthingsweredoneatthecorporation.

ThecybersecurityofficerwasabletogetthisnewpositionapprovedbytheHRDepartmentandratedatasufficientlyhighpositionleveltoattractthebestcandidates.Thecybersecurityofficer’srationalewastorateallnewpositionsatashighalevelaspossible,sothecybersecurityofficercouldattractthebestcandidatesinthecorporationoroutsidethecorporation.Suchapositionwouldbeseenasapromotionbymanyinthecorporation.Thiswasnotaneasytask,butthecybersecurityofficerhadexperienceinworkingwithHRspecialists.Thetaskwasnotasdifficultasitmighthavebeen—andoncehadbeenforthecybersecurityofficer.

ThepersonhiredhadworkedinanHRofficeandwhosedutiesincludedwritingHRpolicyandproceduresdocuments,coordinatingdocumentapprovals,andmaintainingthecorporationdocumentationlibrary.Theindividualrespondedtoacorporation“vacantposition”announcementthatwasavailabletoallemployeesthroughtheonlineHRnetwork.

ThejobdescriptionfortheCyberSecuritySpecialistwasdevelopedbythecybersecurityofficerbasedonpastexperience.ThepersonwasnotactivelyrecruitedwithinHR,asthisviolatedthecorporationpolicy—peoplecannotactivelytryto“steal”

employeesfromoneanother.Aswellasviolatingcorporatepolicy,itisunethical.

Onepersonwhorespondedtothevacancyannouncementhadtwoyearsofexperienceatthecorporationandhadabachelor’sdegreeinjournalism,butnocybersecurityorinformationassetsprotectionexperience.Thecybersecurityofficerwantedsomeonewhocouldwriteandcoordinatepoliciesandproceduresasthefirstpriorityandcouldsecondarilylearnaboutcybersecurity-relatedmatters.Theincentivewasthatthepositionwasapromotionfromtheperson’spreviouslyheldposition,andthepersonwouldbetheleadinthisfunction,ratherthan“justanotheremployee”intheHRorganization.3

Atthecorporation,thecybersecurityofficerdevelopedanadministrativedocumentarchitectureinwhichtherewasanoverallinformationassetsprotectionpolicydocumentfollowedbytheotherassetsprotectionpolicydocuments.Thecorporationoverallpolicydocument(InformationAssetsProtectionPolicyDocument500-1,alsoknownasIAPPD500-1)beginswithaletterfromthecorporationCEOtoshowemployeesthatthisprogramwassupportedbytheCEO:

To:AllCorporationEmployees

Subject:ProtectingtheCorporation’sInformationAssetstoMaintainOurCompetitiveEdgethroughaCorporateCyberSecurityProgram

Wearealeadinginternationalcorporationinthemanufacturingandsalesofwidgets.Today,wecompetearoundtheworldintheglobalmarketplaceoffiercecompetition.Tomaintainaleadershippositionandgrow,wedependfirstandforemostonallofyouandprovideyoutheresourcestohelpyoudoyourjobstothebestofyourability.Youarevitaltooursuccess.

Itisthepolicyofthecorporationtoprotectallourvitalassetsthatarethekeytooursuccess,andamongtheseareourinformation-relatedassets.Theseincludeinformation,automatedmanufacturingtools,technology,information-andsystems-drivenprocesses,hardware,software,andfirmwarethatweallrelyupontobesuccessful.Youandtheseothervitalcorporationinformationassetsmustbeabletooperateinasafeenvironment,andourresourcesmustbeprotectedfromloss,compromise,orotheradverseeffectsthataffectourabilitytocompeteinthemarketplace.

Itisalsocorporationpolicytodependonallofyoutodoyourparttoprotectthesevaluableinformation-relatedassetsinthesevolatiletimes.

Theprotectionofourinformationassetscanbeaccomplishedonlythroughaneffectiveandefficientcybersecurityprogram.Wehavebegunanaggressiveefforttobuildsuchaprogram.

Thisdirectiveistheroadmaptoourcorporatecybersecurityprogramandthecontinuedsuccessofthecorporation.Inorderforthecybersecurityprogramtobesuccessful,youmustgiveityourfullsupport.Yoursupportisvitaltoensurethatthecorporationcontinuestogrowandmaintainitsleadershiproleinthewidgetindustry.

(SignedbythecorporationPresidentandCEO)

ItiscrucialthattheCEOleadthewayinthesupportoftheprotectionofthecorporation

informationassets.Togettheprecedingstatementpublished,thecybersecurityofficerreliedonthepolicycybersecuritystaffmembertodraftastatementfortheCEOtosign.Thecybersecurityofficerreasonedthatitisalwaysbettertowriteadraftforsomeonetoensurethatwhatispublishedmeetstheneedsofthecybersecurityprogramandthecorporation.ThestatementwasdraftedafterreviewingnumerousotherdocumentsandspeechesmadebytheCEOtoensurethatthewordsandformatusedwereconsistentwithwhattheCEOnormallysigned.

ThedraftwaseditedbythecybersecurityofficerandthencoordinatedbythecybersecurityofficerwiththeDirectorofCorporateSecurity,sincethishadtodowiththecorporationassets.TheDirectorofSecurityhadnoissueswiththepolicyandinfactwashappythatthecybersecurityofficerwasaggressivelymovingforwardonthismatter.Inaddition,theDirectorofSecuritybelievedthatthecybersecurityofficerpushingforwardwouldeventuallybenefittheSecurityDepartment.Furthermore,ifthecybersecurityofficerranintotroublewithexecutivemanagement,theDirectorcouldseehowfarthecybersecurityofficerwasabletogoinmeetingtheinformationassetsprotectionobjectives.Helikenedthecybersecurityofficertoaleadscoutgoingthroughthecorporation’sexecutivemanagementminefield.ItwouldhelptheDirectortopoliticallychoosehisground.Afterall,theDirectorwas“oldschool.”Hedidn’tcaremuchforcomputers,andhehadnoproblemlettingthecybersecurityofficertakeonthecybersecuritymatterswhiletheDirectorconcentratedonmore“mundane”securitymatterswhileawaitinghistimeforretirementinanotherfourorfiveyears.

BecausethedraftwasgoingtotheCEO,itwasalsoreviewedandeditedbythecybersecurityofficer’sboss,theCIO.ItwasthensenttotheCEO’spublicrelationsstaffandlegalstaffforeditingandsubsequentlypresentedtotheCEObythecybersecurityofficeraccompaniedbytheCIO,whowasalwaysconcernedwhenthecybersecurityofficerwasinvolvedinanythingthatbroughtCEOvisibilitytoanyaspectsoftheCIO’sdepartment.

Thecybersecurityofficeraccomplishedanotherobjectivetowardbuildingacybersecurityprogramforthecorporation.ThelettersignedbytheCEOwasjustonepartofit.ThecybersecurityofficeralsogotsupportfromtheCEOtoaggressivelyattackthevulnerabilitiesproblems,becausetheCEOdidnotobjecttotheassessmentapproachbriefedbythecybersecurityofficeraspartofthecybersecurityprogramphilosophy.That“hiddenagenda”wasusedtoinitiateamoreproactiveeffortthattheDirectorofAuditsandthecybersecurityofficerhadagreedtopriortothecybersecurityofficer’smeetingwiththeCEO.Thistacitapprovalallowedthecybersecurityofficertoestablishamoreproactiveandaggressivecybersecurityprogram.Allthismayseemalittledeviousbutnotunethical—orisit?Dotheresultsoutweighthetacticsusedtogainthoseresults?Youbethejudge.

Thecybersecuritypolicydocumenthadacoordinationnoteattachedthatshowedallthosewhohadseenthedocument(CEOsrarelysignanythingrelatingtocorporatebusinesswithoutinputfromthestaff).IfthecybersecurityofficerhadjustmadeanappointmentwiththeCEOandaskedforconcurrenceonthedocument,thecybersecurityofficerwouldundoubtedlybeaskediftheCIOhadseenit,haditbeencoordinatedwith

his(cybersecurityofficer’s)staff,etc.Thecybersecurityofficerwouldhavesaidno,wastingtheCEO’stimeandthecybersecurityofficer’stime.TheCEOwouldneversignoffonthedocumentwithoutCEOstaffinput.Thewholeincidentwouldmakethecybersecurityofficerlookfoolishandunprofessional,andperhapsfeelalittleinsecure,asthoughtheCEOdidnottrustthecybersecurityofficer.

Onekeyfactorismissinghere.Doyouknowwhatitis?WouldtheCEOhavesignedthedocumentwithoutseeingthedraftpolicydirective,IAPPD500-1?Theanswerisprobablyyes.Thisisbecausethecybersecurityofficerensuredthattheletterwaswrittenwithoutalludingtooridentifyingany“attachedpolicydocument”oranyotherdocument,forthatmatter.Whyisthisimportant?Itisimportantbecausethisdocumentistimelessandcanbeusedasastand-alonedocument.ThecybersecurityofficerthoughtthatitcouldalsobeattachedtoanyinformationassetsprotectionpolicydirectiveandwouldhelpenforcethepolicydirectivebecauseanyonewouldassumethattheCEO’ssigneddocumentissupportingthepolicydirectivetowhichitisattached.

Thefactis,itisprobablytruethattheCEOwouldsupportthepolicydirective:Thatdirectivecouldnothavebeenpublishedandimplementedwithoutfollowingthecorporationdirectivepublishingprocess.Thisprocess,asstatedinthecorporationdirectiveHRD5-17,includesdirectionsastopropercoordinationwithapplicabledepartmentsthatwouldbeaffectedbythedirective.

Thenextday,thecybersecurityofficerhappenedtobeindiscussionwiththecybersecuritypolicyspecialistaroundthecoffeepot.TheydiscussedtheCEO’sapprovalofthedocument,andthecybersecurityofficerthankedthespecialistforagreatjob.4Thespecialistsaid“Thanks”andalsosaid,“Youknow,ofcourse,thatitiscorporationpolicythatletters,regardlessofwhosignsthem,havenomorethana90-daylifespan?Thatpolicywasputinplacebecausemanyexecutivesandothermanagerswerewritingpolicy‘letters’tocircumventthecoordinationprocessfordirectives.So,thesepolicylettersproliferatedatthecorporation.Nooneknewwhatwascurrentandwhatwasn’t,andmanyfailedtofollowthelettersbecause‘theydidn’tworkforthatperson’(thepersonwhosignedtheletters).So,theletterswereignored.Thelastthingthatthecorporationneededwasabunchofletterpoliciesflowingaroundandbeingignored.Thatlefttheentirecorporationatmospherefullofconflicts,somechaos,andanattitudeoffloutinganyrulesthatonedidn’tlike.Infact,thatcontributedtoourlossofinformationassets,thefiringofmanagers,includingyourpredecessor.So,youdon’twanttoendupstartingthatmessalloveragain.Doyou?”

Thecybersecurityofficerdidn’tknowthatandwasgladthattherightpersonhadbeenhiredfortheinformationassetsprotectionpolicyspecialistposition.It’sfunnyhowthingssometimesworkoutbetterthanexpected.An“cybersecuritytechie”inthatpositionwouldprobablynothaveknownthatvaluablepieceofinformation.

Thecybersecurityofficerthoughtaboutwhattheinformationassetsprotectionpolicyspecialisthadsaid.Thecybersecurityofficerwantedtokeeptoaminimumanyobjectionstotheinformationassetspolicydirectives.

So,thecybersecurityofficerdirectedthatacopyoftheCEO’ssigneddocumentbe

attachedtoanyinformationassetsprotectionpolicydocumentthecybersecurityofficerwastryingtogetthroughthecoordinationprocess,published,andimplemented.Thecybersecurityofficeralsoincludedanoteonthecoordinationsheetthatstated:TheattacheddocumentisanimplementationdocumenttomeetthecorporationinformationassetsprotectionprogramrequirementsasstatedintheCEO’sdocument.ThecybersecurityofficerwasverysatisfiedwiththisapproachandalsodirectedthattheCEO’sletterbechangedtoaformaldirectiveandsoinstructedthecybersecuritypolicyspecialist.Thatdirective,thecybersecurityofficerreasoned,shouldnotrequireanycoordinationbecausetheCEOhadalreadysignedit.Thiswasthecase,andtheCEO’sletterbecamethecorporation’sIAPPD500-1.Therefore,allotherpolicydirectivesflowedfromthatoveralldirective—theCEO’smemo-directive.

Thecybersecurityofficerdirectedthataproject,withthecybersecuritypolicyspecialistastheprojectlead,beestablishedandimplemented.Theobjectivewastobringallinformationassetsprotectionpolicydirectivesuptodate.Thiswouldrequireallthecorporationpolicydirectivesrelatedtoinformationassetsprotectiontobereviewed,updated,coordinated,republished,andplacedonline,andthatallbriefings,training,andotherprocessesbeupdatedaccordingly.Thecybersecurityofficeralsodirectedthattheprojectleadshouldprioritizethedirectivesaccordingtothefollowingschedule:

•Directivesthatdidnotcurrentlyexistbutmustbedevelopedtoaddresstheprotectionofvariousinformationassetsand

•Directivesthatwerethemostoutdated(continuingtothosethatweretheleastoutdated).

Thecybersecurityofficerreasonedthatoutdateddirectiveswerebetterthannoinformationassetspolicydirectives,becausewheresomewereneededanddidnotexist,theinformationassetsweremorevulnerable.Althoughthemissingdirectiveswouldtakethelongesttogetimplemented,theywerethemostimportant.Thecybersecurityofficeralsodirectedtheinformationassetsprotectionpolicyprojectteam,withthepolicyspecialistastheprojectlead,todoasmuchaspossibleinparallel.Thoserequiringtheleastamountofworkcouldbedonefaster,andeveryupdateddirectivewasanothervictoryinthewartoprotectcorporateinformationassets.

War?Thechoiceofwordswasusedinallseriousness.Thecybersecurityofficerandthestaffmustgetona“warfooting”andnottreattheirprofessionaldutiesassome9-to-5job.Corporateinformationassetsarebeingattackedfrominsideandoutsidethecorporation,fromwithinthehomenation-state,andbycompetitorsandnation-statesfromaroundtheworldona24/7basis.Thiscorporationwasnoexception,andinfactbecauseofitsleadershiproleinthewidgetindustry,itwasprobablymoreatriskthansomeotherthecorporations.

Thecybersecurityofficerdirectedthatallpolicydirectivesbelimitedtospecificissues.Thecybersecurityofficerreasonedthattodeveloponelargepolicydirectivethatcoveredallaspectsofthecorporation’sinformationassetsprotectionneedswasnotagoodidea.Doyouagree?Beforeanswering,thinkaboutitfromanemployee’sperspective.Theemployeehasajobdotoasaspecialistinachosenprofession.Employeesarenot,nordo

theywanttobe,cybersecurityspecialists.Toassisttheminatleastcomplyingwiththecybersecurityprogram,the“KISS”principle(keepitsimple,stupid)shouldalwaysbeapplied.

Anemployeewhowantstodotherightthingandcomplywithallthecorporationdirectivesandinformationassetsprotectiondirectivesispartofthegroup.Let’ssaytheemployeeworksinamarketinggroup.Iftherewerejustonelargepolicydocument,theemployeewouldlookatthismonsterandmightbeintimatedbyitssize.Theemployeedoesnotneedtoknowaboutmanyoftheinformationassets’protectionrequirements—forexample,thosethatpertaintothemanufacturingenvironment.Yes,onecoulddokeywordsearchesifthedocumentsareonline,butinallprobability,pertinentinformationwouldbescatteredthroughoutthedocument.Withthecapabilityofputtingdocumentsonlineandmaintainingthemonline,itiseasyintoday’swordprocessingenvironmenttojustcutandpasteapplicableportionsofotherinformationassetsprotectiondocumentsthatapplytomoremultipleinformationenvironments.

Manyemployeeshavelostpatiencetryingtoreadthroughsuchlarge—andboring—documents.Let’sfaceit,evencybersecurityprofessionalsgetboredreadingcybersecuritydocuments.Ironically,somecybersecuritypersonnelneverreadtheentireseriesofcybersecurity-relateddocumentsunlesstheyhaveto,orunlesssomeoneembarrassesthembypointingoutthatthey(cybersecuritypersonnel)areviolatingtheirowncybersecurityrules!

Topic-orientedinformationassetsprotectionpolicydocumentscanbedeveloped,coordinated,andimplementedfaster.Inaddition,employeescaneasilydeterminewhichdirectivetosearchforguidancewithoutreadingvolumes.Also,onelargedirectivewouldbealmostconstantlyinastateofchangebecauseofvariousaspectsrequiringchangesatdifferenttimes.

Thecybersecurityofficerdirectedthat,asaminimum,individualinformationassetspolicydirectivesweretobeestablishedtoprovideguidancefortheprotectionofthefollowingcorporateinformationassets5:

•Overallinformationassetsprotection(CEO’ssignedletter);

•Informationvaluation,marking,storing,distribution,anddestruction;

•Informationprocessed,displayed,stored,andtransmittedbyinformationsystemsonthecorporation’sintranet;

•Thecorporation’stelecommunicationssystemsandvoicemail;

•Cellularphones,PDAs,andpagers;

•Faxmachines;

•Teleconferencing;

•Printersandscanners;

•Automatedmanufacturing;

•E-mail;

•Vital,automatedrecords;and

•Violationsofinformationassetsprotectionpolicies,procedures,andprocesses.

TheCorporateCyberSecurityProgramRequirementsandPolicyDirectiveThecorporationcybersecurityprogramdirectivesfollowedthestandardformatforthecorporationpoliciesandincludedthefollowing:

1.Introduction,whichincludedsomehistoryoftheneedforcybersecurityatthecorporation;

2.Purpose,whichdescribedwhythedocumentexisted;

3.Scope,whichdefinedthebreadthoftheDirective;

4.Responsibilities,whichdefinedandidentifiedtheresponsibilitiesatalllevels,includingexecutivemanagement,organizationalmanagers,systemscustodians,ITpersonnel,andusers.TheDirectivealsoincludedtherequirementsforcustomers’,subcontractors’,andvendors’accesstothecorporationsystemsandinformation.

5.Requirements,whichincludedtherequirementsfor:

a.Identifyingthevalueoftheinformation;

b.Accesstothecorporationsystems;

c.Accesstospecificapplicationsandfiles;

d.Audittrailsandtheirreview;

e.Reportingresponsibilitiesandactiontobetakenintheeventofanindicationofapossibleviolation;

f.Minimumprotectionforthehardware,firmware,andsoftware6;and

g.Cybersecurityproceduresatthecorporationdepartmentandlowerlevels.

PhysicalSecurityandCyberSecurityProgramPolicyThephysicalsecurityfunctionsforthemostpartfallundertheSecurityDepartment.ItwasagreedbytheDirectorofSecurityandthecybersecurityofficerthatthephysicalsecurityprogram,asitrelatedtocybersecurity,wastoremainunderthepurviewoftheSecurityDepartment;however,thoseaspectsrelatedtocybersecuritywouldbecoordinatedwiththecybersecurityofficerorhisorherdesignatedrepresentative.

Thetechnicalcountermeasuresprogramrelatingtoemanationsofsystems’signalsorcovertsignalsthatmaybeplacedinthecorporation’ssensitiveprocessingareashadbeen

initiallyplacedunderthepurviewofthecybersecurityofficer;however,theDirectorofSecurityapparentlybecameconcernedbecausethesystemspermeatethecorporation,whichappearedtogivethecybersecurityofficeragreatdealofauthority.

Thecybersecurityofficer’sauthority,whichtheDirectorequatedtopower,overphysicalsecurityasitrelatedtosystemsfacilitieswasrelinquishedbythecybersecurityofficer.Thecybersecurityofficer’srationalewas:

•ItshowedtheexecutivemanagementandtheDirectorofSecuritythatthecybersecurityofficerwasinterestedingettingthejobdonerightandnotwhohadtheauthoritytodoit;

•Thismove,coupledwiththecybersecurityproceduresresponsibilityplacedonthecorporatemanagement,gaveclearindicationstoeveryonethatthecybersecurityofficerwasinterestedingettingthejobdoneinacooperativeeffortinwhichcybersecurityresponsibilitiesbelongedtoeveryoneinatrueteameffort;and

•Ittookaheavyresponsibilityofftheshouldersofthecybersecurityofficer.Thecybersecurityofficerwasnolongerresponsibleforthephysicalsecurityaspects;thus,thecybersecurityofficer’sattentioncouldbedirectedtomoretechnicalaspectsofthecybersecurityprogram—thosemoreenjoyabletothecybersecurityofficer.

TheagreementreachedbythecybersecurityofficerandDirectorofSecuritywasfortheSecurityDepartmenttoberesponsiblefor:

•Controlofphysicalaccesstoinformationsystemsthroughoutthecorporation;

•Physicalaccesscontrolbadgereaderstoareascontainingsensitiveinformation-processingactivities;

•Physicaldisconnectsofallsystems-processinginformationsosensitivethattheinformationcouldnotbeprocessedoutsidespecifiedareas;

•Review,analyses,andactionrelatedtophysicalaccesscontrolaudittrails;and

•Controlofphysicalaccessofallvisitors,vendors,subcontractors,customers,andmaintenancepersonnelandtheescortingofsuchpersonnelintosensitiveinformation-processingareas.

TheCorporationCyberSecurityProgram—CyberSecurityProceduresOvertheyears,thecybersecurityofficerhashadexperienceinseveralthecorporations.Thecybersecurityofficerlearnedthatthebestwaytoprovideanupdatedcybersecurityprogramistobeginatthehighestlevelandworkdown.Thisformofinformationassetsprotectionevaluation,analysis,andimprovementisbasedonthefactthatinformationassetsprotectionisdrivenandmustbesupportedfromthetopdown.Therefore,thecybersecurityofficerbeganwiththeoverallcorporationassetsprotectionrequirements

(drivers),followedbytheinformationassetsprotectionpolicies.Oncetheywereinplace,thoserelatedproceduresthatwerealreadyinplacewereanalyzedandprojectsestablishedtoupdatethemanddevelopnewoneswhereneeded.

Eachinformationassetsprotectionpolicyrequirescompliancebythoseidentifiedinthepolicydirectives.Eachofthesedirectivesrequiresoneormoreprocedurestobeestablishedsothatthereisastandardmethodusedtosupportandimplementthepolicies,includingtheirspiritandintent.Theinformationassetsprotectiondirectivespreviouslydiscussedrequireprocedurestobeestablishedtocomplywiththosedirectives.Forexample,whatproceduresshouldbeusedtodeterminetheclassificationtobegivenapieceofinformation:corporation–tradesecret,corporation–sensitive,corporation–proprietary?Someproceduresmaybewrittenforeveryoneinthecorporationtofollow,whilevariousdepartmentsmaywriteothersbasedontheiruniqueinformationenvironments.

Therearevariousopinionsastohowbesttogoaboutdevelopingprocedures.Onecontinuestogettoamoredetailedlevelasonegoesfromrequirements(drivers)topoliciestoprocedures.Themainissueisthis:Ifthecybersecurityofficerestablishesaspecificproceduretocomplywithaspecificpolicy,whichinturnassistsinmeetingthecorporationgoalsasstatedinthecorporatestrategicbusinessplan,tacticalbusinessplan,andannualbusinessplan,theproceduresmaynotbepracticalinoneortwoofthecorporation’sdepartments.Thedepartmentheadmaysostateandmayaskforawaiversayingthattheycanstillcomplyiftheyhaveadifferentprocedurethattakesintoaccounttheiruniqueworkinginformationenvironment.Theremaybemorethanonedepartmentwithsimilarcomplaints.So,howdoesthecybersecurityofficerensurethatpeoplearefollowingproperinformationassetsprotectionprocedurestocomplywiththeinformationassetsprotectionpolicies?

Thecybersecurityofficerhasfoundthatthebestwaytodothisatthecorporationistorequirethattheindividualdepartmentsestablish,implement,andmaintaintheirownsetofinformationassetsprotectionproceduresthatcomplywiththepolicies.Thishasseveralbenefits:

•Havingeachdepartmentwriteitsownprocedureshelpsenforcethephilosophythatinformationassetsprotectioniseveryone’sresponsibility.

•Therewillbefewercomplaintsandrequestsforwaiversbecauseoneormoreofthecorporation’sdepartmentscannotcomplywiththeproceduresaswrittenbythecybersecurityofficer’sstaff.Thisbenefitsthecybersecurityofficer,astrackingwaiversmayturnintoanightmare—whohaswhatwaivers,why,andforhowlong.

•Thedepartmentscandevelopproceduresthatmeettheiruniqueconditionsandbecauseofthat,theproceduresshouldbemorecost-effective.

•Thecybersecurityofficerandhisorherstaffwillsavetimeandeffortinwritingandmaintaininginformationassetsprotectionprocedures.Tobeblunt—it’sthedepartments’problem.However,thecybersecurityofficerhasofferedtomakecyber

securitystaffavailabletoanswerquestionsandtoprovideadviceastowhatshouldbeinthedocuments.Thiswasdoneinthespiritofprovidingserviceandsupporttothecorporationemployees.Theliaisoncontactforthecybersecurityofficerwouldofcoursebethecybersecuritypolicyspecialist.

Thequestionthenaroseastohowthecybersecurityofficercouldbesurethattheprocedureswrittenbyeachdepartmentmeetthespiritandintentofthepolicies.Twomethodswereidentified:

•Thecybersecuritystaff,aspartoftheirriskmanagementprocesses,wouldconductlimitedriskassessmentsurveys,andaspartofthosesurveys,theprocedureswouldbereviewed.Thelimitedriskassessmentswouldindicatehowwelltheproceduresinplacehelpprotectthecorporationinformationassetsunderthecontrolofeachdepartmentorsuborganization.

•Thecorporation’sauditstaffwouldcomparetheprocedureswiththepoliciesduringtheirroutineaudits.TheDirectorofAuditsagreedtoconductsuchreviews,sincethatdepartmentisresponsibleforauditingcompliancewithfederal,state,andlocallawsandregulationsandthecorporation’spoliciesandproceduresanyway.Italsohelpedthatsincethecybersecurityofficer’sarrival,thecybersecurityofficerandtheDirectorofAuditsmetandagreedtomonthlymeetingstoshareinformationofmutualconcern.Thecybersecurityofficerlearnedlongagothatcybersecuritypersonnelhaveveryfewtruesupportersinhelpingthemtogetthejobdone,butauditorswereoneofthem.

Procedures,alongwiththeirrelatedprocesses,aretheheartofacybersecurityprogrambecausetheyprovidethestep-by-stepapproachforemployeesastohowtodotheirworkandalsoensuretheprotectionofcorporateinformationassets.Andifthedepartmentswritetheirownprocedures,theybecomeactivelyinvolvedasvaluableteammembersintheprocessofprotectingthecorporation’svaluableinformationassets.

CyberSecurityOfficerThoughtProcessinEstablishingtheCyberSecurityOrganizationThecybersecurityofficeralsoknewthatastaffofcybersecurityspecialistswouldberequiredbecauseofthelargesizeandgeographicallocationsofthecorporationsystemsandassociatedfacilities.Whatthecybersecurityofficerhadtodeterminewashowmanyspecialistsandwhattypeswereneededandhowthecybersecurityofficer’sorganizationshouldbestructured.Althoughtherewasagroupofcybersecurityspecialiststhatmadeupthecorporation’scybersecurityorganizationthatthecybersecurityofficerinherited,theyweredisorganizedandhadbeensortof“throwntogether”bythepreviouscybersecurityofficer,whowasnotemployedlongenoughtogetaroundtoproperlyorganizingthegroup.

Thecorporationcybersecurityofficermust,inparalleltoestablishingacybersecurityprogrambaseline,alsobeginthetaskofestablishingacybersecurityprogram-relatedorganization.Thecybersecurityofficerdecidedthatthesolepurposeoftheorganizationwastoleadandsupportthecybersecurityprogram.Therefore,thecybersecurityofficerintendedtoprovidean“umbilicalcord”betweenthecybersecurityprogramandthecybersecurityofficer’sorganization.Afterall,withoutsomeformofcybersecurityprogram,nocybersecurityorganizationwouldbenecessary.Indoingso,thecybersecurityofficerneededtounderstand:

•Thelimitsofauthority,

•Theamountofbudgetavailable,and

•Theimpactofestablishingacybersecurityprogramonthecorporation—theculturechange.

Thecybersecurityofficeralsohadtodeterminehowtofindqualifiedpeoplewhocouldbuildandmaintainacost-effectivecybersecurityprogram.Thestaffmustalsobeabletodevelopintoacybersecurityteaminwhicheveryoneactsandistreatedasaprofessional.Thecorporationcybersecurityofficerwantedagroupofcybersecurityprofessionalswhowereverytalented,yetcouldleavetheiregosatthedoorwhentheycametowork(notaneasytaskforverytalentedpeople).

Thecybersecurityofficeralsohadtoconsiderthatbuildinganempireandamassive,bureaucraticorganizationwouldnotonlygivethewrongimpressiontothecorporationmanagement,butwouldalsobecostly.Furthermore,thecybersecurityofficerhadtobuildanefficientandeffectivecybersecurityorganization,asrequiredbythecorporationandasstatedinthenumerousplans.Afterall,wasn’tthatoneoftheimpliedconditionsofemployment?

Buildingabureaucracyleadstocumbersomeprocesses,whichleadtoslowdecisioncycles,whichcausethecybersecurityprogramtohaveanadverseimpactoncostsandschedules,whichleadstoacybersecurityprogramthatdoesnotprovidetheservicesandsupportneededbythecompany.Thissnowballingeffect,oncestarted,wouldbedifficult

tostop.Andifstopped,itwouldrequiretwiceaslongtorebuildtheserviceandsupportreputationofthecybersecurityofficer,thecybersecuritystaff,andthecybersecurityprogram.

Indevelopingthecybersecurityprogramorganization,thecybersecurityofficeralsohadtobearinmindallthatwasdiscussedwiththecorporatemanagementandwhatwaspromised.Theseincluded:

•Thecorporation’shistory,business,andcompetitiveenvironment;

•Mission,vision,andqualitystatements;

•Thecorporationandcybersecurityprogramplans;and

•Theneedfordevelopingacybersecurityprogramasquicklyaspossible,fortheworkwillnotwaituntilthecybersecurityofficerisfullyprepared.

DeterminingtheNeedforCyberSecuritySubordinateOrganizationsThecybersecurityofficermustdeterminewhethersubordinatecybersecurityorganizationsareneeded.Ifso,afunctionalworkbreakdownstructuremustbedevelopedtodeterminehowmanysubordinateorganizationsareneededandwhatfunctionsshouldbeintegratedintowhatsubordinateorganizations.

Thecorporation’scybersecurityofficerreviewedthecybersecurityofficer’scharterandcybersecurityprogramfocuspreviouslyagreedtobythecybersecurityofficerandexecutivemanagement.Thatcharterincludedthefollowingcybersecurityprogramfunctions:

•Requirements,policies,procedures,andplans;

•Hardware,firmware,andsoftwarecybersecurityevaluations;

•Technicalsecuritycountermeasures(functionsubsequentlytransferredtotheSecurityDepartment);

•Cybersecuritytestsandevaluations;

•Informationsystemprocessingapprovals;

•Accesscontrol;

•Noncomplianceinquiries;

•Telecommunicationssecurity;

•Riskmanagement;

•Awarenessandtraining;and

•Disasterrecovery/contingencyplanning.

Thecybersecurityofficeranalyzedtheplans,functions,numberofsystems,andnumberofusersanddeterminedthattwosubordinateorganizationswouldbeneededtoprovidetheminimumcybersecurityprogramprofessionalservicesandsupport.

Actually,thecybersecurityofficerthoughtofdividingthefunctionsintothreeorganizations,buttheneedforoneofthosewasborderline.Also,havingthreesuborganizationsmightgivethewrongimpressiontoothersinthecorporation(onemustalwaysrememberperceptionsandappearanceswhenbuildingacybersecurityprogramandorganization).Itwouldalsoprovideanotherlevelofadministrativeoverheadburdenthatwouldnotbecost-effective.Thecybersecurityofficerreasonedthatthetwosubordinateorganizationswouldsufficefornow;theorganizationscouldbereevaluatedattheendofthefirstyear’soperation.

ThecybersecurityofficerdecidedtobrieftheCIO(theboss)ontheplan.TheCIOthoughtitwasreasonable,butwonderedhowthecybersecurityofficerwouldhandletheoff-sitelocationsintheUnitedStates,Europe,andAsia.

Aswithanygoodplan,nothingeverrunscompletelyasexpected.Beinganhonestandstraightforwardcybersecurityofficer,theonlylogicalcomebackwas“Huh?”TheCIOwentontoexplainthattheirgloballocationsaremanufacturingsitesmakingfinalorsubassembliesofthewidgetsandshippingthemtothemainplantorglobalcustomers,asapplicable.

ThecybersecurityofficeraskedtheCIOhowotherorganizationshandledtheoff-site.TheCIOexplainedthattheyhavesmaller,satelliteofficestoprovidetheserviceandsupportneededatthatlocation.Thecybersecurityofficerdeterminedthatbeforedecidingontheneedforasatelliteoffice,theproblemshouldbefurtherevaluated.ThecybersecurityofficerexplainedtotheCIOthattheevaluationwouldbeconductedwithinaweekandadecisionmadeatthattime.

Thecybersecurityofficersubsequentlydeterminedthattoprovidequalityservicesandsupporttotheoff-sitelocations,smallcybersecurityorganizationswithdedicatedstaffshouldbeinplaceatallfacilities.Thiswouldreplacethecurrentstaff,who,asanadditionaldutyassignedbyon-sitefacilityexecutivemanagers,hadtoserveaspart-timecybersecuritypersons.Thisdecisionwasbasedonseveralconsiderations:

•Conversationswithmanagersofotherorganizationswhohadsatelliteofficesattheoff-sitelocation,relativetohowtheyhandledtheproblem;

•Conversationswithmanagersofotherorganizationswhodidnothavesatelliteofficesattheoff-sitelocation,astohowtheyhandledtheserviceandsupportrequirements;

•Conversationswithoff-sitefacilityexecutivemanagers;

•Ananalysisoftheoff-sitelocations’informationsystemsconfigurationsandprocessing;

•Informationflowprocesses;and

•Thecybersecurityprogramneedsofeachlocation.

Basedontheanalysis,thecybersecurityofficerdeterminedthatcybersecurityprogramsatelliteofficeswereindeednecessary,butsomefunctionscouldbesupportedfromthecorporateoffice,suchasriskmanagement,policydevelopment,andrequirements.

ThecybersecurityofficerinformedtheCIOofthedecisionandthebasisforthedecision,emphasizingitscost-effectiveness.TheCIOagreedbasedonthebusinesslogicshownbythecybersecurityofficer,theminimalnumberofcybersecuritystaffneeded,andwhattheCIOsensedasthecybersecurityofficer’sstrongcommitmenttothecybersecurityprogramusingalowestcost/minimumriskapproach.

Thenumberofpeopleinanyworkinggrouptendstoincreaseregardlessoftheamountofworktobedone

CyrilNorthcoteParkinson7

DevelopingtheCyberSecurityProgramOrganizationStructureBasedonthecybersecurityofficer’sanalyses,thecybersecurityofficerestablishedthecybersecurityprogramorganization—atleastonpaper.

Thecybersecurityofficerfoundthatestablishingthecybersecurityprogramorganizationtodatehadbeentheeasypart.Nowcamethebureaucracyofcoordinatingandgainingapprovalofthecybersecurityprogramorganizationfromthedesignatedorganizations,suchasorganizationalplanning,HR,andfacilities,aswellascompletingtheirandotherorganizations’forms.8

Awordofcautiontothecybersecurityofficer:Someserviceandsupportorganizationsaremoreinterestedinpropercompletionoftheadministrativebureaucracythaninhelpingtheirinternalcustomers.Justgrinandbearit.Youcan’tchangeit,exceptovertime,andnowisnotthetime.Thepriorityisgettingthecybersecurityprogramandthecybersecurityorganizationofftheground.Concentrateonthatpriority.

DevelopingtheCyberSecurityProgramSubordinateOrganizationsThecybersecurityofficerdeterminedthatthesubordinateorganizationsmustalsohavechartersthatidentifythecybersecurityprogramfunctionsthataretobeperformedbythestaffofthoseorganizations.Thecybersecurityofficerfurtherdeterminedthattorecruitmanagersforthesubordinateorganizationswaspremature.Thecybersecurityofficerreasonedthatwhatwasneededfirstwasprofessionalcybersecuritypersonnelwhocouldbegintheactualprogramwork.Thecybersecurityofficerwouldmanagealltheorganizationsuntilsuchtimeastheworkloadandcost-effectivenessconsiderationsdeterminedthatasubordinatemanagerormanagerswereneeded.Basedontheworktobeperformed,andtheanalysesdiscussedabove,thecybersecurityofficerdevelopedthe

chartersforthesubordinateorganizations.Intheinterim,thecybersecurityofficerusedamatrixmanagementapproachwiththeoff-sitefacilitymanagerswhowereresponsibletotheCIOforoverallinformationandinformationsystemsmanagement.

ResponsibilitiesofCyberSecurityProgramSubordinateOrganizations

CyberSecurityProgramAccessControlandComplianceThecybersecurityofficeristheactingmanagerofthecybersecurityprogramAccessControlandCompliancesubordinateorganization.

Thefollowingisthesummaryoftheposition:

Providethemanagementanddirectionandconductanalysesrequiredtoprotectinformationprocessedonthecorporation’sinformationsystemsfromunauthorizedaccess,disclosure,misuse,modification,manipulation,ordestruction,aswellasimplementingandmaintainingappropriateinformationandinformationsystemsaccesscontrols;conductnoncomplianceinquiries;andmaintainviolationstrackingsystems.9

Detailedaccountabilitiesinclude:

1.Implement,administer,andmaintainuseraccesscontrolsystemsbyprovidingcontrols,processes,andprocedurestopreventtheunauthorizedaccess,modification,disclosure,misuse,manipulation,ordestructionofthecorporation’sinformation.

2.Monitoruseraccesscontrolsystemstoprovidefortheidentification,inquiry,andreportingofaccesscontrolviolations.Analyzesystemaccesscontrolviolationdataandtrendstodeterminepotentialsystems’securityweaknessesandreporttomanagement.

3.Conductinquiriesintocybersecurityprogramviolations/incidentsandrelatedcybersecurityprogrambusinesspractices,corporationpolicies,andprocedures.Identifytheexposures/compromisescreated,andrecommendtomanagementcorrectiveandpreventiveactions.

4.Direct,monitor,andguidethecybersecurityprogramactivitiesofthecorporation’saccesscontrolsupportgroupsandsystemstoensureadequateimplementationofaccesscontrolsystemsinmeetingcybersecurityprogramrequirements.

5.Establishandmanageaninformationsystemsdefensivesystem,includingfirewallsandrelatedintrusiondetectionsystems.

6.Provideadviceonandassistancewiththeinterpretationandimplementationofcybersecurityprogrampoliciesandprocedures,contractualcybersecurityprogramrequirements,andrelateddocuments.

CyberSecurityProgramPolicyandRiskManagementThecybersecurityofficeristheactingmanagerofthecybersecurityprogramPolicyand

RiskManagementsubordinateorganization.


Providethemanagementanddirectionanddevelop,implement,andmaintaincybersecurityprogrampoliciesandprocedures,awareness,disasterrecoveryandcontingencyplanning,cybersecurityprogramsystemlifecycleprocesses,cybersecuritytestsandevaluations,riskmanagement,andcybersecurityprogramtechnicalsecurityandrelatedprogramstoprotectthecorporationsystemsandinformation.


1.Identifyallcybersecurityprogramrequirementsneededanddevelopthecorporatepoliciesandproceduresnecessarytoensureconformancetothoserequirements.

2.Evaluateallhardware,software,andfirmwaretoensureconformancetocybersecurityprogrampoliciesandprocedures,recommendmodificationswhennotinconformance,andapprovethemwheninconformance.

3.Establishandadministeracybersecuritytestsandevaluationsprogramtoensurecompliancewithsystems’securitydocumentationandapplicablecybersecurityprogramrequirements.

4.Establish,implement,andmaintainacybersecuritytechnicalprogramtoidentifyallelectronicthreatsandmitigatethosethreatsinacost-effectivemanner.

5.Establishandmaintainacybersecurityawarenessprogramtoensurethatthecorporationmanagementandusersarecognizantofcybersecurityprogrampolicies,procedures,andrequirementsfortheprotectionofsystemsandinformationandtheirrelatedthreats.

6.Develop,implement,andadministerariskmanagementprogramtoidentifyandassessthreats,vulnerabilities,andrisksassociatedwiththeinformationforwhichthecorporationhasresponsibilityandrecommendcost-effectivemodificationstothecybersecurityprogram,systems,andprocesses.

7.Establishandmaintainadisasterrecovery/contingencyplanningprogramthatwillmitigatecybersecurityprogram,corporationinformation,andsystems’lossesandensurethesuccessfulrecoveryoftheinformationandsystemswithminimalimpactonthecorporation.

Off-SiteCyberSecurityProgramOrganizationsThecybersecurityofficerisalsotheactingmanageroftheoff-sitecybersecurityprogramsubordinateorganizations.However,thecybersecurityofficerhasdeterminedthatitwillbenecessarytoappointapersonasasupervisortomanagetheday-to-dayoperationsoftheoff-sitecybersecurityprogram.Atthesametime,therearenotenoughpersonnel,asstatedbyHR,toappointamanagerateachoff-sitelocation.However,thesupervisorhasauthoritytomakedecisionsrelatedtothatactivity,withseveralexceptions.Thesupervisor

cannotcounselthecybersecurityprogramstaff,evaluatetheirperformance(excepttoprovideinputtothecybersecurityprogrammanager),makenewcybersecurityprogrampolicy,ormanagebudgets.


Implement,maintain,andadministeracybersecurityprogramforthecorporateresourcesattheoff-sitelocationandtaketheactionsnecessarytoensurecompliancewiththecybersecurityprogramrequirements,policies,andprocedurestoprotectthecorporation’sinformationfromcompromise,destruction,and/orunauthorizedmanipulation.10


1.Implementandadministerthecorporation’splans,policies,andproceduresnecessarytoensurecompliancewithstatedthecorporation’scybersecurityprogramrequirementsfortheprotectionofallinformationprocessed,stored,and/ortransmittedonthecorporation’sinformationsystems.

2.Administeracybersecuritytestsandevaluationsprogramtoensurethatallthecorporation’sinformationsystemsareoperatedinaccordancewithappropriatecybersecurityprogramrequirementsandcontractspecifications.

3.Administerandmonitorthelocaluseofthecorporation’sinformationsystemsaccesscontrolsoftwaresystems,analyzeallinfractions/violations,anddocumentandreporttheresultsofquestionableuseractivityforcybersecurityprograminquiries.

4.Identifyinformationsystems’businesspracticeirregularitiesandsecurityviolations/infractions;conductdetailedinquiries;assesspotentialdamage;monitorthecorporationmanagement’scorrectiveaction;andrecommendpreventivemeasurestoprecluderecurrences.

5.Administeracybersecurityeducationandtrainingawarenessprogramforallthecorporatemanagersandusersofthecorporation’sinformationsystemstoensuretheyarecognizantofinformationsystems’threatsandareawareofthecybersecurityprogrampolicies/proceduresnecessaryfortheprotectionofinformationandinformationsystems.

6.Representthecybersecurityprogrammanagerrelativetoallapplicablecorporationcybersecurityprogrammattersastheyapplytopersonnel,resources,andoperationsattheoff-sitelocation.

7.Provideadvice,guidance,andassistancetomanagement,systemusers,andsystems’custodiansrelativetocybersecurityprogrammatters.

8.Performotherfunctionsasdesignatedordelegatedbythecybersecurityprogrammanager.

CyberSecurityJobDescriptions

Afterestablishingandgainingfinalapprovalforthecybersecurityorganization,andwhiletryingtobeginestablishingaformal,centralizedcybersecurityprogram,thecybersecurityofficerdetermineditwasnowtimetobeginhiringsomecybersecurityprofessionals.

However,beforethatcouldbeaccomplished,andinaccordancewiththecorporationorganizationaldevelopmentandHRrequirements,acybersecurityjobfamilyfirsthadtobeestablished.Afterall,thecorporation,beingahigh-tech,moderncorporation,requiresthatemployeesbeassignedtocareerfamiliestosupporttheircareerdevelopmentprogramasdirectedbytheHRDepartment.And,unfortunately,itseemsthatcybersecurityfunctionshaveneverbeenaformalpartofthecorporation.Therefore,therearenojobfamiliesthatseemtomeettheneedsofthecybersecurityprogramfunctions.

ThecybersecurityofficerandtheHRrepresentativediscussedthematterandagreedthatthecybersecurityofficerwouldwritethecybersecurityfunctionaljobfamilydescriptions.Thecybersecurityofficerwastoldthattheymustbegeneric,sotheyareflexibleenoughtosupportseveralcybersecurityjobfunctionswithineachlevelofthejobfamily.TheHRrepresentativeadvisedthecybersecurityofficerthatthisisnecessarytoensuretheflexibilityneededforrecruiting,hiring,andsubsequentcareerdevelopmentofthecybersecurityprofessionals.Also,itwouldstreamlinetheprocessandensurethatthenumberofcybersecurityjobfamilypositiondescriptionscouldbekepttoaminimum,thusalsodecreasingbureaucracyandpaperwork.

Attheconclusionofthemeeting,theHRrepresentativeprovidedthecybersecurityofficerwiththejobdescriptionsforthesecurity,auditor,andITjobfamily.Alsoprovidedwereseveralformsthathadtobecompletedwhensubmittingthecybersecurityjobfamilydescriptions,aswellasformstobeusedfordocumentingeachjobfamilydescriptionbygradelevel.

Armedwiththechallengesofthisnewonslaughtofbureaucraticpaper,andbiddingadieutothesmilingHRrepresentative,thecybersecurityofficerheadedbacktotheofficetobeginthetaskofwritingthecorporation’scybersecurityjobfamilyassampledescriptions(whilewonderingwhentherewouldbetimetodorealcybersecurityprogramwork).

Afterreviewingtheprovidedjobdescriptionsandreadingthepaperworkneededtomakethisallhappen,thecybersecurityofficerwroteandprovidedtheHRrepresentativewiththefunctiondescriptionsofthecybersecurityjobfamily!Afterseveraliterationsandcompromises,andapprovalsthroughachainoforganizationalstaffs,thejobfamilywasapproved.

CyberSecurityJobFamilyFunctionalDescriptionsThefollowingdetailedcybersecurityjobfamilyfunctionaldescriptionsweredevelopedandapprovedbytheapplicablecorporationdepartments:

1.SystemsSecurityAdministrator

Positionsummary:Providealltechnicaladministrativesupportforthecybersecurityorganization.

Dutiesandresponsibilities:

a.Filing.

b.Typingreportsandotherwordprocessingprojects.

c.Developingrelatedspreadsheets,databases,andtext/graphicpresentations.

Qualifications:Highschooldiploma,1 yearofsecurityadministrationor2 yearsofclericalexperience.Musttypeatleast60wordsperminute.

2.SystemSecurityAnalystAssociate

Positionsummary:Assistandsupportcybersecuritystaffinensuringallapplicablecorporationcybersecurityprogramrequirementsaremet.

Dutiesandresponsibilities

a.Supporttheimplementationandadministrationofcybersecuritysoftwaresystems.

b.Provideadvice,guidance,andassistancetosystemusersrelativetocybersecurityprogrammatters.

c.Identifycurrentcybersecurityprogramandcybersecurityfunctionalprocessesandassistinthedevelopmentofautomatedtoolstosupportthosefunctions.

d.Assistintheanalysisofmanualcybersecurityprogramandcybersecurityfunctionsandprovideinputtorecommendationsandreportsoftheanalysestothecybersecurityofficer.

e.Maintain,modify,andenhanceautomatedcybersecurityfunctionalsystemsofcybersecuritytestsandevaluations,riskassessments,software/hardwareevaluations,accesscontrol,andotherrelatedsystems.

f.Collect,compile,andgeneratecybersecurityprogramfunctionalinformationalreportsandbriefingpackagesforpresentationtocustomersandmanagement.

g.Performotherfunctionsasassignedbythecybersecurityofficerandcybersecuritymanagement.

Positionrequiresbeingassignedtoperformdutiesinoneormoreofthefollowingareas:

•Accesscontrol—Maintainbasicuseraccesscontrolsystemsbyprovidingprocessesandprocedurestopreventunauthorizedaccessorthedestructionofinformation.

•Accesscontrol/technicalaccesscontrolsoftware—Assistaccesscontrolsupportgroupsandsystemsbyprovidingsoftwaretoolsandguidancetoensureadequate

implementationofaccesscontrolsystemsinmeetingcybersecurityprogramrequirements,aswellasdefensivesystemssuchasfirewallsandrelatedintrusiondetectionsystems.

•Accesscontrol/violationsanalysis—Monitortheuseofthecorporationaccesscontrolsoftwaresystems;identifyallcybersecuritysystemsinfractions/violations;documentandreporttheresultsofquestionableuserandsystemactivityforcybersecurityprograminquiries.

•Cybersecuritytestsandevaluation/cybersecurityprogramsystemsdocumentation—Conductcybersecuritytestsandevaluationsonstand-alone(nonnetworked)systemstoensurethatthesystemsareprocessinginaccordancewithapplicablecybersecurityprogram-approvedprocedures.

Qualifications:Thispositionnormallyrequiresabachelor’sdegreeinacybersecurity-relatedprofession.

3.SystemsSecurityAnalyst

Positionsummary:Identify,schedule,administer,andperformassignedtechnicalcybersecurityanalysisfunctionstoensureallapplicablerequirementsaremet.


a.Representcybersecurityprogramtootherorganizationsonselectcybersecurityprogram-relatedmatters.

b.Provideadvice,guidance,andassistancetomanagers,systemusers,andsystemcustodiansrelativetocybersecurityprogrammatters.

c.Providegeneraladviceandassistanceintheinterpretationofcybersecurityprogramrequirements.

d.Identifyallcybersecurityprogramrequirementsnecessaryfortheprotectionofallinformationprocessed,stored,and/ortransmittedbytheinformationsystems;developandimplementplans,policies,andproceduresnecessarytoensurecompliance.

e.Identifycurrentcybersecurityprogramfunctionalprocessesanddevelopautomatedtoolstosupportthosefunctions.

f.Analyzemanualcybersecurityprogramfunctionsandproviderecommendationsandreportsoftheanalysestocybersecuritymanagement.

g.Maintain,modify,andenhanceautomatedcybersecurityprogramfunctionalsystemsofcybersecuritytestsandevaluations,riskassessments,software/hardwareevaluations,accesscontrol,andotherrelatedsystems.

h.Collect,compile,andgeneratecybersecurityprogramfunctioninformationalreportsandbriefingpackagesforpresentationtocustomersandmanagement.

i.Performotherfunctionsasassignedbycybersecuritymanagement.

Positionrequiresbeingassignedtoperformdutiesinthefollowingareas:

•Accesscontrol/technicalaccesscontrolsoftware—Administerandmaintainuseraccesscontrolsystemsbyprovidingcontrols,processes,andprocedurestopreventtheunauthorizedaccess,modification,disclosure,misuse,manipulation,ordestructionofthecorporation’sinformation,aswellasdefensivesystemssuchasfirewallsandrelatedintrusiondetectionsystems.

•Accesscontrol/violationsanalysis—Administerandmonitortheuseofthecorporation’saccesscontrolsoftwaresystems;analyzeallsystemscybersecurityprograminfractions/violations;documentandreporttheresultsofquestionableuserandsystemactivityforcybersecurityprograminquiries.

•Noncomplianceinquiry—Identifyandanalyzecybersecurityprogrambusinesspracticeirregularitiesandcybersecurityprogramviolations/infractions;conductdetailedinquiries;assesspotentialdamage;monitorcorrectiveaction;andrecommendpreventive,cost-effectivemeasurestoprecluderecurrences.

•Riskassessment—Performlimitedriskassessmentsofcybersecurityprogramsystemsandprocesses;determinetheirthreats,vulnerabilities,andrisks;andrecommendcost-effectiveriskmitigationsolutions.

•Cybersecuritytestsandevaluation/cybersecurityprogramsystemdocumentation—Scheduleandconductcybersecurityprogramtestsandevaluationsonstand-alone(nonnetworked)systemstoensurethatthesystemsareprocessinginaccordancewithapplicablecybersecurityprogram-approvedprocedures.

Qualifications:Thisclassificationnormallyrequiresabachelor’sdegreeinacyber

security-relatedprofessionandatleast2 yearsofpracticalexperience.4.SystemSecurityAnalystSenior

Positionsummary:Identify,evaluate,conduct,schedule,andleadtechnicalcybersecurityanalysisfunctionstoensurethatallapplicablecorporationcybersecurityprogramrequirementsaremet.


a.Providetechnicalanalysisofcybersecurityprogramrequirementsnecessaryfortheprotectionofallinformationprocessed,stored,and/ortransmittedbysystems;interpretthoserequirements;andtranslate,implement,andadministerdivisionplans,policies,andproceduresnecessarytoensurecompliance.

b.Representcybersecurityprogramonsecuritymatterswithotherentitiesasassigned.

c.Provideadvice,guidance,andassistancetoseniormanagement,systemmanagers,andsystemusersandcustodiansrelativetocybersecurityprogrammatters.

d.Performotherfunctionsasassignedbycybersecuritymanagement.

Positionrequiresbeingassignedtoperformdutiesinthefollowingareas:

•Accesscontrol/technicalaccesscontrolsoftware—Implement,administer,andmaintainsystems’useraccesscontrolsystemsthroughtheuseofcontrols,processes,andprocedurestopreventtheirunauthorizedaccess,modification,disclosure,misuse,manipulation,and/ordestruction,aswellasdefensivesystemssuchasfirewallsandrelatedintrusiondetectionsystems.

•Accesscontrol/violationsanalysis—Coordinate,administer,andmonitortheuseofsystems’accesscontrolsystems;analyzesystemssecurityinfractions/violationsemployingstatisticalandtrendanalysesandreporttheresults.

•Cybersecurityprogramawareness—Prepare,schedule,andpresentcybersecurityprogramawarenessbriefingstosystemsmanagers,custodians,andusers.Actasfocalpointfordisseminationofcybersecurityprograminformationthroughallformsofmedia.

•Disasterrecovery—Coordinateandensurecompliancewithsystemdisasterrecovery/contingencyplanstoensuretherapidrecoveryofsystemsintheeventofanemergencyordisaster.

•Hardwareandsoftwarecybersecurityprogramevaluations—Evaluateallhardware,firmware,andsoftwareforimpactonthecybersecurityprogramofthesystems;monitorandensuretheirmodificationifrequirementsarenotmet;andauthorizetheirpurchaseandusewithinthecorporation.

•Noncomplianceinquiry—Identifyandconducttechnicalanalysesofcybersecurityprogrambusinesspracticesandviolations/infractions;plan,coordinate,andconductdetailedinquiries;assesspotentialdamage;anddevelopandimplementcorrectiveactionplans.

•Riskassessments—Conductlimitedcybersecuritytechnicalriskassessments;preparereportsoftheresultsforpresentationtomanagement.

•Cybersecuritytestsandevaluations/cybersecurityprogramdocumentation—Scheduleandconductcybersecuritytestsandevaluationstoensurethatalltheapplicablesystemsareoperatinginaccordancewithcybersecurityprogramrequirements.

•Technicalcountermeasures—Conducttechnicalsurveysanddeterminenecessarycountermeasuresrelatedtophysicalinformationleakage;conductsoundattenuationteststoensurethatinformationprocessingsystemsdonotemanateinformationbeyondthecorporation’szoneofcontrol.


security-relatedprofessionand4 yearsofpractical,relatedexperience.

5.SystemSecurityAnalystSpecialist

Positionsummary:Actastechnicalcybersecurityprogramadvisor,focalpoint,andleadtoensureallcybersecurityprogramfunctionsaremeetingthecorporationrequirements,aswellasdevelopingandadministeringapplicableprograms.

Dutiesandresponsibilities:

a.Actastechnicaladvisorforcybersecurityprogramrequirementsnecessaryfortheprotectionofallinformationprocessed,stored,and/ortransmittedbysystems;interpretthoserequirements;andtranslate,document,implement,andadministerthecorporationcybersecurityprogramplans,policies,andproceduresnecessarytoensurecompliance.

b.Representcybersecurityprogramonsecuritymatterswithotherentitiesasassigned.

c.Provideadvice,guidance,andassistancetoseniormanagement,ITmanagers,systemusers,andsystemcustodiansrelativetocybersecurityprogrammatters.

d.Performotherfunctionsasassignedbycybersecuritymanagement.

Positionrequiresbeingassignedtoperformdutiesinacombinationofthefollowingareas:

•Accesscontrol/technicalaccesscontrolsoftware—Implement,administer,andmaintainsystems’useraccesscontrolsystemsthroughtheuseofcontrols,processes,andprocedurestopreventtheirunauthorizedaccess,modification,disclosure,misuse,manipulation,and/ordestruction,aswellasdefensivesystemssuchasfirewallsandrelatedintrusiondetectionsystems.

•Cybersecurityprogramawareness—Prepare,schedule,andpresentcybersecurityprogramawarenessbriefingstosystemmanagers,custodians,andusers.Actasfocalpointfordisseminationofcybersecurityprograminformationthroughallformsofmedia.

•Disasterrecovery—Coordinateandensurecompliancewithsystemdisasterrecovery/contingencyplanstoensuretherapidrecoveryofsystemsintheeventofanemergencyordisaster.

•Hardwareandsoftwarecybersecurityprogramevaluations—Evaluateallhardware,firmware,andsoftwareforimpactonthecybersecurityprogramofthesystems;monitorandensuretheirmodificationifrequirementsarenotmet;andauthorizetheirpurchaseandusewithinthecorporation.

•Riskassessments—Conductlimitedcybersecurityprogramtechnicalriskassessments;preparereportsoftheresultsforpresentationtomanagement.

•Cybersecuritytestsandevaluations/cybersecurityprogramdocumentation—Scheduleandconductcybersecuritytestsandevaluationstoensurethatalltheapplicablesystemsareoperatinginaccordancewithcybersecurityprogramrequirements.

•Technicalcountermeasures—Conducttechnicalsurveysanddeterminenecessarycountermeasuresrelatedtophysicalinformationleakage;conductsoundattenuationteststoensurethatinformationprocessingsystemsdonotemanateinformationbeyondthecorporation’szoneofcontrol.


securityprogram-relatedprofessionand6 yearsofcybersecurityprogramexperience.6.SystemSecurityEngineer

Positionsummary:Actasatechnicalsystemsmanagementconsultant,focalpoint,andprojectleadforcybersecurityprogramfunctionsandprogramsdevelopedtoensurethecorporation’srequirementsaremet.


a.Actasaleadintheidentificationofgovernment,customers,andcorporationcybersecurityprogramrequirementsnecessaryfortheprotectionofinformationprocessed,stored,and/ortransmittedbythecorporation’ssystems;interpretthoserequirements;anddevelop,implement,andadministerthecorporationcybersecurityprogramplans,policies,andproceduresnecessarytoensurecompliance.

b.Representthecybersecurityprogramoffice,whenapplicable,oncybersecurityprogrammattersaswellasservingasthecorporation’sliaisonwithcustomers,governmentagencies,suppliers,andotheroutsideentities.

c.Provideadvice,guidance,andassistancetoseniorandexecutivemanagement,thecorporation’ssubcontractors,andgovernmententitiesrelativetocybersecurityprogrammatters.

d.Providetechnicalconsultation,guidance,andassistancetomanagement,systemsusers,andcybersecurityprogramsoftwaresystemsbyprovidingcontrols,processes,andprocedures.

e.Establish,direct,coordinate,andmaintainadisasterrecovery/contingencyprogramforthecorporationthatwillmitigatesystemsandinformationlossesandensurethesuccessfulrecoveryofthesystemandinformationwithminimalimpactonthecorporation.

f.Actasleadforthetechnicalevaluationandtestingofhardware,firmware,andsoftwareforimpactonthesecurityofthesystems;directandensuretheirmodificationifrequirementsarenotmet;authorizetheirpurchaseandusewithinthecorporationandapprovethemwheninconformance.

g.Developordirectthedevelopmentoforiginaltechniques,procedures,andutilitiesforconductingcybersecurityprogramriskassessments;scheduleandconductcybersecurityprogramriskassessmentsandreportresultstomanagement.

h.Directand/orleadothersinconductingtechnicalcybersecurityprogram

countermeasuresurveystosupportcybersecurityprogramrequirementsandreportfindings.

i.Directandadministercybersecuritytestsandevaluationsprogramstoensurethattheapplicablesystemsareoperatinginaccordancewithcybersecurityprogramrequirements.

j.Providetechnicalconsultationandassistanceinidentifying,evaluating,anddocumentinguseofsystemsandotherrelatedequipmentstoensurecompliancewithcommunicationsrequirements.

k.Investigatemethodsandproceduresrelatedtothecybersecurityprogramaspectsofmicrocomputers,localareanetworks,mainframes,andtheirassociatedconnectivityandcommunications.

l.Identifyandparticipateinevaluationofmicrocomputerandlocalareanetworkcybersecurityprogramimplementations,includingantivirusanddisasterrecovery/contingencyplanningfunctions.

m.Performdevelopmentandmaintenanceactivitiesoncybersecurityprogram-relateddatabases.

n.Recommendandobtainapprovalforproceduralchangestoeffectcybersecurityprogramimplementationswithemphasisonlowestcost/minimumrisk.

o.Leadanddirectcybersecuritypersonnelintheconductofsystemscybersecurityprogramaudits.

p.Participateinthedevelopmentandpromulgationofcybersecurityprograminformationforgeneralawareness.

q.Performotherfunctionsasassignedbythecybersecuritymanager.

Positionrequiresbeingassignedtoperformdutiesinthefollowingarea:

•Supervisor,projectleader—Provideassistance,advice,guidance,andactastechnicalspecialistrelativetoallcybersecuritytechnicalfunctions.


security-relatedprofessionandaminimumof10 yearsofcybersecurityprogram-relatedexperience.

RecruitingCyberSecurityProfessionalsOncethecybersecurityofficerhadgottenthecybersecurityorganizationalstructureandthecybersecurityjobfamilyfunctionaldescriptionsbothapproved,thenexttaskwastobeginrecruitingandhiringqualifiedcybersecurityprofessionals.

Holdit!Notsofast!Thecybersecurityofficermustfirstdeterminethefollowing:

•Howmanycybersecurityprofessionalsareneeded?

•Whatfunctionswilltheyperform?

•Howmanyareneededineachfunction?

•Howmanyareneededinwhatpaycode?

•Howmanyshouldberecruitedfortheoff-sitelocation?

•Doestheoff-sitelocationormainplanthavethehighestpriority?

Thecybersecurityofficermustplanforthegradualhiringofpersonneltomeetthecybersecurityprogramandcybersecurityorganizationalneedsbasedonaprioritizedlistingoffunctions.Obviously,amixtureofpersonnelshouldbeconsidered.Oneortwohigh-levelpersonnelshouldbehiredtobeginestablishingthebasiccybersecurityprogramandcybersecurityprocesses.Personnelwhomeetthequalificationsofasystemsecurityengineershouldbehiredimmediately.Atleasttwoshouldbehired.Onewouldbetheprojectleadtobegintheprocessofestablishingtheformalfunctionsofoneofthecybersecuritysubordinateorganizationsandtheotherwoulddothesamefortheothercybersecurityorganization.Atthesametime,theaccesscontrolfunctionpositionsshouldbefilled,astheyrepresentthekeycybersecurityprogrammechanismofaccesscontrol.

Functionssuchasriskmanagement,noncomplianceinquiry,andtheawarenessprogramcouldcomelater.Therationaleusedbythecybersecurityofficerforthisdecisionwasthatcybersecurityprogrampolicieshadnotbeenestablished,sotherewasnothingonwhichtobasenoncomplianceinquiriesoranawarenessprogram.Thenextpositiontobefilled,afterthetwosystemssecurityengineersandaccesscontrolpersonnel,wasthepositionoftheemergencyplanning,disasterrecoveryplanning,andcontingencyplanningspecialist.

Thecybersecurityofficerreasonedthatwhileaccesscontrolswerebeingtightenedupandanalyzed,theengineerswerebeginningtobuildtheprocessforeachfunction,withmuchoftheaccesscontrolprocessdevelopmentbeingdonewiththeassistanceoftheaccesscontroladministrators.Intheeventofadisaster,thesystemsmustbeupandoperationalinasshortatimeperiodaspossible.Thisiscrucialtothewell-beingofthecorporation.

Unfortunately,thetypeofindividualthecybersecurityofficerwouldideallywanttoemployisnotusuallyreadilyavailable.Inaddition,thecorporation’spolicyisoneof“promotefromwithin”wheneverpossible.So,althoughamorequalifiedindividualmaybeavailablefromoutsidethecorporation,thecybersecurityofficermayhavetotransferalessqualifiedindividualcurrentlyemployedwithinthecorporation,becausethatpersondoesmeettheminimumrequirementsfortheposition—atleastasinterpretedbytheHRpersonnel.

Thecybersecurityofficersoonbegantorealizethatcompromiseandcoordinationwereamustiftherewastobeevenaslightchanceofsucceedinginbuildingthecorporationcybersecurityprogram.Basedonaself-evaluation,thecybersecurityofficerdecidedtofindasmanypeopleaspossiblewithinthecorporationwhowerewillingtotransferand

whomettheminimumrequirementsforacybersecurityprogramposition.ThecybersecurityofficersoonlearnedwhythejobdescriptionsapprovedthroughtheHRDepartmentincludewordssuchas“normally”and“equivalent.”Thecybersecurityofficernaivelythoughtthatthosewordswouldassistinbringingincybersecurityprofessionals.Itneverenteredthecybersecurityofficer’smindthatotherscouldalsousethepositiondescriptionstohelprecruitpersonnel—somewhojustbarelywouldmeettheminimumrequirements!

Forthecybersecurityofficerwhoistryingtoquicklybuildacybersecurityprogramandcybersecurityorganization,thecompromisesonstaffselectionmayhelportheymayhurt.Ineithercase,itisimportanttobeginthehiringprocessquickly.

IdentifyingIn-HouseCyberSecurityCandidatesThoseindividualswithinthecorporationorganizationswhohavebeenprovidingaccesscontrolineitherafull-orapart-timepositionfortheirdepartment’slocalareanetworksmaybegoodaccesscontrolcandidates.

TheITDepartmentmayalsobeaplaceto“recruit”(makepersonnelawareofthepositionsavailable)cybersecuritycandidates.Theauditandcybersecurityorganizationsmayalsoprovideplacestofindcybersecuritycandidates.

Awordofcautiontothecybersecurityofficer:Mostmanagersdonottakekindlytorecruitingoftheiremployees,asitmeanstheywillbeshort-handeduntiltheycanfindreplacements.Inaddition,thecybersecurityofficershouldbewareofindividualswhomthemanagersrecommend.Thesemayjustbethepeoplethatthemanagerhasbeentryingtofindsomewaytogetridofforsometime!

Thecybersecurityofficerhasenoughproblemsbuildingacybersecurityprogram,establishingandmanagingacybersecurityorganization,handlingtheday-to-daycybersecurityprogramproblems,attendingendlessmeetings,tryingtohireaprofessionalcybersecurityprogramstaff,andhavingtotransferpersonnelwhodon’tmeetthecybersecurityofficer’sexpectationstothenbesaddledwithanemployeerecommendedbyanothermanagerwhoturnsouttobea“difficult”employee.

Adifficultemployeewilloccupymoreofthecybersecurityofficer’stimethanthreeotherstaffmemberscombined.ItseemedthatthecorporationITDepartmenthadapenchantforthis.So,bewareofgeeksbearinggifts!

IdentifyingOutsideCyberSecurityCandidatesTherearemanysourcesthatcanbeusedtorecruittalentedcybersecurityprofessionals,manylimitedonlybyimaginationandbudget(especiallybudget!).Regardlessofhoworwhereyourecruit,therecruitmentmustbecoordinatedwiththeHRstaff.

Torecruitcybersecuritypersonnel,theControllermustvalidateandapprove(onanotherform,ofcourse)thatthereisbudgetsetasideforthecybersecurityorganizationtohirestaff.

Thenoncethathurdleisjumped,theHRpersonnelmustvalidatethatyouhavecompletedthenecessaryformdescribingthepositionyouwanttohireagainst,theminimumqualifications,andthepayrangeforthatposition.Luckily,allthecybersecurityofficerhastodointhiscaseisbasicallytranscribethegeneralpositiondescriptionontothenewHRformusedforrecruitingcandidatesandadvertisingtheposition.

Justasthecorporationcybersecurityofficerthoughtthatthedoorwasnowflungwideopentorecruitcybersecurityprofessionals,oneoftheHRpersonnelwalkeduptothecybersecurityofficerandmentionedhowboringtheHRjobwas,andthatitwouldbenicetotransfertoanother,moreexcitingorganization—andthecybersecurityjobseemedtobeaveryexcitingone.Experience?Well,ofcoursethepersonisproficientisusingacomputer!Anotheroften-foundproblemisthemanagerorstaffmemberwhohasacousinjustgraduatingfromcollegewhowouldbeperfectforthecybersecurityposition.

Thecybersecurityofficersoonbegantorealizethatbuildingandmanaginganoutstanding,state-of-the-artcybersecurityprogramandacybersecurityorganizationstaffedbytalentedcybersecurityprofessionalsmightbecomemoreofadreamthanareality.

Oncethecybersecurityofficerwasabletofendofftheseandsimilarcharges,therecruitmenteffortwithinandoutsidethecorporationcouldstartinearnest!Amongthewaystorecruitcybersecurityprofessionalsarethrough:

•Localadvertisementintradejournals,newspapers,etc.,

•Hiringaconsultingfirmtofindtherightpeople,

•Passingthewordamongcolleagues,

•Askingcybersecurityassociationstopasstheword,and

•UsingtheInternettoadvertisetheposition.

Withafewcybersecuritypersonnelonboard,thecybersecurityofficercouldbegintoworkonthecybersecurityprogramandalsobeginworkondevelopingthebaselineprocessesandfunctionswiththecybersecurityorganization.


•Doyouhaveaformal,thatis,documentedcybersecurityprogram?

•Ifnot,whynot?

•Whatwouldyouconsiderasthebenefitsofsuchaplan?

•Whatwouldyouconsiderasthenegativesofsuchaplan?

•Haveyoueverbriefedexecutivemanagementoncybersecurity-relatedmatters?

•Doyouidentifythecostsofstaffingandprovidingcybersecurityfunctionsusingacost–benefitriskmanagementprocess?

•Ifyouweretodevelopacybersecurityprogramforthecorporation,whatwouldyoudodifferentlyfromwhatwasstatedinthischapter?

•Ifyoucouldbuildandmanageacybersecurityorganizationforthecorporation,howwouldthestructurecomparetotheonecitedinthischapter,andwhy?

•Howwouldyoumanagetheoff-sitelocations—forexample,wouldyoumanagethemfromthecorporateoffice,orasksomeoff-sitemanagertomatrixmanagethestaffforyou?

•Whatotherjobdescriptionswouldyouaddtotheonesprovided?

•Whatotherdutiesandresponsibilitieswouldyouaddtothejobdescriptionsprovidedinthischapter?

•DoyouknowhowtosuccessfullyworkwithHRstafftomeettheirrequirementsandalsoeffectivelyandefficientlygetyourobjectivesaccomplished?

SummaryOnceplanswereinplace,thecybersecurityofficercouldbegintodevelopacybersecurityorganizationtosupportthecybersecurityprogram.Todoso,thecybersecurityofficermustunderstandthefollowing:

•Establishinganeffectiveandefficientcybersecurityorganizationandprogramrequiresadetailedanalysisandintegrationofalltheinformationthathasbeenlearnedthroughtheentireprocessofbecomingacybersecurityofficeratthecorporation.

•Determiningtheneedforcybersecuritysubordinateorganizationsrequiresdetailedanalysisofthecorporation’senvironmentandanunderstandingofhowtosuccessfullyapplyresourceallocationtechniquestothecybersecurityfunctions.

•Oncetheneedforcybersecuritysubordinateorganizationsisdetermined,thecybersecurityofficermustdeterminewhatfunctionsgoinwhatorganizations.

•EstablishingaformalcybersecurityorganizationandcybersecurityjobfamilyrequirescooperationwithHRorganizationsandothers;patienceandunderstandingaremandatory.

•Acybersecurityofficerwhoestablishesaneworganizationforacorporationwillbecompelledtolivewithinalessthanidealcorporateworldinwhichformsandbureaucraciesruletheday.Tosurvive,thecybersecurityofficermustunderstandhowtousethoseprocessesefficientlyandeffectivelytosucceed.

•Inmostcorporations,currentlyemployedpersonnelwhodesireacybersecurityposition,andwhomeettheminimumcybersecurityrequirements,mustbehiredbeforehiringanindividualfromtheoutside.

•Recruitingqualifiedcybersecurityprofessionalscanbeaccomplishedonlythroughawidespreadrecruitmenteffort,usingmanymarketingmedia;andsuccessfuladvertisementissometimesamatterofhowmuchrecruitmentbudgetisavailable.

1PetroniusArbiter(27–66),Romansatirist.Satyricon(firstcentury)asquotedinMicrosoft’sEncartaWorld.2SomeoftheinformationfromthissectionwasmodifiedfromDr.GeraldL.Kovacich’sbookcoauthoredwithEdwardP.Halibozek,TheManager’sHandbookforCorporateSecurity:EstablishingandManagingaSuccessfulInformationAssetsProtectionProgram,publishedbyButterworth–Heinemann,2003;nowpendingpublicationofasecondedition.3Youmaywonderwhywegointosuchdetailastowhoishiredtodowhatorhowitisdoneatthecorporation.Thereasonistoprovide,asnearlyaspossible,real-worldexperiencestothereader.Suchinformationhelpsthereaderbyprovidinginformationthatcanbeappliedinrealcorporations;italsodevelopsanoverallknowledgeofestablishingandmanagingacorporateinformationassetsprotectionprogram.Inthiscase,acybersecurityofficermaylookforsomeonetowritepoliciesbyfirstlookingforsomeonewhoknowssecurity,wheninfactitismoreimportanttohiresomeonewhocanwritepolicy.Whattowritewillcomefrommanysources.Thepolicyspecialistwillnotoperateinavacuum.Howtowriteinclearandconcisetermswithoutambiguitiesisthekey.4Itiseasytotakeforgrantedtheworkofthestaff.Asacybersecurityofficeryoushouldbesensitivetothatandneverforgettosaythanksonceinawhile.Itdoesn’ttakealotofeffort,anditpaysgreatdividends.Justlikeyou,employeesliketoknowtheyareappreciated.5Ofcourse,thislistisjustasample,asthetopicswouldbebasedonthecorporation,thecorporateculture,andthe

methodsusedforpublishingandimplementingdirectiveswithineachcorporation.6ThephysicalsecurityaspectsoftherequirementswouldhavebeencoordinatedwiththeapplicableSecurityDepartmentmanagers,sincetheyhavetheresponsibilityforthephysicalsecurityofthecorporationassets.Thecybersecurityofficer’srationalewasthatphysicalsecurityshouldbeaddressedinthisdocument,becauseitisabasicprotectionprocess.TheDirectorofSecurityagreedandapprovedthatprocess.7CyrilNorthcoteParkinson(1909–1993),Britishpoliticalscientist,historian,andwriter.Parkinson’sLaw(1958),asquotedinMicrosoft’sEncartaWorld.8Sinceeachcorporationhasasomewhatdifferentformsbureaucracy,noattemptwillbemadeheretocompleteanyforms.Thosereaderswhohavetomakeanychangesinanorganizationcanappreciatethemazethecybersecurityofficermustnowgothrough.9Thecybersecurityofficerdecidedthatthepriorityofthecybersecurityprogramwasthesystemsandinformationattheirfacilities.Thestickyproblemofdealingwithcybersecurityprogramissues,suchassubcontractorsandcustomers,wouldhavetowait.Thecybersecurityofficerreasonedthatifithadasuccessful,professionalprogram,itwouldbeeasiertogainthecooperationofthoseoutsidethecorporation.10Becauseofitsoff-sitelocation,thispositionrequirescybersecurityprogramfunctionstobeperformedthataresimilartoorthesameasmostfunctionsnotedfortheentirecybersecurityprogramorganization.

CHAPTER9

DeterminingandEstablishingCyberSecurityFunctions

AbstractWebeganthissectionofthebookwithanoverviewofthedutiesandresponsibilitiesofthecybersecurityofficerandthendiscussedestablishingacybersecurityprogramandtherelatedcybersecurityplansandorganization.Wewillcontinuethetrendtonarrowthefocus:Thischapterdescribesaprocesstodeterminewhatcybersecurityfunctionsareneededtosuccessfullyestablishacybersecurityprogramandrelatedorganization,aswellashowtoincorporatethosefunctionsintothecybersecurityorganization’sday-to-daylevel-of-effortwork.

KeywordsAccesscontrolsystems;Businessinformation;Corporateinformation;Cybersecurityofficer;Firmware;Hardware;Nationalsecurityinformation;Personal/privateinformation;Software;Valuedinformation

Workisnecessaryforman.Maninventedthealarmclock.

PabloPicasso1

CONTENTS

Introduction 176Processes 177ValuingInformation 179

HowtoDeterminetheValueofCorporateInformation 179WhyIsDeterminingInformationValueImportant? 180TheValueofInformation 180ThreeBasicCategoriesofInformation 181TypesofValuedInformation 182DeterminingInformationValue 182

BusinessInformationTypesandExamples 183QuestionstoAskWhenDeterminingValue 184

InternationalWidgetCorporation(IWC)CyberSecurityProgramFunctionsProcessDevelopment 184

RequirementsIdentificationFunction 184CyberSecurityOfficer’sCyberSecurityProgramFunctions 185

AwarenessProgram 185AwarenessBriefings 186

ContinuingAwarenessMaterial 187AccessControlandAccessControlSystems 187

AccessControlSystems 189EvaluationofAllHardware,Firmware,andSoftware 189RiskManagementProgram 191

WhatIsRiskManagement? 191RiskManagementProcess 191RecommendationstoManagement 192RiskManagementReports 192

SecurityTestsandEvaluationsProgram 193NoncomplianceInquiries 194ContingencyandEmergencyPlanningandDisasterRecoveryProgram 194

WhatIsIt? 194WhyDoIt? 195HowDoYouDoIt? 195TheCEP-DRPlanningSystem 195TestthePlan 198


CHAPTEROBJECTIVE

Webeganthissectionofthebookwithanoverviewofthedutiesandresponsibilitiesofthecybersecurityofficerandthendiscussedestablishingacybersecurityprogramandtherelatedcybersecurityplansandorganization.Wewillcontinuethetrendtonarrowthefocus:Thischapterdescribesaprocesstodeterminewhatcybersecurityfunctionsareneededtosuccessfullyestablishacybersecurityprogramandrelatedorganization,aswellashowtoincorporatethosefunctionsintothecybersecurityorganization’sday-to-daylevel-of-effortwork.

IntroductionTherearemanydifferentwaystoconfigureacybersecurityorganization,andtherearemanywaystoconfigurethecybersecurityfunctionsthatarepartofthatorganization.Manycybersecurityofficersbeginestablishingacybersecurityorganization,or“inherit”one,withoutlookingattheneedforthevariousfunctionsandfromwherethatneedwasderived.Asstatedearlier,allfunctionsshouldbederivedfromoneormoreofthefollowingrequirements(drivers):

•Laws,

•Regulations,

•Bestbusinesspractices,

•Bestcybersecuritypractices,

•Ethics,

•Privacyneeds,and

•Corporatepolicies.

Whendevelopingorreorganizingacybersecurityprogram,onecanconsideroneofthreebasicstructuresastheyrelatetothecybersecurityprogramorganizationthatthecybersecurityofficerwillmanageandlead.Thethreebasicoptionsare:

•Centralizedcybersecurityprogramorganizationunderthecybersecurityofficer,

•Decentralizedorganizationthroughoutthecorporation,or

•Acombinationofthetwo.

Oneofthemajorfactorsindecidingwhatphilosophyandapproachtotakeisthecultureofthecorporation,aswellasthecharterofthecybersecurityofficerspellingoutthecybersecurityofficer’sdutiesandresponsibilities.Thecybersecurityofficermustrememberthatthemorecentralizedtheorganization,themoreproblemsandworkforthecybersecurityofficerandstaff.Theoldadage“Ifyouwantitdoneright,doityourself”mayworkforsome,butasacybersecurityofficer,thatapproachwillbringyoumorestressthanusual.Inaddition,youwilldefinitelyageexponentially.Developingandmaintainingaprotectedinformationenvironmentforthecorporationrequirethesupportandactiveinvolvementofallemployees.Sometimesacybersecurityofficerforgetsthatandtriestotakeontheentireprotectionmatterinsteadofleadingacorporateteameffort.Suchanapproachleadstomoreproblemsthansolutionsfordevelopingandmaintainingaprotectedinformationenvironment.

So,whatshouldyoudo?Thebestapproachseemstobeacombination.Forexample,thiscorporatecybersecurityofficerdecidedthattheoverallinformationandinformationsystemsprotectionlogicallyshouldbecentralizedunderthecybersecurityofficerandcybersecurityprogramstaff.Afterall,theyhavetheexperienceandknow-howtolead

thiseffort.However,atthesametime,whygetburdenedwithtryingtowriteandmaintaincurrentcybersecurityprogramproceduresthatmustbeimplementedbythedepartmentstocomplywiththosecybersecurityprogrampolicies?So,procedureswrittenforcompliance,aspreviouslystated,willbetheresponsibilityofthecorporatedepartments.Theiradequacywillbedeterminedthroughaudits,cybersecurityprogramtestsandevaluations,noncomplianceinquiries,andthelike.

Inaddition,thecorporatedepartmentswillberesponsiblefordeveloping,implementing,andmaintainingtheprocessesthatareanintegralpartoftheproceduresneededtocomplywiththecybersecurityprogram.

ProcessesThecybersecurityofficermustalsodevelopprocedures,functions,andprocessestocomplywiththecybersecurityprogrampolicies,asanorganizationalmanager.Inaddition,thecybersecurityofficermustleadtheefforttodevelopfunctionsthatthecybersecurityprogramorganizationwillperformtoleadandsupportthecorporatecybersecurityprogram.

Thiscybersecurityofficerdecidedthatthebestapproachisthroughthedrivers’(cybersecurityprogram–cybersecurityprogramrequirements)baseline.So,basedonthedrivers,oneisthenabletodevelopa“needs”statementorstatements.Thesecanbesetforthinvariousways,suchasthevision,mission,andqualitystatements,andincorporatedintoplans,forexample,strategic,tactical,andannual,aspreviouslydiscussed.Regardlessofhowandinwhatformyoustatetheseneedsforthecybersecurityprogram,theymustsupportcorporateplans,policies,objectives,andgoalsandmustalsoeventuallybetiedtoactionitems.

Theseactionitemsarethenanalyzedandareimplemented—forexample,establishedascybersecurityprogramfunctionsthatarethenincorporatedintothecybersecurityofficer’scybersecurityprogramorganizationasitscharterofresponsibilitiesandaccountabilities,asstatedinthepreviouschapter.Onesteptolookatistheprocess.Aprocessisbasically“aseriesofactionsdirectedtowardaparticularaim.”2Afterthedriversandneedsareidentified,thecybersecurityofficermustestablishaprocessformeetingtheidentifiedrequirements.Theprocessisbasicallythedetailsofhowafunctionistobeperformed.

Theactionitemsshouldbepartofaformalprojectmanagementprograminwhich,asstatedearlier,you,asthecybersecurityofficer,determinethatthereisaneedforsomesortofcybersecurityprogramactionthatwilltaketimeandmustbeincorporatedintothecybersecurityprogramorganization.Remember,theprojectplanshave:

•Objectivestoaccomplish,

•Beginningandendingdates,

•Tasksidentifiedandassigned,

•Personnelassignedtotasks,

•Budgetallocated,and

•Timeallocatedforcompletingthosetasks.

Therearemanycybersecurityprogram-relatedfunctions;however,atthiscorporation,thecybersecurityofficerdeterminedthatthefunctionsidentifiedinthecybersecurityofficer’scharterwerethemainfunctionsthatweredrivenbyorrelatedtothebaselinecybersecurityprogram.Therefore,theyarethebasicfunctionsthatshouldbeestablished,andaflowprocessdescriptionshouldbedevelopedrelativetohowthefunctionsshouldbeperformed.Forexample3:

•Cybersecurityprogramrequirementsidentification;

•Cybersecurityprogramplans,policies,processes,andprocedures;

•Awarenesseducationandtraining;

•Accesscontrol;

•Evaluationofhardware,firmware,andsoftwareforimpactonthesecurityoftheinformationsystems;

•Securitytestsandevaluations;

•Noncomplianceinquiries;

•Riskmanagement;and

•Disasterrecovery/contingencyplanning.

ValuingInformationBeforeaddressingthecybersecurityprogramfunctions,thecybersecurityofficerdeterminedthattoprovideaneffectivecybersecurityprogramwiththeleastimpacttocostandschedule,itisimportanttoestablishaprocesstodeterminethevalueofinformation.

Thecybersecurityofficer’sreasoningwasthatnoinformationshouldbeprotectedanymorethanisnecessary.Therationaleusedbythecybersecurityofficerwasasfollows:

Thevalueofinformationistimedependent.Inotherwords,informationhasvalueforonlyacertainperiodoftime.Informationrelativetoanew,uniquecorporatewidgetmustbehighlyprotected,andthatincludestheelectronicdrawings,diagrams,processes,etc.However,oncethenewwidgetisannouncedtothepublic,completewithphotographsofthewidget,sellingprice,etc.,muchoftheprotectedinformationnolongerneedsprotection.

Thatinformation,whichoncerequiredprotectiontomaintainthesecrecyofthisnewwidget,cannowbeeliminated.Thiswillsavemoneyforthecorporationbecausecybersecurityprogramcostsareaparasiteontheprofitsofthecorporation.Thosecostsmustbereducedoreliminatedassoonaspossible.Itisthetaskofthecybersecurityofficerandstafftocontinuouslylookformethodstoaccomplishthisobjective.

HowtoDeterminetheValueofCorporateInformationDeterminingthevalueofthecorporation’sinformationisaveryimportanttask,butonethatisseldomdonewithanysystematic,logicalapproachbyacompany.However,thecybersecurityofficerbelievedthattoprovidetheprogramthecorporationrequired,thistaskshouldbeundertaken.

Theconsequencesofnotproperlyclassifyingtheinformationcouldleadtooverprotection,whichiscostly,orunderprotection,whichcouldleadtothelossofthatinformationandthusofprofits.

Todeterminethevalueofinformation,thecybersecurityofficermustfirstunderstandwhatismeantbyinformationandwhatismeantbyvalue.Thecybersecurityofficermustalsoknowhowtoproperlycategorizeandclassifytheinformation,andwhatguidelinesaresetforthbygovernmentagenciesorbusinessesfordeterminingthevalueandprotectionrequirementsofthatinformation.Inaddition,howtheinformationownersperceivetheinformationanditsvalueiscrucialtoclassifying4it.

WhyIsDeterminingInformationValueImportant?Iftheinformationhasvalue,itmustbeprotected;protectionisexpensive.Oneshouldprotectonlythatinformationwhichrequiresprotection,onlyinthemannernecessarybasedonthevalueofthatinformation,andonlyfortheperiodrequired.

TheValueofInformationOnemightask,“Doesalltheinformationofacompanyorgovernmentagencyhavevalue?”Ifyou,asthecorporatecybersecurityofficer,wereaskedthatquestion,whatwouldbeyourresponse?Thefollow-onquestionwouldbe“Whatinformationdoesnothavevalue?”Isitthatinformationwhichthereceiveroftheinformationdetermineshasnovalue?Whentheoriginatoroftheinformationsaysso?Whodetermineswhetherinformationhasvalue?

Thesearequestionsthatthecybersecurityofficermustask—andanswer—beforetryingtoestablishaprocesstosetavaluetoanyinformation.Asyoureadthroughthismaterial,thinkabouttheinformationwhereyouwork,howitisprotected,whyitisprotected,etc.

Thecybersecurityofficerknowsthatacentralizedapproachwouldnotworkforvaluinginformation,aseverypieceofinformationmustbeanalyzedaccordingtoaspecificcriterion,identifiedaccordingtoacertainprotectivecategory,suchascorporate-sensitive,andthenmarkedandprotectedaccordingly.Thecybersecurityofficerknewthatthebestapproachwastosetthecriteriaandguidelinesfortheidentification,marking,transmission,storage,anddestructionofcorporateinformationandhavetheinformationownersidentifytheinformationthattheyproduceand,followingthepolicyguidelinesinthecybersecurityprogram,protectthatinformation.Thosecriteriaandrequirementswouldbedevelopedaspartofthecybersecurityofficer’sprojectteam,whichwouldalsoincludevariousdepartmentrepresentatives,suchasmanufacturing,procurement,legal,security,finance,andplanning.

Theholderoftheinformationmaydeterminethevalueoftheinformation.Eachpersonplacesavalueontheinformationinhisorherpossession.Theinformationthatisnecessarytosuccessfullycompleteaperson’sworkisveryvaluabletothatperson;however,itmaynotbeveryvaluabletoanyoneelse.Forexample,toanaccountant,theaccountspayablerecordsareveryimportant,andwithoutthem,theaccountantscouldnotdotheirjob.However,forthepersonmanufacturingthecompany’sproduct,thatinformationhaslittleornovalue.

Ordinarily,theoriginatordeterminesthevalueoftheinformation,andthatpersoncategorizesorclassifiesthatinformation,usuallyinaccordancewiththeestablishedguidelines.

ThreeBasicCategoriesofInformationAlthoughtherearenostandardcategoriesofinformation,mostpeopleagreethatinformationcanlogicallybecategorizedintothreecategories:

•Personal,privateinformation;

•Nationalsecurity(bothclassifiedandunclassified)information(addressedinChapter12);and

•Businessinformation.

Personal,privateinformationisanindividualmatter,butalsoamatterforthegovernmentandbusinesses.Peoplemaywanttokeepprivatesuchinformationaboutthemselvesastheirage,weight,address,cellularphonenumber,salary,andlikesanddislikes.

Atthesametime,manycountrieshavelawsthatprotectinformationundersometypeof“privacyact.”Inbusinessesandgovernmentagencies,itisamatterofpolicytosafeguardcertaininformationaboutemployees,suchastheirages,addresses,andsalaries.Therefore,thisrequirement(cybersecurityprogramdriver)mustbeconsideredindevelopingtheinformationvalueandprotectionpolicyandguidelines.

Althoughtheinformationispersonaltotheindividual,othersmayrequirethatinformation.Atthesametime,theyhaveanobligationtoprotectthatinformationbecauseitisconsideredtohavevalue.

Businessinformationalsorequiresprotectionbasedonitsvalue.Atthiscorporation,thisinformationwassometimescategorizedasfollows:

•Corporate–confidential,

•Corporate–internaluseonly,

•Corporate–private,

•Corporate–sensitive,

•Corporate–proprietary,and

•Corporatetradesecret.

Thenumberofcategoriesusedwillvarywitheachcompany;however,thefewercategories,thefewerproblemsinclassifyinginformationandalso,possibly,thefewerproblemsinthegranularityofprotectionrequired.Again,thisisacost-itemconsideration.Thecybersecurityofficerfoundthatprivate,internaluseonly,andproprietarywouldmeettheneedsofthecybersecurityprogram.

Thiscompanyinformationmustbeprotectedbecauseithasvaluetothecompany.Thedegreeofprotectionrequiredisalsodependentonthevalueoftheinformationduringaspecificperiodoftime.

TypesofValuedInformationGenerally,thetypesofinformationthathavevaluetothebusinessandthatrequireprotectionincludethefollowing:Allformsandtypesoffinancial,scientific,technical,economic,orengineeringinformation,including,butnotlimitedto,data,plans,tools,mechanisms,compounds,formulas,designs,prototypes,processes,procedures,programs,codes,orcommercialstrategies,whethertangibleorintangible,andwhetherstored,compiled,ormemorializedphysically,electronically,graphically,photographically,orin

writing.

Examplesofinformationrequiringprotectionmayincluderesearch,proposals,plans,manufacturingprocesses,pricing,andproduct.

DeterminingInformationValueBasedonanunderstandingofinformation,itsvalue,andsomepracticalandphilosophicalthoughtsonthetopicasstatedabove,thecybersecurityofficermusthavesomesenseofwhatmustbeconsideredwhendeterminingthevalueofinformation.

Whendeterminingthevalueofinformation,thecybersecurityofficermustdeterminewhatitcosttoproducethatinformation.Alsotobeconsideredisthecostintermsofdamagescausedtothecompanyifitweretobereleasedoutsideprotectedchannels.Additionalconsiderationmustbegiventothecostofmaintainingandprotectingthatinformation.Howtheseprocessesarecombineddeterminesthevalueoftheinformation.Again,don’tforgettofactorinthetimeelement.

Therearetwobasicassumptionstoconsiderindeterminingthevalueofinformation:(1)Allinformationcostssometypeofresource(s)toproduce,forexample,money,hours,oruseofequipment;and(2)notallinformationcancausedamageifreleasedoutsideprotectedchannels.

Iftheinformationcoststoproduce(andallinformationdoes)andnodamageisdoneifitisreleased,youmustconsider,“Doesitstillhavevalue?”Ifitcoststoproducetheinformation,butitcannotcausedamageifitisreleasedoutsideprotectedchannels,thenwhyprotectit?

Thetimefactorisakeyelementindeterminingthevalueofinformationandcannotbeoveremphasized.Let’slookatanexampleinwhichinformationisnottimedependent—orisit?ThereisacompanypicnictotakeplaceonMay22,2016.Whatisthevalueoftheinformationbefore,on,orafterthatdate?Doestheinformationhavevalue?Towhom?When?

Ifyou’relookingforwardtothecompany’sannualpicnic,asisyourfamily,theinformationastowhenandwhereitistotakeplacehassomevaluetoyou.Supposeyoufoundoutaboutitthedayafterithappened.Yourfamilywouldbedisappointed,theywouldbeangryatyoufornotknowing,youwouldfeelbad,etc.Tothecompany,theinformationhad“novalue.”However,thefactthattheemployeedidnotreceivethatinformationcausedhimorhertobedisgruntledandblamethecompanyforhisorherlatestfamilyfight.Basedonthat,theemployeedecidedtoslowdownhisorherproductivityforaweek.

Thisisasimpleillustration,butitindicatesthevalueofinformationdependingonwhohasandwhodoesnothavethatinformation,aswellasthetimeelement.Italsoshowsthatwhatisthoughttobeinformationnotworthasecondthoughtmayhaverepercussionscostingmorethanthevalueoftheinformation.

Thefollowingisanotherexample:Anew,secret,revolutionarywidgetbuilttocompete

inaverycompetitivemarketplaceistoenterthemarketonJanuary1,2017.WhatisthevalueofthatinformationonJanuary2,2016?

Again,tostressthepoint,onemustconsiderthecosttoproducetheinformationandthedamagedoneifthatinformationwerereleased.

Ifitcosttoproduceandcancausedamageifreleased,itmustbeprotected.Ifitcosttoproduce,butcannotcausedamageifreleased,thenwhyprotectit?Atthesametime,besensitivetodissemination.Information,tohavevalue,tobeuseful,mustgettotherightpeopleattherighttime.

BusinessInformationTypesandExamplesTypesofinternaluseonlyinformation:

•Notgenerallyknownoutsidethecompany,

•Notgenerallyknownthroughproductinspection,

•Possiblyusefultoacompetitor,and

•Providessomebusinessadvantageovercompetitors.

Examplesarethecompanytelephonebook,companypoliciesandprocedures,andcompanyorganizationalcharts.

Typesofprivateinformation:

•Revealstechnicalorfinancialaspectsofthecompany,

•Indicatesthecompany’sfuturedirection,

•Describesportionsofthecompany’sbusiness,

•Providesacompetitiveedge,and

•Identifiespersonalinformationofemployees.

Examplesarepersonnelmedicalrecords,salaryinformation,costdata,short-termmarketingplans,anddatesforunannouncedevents.

Typesofsensitiveinformation:

•Providessignificantcompetitiveadvantage,

•Couldcauseseriousdamagetothecompany,and

•Revealslong-termcompanydirection.

Examplesarecriticalcompanytechnologies,criticalengineeringprocesses,andcriticalcostdata.

QuestionstoAskWhenDeterminingValueWhendeterminingthevalueofyourinformation,youshould,asaminimum,askthefollowingquestions:

•Howmuchdoesitcosttoproduce?

•Howmuchdoesitcosttoreplace?

•WhatwouldhappenifInolongerhadthatinformation?

•Whatwouldhappenifmyclosestcompetitorhadthatinformation?

•Isprotectionoftheinformationrequiredbylaw,andifso,whatwouldhappenifIdidn’tprotectit?

InternationalWidgetCorporation(IWC)CyberSecurityProgramFunctionsProcessDevelopmentThecybersecurityofficerhaslearnedthatthedevelopmentofanewcybersecurityprogramrequirestheestablishmentofcybersecurityprogramfunctionsforthatprogram.Establishingaprocessforeachfunction,asthefirsttask,willassistinensuringthatthefunctionswillbegininalogical,systematicwaythatwillleadtoacost-effectivecybersecurityprogram.

RequirementsIdentificationFunctionAspreviouslystated,thecybersecurityofficerhasdeterminedthatthedriverforanycybersecurityprogram-relatedfunctionistherequirementsforthatfunction.Therequirementsarethereasonforthecybersecurityprogram.Thisneedisfurtheridentifiedanddefinedandissubsequentlymetbytheestablishmentofthecybersecurityprogramfunctions.

So,tobeginthefunctions’processidentification,itisimportanttounderstandwheretherequirement—wheretheneed—comesfromasseenfromaslightlydifferentperspective.5Forthiscorporation,itisasfollows:

•Aneedforacybersecurityprogramasstatedbyexecutivemanagementtoprotectthecorporation’scompetitiveedge,whichisbasedoninformationsystemsandtheinformationthattheystore,process,display,andtransmit;

•Contractualrequirementsasspecifiedincontractswithcustomers,suchasprotectingcustomers’information;

•Contractualrequirementsasspecifiedincontractswithsubcontractors,suchasprotectingsubcontractors’information;

•Contractualrequirementsasspecifiedincontractswithvendors,suchasprotectingvendors’information;

•Corporate’sdesiretoprotectitsinformationandsystemsfromunauthorizedaccessbycustomers,subcontractors,andvendors;and

•Federal,state,andlocallawsthatareapplicabletothecorporation,suchasrequirementstoprotecttheprivacyrightsofindividualsandcorporationsastheyrelatetotheinformationstored,processed,andtransmittedbyIWCsystems.

CyberSecurityOfficer’sCyberSecurityProgramFunctionsThecybersecurityofficerhasgonethroughtheprocesspreviouslynotedtoidentifythebaselinefunctionsthatareneededwithinthecybersecurityprogramorganizationtosupportthecybersecurityprogram,whichasmentionedearliersupportsbusinessneedsasstatedinthestrategic,tactical,andannualbusinessplans.Thefollowingparagraphsidentify,describe,anddiscusssomeofthefunctionsidentifiedbythecybersecurityofficer.

AwarenessProgramThecybersecurityofficerdecidedtoconcentrate,asahighpriority,onthecybersecurityprogramEducationAwarenessandTrainingProgram(EATP)asamajorcybersecurityprogramorganizationalfunctionandalsoasanintegralpartofthecybersecurityprogram.TheEATPwasneededtomaketheusersawareoftheneed,aswellastheirresponsibility,toprotectinformationandsystems,aswellastogaintheusers’supportintheprotectionofinformationandsystems.

Thecybersecurityofficerreasonedthatoncethepoliciesofthecybersecurityprogramweredevelopedandpublished,theemployeesmustbemadeawareofthemandalsowhytheywerenecessary.Foronlywiththefullsupportandcooperationoftheemployees,couldasuccessfulcybersecurityprogrambeestablishedandmaintained.

Theawarenessprogramprocesswasbrokenintotwomajorparts:

•Awarenessbriefingsand

•Continuingawarenessmaterial.

AwarenessBriefingsTheawarenessbriefingsincludedinformationrelativetotheneedforinformationandsystemsprotection,theimpactofprotectingandnotprotectingthesystemsandinformation,andanexplanationofthecybersecurityprogram.

Thecybersecurityofficerreasonedthattheawarenessmaterialandbriefings,whengivenasageneralbriefing,couldbeusedonlyfornewemployees.Thegeneralbriefingsfailedtoprovidethespecificinformationrequiredbyvariousgroupsofsystemsusers.Thus,theawarenessbriefingsweretailoredtospecificaudiencesasfollows:

•Allnewhires,whetherornottheyusedasystem,therationalebeingthattheyallhandleinformationandcomeincontactwithcomputerandtelecommunicationsystemsinoneformoranother;

•Managers;

•Systemusers;

•InformationTechnologyDepartmentpersonnel;

•Engineers;

•Manufacturers;

•AccountingandFinancepersonnel;

•Procurementpersonnel;

•HumanResourcespersonnel;

•SecurityandAuditpersonnel;and

•Thesystemsecuritycustodians(thosewhowouldbegivenday-to-dayresponsibilitytoensurethatthesystemsandinformationwereprotectedinaccordancewiththecybersecurityprogrampolicyandprocedures).

Aprocesswasestablishedtoidentifythesepersonnel,inputtheirprofileinformationintoadatabase,and,usingastandardformat,tracktheirawarenessbriefingattendanceatboththeirinitialbriefingsandtheirannualrebriefings.Thatinformationwouldalsobeusedtoprovidethem,throughtheIWCmailsystem,withawarenessmaterial.

ContinuingAwarenessMaterialThecybersecurityofficer,inconcertwiththeHumanResourcesandTrainingstaffs,decidedthatensuringthatemployeeswereawareoftheircybersecurityprogramresponsibilitieswouldrequireconstantreminders.Afterall,informationandsystemsprotectionisnotthemajorfunctionofmostemployees.However,awaymustbefoundtoremindtheemployeesthatitisapartoftheirfunction.

Itwasdecidedthatawarenessmaterialcouldbecost-effectivelyprovidedtotheemployees.Thiswasaccomplishedbyprovidingcybersecurityprogrammaterialtotheemployeesthrough:

•Annualcalendars,

•Posters,

•Labelsforsystemsanddisks,

•Articlespublishedinthecorporatepublicationssuchastheweeklynewsletter,and

•Log-onnoticesandsystembroadcastmessages,especiallyofcybersecurityprogramchanges.

AlthoughthisEATPbaselinewasnotall-inclusive,thecybersecurityofficerbelievedthatitwasagoodstartthatcouldbeanalyzedforcost-effectiveimprovementsattheendofthecalendaryear.

AccessControlandAccessControlSystemsThecybersecurityofficerdeterminedthattheaccesscontrolandaccesscontrolsystemsrankedasahighpriorityinestablishingprocessesforthecontrolofaccesstosystems,aswellastheaccesstotheinformationstored,processed,andtransmittedbythosesystems.Therefore,accesscontrolsweredividedintotwosections:

•Accesstosystemsand

•Accesstotheinformationonthesystems.

Thecybersecurityofficerreasonedthateachdepartmentcreatedandusedthecorporatesystemsandtheirinformation.Therefore,theyshouldberesponsibleforcontrollingaccesstothosesystemsandinformation.

Themajorsystems,suchasthecorporate-wideareanetwork,wereownedandoperatedbytheITDepartment,whileindividualsystemsandlocalareanetworks(LANs)wereownedandoperatedbytheindividualdepartments.

Aspartofthecybersecurityprogram,thecorporation,incoordinationwithotherdepartments’managers,establishedaprocessforallemployeeswhorequiredaccesstothesystemstoperformtheirjobfunctions.Suchemployeeswouldhavetoobtainsystemaccessapprovalfromtheirmanagerandfromthemanagerordesignatedrepresentativeofthatsystemand/ortheinformationowner,suchasforfinancialdatabaseaccess.Theowners’approvalwasbasedonajustifiedneedforaccessasstatedbytheemployee’smanager.Ifthesystemand/orinformationownersagreed,accesswasgranted.

Thecybersecurityofficerhadfound,duringtheinitialevaluationofthecybersecurityprogramofthecorporation,thatdepartmentshadlogicallygroupedtheirinformationintocategories.Theyhaddonesotocontrolaccesstotheirownfiles.Thismadeiteasyforthesecurityofficer,becausethemanagersofthedepartmentsagreedthatonceaccesstosystemswasgrantedbythesystemowners,accesstotheinformationonthosesystemsshouldbeapprovedbytheownersofthosegroupsoffiles,databases,etc.

Thus,theaccesscontrolprocessincludedajustificationbyanemployee’smanagerstatingnotonlywhatsystems,andwhy,theemployeeneededaccessto,butalsowhatinformationheorsherequiredaccesstoinordertoperformhisorherjob.

Forthemostpart,thiswasaneasyandlogicalprocess.Forexample,intheAccountingDepartment,personnelgenerallyhadaccesstothegroupsoffilesanddatabasesbasedontheirjobfunctions—accountspayable,accountsreceivable,etc.

Thisaccesscontrolprocesshelpedmaintainanaudittrailofwhoapprovedaccesstowhomandforwhatpurposes.Italsohelpedprovideaseparationoffunctionsthatisavitalcomponentofanycybersecurityprogram.Forexample,anaccountspayablepersonshouldnotalsobetheaccountsreceivablepersonandtheinvoiceprocessingperson.Suchasystemwouldallowonepersontoomuchcontroloveraprocessthatcanbe—andhasbeen—usedforcommittingfraud.

Thebenefitsoftheforegoingprocesstothecybersecurityofficerwerethatitdocumentedaninformalprocessthatforthemostparthadbeeninplace,anditalsoplacedcybersecurityprogramresponsibilitiesforsystemsandinformationaccessexactlywhereitbelonged,withtheidentifiedownersofthesystemsandinformation.

Inoneinstance,acybersecurityofficerfoundthatonemanagerdidnotwanttotakeresponsibilityforaLANinthedepartment,andsinceothersoutsidethedepartmentusedtheinformation,themanagerdidnotwanttotakeownershipoftheinformation.ThemanagerthoughttheITDepartmentshouldbetheowner—afterall,theywereresponsibleforthemaintenanceofthesystem.

Thecybersecurityofficerinthiscaseaskedthemanagerifthecybersecurityofficercouldthenberesponsibleastheownerofthesystemsandtheinformation.Themanagerquicklyagreed.Thecybersecurityofficerthentoldthemanagerthatsinceitwasnowownedbythecybersecurityprogramorganization,accesstothesystemsandinformationwouldbedeniedtoallthosenotinthecybersecurityprogramorganization.

Themanagerobjected,statingthatthepersonnelinhisorganizationneededaccesstothosesystemsandtheirinformationtoperformtheirjobfunctions.Afterfurtherdiscussion,theorganizationalmanageragreedthathisorganizationwouldappeartobethelogicalownersandsubsequentlyacceptedthatresponsibility.

AccessControlSystemsThecybersecurityofficer,incoordinationwiththeIT,Security,andAuditDepartments,determinedthattheaccesscontrolsystems(hardwareandsoftware)belongedtothesamedepartmentsandorganizationsidentifiedasthesystemowners.However,thecybersecurityprogrampersonnelwouldestablishthedetailedproceduresfortheaccesscontrolsystemsandtheauditorswouldevaluatecompliancewiththoseprocedures.

Thesystemownersagreedtothisprocessandalsotoappointingaprimaryandalternatesystemcustodianwhowouldberesponsibleforensuringthatthecybersecurityprogrampoliciesandprocedureswerefollowedbyallthosewhousedthesystems.Inaddition,thecustodianwouldreviewthesystemaudittrails,whichweremandatoryonallcorporatesystems.6

EvaluationofAllHardware,Firmware,andSoftwareAllnewhardware,firmware,andsoftwareshouldbeevaluatedforitsimpactonthesecurityofinformationandsystems.ThiswasdeterminedtobenecessaryinajointagreementbetweenthecybersecurityofficerandtheITDepartmentpersonnel,auditors,andsecuritypersonnel.

Toperformthisfunctionwithminimalimpactoncostandinstallationschedules,itwasdeterminedthatabaselinechecklistwouldbedevelopedandthatthischecklistwouldbecompletedbythesuppliersoftheproduct,inconcertwiththecybersecurityprogramstaff.Anyitemsthatadverselyaffectedthecybersecurityprogramwouldbeevaluatedbasedonariskassessment,usingtheapprovedriskmanagementandreportingprocess.

TheprocessincludedcompletionofthebaselinecybersecurityprogramchecklistandatechnicalevaluationbycybersecurityprogrampersonnelinconcertwithITpersonnel.Iftheitem(hardware,software,etc.)wasconsideredrisk-acceptable,itwasapprovedforpurchase.

Iftheitemwasnotrisk-acceptable,theriskmanagementprocessidentifiedcountermeasures.Althoughthisprocessgenerallyapprovesthepurchaseofalmostallitems,someitemsmighthaveanunacceptablelevelofrisk,butwouldstillbeacceptedbecauseoftheirvaluetothecompany.Inthoseinstances,specialaudittrailscouldbecreatedtomonitortheuseoftheitem.Inanycase,thecybersecurityofficerunderstoodthatitisalwaysbetteratleasttoknowthatasystemisvulnerablethannottoknowthevulnerabilityexisteduntilitwastoolate.

Thecybersecurityofficeridentifiedtheseveralpotentialprocessesrelativetonew,modified,orupgradedsystems’hardware,software,andfirmwareimplementationinwhichtheprotectionofinformationandinformationsystemscouldbesubjecttoincreasedvulnerabilities.Thecybersecurityofficerdecidedtoformaprojectteamtoevaluatetheseandotherprocesses.Theprojectteamwouldincludethecybersecurityofficer’sstaffspecialistastheprojectlead,aswellasITrepresentatives,departmentrepresentatives,aprocurementrepresentative,acontractsrepresentative,andalegalrepresentative.Theserepresentativeswerechosenforthefollowingreasons:

•IT:Theyareresponsibleforthemajorsystems,suchasintranetsandInternetinterfaces.

•Departments:Theyareresponsiblefortheirownstand-alonesystems,suchasmicrocomputers,andfortheirownLANsthatarenotconnectedoutsidethedepartment.

•Procurement:Theyareresponsiblefororderingthehardware,software,andfirmware.

•Contracts:They,basedoncybersecurityofficercoordination,includecybersecurityprogram-relatedspecificationsandclausesinthecorporatecontracts,suchassoftwarefromavendorcertifiedfreeofmaliciouscodes.Furthermore,ifaproductisvulnerableorincreasesthesystems’vulnerabilities,thecontractmaycallforthevendortopatch

thesoftwareorprovidethesourcecodeforprogrammerstopatchthecode.

•Legal:Theyareresponsibleforensuringthatallissuesrelatedtocontractsandprocurementmattersmandatingcybersecurityprogramcriteriaarestatedinsuchawayastoensuretheirenforcementthroughlegalmeans.

RiskManagementProgramTheobjectiveoftheriskmanagementprogramistomaximizesecurityandminimizecostthroughriskmanagement.

WhatIsRiskManagement?Becauseitisthebaselineforallofthecybersecurityofficer’sdecisionsrelativetoinformationandsystemsprotection,thecybersecurityofficerdecidedtoformalizethefunctionofriskmanagementasanintegralpartofthecybersecurityprogramandthecybersecurityprogramorganization.

Thecybersecurityofficerknewthatforcorporateemployees,especiallymanagement,tounderstandthephilosophybehindhowcybersecurityprogram-relateddecisionsweremade,theyshouldhavesomebasicgraspoftheriskmanagementphilosophy.Thus,thecybersecurityofficerdirectedthatthistopicbeanintegralpartofthecybersecurityprogramandEATP.Thecybersecurityofficerknewthattounderstandtheriskmanagementmethodology,onemustfirstunderstandwhatriskmanagementmeans.Thecybersecurityofficerdefinedriskmanagementasthetotalprocessofidentifying,controlling,andeliminatingorminimizinguncertaineventsthatmayaffectsystemresources.Itincludesriskassessments;riskanalyses,includingcost–benefitanalyses;targetselection;implementationandtesting;securityevaluationofsafeguards;andoverallcybersecurityprogramreview.

Thecybersecurityofficerestablishedtheobjectiveoftheriskmanagementprocessasfollows:toprovidethebestprotectionofsystemsandtheinformationtheystore,process,display,and/ortransmitatthelowestcostconsistentwiththevalueofthesystemsandtheinformation.

RiskManagementProcessRememberthatthecybersecurityprogramisacorporateprogrammadeupofprofessionalswhoprovideserviceandsupporttotheircompany.Therefore,theriskmanagementprocessmustbebasedontheneedsofcustomers.

Also,thecybersecurityofficerwantedtobesurethattheriskmanagementconcepts,program,andprocesseswereinformallyandformallyusedinallaspectsofthecybersecurityprogram,includingwhenandhowtodoawarenessbriefingsandtheimpactofinformationsystemssecuritypoliciesandproceduresontheemployees.

Thefollowingstepsshouldbeconsideredinthecybersecurityofficer’sprocess:

1.Managementinterest:Identifyareasthatareofmajorinteresttoexecutivemanagementandcustomers;approachfromabusinesspointofview.So,theprocessshouldbeginwithinterviewsofyourinternalcustomerstodeterminewhatareasofthecybersecurityprogramareadverselyaffectingtheiroperationsthemost.Then,targetthoseareasfirstasthestartingpointfortheriskmanagementprogram.

2.Identifyspecifictargets:Softwareapplications,hardware,telecommunications,electronicmediastorage,etc.

3.Identifyinputsources:Users,systemadministrators,auditors,securityofficers,technicaljournals,technicalbulletins,riskassessmentapplicationprograms,etc.

4.Identifypotentialthreats:Internalandexternal,naturalorhuman-made.

5.Identifyvulnerabilities:Throughinterviews,experience,history,testing.

6.Identifyrisks:Matchthreatstovulnerabilitieswithexistingcountermeasures,verify,andvalidate.

7.Assessrisks:Acceptableornotacceptable,identifyresidualrisk,andthencertifytheprocessandgainapproval.Iftherisksarenotacceptable,then:

•Identifycountermeasures,

•Identifyeachcountermeasure’scosts,and

•Comparecountermeasures,risks,andcoststomitigatedrisks.

RecommendationstoManagementWhentheriskassessmentiscompleted,thecybersecurityofficermustmakerecommendationstomanagement.Rememberinmakingrecommendationstothinkfromabusinesspointofview:cost,benefits,profits,publicrelations,etc.

RiskManagementReportsAbriefingthatincludesaformal,writtenreportisthevehicletobringtheriskstomanagement’sattention.Thereportshouldincludeareasidentifiedthatneedimprovement,areasthatareperformingwell,andrecommendedactionsforimprovement,includingcostsandbenefits.

Rememberthatitismanagement’sdecisiontoeitheraccepttheriskormitigatetheriskandhowmuchtospendtodoso.Thecybersecurityofficeristhespecialist,thein-houseconsultant.Itismanagement’sresponsibilitytodecidewhattodo.Theymayfollowyourrecommendations,ignorethem,ortakesomeotheraction.Inanycase,thecybersecurityofficerhasprovidedtheserviceandsupportrequired.

Ifthedecisionismadethatnoactionwillbetaken,thereisstillabenefittoconductingtheanalyses.Thecybersecurityofficernowhasabetterunderstandingoftheenvironment,aswellasanunderstandingofsomeofthevulnerabilities.Thisinformationwillstillhelpinmanagingacybersecurityprogram.Thecybersecurityofficerhasdevelopedariskmanagementprocesstobeusedasanoverallbaselineforimplementationaspartoftheriskmanagementphilosophyofthecorporation.

SecurityTestsandEvaluationsProgramThecybersecurityofficersawtheneedforasecuritytestsandevaluationsprogram(ST&E)oncethecybersecurityprogramprocessesofawareness,accesscontrol,andriskmanagementwereimplemented.

TheST&Ewasdevelopedtoincorporatetestingandevaluatingofthetotalcybersecurityprogramprocesses,environments,hardware,software,andfirmwareasaproactivemethodtosupportriskassessmentsandtheevaluationofthesystems’components.

Thecybersecurityofficerbelievedthattheauditors’complianceauditsweremoreofachecklistprocessofensuringcompliancewiththecorporatecybersecurityprogrampoliciesandprocedures.Whatwasneeded,thecybersecurityofficerreasoned,wasawaytoactuallytestcybersecurityprogramprocesses,systems,etc.,todeterminewhethertheyweremeetingthecybersecurityprogramneedsofthecorporation—regardlessofwhethertheycompliedwiththecybersecurityprogrampoliciesandprocedures.

Forexample,theST&EwouldincludeperiodicallyobtainingauserIDonasystemwithvariousaccessprivileges.Thecybersecurityprogramstaffmemberusingthatidentificationwouldviolatethatsystemandattempttogainunauthorizedaccesstovariousfiles,databases,andsystems.Thatinformationwasanalyzedinconcertwithacomparisonofthesystem’saudittrails,thusprofilingthecybersecurityprogramofasystemornetwork.Also,theST&Ewouldincludeareviewofrecordsandprioraudittraildocumentstohelpestablishthe“cybersecurityprogramenvironment”beingtestedandevaluated.

NoncomplianceInquiriesNoncomplianceinquiries(NCIs)wereidentifiedasacybersecurityofficerresponsibilityandtheprocesswasdevelopedbythecybersecurityprogramstaffandcoordinatedwiththeauditandsecuritymanagement.TheNCIprocesswasasfollows:

•Receiveallegationsofnoncompliancebyauditors,securitypersonnel,managers,users,andgenerallyanyoneelse.

•Theallegationwasevaluatedand,ifnotconsideredacceptable,filed.7

•Iftheallegationwassubstantiated,aninquirywasconducted.Theinquiryincludedinterviews,technicalreviews,documentreviews,etc.

•Theinformationgatheredwasanalyzed,collated,andprovidedinaformalreporttomanagementwithcopiestoappropriatedepartmentssuchassecurityandhumanresources.

•Thereportwasprotectedforreasonsofprivacyandalsoincludedrecommendationsandtrendanalysestomitigatefutureoccurrences.

ContingencyandEmergencyPlanningandDisasterRecoveryProgramAcontingencyandemergencyplanninganddisasterrecovery(CEP-DR)programisoneoftheleastdifficultprogramstoestablishandyetalwaysseemstobeadifficulttask.Withthechangeininformationsystems’environmentsandconfigurations—client–server,LAN,distributedprocessing,etc.—thisproblemmaybegettingworse.

PriortodiscussingCEP-DR,itisimportanttounderstandwhyitisneeded.Itisreallyaveryimportantaspectofacybersecurityprogramandmayevenbeitsmostvitalpart.

Thecybersecurityofficermustrememberthatthepurposeofthecybersecurityprogramisto:

•Minimizetheprobabilityofasecurityvulnerability,

•Minimizethedamageifavulnerabilityisexploited,and

•Provideamethodtorecoverefficientlyandeffectivelyfromthedamage.

WhatIsIt?Contingencyplanningismakingaplanforrespondingtoemergencies,runningbackupoperations,andrecoveringafteradisaster.Itaddresseswhatactionwillbetakentoreturntonormaloperations.Emergenciesrequiringactionwouldincludesuchnaturaleventsasfloodsandearthquakes,aswellashuman-causedactssuchasfiresorhackerattackscausingdenialofservices.

Disasterrecoveryistherestorationoftheinformationsystems,facility,orotherrelatedassetsfollowingasignificantdisruptionofservices.

WhyDoIt?Primarilyusersoftenaskthequestion,whyisaCEP-DRprogramnecessary?Everyoneassociatedwithusing,protecting,andmaintaininginformationsystemsandtheinformationthattheystore,process,and/ortransmitmustunderstandtheneedforsuchaprogram:

•Toassistinprotectingvitalinformation,

•Tominimizeadverseimpactonproductivity,and

•Tosupportthebusinessstayinginbusiness!

HowDoYouDoIt?EachCEP-DRprogramisuniquetotheenvironment,culture,andphilosophyofeachbusinessorgovernmentagency.However,thebasicprogram,regardlessofbusinessor

agency,requiresthedevelopmentandmaintenanceofaCEP-DRplan.Itmustbeperiodicallytested,problemsidentifiedandcorrected,andprocesseschangedtominimizethechancesofadverseeventshappeningagain.

TheCEP-DRPlanningSystemThecorporation’sCEP-DRplanmustbewrittenbasedonthestandardformatusedbythecorporation.Thefollowinggenericformatisofferedforconsideration:

1.Purpose:Statethereasonfortheplananditsobjective.Thisshouldbespecificenoughthatitiscleartoallwhoreaditwhyithasbeenwritten.

2.Scope:Statethescopeandapplicabilityoftheplan.Doesitincludeallsystems,alllocations,subcontractors?

3.Assumptions:Statethepriorities,thesupportpromised,andtheincidentstobeincludedandexcluded.Forexample,ifyourareadoesnothavetyphoons,willyouassumethattyphoons,asapotentialdisasterthreat,willnotbeconsidered?

4.Responsibilities:Statewhoistoberesponsiblefortakingwhatactions.Thisshouldbestatedclearlysoeveryoneknowswhoisresponsibleforwhat.Consideragenericbreakdownsuchasmanagers,systemsadministrators,andusers.Also,specificauthorityandresponsibilityshouldbelistedbyaperson’stitleandnotnecessarilybythatperson’sname.Thisapproachwillsavetimeinupdatingtheplanbecauseofpersonnelchanges.

5.Strategy:Discussbackuprequirementsandhowoftentheyshouldbeaccomplishedbasedonclassificationofinformation;statehowyouwillrecover,etc.

6.Personnel:Maintainanaccurate,complete,andcurrentlistofkeyCEP-DRpersonnel,includingaddresses,phonenumbers,pagenumbers,andcellularphonenumbers.Besuretoestablishanemergencyprioritized,notificationlistingandalistingofresponseteammembersandhowtocontacttheminanemergency.

7.Information:Maintainanon-siteinventorylistingandanoff-siteinventorylisting;identifytherotationprocesstoensureahistoryandcurrentinventoryoffiles.Identifyvitalinformation.Thisinformationmustcomefromtheownerofthatinformationandmustbeclassifiedaccordingtoitsimportance,basedonapprovedguidelines.

8.Hardware:Maintainaninventorylisting,includingsupplier’sname,serialnumber,andpropertyidentificationnumber;ensurethatemergencyreplacementcontractsareinplace;maintainhardcopiesofapplicabledocumentsonandoffsite.

9.Software:Identifyandmaintainbackupoperatingsystemsandapplicationsystemssoftware.Thisshouldincludeoriginalsoftwareandatleastonebackupcopyofeach.Besuretoidentifytheversionnumbers,etc.Inthisway,youcancomparewhatislistedintheplanwithwhatisactuallyinstalled.Itwouldnotbeauniqueeventifsoftwarebackupswerenotkeptcurrentandcompatiblewiththehardware.Ifthisisthecase,thesystemsmightnotbeabletoworktogethertoprocess,store,andtransmitmuch-needed

information.

10.Documentation:All-importantdocumentationshouldbeidentified,listed,inventoried,andmaintainedcurrentinbothon-andoff-sitelocations.

11.Telecommunications:Theidentificationandmaintenanceoftelecommunicationshardwareandsoftwarelistingsarevitalifyouareoperatinginanytypeofnetworkenvironment.Manysystemstodaycannotoperateinastand-aloneconfiguration;thus,thetelecommunicationslines,backups,schematics,etc.,areofvitalimportancetogettingbackinoperationwithinthetimeperiodrequired.Aswithotherdocumentation,theiridentification,listing,etc.,shouldbemaintainedatmultipleon-andoff-sitelocations.Besuretoidentifyallemergencyrequirementsandallalternativecommunicationmethods.

12.Supplies:SuppliesareoftenforgottenwhenestablishingaCEP-DRplan,astheyoftentakeabackseattohardwareandsoftware.However,listingandmaintenanceofvitalsuppliesarerequired,includingthename,address,telephonenumbers,andcontractinformationconcerningsuppliers.Besuretostoresufficientquantitiesatappropriatelocationsonandoffsite.Ifyoudon’tthinkthisisanimportantmatter,tryusingaprinterwhenitstonercartridgehasdriedoutorisempty!.

Physicalsuppliesforconsiderationshouldincludeplastictarpstoprotectsystemsfromwaterdamageintheeventofafireinwhichsprinklersystemsareactivated

13.Transportationandequipment:Ifyouhaveadisasteroremergencyrequiringtheuseofabackupfacilityorobtainingbackupcopiesofsoftware,etc.,youobviouslymusthavetransportationandtheapplicableequipment(e.g.,adollyforhaulingheavyitems)todothejob.Therefore,youmustplanforsuchthings.Listemergencytransportationneedsandsources,howyouwillobtainemergencytransportationandequipment,andwhichroutesandalternateroutestotaketotheoff-sitelocation.Besuretoincludemapsinthevehiclesandalsointheplan.Besuretherearefullycharged,hand-heldfireextinguishersavailablethatwillworkonvarioustypesoffires,suchaselectrical,paper,orchemical.

14.Processinglocations:Manybusinessesandagenciessigncontractualagreementstoensurethattheyhaveanappropriateoff-sitelocationtobeusedintheeventtheirfacilityisnotcapableofsupportingtheiractivities.

Ensurethatemergencyprocessingagreementsareinplacethatwillprovideyouwithpriorityserviceandsupportintheeventofanemergencyordisaster.Eventhen,youmayhaveadifficulttimeusingthefacilityifitisamassivedisasterandothershavealsocontractedforthefacility.

Besuretoperiodicallyusethefacilitytoensurethatyoucanprocess,store,and/ortransmitinformationatthatlocation.Don’tforgettoidentifyon-sitelocationsthatcanbeusedorconvertedforuseifthedisasterislessthantotal.

15.Utilities:Identifyon-siteandoff-siteemergencypowerneedsandlocations.Don’tforgetthattheserequirementschangeasfacilities,equipment,andhardwarechange.Batterypoweranduninterruptablepowermightnotbeabletocarrytheloadormightbe

toooldtoevenwork.Theymustbeperiodicallytested.Aswiththeprintercartridgesupplies,systemswithoutpowerareuseless.Inadditiontopower,don’tforgettheairconditioningrequirements.Itwouldbeimportanttoknowhowlongasystemcanprocesswithoutairconditioningbasedoncertaintemperatureandhumidityreadings.

16.Documentation:Identifyallrelateddocumentation;storeitinmultipleon-andoff-sitelocations,andbesuretoincludetheCEP-DRplan.

17.Other:Miscellaneousitemsnotcoveredabove.

TestthePlanOnlythroughtestingcanthecybersecurityofficerdeterminethataplanwillworkwhenrequired.Therefore,itmustbeperiodicallytested.Itneednotbetestedallatonce,becausethatwouldprobablycausealossofproductivitybytheemployees,whichwouldnotbecost-effective.

Itisbesttotesttheplaninincrements,relyingonallthepiecestofittogetherwhenallpartshavebeentested.Regardlessofwhenandhowyoutesttheplan,whichisamanagementdecision,itmustbetested.Probablythebestwaytodeterminehowandwhattotest,andinwhatorder,istoprioritizetestingbasedonprioritizedassets.

Whentesting,thescenariosusedshouldbeasrealisticaspossible.Thisshouldincludeemergencyresponse,testingbackupapplicationsandsystems,andrecoveryoperations.

Throughtesting,documenttheproblemsandvulnerabilitiesidentified.Determinewhytheyoccurredandestablishformalprojectstofixeachproblem.Additionally,makewhatevercost-effectiveprocesschangesarenecessarytoensurethatthesameproblemwouldnothappenagainorthatthechanceofithappeningisminimized.

Thecybersecurityofficerevaluatedthecorporateorganizationalstructurerelativetothecorporation.AftercoordinationwiththeDirectorofSecurity,aprocesswasdevelopedtointegratethecybersecurityofficerandstaffintothecurrentCEP-DRprocess.


•Doyoubelievethatthebasicrequirements—drivers—discussedinthischapterarevalid?

•Canyouthinkofothersthatyouwoulduseasacybersecurityofficer?

•Aftertherequirementsareidentified,inwhatorderwouldyouprioritizepolicies,procedures,plans,processes,functions,andprocesses?

•Whydidyoudecidetoprioritizeeachintheordernoted?

•Doyouhaveaprocessinplaceforvaluingcompanyinformation?

•Ifnot,howdoyouknowwhattoprotectinacost-effectivemanner?

•Ifyouhavesuchaprocessinplace,isitcurrent?

•Isitworking?

•Howdoyouknowitisworkingcost-effectively?

•Whatarethefunctionsthatyouasacybersecurityofficerbelievearerequiredtobeapartofyourcybersecurityprogramorganization?

•Whichonesareoptional,andwhy?

•Whichoneswouldneverbeauthorizedbymanagementtobepartofyourcybersecurityprogramresponsibilities?

•Doyouuseaformal,documentedriskmanagementphilosophy?

•Ifnot,howdoyoucost-effectivelymakecybersecurityprogramdecisions?

•Ifso,isthatphilosophysharedwiththeemployeessotheycanunderstandwhycertaincybersecurityprogramdecisionsaremade?

•Areyouanintegralpartofthecompany’sCEP-DRprocesses?

•Ifnot,shouldyoube?

•Ifso,areyouinvolvedintestingtheCEP-DRplans?

•Afteranemergencyordisaster,areyouinvolvedinverifyingandvalidatingthatallthesecurityhardware,software,andfirmwareareoperatinginaccordancewiththecybersecurityprogramandsecurityspecifications?

•Ifnot,howwouldyouknowtheywereeventurnedbackonbyITpersonnelafterthesystemswentofflineandwerebroughtbackonlineagain?

SummaryItiscrucialforacybersecurityofficerwhoisnewtothecorporationtoevaluatethecurrentcybersecurityprogramorganizationalstructure,thestaff,andtheirexperienceandeducationandensuretheorganizationiscost-effectivelystructured.Thecybersecurityofficershouldconsiderthefollowingpoints:

•Establishingthepropercybersecurityprogramfunctionsintherightpriorityorderisvitaltoestablishingthecybersecurityprogramorganizationandcybersecurityprogrambaseline.

•Thecybersecurityprogramfunctionalprocessesshouldgenerallyfollowthefunctiondescriptionsnotedinthecybersecurityofficer’scharterofresponsibilities.

•Establishingaprocesstodeterminethecategoriesofinformationidentifiedbythegeneralvalueofthatinformationwouldassistinthedevelopmentofacost-effectivecybersecurityprogram.

•Functionsandprocessesshouldbedevelopedbasedonrequirementssuchaslawsandregulations.

•Flowchartsshouldbedevelopedtohelpvisualizethelinkagebetweenrequirements;plans;vision,mission,andqualitystatements;policies;processes;andfunctions.

1AttributedtoPabloPicasso(1881–1973),Spanishpainterandsculptor.Microsoft’sEncartaDictionary.2EncartaWorldEnglishDictionary,©1999,MicrosoftCorporation.Allrightsreserved.DevelopedforMicrosoftbyBloomsburyPublishingPlc.3Otherscanbeadded,butthesebasicexamplesgivethereaderagoodideaofwhatisneeded.4Inthecontextusedhere,thetermclassifyhasnothingtodowithclassificationasitrelatestonationalsecurityinformation,suchasconfidential,secret,andtopsecret.5Youmayfindthatthisdriver–requirement,cybersecurityprogram–cybersecurityprogramfunctionstopicisredundant.Ideally,itis,andyouarebeginningtogetitingrainedinyourcybersecurityofficerheadthatthesearethebasicsthateverycybersecurityofficershouldknowanduseasthebaselineforleadingandmanaginganinformationandsystemsprotectionprogramforacompanyorgovernmentagency.Ihopethatafterreadingthisbook,certainbasicphilosophies,suchasthefactthatthecybersecurityprogramisaparasiteontheprofits,willbemadeanautomaticpartofanycybersecuritytypeofprogramandcybersecurityprogramorganizationyouwillleadandmanage.6Atfirst,theaudittrailsrequirementsweretobeappliedonlytothosesystemsprocessingsensitiveinformation;however,itwasquicklydiscoveredthatallthesystems,becauseoftheirnetworking,fellunderthatcategory.Managementagreedthattheadditionalcostofsucharequirementwasbeneficialbasedontheriskoflossofthatinformationtointernalorexternalthreats.7Thecybersecurityofficerwassensitivetoprivacyissuesanddidnotwanttoinitiateaninquirywithoutsubstantiatedinformation,sincesomeonemayhaveagrudgeagainstanotherandusetheprocesstoharasshimorher.

CHAPTER10

EstablishingaMetricsManagementSystem

AbstractThischapterisdesignedtoprovidebasicguidancenecessaryforthedevelopmentofametricsmethodologytounderstandwhat,why,when,andhowacybersecurityprogramcanbemeasured.Usingafictitiouscorporationandfunctionsthatwerepreviouslydescribed,ametricssystemwillbedeveloped.Thechapterincludesadiscussionofhowtousethemetricstobriefmanagement,justifybudget,andusetrendanalysestodevelopamoreefficientandeffectivecybersecurityprogram.

KeywordsCorporateinformationofficer(CIO);Cost-avoidancemetrics;Cybersecurityprogrammetric;Educationandawarenesstrainingprogram(EATP);Metricscharts;Metricsmanagement;Projectchart;Stand-alonemicrocomputers

Don’tworkharder—worksmarterKenBlanchard

CONTENTS

Introduction 202WhatIsaMetric? 202WhatIsaCyberSecurityProgramMetric? 202WhatIsCyberSecurityProgramMetricsManagement? 203

Metrics1:CyberSecurityProgramLevelofEffortDrivers—NumberofUsers 207

ChartingLevelofEffortthroughNumberofSystemUsers 208WhyShouldTheseStatisticsBeCollected? 208WhatSpecificStatisticsWillBeCollected? 208HowWillTheseStatisticsBeCollected? 208WhenWillTheseStatisticsBeCollected? 209WhoWillCollectTheseStatistics? 209Where(atWhatPointintheFunction’sProcess)WillTheseStatisticsBeCollected? 209

SignificanceoftheSystemUsersChart 209GrantingUsersAccesstoSystems 210

ExamplesofOtherMetricsCharts 211CyberSecurityProgramTestsandEvaluations 212

CyberSecurityProgramEducationandAwarenessTraining 213Cost-AvoidanceMetrics 215MetricsManagementandDownsizing 215

ProjectManagement 218QuestionstoConsider 221Summary 222

CHAPTEROBJECTIVE

Thischapterisdesignedtoprovidebasicguidancenecessaryforthedevelopmentofametricsmethodologytounderstandwhat,why,when,andhowacybersecurityprogramcanbemeasured.Usingafictitiouscorporationandfunctionsthatwerepreviouslydescribed,ametricssystemwillbedeveloped.Thechapterincludesadiscussionofhowtousethemetricstobriefmanagement,justifybudget,andusetrendanalysestodevelopamoreefficientandeffectivecybersecurityprogram.

IntroductionSomeofthemostcommoncomplaintscybersecurityofficersmakearethatmanagementdoesn’tsupportthemand—asthefamouscomedianRodneyDangerfieldisknownforsaying—“Igetnorespect.”Anothercomplaintisthatthecostsandbenefitsofacybersecurityprogramcannotbemeasured.

Asforthefirsttwo,yougetsupport,becauseyouarebeingpaid—andthesedays,moreoftenthannot,quitehandsomely—andyouhaveabudgetthatcouldhavebeenpartofcorporateprofits.Furthermore,respectisearned.Besides,ifyouwanttobepopular,youaredefinitelyinthewrongprofession.

Oneoftenhearsmanagementask:

•“Whatisallthissecuritycostingme?”

•“Isitworking?”

•“Canitbedoneatlesscost?”

•“Whyisn’titworking?”

Thatlastquestionoftencomesrightafterasuccessfuldenial-of-serviceattackorsomeotherattackonthecorporatesystemsorWebsites.Ofcourse,manycybersecurityofficersrespondbysayingthatitcan’tbemeasured.Thatisoftensaidoutofthecybersecurityofficer’signoranceofprocessestomeasurecostsorbecausethecybersecurityofficeristoolazytotrackcosts.

Themoredifficultquestiontoansweris,“Whatarethemeasurablebenefitsofacybersecurityprogramandthefunctionsthatprovidesupportunderthecybersecurityprogram?”Ofcourse,onecouldalwaysusethewell-worn-statement,“Itcanbemeasuredonlyasasuccessorfailuredependingonwhetherornottherehavebeensuccessfulattacksagainstoursystems.”Thetruthisthatmanyattacksgounnoticed,unreportedbytheusersorinformationtechnology(IT)people.Furthermore,separatingattacksfrom“accidents”(humanerror)isusuallynoteasy;however,metricscanhelpintheanalyses.

WhatIsaMetric?Tobegintounderstandhowtousemetricstosupportmanagementofacybersecurityprogram,itisimportanttounderstandwhatismeantby“metrics.”Forourpurposes,ametricisdefinedasastandardofmeasurementusingquantitative,statistical,and/ormathematicalanalyses.

WhatIsaCyberSecurityProgramMetric?Acybersecurityprogrammetricistheapplicationofquantitative,statistical,and/ormathematicalanalysestomeasurecybersecurityprogramfunctionaltrendsandworkload—inotherwords,trackingwhateachfunctionisdoingintermsoflevelofeffort(LOE),

costs,andproductivity.

Therearetwobasicwaysoftrackingcostsandbenefits.Oneisbyusingmetricsrelativetotheday-to-day,routineoperationsofeachcybersecurityprogramfunction.ThesemetricsarecalledLOEandarethebasicfunctionsnotedinthecybersecurityofficer’scharterofresponsibilitiesandaccountabilities.Exampleswouldbedailyanalysesofaudittrailrecordsofafirewall,grantingusersaccesstosystems,andconductingnoncomplianceinquiries.Inmorefinancialterms,thesearetherecurringcosts.

Theotherwayoftrackingcostsandbenefitsisthroughformalprojectplans.Inotherwords,ifthetasksbeingperformedarenotthenormalLOEtasks,thentheyfallunderprojects.Rememberthatfunctionsarenever-endingdailywork,whileprojectshaveabeginningandendingdatewithaspecificobjective.Inmorefinancialterms,thesearethenonrecurringcosts.

So,toefficientlyandeffectivelydevelopametricsmanagementprogram,itisimportanttoestablishthatphilosophyandwayofdoingbusiness.Everythingthatacybersecurityofficerandstaffdocanbeidentifiedasfittingintooneofthesetwocategories:LOEorproject.

WhatIsCyberSecurityProgramMetricsManagement?Cybersecurityprogrammetricsmanagementisthemanagingofacybersecurityprogramandrelatedfunctionsthroughtheuseofmetrics.Itcanbeusedwheremanagerialtasksmustbesupportedforsuchpurposesasbackingthecybersecurityofficer’spositiononbudgetmatters,justifyingthecost-effectivenessofdecisions,ordeterminingtheimpactofdownsizingonprovidingcybersecurityprogramserviceandsupporttocustomers.

Theprimaryprocesstocollectmetricsisasfollows:

•Identifyeachcybersecurityprogramfunction1;

•Determinewhatdrivesthatfunction,suchaslabor(numberofpeopleorhoursused),policies,procedures,andsystems;and

•Establishametricscollectionprocess.Thecollectionprocessmaybeassimpleasfillingoutalogforlatersummarizationandanalysis.Theuseofaspreadsheetthatcanautomaticallyincorporatecybersecurityprogramstatisticsintographsisthepreferredmethod.Thiswillmakeiteasierforthecybersecurityofficertousethemetricsforsupportingmanagementdecisions,briefings,etc.

Thedecisiontoestablishaprocesstocollectstatisticsrelativetoaparticularcybersecurityprogramfunctionshouldbemadebyansweringthefollowingquestions:

•Whyshouldthesestatisticsbecollected?

•Whatspecificstatisticswillbecollected?

•Howwillthesestatisticsbecollected?

•Whenwillthesestatisticsbecollected?

•Whowillcollectthesestatistics?

•Where(atwhatpointinthefunction’sprocess)willthesestatisticsbecollected?

Byansweringthesequestionsforeachproposedmetric,thecybersecurityofficercanbetteranalyzewhetherametricscollectionprocessshouldbeestablishedforaparticularfunction.Thisthoughtprocesswillbeusefulinhelpingexplainittothecybersecurityprogramstafformanagement,ifnecessary.Itwillalsohelpthecybersecurityofficerdecidewhetherheorsheshouldcontinuemaintainingthatmetricafteraspecificperiodoftime.Sincethecorporatecybersecurityofficerhadbegunwithananalysisofcybersecurityprogramrequirements(drivers)thatledtotheidentificationofacybersecurityofficercharterthatledtotheidentificationofcybersecurityprogramfunctionswithprocessflowcharts,thetaskofdevelopingmetricswillbemucheasier.Thatisbecauseeachstepnotedinthecybersecurityprogramfunctions’flowchartscanbeapointofquantifyingandqualifyingcostsofperformingeachspecificfunction.

Allmetricsshouldbereviewed,evaluated,andreconsideredforcontinuationattheendofeachyear,orsooner—whenarequirementchanges,afunctionmayalsochange.Rememberthatalthoughthecollectionofthemetricsinformationwillhelpthecybersecurityofficerbettermanagethecybersecurityprogramdutiesandresponsibilities,aresourcecostisincurredinthecollectionandmaintenanceofthesemetrics.Theseresourcesinclude:

•Peoplewhocollect,input,process,print,andmaintainthemetricsforyou;

•Timetocollect,analyze,anddisseminatetheinformation;and

•Thehardwareandsoftwareusedtosupportthateffort.

Whenusingthesemetricschartsformanagementbriefings,onemustrememberthatthechartformatandcolorsaresometimesdictatedbymanagement;however,whichtypeofchartisbestforanalysisorpresentationtomanagementisprobablyuptothecybersecurityofficer.

Thecybersecurityofficershouldexperimentwithvarioustypesofline,bar,andpiecharts.Thechartsshouldbekeptsimpleandeasytounderstand.Remembertheoldsaying,“Apictureisworthathousandwords.”Thechartsshouldneedverylittleverbalexplanation.

Ifthecybersecurityofficerwillusethechartsforbriefings,thebriefingshouldcommentonlyonthevarioustrends.Thereasonforthisistoclearlyandconciselypresentthematerialandnotgetboggeddownindetails,whichdetractfromtheobjectiveofthecharts.

Onewaytodeterminewhetherthemessageofthechartsisclearistohavesomeonelookateachchartanddescribewhatittellshimorher.Ifitiswhatthechartissupposedto

portray,thennochangesareneeded.Ifnot,thecybersecurityofficershouldthenasktheviewerwhatthechartdoesseemtorepresentandwhatleadshimorhertothatconclusion.Thecybersecurityofficermustthengobacktothechartandreworkituntilthemessageisclearandisexactlywhatthecybersecurityofficerwantsthecharttoshow.Eachchartshouldhaveonlyonespecificobjective,andthecybersecurityofficershouldbeabletostatethatobjectiveinonesentence,suchas“Thischart’sobjectiveistoshowthatcybersecurityprogramsupporttocorporateisbeingmaintainedwithoutadditionalbudgetalthoughtheworkloadhasincreased13%.”

Thefollowingparagraphsidentifysomebasicexamplesofcybersecurityprogrammetricsthatcanbecollectedtoassistacybersecurityofficerinmanagingacybersecurityprogramandbriefingthemanagementontheprogramandtheprogram’sorganization.Bytheway,whenestablishingabriefingtomanagementinwhichthemetricschartswillbeused,asimilarchartcanbeusedtostartoffthebriefing.Thatcharttrackstherequirements(drivers)thatcanbetracedtoeachfunction.Onemayalsowanttoprovidemoredetailedchartstrackingspecificrequirementstospecificfunctions.

Ofcourse,asthecybersecurityofficer,youwouldwanttogetmorespecificandtracktoamoredetailedlevelofgranularity.Infact,thecybersecurityprogramstaffresponsibleforleadingaspecificfunctionshouldbetaskedwithdevelopingthischartorcharts.Thatway,thestaffwillknowexactlywhytheyaredoingwhattheydo.Thenextstepwouldbeforthemtotracktheirworkflow,analyzeit,andfindmoreefficientwaystodothejob.Atthesametimetheywouldalsolookatcurrentcostsandcostsavingsasmoreefficientwaysarefoundtosuccessfullyaccomplishtheirjobs.

Thecybersecurityofficermustrememberthatmetricsareatooltosupportmanyofthecybersecurityofficer’sdecisionsandactions;however,theyarenotperfect.Therefore,thecybersecurityofficermustmakesomeassumptionsrelativetothestatisticaldatatobecollected.That’sfine.Thecybersecurityofficermustrememberthatmetricsarenotrocketscience,onlyatooltohelpthecybersecurityofficertakebetter-informedactionsandmakebetter-informeddecisions.So,thecybersecurityofficershouldnevergetcarriedawaywiththehuntfor“perfectstatistics,”orbecomesoinvolvedinmetricsdatacollectionthat“paralysisbyanalysis”takesplace.2

Thespreadsheetsandgraphsusedformetricsmanagementcanbecomeverycomplicated,withlinkstootherspreadsheets,elaboratethree-dimensionalgraphics,etc.Thatmayworkforsome,butthecybersecurityofficershouldconsidertheKISS(keepitsimple,stupid)principlewhencollectingandmaintainingmetrics.Thisisespeciallytrueifthecybersecurityofficerisjustgettingstartedandhasnoorverylittleexperiencewithmetrics.Onemayfindthattheprojectleadswhoaredevelopingan“automatedstatisticalcollection”applicationareexpendingmorehoursdevelopingtheapplication—whichneverseemstoworkquiteright—thanitwouldtaketomanuallycollectandcalculatethestatisticalinformation.

Itisalsoimportant,fromamanagerialviewpoint,thatallcharts,statistics,andspreadsheetsbedoneinastandardformat.Thisisnecessarysothattheycanbereadyatalltimesforreviewsandbriefingstouppermanagement.Thisstandardisindicativeofa

professionalorganizationandonethatisoperatingasafocusedteam.

Cybersecurityofficerswhoarenewtothecybersecurityofficerposition,ormanagementingeneral,maythinkthatthisissomewhatridiculous.Afterall,whatdifferencedoesitmakeaslongastheinformationisasaccurateaspossibleandprovidesthenecessaryinformation?Thismaybecorrect,butinthebusinessenvironment,standards,consistency,andindicationsofteamingarealwaysaconcernofmanagement.Yourchartsareindicativeofthosethings.

Thecybersecurityofficerhasahardenoughjobgettingandmaintainingmanagementsupport.Thejobshouldnotbemademoredifficultthanithastobe.

Anothernegativeimpactofnonconformanceofformatwillbethattheattendeeswilldiscussthechartsandnottheinformationonthem.Once“nonconformancetobriefingchartsstandards”isdiscussed,managementhasalreadyformedanegativebias.Thus,anythingpresentedwillmakeitmoredifficulttogetthepointacross,gainthedecisiondesired,andmeettheestablishedobjectiveofthebriefing.

Itisbetterjusttofollowtheestablishedstandardsthantoarguetheirvalidity.Itisbettertosaveenergyforarguingforthosethingsthataremoreimportant.Afterall,onecan’twin,andthecybersecurityofficerdoesnotwanttobeseenas“anon-teamplayer”morethannecessary.

Ofcoursethenumber,type,collectionmethods,etc.,thatthecybersecurityofficerwillusewillbedependentontheenvironmentandthecybersecurityofficer’sabilitytocost-effectivelycollectandmaintainthemetrics.

Metrics1:CyberSecurityProgramLevelofEffortDrivers—NumberofUsersTherearetwobasiccybersecurityprogramLOEdriverswithinanorganization,thatis,thosethingsthatcausethecybersecurityprogramworkloadtobewhatitis,increasingordecreasing.Thetwobasicdriversare:

•Thenumberofsystemsthatfallunderthepurviewofthecybersecurityprogramandcybersecurityofficer’soverallresponsibilityforprotectionand

•Thenumberofusersofthosesystems.

Aquestionthatmustbeaskedis:Whyarethesemetricsworthtracking?Theyareworthtrackingbecausetheydrivethecybersecurityprogramworkload—theLOE—whichmeanstheydrivethenumberofhoursthatthecybersecurityprogramstaffmustexpendinmeetingtheircybersecurityprogramresponsibilitiesrelativetothosesystemsandusers.

Asthenumberofusersonthecorporatenetworkschangesorthenumberofsystemschanges,sodoestheworkload;therefore,sodoesthenumberofstaffrequiredandtheamountofbudgetrequired—timetodothejob.Forexample,assumethatthecorporationisdownsizing—acommonoccurrencethatcybersecurityofficerswilleventuallyfaceintheircybersecurityprogramcareers.Ifthecybersecurityofficerknowsthatthecorporationwilldownsizeitsworkforceby10%,andassumingthattheworkforceallusecomputers,whichisnotunusualintoday’scorporations,theworkloadshouldalsodecreaseabout10%.Thismaycausethecybersecurityofficertoalsodownsize(layoffstaff)byapproximately10%.

However,thedownsizing,whetheritismoreorlessthanthecorporateaverage,shouldbebasedontherelatedcybersecurityprogramworkload.Thecybersecurityprogramdriversaremetricsthatcanhelpthecybersecurityofficerdeterminetheimpactofthecorporation’sdownsizingonthecybersecurityprogramanditsorganization.Themetricsassociatedwiththateffortcanalsojustifydownsizingdecisionstocorporatemanagement—toincludepossiblydownsizingby5or12%insteadof10%.Forexample,morelayoffsmaymeanmorecybersecurityprogram-relatedinfractions,whichmeansanincreaseinnoncomplianceinquiriesandthusanincreaseintheworkload.Massivelayoffswouldalsomeanmoreworkforthosewhoareresponsiblefordeaccessingemployeesfromthesystemspriortoemploymentterminations.Themetricscanshowthisworkincreaseandmakeacasetomanagementfornotlayingoffcybersecurityprogramstaffuntilaftertheothermajorlayoffshaveoccurred.

ChartingLevelofEffortthroughNumberofSystemUsersAsacybersecurityofficer,youdecidedthatitwouldbeagoodideatousethedriver’smetricthatisusedfortrackingthenumberofsystemusers.Youhavegonethroughtheanalyticalprocesstomakethatdecisionbasedonansweringthewhy,what,how,when,

who,andwherequestions.

WhyShouldTheseStatisticsBeCollected?Thedriver’smetricthattracksthenumberofsystemusersforwhichthecybersecurityofficerhascybersecurityprogramresponsibilityisusedtoassistindetailingtheneededhead-countbudgetforsupportingthoseusers.Asanexample,thefollowingfunctionsarechartedbasedonthenumberofcorporatesystemusers:

•Accesscontrolviolations,

•Noncomplianceinquiries,and

•Awarenessbriefings.

WhatSpecificStatisticsWillBeCollected?•Totalusersbylocationandsystemsand

•Totalsystemsbylocationandtype.

HowWillTheseStatisticsBeCollected?•ThetotalnumberofuserswillbedeterminedbytotalingthenumberofuserIDsoneachnetworksystemandaddingtoitthenumberofstand-alonesystems.Itisassumedthateachstand-alonesystemhasonlyoneuser.

•Stand-alonemicrocomputersandnetworkedsystems(whichwillcountasonesystem)willbeidentifiedandtotaledusingtheapprovedsystemdocumentationonfilewithinthecybersecurityprogramorganizationontheapprovedsystemsdatabase.Atthecorporation,allsystemsprocessingsensitiveinformationfallingwithinthecategoriespreviouslyidentifiedatthecorporationforidentifyinginformationbyitsvaluemustbeapprovedbythecybersecurityofficer(ordesignatedcybersecurityprogramstaffmembers).Therefore,datacollectionisavailablethroughthecybersecurityprogram’srecords.

WhenWillTheseStatisticsBeCollected?ThestatisticswillbecompiledonthefirstbusinessdayofeachmonthandincorporatedintoMetrics1,cybersecurityprogramdrivers,graphmaintainedonthecybersecurityprogramdepartment’sadministrativemicrocomputer.

WhoWillCollectTheseStatistics?Thestatisticswillbecollected,inputted,andmaintainedbytheprojectleadersresponsibleforeachcybersecurityprogramfunction,suchassystemaccessesandsystemapprovals.

Where(atWhatPointintheFunction’sProcess)WillThese

StatisticsBeCollected?Thecollectionofstatisticswillbebasedontheinformationavailableandonfileinthecybersecurityprogramorganizationthroughcloseofbusinessonthelastbusinessdayofthemonth.

Ofcourse,thenumberofsystemusersaffectsallcybersecurityprogramfunctions.Follow-onchartswouldshowtheworkloadrelativetotheothercybersecurityprogramfunctionsthatareaffected.Boldfontsareusedtohighlightimportantfactsthatthecybersecurityofficerwantstoemphasize—management’seyesarenaturallydrawntoboldfonts.

SignificanceoftheSystemUsersChartThenumberofsystemusersisalsoadriverofcybersecurityprogramworkloadbecausethecybersecurityprogramfunctions’LOEandsomeprojectsarebasedonthenumberofusers.Theyincludethefollowing:

•Thecybersecurityprogramstaffprovidesaccesscontrolsforusers;

•Thenumberofnoncomplianceinquirieswillprobablyincreasebasedontheincreasednumberofusers;

•Thenumberofnoncomplianceinquiriesmayactuallyincreasewhenthecorporationdownsizesbecauseofmorehostilityamongtheemployees(ametricschartshowingcaseloadmayhelpindefendingcybersecurityofficerstafffrommoredrasticlayoffsthanmayhavebeenrequiredbymanagement);

•Thetimetoreviewaudittrailrecordswillincreaseasaresultofmoreactivitybecauseofmoreusers;and

•Thenumberofawarenessbriefingsandprocessingofadditionalawarenessmaterialwillincreaseasaresultofanincreaseinusers.

Rememberthatasacybersecurityofficeryouarealsoacybersecurityprogram“salesperson”andmusteffectivelyadvertiseandmarketinformationandsystemsprotectiontocorporation’spersonnel.Achartcanbeusedbythecybersecurityofficerforthefollowing:

•Justifytheneedformorebudgetandotherresources;

•Indicatethatthecybersecurityprogramisoperatingmoreefficiently,becausethebudgetandotherresourceshavenotincreasedalthoughthenumberofsystemshasincreased;and

•Helpjustifywhybudgetandotherresourcescannotbedecreased.

Whendecidingtodevelopmetricschartstotrackworkload,efficiency,costs,etc.,ofthatfunction,alwaysstartatthehighestlevelandthendevelopchartsatlowerlevels(in

moredetail)thatsupporttheoverallchart.Thisisdoneforseveralpurposes.Thecybersecurityofficermayhavelimitedtimetobriefaspecificaudience,andifitisanexecutivemanagementbriefing,thetimewillbeshorter,asusuallytheirattentionspanisshortwhenitcomestocybersecurityprogrammatters.So,the“top-down”approachwillprobablyworkbest.Ifyouhavetimetobriefinmoredetail,thechartsareavailable.Ifexecutivemanagementhasaquestionrelativetosomelevelofdetail,thentheotherchartscanbeusedtosupportthecybersecurityofficerstatementsand/orpositioninreplytothequestionoftheaudience.

GrantingUsersAccesstoSystemsAmajorcybersecurityprogramserviceandsupportfunctionistoaddnewuserstosystemsandtoprovidethemnewaccessprivilegesasdirectedbytheirmanagementandinformationowners.

Aspartofthatserviceandsupporteffort,thecybersecurityofficerwantstoensurethattheseusersaregivenaccessasquicklyaspossible,becausewithouttheiraccessornewaccessprivileges,theuserscannotperformtheirjobs.

Ifuserscannotgainexpeditiousaccess,thenthecybersecurityprogramiscostingthecorporationintermsoflostproductivityofemployeesorevenpossiblylostrevenueinotherforms.

Thecybersecurityofficer,incoordinationwiththecybersecurityprogramstaffresponsiblefortheaccesscontrolfunction,evaluatedtheaccesscontrolprocessand

determinedthatusersshouldbegivenaccesswithin24 hofreceiptofarequestfrommanagement.

Thecybersecurityofficerdecidedtotrackthisprocessbecauseofitshighvisibility.Nothingcandamagethereputationofthecybersecurityofficerandstafffasterthanahostilemanagerwhoseemployeescannotgetsystemsaccesstobeabletodotheirwork,leading,forexample,toincreasedcostsduetolostdepartmentproductivitycausedbytheslownessofaccessingemployeestosystems.Todevelopametricschart,oneshouldfirstcreateaflowchartofthefunction.

Anythingworthdoingdoesnothavetobedoneperfectly—atfirst.

KenBlanchard

ExamplesofOtherMetricsChartsTherearenumerousmetricschartsthatcanbedevelopedtosupportthevariousneedsofthecybersecurityofficerandthecybersecurityprogram.Thecybersecurityofficermayalsousethisinformationwhenbudgetcutsarerequired.Thechartcanbeshowntomanagementandmodifiedtoshowwhatwouldhappenifthestaffwerecutbyoneperson,twopeople,etc.Inotherwords,theaverageusers’initialaccesstosystemsintermsofturnaroundtimewouldincrease.Managementmayormaynotwanttolivewiththoseconsequences.Thecostcanbequantifiedbytakingtheaveragehourlywageoftheemployee,identifyinghowmuchproductivitytimeislostwithaccesscomingwithinonebusinessday,andcomparingthattotimelostifaccess,becauseanaccesscontrolpersonhasbeenlaidoff,takestwobusinessdays.

Forexample,anemployeeearns$15anhour.Theemployeeshowsupatthedeskofanaccesscontrolleratthestartofthebusinessday,8.00am.Thatemployeeisauthorized

systemaccessby8.00amthenextday.Thislossofatleast8 hofproductivityat$15anhourwouldbethenormalcostofthecybersecurityprogramfunctionofaccesscontrol,or$120peremployee.However,iftheaccesswasnotauthorizeduntilthedayafter,thecostperemployeewouldbe$240.

Thechartcanshowthecybersecurityofficerwherestaffcutscanbemadeandstillmeettheexpectedgoals.Thecybersecurityofficercanalsousethisinformationwhendecidingtoreallocateresources(transferaperson)toanotherfunctionforwhichthegoalsarenotbeingmetandthefastestwaytomeetthegoalsistoaddheadcount.Awordofcautionhere—addingordecreasingheadcountisusuallyconsideredafast,simplesolution.However,itisnotalwaystheanswer.

Sometimeswhenthenumberslookrightthedecisionisstillwrong!

KenBlanchardandNormanVincentPeale

ManyprojectleadersandcybersecurityofficershavefoundovertheyearsthatprojectsandLOEproblemsarenotalwayssolvedbyassigningmorebodiestosolvingtheproblem.Oneshouldfirstlookattheprocessandatsystemicproblems.Thisisusuallyamorecost-effectiveapproachtosolvingthesetypesofproblems.Forexample,usingtheexampleofthenewlyhiredemployeegettingfirst-timesystemaccess,supposeawaywas

foundtocutthattimedownto1 h.Thecostssavingwouldbefromthenormal$120to$15,orasavingof$105pernewemployee.Suchchartscanbeusedformanagementbriefingsandwillshowspecificallyhowthecybersecurityofficerandstaffareloweringcybersecurityprogramcosts,atleastforthatparticularcybersecurityprogramfunction.

Aswithallmetricscharts,adecisionmustalsobemadewhethertocollectthedatamonthly,quarterly,semiannually,annually,orsomewhereinbetween.Thetimeperiodwilldependonseveralfactors.Theseinclude,butarenotlimitedto:

•Whattheywillbeusedfor,suchasmonthlyorannualexecutivebriefings;

•Budgetjustifications;

•Cybersecurityprogramstafffunctionsresourceallocations;and

•Theobjectivesofeachchart.

Asubchartofthischartmaybetheaveragetimespent,inhours,pertypeofinquiry.Oncethetimeelementsareknown,theycanbeequatedtoproductivitygainsandlosses,aswellasbudget,suchasmoney,equipment,andstaff.

CyberSecurityProgramTestsandEvaluationsThecybersecurityofficermaydecidetoestablishaprocessthatwillprovideguidelinesontheneed,establishment,andimplementationofmetricscharts.Thecybersecurityofficerusesacybersecurityprogramfunctiontodeveloptheprocess—themethodology—withthefollowingresults:

•Thecybersecurityprogramwillconductsecuritytestsandevaluations(ST&E)asprescribedbythecorporation’scybersecurityprogrampoliciesandprocedures.

•ResultsofthecybersecurityprogramST&Ewillbecharted.

•Eachchartwillbeevaluatedtodeterminewhetherapattern/trendexists.

•Patterns/trendswillbeevaluatedtodeterminehoweffectivelyafunctionisbeingperformed.

•Resultsandrecommendationswillbepresented,inaccordancewithcybersecurityprogrampoliciesandprocedures,totheapplicablemanagers.

AnothercybersecurityprogramfunctionthatprovidesopportunitiesforusingmetricsmanagementtechniquesisthefunctionofthecybersecurityprogramST&E.

Thecybersecurityofficermayconsiderareallocationofstaffbecauseoftheincreasedworkload.AlsotobeconsiderediswhethertochangetheST&Eprocess.OneconsiderationistoconductfewerST&E.Ifonedoesthat,itwouldbeimportanttomonitorthenumberofnoncomplianceinquiries,astheymaygoup.Forexample,fewerST&Emayresultinincreasedsystemsvulnerabilities,whichmayinturnleadtomoresuccessfulattacksandthustomorenoncomplianceinquiries.AnotherfactorthecybersecurityofficermayconsiderisdoingmoreST&Eusingautomatedcybersecurityprogramsoftwaretoreplacesomecurrentlymanualtesting.

OnecanalsoconsiderprovidingtrainingtodepartmentstaffsotheycandotheirownST&Eandprovidereportstothecybersecurityofficer.Thisisusuallynotagoodidea,astheobjectivityofthetestingmaybequestionable.Forexample,theymayfindvulnerabilitiesbutnotreportthem,becausetheydonotwanttoincurthecostsintimeandbudgettomitigatetherisksidentifiedbythesevulnerabilities.Inaddition,asfarthe

corporationasawholeisconcerned,oneisonlypassingonthecostsintermsofallocationofresourcestoconducttheST&Etoanotherdepartmentandnotdecreasingoverallcybersecurityprogramcosts.

Rememberthatthecorporationisaglobalcorporationwithplantsandofficesonthreecontinents.Sincethecybersecurityofficerhasoverallcybersecurityprogramandcybersecurityprogramfunctionalresponsibilityforalllocations,aprocessmustbeputinplaceformetricsmanagementatalllocations.Thecybersecurityprogram–cybersecurityprogramfunctionalleadsatallthelocationswouldprovidethestatisticsandchartsfortheirlocations.Thesestatisticswouldbeindicatorsforestablishingcybersecurityprogramfunctionalresourceallocationsbasedonthe“worst”locations.

Theissuethatwilloftencomeupwhendesigningchartsiswhattypeofchartstouse—bar,line,pie,etc.Thechoiceshouldbetousetheformatthatmeetsthechart’sobjectiveinthemostconciseandclearway.

CyberSecurityProgramEducationandAwarenessTrainingThecybersecurityprogram’seducationandawarenesstrainingprogram(EATP)isoneofthemajorbaselinesofthecybersecurityprogram.Itfollowsthatitisanintegralpartofthecybersecurityofficer’scybersecurityprogramorganization.Itdoesn’tmatterwhetherbriefings,training,andsucharegivenbyacybersecurityprogramstaffmember,thecorporatetrainingoffice,theDirectorofSecurity’ssecuritytrainingpersonnel,HumanResourcesnew-hirebriefings,oracombinationofanyofthese.Itisacybersecurityprogram,andthereforeacybersecurityprogramcost,anditshouldbemetrics-managed.

Let’sassumethattobesomewhatcost-effective,thegoalistohaveatleast15employeesonaverageattendeachbriefing.Thatbeingthecase,thismetricschartoranotherlikeitwouldshownotonlythenumberofbriefingsandthetotalattendees,butalsotheaveragenumberofattendeesperbriefing.Inaddition,astraightlinecouldbeincludedat15sothattheaverageattendeesperbriefingcaneasilybecomparedagainstthegoalof15employeesperbriefing.

Ifthegoalwasnotbeingreached,asthecybersecurityofficer,youmightwanttodiscussthematterwithyourcybersecurityprogramleaderfortheEATP.Certainlyifthegoalisnotbeingmet,youcan’t,andobviouslyshouldn’t,ignoreit.Thereisnothingworsethansettingagoal,metricsmanagingtoattainthatgoal,andthenignoringitwhenitisnotbeingmet.Furthermore,asacybersecurityofficeryoushouldn’tjustwaituntiltheendoftheyeartoattempttocorrectthematterinadiscussionwithyourEATPleadandthenzapthatpersoninhisorheryear-endperformanceevaluation.

Letusassumethatemployeesmustattendanannualbriefingrelativetothecybersecurityprogramandtheirdutiesandresponsibilities.Assumethattheypreparetoattend

thebriefingandwalktothebriefingroomandthatthattakes15 min.Theyattenda1-h

briefingandreturntotheirplaceofwork,foratotaltimeof90 min.Atanaverageemploymentrateof$15perhour,eachemployee’stime(andlostproductivity,sincetheyarenotperformingtheworkforwhichtheywerehired)fortheannualbriefingis$22.50.Let’salsosupposethatthecorporationemploys100,000peopleworldwideandallofthemmustattendtheannualbriefing.Thatmeansthattheannualbriefingprogram,excludingthetimethecybersecurityprogramspecialisttakesinpreparingtheupdatedmaterialeachyearandotherexpenses,costsanastounding$2,250,000!

Onecanarguethatthebriefingsarenecessary,theysavemoneyinthelongrunbecausevaluablecorporationisprotected,andallthat.However,thatdoesnotchangethefactthatthisisarathercostlyprogram.Infact,thereisnoindicationthatthecost–benefitshaveeverbeenvalidated.Yet,everycybersecurityofficerknowsthatemployeeawarenessofthethreats,vulnerabilities,andriskstoinformationandinformationsystemsisanabsolutenecessity.So,whatcanbedonetolowerthecostofsuchaprogram?

Usingtheprojectteamapproach,thecybersecurityofficershouldestablishaprojectteamtolookatthecosts,benefits,andrisksofnothavinganannualbriefingandothermethodsforprovidingawarenesstoemployees.Possiblytheuseofe-mails,onlinebriefings,andotherelectronicmeanscouldeliminatetheneedfortheemployeestophysicallyattendabriefing.Possiblybriefingscouldbeeliminatedoronlinebulletinsused.

Cost-AvoidanceMetricsAsacybersecurityofficer,youmaywanttousethemetricsmanagementapproachtobeabletoquantifythesavingsofsomeofyourdecisions.Forexample,whenanalyzingyourbudgetandexpenditures,younotethatamajorbudgetitemistravelcostsforyourstaff.Thisislogical,becausestaff,aswellasyou,musttraveltothevariouscorporateofficestoconductcybersecurityprogramtestsandevaluations.

Again,usingtheprojectmanagementapproach,youleadaprojectteamofyourself,staffmembers,andrepresentativesfromthecontractofficeandthetraveloffice.Yourgoalistofindwaystocuttravelcostswhilestillmeetingallthecybersecurityprogram’sandyourcharter’sresponsibilities.Arepresentativefromthecontractofficewilladvisetheprojectteamoncontractualobligationsandwaysinwhichtheycanbemetwithlesstravel,butwithoutviolatingthetermsofthecontracts.Thetravelofficewillgiveadviceonwaystocuttravelcosts.Forexample,becausemanytripsareknownwellinadvance,flightsandhotelscanalsobebookedinadvance.

MetricsManagementandDownsizingAllcybersecurityofficersatonetimeoranotherintheircareersfacetheneedtodownsize—thatis,layoff,fire,orterminate—cybersecurityprogramstaff.However,ifyouareoperatingatpeakefficiencyandhavenotbuiltanyexcessstaffintomeetingyourcharterresponsibilities,youmaybeabletomakeacasefornotterminatingstafforfor

terminatingfewerpersonnel.

Manymanagers,andcybersecurityofficersarenoexception,tendtoforgetthattheyarehiredtodoajob,andthatjobisnottobuildan“empire”orbureaucracy.Thekeytosuccessisgettingthejobdoneefficientlyandeffectively—aswesaidbefore,goodandcheap.Inaddition,themorestaffmembersandthelargerthebudgetyouhave,themorepeopleproblemsyouwillhaveandtheharderthefinancialpeoplewilltrytotakesomeofyourbudget.Soyouareconstantlybattlingtomaintainyourlargebudget.

If,ontheotherhand,youhaveasmallstaffandasmallerbudget,youhaveabetterchanceofprotectingwhatyouhave,becauseitistheminimumneededtogetthejobdone.Thatapproachcoupledwithmetricsmanagementtechniquesandperiodicbriefingstoexecutivemanagementwillhelpyoucontinuetogetthejobdoneasyoudeemappropriate,eventhoughotherorganizationsarelosingstaff.

Let’slookatsomefiguresshowingvariouswaysofpresentinginformationbasedonmetricsmanagement’sdatacollectionefforts:

AnotherchartthatisimportantforbriefingmanagementisonethatshowstheLOEversusthehoursavailableforthecybersecurityprogramstaff.ThedifferencebetweenLOEandtimeavailablecanbeshowntobepartofabriefingonworkbacklogorusedtoshowthedifferenceinovertimebeingworked.Asubchartmayshowdetailsontheamountofbackloganditsimpactonthecostofdoingbusiness.Itcanalsoshowtheovertimecostsbeingpaidandperhapsacomparisonofthatcostwiththecostofhiringoneormoreadditionalstaff.Seeingthiscomparisonwouldhelpinmakingdecisionsastowhichischeaper,payingovertimeorhiringmorestaff.

Thesechartsmustalsobeaccompaniedbyothersshowingproductivityanddriversofworkload,asinsomeofthechartsshownearlier.Thisisnecessarybecausemanagementwillaskwhyyoumustdothethingsyoudoandwhyyoumustdotheminthewayyouaredoingthem.Thisquestforproductivityandefficiencygainswillbeaconstantchoreforthecybersecurityofficer.Itisachallenge,butonethatcanbesupportedbymetricscharts.

Layoffsareafactoflifeinbusiness,andmetricschartscanhelpthecybersecurityofficerjustifyheadcountandwork,asshownbysomeofthesecharts.Thechartcanshowmeasurementintermsofheadcountorhoursthatareequivalenttoheadcount.

Generally,whenmanagementdecidestocutcosts,theylayoffemployeesastheeasiestmethod.Theyalsousuallydirecteachmanagertocutacertainpercentageofstaff,say,20%.However,althoughthismaybetheeasiestway,itisnotthebestway;sometimesitwouldbecheapertokeepsomeofthestaff,becausetheirlosscausesdelayscostingmillionsofdollarsworthofproduction,sales,etc.Asweallknow,executivemanagementoftentakesashort-term,“what’sinitformenow”approachtomanagingtheirpartsofthebusiness.

Metricsmanagementcanhelpthecybersecurityofficerpleadthecasetonotcut20%ofstaff.Onewordofcaution:Thecybersecurityofficershoulddothisobjectivelyandbasedonprovidingeffectiveandefficientserviceandsupporttothecorporation’sdepartments.Itshouldnever,everbebasedonkeepingalargestaffandbureaucracyforthesakeof

status,power,ego,orothernonbusinessreasons.

Thecybersecurityofficerwouldincludeinformationrelativetotheimpactofboththecorporation’sdirectedlayoffnumbersandthoseofthecybersecurityofficer.Thismustbeobjectivelydonebasedonabusinessrationale.Thisinformationwouldincludethefollowing,identifiedasincreasingthelevelofriskstoinformationandinformationsystems:

•Contingencyplanning:Contingency,emergency,anddisasterrecoverytestingandplanupdateswillbedelayed.Theresultwillbeanythingfromnoimpacttonotbeingabletoeffectivelyandefficientlydealwithanemergency.

•Awarenessprogram:Employeesmaynotbeawareoftheirresponsibilities,thusleavingthesystemsopentopotentialattackoranincreaseinthepotentialforthelossofsensitiveinformation.

•Accessviolationsanalyses:Therewillbedelaysofbetween48and72 hintheanalysesofauditrecords.Thus,anattackagainstcorporatesystemswouldnotbeknownforat

least48–72 h.Duringthatperiod,informationcouldbestolen.However,somethinglikeadenial-of-serviceattackwouldbeknownwhenitwassuccessful.Theopportunitytoidentifytheinitialattemptsattheseattacksoveraperiodoftimewouldbelost,andwithitthechancetomountdefensesbeforetheattacksweresuccessful.Theresultwillbesystems,possiblyproductionsystems,thataredownforanunknownperiodoftime.

•Noncomplianceinquiries:Theaveragetimeitwouldtaketocompleteaninquirywould

increasebymorethan2 weeks.Thus,noactiontoadjudicatetheallegedinfractionwouldbepossibleuntilthereportwasdeliveredtomanagement.Furthermore,theallegedinfractionmayhavecalledfortherevocationofsystemprivilegesoftheemployeeoremployeeswhoarethesubjectoftheinquiry.Thus,theirabilitytobeproductiveemployeesduringthattimewouldbenegated.

•Accesscontrol:Itisassumedthatthenumberofnewemployeeshiredwouldbedrasticallyreduced,andthatcouldmitigatesomeoftheLOEexpendedbytheaccesscontrollers.However,employeesrequiringchangesinprivilegewouldhavethose

accesschangesdelayedanadditional48–72 hfromthepresentaverageof8–12 h.Thismayadverselyaffecttheirproductivity.Toallowdepartmentstodotheirownemployees’privilegechangeswasevaluatedunderapreviousprojectandfoundnottoberealistic:Theinformationtowhichtheemployeesneededaccessdidnotbelongtothatdepartment;mostoftenitbelongedtoanotherinformationowner.Theseinformationownersdidnotwantotherstoaccesstheirinformationwithouttheirapproval.Inaddition,thischangewouldjustbetransferringthecostsandwouldnotsavethecorporationanyadditionalresources.

Theforegoingisasmallexampleofhowmetricmanagementtechniquescanbeusedwhentheneedforbudgetcutsoccurs.Theexampleprovidessomeinsightintohowmetricmanagementtechniqueshelpmitigatetherisksofbudgetandstaffdownsizingwhensuchdownsizingwillhurtthecybersecurityprogramandthecorporation.Metricmanagementtechniquescanhelpthecybersecurityofficermakeacasetoexecutivemanagement.Furthermore,ifthecybersecurityofficer,supportedbythemetricmanagementapproach,hasbeenperiodicallybriefingmanagementofthecybersecurityprogramandthecybersecurityofficer’sprojectsandLOE,thecybersecurityofficerwillhavegainedtheconfidenceofmanagementasareliablemanagerwhogetsthejobdoneasefficientlyandeffectivelyaspossible.

ProjectManagementAspreviouslydiscussed,therearetwobasictypesofworkperformedbythecybersecurityofficerandstaff:(1)LOEand(2)projects.WehavediscussedLOEandhaveprovidedsomeexamplesofprocessandmetricsflowchartsrelativetoLOE.

Ithasbeenstatedseveraltimes,butbearsrepeating:Projectsareestablishedwhensometasksrelatedtothecybersecurityprogramand/oritsfunctionsmustbecompletedbuttheyarenotongoingtasks.Itisimperativethatthecybersecurityofficerbeintimatelyfamiliarwithandexperiencedinprojectmanagement—aswellastimemanagement.

Rememberthatwhetherornotsometaskshouldbeaprojectdependsonwhetherithasthefollowing:

•Astatedobjective(generallyinoneclear,concise,andcompletesentence),

•Abeginningdate,

•Anendingdate,

•Specifictaskstobeperformedtosuccessfullymeetthatobjective,

•Aprojectleader,and

•Specificpersonneltocompleteeachtaskandthetimeperiodinwhichthetaskwillbecompleted.

Let’sassumethatthecorporateinformationofficer(CIO)sentamemotothecybersecurityofficerbasedonaconversationthattheCIOhadwiththeDirectorofIT.ItseemsthattheyhadameetingandduringthemeetingthediscussionturnedtoITprojectsrelatedtotheirprojectsofupgradingsystems,suchashardware,software,andtheirgeneralmaintenance.Thecybersecurityprogrampolicycalledforsuchupgradesandmaintenanceeffortstoensurethattheinformationenvironmentismaintainedincompliancewiththerequirementssetforthinthecybersecurityprogram.TheDirectorstatedthattheITstaffdidn’tknowifthatwasalwaysthecasewhentheymadechangestosystems.Consequently,theDirectorsuggestedthatmembersofthecybersecurityofficer’sorganizationbepartoftheITprojectteamswithresponsibilityfordeterminingwhetherthechangeskeptthecorporation’sinformationenvironmentsecure.TheCIOagreedandsentthecybersecurityofficeralettertothateffect.Whenthecybersecurityofficerreceivedthememo,thecybersecurityofficerdiscussedthematterwiththeSeniorSystemsSecurityEngineer.ItwasdecidedthataprojectbedevelopedtoestablishaprocessandfunctiontocomplywiththerequestfromtheCIOandDirectorofIT.

Asacybersecurityofficer,youshouldbeabletoidentifyseveralissuesthatthecybersecurityofficermustresolveapartfrominitiatingthisproject.First,theDirectorofITandthecybersecurityofficershouldbeworkingcloselytogether,andbydoingso,theycouldhavedealtwiththismatterwithoutinvolvingtheirboss,theCIO.Inaddition,thefactthattheCIOsentamemotothecybersecurityofficer,insteadofcallingormeetingpersonallywiththecybersecurityofficer,indicatesthatthecommunicationandworkingrelationship

betweentheCIOandthecybersecurityofficermustbeimproved.ThecybersecurityofficermusttakeactiontoimmediatelybeginimprovingthecommunicationandrelationshipwiththeDirectorandtheCIO.

Aprojectchartshouldincludethefollowing:

•Subject:Theprojectname—SecurityTestandEvaluationFunctionDevelopment

•Responsibility:Thenameoftheprojectleader—JohnDoe,cybersecurityprogramSeniorSystemsSecurityEngineer.

•ActionItem:Whatistobeaccomplished—ITrequirescybersecurityofficersupporttoensurethatinformationandsystemsprotectionareintegratedintoITsystems’integration,maintenance,andupdateprocesses.

•References:Whatcausedthisprojecttobeinitiated—forexample,“SeememotocybersecurityofficerfromCIO,datedNovember2,2002.”

•Objective(s):Statetheobjectiveoftheproject—Maintainasecureinformationenvironment.

•Risk/Status:Statetheriskofnotmeetingtheobjective(s)ofthisproject—Becauseoflimitedstaffingandmultiplecustomerprojectsbeingsupported,thisprojectmayexperiencedelaysashigherpriorityLOEandprojectstakeprecedence.

•Activity/Event:Statethetaskstobeperformed,suchas“MeetwithITprojectleads.”

•Responsibility:Identifythepersonresponsibleforeachtask.Inthiscase,itistheSeniorSystemsSecurityEngineer,JohnDoe.

•Calendar:Thecalendarcouldbeayear-long,monthly,quarterly,or6-monthcalendarwithverticallinesidentifyingindividualweeks.Usingthe6-monthcalendar,theprojectleadandassignedprojectteammemberswoulddecidewhattaskshadtobeaccomplishedtomeettheobjective.Arrowsanddiamonds,forexample,identifiedinthelegend,wouldbeusedtomarkthebeginningandendingdatesofeachtask.Thearrowsarefilledinwhenthetaskisstartedandwhenthetaskiscompleted;thediamondsareusedtoshowdeviationsfromtheoriginaldates.

•Risk—Level:Inthisspace,eachtaskisassociatedwiththepotentialriskthatitmaybedelayedorcostmorethanallocatedinthebudgetforthetask.Using“high,”“medium,”or“low”or“H”,“M”,or“L”,theprojectlead,inconcertwiththepersonresponsibleforthetask,assignsalevelofrisk.

•Risk—Description:Ashortdescriptionoftheriskisstatedinthisblock.Ifitrequiresadetailedexplanation,thatexplanationisattachedtotheprojectplan.Inthisblocktheprojectlead,whoisalsoresponsibleforensuringthattheprojectplanisupdatedweekly,states“SeeAttachment1.”

•IssueDate:Thedatetheprojectbeginsandthechartinitiatedgoesinthisblock.

•StatusDate:Themostcurrentprojectchartdateisplacedhere.Thisisimportantbecauseanyonelookingattheprojectchartwillknowhowcurrenttheprojectchartis.

Othertypesofchartscanalsobedevelopedtoshowprojectcostsintermsoflabor,materials,andthelike.Agood,automatedprojectplansoftwareprogramiswellworththecostsformanagingprojects.

Inthecaseofprojectcharts,thecybersecurityofficercanusethemtobriefmanagementrelativetotheongoingworkofthecybersecurityprogramorganizationandstatesofthecybersecurityprogram.ThecybersecurityofficerreceivesweeklyupdatesonFridaymorninginameetingwithallthecybersecurityofficer’sprojectleaders,during

whicheachprojectleadisgiven5 mintoexplainthestatusoftheproject—forexample,“Theprojectisstillonschedule”or“TaskNo.2willbedelayedbecausethepersonassignedthetaskisoutsickforaweek;however,itisexpectedthattheprojectcompletiondatewillnotbedelayedbecauseofit.”

ThecybersecurityofficerholdsanexpandedstaffmeetingthelastFridayofeachmonth.Allassignedcybersecurityprogrampersonnelattendthesemeetings,whichlast

2–3 h.Atthesemeetings,1 histakenforallprojectleadsandcybersecurityprogramfunctionalleadstobriefthestatusoftheirLOEandprojectstotheentirestaff.Thecybersecurityofficerdoesthissothateveryoneintheorganizationknowswhatisgoingon—avitalcommunicationstool.Alsoduringthistime,othermattersarebriefedanddiscussed,suchasthelatestriskmanagementtechniques,conferences,andtrainingavailable.


•Doyouuseformalmetricsmanagementtechniques?

•Ifnot,whynot?

•Ifso,aretheyusedtobriefmanagement?

•Areeachofyourcybersecurityprogramfunctionsdocumented,notonlyinworkinstructionsbutalsoinprocessflowcharts?

•DoyouusesimilarchartstodocumentthecybersecurityprogramfunctionalLOE?

•Whatotherchartswouldyoudevelopforeachofthecybersecurityofficerfunctions?

•Doyouhaveatleastonemetricscharttotrackthecostsofeachcybersecurityprogramfunction?

•Howwouldyouusemetricsmanagementchartstojustifyyourbudgetrequests?

•Howwouldyouusemetricsmanagementchartstojustifythenumberofyourstaff?

•Howmanycharts,byfunctionanddescription,wouldyouwanttouseasacybersecurityofficer?

SummaryMetricsmanagementtechniqueswillprovideaprocessforthecybersecurityofficertosupportcybersecurityprogram-andcybersecurityprogram-relateddecisions.Thecybersecurityofficershouldunderstandthefollowingpoints:

•MetricsmanagementisanexcellentmethodtotrackcybersecurityprogramfunctionsrelatedtoLOE,costs,useofresources,etc.

•Theinformationcanbeanalyzed,andresultsoftheanalysescanbeusedto:

Identifyareaswhereefficiencyimprovementsarenecessary;

Determineeffectivenessofcybersecurityprogramfunctionalgoals;

Provideinputforperformancereviewsofthecybersecurityprogramstaff(amoreobjectiveapproachthansubjectiveperformancereviewsoftoday’scybersecurityofficers);and

Indicatewherecybersecurityprogramserviceandsupporttothecorporationrequiresimprovement,meetsitsgoals,etc.

1Itisassumedeachfunctioncoststime,money,anduseofequipmenttoperform.2Dr.GeraldL.Kovacichhasusedapproximately47metricschartsatvarioustimestoassistinmanagingseverallargecybersecurityprogramsandcybersecurityprogramorganizations.

CHAPTER11

AnnualReevaluationandFuturePlans

AbstractThischapterdescribestheprocessthatcanbeusedeachyeartodeterminethesuccessesandfailuresofthecybersecurityprogramandorganizationandamethodologythatcanbeusedtocorrectthefailuresandtoplanfortheupcomingyears.

KeywordsCorporateinformationofficer(CIO);Level-of-effortactivities;Link-analysismethodology;Linkingcybersecurityprogram;Metricsanalysis;One-yearreview

Readnottocontradictandconfute,nortobelieveandtakeforgranted,nortofindtalkanddiscourse,buttoweighandconsider

FrancisBacon1

CONTENTS

Introduction 223One-YearReview 224

Level-of-EffortActivities 225Projects 226

CyberSecurityProgramStrategic,Tactical,andAnnualPlans 228LinkingCyberSecurityProgramAccomplishmentstoCorporateGoals 228MetricsAnalysis 230PlanningforNextYear 231QuestionstoConsider 233Summary 234

CHAPTEROBJECTIVE

Thischapterdescribestheprocessthatcanbeusedeachyeartodeterminethesuccessesandfailuresofthecybersecurityprogramandorganizationandamethodologythatcanbeusedtocorrectthefailuresandtoplanfortheupcomingyears.

IntroductionTheinformationenvironmentofthecorporationisverydynamicandmustbesoforthecorporationtosuccessfullycompeteinthefast-pacedwidgetbusinessintheglobalmarketplace.Consequently,theworldofthecybersecurityofficermustalsobeverydynamic.Thecybersecurityofficermustconstantlybelookingatwherethecorporatebusinessisgoingandmodifythecybersecurityprogramanditsorganizationaccordingly.Thecybersecurityofficercannotsitbackandthinkthatthecybersecurityprogramisinplace,itsorganizationisestablished,andeverythingisrunningsmoothly—evenwhenyouthinkitis.

Asthecorporation’scybersecurityofficeryoumustbeworkingeverydaytoprovideeffectiveandefficientserviceandsupporttothecorporationinthefuture.Youmustprojectaheadandlookatpotentialnewthreatstothecorporation’sinformationandsystemsandbeginnowtomitigatethosefuturethreats,suchascellularphoneswithinstalleddigitalcameras.Thecybersecurityofficer,likeallcybersecurityofficers,mustestablishproactiveprocesses,astoday’scorporationsdependtoomuchoninformationandinformationsystemstohavethosesystemsfailbecausethecybersecurityofficerdidnotseethethreatcoming.Today’scybersecurityofficersmustbeproactiveandnotconstantlyreactive.Proactiveprocessesarepreparedtomitigatethreatsbeforetheycanoccur—anditischeaperthanbeingreactive.

Thecybersecurityofficermustalsoreevaluatethecybersecurityprogramandhaveprocessesinplacetoconstantlyupdateit.Inaddition,allcybersecurityprogramfunctionsmustbereevaluatedandupdatedastheneedarises,butatleastannually.Thecybersecurityofficershouldleadanannualyear-endreviewandanalysisofthecybersecurityprogramandcybersecurityprogramfunctions.Thisisdonesothatthecybersecurityofficerscanhavesomeassurancethattheyareoperatinginthemosteffectiveandefficientwaypossibleandneededchangesareinplace.

One-YearReviewThecorporation’sfiscalyearandcalendaryearbothendonDecember31.Thecybersecurityofficerdecidesthatthebeginningofthefourthquarter(October)isagoodtimetostartplanningforthecomingyearandbeginevaluatingthecurrentyear.

Toplanforthecomingyear,thecybersecurityofficermustfirstdeterminehowsuccessfulthecybersecurityprogramandthecybersecurityprogramstaffhavebeenforthepastyear.Ofinterestwouldbe:

•Whatwasaccomplished?

•Whatwasplannedbutnevercompleted,andwhy?

•Whatwasplannedbutneverstarted,andwhy?

•Whatwassuccessful,andwhy?

•Whatwasn’tsuccessful,andwhy?

•Whatprocessesarecurrent?

•Whatprocessesrequireupdating?

•Ifaprocesswasoutdated,whywasitnotupdatedasneeded?

•Isthecybersecurityprogramorganizationoperatingwithinbudget?

•Ifnot,whynot?

•Whatbudgetisrequiredforthecomingyear,aswellastwoorthreeyearsfromnow?

•Ifmorebudgetisrequired,why?

•Ifmorebudgetisneeded,arethereothermeasuresthatcanbetakentominimizetheneedforalargerbudget?(Rememberthatasacybersecurityofficer,yougetpaidforresultsandnotthesizeofyourcybersecurityprogramstafforthesizeofyourbudget.)

Level-of-EffortActivitiesThecybersecurityofficertaskedeachcybersecurityprogramfunctionalleadtoformaprojectteamwithselectedmembersofthecybersecurityprogramfunctionalstaffandevaluatetheprocessesusedforcompletingtheirassignedlevel-of-effort(LOE)function.Ofcourse,ifthecybersecurityprogramfunctionwasaone-personjob,thatpersonwouldconductthereviewbyhim-orherselfandaskforinputasneededfromotherstaffmembersandthecybersecurityofficer.RememberthattheLOEactivitiesarethoseactivitiesorfunctionsthataretheday-to-daycybersecurityprogramtasksperformedbythecybersecurityprogramstaff.Theseactivitieswerethoseidentifiedasthecybersecurityofficerresponsibilitiespreviouslydiscussedandincluded:

•Accesscontrol,

•Awarenessprogram,

•Noncomplianceinquiries,and

•Securitytestsandevaluationsprogram,etc.

Thisistobeaccomplishedbyeachfunctionalteamsittingdowntogethertodetermine:

•Whatworked?

•Whatdidn’twork?

•Whyitworked(processmaybeusefulforotherfunctions)?

•Whyitdidn’twork?

•Howmuchtimetheyspentdoingeachtaskorsubtaskonaverage?

•Howthejobmightbedonebetter?

•Howtheprocessesmightbechanged,why,andwhatarethepotentialsavings?

•Whichforms,ifany,shouldbemodifiedoreliminated?and

•Otherconsiderations.

Thecybersecurityofficerdirectedthatanyrecommendedchangesbequantifiedintimeand/orcostsavings,asapplicable.Ifthechangescouldnotbequantified,thestaffmemberswouldhaveadifficulttimechangingtheprocess.Thecybersecurityofficerreasonedthat,withfewexceptions,processchangesthatdidnotsavetimeormoneywereprobablynotworthmaking,asnonquantifiedchangescostmoneywithusuallynoreturnvalue.

ThecybersecurityofficerdirectedthatallmembersofeachfunctionsupporttheirfunctionalleadinthisendeavorandprovideabriefingtobeheldthefirstweekinNovemberaspartofthecybersecurityofficer’sexpandedstaffmeeting,whichallcybersecurityprogramstaffattended.Duringthatbriefing,thefunctionalprocesseswouldbediscussedandmodificationsapprovedwherenecessary.Ifthemodificationscouldnotbe

accomplishedwithin30 days,aformalprojectplanwouldhavetobedevelopedandbriefedatthatNovembermeeting.

ProjectsDuringthefirstweekofOctober,thecybersecurityofficerwillalsobegintheevaluationofthecybersecurityprogramforthepastyear.Thecybersecurityofficer,inconcertwiththecybersecurityprogramstaff,willreviewtheprojectsthatwerebegunthisyear,aswellasthoseprojectsthatwerebegunlastyearandcompletedthisyear.

Thecybersecurityofficerwilldeterminethefollowing:

•Dideachprojectaccomplishitsobjective?

•Wastheprojectcompletedinaccordancewiththeprojectplan?

•Forthoseprojectsnotcompletedontime,whatwasthecauseofnotmeetingthecompletiondate?

•Forthoseprojectscompletedaheadofschedule,whyweretheycompletedaheadofschedule?(Thecybersecurityofficerwantsthisinformationbecauseitmaybeduetopoorprojectplanning,whichmustbecorrected,oritmaybeduetoauniqueapproachthatcouldbeusedonotherprojects.)

•Whatwasthecostofeachproject?

•Weretheprojectedbenefitsoftheprojectsrealized,andifnot,whynot?

Thecybersecurityofficerwill,inconcertwiththecybersecurityprogramstaff,analyzealltheprojectsand,basedonthatevaluation,modifytheprocessusedforinitiating,determiningcosts,determiningresourceallocations,anddeterminingschedulesforallnewprojects.

Alsoofimportanceisfeedbackfromcorporateemployees:theirevaluationofserviceandsupportprovidedtothembythecybersecurityofficerandcybersecurityprogramstaff.Theemployees’opinionsastowhatimprovementscanbemadeinthecybersecurityprogramtominimizecostsandprovidethenecessarylevelofinformationenvironmentprotectionarealsoimportant.Thecybersecurityofficerandstaffwilldevelopasurveytobesentouttoalldepartments.Thefeedbackreceivedwillalsobeincorporatedintotheyear-endevaluation–analysis.Somecybersecurityofficersmaynotwanttotakethissurveyapproach,becausetheymaybereluctanttoreceivecriticismandcomplaintsfromnon-cybersecurityprogramprofessionalsabouthowthecybersecurityofficerandcybersecurityprogramstaffcanbetterdotheirjobs.However,suchfeedbackisimportantandshouldbewelcomedandconsideredatalltimes.

Oncetheanalysisiscomplete,thecybersecurityofficerandstaffmemberswilldeterminewhatnewprojectswillberequiredforthefollowingyear.Thoseprojects,onceidentified,willbeassignedtotheapplicablemembersofthestaff,thatistotheproject

leads.Thestaffmemberswillthenbegiven30 daystocompleteadraftprojectplan.Thatplanwillidentifythespecificobjectivetobeaccomplished,alltasks,milestones,resourcesrequired,etc.

DuringthestaffmeetingheldduringthefirstweekofNovember,alltheprojectleadswillpresenttheirprojectplanstothecybersecurityofficerandthestaff.Theprojectplanswillbeevaluatedanddiscussedbythecybersecurityofficerandthestaff.Anyrecommendedchangestotheprojectplanswillbecauseforactionstobetakentochangetheplansasappropriate.Inaddition,theoverallprojectplanprocesswillbediscussedandmodifiedasneeded.

Itistheresponsibilityofthecybersecurityofficertoensurethatadequateresourcesareallocatedforthecompletionoftheprojectsasplanned.Whereseveralmembersofthecybersecurityprogramstaffareassignedtoleadorsupportmultipleprojects,thecybersecurityofficerwillprioritizetheprojectsandthenallowtheprojectleadandprojectsupportstafftoworkoutthedetails.Whereconflictsinworkarise,thematterwillbediscussedwiththecybersecurityofficer,whowillmakethefinaldecisionbasedontheinputofallthoseconcernedandtheproperallocationofresources.

Thisapproachfollowsthemanagementphilosophyofhavingdecisionsmadeatthelowestpossiblelevelwheretherequiredinformationonwhichtobaseadecisionisknown.Italsomeetsthecybersecurityofficer’sphilosophyoftrustingyourprofessionalcybersecurityprogramstaffandtreatingthemaspartoftheprofessionalcybersecurityprogramteam.

CyberSecurityProgramStrategic,Tactical,andAnnualPlansOncethecybersecurityofficerhasbeenbriefedontheaboveLOEandprojects,theresultswillbemappedagainstthecybersecurityprogramstrategic,tactical,andannualplans.TheLOEandprojectresultscouldbeidentifiedassomeofthespecificbuildingblocksofeachoftheplans.

Thecybersecurityprogramannualplan’sgoalsshouldhavebeenaccomplished.Ifso,thecybersecurityofficerthenidentifiesthelinksbetweenthesuccessfulaccomplishmentofthosegoalswiththecorporation’sannualbusinessplanandthecybersecurityprogramandalsothestrategicandtacticalplansasappropriate.

Ifadirectlinkbetweentheaccomplishmentsofthecybersecurityprogramstaffandthegoalsoftheplancannotbeshown,thecybersecurityofficermustquestionwhythespecificprojectsorLOEidentifiedwereeverdoneinthefirstplace.Theremaybeaveryvalidreason;however,thisshouldalwaysbequestioned,asanyresourceallocationsthatcannotbedirectlylinkedbacktotheaccomplishmentofstatedgoalsareprobablymisallocations.Theyareanaddedcostburdenonthecybersecurityprogrambudgetaswellasanadditionaloverheadcosttothecorporation.

LinkingCyberSecurityProgramAccomplishmentstoCorporateGoalsThecybersecurityofficerbelievesthattheinitialreasonsforthecorporation’scybersecurityprogramandthecorporation’sreasonsforestablishingthecybersecurityofficerpositionhavenotchanged,butareverificationandvalidationwouldprobablybeagoodidea.Tobesurethatthecybersecurityprogramandthecybersecurityofficer’saccomplishmentsaremeetingtheirstatedpurpose,thecybersecurityofficerdecidesonthefollowingcourseofaction:

•Usingalink-analysismethodology,thecybersecurityofficermapsalltheLOEandprojectresultstoallapplicablecybersecurityprogramandcorporateplansand

•Thecybersecurityofficerdevelopsaformalpresentationtobegiventothecorporateexecutivemanagementinwhichthecybersecurityprogramstatusisbriefed(assumingthatthecybersecurityofficer’sbossagrees).

Ifthecybersecurityofficerdoesalinkanalysis,itmaydisclosethatoverallcybersecurityprogramgoals,LOE,projects,andobjectiveswere,withsomeminorsetbacksandexceptionsovertheyear,meetingtheneedsofthecorporation.

Let’slookatsomepossiblescenarios:Thecybersecurityofficerdiscussedthematterwiththecorporateinformationofficer(CIO).TheCIOagreedthatabriefingwouldbeagoodidea,especiallysincethiswastheendofthefirstyearoftheformalcybersecurityprogramunderthecybersecurityofficer.Theexecutivemanagementwouldwanttoknow:

•Whatwasaccomplished,

•Thecostofthecybersecurityprogram,

•Thestatusoftheoverallprotectionofthecorporation’sinformationenvironment,and

•Whatelsewasneededtoensureasecureinformationenvironment.

TheCIOprovidedseveralrecommendations:

•Thebriefingshouldtakenolongerthan15 minandallow15 minforquestions;•Thecybersecurityofficershouldnotuseanytechnicaljargonbutspeakinbusinesstermsofcosts,benefits,andcompetitiveadvantageandgivethemanagementsomesenseofassurancethattheinformationandsystemsarebeingprotectedasneeded;

•Thebriefingchartsshouldbeclear,concise,andmoreofagraphicalpresentationthantext—anotherreasonfor“managementbymetrics”;

•Thebriefingshouldbegivenprofessionallyandobjectively;itshouldnotbeusedasasoapboxforrequestingadditionalresourcesortoshowhowgreatjobthecybersecurityofficerisdoing;

•Allbriefingchartsshouldbeprovidedinapackageforeachmemberoftheaudiencewithsupportingdetailedcharts;and

•Atleast5ofthe15 minshouldbeusedtobriefonnextyear’sprojectsandgoals,theircosts,andhowtheywouldbenefitthecorporation.

Thecybersecurityofficerhadnotbeenpreparedtopresentthenewyear’splansandprojectsaspartofthebriefing.However,itappearedthatthenecessaryinformationwouldbeavailablebasedonthepreviousbriefingsanddiscussionswiththecybersecurityprogramstaff.

ThecybersecurityofficersuggestedabriefingtobeheldthefirstweekofDecember.TheCIOagreedtosetitup.Thecybersecurityofficer’srationaleforameetinginDecemberwasthatthecybersecurityprogramstaff’sLOEandprojectinputwouldbeavailableonoraboutthefirstweekofNovember,andthatwouldprovidesufficienttimetodevelopthebriefing.

Thecybersecurityofficerwantedtoensurethatthebriefingaccomplisheditsgoals,andthatcouldbejeopardized,notbythematerial,butbythemannerandformatused.Thecybersecurityofficerhadheardofseveralbriefershavingtheirmessagesignoredbecausetheformat,fonts,colors,orwhateverwasusedtopresentthefactswasnotlikedbyoneormoreoftheexecutivemanagement.

Thecybersecurityofficerknewthatsuchtriviashouldnotbeaprimeconcernofexecutivemanagement,butthecybersecurityofficeralsoknewthatsuchthingsdidoccur.Toensurethatthecybersecurityprogrambriefingwassuccessful,theproperformatwouldbethefirstitemofbusiness.

Thecybersecurityofficerstoppedbythedesksofseveralofthekeyexecutivemanagers’secretaries,whoprovidedinsightastothecorrectformat,fontsize,andcolorofslidestouse.Atthesametime,thecybersecurityofficerwasgivensomevaluabletipsfromseveralofthesecretariesastohowtopresentthematerialinamannerthattheexecutivespreferred.(Note:Althoughthroughoutthisbookthecybersecurityofficeractionsarediscussed,somemaybedelegatedbythecybersecurityofficer,suchasthistasktothecybersecurityofficersecretaryoradministrativeassistant.)

Thecybersecurityofficerlongagolearnedthatthesecretariesoftheexecutivemanagershadgreatinsightintowhatworkedwiththeirbossesandwhatdidn’t.Thecybersecurityofficer’srespectforthemandinformalassistancetothemovertheyearhadmadethemcloseallies.Now,thatfriendshipwouldbeabletohelpensureasuccessfulbriefingformat.

Aspartofthisbriefing,thecybersecurityofficerdevelopedanannualreportforeachcorporatedepartmentvicepresidentbasedonthemetricschartsusedthroughoutmostoftheyear.Thatannualreportcontainedsomenarrativeandanalysessupportedbymetricschartsshowingthestatusofeachdepartment’scompliancewiththecybersecurityprogramandthesecurityoftheirinformationenvironment.Itincludedanexecutive

summaryinthefrontofthereportandrecommendationsforimprovementsthatcouldbemadeinthefuture,aswellasthebenefitsoftherecommendedimprovementversusthepotentialcostsandcostsavings.

MetricsAnalysisAspartoftheyear-endreview,thecybersecurityofficerdidacompleteanalysisofthemetricschartsthathadbeendevelopedandusedthroughoutthefirstyearofthecybersecurityprogram.

Thecybersecurityofficernotedthatthechartshadgrowntomorethan47separatemetricscharts.Thecybersecurityofficerwasconcernedthatsomeofthechartshadoutlivedtheirusefulness,whileotherscontinuedtobeofvalue,andpossiblysomenewchartswereneeded.

Theanalysisofthemetricschartsindicatedthatseveralofthechartshadbeennecessarytotrackparticularproblemareas.However,someoftheproblemsappearedtohavebeen

resolvedandthemetricscharts,fortheprevious4 months,hadsupportedthatview.Somemetricschartsweredevelopedandbriefedperiodicallytomanagementbecause

somemanagerswereinterestedinperiodicallyknowingtheamountofLOEbeingusedtosupportsomespecifictasks.Thecybersecurityofficerdecidedtoidentifythosechartstothemanagerswhowereinterestedintheinformationandgaintheirapprovaltoeliminatethosecharts,asitappearedtheinformationprovidedhadmettheirneeds.Ifnot,itmightbepossibletoprovidethatinformationtomanagementonanannualorsemiannualbasisinsteadofthecurrentmonthlyorquarterlyreport.Thefinaldecisionshouldbemadebythecybersecurityofficer’scustomer2.

Thecybersecurityofficertookallthemetricschartsandidentifiedthembytheirobjectives—inotherwords,theirpurposeforbeingdevelopedandused.Thosewouldalsobelinkedtospecificareasthatsupportthecorporatecybersecurityprogramandcybersecurityprogramorganizationalplans.Thecybersecurityofficerwantedtobesurethatthemetricsusedtohelpmanagethecybersecurityprogramanditsorganizationmettheneedsofthecybersecurityprogram,ofmanagement,andofthecybersecurityprogramorganization.

Thecybersecurityofficerknewthatmetricschartstendtoincreaseandseemtosometimestakeonalifeoftheirown.ThecybersecurityofficerwasconcernedthatthetimeittooktotrackspecificLOEsandprojectsusingmetricswassometimesnotcost-effective.Byidentifyingthechartsagainsttheirpurposeinamatrix,thecybersecurityofficerfoundthatitwaseasytoanalyzethemetricschartsandtheirpurpose.

PlanningforNextYearThecybersecurityofficerhadreceivedtheinputfromthecybersecurityprogramstaffattheNovembermeetings.Basedonthatinput,thecybersecurityofficerwaspreparedtowritenextyear’scybersecurityprogramannualplanandupdatethecybersecurityprogramstrategicandtacticalplans.However,toaccomplishthosetasks,thecorporateplansmustbereceived.Afterall,thecybersecurityprogramplanshadtosupportthecorporateplans.

ThecybersecurityofficerknewthatthedraftofthecorporateplanswouldnotbeavailableuntilJanuary.Therefore,thecybersecurityofficerdraftedthecybersecurityprogramannualplanandupdatedthecybersecurityprogramstrategicandtacticalplansbasedoninformationgatheredthroughdiscussionswithvariouslevelsofmanagementinvolvedindevelopingthecorporateannualplanandupdatingthetacticalandstrategicplans.

ThecybersecurityofficerimplementedthecybersecurityprogramplansonJanuary1,withoutwaitingforthedraftcorporateplans.Thecybersecurityofficerdidsotobeginthemuch-neededLOEmodificationsandprojectsthatweretime-dependent.Iftheywerenotstartedrightafterthefirstoftheyear,theirschedulesmighthavetobeslipped.Thecybersecurityofficercouldnotaffordtodothatandtooktheriskthattheinformationgatheredtodatewasaccurateandthatanychangesatthecorporatelevelwouldcauseonlyminoradjustmentstothecybersecurityprogramschedules—ifany.

Aspartofthecybersecurityofficerandcybersecurityprogramstaffyear-endanalyses,aflowchartwasdeveloped,whichwouldbeusedforbriefingsandalsowouldletcybersecurityprogramstaffseehowtheirjobssupportedthecorporation.

Thecybersecurityofficerandstaffalsotookalltheirriskmanagementreportsfortheyearandevaluatedwhatwasaccomplishedtocorrectcybersecurityprogramdeficienciesanddeterminewhatneededtobedoneinthecomingyeartocorrectotherdeficiencies.Thesethenwerelinkedthroughavulnerabilities–projectsflowcharttoidentify“StrategicDirection:CyberSecurityProgramProjectstoAddressVulnerabilities.”

Aftercompletionofalltheexecutivemanagementbriefingcharts,andoneweekpriortobriefingexecutivemanagement,thecybersecurityofficergavethebriefing,withadditionalanalysisofthecybersecurityprogramandcybersecurityprogramfunctionalaccomplishments,tothecybersecurityprogramstaff.Theone-weekintervalwastoensurethatthebriefingwasaccurateandthatthechartssaidwhatneededtobesaid.Thecybersecurityprogramstaffcouldevaluatethebriefingandprovideanavenueforconstructivecriticism.Afterall,thecybersecurityofficerwanted,asasideissue,toshowexecutivemanagementtheoutstandingjobdonebythecybersecurityprogramstaffduringthepastyear,withoutsayingso.Inotherwords,letthebriefingspeakforthat.

TheCIOwasinvitedtoattendthecybersecurityofficer’s“expandedstaffmeeting”sothattheCIOwouldnothaveanysurprisesattheexecutivemanagementbriefing.Inaddition,thecybersecurityofficerwantedtheCIOtoattendtosayafewwordsafterthebriefing,thankingthecybersecurityprogramstafffortheirfineworkoverthepastyear.

Thecybersecurityofficerbelievedthatsuchvisibilityofcybersecurityprogramstafftoexecutivemanagementwouldalsoboostmorale,astheywouldseethattheirhardworkwasappreciated.

Uponthecompletionofthesuccessfulbriefing,thecybersecurityofficerscheduledanotherexpandedstaffmeetingtobeheldonaFridaybeforetheholidaysandscheduledtolastallday.Atthatexpandedstaffmeeting,thecybersecurityofficerhadacateredlunchbroughtinasaspecialmeasureofthankstothecybersecurityprogramstaff.Afterall,ifthecybersecurityprogramstaffwasnotsuccessful,thecybersecurityofficercouldnotbesuccessful.

QuestionstoConsiderBasedonwhatyouhaveread,considerthefollowingquestionsand,asacybersecurityofficer,howyouwouldreplytothem:

•Doyouhaveaprocessinplacetoconductaformalyear-endanalysisofyourcybersecurityprogramandcybersecurityprogramfunctions?

•Ifnot,whynot?

•Ifso,doesitincludecost–benefitanalyses?

•Doyouprovidea“state-of-the-cybersecurityprogram”reportofthecorporateinformationenvironmentatyear’send?

•Ifso,isitbriefedtoexecutivemanagement?

•Are“subreports”providedtoeachdepartmentheadaddressingspecificallythestatusoftheprotectionoftheirinformationenvironment?

•Doyouinvolveyourcybersecurityprogramstaffintheyear-endreviews,analyses,andplanning?

•Doyourewardyourcybersecurityprogramstaffforajobwelldoneatyear’send—bymorethanwords?

•Howwouldyougoaboutconductingandimprovingontheprocessdescribedinthischapter?

SummaryEvaluationsandanalysesoftheentirecybersecurityprogramandcybersecurityprogramorganizationhelpmaintainaproactiveandcurrentprotectedinformationenvironment.Thecybersecurityofficershouldrememberthefollowingpoints:

•Itisagoodideatoevaluatetheentirecybersecurityprogramandcybersecurityprogramfunctionsonanannualbasis.

•TheevaluationshouldincludeallprojectsandLOEs.

•Changesshouldbemadebywhichvalueisaddedintermsofcostdecreases,productivitygains,ortimesavings.

•Executivemanagementshouldreceiveaclear,concise,business-orientedbriefingonthestateofthecybersecurityprogramandthecorporation’scurrentprotectedinformationenvironmentatleastonanannualbasis.

•Metricschartsshouldbeevaluatedatleastannuallyandtheneliminatedormodifiedasnecessary.

•Link-analysismethodologiesareusefulindeterminingthesuccessofacybersecurityprogram.

1FrancisBacon(1561–1626),Englishphilosopher,lawyer,andstatesman.Essays“OfStudies”(1625)—EncartaBookofQuotations,©&(P)1999,MicrosoftCorporation.Allrightsreserved.DevelopedforMicrosoftbyBloomsburyPublishingPlc.2Dependingontheworkingenvironmentofthecorporation,thecustomermaybeinternal,e.g.management,external,e.g.corporation’scustomer(s),orboth.

CHAPTER12

High-TechnologyCrimesInvestigativeSupport

AbstractThischapterdiscussesthedutiesandresponsibilitiesofacybersecurityofficerwhenitcomestoprovidingserviceandsupportfordeterringhigh-technologycrimes,conductingnoncomplianceinquiries,assistingwithcomputerforensicssupport,anddealingwithlawenforcement.Afictionalcasestudyscenariowillbeused.

KeywordsComputerforensics;Corporateexecutiveofficer(CEO);Cybersecurityofficer;Director;High-technologycrimepreventionprogram(HTCPP);Lawenforcement;Non-complianceinquiries(NCIs)

ItwasacommonsayingofMysonthatmenoughtnottoinvestigatethingsfromwords,butwordsfromthings;forthatthingsarenotmadeforthesakeofwords,butwordsforthings

DiogenesLaërtius1

CONTENTS

Introduction 235DutiesandResponsibilitiesofaCyberSecurityOfficerinDeterringHigh-TechnologyCrimes 236AssistingwithComputerForensicsSupport 238DealingwithLawEnforcement 240QuestionstoConsider 242Summary 243

CHAPTEROBJECTIVE

Thischapterdiscussesthedutiesandresponsibilitiesofacybersecurityofficerwhenitcomestoprovidingserviceandsupportfordeterringhigh-technologycrimes,conductingnoncomplianceinquiries,assistingwithcomputerforensicssupport,anddealingwithlawenforcement.Afictionalcasestudyscenariowillbeused.

IntroductionNotlongafterthecybersecurityofficertookoverthejobasthecybersecurityofficer,ameetingwasheldbetweenthecybersecurityofficerandtheDirectorofSecurity.Atthattime,anagreementwasreachedastothecybersecurityofficer’sdutiesandresponsibilitiesandthoseoftheDirectorofSecurity.TheDirectorofSecurityagreedthatthecybersecurityofficer’sdutiesandresponsibilitieswouldconflictwiththoseoftheSecurityDepartmentifthecybersecurityofficerconductedanytypeofinvestigation.TheDirectorofSecurityandthecybersecurityofficerreachedacompromiseandagreedthatanyinfractionsofthecybersecurityprogramcouldbelookedatbythecybersecurityofficeraslongastheyrelatedtononcompliancewiththecybersecurityprogram,suchasviolationofautomatedinformationprotection.

Theybothagreedtothefollowing:

•Todifferentiatebetweenaninvestigationandthecybersecurityofficer’sinquiriesbyhavingthecybersecurityofficercallthatfunction“noncomplianceinquiries”(NCIs)andfocusingonthecybersecurityprograminfractions;

•AninformationcopyofeachNCIwastobeforwardedtotheDirectorofSecurity;

•ThecybersecurityofficerwouldprovidetechnicalandforensicssupporttotheSecuritystaff,whenrequested;

•TheDirectorofSecuritywasthecorporatefocalpointforlawenforcementliaisonactivities,andanyneedtocontactalawenforcementagencymustbeapprovedbytheDirectorofSecurity,aswellasotherssuchasthePublicRelationsstaffandthelegalstaff;

•Intheeventofthecybersecurityofficerormembersofthecybersecurityofficer’sstaffwerecontactedforanyrequestsbyoutsideagenciesforinvestigativeassistance,thatrequestmustbecoordinatedwiththeDirectorofSecurityandothersatthecorporation;

•Thecybersecurityofficer’sstaffwouldprovidein-housecomputerforensicstrainingtotheSecuritystafftwiceayear;

•TheSecuritystaffwouldprovidein-housetraininginassetsprotectionandbasicinvestigativetechniques,suchashowtoconductaninterview,tothecybersecurityprogramstafftwiceayear;and

•TheSecuritystaffwouldprovidethebudgetforcomputerforensicssoftwaretobeusedinsupportofSecurityinvestigations,onanas-neededbasis.

Aftercompletionofthediscussionwiththecybersecurityofficer,theDirectorofSecurityknewthatthecybersecurityofficerandthecybersecurityprogramorganizationunderthecorporateinformationofficer(CIO)werewheretheyshouldbe.ThecomplicatedjobandheadachesofthecybersecurityofficerrelativetoNCIsandtheentirecybersecurityprogrammatterweresomethingthattheDirectordidnotwanttobe

responsiblefor.

DutiesandResponsibilitiesofaCyberSecurityOfficerinDeterringHigh-TechnologyCrimesAlthoughinvestigationsatthecorporationarethepurviewoftheSecuritystaff,thecybersecurityofficerandtheDirectorofSecuritybothknewthatmanysuchinvestigations,orNCIs,arehigh-technologybased,suchasthoseinvolvingmicroprocessors(computers).Therefore,thecybersecurityofficer’sstaffwouldbeactiveinsupportingSecurity’santicrimeprogramaspartofSecurity’sassetsprotectionprogramforthecorporation.Theybothknewthattheentirecorporateassetsprotectionprogramwouldbebestserved,thatis,moreeffectivelyandefficientlyaccomplished,ifthecybersecurityofficerandthecybersecurityprogramfunctionsreportedtotheDirectorofSecurityinsteadoftotheCIO.

However,atthecorporation,asatmanycorporations,theDirectorofSecurityreallydidnotwantthatresponsibility,andpolitically,itwasadifficultselltoexecutivemanagement.Furthermore,thecybersecurityofficerposition,whichnowreportstotheCIO,whoreportstothecorporateexecutiveofficer(CEO),wouldbedowngraded,asthecybersecurityofficerwouldreporttotheDirectorofSecurity,whoreportstotheVicePresidentofHumanResources,whoreportstoCorporateOfficeExecutiveVicePresident,whoreportstotheCEO.Thepositionwouldalsomeanlessprestige,lessmoney,andtheinabilitytoexercisemanagementauthorityatasufficientlyhighlevel.

However,theDirectorandthecybersecurityofficeragreedthatahigh-technologycrimepreventionprogramshouldbeestablishedatthecorporationaspartofthecorporation’stotalassetsprotectionprogram,whichwasledbytheDirectorofSecurity.Therefore,theDirectorandthecybersecurityofficerdecidedtoestablishaprojecttoprovidesuchaprogramandensurethatitinterfacedwiththecybersecurityprogram.Itwasalsoagreedthatalong-termgoalwouldbetointegratethecrimeprevention,cybersecurity,andcorporatephysicalassetsprotectionpoliciesintoanoverallcybersecurityprogramundertheauthorityofboththeDirectorandthecybersecurityofficerusingamatrixmanagementapproach.

TheDirectorandthecybersecurityofficeragreedthatthecybersecurityofficer’sapproachtothecybersecurityprogramanditsrelatedfunctionswasadaptabletothedevelopmentofahigh-technologycrimepreventionprogram.Afterthatinitialbaselinewasdevelopedbythecybersecurityofficer,theDirectorwouldintegrateantitheft,antifraud,andothercrime-relatedpolicies,procedures,andprocessesintotheprogramandbaselinethemaspartofthecorporateassetsprotectionprogramundertheauthorityoftheDirectorofSecurity.

Theybothagreedthatthebasisonwhichtobuildthecorporationhigh-technologycrimepreventionprogram(HTCPP)wasthedevelopmentofacomprehensivehigh-technologycrimepreventionenvironmentatlowestcostandleastimpacttothecorporation.

TheDirectorandthecybersecurityofficerdecidedtocategorizeHTCPPinvestigationsandNCIssothattheycouldmoreeasilybeanalyzedandplacedinacommondatabaseforanalysessuchastrendsorvulnerabilitiesofprocessesthatallowsuchincidentstooccur.Thecybersecurityofficeragreedthatthecybersecurityofficer’sorganizationwouldmaintainthedatabase,buttheSecuritystaffwouldhaveinputandreadaccess.However,modifications,maintenance,upgrades,anddeletionswouldbecontrolledbythecybersecurityofficertoensurethattheintegrityofthedatabasewasmaintained.TheinitialcategoriesagreedtobytheDirectorandcybersecurityofficerwere:

•Violationsoflaws(requiredbylawtobereportedtoagovernmentinvestigativeagency);

•Unauthorizedaccess;

•Computerfraud;

•Actionsagainstusers;

•Actionsagainstsystems;

•Interruptionofservices;

•Tampering;

•Misuseofinformation;

•Theftofservices;

•Othercrimesinwhichcomputerswereused,suchas:

Moneylaundering

Copyrightviolations

Intellectualpropertythefts

Mailfraud

Wirefraud

Pornography

•Othercrimes

•Violators:

Internal

External

Itwasfurtheragreedthatthesecategorieswouldbeexpandedbasedonanalysesofinvestigationsandnoncomplianceinquiriesconductedtodate.

AssistingwithComputerForensicsSupportBusinesses,publicagencies,andindividualsincreasinglyrelyonawiderangeofcomputers,oftenlinkedtogetherintonetworks,toaccomplishtheirmissions.Becausecomputershavebecomeubiquitous,theyareoftenahighlyproductivesourceofevidenceandintelligencethatmaybeobtainedbyproperlytrainedandequippedcybersecurityprogramandinvestigativeprofessionals.Equippingthespecialiststobeabletocompetentlysearchcorporationsystemsisessential.Inmanycases,asuspectwilluseacomputertoplanthecrime,keepdiariesorrecordsofactsinfurtheranceofaconspiracy,orcommunicatewithconfederatesaboutdetailsviaelectronicmail.Inotherschemesthecomputerwillplayamorecentralrole,perhapsservingasthevehicleforanunauthorizedintrusionintoalargersystemfromwhichvaluablefilesorotherinformationisdownloadedortampered.

Surprisingly,evenmanysophisticatedcriminalswhoarehighlycomputerliterateremainunawareofthemanysoftwareutilitiesavailablethatallowevidencetobescavengedfromvariousstoragemedia,includingharddrives,randomaccessmemory,andotherlocationsintheoperatingsystemenvironmentssuchasfileslack,swap,andtemporaryfiles.Therefore,everyinvestigationofcrimesandunauthorizedactivitiesshouldnowassumethatsomeeffortwillbeinvestedinexaminingcomputersandcomputerrecordstolocaterelevantevidencethatwillproveordisproveallegationsorsuspicionsofwrongdoing.

Whethercomputersarethemselvesusedasthetooltocommitothercrimesormerelycontaindocuments,files,ormessagesdiscussingtheschemeorplans,computerscanprovideawealthofusefulinformationifproperlyexploited.Amajorbarriertoobtainingthispotentiallyvaluableevidenceistherelativelackofknowledgeofmanycorporateandlawenforcementinvestigatorsconcerninghigh-technology—computertechnology.Thislackoffamiliarityandexperiencehampersthecomputerforensicsspecialists’abilitytoconducteffectivesearches.Whenthecrimesceneitselfisacomputeroranetwork,orwhentheevidencerelatedtotheillegalorunauthorizedactivitiesisstoredonacomputer,thereisnosubstitutefortheuseof“computerforensics”togatherrelevantevidence.

Webster’sDictionarydefinesforensicsas“belongingto,usedin,orsuitabletocourtsofjudicatureortopublicdiscussionanddebate.”2Thus,computerforensicsisatermthatwedefineasdescribingtheapplicationoflegallysufficientmethodsandprotocolsandtechniquestogather,analyze,andpreservecomputerinformationrelevanttoamatterunderinvestigation.Operationally,computerforensicsencompassesusingappropriatesoftwaretoolsandprotocolstoefficientlysearchthecontentsofmagneticandotherstoragemediaandidentifyrelevantevidenceinfiles,fragmentsoffiles,anddeletedfiles,aswellasfileslackandswapspace.

ThecybersecurityofficerandcybersecurityprogramNCIspecialistassignedastheSecuritysupportfocalpointsprovidedacomputerforensicsawarenessbriefingtothecorporationSecuritystaff.ThebriefinggaveanintroductiontocomputerforensicsandalsodiscussedthesupportthecybersecurityofficerstaffwouldgivetheSecuritystaff.

ThecybersecurityofficeragreedtosupportthecorporationSecuritystaffbyprovidinghigh-technology-relatedforensicservices.

DealingwithLawEnforcementThereisagreatlackofcommunicationbetweencybersecurityprofessionalsandlawenforcementagencies.Neitherprofessionseemstoknowwhattheotherdoesorhowtheycanassisteachother.Thecybersecurityofficerworksprimarilyintheinternalworldofthecorporation.Therefore,cybersecurityofficersusuallyareignorantofwhatinvestigationsarebeingconductedbylawenforcementagencies,eveninthecitieswherethecorporationhasfacilities.

Thislackofcommunicationmeansthatthecybersecurityofficer,andmoreoftenthannottheDirectorofSecurity,isnotawareoflocalhigh-technologycrimeinvestigationsthatlawenforcementareconducting.Thus,thecybersecurityofficerisunawareofsomehigh-technologycrimetechniquesthatwouldbeusefultoknowaboutwhendevelopinginternaldefensesandcontrolstoprotectthecorporationagainstsuchattacks.

WhentoCallforHelp—andWhom.

IfyouoroneofyourstaffisconductinganNCIorsupportingaSecuritystaffmemberconductinganinvestigation,thereismorethanonepersonwhocanbeofassistance.Theseinclude:

•Victims,

•Witnesses,

•Consultants,

•Vendors,

•Suspects,and

•Lawenforcementofficers.

Whatifahigh-technologycrimeisperpetratedatthecorporationandthelawrequiresalawenforcementagencytobecontacted?Whatifmanagementdecidesthattheywanttheperpetratorcaughtandprosecuted?Theywillfileacomplaintwiththeappropriatelawenforcementagency,andthecybersecurityofficerhasanimportantroletoplaytosupportprosecutionofthecriminal.Therefore,thecybersecurityofficershouldbeawareoftheprocessesinvolved.Someofthethingstoconsiderare:

•Doesthecorporationhaveacompanypolicyastowhenorwhennottocallanoutsidelawenforcementagency?

•AreLegalstaffinvolved?

•AreHumanResourcespersonnelinvolved?

•ArePublicRelationspersonnelinvolved?

•Isbudgetavailabletosupporttheinvestigationandprosecution?

•Isthequestion“Canthecorporationstandthebadpublicity?”consideredinmakingthedecision?

•Isexecutivemanagementpreparedfortherequiredcommitment?

•Isreportingrequiredbylaw?

•Ifyes,shoulditbereported?

•Ifno,shoulditbereported?

Whendecidingwhethertocalllawenforcement,oneshouldalsoconsider:

•Costsversusbenefits,

•Extentofloss,

•Probabilityofidentifyingandsuccessfullyprosecutingthesuspect,

•Potentiallawsuitsthatwillfollowifsomeoneisidentified(whetherornotheorsheissuccessfullyprosecuted),and

•Timeinsupportingthecriminaljusticeprocess:investigationthroughprosecution.

Therearesomeadvantagestocallinglawenforcement,whocan:

•Performactsthatareillegalifdonebycitizens,

•Obtainsearchwarrantstorecoverproperty,

•Gainaccesstorelatedinformation,and

•Protectvictimsundersomeinstances.

Someofthedisadvantagesofcallinglawenforcementforhelpinclude:

•Controlovertheincidentislost,

•Itisprobablycostlyandtime-consuming,and

•Thecompanymustbewillingtocooperateintheprosecution,duringwhichthecasemayreceivehighvisibilityfromnewsmedia,stockholders,andothers.

Ifyoudecidetocallinalawenforcementagency,corporatemanagementmustalsodecidewhichonetocallandwhy—national,state,orlocal.Nomatterwhichoneiscalled,corporatemanagementmustalsobepreparedtohelpthemforanextendedperiodoftime.Initially,thecybersecurityofficerinconcertwiththeDirectorofSecurityshould:

•Prepareabriefingforinvestigators;

•EnsurethatexecutivemanagementandtheLegalStaffDirectorattend;

•Besureofthefacts;

•Briefinclear,concise,andnontechnicalterms;

•Identifytheloss,thebasisfortheamount,andtheprocessusedtodeterminethatamount;

•Gatherallrelatedevidence;

•Knowtherelatedlaws;

•Describeactiontakentodate;

•Explainthereal-worldimpactoftheallegedcrime;

•Identifyanddetermineifanyvictimswillcooperate;

•Explainwhatassistancetheycanprovide.

Iftheincidentistobehandledinternally:

•Whatistheobjective?

•Whatistheplantoaccomplishthatobjective?

•Whatexpertiseisavailabletohelp?

•Whatisthecost?

•Whataretheconsequences?

•Whatcanbedonetobesureitdoesn’thappenagain?


•Doyouthinkthecybersecurityofficer’sresponsibilitiesshouldincludeconductinganytypeofinvestigationorinquiry?

•Ifso,why?

•Ifnot,whynot?

•Doyouthinkitisthejobandprofessionalresponsibilityofacybersecurityofficerandstafftosupportinternalandexternalinvestigationsbyprovidingforensicssupport?

•Ifso,whatlimitationswouldyousetonthatsupport?

•Asacybersecurityofficer,doyouhaveapolicy,plan,process,andprocedureinplaceastowhenandhowyouwouldsupportaninternalorexternalinvestigation?

•Ifso,aretheycurrent?

•Havetheybeencoordinatedwithapplicableinternalcustomers,suchasauditorsandSecuritystaff?

SummaryUsually,asecuritydepartment’sstaffisnottrainedtoconducthigh-technologyinvestigations,whereasthecybersecurityofficerandstaffareinthebestpositiontosupportthesecuritydepartmentoranoutsidelawenforcementagencyinconductingtheirinvestigations.AnagreementshouldbeworkedoutbetweentheDirectorofSecurityandthecybersecurityofficerastowhohaswhatauthorityforinvestigationsrelevanttoviolationsofcorporatepoliciesaswellasthosethatwouldalsobeacriminaloffense.

Corporationsmusthavecurrentpoliciesdetailingwhenanoutsidelawenforcementagencyshouldbecalledandwhenamatteridentifiedasaviolationoflaw,criminalorcivil,shouldbeinvestigatedinternally.Itisabsolutelymandatorythatsuchdecisionnotbemadebythecybersecurityofficer,butbytheexecutivemanagementsupportedbytheLegalstaff,PublicRelationsstaff,andHumanResourcesstaff.Ifalawenforcementagencyiscontacted,thecorporationmustbepreparedforusuallymanymonthsofsupporttotheinvestigativeagencyaswellasbadpublicity.

High-technologycrimeinvestigationsandNCIsarebasedonbasicinvestigativetechniquesandansweringthequestionsofwho,how,where,when,why,andwhat.

High-technologycriminalsarebeginningtoinstallmoresophisticatedsecuritysystems,includingencryptionsystems.Suchdeviceswillrequireverysophisticateddevicesandexpertisetoaccessthem.Somehavefocusedonmethodsofdestroyingevidenceiflawenforcementorinvestigatorstamperwiththesystem.

Thechallengestohigh-technologycrimeinvestigatorsandcomputerforensicsspecialistsaremanyandquicklyincreasing.Onlythroughconstanttrainingwillinvestigatorsandcybersecuritystaffmembershaveanyhopeatallofkeepingupwiththesechanges,includingsearchingmediaforevidence.

Keystosuccessfulsearchesincludeknowingthetechnology,havingaplan,usingcommonsense,andusingaspecialistwhoisanexpertinthetechnologyandaccompanyingsoftwaretobesearched.

1DiogenesLaërtius(thirdcentury?),Greekhistorianandbiographer.LivesofthePhilosophers“Myson”(thirdcentury?)—Encarta®BookofQuotations,©&(P)1999,MicrosoftCorporation.Allrightsreserved.DevelopedforMicrosoftbyBloomsburyPublishingPlc.2Merriam–Webster’sCollegiateDictionary.G&CMerriamCompany,1973.

SECTION I I I

TheGlobal,Professional,andPersonalChallengesofaCyberSecurityOfficerOUTLINEIntroduction

Chapter13.IntroductiontoGlobalInformationWarfare

Chapter14.TheCyberSecurityOfficerandPrivacy,Ethical,andLiabilityIssues

Chapter15.ACareerasaCyberSecurityOfficer

Chapter16.ALookatthePossibleFuture

Introduction

Inthefirsttwosectionsofthisbook,youwereintroducedtotheinternalandexternalworldofthecybersecurityofficer.Thethirdandlastsectionofthisbookdiscussesthemajorchallengesforthecybersecurityofficer,nowandintothefuture.Themostchallengingthreattothecybersecurityofficer—andagrowingthreat—isthatofinformationwarfare(IW),includingterrorism.AlthoughvarioustypesofIWhavebeenaroundsincesomeonefirstusedtheterminformation,becauseofhightechnologythatthreatisrapidlygrowing.Therefore,SectionIIIbeginswithanintroductionandoverviewofIW.

TheIWchapterisfollowedbyachapteronthecybersecurityofficerandhisorherresponsibilitiesrelatedtoethicalconduct,privacy,andliabilityissues.Thischapterisconsideredimportantsincesuchissuesandbeingacybersecurityofficerprofessionalgohandinhand.

Thefinalchapterofthisbooklooksintothefutureanddiscussesthechallengesandrisksthecybersecurityofficerwillfaceinthetwenty-firstcentury.

CHAPTER13

IntroductiontoGlobalInformationWarfare

AbstractThischapterprovidesanintroductionanddiscussionofglobalinformationwarfare(IW).Asaprofessionalcybersecurityofficeryoumaynotknowitasorcallitinformationwarfareonaglobalscale,butwecertainlyareinacyberwar.Furthermore,ifyouaretoprotectthegovernmentagencyorcorporateinformation,systems,andnetworksthatareyourpartoftheglobalornationalinformationinfrastructure,youbetterstartthinkingandactingasifyouwereinawarbecause,likeitornot,youare.

KeywordsCommandandcontrolwarfare(C2W);First-generationwarfare;Informationenvironment(IE);Informationwarfare(IW);LocustSwarm;Locustsprogram;Second-generationwarfare;Waterpumpingstations

Wardoesnotdeterminewhoisright—onlywhoisleft.BertrandRussell

CONTENTS

ThePossibilities 248IntroductiontoWarfare 250FourGenerationsofWarfare 250IntroductiontoGlobalInformationWarfare 251InformationWarfareWillHitYouinYourPocketbook 254BusinessIsWar 256IWBroadlyEncompassesManyLevelsandFunctions 257WhatIWIs…andIsNot 257BeingPrepared-BadThingsWillHappen 260ThePossibleBreakdownsinanInformationEnvironment 261GoingbeyondThreeBlindMenDescribinganElephant:InformationWarfareTermsofReference 261InformationWarfareIsaPowerfulApproachforAttainingandMaintainingaCompetitiveAdvantage 268HowtoUseIWtoAchieveGoalsandObjectives 269CoherentKnowledge-BasedOperations 270Network-CentricBusiness 271KnowledgeManagement 271

Summary 272Note 272

Thischapterprovidesanintroductionanddiscussionofglobalinformationwarfare(IW).Asaprofessionalcybersecurityofficeryoumaynotknowitasorcallitinformationwarfareonaglobalscale,butwecertainlyareinacyberwar.Furthermore,ifyouaretoprotectthegovernmentagencyorcorporateinformation,systems,andnetworksthatareyourpartoftheglobalornationalinformationinfrastructure,youbetterstartthinkingandactingasifyouwereinawarbecause,likeitornot,youare.

Itbeginswithafictionalscenariothatsooncanbecomealltooreal—someofitalreadyhasoccurred.SomeaspectsofIWattackshavealreadybeentestedbygovernmentagencies,terrorists,hackers,organizedcrimemembers,andthegeneralcriminalouttogetrichatourexpense,througheithertheftorblackmail,ortodenytheiradversarytheabilitytofunction.

ThisfictionalscenarioispresentedaspartofanintroductiontoglobalIWsothatthereadercanseewhatdevastationcanbecausedbyglobalIW,globalbecauseitcanhappenfromanywheretoanywhere.ItissomethingthattheglobalIWdefendermustconsiderwhenaddressingglobalIWissues.

Let’slookatthepossibilitiesofaworst-caseIWattackscenarioontheUnitedStates.

ThePossibilitiesAtfirst,somethoughtitwasamassivesolareruptionworsethanthatof1998,sincecommunications,includingmicrowaveandcellphonetowers,weremadeinoperable.Thenitwastheorizedasasoftwareglitchsimilartothescareofthe2000millenniumbugyearsearlier.Then,alltoosoon,therealreasonforthepowerlossanditsdominoeffectbecameclear—aglobalIWattackonamassivescale.

ItfirststartedonChristmasEveintheUnitedStates,fortheyknewonlyminimalstaffingwouldbeinplace,manyonvacationandoutofthecommunicationloop,thosebeingvitaltogettingsystemsupandrunningagain.Theyunleasheditlateatnighttocausethemosthavoc;itstartedintheNorthwest,intheSeattlearea,movedsouthtoPortland,SanFrancisco,andLosAngeles,andatthesametimemovedEast.Thepowerwentout,firstonthewesterngrids,shuttingdownpowerstationafterpowerstation,blackeningeachneighborhood,eachtown,eachcity,fromthePacificOceanmovingslowlyeastwardlikeaswarmoflocuststotheAtlanticOcean,intopartsofCanadaandMexicothatwereunfortunateenoughtoshareAmerica’spowergrids.Theycalledtheattackprogram“LocustSwarm.”

America’senergygridslowlywentdown,andforthosewhohadcontingencyplansthatincludedgenerators,theyboughtthemmoretime,buttimewasnotontheirside.Eventually,thegas-poweredgeneratorsranoutofgas.Gaswasnotforthcomingaselectricalpowerwasoutfromgasstationstooilrefineriesandtheoilpipesleadingtothemhadnopowertomovetheoil.Gaspumpswereclosed,panicensued.Thealarmsystemsinstores,banks,andeverywhereelseinthecountryceasedoperation.

Localpowercompaniesfoundthatsometransformershadexploded,takingdaystomonthstofindreplacementsassomanyweredead;someestimateditwouldtakeaslongassixmonthstoreplacemanyofthem,electricitybeingcrucialtopoweringtechnology,andtechnologyrunningeverything.Whethertheyusedsolarcells,windmills,coal,naturalgas,ordieselfuel,itdidn’tmatterasallwerecontrolledandrunbycomputers.Eventhemonitoringsystemswererunbytechnologyandwhenfalsereadingsweresentthroughthem,theyalsohelpedcausethechaosandtheoverloadsthatensued.Systemsmonitoringnuclearfacilitiestodamswereaffected.

Justbeforetherollingblackouthitanarea,therewereanumberofTwitterbroadcasts—“Powerisout,bankalarmsareout,storealarmsareout,cometakeyourshareofthebounty.”Whenthemiscreantsofeachareawherepowerfailedgotthemessage,theyjoinedtheirfriendsandsoonpoliceandfirefighterswereoccupiedwithemergencies.Mobsbrokeintoanyplacethatofferedthemmoney,furniture,televisions,andothergoodsfreeforthetaking,settingfireastheywent.TheyactedwithimpunityasevenCCTVcameraswereout.

Firedepartmentswereoverwhelmedandfiretruckseventuallyranoutofgasandcouldnotrespond.Thesamethingappliedtopolicedepartments,eventheNationalGuardandothermilitaryfacilities.

Medicalequipmentinhospitalsvitaltokeepingpeoplealiveceasedtooperateas

generatorsfailed,andthousandsofpatientsacrossthecountrydied,manyontheoperatingtables.

Insteadofaircraftlosingcommunicationswiththetowers,theLocuststhathadinfectedthecountrydidnotshutdownthecontroltowersasrapidly.Noonethoughttoaskwhyuntilitwastoolate.AnditwastoolatewhentheLocustswereuploadedtoaircraftandwormedtheirwayintothecomputersystemschangingtheinstrumentationsettingsontheaircraftwithouttheknowledgeoftheflightcrews,onbothcommercialandmilitaryaircraft.

Aircraftpilotshadlearnedtoflyusingcomputersandtheirinstruments.Longgonewerethepilotswho“flewbytheseatoftheirpants,”programmingerrorscausingplanestocrashandthousandstodie.Somethatwererunningoutoffueltriedlandingbutreliedonfalseinstrumentreadingsandburneduponrunways,stoppingotheraircraftfromtryingtoland.Whilesomemadeitdownsafely,otherscrashedandburnedinadjacentfieldsandtaxiways.Theskiesglowedwiththefiresofcrashedaircraft,bodiesstrewneverywhere.Somesurvivedforawhilebuttheemergencyteamswereoverwhelmedandmanydied.

TheLocustsprogramwormeditswayintoautomatedhomesystems.Itwasthemiddleofwinterandheaterswereturnedoffandairconditionersturnedon.Manyvulnerablepeopleinthenorthernregionofthenationfrozetodeath.Andthoseinnursinghomesandanimalsinshelterscouldnotbecaredfor.

Waterpumpingstationsceasedoperation,sewersystemsfailed.Sowhenwaterwasneededthemost,bottledwaterstartedflyingoffstoreshelvesuntilitranout.Peopleturningontheirwaterfaucetsfoundnothingbutstinking,brownwatercomingout,andthennoteventhat.

Allmodernnationsreliantontechnologyarevulnerabletosuchattacks.Ofcoursetherearethosewhosayitcan’thappen.Really?

IntroductiontoWarfareWarshavebeenfoughteversincetherewerehumanbeingsaroundwhodidnotagreewithoneanother.Theseconflictscontinuetothisday,withnoendinsight.Theuseofinformationinwarfareisnothingnew.Thosewhohadthebestinformationthefastestandwereabletocorrectlyactonitthesoonestwereusuallythevictorsinbattles.

IsitanywonderthatsincewearenowintheInformationAgeweshouldalsohaveinformationwarfare?Becausewenowlookatalmosteverythingonaglobalscale,itshouldalsonotbesurprisingthatinformationwarfareisviewedonaglobalscale.Informationwarfareistoday’smuch-talked-abouttypeofwarfare.AsearchoftheInternetonthetopicusingGoogle.comdisclosedthatin2002therewere472,000hitsbutin2014therewere27,700,000hits.Informationwarfareisbecominganintegral,digitalpartofwarfareofalltypesinthemodernera.

http://Google.com

FourGenerationsofWarfareMilitaryhistoriansandprofessionalsovertheyearshavediscussedthevariousgenerationsofwarfare.Somebelievetherearefourgenerationsofwarfaretodate:1

•First-generationwarfarestartedwiththeriseofthenation-stateandincludedatop-downmilitarystructure,limitedweapons,andarmiesmadeupofserfs.ItendedintheearlynineteenthcenturyaboutthetimeoftheNapoleonicWars.

•Second-generationwarfarebeganabout1860intheUnitedStateswithitsCivilWar.Thisgenerationofwarfareincludedartillery,machineguns,massweaponsdevelopment,andlogisticssupportedbytrains.ThisgenerationofwarfareendedsometimeafterWorldWarI.

•ThebeginningofthethirdgenerationofwarfareisattributedtotheGermansinWorldWarII,inwhich“shock-maneuver”tacticswereused.

•In1989,theU.S.MarineCorpsGazette2containedanarticlebyseveralmilitarypersonnel.Thearticle,entitled“ChangingtheFaceofWar:IntotheFourthGeneration,”discussedthefourth-generationbattlefield,whereitislikelythatitwillincludethe“wholeoftheenemy’ssociety….Thedistinctionbetweencivilianandmilitarymaydisappear….Televisionnewsmaybecomeamorepowerfuloperationalweaponthanarmoreddivisions.”Ifoneweretohaveanydoubtsabouttheaccuracyofthatstatement,onejusthastoremembertheU.S.televisionnewsshowingadeadAmericanmilitaryman’sbodybeingdraggedthroughthestreetsofMogadishu.ThelossofnationalwillcanbecloselycorrelatedwithhowquicklytheUnitedStatesdepartedthatcountry.This,too,ispartoftheinformationwarfarecampaignsbeingwagedonaworldwidescale.

Onecanarguethatinformationwarfarehasexistedinallgenerationsofwarfareandincludedspying,observationballoons,breakingenemycodes,andmanyotherfunctionsandactivities.True,informationwarfareisasoldashumans,butmanyaspectsastohowitisbeingappliedinourinformation-dependent,information-basedworldarenew.

IntroductiontoGlobalInformationWarfareIntheearly1990s,severalpeopleintheU.S.DepartmentofDefense(DoD)articulatedauniqueformofwarfaretermed“InformationWarfare.”TheChinesesaytheyweredevelopingIWconceptsinthelate1980s.Whoiscorrect?Doesitmatter?TheareasembracedbyIWhavebeendevelopedoverthecenturiesandmillenniaandhavebeenanormalpartofhumanactivitiesfromhumankind’sbeginning.WhatisuniqueaboutIWisthatitisthefirstinstantiationoftryingtotietogetheralltheareasthatmakeuptheinformationenvironment(IE).TheIErunsthrougheverypartofyourcountry,organization,andpersonallife.Atthepresenttime,thereisnocookbookrecipetodotheextremelycomplextaskofbringingtogetheralltheareas.

WhatisIW?ThegeneralworkingdefinitionofIWemployedinthisbookisasfollows:IWisacoherentandsynchronizedblendingofphysicalandvirtualactionstohavecountries,organizations,andindividualsperform,ornotperform,actionssothatyourgoalsandobjectivesareattainedandmaintained,whilesimultaneouslypreventingcompetitorsfromdoingthesametoyou.Clearly,thisembracesmuchmorethanattackingcomputerswithmaliciouscode.Thelitmustestisthis:ifinformationisusedtoperpetrateanactthatwasdonetoinfluenceanothertotakeornottakeactionsbeneficialtotheattacker,thenitcanbeconsideredIW.

Thedefinitionisintentionallybroad,embracingorganizationallevels,people,andcapabilities.Itallowsroomforgovernments,cartels,corporations,hacktivists,terrorists,othergroups,andindividualstohaveapart.Itisuptoeachenlightenedenterprisetotailorthedefinitiontofititsneeds.Thisshouldnotbeadefinitionofconvenience,to“checkthebox.”

Youareasked,andmanytimesforcedbygovernmentandbusinesses,todependontheInternet;theInternetthatishometohackers,crackers,phreakers,hacktivists,scriptkiddies,Netespionage(network-enabledespionage),andinformationwarriors;theInternetthatishometoworms,Trojanhorses,softwarebugs,hardwareglitches,distributeddenial-of-service(DDoS)attacks,viruses,andvariousformsofmalware.Allthis,andtheInternetisonlyaportionoftheareasthatIWaddresses.AlthoughtheInternettouchesmanycriticalinfrastructures,andtheseinturnaffectthemanyIEswithwhichyouinterface,mostoftheIWareaswerearoundbeforetheInternet.

As“competition”isanalogousto“enemy”or“adversary,”otherbusiness–militaryanalogiescanbemadewithprofit,shareholdervalue,competitiveedge,andindustryranktoachievebrandrecognition,customerloyalty,exertionofpower,influence,andmarketshare.Abusinessleaderormilitaryleadermusttrainandequipforces;gatherintelligence;assemble,deploy,andemployforcesatdecisiveplacesandtimes;sustainthem;formcoalitionswithotherbusinessesandnation-states;andbesuccessful.Therearemanyphysicalandvirtualworldparallels,ascanbeseeninthefollowingheadline:“CiscotouseSNAasweaponagainstcompetition….CiscobelievesitsexperienceinmeldingSNAandIPinternetworkscanbeusedasaweaponinthecompany’sbattlewithLucentandNortelforleadershipinconvergingvoice,video,anddataoverIPnetworks.”2

Puristswillfocusonwarfareasastateofaffairsthatmustbedeclaredbyagovernmentandcanbeconductedonlybyagovernment.Butconsiderguerrillawarfare,economicwarfare(onecountry“forcing”anothercountrytospenditselfintobankruptcy,asallegedlytheUnitedStatesdidtotheSovietUnion),oracompanyadjustingpricestodamageitscompetition(e.g.,takingalongtimehorizontousevolumeandtimetoadjustpricesdownward).“Conflict”or“that’sbusiness”doesnotcarrythesamesoundofultimatestruggleasreferringtobusinessas“war.”Clausewitzstated,“Warisanextensionofpolitics.”Byanalogy,becausebusinessistheimplementationofacountry’slaws,economicpolicy,andvalues,businessisalsoanextensionofpolitics.

Inafreemarketeconomy,competitioniscentraltobusinessstrategytowincustomersandmarketshare.Competition,likewar,isastruggleforawinningposition.Themarketplacecanthenbereferredtoanalogouslyasabattlefieldwithwinnersandlosers.Itfollowsthatbusinessisanalogoustowar.Therefore,usingmilitaryphraseologyinabusinesscontextisappropriate.Infact,onejusthastorememberSeptember11,2001,andNewYork’sWorldTradeCenterstoseethatintoday’sworld,warfareiswagedonmanylevelsbyvariousadversariesagainstvarioustargets.Thesetargetscanbenation-states,theirgovernments,groups,businesses,orindividuals.Thetoolswillbeanythatcanbeappliedforattackerstosuccessfullyattaintheirgoals.

Thecounterargumentisthatsomeinsurancecompanies’contractsstatethatifalossisduetoanactofterrorismorwar,theywillnotpayfordamages.IntheUnitedStates,attacksoncomputersbydefaultarecriminalactsandarethusinthepurviewoflawenforcement.Often,afteraninvestigationdeterminesthatthecriminalactisanationalsecurityissue,theintelligenceagenciesandothergovernmentorganizationswilltakethelead.

Thereareadversaries,winners,andlosers.AllthewritingonIWfocusesonweaknesses,defenses,andlosses.Despitethegloomyforecastsbygovernmentofficialsandthemedia,IWisalsoaboutstrengths,offenses,andgains.Thesepositivefeaturesarewithinthegraspofanygovernmentorbusinessorganizationwithadesiretoseizeandmaintainacompetitiveadvantage—tobeawinnerontheIWbattlefield.Importantly,unlikesomeoftoday’sphysicalwarsandthoseofthepast,withoutagreatdealofresources,asmallnation,forexample,NorthKorea,hasthepowertosuccessfullyattackglobalandanation’sbusiness,aswellasgovernments.

WhatpossibleapplicationcanIWhaveoutsidespecializedmilitarycircles?Fromapracticalviewpoint,howdoesIWshortendecisioncycletimes,raiserevenue,loweroravoidcosts,andimproveperformance?IfIWcannotimproveeffectivenessorefficiency,orbringaboutinnovation,whydoit?IWdoesdothesethingsandoughttobetheapproachusedratherthanthetopmanagementfadsthatcomeandgo,leavingbusinessesworseofffortryingthem.ThepurposeofIWistogainpowerandinfluenceoverothers.Powerandinfluenceareattheheartofallsuchrelationships.BecauseIWrequireseffort,theeffortneedstoresolveintosomeaspectofpower,suchasprofitoreconomicormilitarydominationonthebattlefieldorinthemarketplace.

InformationWarfareWillHitYouinYourPocketbookTherehavebeensomeeventsthatwerenotexpected.HannibalcrossedtheAlps.ClaydefeatedListonfortheheavyweightboxingtitle.CDUniversedidnotthinkcrackerswouldbreakintoitssystems.Buy.comdidnotexpectaDDoSattack,nordidSony,Target,orvictimstoonumeroustomention.ItseemsnewwebsitesarediscoveredandhackedwithinminutesofbeingontheInternet.Onehoneypotprojectwasattackedwithin

5 min.Itwillhappen:onedayyourIEdefensesaregoingtobebeaten.Whentheygodown,yourrevenuesandprofitswillgodown.TheInternetAgehasagainproventhe

adagethat“timeismoney.”SupposeacompanyhasUS$1 billioninelectronicandmobile-commercerevenue.Thatequatesto$2,739,726perday,$114,155perhour,$1903perminute,and$32persecond.3Howlongcanyourbusinessaffordtobeadverselyaffectedbyanattack?Inotherwords,whataretherisksandconsequencesyouarewillingtoaccept?

Inaportentofcripplingeventstocome,sinceearly2000therehavebeenthousandsofautomatedcomputer-baseddistributedattacks,extortionattemptsfortensandhundredsofmillionsofdollars,andpostingontheInternetofmillionsofsupposedlyprotectedcreditcarddetailsandotherprivateinformation.Apparently,thelawsandcourtsentencesforcomputercrimeslackdeterrentvalue.Ofcourse,ifhardwareandsoftwareproducts,communicationssystems,e-commercesites,andotherinformationtechnology(IT)componentsweredesignedwithsecurityinmind,wewouldnothavethispredicament—somethingthatevenBillGatesofMicrosoftfinallyrealized.

Inmanycases,thedollarlossissecondarytothelossoftrust.Banksandinsurancecompaniesespeciallyfeelcustomers’wrath.Whencustomersbelievetheirtrusthasbeencompromised,theyvotewiththeirpocketbooksandtaketheirbusinesselsewhere.Thatiswhenrevenuesandprofitsdecline,whichleadstoadeclineinthestockprice,whichinthenottoodistantfuturewillleadtoshareholderlawsuitsfornegligenceandotherclaims.

IWconjuresupmanyimages:computers,networks,andtelecommunications-savvyexpertsinthemilitaryandintelligencecommunities,corporateespionage,andpale14-year-oldlookingliketheycouldbethenextdoorneighbor’skids—oryours.Direprognosticationsabouthowan“electronicPearlHarbor”threatensnationalsecurityandthedailymediacoverageofvirusesanddenial-of-serviceattacksinterchangeablyusingphrasessuchasinformationwarfare,cyberwarfare,andcyberterrorismmaymakeIWseemdistantandsurreal.

Someoftheattacks,premeditatedorunintentional,resultedinbillionsofdollarsindamages.Computeremergencyresponseteamsandlawenforcementagenciesstressprotectionanddefenseofinformation,informationinfrastructure,andinformation-basedprocessestowardoffmaliciousattacks.WhatdotheseandmanyotheraspectsofoperatingintheIEhavetodowithmanagingagovernmentorganizationorrunninga

http://Buy.com

business?Forbusinesses,thismaymeannewbusinessgeneration,costavoidance,profit,customerretention,marketleadership,andpositivepowerpublicperception.Fornation-states,thismaybeeconomic,political,ormilitarypower,influence,ordefeat.

Theoncehigh-profileeventssuchastheMorriswormandCitibank’s$400,000loss

($10 millionwasstolen,andallbut$400,000allegedlyrecovered)shouldhavebeensufficientwarningshotsacrossthebowthatadifferentapproachwasneeded.However,suchattacksof“longago,”intechnologyterms,paleincomparisontothenumber,sophistication,andscaleoflossesoftoday’sattacks.

Note:Manyofussincethelate1980sandintothe1990sforwardhavebeenwarningofthepotentialforIWattacksandwhatshouldbedonetoprepareforthem.Ofcourse,asusualwhenitcomestosecurity,managementinbusinessesandingovernmentagenciesignoredourwarningsandarenowreapingtheresults.Wepredicttheworseisyettocome.

Themuch-neededsecurityfixesareyearsawayasdefensescontinuetolagbehindtheattackersinsophistication.However,therearepocketsofgovernment-sponsoredsophisticatedattacks;somemayevenbecalled“defensiveattacks”orpreemptivestrikesagainstanadversary.Demandislowbecausethegeneralpublicappearstobeuninterestedincrackerexploits,madeindifferentbythealmostdailynewsstories.Saiddifferently,thepublichascometoexpectidentifythefts,theftoftheircreditcards,andsuch.However,sincecorporationsareheldliableinmostcases,andcreditcardcorporationsabsorbthelossesoftheircustomers,thegeneralpublicremainscomplacentingeneralbutpersonallyoutragedonlywhenitistheirownidentityorfinancialinstrumentsthathavebeencompromised.

BusinessIsWarAnadvertisingcampaigncanbeconsideredasubsetofanIWcampaign.Hereisaperhapsnotsohypotheticalexample.Takinggrocerystoreshelfspace,owingtoproductorpackagingredesign,fromacompetitorisnotionallynodifferentfromdenyinguseofaradaroraseaporttotheenemy.Insteadofcerealboxesthatstoodandpouredvertically,whatiftheystoodhorizontallyandhadspoutsforpouring(besides,verticalboxesarepronetotipping)?Thiswouldresultinmoreshelfspaceneededforthesameamountofcerealboxes.Thepackagingwillcarryamessagethatconveys“new”and“improved.”Theboxeswillbeateyelevel—easyfortheconsumertospot.In-storeadvertisingwillattempttovectorshopperstothecerealaisle.Newspaperandmagazineadvertisingwillattempttoconvincecustomerstotrythe“new”and“improved”product,andcouponswillbeusedasfurtherenticement.Theremayevenbeanin-storedemonstration.Becausethereislimitedshelfspaceandifthecerealcompanyhasbargainingpower,othercerealshavetolosespace.Lostspace,itishoped,thentranslatestolostproductsales,whichinturnleadstoreducedrevenueandprofitsaswellasalowerstockprice.

Inbusiness,theIWtargetcanbethecustomer,thecompetition,oranotherentity.ThepurposeoftheIWcampaignistohavethecompetitortakeactionthatwillresultinincreasedprofitsforyourcompany.Inthebestofalloutcomes,yourrevenuesgoupandthecompetitors’revenuesdecline.Evenifyoursaleswereconstant,justhavinglessspacetosellshouldmakecompetitors’salesdecline,soyourindustryrankingwillimprove.Whatwillthecompetitiondo?Redesignpackaging?Alteringredients?Lowertheproduct’sprice?Counterwithcoupons?Haveatelevisioncampaignemployingadoctortoextolthehealthbenefitsoftheircereal?Playhardballwiththesupermarketchain?Acombination?Nothing,takingawait-and-seeapproach?ThisisphysicalandvirtualIWatthecorporatelevel.Itembracesthemedia,perceptionmanagement,physicaloperations,intelligencecollection,andmore.

Thisisnodifferentfromonecountryobservinganotherandbringingtobeareconomic,diplomatic,andmilitarymeans.Thesemeansmayincludeveryadvancedopensourcesearchesandanalysesandcovertmeansinvolvingmanipulationoftheradiofrequency(RF)spectrum.Fromabusinessperspective,operations,marketing,publicrelations,manufacturing,finance,transportation,andotherpartsofthecompanymustoperateinasynchronizedandcoherentfashion.Thecompetitionmustbemonitored,intelligencecollectedsothecompanycanbeinpositiontoagilelyandeffectivelyrespondtoanycountermoves.

IWBroadlyEncompassesManyLevelsandFunctionsIWisnotthesolepurviewofamodern,technology-based,anddependentgovernment;otherwise,onlythewealthycountriescouldpracticeit.AnarrowinterpretationofIWfliesinthefaceofreality.Otherthanauniquesetofcapabilitiesthatarebasedonunlimiteddeeppocketsandspecializedespionagecapabilities,morebrainpowerand,perhaps,morecapabilitiesresideexternaltoagovernment.Anyorganization,andevenindividuals,canconductoffensiveanddefensiveIW.Itisaboutseizingcontrolofperceptions,physicalstructures,andvirtualassets.Seizingcontrolcanbedonefrombothoffensiveanddefensivepositions.Thatputsanyorganizationsquarelyincontrolofitsdestiny.Thosethatareunenlightenedwillneverperformatornearthetopofthepackandmaywellgooutofexistence.ThosethatembraceIWhaveamuchbetterchanceofsurvivingandreapingtherewards.

Themilitary,intelligencecommunity,andlawenforcementgenerallydonotembracethisperspective.Why?Theyhavecapabilitiesthatarehighlyclassified.Ifusedbyindustry,then“allhellwouldbreakloose.”Certainly,thereareuniqueoffensiveanddefensivecapabilitiesthatcanbedevelopedonlybythegovernmentbecauseoftheirhighriskoffailureandthenecessaryfunding.However,therehasbeenanexplosionofbrainpowerwithregardtophysicalandvirtualcapabilities.Themajorityofbrainpoweringenetics,robotics,nanotechnology,microelectromagneticsystems,andhydrogentechnologiesresidesoutsidethemilitary,intelligencecommunity,andlawenforcement.Whatistopreventthesecapabilitiesfromfallingintothehandsofnation-states,individuals,businesses,andorganizationsthatwishtoperpetratesomeformofhostilebehavior?Absolutelynothing.

WhatIWIs…andIsNotInformationwarfareisnotaboutaone-timesilverbulletforaquickfixandlookinggoodonaquarterlyfinancialreport.IWisnotrestrictedtousingcomputerstoattackothercomputers.Itisnotconfinedtothecyberrealm.“Virtual”meanselectronic,RF,andphotonicmanipulation.Organizationsneedtousethecapabilitieswithinthevirtualandphysicaldomainsinamannerthatoptimizeswhattheywishtodo.ThebestapproachforIW,asitshouldbewithabusinessorgovernmentorganization,istoconductphysicalandvirtualoperationsinasynchronizedandcoherentfashion.Easiersaidthandone.Goddard’sexperimentscontributedtomannedspaceflight—fourdecadeslater.Asvirtualcapabilitiesbecomemorepracticalforthegovernment,military,andbusiness,thegreatertheirimportancebecomesinoperations.Fifteenyearsago,laptops,mobilephones,andpersonaldigitalassistants—rememberthem?—werebulky,seldommorecapablethantheirtraditionalcounterparts,andmuchmoreexpensive.Forsomepeople,thetime-savingandcost-reducingcapabilitiesofthegadgetsbordersontechnologicalcocaine,andthesepeoplealmostcannotfunctionwithouttheirgadgets.Somebusinessandgovernmentorganizationshaveboughtintotechnologysomuchsothattheiroperationscantrulybetermed“network-centricbusiness.”WhatbetterwaytocounterthisthanwithIW?Notmanyyearsfromnow,IWwillbemainstream,andthosewhodonotparticipatewillfail.

Muchhypesurroundshackerexploitsandcomputer-basedviruses.Mosthacker,cracker,andphreakerexploitsandvirusesqualifyasfallingwithinIW,albeitatthelowendofthespectrum,becausethereisanattempttoinfluence,eitherdirectlyorindirectly,otherstotakeanaction.Approachesrangefromaltruistic(“Ifoundaholeinthesoftware.Developapatchforit.”)toanger(“Iwillmakethemmiserableforfiringme.”)tosocialawareness(“Stopdrugresearchonanimals.”)tocriminal(“Hereishowtodefeatthefraudcontrolandcomputersecuritysystemsoffill-in-the-blankcorporationasallarevulnerable,moreorless.”).Almostalloftheeventsandattacksfallintotherealmoftheft,extortion,fraud,andrelatedcriminalbehavior.Measuresmustbeemployedtoprotectanddefendcorporateandgovernmentsystemsbecauseindividuallosseshavealreadybeeninthetensandhundredsofmillionsofdollars.

Evenifyouhavetakenalltheappropriatemeasurestoprotectandsecureyourphysicalandvirtualassets,muchfallsoutsideyourspanofcontrol:protectedandsecuredpower,finance,communications,transportation,water,andcontinuityofgovernmentinfrastructures;security-richandbug-freecommercialoff-the-shelf(COTS)software;andthecreativityofcrackersandphreakerstofindnewvulnerabilitiesintechnologytoexploit.Also,youprobablycannotcontrolyourbusinesspartners’,customers’,financialstakeholders’,andsuppliers’IEsthatareconnectedtoyours.IfyouareanInternet-basedcompany,thenelectronicandmobile-commerceaccountsforthemajorityofyourrevenue.Anydisruptionandyourcustomerswillgotoyourcompetitors.Ifyouareatraditionalbricks-and-mortarcompanyexpandingintotheInternettoenhanceyourcustomers’abilitytodobusinesswithyou,businessinterruptionsanddisclosureofcustomerdatawilltaintyourreputationandcredibility.Businessinterruptioncanbecostlyonmanylevels.4

Whenproperlyemployed,IWisanagilecapabilitythatcanbetailoredtoanysituation.

Itcanbringamultitudeoffunctionstobear.Itcanbeimplementedinboththephysicalandthevirtualworlds.CentraltoIWishowitisusedtoinfluencedecision-makers.Magazines,radio,television,newspapers,leaflets,e-mail,webpages,socialmedia,andotherformsofmediacanallbeusedasavehicletodeliverIW.

IWshouldnotberestrictedtoasmallcadre.CertainlyonlyafewpeopleshouldknowaboutthesensitivedetailsthatwillmakeorbreaktheexecutionoftheIWplan.Allpartsofanenterprise,notjustanorganization,needtobelinkedforthemosteffectiveimplementationofIW.Anyorganizationhasafiniteportionofresources.Partnerships,alliances,consortia,andotherrelationshipscanservetoexpandanorganization’scapabilities.

Properuseofinformationiscentraltoprofitablebusinessandsuccessfulmilitaryoperations.IWisusedtoprovideyourorganizationacompetitiveadvantagewhilelimitingthecompetition’scapabilitytoreduceyouradvantageandincreasetheirown.EffectiveIWisnotpossiblewithoutcontrolofyourinformationenvironment.

AnIEisaninterrelatedsetofinformation,informationinfrastructure,andinformation-basedprocesses.Dataincludethemeasurementsusedasabasisforreasoning,discussion,orcalculation.Dataarerawinput.Informationappliestofactstold,read,orcommunicatedthatmaybeunorganizedandevenunrelated.Informationisthemeaningassignedtodata.Knowledgeisanorganizedbodyofinformation.Itisthecomprehensionandunderstandingconsequenttohavingacquiredandorganizedabodyoffacts.Informationasusedheremeansdata,information,andknowledge.Nodoubthorrifictopurists,thereisnoonegoodwordintheEnglishlanguagethatembracesallthreeconceptstogether.Allthreeprocessesexistwithinanyorganization.Atanygiventime,oneoftheprocesseswillbeofgreatervaluethantheothers.Yourcompetitionwantsyourinformation,sodonotbelievethat“gentlemendon’treadothergentlemen’smail.”

Informationmovesacrossinformationinfrastructuresinsupportofinformation-basedprocesses.Theinformationinfrastructureisthemediawithinwhichwedisplay,store,process,andtransmitinformation.Examplesarepeople,computers,fiber-opticcable,lasers,telephones,andsatellites.Examplesofinformation-basedprocessesaretheestablishedwaystoobtainandexchangeinformation.Thisincludespeopletopeople(e.g.,telephoneconversationsandofficemeetings),electroniccommerce/electronicdatainterchange,datamining,batchprocessing,andsurfingtheweb.Attacking(i.e.,denying,altering,ordestroying)oneormoreIEcomponentscanresultinthelossoftensofmillionsofdollarsinprofitorindegradednationalsecurityandcanbemoreeffectivethanphysicaldestruction.Degradeordestroyanyoneofthecomponentsand,likeathree-leggedstool,theIEwilleventuallycollapse.5

BeingPrepared-BadThingsWillHappenBadthingshappen,suchasfloods,hurricanes,andearthquakes;powersurgesandsags;andfires.Disgruntledemployeescansteal,manipulate,ordestroyinformation.Crackersworktheirwaythroughtheelectronicsieveofprotectionmechanisms(e.g.,firewallsandintrusiondetectiondevices)intoinformationassets.

Sounddisasterrecovery,businesscontinuity,andcontingencyoperatingplansareessential.Foreveryminuteinformationsystemsarenotupandfullyrunning,revenues,profits,andshareholdervaluearebeinglost.Thelastthingageneralcounselneedsisalawsuitfromunhappyshareholderswhoaresuingformillionsbecausethecorporationdidnotfollowbestpracticestoprotectinformation.OneproblemisthatCOTShardwareandsoftwareareverydifficulttoprotect.Anotherconcernisthatfirewalls,intrusiondetectiondevices,andpasswordsarenotenough.Thestate-of-the-artininformationassuranceisagainstscriptkiddiesandmoderatelyskilledhackers.Whataboutthecompetition,drugcartels,andhostilenation-statesthataresignificantlybetterfunded?Thereisnofirewallorintrusiondetectiondeviceonthemarketthatcannotbepenetratedorbypassed.Passworddictionariescancoveralmostanyentirelanguage,andthereareveryspecificdictionaries(e.g.,sports,StarTrek,orhistoricdatesandevents).

ThePossibleBreakdownsinanInformationEnvironmentIEsexistinternalandexternaltoanorganization.AnIEistailorablesoitcansupportmanyactors.AnIEcanconsistofacorporation,itscustomers,andthegovernment.AnotherIEcanbeamilitary,itsalliesandcoalitionpartners,andthegovernment.WhatevercomprisesaspecificIE,theimportantfactremains:ifitselementsarenotprotectedandsecured,theconsequencescanrangefromirritantstocatastrophes.

Anorganizationhasemployees.Theseemployeesdeliverproducts,services,andprocessestotheorganizationanditscustomers.Tokeeptheorganizationrunning,suppliersdeliverproducts,services,andprocesses.Financialstakeholders—venturecapitalists,banks,stockholders,andothers—providecapital.Thepublichasapositive,neutral,ornegativeviewoftheorganization.Strategicteamingpartnersprovidephysical,financial,cerebral,andothercapabilities.EveryentitywithwhichtheorganizationislinkedhasitsownIE.IEsareconnectedto,andareinterdependenton,otherIEs.

GoingbeyondThreeBlindMenDescribinganElephant:InformationWarfareTermsofReferenceIWcutsacrossnationalborders,educationalbackground,andculturalviews.Toensureaconsistentunderstandingduringthisdiscussion,workingdefinitionsofIWandmanysupportingtermsareoffered.Thisdoesnotprecludenationalinterpretationsandcertainlydoesnotattempttorationalize,harmonize,andnormalizedefinitions.Commontermsofreference(TOR)permitasharedunderstanding,aswellasapointofdepartureforapplyingtheTORwithinspecificorganizations.

GeorgeSantayanasaid,“Thosewhoignorethelessonsofhistoryarecondemnedtorepeatthem.”

Hereisanexampleofhowparochialismcausedadisaster.

InAugustandOctoberof1943,theAllieslaunchedairraidsagainstSchweinfurtwithdisastrousconsequences—fortheAllies.IntheAugustraid,of600planes,60werelostalongwith600crewmen.Why?Therewasnolong-rangefighterescort.Why?Inthe1920sand1930s,resourceswereallocatedforstrategicbombardmentoverpursuit.Why?GeneralEmilioDouhetandotherspostulatedthatairpoweralonecouldwinwarsbystrikingtheenemy’sstrategiccenters.Lessonlearned:Thedecisionsmadeinthe1920sand1930sledtothewrongtacticalemploymentadecadelater.WemustnotmakethesamemistakewithIW.Ifwedo,nationalsecurity,economicviability,andcorporatecapabilitieswillbelost.

ItseemsthatthereareasmanydefinitionsofIWandrelatedtopicsastherearepeople.Itisreminiscentofthreeblindmendescribinganelephantbytouchingtheanimal’svariousparts.Oneblindmansaid,“Anelephantisareptileandisthinandlong,”ashewastouchingthetail.Touchingthetusks,anotherblindmansaid,“Anelephantislikeabigfishwithitssmoothandpointedbody.”Thethirdblindmansaid,“Anelephantresemblesalargeleafwithaholeinthemiddle”becausehewastouchingtheears.Noneofthemcouldextrapolatetheirinterpretationstoarealelephant.Similarly,whatoneseesisnotnecessarilywhatonegets.“Ques-quec’est?”willbemispronouncedifonedoesnothaveabasicunderstandingofFrenchdiction.So,too,isitwithtermsusedtodescribevariouspracticesintheinformationrealm.

Althoughthenamesareinitiallyobtusetothosewhodonotworkinthoseareas,theseinformationpracticeshavebeenanormalevolutionincommunicationsandcomputersandalsothedark-sidemove/countermove/counter-countermove“coolwar.”Therearemanyothervariations.Littlewonderthetermsareunderstoodbyfewpeopleanderroneouslyusedinterchangeably.Fewunderstandthedifferencebetweenahacker,acracker,andaphreaker,muchlessawhite-hathacker.

Insomecases,moreterminologyonlydetracts.“Cyber”istoolimiting.Itisasif,ratherthanpushingthroughdifficultpointstoachievephilosophicalinsightsandtechnical

understanding,peoplecreatetermstodifferentiatethemselveswithoutknowingwhattheyaredoing.

Informationandknowledgearenowinvogue.WeareintheInformationAgeandrapidlytransitioningintotheKnowledgeAge.Acquiringtherightdata,derivinggoodinformation,andapplyingittomakesounddecisionstopositivelyaffectthebottomlineareessential.SearchengineshavemadefindinginformationontheInternetverysimple.

Witness,duringthepastatleast40 years,theexplosionofterminologyrelatedtotheprotectionofinformationandusinginformationfornationalsecuritypurposes.Themostimportantpointistounderstandthemeaningofthesetermsandwhatthedifferentfunctionscan—andcannot—dotomakeaninformeddecisionwhethertocommitresources(i.e.,people,money,andtime).

Manycountrieshavedevelopeddefinitions.IW,informationassurance,informationoperations,informationsuperiority,informationdominance,andotherconstructspopularintheU.S.militaryarepartoftherevolutioninmilitaryaffairsandinsecurityaffairs.Governmentorganizationsandbusinesseshavedevelopedadditionalterms,andsomedonotagreewiththenationalversion.Sotherecanbeapointofdepartureforthisdiscussion,definitionsacceptedbymanyareputforth.Insomecases,workingdefinitionswillbeused.ThefollowingdefinitionsarefromtheU.S.DoDDictionaryofMilitaryandAssociatedTerms:6

Commandandcontrolwarfare(C2W):Theintegrateduseofoperationssecurity,militarydeception,psychologicaloperations,electronicwarfare,andphysicaldestruction,mutuallysupportedbyintelligence,todenyinformationto,influence,degrade,ordestroyadversarycommandandcontrolcapabilities,whileprotectingfriendlycommandandcontrolcapabilitiesagainstsuchactions.C2Wisanapplicationofinformationwarfareinmilitaryoperationsandisasubsetofinformationwarfare.C2Wappliesacrosstherangeofmilitaryoperationsandalllevelsofconflict.C2Wisbothoffensiveanddefensive.

Defenseindepth:Thesitingofmutuallysupportingdefensepositionsdesignedtoabsorbandprogressivelyweakenattack,topreventinitialobservationsofthewholepositionbytheenemy,andtoallowthecommandertomaneuverthereserve.

Information:Facts,data,orinstructionsinanymediumorform.Themeaningthatahumanassignstodatabymeansoftheknownconventionsusedintheirrepresentation.Herearesome“oldiesbutgoodies”termsthatarestillvalidtodayastheydescribetheIW-relatedenvironment:

•Informationassurance:Informationoperationsthatprotectanddefendinformationandinformationsystemsbyensuringtheiravailability,integrity,authenticity,confidentiality,andnonrepudiation.Thisincludesprovidingforrestorationofinformationsystemsbyincorporatingprotection,detection,andreactioncapabilities.

•Information-basedprocesses:Processesthatcollect,analyze,anddisseminateinformationusinganymediumorform.Theseprocessesmaybestand-aloneprocessesorsubprocessesthat,takentogether,comprisealargersystemorsystemsofprocesses.

•Informationenvironment:Theaggregateofindividuals,organizations,orsystemsthatcollect,process,ordisseminateinformation;alsoincludedistheinformationitself.

•Informationsecurity:Theprotectionofinformationandinformationsystemsagainstunauthorizedaccessormodificationofinformation,whetherinstorage,processing,ortransit,andagainstdenial-of-servicetoauthorizedusers.Informationsecurityincludesthosemeasuresnecessarytodetect,document,andcountersuchthreats.Informationsecurityiscomposedofcomputersecurityandcommunicationssecurity.AlsocalledINFOSECorcybersecurity.

Anolderdefinitionfocusedononlyphysicalprotections:locks,alarms,safes,markingofdocuments,andsimilarphysicalworldcapabilities.

•Informationsystem:Theentireinfrastructure,organization,personnel,andcomponentsthatcollect,process,store,transmit,process,display,disseminate,andactoninformation.

•Informationwarfare:Informationoperationsconductedduringtimeofcrisisorconflicttoachieveorpromotespecificobjectivesoveraspecificadversaryoradversaries.

WecanexpandonthisbecauseofthedefinitionofIW.WhatisIW?Itismorethancomputernetworkattackanddefense.Thatalmosteveryoneagreeson.ButwhatelseisencompassedbyIW?HeateddebatesgoontodayaboutwhatIWshouldembraceandaccomplish.IWisanumbrellaconceptembracingmanydisciplines.IWismosteffectivewhenperformedinasynchronizedandcoherentfashion.Thatiswhyknowledgemanagement(KM)complementsitsowell.Allcomponentsofanorganization,aswellasacrosstheenterprise,needtobeincludedinanIWactionplan.

ThegoodnewsisthatIWembracesthemarketing,publicrelations,counterintelligence,andotherfunctionsyounowperform.IWisnotthesefunctionsrenamed.Theycontinuetoberunbythesubjectmatterexperts.IWisthecoherentapplicationandsynchronizedapproachofthesefunctions.Whatisneededareexpertswho,byanalogy,areconductorsoftheorchestra.Theyknowwheretheexpertiseresideswithintheorganization,understandwhatthefunctionscanandcannotdo,andbringthemtobearforoptimumperformance.Atpresent,onlythemilitaryinafewcountriescomesclosetounderstandingtherelationshipsandfunctionsoflinkingthephysicaldomainwiththevirtualrealmandhasbegunpolicydevelopmentandallocationofresources.Forthemostparttheequivalentdoesnotexistinindustry—yet.

ThepurposeofIWistocontrolorinfluenceadecision-maker’sactions.Anareaofcontrolcanbedirectlymanipulated,whereasanareaofinfluencecanbeonlyindirectlymanipulated.Controlandinfluencearetheessenceofpower.Fromabusinessperspective,sectorandindustry-leadingmarketshareandprofitaretheresultsofproperIWexecution.

Whatwouldmakeadecision-makeractornotact?Perhapsfalseormisleadinginformation,ananalysisofopensourceinformation,documentsmysteriouslyacquired,orintelligencefromanemployeehiredawayfromthecompetition.IWatthecorporatelevelmanifestsitselfinmarketing,publicrelations,legal,researchanddevelopment,

manufacturing,andotherfunctions.Withtheintroductionofcommercialhigh-resolutionsatellitephotography,somecompanieshavealteredtheirdeliveryandshipmentschedules,toincludeusingemptyrailcarsandsemitrailerstomaskinventory,productioncapability,andcustomerquantities.IWisafullspectrumofcapabilities.Ingredientsarecarefullyselectedandtailoredtoeachcase.

IWcanbeconductedwithoutusingphysicaldestruction.Bothmilitarypsychologicaloperationsandcommercialadvertisingdependheavilyonpsychologyandsociology,thestudyofindividualandgroupbehavior.Theimplicationsofthisinsightareenormous.BusinessesengageinIWallthetime,orisitthatonlytheeffectiveonesdo?

IWenablesdirectandindirectattacksfromanywhereintheworldinamatterofseconds.Physicalproximitytoatargetisnotnecessary.Howisthispossible?Becausewehavemadeconsciousandunconsciousdecisionstohavespeedandconnectivitywithoutcomplementarysecurity.InSunTzu’sandGenghisKhan’seras,physical,personnel,andoperationalsecuritywereallthatwasneededforprotection.Todaywehavefiberoptics,satellites,smartphonesandtabletcomputers,infraredandlasercommunications,interactivecabletelevision,andahostofothertechnologymarvelsthatallowusinafewsecondstoreachanywhere.Now,inseconds,ourinformationcanbeintercepted,modified,manipulated,andstolen.

NosimplesentenceorparagrapheffectivelydescribesIW.Therearebroadandnarrowinterpretationswithinnationalandinternationalgovernment,business,andacademiccommunities,andsomeeventotallyrejectthenotionofIW.TheoverallviewofIWmustbeexpansive.Informationiseverywhere.Wefindinformation,forexample,inmassmediasuchasradio,television,andnewspapers,atWorldWideWebsites,incommunicationssystems,andincomputernetworksandsystems.AnyandallmaybesubjectedtoattackviaoffensiveIW.ItfollowsthatalltheseareasmustbedefendedwithdefensiveIW.

OffensiveIWcanmakeagovernment,society,nation,orbusinessbendtothewilloftheattacker.Attackscanbeverylarge,devastating,andnoticed,suchaseconomicorsocialdisruptionorbreakdownanddenialofcriticalinfrastructure(e.g.,power,transportation,communications,andfinance)capabilities.Theycanalsobesmall,lowkey,andunassuming,suchasarequestforpublicationsandtelephonecalls(asthebasisforsocialengineering).Businessesdonothavethedeeppocketsofagovernment,butthatdoesnotrestrictthemfromengaginginIW.

Abusinesswantstodenythecompetitionorders,customers,andinformationaboutitsresearchanddevelopment.Industrialespionagehasitsshareofillegalactivities:theft,monitoringcommunications,anddenyinguseofserverstoconductelectroniccommerce.Governmentsengageinpsychologicaloperations(withthesubsetsofmis/disinformationandpropagandausingleaflets,television,andradiobroadcasts).Businessesmustidentifywhendisinformationisbeingusedtolurecustomersawayandhavethemeanstocounterit.Ofcourse,thatisstartingfromapositionofweakness.Whatisaproactive,defensiveIWapproachtocountertheattack?Inoculatethecustomers,suppliers,businesspartners,andothersintheIE.

DefensiveIWistheabilitytoprotectanddefendtheIE.Defensedoesnotimplyreactive.

Measurescanbetakentoforewarnofattacksandtoprepositionphysicalandvirtualforces.Examplesofvirtualforcesaresoftwareandbrainpower.Theacmeofskillistopresentaposturetopreventacompetitorfromattackingandtoachievevictorywithouthavingtoattack.Perceptionmanagementisasimportantasdemonstrablephysicalandvirtualcapabilities.

•Informationoperations(IO):Asstatedabove,forthepurposesofthisbook,IWisnotrestrictedtowar,soIOasdescribedbelowisincludedinIW.Actionstakentoaffectadversaryinformationandinformationsystemswhiledefendingone’sowninformationandinformationsystems.

•DefensiveIO:Theintegrationandcoordinationofpoliciesandprocedures,operations,personnel,andtechnologytoprotectanddefendinformationandinformationsystems.Defensiveinformationoperationsareconductedthroughinformationassurance,physicalsecurity,operationssecurity,counterdeception,counterpsychologicaloperations,counterintelligence,electronicwarfare,andspecialinformationoperations.Defensiveinformationoperationsensuretimely,accurate,andrelevantinformationaccesswhiledenyingadversariestheopportunitytoexploitfriendlyinformationandinformationsystemsfortheirownpurposes.

•OffensiveIO:Theintegrateduseofassignedandsupportingcapabilitiesandactivities,mutuallysupportedbyintelligence,toaffectadversarydecision-makerstoachieveorpromotespecificobjectives.Thesecapabilitiesandactivitiesinclude,butarenotlimitedto,operationssecurity,militarydeception,psychologicaloperations,electronicwarfare,physicalattackordestruction,andspecialinformationoperationsandcouldalsoincludecomputernetworkattack.

•Informationsuperiority:Thedegreeofdominanceintheinformationdomainthatpermitstheconductofoperationswithouteffectiveopposition.InformationsuperiorityistherelativestateofinfluenceandcontroloftheIEbetweentwoormoreactors.Somearguetheoppositeof“superiority”is“inferiority.”Thisisnotthecase.Allactorshaveequalaccesstoopensourceinformation.Restricted,sensitive,andclassifiedinformationcanbeacquiredthroughovertorcovertoperations.Havingthedata,information,andknowledgeisnotthekeytoattainingandmaintaininginformationsuperiority.Whatisdonewiththeinformationandthespeedatwhichitisdoneisthegoldnugget.Informationsharing,automation,cross-platforminformationsharing,andautomatingprocesses(suchasairtrafficcontrol,sales–manufacturing/production–inventory–transportation,andmilitaryintelligence–platformmaneuver–weaponsselectionandrelease–battledamageassessment)areessentialtohaveexecutioncyclesfasterthanthoseofthecompetition.

•Operationssecurity:Aprocessofidentifyingcriticalinformationandsubsequentlyanalyzingfriendlyactionsattendantonmilitaryoperationsandotheractivitiesto:(1)identifythoseactionsthatcanbeobservedbyadversaryintelligencesystems;(2)

determineindicatorsthathostileintelligencesystemsmightobtainwhatcouldbeinterpretedorpiecedtogethertoderivecriticalinformationintimetobeusefultoadversaries;and(3)selectandexecutemeasuresthateliminateorreducetoanacceptablelevelthevulnerabilitiesoffriendlyactionstoadversaryexploitation.AlsocalledOPSEC.

•Vulnerability:Ininformationoperations,aweaknessininformationsystemsecuritydesign,procedures,implementation,orinternalcontrolsthatcouldbeexploitedtogainunauthorizedaccesstoinformationorinformationsystems.

Inadditiontotheabovedefinitions,theU.S.NationalSecurityTelecommunicationsandInformationSystemsSecurityCommittee(NSTISSC)4009,NationalInformationSystemsSecurity(INFOSEC)Glossary14offersthefollowing:

•Attack:Typeofincidentinvolvingtheintentionalactofattemptingtobypassoneormoresecuritycontrols.

•Confidentiality:Assurancethatinformationisnotdisclosedtounauthorizedpersons,processes,ordevices.

•Criticalinfrastructure:Thosephysicalandcyber-basedsystemsessentialtotheminimumoperationsoftheeconomyandgovernment.

•Integrity:Qualityofaninformationsystem(IS)reflectingthelogicalcorrectnessandreliabilityoftheoperatingsystem;thelogicalcompletenessofthehardwareandsoftwareimplementingtheprotectionmechanisms;andtheconsistencyofdatastructuresandoccurrenceofthestoreddata.Notethat,inaformalsecuritymode,integrityisinterpretedmorenarrowlytomeanprotectionofunauthorizedmodificationordestructionofinformation.

•Nonrepudiation:Assurancethatthesenderofthedataisprovidedwithproofofdeliveryandtherecipientisprovidedwithproofofthesender’sidentitysothatneithercanlaterdenyhavingprocessedthedata.

•OPSEC:Processdenyinginformationtopotentialadversariesaboutcapabilitiesorintentionsbyidentifying,controlling,andprotectingunclassifiedgenericactivities.

•Probe:TypeofincidentinvolvinganattempttogatherinformationaboutanISfortheapparentpurposeofcircumventingitssecuritycontrols.

•Risk:PossibilitythataparticularthreatwilladverselyimpactanISbyexploitingaparticularvulnerability.

•Riskmanagement:Processofidentifyingandapplyingcountermeasurescommensuratewiththevalueoftheassetsprotectedbasedonariskassessment.

NeitherNSTISSC4009northeU.S.DoDDictionaryofMilitaryandAssociatedTermsdefinesconsequenceandconsequencemanagement.Risksaretheintersectionofthreatsandvulnerabilities.Residualrisksarethosethatremainaftermitigatingactions.Toplan

effectively,decision-makersneedtoknowtheconsequencesofvariouscoursesofactions.Theresidualrisksinfluencetheoutcomes.Theoutcomesarebestrepresentedviaconsequencemanagementcascadingeffects.Third-andfourth-ordereffects,orfurther,needtobewellestimatedforthebestcourseofactiontobechosen.

InformationWarfareIsaPowerfulApproachforAttainingandMaintainingaCompetitiveAdvantageThepurposeofabusinessistocreatevalueforitsshareholders,andthepurposeofagovernmentistoprovideforthecommongood.Fromabusinessviewpoint,beingeffectiveandefficientincurrentmarketsandopeningnewlinesofbusinessarekeytosustainedrevenuegenerationandprofits.Fromanationalsecurityperspective,weshouldexpectthemilitary,intelligencecommunity,andlawenforcementtodevelopandusecapabilitiestomaintainsovereignty,createandsustainpeaceandeconomicprosperity,andensurepublicsafetyfromcriminalsandmonopolies.Theseentitiescannotsurvivebyinsulatingthemselves.Theymustembrace,withintheirvaluesystem,whateverittakestogobeyondsurvivingto“thrive.”

HowtoUseIWtoAchieveGoalsandObjectivesComplexityinterwovenacrossgovernment,industry,andsocietypresentsadauntingchallengeforIW.Itisinthebestinterestofanygovernment,business,andotherorganizationtotakeprudentactiontodefendagainstinformationwarfareattacksandtobeabletolaunchthem.

Theadvancedhackerbreaksintoonlineshoppingexchanges,manipulatesorders,stealsmerchandise,plunderscreditcardnumbers—themodern-daypirate,highwayrobber,andWildWestoutlaw.Thosewhowouldbepartoftheonlineshoppingpopulationcometoexpectthismaliciousbehaviorbutarenotdissuadedfromshoppingonline.

Espionage,disinformation,physicaldestruction(normallypermittedbylawonlyforthemilitaryandlawenforcement),andotheractionsareameanstoanend.IWisahigher-level,cerebralactivity.Thetargetcanbeapopulation(thenationalwilloraspecificpolitical,religious,orethnicgroup),adespot,ageneral,oranyoneinanorganization.How,then,shouldIWbeappliedtoindustry?Afterall,iswarnotadeclarationofCongress,Parliament,orothergovernmententity?Ifabusinessisdestroyedbyanactofwarorterrorism,itwillnotberemuneratedbyinsurance.Isthisamisnomer?Bynomeans!

Becausebusinessiswar,theprinciplesofwarnormallyassociatedwiththemilitaryoughttobeapplied.Thesearenotrigid,andtheirapplicationistailoredtoeachuse.Objective,offensive,mass,economyofforce,unityofleadership,maneuver,security,surprise,andsimplicityaregenerallyrecognizedprinciplesthatwillbenefitanyorganization.ApplyingtheprinciplestocoherentandsynchronizedIWwillproduceapositivereturnoninvestment(ROI).

IntheITworld,determiningROIisconsideredtheHolyGrail.TheproblemforquantitativemetricsforIWisthatordersofmagnitudearemoredifficultbecauseofthemanydisciplines,manyorganizationallevels,andsheerscopeinvolved.Somepreferitthatwaybecauseitallowsthemtohidebehindclassifiedinformationandblackmagic.IfIWistobesuccessful,metricsarenecessary.Existingtraditionalmeasuresareagoodstart(e.g.,howmanyprobesdidourintrusiondetectionsystempickup?),butarenotsufficientlyexpansiveandprecise.Whatisthevalueofadatabase?Whatisthevalueofthatdatabaseafterithasbeensuccessfullydatamined?Becausequantitativemetricsneedtobedeveloped,qualitativeoneswillneedtobeused.

IWisanembracingapproach,customizabletoproducepositiveresultsinanyorganizationandtailorabletomeetthedemandsofthemarketplace.Bybalancingtriedandtruecapabilitieswithleading-edgetechnologiesandconcepts,IWremainsafreshandusefulapproachforachievinggoalsandobjectivesonthewaytoattainingandmaintainingacompetitiveadvantage.

CoherentKnowledge-BasedOperationsIWforIW’ssakeissenseless.IWmusthelpcountriesachievetheirnationalsecurityobjectivesandhelpbusinessesattaintheirgoals.WhenIWiscombinedwithKMandhowbusinessisdone,thecombinationprovidesapowerfulcapability.ApplyingIWwithKMresultsininformationsuperiority.WhenKMisappliedtohowbusinessisdone,situationalawarenesswillresult.CombiningIWwithhowbusinessisdonedeliverstactics,techniques,andprocedurestoattainacompetitiveadvantage.TheintersectionofIWwithKMandhowbusinessisdoneiscoherentknowledge-basedoperations(CKOs).CKOenablesacountryorabusinesstoattainandmaintainacompetitiveadvantagethroughthesynchronizationandcoherentapplicationofallofitscapabilitiesintheextendedIE.

Organizationsdabbleinmanypopmanagementfads.Well-intentionedornot,theseoftenarestovepipesolutionsthatdivertfiniteresources—people,money,andtime—fromtheorganization’scentralinterestsandobjectives.CKObringstogetherwhatappeartobeseveraldisparatecomponents.Coherentmeansanorderlyorlogicalrelationofpartsthataffordscomprehensionorrecognition.Thepartsarenetwork-centricbusiness(NCB)(howbusinessisdone),KM,andIW.Whenusedinconcert,theirsumisfarmorepowerfulthantheindividualcomponents,creatingapowerfulmeansofattainingandmaintainingacompetitiveadvantage.CKOcanbeusedtoexecuteandtosurviveIWattacks.

Network-CentricBusinessWearetoldthatweareintheInformationAge,ridetheinformationhighway,andarepartoftheknowledge-basedeconomy.Weconductelectroniccommerce,haveelectronicdatainterchangebetweencomputers,allowemployeestotelecommuteandhaveremoteaccess,andspendmillionsofdollarsonwebsitestoattractcustomerstobuyproductsandservices.Computersandrobotsareinthemanufacturingplants,personnelandmedicalrecordsareautomated,andmanyofusparticipateinautomateddepositsandbillpayments.Ifthecomputersstopped,notenoughtrainedandskilledpeoplecouldtakeoverthefunctionsinamanualsystem,andmanybusinessesandgovernmentfunctionswouldquicklycometoahalt.Computers,databases,andnetworksareasvitaltoabusinessasthecirculatoryandnervoussystemsaretoyourbody.Computersandnetworkshavebecomeasubiquitousastoasters,andnetwork-centricappliancesareintheworks.Thecurrentgenerationofsmartphonesaretheforerunnersoftoolswithtremendouscapability,limitedonlybyhumancreativity.IfyoudonotquicklygaincontrolofyourIE,doingsointhefuturewillbeexponentiallymoredifficult—andexpensive.ThemainadvantageofcontrollingyourIEisthatyourbottomlinewillimprove.

Thereisnofaster,moreeffective,ormoreefficientmeanstobeatthecompetitionthantouseNCB.NCBallowsanorganizationtotakemaximumadvantageofitsbusinessprocesses:takingandplacingorders,usingthesupplychain,conductingjust-in-timeproduction,andusingdistributionchannelstofieldproductsandservices.NCBleveragesnotonlyalltheresourceswithinanorganization,butalsoitscustomersandbusinesspartners.Theyareallpartofthesolutionsetthatdrivesthebottomline.Theresourceswithintheorganization—people,money,andtime—arefinite,butcanbeeffectivelyandefficientlyallocatedtoprovideoptimalsupporttocustomersandtomaximizethebottomline.5

KnowledgeManagementKMintegratestechnologies,processes,andculturalchangestoprovideameansforwell-informed,rapiddecision-makingviacollaborativeinformationandknowledgesharingbyvariedanddispersedorganizationsandindividuals.KMtenetsincludesupportfororganizationalprocesses,tailoredcontentdelivery,informationsharingandreuse,capturingtacitknowledgeaspartoftheworkprocess,situationalawarenessofinformationandknowledgeassets,andvaluation.KMenablesanorganizationtobemoreagile,flexible,andproactive.Theapproachisidealforintegrating,forexample,intelligence(e.g.,economicandopensource)andsecurity(e.g.,physical,personnel,andoperations),salesandproduction,andresearchanddevelopmentwithbusinessdevelopment.5

SummaryInformationwarfareisanembracingconceptthatbringstobearalltheresourcesofanation-stateorbusinessorganizationinacoherentandsynchronizedmannertocontroltheinformationenvironmentandtoattainandmaintainacompetitiveadvantageandgainpowerandinfluence.JudicioususeofIW,whencoupledwithKMandNCB,leadstoreducedoravoidedcosts,increasedrevenues,moresatisfiedcustomers,andlargerprofitsandnationalsecurity.GovernmentsandbusinessescanuseIWoffensivelyanddefensivelyinthephysicalandvirtualdomains.CounterstoIWdonothavetobeinkind;theycanbeno,low,orhightechnology,andtheycanbeasymmetric.NotconductingIWwillresultinareducedmarketpresenceandlowernationalsecurity.Althoughthenamemaychangeovertheyears,IWwillevolvefromitsnascentstageandbecomemainstreamin

20 years.Weprojectedthatin2002.Weareinfacttherealready.

IWoccurswhen,inthephysicalandvirtualdomains,youattackyourcompetitionortheyattackyou.IWisaboutsynchronizedandcoherentrelationshipsandcapabilities.Aspreviouslydiscussed,centraltoIWarethosephysicalandvirtualcapabilitiestocontroltheIE.

CKOcouplesIWinausefulapproachwithKMandhowtheorganizationdoesbusiness.Notonlyisthecorporation’sIEengaged,theresourcesofitsenterprisearebroughttobeartouseallitscapabilitiesinacoherentandsynchronizedmannertoseizeasgreatacompetitiveadvantageaspossible.Inthisfashion,acountrycancallonitsalliesandcoalitionpartners,andabusinesscancallonitssuppliersandbusinesspartnerssoasmuchknowledgeandasmanycapabilitiesaspossiblecanbebroughttobear.

NoteTheinformationpresentedthischapterwasliberallyquotedfromtheauthor’scoauthoredbookwithDr.AndyJonesentitledGlobalInformationWarfare,secondedition,andusedwiththekindpermissionofCRCPress,whopublishedthebook.

1TakenfromaGannettNewsServicearticle,September27,2001.2NetworkWorld,August10,1998.3“IfMostofYourRevenueIsfromE-Commerce,thenCyberInsuranceMakesSense,”PerryLuzwick,“SurvivingInformationWarfare”column,ComputerFraudandSecurity,aReed-Elsevierpublication,March2001.4Seefootnote3.5“What’saPoundofYourInformationWorth?ConstructsforCollaborationandConsistency,”PerryLuzwick,AmericanBarAssociation,StandingCommitteeonLawandNationalSecurity,NationalSecurityLawReport,August1999.6DepartmentofDefenseDictionaryofMilitaryandAssociatedTerms,April12,2001.

CHAPTER14

TheCyberSecurityOfficerandPrivacy,Ethical,andLiabilityIssues

AbstractThischapterdiscussestheissuesofethics,privacy,andliabilityastheyrelatetothecybersecurityofficer.

KeywordsBusinesspractices;Codeofethics;Corporateethics;Corporatevalues;Ethicalbehavior;Liability;Whistleblower

Ethicsisnotapolicingfunction.It’saboutcreatingthekindofclimateinwhichpeopleareencouragedtomaketherightdecisionsinthefirstplace.1

KentKresa

CONTENTS

IntroductiontoPrivacyIssues 273IntroductiontoEthicsIssues 274CodesofEthics 277CorporateEthics,StandardsofConduct,BusinessPractices,andCorporateValues 278LiabilityIssues 279QuestionstoConsider 280Summary 280

CHAPTEROBJECTIVE

Thischapterdiscussestheissuesofethics,privacy,andliabilityastheyrelatetothecybersecurityofficer.

IntroductiontoPrivacyIssuesMuchismadeoftheword“privacy”andtheprotectionofprivacy,privacyofanindividual’spersonalinformation,forexample.However,unlessyouhavebeenhiding

underarockforthelast,oh,50 yearsormore,youknowthatonlylipserviceisgiventoprivacyasanythingotherthanaconcept,a“nicetry,nowlet’smoveon”thing.

Forexample,whennetworksanddatabasesareattackedandcompromised,users’/customers’names,addresses,socialsecuritynumbers,creditcardnumbers,andthelikearestolenliterallybythemillions.

Whatdowemeanbyprivacyanyway?Well,accordingtotheSharpelectronicdictionary,privacyis“thestateorconditionofbeingfreefrombeingobservedordisturbedbyotherpeople.”

TheU.S.government’sDepartmentofJusticewebsitestatesthefollowing:

ThePrivacyActof1974,5U.S.C.§552a(2006),whichhasbeenineffectsinceSeptember27,1975,cangenerallybecharacterizedasanomnibus“codeoffairinformationpractices”thatattemptstoregulatethecollection,maintenance,use,anddisseminationofpersonalinformationbyfederalexecutivebranchagencies.However,theAct’simpreciselanguage,limitedlegislativehistory,andsomewhatoutdatedregulatoryguidelineshaverendereditadifficultstatutetodecipherandapply.Moreover,evenaftermorethanthirty-fiveyearsofadministrativeandjudicialanalysis,numerousPrivacyActissuesremainunresolvedorunexplored.AddingtotheseinterpretationaldifficultiesisthefactthatmanyearlierPrivacyActcasesareunpublisheddistrictcourtdecisions.Aparticulareffortismadeinthis“Overview”toclarifytheexistingstateofPrivacyActlawwhileatthesametimehighlightingthosecontroversial,unsettledareaswherefurtherlitigationandcaselawdevelopmentcanbeexpected.

Theinterestingthingisthatthereseemstobemoreexceptionsthannotforgovernmentagenciesandcorporations.Onejusthastolookatthemassivecollectionofinformationbeingconducted24/7byU.S.agenciesandthenation-statesofprettymuchtheworld.Ofcourse,theycitetheirneedtoinvadeourprivacyasbeingforourowngood;youknow,forourwell-beingandsecurity.Asacybersecurityofficer,youmaybeinvolvedinthisendeavor.

Corporationsdon’tdoitintheinterestofnationalsecuritybutintheinterestofgettingthatcompetitiveedge,identifyingandsellingtotargetedpotentialcustomers.Suchtechniquesaregettingmoresophisticateditseemsbytheday.Ofcourse,youvolunteertogiveupmuchofyourprivateinformationjusttobeabletomakeapurchaseordoanythingwithaboutanyoneonline.

Now,althoughweallabhorsuchinvasionofprivacy,asacorporateorgovernmentagencycybersecurityofficeryoumaybeinvolvedinsuchinvasionofprivacyasa

minimumbyensuringthattheinformationcollectedisproperlyprotected.Weknowfromthenumerousattacks,forexample,onTargetandSony,thatsomearen’tdoingaverygoodjob.

Asacybersecurityofficer,youMUSTfindadequatewaystoprotecttheinformationofthegovernmentagencyorcorporation.Afterall,thatiswhatyouaregettingpaidtodo—protecttheprivacyofindividualsandthecorporationorgovernmentagency.Sofar,how’sthatworkingforyou?

IntroductiontoEthicsIssuesWehearalotaboutethicsthesedays,whenitseemseveryoneisoutforthemselves,fromtheexecutivesofmajorcorporationstoasecretaryinasmallcompanyofficewhoperpetratesafraud.Onethingthatmakesaprofessionalatrueprofessionalisethicalconduct.Thatisespeciallyarequirementforacybersecurityofficer.

Whenyouthinkofethicsandethicalbehavior,whatcomestomind?Forsomeitmeans“doingtherightthing.”Butwhatisthe“right”thingtodo?Forsome,itisanythingthattheycangetawaywithwithoutviolatinganylaws.Infact,somenarrowlydefinebeingethicalasdoinganythingaslongasitdoesnotviolatelaws.However,ethicsandmoralitygohandandhand,butwhatismoral?Forexample,communistsbelievethatwhateverfurtherstheadvanceofcommunismismoralandactinginamannerthatdoesnotfurthercommunismisimmoral.

Rememberthatwetalkedearlierinthisbookaboutcommittingcrimes,andcommittingcrimestakesopportunity,motive,andrationalization.Thesameappliestoethicalbehavior.Youcanuseopportunity,motive,andrationalizationtodothe“right”thingortonotdowhatisright.

eth·ics[éthiks]noun

1.studyofmorality’seffectonconduct:thestudyofmoralstandardsandhowtheyaffectconduct(takesasingularverb);alsocalledmoralphilosophy;

2.codeofmorality:asystemofmoralprinciplesgoverningtheappropriateconductforanindividualorgroup(takesapluralverb).

[15thcentury;viaOldFrenchethiquesfrom,ultimately,Greekēthikē,fromēthikos“ethical”(seeethic).]2

Ifyoufindsomeone’swallet,youhavetheopportunitytokeepit.Supposethemotiveisthatyoudonothaveajobandyouhaveafamilytosupport.Youcanrationalizeitbysayingthatthemoneycanbuymuch-neededfoodforthefamily,andbesides,thepersonmustbewelloffbasedonthenumberofgoldandplatinumcreditcardsinthewallet.Let’ssaythatyoujustfoundthemoneyandthereisabsolutelynoevidenceindicatingtowhomitbelonged.Woulditthenbeoktokeepit?Theanswerinbothcasesisno.Why?Itdoesnotbelongtoyou.Therefore,evenifitwerenotagainstthelawtokeepthemoney,itwouldbestillunethical.However,sometimestheprocessisthatyouturnitovertothelocalpoliceandif,afterasetperiodoftime,nooneclaimsthemoney,itisyours.Thatwouldbeethicalbecauseyoufollowedthelocallyestablishedprocesses.Whataboutillegallycopyingsoftwareinviolationofcopyrightlaws?Isn’tthatalsounethical?

Theinterestingthingaboutethicsisthatitmayalsodependonyourculture.Forexample,thebusinesspersonwhogivesgiftstoaprocurementofficerinacorporationthatheorshewantstodobusinesswithmaybebreakingthelawinsomecountries,butsuchgiftsareexpectedinothers.Isitwrongtoacceptthegiftsinthosecountrieswherethatisatradition?No.Ofcourse,ifitviolatedalaworcompanypolicy,itwouldbeunethical

becauseviolatingalawisinitselfunethical.Addtoallthisthemoralissues,knowingwhatisrightandwhatiswrong,consideringwhatyouweretaughtgrowingup,andallthisbroughttogetherandintegratedineachofuswithourculture,workingenvironment,andthelike.Thephilosophyofmoralsandethicshasbeenthesubjectofstudyanddiscussionforcenturies.Wesurelywillnotprovidethedefinitiveanswershere.However,wemustunderstandthebasicsofethicsbecauseitdoeshaveanimpactonprotectingcorporateassets.

mor·al[máwrəl]adjective

1.involvingrightandwrong:relatingtoissuesofrightandwrongandtohowindividualsshouldbehave;

2.derivedfrompersonalconscience:basedonwhatsomebody’sconsciencesuggestsisrightorwrong,ratherthanonwhatthelawsaysshouldbedone;

3.intermsofnaturaljustice:regardedintermsofwhatisknowntoberightorjust,asopposedtowhatisofficiallyoroutwardlydeclaredtoberightorjust;amoralvictory;

4.encouraginggoodnessandrespectability:givingguidanceonhowtobehavedecentlyandhonorably;

5.goodbyacceptedstandards:goodorright,whenjudgedbythestandardsoftheaveragepersonorsocietyatlarge;

6.tellingrightfromwrong:abletodistinguishrightfromwrongandtomakedecisionsbasedonthatknowledge;

7.basedonconviction:basedonaninnerconviction,intheabsenceofphysicalproof.

noun(pluralmor·als)

1.valuablelessoninbehavior:aconclusionabouthowtobehaveorproceeddrawnfromastoryorevent;

2.finalsentenceofstorygivingadvice:ashort,preciserule,usuallywritteninaratherliterarystyleastheconclusiontoastory,usedtohelppeoplerememberthebestormostsensiblewaytobehave.

pluralnounmor·als

standardsofbehavior:principlesofrightandwrongastheygovernstandardsofgeneralorsexualbehavior.

[14thcentury;fromLatinmoralis,frommor-,stemofmos“custom,”inplural“morals”(sourceofEnglishmoraleandmorose).]3

Ethicalbehaviorisexpectedofeveryonewhoworksinacorporation.Few,ifany,corporationsoranytypeofbusinessorgovernmentagencywanttobeseenasdoinganythingunethical.

Somepeoplebelievethatifitisnotagainstthelaw,itisethical.Oftenitseemsthatcorporationsthatwalkafinelinebetweenlegalandillegalbehavioruseagreatdealofrationalizationtojustifytheiractions.However,inmostcircumstances,theethicalquestionremains:Yes,itislegal,butisittheethicalthingtodo?

Ifyouseesomeoneinyourcorporationdoingsomethingthatviolatescorporatepolicy,shouldyoureportthatpersontomanagement?Thisisprobablyanemployee’smostdifficultethicaldilemma.Insomenation-states,itisbettertonotreportanyone,evensomeonecommittingaseriouscrime,becausemanychildrenwerebroughtupnottobea“squealer,”a“fink,”a“snitch.”Insomesocieties,thatisalmostasbad,ifnotworse,ascommittingtheoffensethatisbeingreported.

Becauseoftheamountofunethicalbehaviorwithinsomecorporationsandnation-states,thereareprocessesbywhichone,sometimescalledawhistleblower,canreceivefinancialrewardsforidentifyingillegalorunethicalbehavior.However,asmuchascorporationsliketosaythattheyhaveanethicsprogramwithintheircorporation,whenanemployeecomesforthandreportsillegalactivities,itseemsthat,moreoftenthannot,heorsheisthesubjectofharassment,receivesnopromotions,andismadetofeelunwantedinthecorporation.Managementlooksuponthatpersonasonewhocouldnotbetrusted.Ironic,isn’tit?Apersonreportssomeone’sunethicalbehaviorinaccordancewiththecorporatepolicy.Thatperson,insteadofbeingconsideredanhonestandloyalemployee,isconsideredtobeuntrustworthy.TherearemanyexamplesofsuchconductwithinthecorporationsoftheUnitedStatesandothernation-states.Sufficeittosaythatcorporatemanagementcantoutanethicsprogram,butonethattrulyworksasstatedinthebrochuresisanothermatter.

CodesofEthicsMost,ifnotall,professionalassociationshaveacodeofethics.Theyareallaboutthesameinthatonemustdowhatisrightandreportwhatiswrong.Asacybersecurityprofessional,youmustbehaveinaprofessionalmanneratalltimesand,therefore,complywiththeprofessionalcodeofethics.

Itisquitepossiblethatmembersofassociationswithacodeofethicshaveactuallyneverreadthecodeofethics,eventhoughasacybersecurityprofessionalandmemberofoneormoresecurity-relatedassociations,youarerequiredtocomplywiththeassociation’scodeofethics.Infact,itcanevenbeconsideredunethicalnottohaveeverreadthecodeofethicsforthevariousassociationstowhichyouasacybersecurityprofessionalbelong.

Whatdoesthatsayaboutyouandyourprofessionalism?Onemaycounterbysayingthatheorshealwaysactsinanethicalmanneranddoesn’thavetoreadanycodeofethics.This“know-it-all”attitudeisasymptomofpossiblyamoreseriousmatter:theideathatonehasnomoretolearnaboutaninformationsecurity-relatedtopic.Thatnotonlyisimpossiblebutwillendupcostingthecorporationintermsofeffectivenessandefficiency.How?Becausethecybersecurityofficerwhoisnotcontinuouslylearningandapplyingnewandbettertechniquesdoesnottakeadvantageofnew(andpossiblybetterandcheaper)waysofprotectingassets.

Nowisagoodtimetotaketheopportunitytoreadsomecodesofethicsfromsecurity-relatedprofessionalassociations.Pleasetakethetimetosearchonline,read,understand,andapplythecodesofethicsasanintegralpartofyourjobandprofession.

CorporateEthics,StandardsofConduct,BusinessPractices,andCorporateValuesManycorporationsinmanycountriesoftheworldtodayconcernthemselveswithethics,standardsofconduct,businesspractices,andvalues.Whatdoesallthatmean?Basically,itstillmeansthatonemustknowthedifferencebetweenrightandwrong,acceptableconductandunacceptableconduct.Intoday’sworld,corporationsaresuccessfullysuedbecauseoftheunethicalconductoftheiremployees.Therefore,iffornootherreasonthanlossofrevenue,suchmattersareaseriousconcernofcorporatemanagement.

Therearecorporatepoliciesandawarenesstrainingsessionsgiventoemployeesandoftenspecialtraininggiventomanagement.Thisisbecauseitseemsthatitismostlymanagementthatisinvolvedinunethicalconduct.Forexample,managementmaydirecttheiremployeestoactinanunethicalmannerbytakingashortcutinamanufacturingprocesssuchasaqualitychecktogettheproductoutthedoorfaster.

Cybersecurityprofessionalsincorporationsareofteninvolvedinfollowinguponethicsmattersthathavebeenreportedbymanagersoremployees,eitherdirectlyorthroughacorporateethicshotline,forexample,noncompliancewiththecybersecurityprogram.Theethicshotlineprovidesacommunicationsmediumtoobtainreportsofunethicalbehavior.Itshouldneverbeusedtotrytoidentifythecallerifthatcallerdidnotleaveanyinformationrelativetohisorheridentity.Infact,todosowouldbeunethicalinitself,andoncewordgotoutofsuchconductbymanagement,thechancesofobtainingfurtherinformationconcerningunethicalbehaviorwouldbealmostzero.Ifthatdidoccur,thatmanagerseekingtheidentityofthecallershouldbethesubjectofanethicsinquiry.Oneshouldneverdwellsomuchonthemessengerasthemessage.Afterall,isn’tthattheobjectiveoftheethicsprogramandethicshotline?Itisamazinghowmanymanagersincorporationsfocusonidentifyingthecallerinsteadofactingontheinformationthecallerprovided.Thatalonetellsagreatdealabouttheethicsofsomemanagers.

Oneoftenhearsaboutmanagers“shootingthemessenger.”Anymanagerwhoverballyorotherwiseattacksthemessengeris“notgettingthemessage.”So,whatdoesthishavetodowiththeISSOandprofessionalism?Asanemployeeofacorporation,youhaveprobablybeenononeendortheother—orboth—ofsuchincidents.Thinkaboutit.Noonelikestoreceivebadnews,andfindingoutthroughsomeethicschannelthatsomeassetswerestolen,thatsomeonewasnotcomplyingwiththeassetsprotectionpolicies,andthatthispersonwasaseniorexecutivemaycausemanagementto“shootthemessenger.”

Asacybersecurityprofessional,youhaveaprofessionalresponsibilitynottoallowtheshootingofmessengers.Instead,youmustdirectmanagementeffortstotheidentifiedproblem.Ifyouarerequestedordirectedtodoallyoucantoidentifytheanonymousreporterofethicsviolations,youshouldexplainthatsuchconductisinviolationofthecorporateethicspolicyand,therefore,therequestordemanditselfisunethical.Unfortunately,itmaycostyouyourmeritraise,alessthanfavorableperformancereview,andthelike,butthatisapricethatyoumustbewillingtopay.Itisamatterofprinciple—

yourprofessionalintegrity—andthatmeansamatterofethicalconduct.

LiabilityIssuesOneoftheconsequencesofnotprovidingadequatecybersecurityisthesuccessfulattacksthatleadtoviolationsofprivacyandethics.Theseresultinoftenmassivelawsuitsinwhichthecorporationthatemploysyoumustpayout.Wearetalkingmillionsofdollars.

Yourjobisofcourseonthelinebecauseregardlessofyourtellingmanagementwhatneedstobedonefallingondeafmanagementears,youwillbeheldresponsible.Saying“Itoldyouso”and“Ididn’thaveenoughbudget”orsuchwillnothelpyou.Thebestyoucandoiscontinuallydocumentallthe“Itoldyouso’s”andrequestsforwhateveryouneededthatyoudidn’tget,forexample,staff,securitysoftware,etc.Itprobablywon’tstopyoufromgettingfiredbutmaybewillhelpwitha“wrongfuldischarge”lawsuit.

Theotherwaytohandlesuchissuesistoconvinceyourlegaldepartment,andthenforbothofyoutoadvisemanagement,oftheneedforinsurancetocoversuchlossesdueto,forexample,successfulhackerattacks.Inmanycases,itisaprudentbusinessdecision.

Cyberattackriskrequires$1 bnofinsurancecover,companieswarned4

4ft.com,April20,2015.

http://ft.com


•Doesyourcompanyhaveethicsandprivacyprograms?

•Areyouandyourstaffactivelyinvolvedintheprograms?

•Doyousupporttheprogramsbyconductinginquiriesintononcompliancewiththecybersecurityprogramorcompanyethicspolicies?

•Doesyourcorporationhaveanethicshotline?

•Doyoudiscussproperbehaviorwithyourstaff?

•Ifnot,whynot?

•Ifso,whatdoyoudiscussandhowoften?

•Doyouusethecorporateethicsandprivacyprogramstosupportfollowingthecybersecurityprogram?

•Ifso,doyoutrytogetmanagementtoviewacybersecuritynoncomplianceissueasalsoanethicsorprivacyissue?

•Haveyoudiscussedliabilityinsurancewithyourlegalstaff,maybeauditorsandmanagement?

SummaryCybersecurityprofessionalsmustbeextremelyhonestpeopleofhighintegrity.Afterall,theyknowthevulnerabilitiesofthecorporateinformationandinformationsystemsassetsaswellastheprotectionmechanisms.Thatisveryvaluableinformation.Cybersecurityofficersmustconductthemselvesinanethicalmanneratalltimes.Iftheybelongtoaprofessional,security-relatedassociation,theymustalsoadheretotheassociation’scodeofconduct.

Cybersecurityprofessionalsmustalsodotheirbesttoencourageallcorporateemployees,ledbyexecutivemanagement,toactinanethicalmannerwhendoingtheirworkatthecorporation.Thecybersecurityprogramwillbenefitthroughfewerinformationthefts,lessdamage,lessunauthorizedmodification,andfewercybersecurityviolationsandwillprovideforacorporatecybersecurityenvironmentthatisbetteroverall.

Aspartoftheirjob,theymustalsoprotecttheprivacyofthecorporation,employees,associates,subcontractors,andofcoursecustomers.Youmaybepersonallyliableifyourcybersecurityprogramfails.Certainlyyourcorporationwillbe.

1KentKresaisChairmanoftheBoardandCEOofNorthropGrummanCorporation.2EncartaWorldEnglishDictionary,©1999,MicrosoftCorporation.Allrightsreserved.DevelopedforMicrosoftbyBloomsburyPublishingPlc.3EncartaWorldEnglishDictionary,©1999,MicrosoftCorporation.Allrightsreserved.DevelopedforMicrosoftbyBloomsburyPublishingPlc.

CHAPTER15

ACareerasaCyberSecurityOfficer

AbstractThecybersecurityofficerprofessionalsofthetwenty-firstcenturymustpossessmanyskillsthatdifferfromthosepossessedbysomecurrentandpastcybersecurityofficerprofessionals.Inthischapter,thediscussionwillcenteronwhatarethenecessaryskillsthatacybersecurityofficerandprofessionalcybersecuritystaffshouldpossesstobesuccessful,aswellashowtoestablishandmaintainacybersecuritycareerdevelopmentprogram.2

KeywordsAdvisoryservices;Assessmentservices;Augmentationservices;Coldcallingpotentialcustomers;Cybersecurityconsultant;Cybersecurityoffice;Education;Securityimplementation

Amanmustservehistimetoeverytradesavecensure—criticsallarereadymade.1

LordByron

CONTENTS

Introduction 284TheCyberSecurityOfficer’sCareerDevelopmentProgram 285Education 286

HowtoMarketYourselfasaCyberSecurityOfficer 288InterviewingfortheCyberSecurityOfficerPosition 288BecomingaCyberSecurityConsultant 292EngagementSetup 296EngagementProcess 297AssessmentServices 298AdvisoryServices 299SecurityImplementation 299Augmentation 299LegalIssues 299InternationalAspects 299

Questions 300Summary 300

CHAPTEROBJECTIVE

Thecybersecurityofficerprofessionalsofthetwenty-firstcenturymust

possessmanyskillsthatdifferfromthosepossessedbysomecurrentandpastcybersecurityofficerprofessionals.Inthischapter,thediscussionwillcenteronwhatarethenecessaryskillsthatacybersecurityofficerandprofessionalcybersecuritystaffshouldpossesstobesuccessful,aswellashowtoestablishandmaintainacybersecuritycareerdevelopmentprogram.2

IntroductionChangesthathaveoccurredovertheyearsinthedutiesandresponsibilitiesofthecybersecurityofficerprofessionalincludeaworkingenvironmentthatinvolvesincreasing:

•Complexity;

•Rapidityofchange;

•Technologydependence;

•Technologydrivenness;

•Sophisticationoftheworkforce;

•Competitivenessinthebusinessworld;

•Instantcommunication;

•Informationavailabletomorepeoplethaneverbefore;

•Incidentsofcorporatefraud,waste,andabuse;

•Threatsto,andvulnerabilitiesof,corporateinformation-relatedassets;and

•Competitionforhigh-levelcybersecuritypositions.

Sincethistwenty-firstcenturyenvironmentmeansmorecompetitionforcybersecuritypositions,thosewhowanttosucceedinthiscareerfieldmustgainmoreexperienceandhavemoreeducationthaneverbefore—oratleastmorethantheothercybersecurityprofessionalstheyarecompetingagainst.

Thecorporateculture,cybersecurityduties,responsibilities,andpositionsvaryalmostasmuchasthenumberofcorporations.Manyoutsourcemuchoftheircybersecurityserviceandsupportfunctions,whileothersfinditmorecost-effectivetouseemployees.Nomatterwhattypeofcorporation—orgovernmentagencyforthatmatter—thatyouworkfor,themaingoalisstilltoprotecttheinformationandinformationsystemsassetsofthecompany(orgovernmentagency).

Corporationswanttohirecybersecurityprofessionalswhocandothatsuccessfullyatleastimpacttocostandschedules.

pro·fes·sion·al[prōféshən’l,prōféshnəl,prəféshən’l]adjective

verycompetent:showingahighdegreeofskillorcompetence

noun(pluralpro·fes·sion·als)

memberofaprofession:somebodywhoseoccupationrequiresextensiveeducationorspecializedtraining

somebodyverycompetent:somebodywhoshowsahighdegreeofskillorcompetence3

3Encarta®WorldEnglishDictionary©&(P)1999MicrosoftCorporation.Allrightsreserved.DevelopedforMicrosoftbyBloomsburyPublishingPlc.

Ifyouconsideryourselfacybersecurityprofessionalandwanttobetheworld’sbest,thenyouneedacareerdevelopmentprogram.

TheCyberSecurityOfficer’sCareerDevelopmentProgramSomequestionsyoumaywanttoaskyourselfaboutacybersecurityofficercareerare:

•Whatcybersecurity-relatedcareerdoIwanttogetinto?

•Why?

•Whatarethequalifications(educationandexperience)fortheentrylevelandothersecuritypositions?

•Whatarethepositions(specializations)withinthatprofession?

•ArethereanythatIwouldliketospecializein?

•Why?

•WhataretheotherpositionswithinthecybersecurityprofessionthatImaywanttospecializein?

•CanIlisttheminorderofpriority,includingtheireducationandexperiencerequirements?

Thecybersecurityofficerprofessionshouldberesearchedtoobtaintheanswerstotheabovequestionsby:

•Interviewingvariouscybersecurityofficerprofessionalsindifferenttypesofbusinesses,nonprofitentities,andgovernmentagencies;

•ResearchingthecybersecurityofficerprofessionanditsvariousspecialtiesthroughtheInternet;

•DiscussingtheprofessionwithrepresentativesfromtheAmericanSocietyforIndustrialSecurity,HighTechnologyCrimeInvestigationAssociation,AssociationofCertifiedFraudExaminers,InformationSystemsSecurityAssociation,andvarioustraininginstitutesanduniversitiesthatteachcybersecurity-relatedcourses;and

•Readingjobdescriptionsforcybersecurityofficerpositionsinthetradejournalsandnewspapersandthroughinterviewswithrecruiters.

Basedonthisresearch,youasacybersecurityprofessionalcanestablishacareerdevelopmentplanbeginningatahighlevelwithsubsectionsforeducationandexperienceforeachposition.

Thefuturecybersecurityofficermightalsosettwolimits:

•Experienceandeducationmustberelevanttoeventuallybecomingacybersecurityofficer.

•Timelearningthrougheducation,training,andgainingexperiencemustbescheduledso

thattheintermediarymilestonesandultimategoalcanbemet.

Thecybersecurityofficershouldalsoincludethegoalofsupervisoryandmanagementexperienceaswellasexperienceintheworldsoffinance,marketing,sales,accounting,investigations,communications,technology,internationaltravel,andhumanresources.Thecybersecurityofficershouldsetagoalofgraduallygainingincreasedresponsibility,experience,andeducationinsecurityjobsthatwouldpreparethecybersecurityofficerforahighlypaidcybersecurityofficerpositioninaninternationalcorporation.

Basedontheresearch,youmaycomeupwiththeideaofa“fourparallellines”approachtocareerdevelopment.Theseareitemsthatshouldbeintegratedintothecareerdevelopmentplan:

•Money—HowmuchdoIwant,andbywhen,tomeetmygoals?

•Position—WhatcybersecuritypositionspaymethemoneyIwanttomeetmygoalsbasedonmytimelineofgoals?

•Education—WhataretheeducationrequirementsforeachpositionIwanttoget?

•Experience—WhataretheexperiencerequirementsforeachpositionIwanttoget?

Thecybersecurityofficer’sgoalshouldbetobethemostqualifiedpersonforeachpositioninthecybersecurityofficer’sprofession.

Alsoduringresearch,thecybersecurityofficermayfindthattobethebestcybersecurityprofessionalrequiresonetohaveknowledge,education,andexperienceinareasotherthancybersecurity,including:

•Business

•Investigations

•Technology

•Dealingwithpeople

•Communicationsskills

•Management

•Writing

•Projectplanning

•Publicspeaking

•Majorforeignlanguageorlanguages

EducationTherearetwodifferentapproachesthatsomecybersecurityofficershaveused:

•Theybeganwithatechnicaleducationsuchasadegreeordegreesincomputerscience,mathematics,ortelecommunications.Becauseoftheirdegree,orprobablysomerelatedcybersecurityexperience,theywerechosenorvolunteeredtobethecompany’scybersecurityofficer.

•Theybeganwithageneraldegreesuchasbusiness,security,criminaljustice,orliberalartsandeventually,somehow,foundthemselvesinthecybersecurityofficerposition.Andonceinthatposition,theylikeditanddecidedtostayinthecybersecurityofficerprofession.

Intoday’senvironment,acollegedegreewithamajorincomputerscienceortelecommunicationsisoneofthebestwaystostartacybersecurityofficercareer.Analternativeistomajorincybersecurity.Ascollegesanduniversitiesseethedemandforsuchsubjects,theywilloffermorecybersecuritycoursesandprograms.Astheneedforcybersecuritygrows,moreuniversitiesandcollegeswillbegintooffermajorsincybersecurity.

Analternativetoacollegeoruniversityisatechnicalschoolthatofferscybersecurity-relatedspecializedprogramsinvariousaspectsofthecomputerandtelecommunicationsfunctions.Thistrainingusuallyoffershands-onexperienceandmayprovideafasteravenueintothecybersecurityprofession.Also,manycollegesanduniversitiesoffercertificatesinaspecializedcybersecurityofficer-relatedfieldsuchaslocalareanetworksandtelecommunications.Thesecoursescanalsobeappliedtothedegreeprogram,butcheckthecollegeoruniversitytobesure.Thosewhochoosethetechnicaltrainingpathshouldstillpursueacollegedegreethatwillenhancepromotionopportunitiesinthecybersecurityofficerprofession.

Education,whethertechnicaloracademic,providesthefuturecybersecurityofficerwithanopportunityformorecybersecurityofficerpositions.

Intoday’smarketplace,theneedforexperiencecoupledwithadvanceddegreesandcertificationshasincreased.Ithasincreasedtothepointatwhichallyoureducation,experience,andcertificationsonlygetyouthroughthefirstresumefilteringprocess.Itistheinterviewthatwillgetyouthejob.

Whatelsecanonedotoprepareforsuchapositionandalsomaintainaworkingknowledgeofallthatisassociatedwithandneededtobeacybersecurityofficer?Theseincludeknowledgegainedthrough:

•Conferencesandtrainingclasses;

•Networkingwithothersintheprofession;

•Usingtradejournalsandmagazinestolearnmore;

•Experience,whichisalwaysagoodtrainer;

•Certifications—knowledgegainedstudyingforcertifications;and

•Joiningassociationsandattendingtheirmeetings,whereinformationcanbegained.

HowtoMarketYourselfasaCyberSecurityOfficerWorkisaresponsibilitymostadultsassume,aburdenattimes,acomplication,butalsoachallengethat,likechildren,requiresenormousenergyandthatholdsthepotentialforqualitative,aswellasquantitative,rewards.

MelindaM.Marshall4

4TheColumbiaWorldofQuotations.1996(http://www.bartleby.com/66/2/38002.html);MelindaM.Marshall(20thcentury),U.S.writerandeditor.GoodEnoughMothers,introduction(1993).

Sometimesacybersecurityofficerwillhavesomeconflictswhenitcomestoseekingoutanewpositioninsteadofstayinga“loyalcompanyemployee.”Thereshouldnotbeanysuchconflict,becauseintoday’sbusinessworld,itseemsthatitisseldomthatthecorporationisloyaltotheemployees,sowhyshouldtheemployeesbeloyaltothecorporation?

Ifyouarehappydoingwhatyouaredoingandwouldliketodothesamethingfortherestofyourlifeinthesamecompany,thendoit.However,onewordofcaution—intoday’scorporateworld,nopositionseemstolastforever,anditappearsthattoday’scorporationsdonotwanttheiremployeestostayforever.So,itisalwaysbettertobepreparedbyhavingabackupplanintheeventyouarenotifiedthatyourservicesarenolongerwanted.

Alsorememberthatitiseasiertofindajobifyoualreadyhaveajob.So,thebesttimetofindoutyourworthasacybersecurityofficeristolookforadvancementopportunitiesorlateralopportunitiesforothercybersecuritypositionswhileyouarestillemployed.Ifnothingelse,theemploymentinterviewswillkeepyouinpracticeandhelpyoufine-tuneyourinterviewskillsandyourpersonalportfolio.

InterviewingfortheCyberSecurityOfficerPositionCongratulations!Yourresumehasfinallymadeitthroughthefilteringprocessandyouarebeingaskedtoappearforaninterview.Youwillprobablyfindthatcybersecurityofficerpositionsareverycompetitive,withtalentedcybersecurityofficerprofessionalscompetingagainstyouforeachofthosepositions.So,youmustbeprepared.Aswithmostjobinterviewsthesedays,youwillprobablybesubjectedtoaseriesofinterviewsconsistingofmembersofthehumanresourcesdepartment,informationsystems

http://www.bartleby.com/66/2/38002.html

organization,auditors,andsecuritypersonnel.

Don’tbenervous,butthisinterviewiswhatwillputyoubackontheroadtocybersecurityofficerjobhuntingorofferyouthechallengesofthenewcybersecurityofficerposition.So,youmustbeprepared!

Therearemanybooksonthemarkettellingyouhowtointerviewforaposition.Theyofferadviceoneverythingfromhowtodresstohowtoanswerthe“motherofallinterviewquestions”—Whatareyoursalaryexpectations?

Itisnotthepurposeofthisbooktohelpyouanswerthosecommoninterviewquestions.Itisassumedthatyouwillhavereadthosebooks,andthatyouhavepreparedandpracticedfortheupcominginterview.Thepurposeofthissectionistoshowyouhowyoumaybeabletoseparateyourselffromyourcybersecurityofficercompetition.

Youhaveprobablyalreadyinterviewedmoretimesthanyoucaretoadmit.Inallthoseinterviews,youprobably,likeyourpeers,walkedinwearingdark,conservativebusinessattire,neatlygroomed,andpreparedtoansweranyquestionthrownatyou.Thequestionis,whatseparatedyoufromyourcompetitors?Whatwasitthatwouldmaketheinterviewersrememberyouandchooseyouabovetherest?

Youprobablyansweredmostquestionsinthemostpoliticallycorrectway,forexample,“Whatisyourmajorweakness?”Answer:“MymajorweaknessisthatIhaveverylittlepatienceforthosewhodon’tliveuptotheircommitments.Whensomeoneagreestocompleteaprojectbyaspecificdate,Iexpectthatdatetobemetunlesstheprojectleadercomestomeinadvanceofthedeadlineandexplainsthereasonthatdatecan’tbemet.Ibelieveinateameffort,andallofus,asvitalmembersofthatteam,mustworktogethertoprovidetheserviceandsupportneededtoassistthecompanyinmeetingitsgoals.”

Willthatanswertothatquestionbeconsideredaweaknessorstrengthbytheinterviewers?Probablyastrength,butthatishowthegameisplayed.

Manyintervieweeshave“beenthereanddonethat”butstilldidn’tgettheposition.Why?Maybebecauseouranswers“float”intheinterviewroomair.Theyhangthereminglingwiththoseoftheothercandidatesbeforeusandwillbeminglingagainwiththecandidatesthatcomeafterus.

Theonlyreal,lastingevidenceoftheinterviewiswhatwaswrittendownbytheinterviewersandwhatimpressionsyou,theprospectivecybersecurityofficer,leftintheirminds!Manyoftheinterviewersare“screeners,”humanresourcepeoplewhohavenoclueastowhatcybersecurityisallabout.Theyaretherebecausewedoteamingtoday.

Weoperatebyconsensus.So,gettingselectedmaybemuchmoredifficult.

So,youneedonething—onethingthatwillleavealastingimpressionontheinterviewers.Onethingthatwillshowthemyouhavethetalents,theappliededucation(that’seducationthatyougainedincollegeandotherplacesandsomethingthatyoucanactuallyuseinthebusinessworld!),theexperience,andthegameplan.You’vedoneit!You’vebeensuccessfulinbuildingacybersecurityprogrambefore,andyouwillbesuccessfulagain.Youcanprovethatyoucandoitbecauseyouhaveyourcybersecurity

officerportfolio!

Thenextquestionthatthereadermayaskis,“Whattheheckismycybersecurityofficerportfolio?”Youprobablyhaveseenmoviesinwhichthemodelsshowupatthemodelstudioormoviestudioandpresentafoldercontainingphotographsofthemselvesinvariousposes.No,sorry—yourphotowillprobablynothelpyougetthecybersecurityofficerposition—butthinkaboutit.Theytookwiththemtotheirinterviewphysicalevidenceintheformofphotographs,meanttoprovethatheorshewasthebestpersonfortheposition.

Whatyoumustdoisdevelopyourownportfoliototakewithyouandleavewiththeinterviewers—proofthatyou’vebeenthere,donethat.Youarethebestpersonfortheposition.It’sallthereintheportfolio.

Yourcybersecurityofficerportfolioissomethingyoushouldbeginbuildingassoonasyoubeginyourfirstcybersecurityofficerjoborbefore.Itshouldcontainanindexandidentifiedsectionsthatincludelettersofreference,lettersofappreciation,copiesofawardcertificates,projectplans,metricchartsyouuseformeasuringthesuccessofyourcybersecurityprograms,and,probablymostimportant,yourcybersecurityphilosophyandcybersecurityplanoutlinethatyouwillimplementassoonasyouarehired.

Thecybersecurityplanisprobablythemostimportantdocumentinyourportfolioandshouldbethefirstpageafteryourindex.Alltheotherdocumentsarejustproofthatwhatyouplantodo,you’vedonebefore.

Inthecaseofsomeonewhohasneverbeenacybersecurityofficer,theprospectivecybersecurityofficercanbuildhisorhercybersecurityplanandcybersecurityportfoliofromtheinformationprovidedinthisbook.Builditforanimaginarycorporation.

Thenextquestionthatmayariseis,“IfIneverworkedthere,howdoIknowwhatIshoulddoifIgethired?”Again,gobacktodoingsomeresearch.Rememberthatifyoureallywantthisjob,youhavetoworkatleastashardtogetitasyouwillonceyoudogetit.

YourfirststopshouldbetheInternet.Findoutaboutthecompany.Someinformationthatyoushouldknowis:

•Whenwasitstarted?

•Whatareitsproducts?

•Howisthecompanystockdoing?

•Wherearetheirofficeslocated,etc.?

Youshouldalsostopbythecompanyandpickupanapplication,anycompanybrochuresavailable,theirbenefitspamphlets,etc.

Youshouldstudytheinformation,completetheapplication,andplaceitinyourportfolio.Afterall,iftheydecidetohireyou,you’dhavetofilloneoutanyway.Youshouldgointotheinterviewknowingasmuchifnotmoreaboutthecompanyasthe

peopleinterviewingyou.Thisisinvaluable,especiallyifyouareinterviewingforasenior-levelposition.Theseinterviewswillundoubtedlyincludemembersoftheexecutivemanagement.Yourabilitytotalkabouttheircompanyinbusinesstermswithanunderstandingofthecompanywillundoubtedlyimpressthemandindicatethatyouarebusiness-oriented.

Allyouranswerstotheinterviewers’questionsshouldbedirectedtosomethinginyourportfolio.Forexample,iftheyaskyouhowyouwoulddealwithdownsizinginyourdepartmentandwhatimpactthatwouldhaveonyourabilitytoadequatelyprotectthecompany’sinformationanditsrelatedsystems,howwouldyouanswer?

Youshouldbeabletodirectthemtoaprocesschart,ametric,somethingthatindicatesthatyouhavedoneitbefore,orthatyouhaveabusiness-orientedapproachtodealingwiththeissue.

Ifyouhavenotdoneitbefore,writedownhowyoucould,andwould,performthesefunctions,assessthecybersecurityprogram,etc.

Theportfoliocanworkforanynewcybersecurityofficerinanycompany.Thefollowingisasampleportfoliooutline,whichcanbeusedasaguidebyaneworexperiencedcybersecurityofficer.Inthiscase,itisthecybersecurityofficerapplyingforthecybersecurityofficerposition.It’suptoyoutofillinthedetails.Manyoftheideasofwhattoputinyourcybersecurityportfoliowillbefoundinthisbook.

Youwillnotethattheprospectivecybersecurityofficerapplyingforthecorporatepositionhasdonetheresearchnecessarytotailoracybersecurityprogramforthecorporation.Thebeautyofbuildingthistypeofportfolioisthatitseemsspecific,andyetit’sgeneric.

Thecybersecurityofficershouldalsopracticeinterviewingskills.Theresumeorpersonalcontactsmaygetyoutheinterview,buttheinterviewwillgetyouthejob.Beforeanyinterviews,andduringtheinterview,youmustdothefollowing:

•Learnallyoucanaboutthepotentialemployer;

•Readandlearnfrombooks,magazines,andthelikeaboutinterviewsandproperclothingtowear;

•Prepareanswerstotypicalquestionsthatwillbeasked,andpracticeansweringthemwithoutseemingasthoughtheanswerswererehearsed;

•Developandmaintainanupdatedworkportfolio;

•Duringtheinterviewalwaysreferto“we”or“us”insteadof“I”and“you”asmuchaspossible,soitseemsasifyoualreadyhavethejobandarejustbriefingfellowemployees;and

•Referinterviewerstoyourportfolioinansweringtheirquestions.

Thefollowingisafictionalscenarioofoneindividual’scybersecurityjobhunt:

Thecybersecurityofficerestablishedacareerdevelopmentplanasaformalprojectplanwithanobjective,goals,milestones,andtasks.Theprojectplanhelpedthecybersecurityofficerfocusoncareerprogression,andalsothatfocusmadeiteasiernottogetsidetrackedandwastetimeonmattersthatdidnotlendthemselvestomeetingtheprojectplanmilestones.Thecybersecurityofficercontinuallyupdatedtheplan.Attheendofeachcalendaryear,thecybersecurityofficerwouldanalyzetheprogressinmeetingtheplangoalsandobjective.Regardlessofwhethertheplanprogressedaheadofscheduleorbehindschedule,thereasonsforthechangewerenotedandlessonslearned.Thentheupdatedplanwouldbeusedforthenextyear.

Overtheyears,thecybersecurityofficerdevelopedaportfolio.Intheportfolio,thecybersecurityofficermaintainedaplanthatwouldbecontinuallyupdatedandusedduringallinterviews,withextracopiesavailablefortheinterviewers,andthecybersecurityofficersuccessfullyuseditforthecorporation.

Whenotherswentthroughtheinterviewprocessansweringtheinterviewers’questions,theirresponseswerelostintheairlikesmoke;however,thiscybersecurityofficer’sthoughts,experience,education,planforacybersecurityprogram,andotherinformationrelevanttomeetingthecorporation’sneedsweredownonpaperandcouldbereferredtobytheinterviewers.

Thisportfolioalsoindicatedapersonwhowasorganizedandcameinwithanactionplan.Furthermore,sincethiscybersecurityofficerresearchedthecorporationpriortobeinginterviewed,thecybersecurityofficerwasintimatelyfamiliarwiththecorporationandevenofferedsomeinformationaboutthecorporationthatwasnewtosomeoftheinterviewers.

BecomingaCyberSecurityConsultantIfyouwishtosucceed,consultthreeoldpeople.

ChineseProverb

Tobeinanytypeofprofessionworkingforoneselftakesaspecialtypeofpersonalitytosucceed.Afterall,thereisnoonetocontinuetopayyouwhenyouareonvacation,nobenefitsthatyoudon’thavetopayfor,andifyoudecidetojusthangaroundtheofficeandnotwork,youwon’tgetpaidforthat,either.Thereisnosafetynet,nopaidtimeoffwhensick.Nowork—nopay.Fortheindependentconsultant,theoldsaying“timeismoney”iscertainlytrue.Inaddition,thereisaconstantneedtomaintaincontacts(potentialcustomers)andkeepupwithhightechnology,andofcoursethereisthealmostconstanttravel.

Somecybersecurityofficersandmanagersmayhavetheconnectionsandbelievethattheyarewellthoughtofascybersecurityprofessionals,calledupontolectureatconferences,assistclientswiththeircybersecurityneeds,andthelike.However,thosethatdosoasamemberofalargefirm,suchasalargeaccounting–consultingfirm,believethatitistheywhoaretheonesthatdrawclientstothemforhelp,wheninfactitisusually

notthatatall.Itisusuallythelargecorporatenamethatbringstheseclientstothecybersecurityperson.

Somecybersecuritymanagersandtechniciansdon’trealizethisfact.Thenwhentheydecidetogooutontheirownascybersecurityconsultants,theyfindthatwhattheythoughtwasagreatclientbaseonwhichtobuildtheirbusinesstradeturnsouttobetheclientbaseoftheirformeremployer,andtheyaren’tswitchingtoyourfirm.Furthermore,therearelegalandethicalmattersrelatingto“stealing”clientsawayfromaformeremployer.Whentheshockofthisfacthitsthem,theyfindthemselvesscramblingforclients.

Someadviceforthosewhomaybereadytotakethecybersecurityconsultingplunge:Besurethatyouobjectivelyinventoryyourskillsandpotentialclientbase,andalsohaveatleasttwoyearsofyourcurrentsalary(includingfundsforequivalentbenefits)safelyinthebank.Thatemergencyfundwillprovideayearormoreofincomeasyougrowyourbusiness.Ifnothingelse,itwillprovideagoodemergencyfundforsomeleantimesorforthetimeswhenyouwillwanttotakeabreakforaweekortwoandgoonvacation.Afterall,youhavetopayforyourowndaysoffnow.Oh,anddon’tforgetinsurancessuchas“errorsandomissions,”alsoknownasprofessionalliabilityinsurance,generalliability,andworker’scompensation.

Someclientsrequireproofofsomeorallofthesepoliciesbeforeyousetfootinthedoor.Withallthatsaid,ifyouhavetheeducation,experience,businesssense,andpersonalitytohandlebeingoutonyourown,itdoesofferitsownrewards.

Theserewardsincludesettingyourownscheduleandhours,beingyourownboss,vacationingwheneveryoulike,doingityourway—butwaitaminute,that’snotcompletelytrue.

Yourhourswillbesetbyyourworkloadandyourclients.Youwillbeabletodotheworkprettymuchyourway,butdoingonlytheworkthatmeetstheclients’needs.Andvacationscanbecutshortbyanurgentclientneed.Youreallycan’taffordtopostponeanurgentclientrequest,asyourisklosingtheclienttoacompetitor.Paymentsfromclientsmaybeslowincomingandtheymaybeshockedbytheirbillforservicesrendered,causingyoutonegotiateorgetyourlawyertonegotiateforyou.Thatmeansadditionalcostsifyoucan’tgetyourlawyer’scostsportedovertotheclients.However,onethingiscertain:Whensuchissuesarise,youmayeventuallygetyourmoney,butyouwillprobablyneverdobusinesswiththatclientagain.Howmanyclientscanyouaffordtolose?

Beingacybersecurityconsultantlooksgreatonpaperanditmaydoyouregogood,butafterawhiletherealworldtakesover.It’satoughlifeandnotforthefaintatheart.So,beforeyouthinkaboutit,besureyouhaveagoodbusinessplanandonethatisdoneobjectively.Also,besureyoucansupportyourselfandyourfamilywithoutworkforextendedperiodsoftime.Yes,itsoundsgreat,butmaybethatsalary,thoseworkingconditions,andthatbossweren’tallthatbad?

However,youhavesuccessfullyworkedyourcareerplanandhavedevelopedthe

educationandexperienceovertheyearsthathavegivenyoutheconfidencetothinkaboutgoingoutonyourownasacybersecurityconsultant.Youhavehadarticlespublishedinmagazines,havelecturedinternationally,andhavedevelopedareputationasaprofessionalcybersecurityofficer.So,youthinkyouareaboutreadyforthiscareermove.Ifso,youneedaplan.

Ifyoudecidetobecomeanindependentcybersecurityconsultant,thefirstthingyoushoulddoisdevelopabusinessplan—beforeyouresignfromyourcurrentjob.Developingtheplanmayultimatelymakeyoudecidethatyoudon’twanttoorcan’tmakeitasanindependentcybersecurityconsultant.Therearemanysamplebusinessplansavailableinbooksandassoftwareprogramsthatcanhelpyougetstarted.

Regardlessofhowyouproceedtodevelopyourcybersecuritybusinessconsultingplan,youmustbeobjective.Ifyouaretoassumeanything,assumetheworst.Thatway,youwillbepreparedfortheworst-casescenarioandwillbeabletosuccessfullydealwithit.Yourplanshouldbelookedatasaprojectplanand,asaminimum,shouldaddressthefollowing:

•Yourbusinessgoalsandobjectives;

•Whyyouwanttostartthisbusiness;

•Youreducationandexperienceskillsandwhethertheywillfityourconsultingbusiness—berealistic;

•Howmuchmoneyyouwillneedtobegin;

•Howmuchmoneyyouhave;

•Howyouwillgetthemoneyyoudon’thavebutneed;

•Howyouwillfinanciallysurvivewhenbusinessisslow;

•Ifyouhaveafamilyorsignificantother,whethertheywillsupportyou;

•Ifnot,whetheryoumighthavetodecideyourrelationship–businesspriorities;

•Whetheryouarewillingtotravelthemajorityofyourtime—afterall,youmustgotoclientsandnotthemtoyou;

•Whatstepsyouwilltaketobeginthebusinessandthecostforeachlineitemortask;

•Whetheryouwillincorporateyourbusiness;

•Whetheryouknowthemarketplace—yourcompetitors;

•Whetheryouofferbetterservicesatlowerprices;

•Yourcompetitors’strengthsandweaknesses;

•Yourstrengthsandweaknesses;

•Acompletecompetitiveanalysis;

•Acompletemarketscope;

•Whetheryoushouldhavealogoandbusinessmotto,andifso,whattheywillbeandwhy;

•Whetheryoushouldgetalawyertoassistyou;

•Whetheryouwillhavecopyrightedmaterial,trademarks,and/ortradesecretsand,ifso,howyouwillhandlethoseprocesses;

•Whetheryouhavestandardinvoices,proposals,confidentialityagreements,contracts,andbillingandgeneralbusinessprocessesandformsinplaceandreadyforuse;

•Whetheryouhavetrustedcybersecurityspecialistsavailabletosupportyourcontractsassubcontractors(afterall,youcan’tbeexperiencedineverything);

•Howyouwillobtainbusiness;

•Howmuchyouwillchargeforwhatwork;and

•Whetheryouareawareofthelawsandregulationsthataffectyoudoingbusiness.

Thesearebutafewofthemanyquestionsthatyoushouldanswerbeforemakingtheplungeintothecybersecurityconsultingservicesbusiness.Rememberalsotheguidingprinciplesthatyoushouldemploy:

•Confidentiality;

•Objectivity;

•Professionalism;

•Respect;

•Integrity;

•Honesty;

•Quality;

•Efficiency;and

•Clientfocus(“we”).

Onceyouhaveyourbusinessplaninplaceandhavedecidedtobecomeanindependentcybersecurityconsultant,yourplanshouldprovideyouwithastep-by-stepapproachtogettingstarted.5Let’sbreakdownthecybersecurityconsultingbusinessintosections:

•Engagementsetup

•Engagementprocess

•Assessmentservices

•Advisoryservices

•Securityimplementation

•Augmentation

•Legalissues

•Internationalaspects

EngagementSetupTobegin,youneedan“entryintothebusiness”strategy.Youmusthaveestablishedandcontinuetorefineyourinformationnetwork(trustedcontactswithinyourbusinessarenawhocantellyouwhatisgoingonwhere,etc.).Youmustalsouseothersourcestofindyourpotentialcustomers—orclients,assomeliketocallthem.Suchothersourcesincludereferralsandmarketingthroughbrochures,pamphlets,lectures,books,articles,andyourbusinesswebsite.Italsoincludes“coldcalling”potentialcustomersandexplainingtothemwhatservicesyouoffer.

Onceyouhavemadecontactwithapotentialclient,youmustclearlyandpreciselycommunicateyourservices;youmust“findtheirpain”andexplainhowyoucanhelpsolvetheirproblems.Trytomakethisaquestion-and-answersessioninwhichadialogtakesplace.Youshouldalsousetheopportunitytoexplainyourexperiencebycitingexamplesofyourpastservicestoclients,withoutprovidingspecificnames,ofcourse.

Assumingthemeetingwentwellandtheyaskyouforaproposal,youshouldprovideoneinthemostexpeditiousmannerpossibleandbesurethatyouunderstand:Eachclientrequiresadifferentapproachdependingonthesizeoftheclient—small,medium,orlargeorganization—asthescale,tactics,andstrategywillvarywitheach.Intheproposalyoushouldbeprecise;includeaprojectschedulewithlogisticsrequirements,roles,andresponsibilities(forbothyouandyourclient);andaddressliabilityissues.Othermatterstoconsiderare:

•Understandwhoyouaredealingwithandbesuretogettotherightlevelofauthoritytomakedecisionsthataffectyourwork;

•Identifytheirneedsasspecificallyaspossible;

•Understandtheirbudget(sizeandcycle);

•Getthe“bigpicture”;

•Besureyouhaveaclearunderstandingoftheirexpectationsandyourdeliverables,beforeleavingthepotentialclient;

•Determineanytimefactorsthattheywanttoconsider;and

•Ifneeded,exchangeencryptionkeyssocorrespondencecanbedoneinprivate.

Aspartofyourengagementsetup,youshouldhaveaspecificwrittenproposalprepared,aswellasoneinthestandardformatyouhavedeveloped.Bothshouldbeonyournotebookcomputersothattheycanbemodifiedimmediatelytofitthesituation.Ifyoubelieveyourspecificwrittenproposalisjustrightforyourpotentialclient,besuretohaveseveralhardcopiesavailabletopresenttothepotentialclient.Theproposal,asaminimum,shouldinclude:

•Proposalstructure,

•Worktobeperformed,

•Projectschedule,

•Timingandfees,

•Rolesandresponsibilities,

•Assumptionsandcaveats,

•Legalissues.

EngagementProcessOnceyoubegin,remembertodocumenteverythingtoinclude:

•Timeanddates,

•Whomyouspoketo,

•Whatwassaid,

•Anyactionitemsresultingfromtheconversations,

•Tasksyoucompletedandtheirtimeanddate,

•Notableeventsthatoccurred,and

•Allothermattersthatcanbeusedtosupportyouractivities,position,timespent,andthelike.

Morethanoneconsultanthasfoundthattheyperformedworkbasedonconversationswithaclient’semployeeandthenfoundthattheclientbalkedinmakingpaymentsforthatwork,sincetheyconsidereditunauthorized—thepersonhadnoauthoritytodirectaconsultanttoperformthatfunction.Itisimperativethatyouandtheclientbothhaveaclearunderstandingofwhatisagreedto,whenitwillbeaccomplished,proofthatitwasaccomplished,andthefeesrelativetocompletingthework.

Noteshelpwhendiscussingtheworkperformedandespeciallyindealingwiththebillingprocess.Anexcellenttechniquetouseduringtheengagementmanagementprocess

istomonitortheprogressoftheengagementonadailybasis.Constantlycommunicatewiththeclienttheprogress(orlackofit)anddelineatewhytherearedelays.Iftherearedelaysduetoafaultonthepartoftheclient,informtheclientoftheimpacttotheengagementandgivechoicessuchas:

•Askforadditionalfunding,

•Abbreviatecertaintasks,or

•Eliminatecertaintasks.

Thistechniquehelpsavoidunpleasantsurprisesandmisunderstandings.It’sa“we”mentality.Youapproachyourcounterpartprojectmanagerandsay“Joe,we’vegotaproblem.Theprojectisbehindbecauseofthis,this,andthis.Howdoyouthinkwecanfixthis?”Iftheprojectisscrewedup,Joehasjustasmuchtolosepoliticallyasyoudomonetarily.Ifthereisadebateastowhythingsaren’tgoingwell,theeventsarefreshineveryone’smindsandit’seasytosortoutandcorrectorcompensate.Acommonmistakeistowaituntilneartheendoftheengagementwhenthingsarewaybehindscheduleandinformtheclient,thinkingthatsomehoweverythingmightworkout.

Thiswillendupinabest-casescenarioassouringtheclientrelationshipandworstcase,incourtarguingoverwhodidwhatwhen.

Iftherearedelaysduetoyourownperformanceorlackofplanning,workextrahoursandaccepttheloss.Dowhateveryouhavetodotomeettheobjectivesoftheproposal,anddon’tcomplainaboutit.Makecarefulnotesastowhyyoumiscalculatedorundermanagedtheengagement,andusethatknowledgewhenwritingyournextproposal.

AssessmentServicesYoumaywanttobreakyourservicesintovariousgroups.Onegroupmaybe“assessmentservices.”Thisshouldhavebeendecidedaspartofyourbusinessplan.Theseservicesincludesuchthingsaspenetrationtestingandsecuritytestsandevaluationsofsoftwareandsystemsanditmayincludesupportingdocumentationanalyses.Alsoincludedmaybetechnicalsecuritycountermeasures,audits,andriskassessments.

AdvisoryServicesAdvisoryservices,alsopreviouslyconsideredaspartofyourbusinessplan,includethefollowing:

•Technicaldesignreview;

•Policies,procedures,andguidelines;

•Securitychangemanagement;

•Systemsandnetworksecurity;and

•Securityarchitecture.

SecurityImplementationTheservicestobeconsidered,basedonyourexpertise,ofcourse,includeensuringthatproductstobeinstalledonsystemsdon’tmakethesystemsandnetworksmorevulnerableandanysecuritysoftwaremeetstheneedsofthebusinessandoperatesasadvertised.Again,besuretodocumenteverything.

AugmentationAugmentationservicesmayincludesuchthingsasterminationsurveillanceandassistinginclientinvestigationsofemployees,suchascomputerforensicservices.Youmayalsoberequestedtorespondtoincidents.Ifso,thisshouldbeaddressedinyourcontractandalsothebillingforsuchresponses—whichoftenseemtohappenaftermidnight.

LegalIssuesLegalissuesmayariseastoyourauthorityinconductingorassistinginhightechnologycrimeinvestigations;aswellasissuesrelatedtoyourcontract.Itisimperative,toavoidlegalproblemslater,thatallmattersbeclearlyandconciselystatedinthecontract.Theworstthingyouwouldwantisconflictsincontractinterpretations,delayedpayments,orrefusaltopaywhatyoubilledtheclient,nottomentiontheproblemofyourreputation,whichwillfollowyou(goodandbad)fromclienttoclient.

Aboveall,neverbeginanengagementwithoutasignedcontract.Makecertainthatthepersonsigningithasthelegalrighttodosofortheorganization(usuallyanofficerordirector).

InternationalAspectsMoreandmorecybersecurityconsultantsareworkingallovertheworldandwithforeignclients.Indealingwithsuchclients,itisimportantto:

•Avoidslangandcolloquialterms,

•Learnasmuchoftheforeignlanguageandcultureaspossible,

•Makepositivecommentsonthefoodandarchitecture,

•Uselocalhandgesturesandvolumeofspeech,

•Understandtheforeigngovernmentswhereyouwillbeworking,

•Understandthelatestterroristthreatsintheregion,

•Explaincybersecuritytermsinlocalcontext,

•Don’tcomplainabouttheircountryorcultureorbragaboutyours,and

•Avoidpoliticaldiscussionsor,ifyouaredraggedintoaconversation,remainneutral.

Questions•Doyouhaveacareerdevelopmentplan?

•Doyoukeepitcurrent?

•Doyoudocumentallyourexperiencesandeducation?

•Doyoukeepyourresumecurrent?

•Doyouhaveyourinterviewtechniquesdownsoyouranswersseemnatural?

•Doyoukeepagenerallistofquestionstoaskduringtheinterviewsothatyoucomeacrossasinterestedinthatjobandthatcorporation?

•Doyouhaveaplantocontinuetokeepupwithchangesinyourprofession?

•Doyouwanttoeventuallybeaconsultant?

•Ifso,areyoupreparingforthattime?

•Doyouhaveabusinessplan?

•Areyoupreparedfor“feastorfamine”times?

•Doyouhavewhatittakestobeaconsultant?

SummaryHavingandkeepingcurrentacareerdevelopmentplan,keepingupwithchangesintheprofession,andalwaysbeingpreparedforthatnextjobsothatyoucancompeteatthehighestpossibleleveltakeplanningandhardwork.However,ifdoneright,itisworththeeffortasitcanleadtoyoursuccess.

1EncartaBookofQuotations,©&(P)1999,MicrosoftCorporation.Allrightsreserved.DevelopedforMicrosoftbyBloomsburyPublishingPlc.;LordByron(1788–1824),Englishpoet.“EnglishBardsandScotchReviewers”(1809).2SomeoftheinformationnotedinthischapterwasexcerptedfromanotherButterworth–Heinemannbook,TheManager’sHandbookforCorporateSecurity:HowtoDevelopandManageaSuccessfulAssetsProtectionProgram,publishedin2003,andcoauthoredbyGeraldL.KovacichandEdwardP.Halibozek.5SomeoftheinformationprovidedinthischapterwasprovidedbySteveLutz,President,WaySecure,averysuccessfulinternationalsecurityconsultantandCybersecurityspecialistfordecades.

CHAPTER16

ALookatthePossibleFuture

AbstractInthisfinalchapter1,welooktothefutureandsomeofitspossibilitiesastheyrelatetoourglobal,moreinterconnectedthaneversociety;governments,businesses,groups,andindividuals’actionsandreactions;technology;andtheimpactthatallthesetopicshaveoncybersecurity.

KeywordsAdvancedpersistentthreat(APT);Globaltrends;Globalization;Internet;Leadership;Offensive–defensivecyberattacks;Pervasiveinsecurity;Security—defensiveapproach

CONTENTS

SurvivingintotheFuture 303NewOldApproachtoSecurity—DefensiveApproach 304TheChangingEnvironment 305TheNeedforEnlightenedandDedicatedLeadership 305GlobalTrends 306

ImpactofGlobalization 307NewChallengestoGovernance 308PervasiveInsecurity 309TransmutingInternationalTerrorism 309PolicyImplications 309

Offensive–DefensiveCyberAttacks 310TheFutureoftheInternet 311Questions 311Summary 311

Ifyouconsciouslytrytothwartopponents,youarealreadylate.MiyamotoMusashi,Japanesephilosopherandsamurai(1645).

Thefutureisdisorder.Adoorlikethishascrackedopenfiveorsixtimessincewegotuponourhindlegs.Itisthebestpossibletimetobealive,whenalmosteverythingyouthoughtyouknewiswrong.

TomStoppard,Arcadia

Inthisfinalchapter,1welooktothefutureandsomeofitspossibilitiesastheyrelatetoourglobal,moreinterconnectedthaneversociety;governments,businesses,groups,and

individuals’actionsandreactions;technology;andtheimpactthatallthesetopicshaveoncybersecurity.

Whenthefirsteditionofthisbookwaspublishedin1998,wediscussedthefuturebasedontheimpactoftopicslikethoseidentifiedabove.Muchofwhatisrequiredforcybersecurityanditsprogramisbasedonprovencybersecuritytechniquesthathavebeenaroundfordecades,albeitundervariousnamessuchascomputersecurity,networksecurity,andinformationsystemssecurity.

Althoughyouwillfindmuchofthefollowingredundantwiththisbook’sfirsttwoeditions,itisnotbeingrepeatedbecausewearetoolazytostartanew.Itisbecausethesameissuesandsamebasicmethodstosolvethemhavenotchangedanymorethanthethreatsthatthefutureholds.So,let’stakeoutourcrystalballandseewhatthefuturecontinuestoholdforallofus.

Unfortunately,eventhebasicsofcomputersecuritystandardsthathavebeenaroundfordecadeshaveoftennotbeenmeet.Infact,evenU.S.federalgovernmentcomputersecuritystandards,requiredtobefollowedbygovernmentagencies,oftenarenotfollowed.

U.S.SecretServicerefusedtoprovidedataonitscomputersecuritysystemstotheDepartmentofHomelandSecurity…preventingitfrombeingabletoverifyifitwascomplyingwithsecuritypolicies,…Theservice…“refusedtocomplywithmandatedcomputersecuritypolicies,”accordingtothereportbytheDHSinspectorgeneral.2

2http://news.yahoo.com/secret-needs-beef-security-report-193616952.html.

Willthischangeinthefuture?Maybe,butprobablynot,ifhistoryisanyindication;andifso,probablynottotheextentneeded.

Inthebusinessworld,thesameappliesundertheguisethatitisnotcost-effective.However,nowandintothefuture,aslackofsecurityinfluencesthebottomline,wehopethatthatwillchange.

Oneoftheproblemsisthatwebaseoursecurityrequirements,includingcybersecurityrequirements,on“risk,”andbusinessisfundamentallybasedonrisktaking.Whenyoubaseyoursecurityrequirementsontheconceptofmanagingrisk,youareacceptingthatyouareonlybuyingtimeandthat,atsomepoint,anincidentwillhappen.

However,asconstantsuccessfulattacksshow,thecoststopatchsystems,topayoutmoneyinlawsuits,andoftheadversepublicrelationsissuesthatfollowandthelossesinstockvaluesastheyplummetbasedonallthatarehigherthanto“doitrightthefirsttime”andcontinuouslyupdateandimproveovertime.Corporatemanagementjustdoesn’tgetit,maybeneverwill.Governments,groups,andindividualshavedeclaredwar.Willthat

http://news.yahoo.com/secret-needs-beef-security-report-193616952.html

increaseordecreaseinthefuture?Allindicationspointtoanincrease.

Althoughnotofficiallyconfirmed,atleastonemajorbusinesswassuccessfullyattackedbecausethedefaultpasswordsthatcamewiththesoftwarewereneverchanged.Thatwasidentifiedasanissueatleastasfarbackasthe1980s,ifnotbefore.Thatfirsthackerattackbasedonthatvulnerabilitycanbetracedtoatleastthefirst300-baudexternalmodembasedonahackersoftwareprogramusingtheBASICprogramlanguage.Forthoseofyouwhodon’tknowwhatwearetalkingaboutbecauseyouweren’tevenbornatthattime,itprovesmypoint.

Whywon’ttheseleadersinbusinesses,industries,andgovernmentschange?Someofthe“blame”restsindemocraticnationswherepeopleenjoyatleastsomesemblanceoffreedom,andbeingtoldwhattodoandhowtodoitissomethingthattheydon’tlikeandtrytoavoid.Securityandlawenforcementpeople,andauditors,arealwaystellingpeoplewhattodoandwhatnottodo.Inthefuture,awaymustbefoundtomakethemwillingtodoitormakesecuritytotallyinvisibletothem,sothatnotevenapasswordorbiometricaccesscontrolwillbeneeded,unlesserror-free,andtheuserdoesnothavetotakeanyaction.An“avatar”thatissecure,maybe?Notaneasytask.

SurvivingintotheFutureSeniorcorporateandgovernmentleadershipsupportcontinuestobemissingandisnecessarytodeveloptheappropriateplanning,guidance,strategy,skilledworkforce,plant,andequipment.Corporationsandnation-statesneedtoboldlyacceptthenewrealitylesttheywishtoloseandnotbeabletoreattainthecompetitiveedge.Bureaucracyhasnoplaceinacybersecurity-protectedenvironmentwithnanosecondattackweaponsrequiringnanosecondresponses.Asthepastandpresenthaveshown,theyhavenotchanged,andpersonallyIdonotholdoutmuchhopeforthattochangeinthefuture.

Seniorleadershipisessentialforsecuritytobemeaningfultothebottomlineornationalsecurityofnation-states.Corporateespionagewillcontinuetobeasbigathreatasgovernmentespionage—maybemoreso.Netspionage3hasbecomeavaluabletacticinsupportofacorporationorgovernmentagency’soverallespionageandcompetitivebusinessstrategy.

Informationwarfareattacksagainstglobalcorporationshavedramaticallyincreasedsincethattopicandtermwascoinedmorethanadecadeago.Let’sfaceit,wecertainlyareinaglobalinformationwarwhoseagentsareallthosewhoattackoursystemsandnetworksforfun,profit,andpower.

Theyhavegrowninsophisticationandareexpectedtodoso,fromgovernmentstoindividualsaroundtheworld.Sadly,ithasalsoneverbeeneasier.Financiallossesduetoattackshavebeencausedbysuccessfulsecuritybreaches,fromfinancialfraudandtheftofproprietaryinformationtoidentitythefttosabotageandblackmail.Anewtermhascomeintousageoverthepastfewyears—“advancedpersistentthreat,”orAPTforshort.APTisusedtodescribeanongoingsetofstealthycomputerhackingattacks,oftentargetingaspecificbusinesssector,organization,orsystem.

ThemotivationforanAPTcanbeforbusinessorpoliticalgain.Asthenameimplies,APTconsistsofthreeelements:theattackisofanadvancedtype,itispersistent,anditposesathreat.ThetermwasfirstusedtodescribeanongoingseriesofattacksthatoriginatedinChina,butisnowmorewidelyused.Whatisclearisthatwecanexpectthesetypesofattacknotonlytocontinue,butalsotoincrease.Whywouldn’tthey?Wearen’tverygoodatdetectingandrespondingtothem,andaslongasthebenefitsoutweighthecost,itisworthwhileforthenation-stateorgroupthatisdoingthem.Therehavenotbeenanyrepercussions.

Attacksfromanation-stategoonaswetradewiththem.Therearenopenaltiesforattackingournetworks.Soadversaries,andthatincludesgeneralhackers,attackwithimpunity.

Thereisnosilverbullet,noone-timeexpenditureofmoneyto“fixtheproblem,”andnomeanstoputthegeniebackinthebottle.Enlightenedanddedicatedleadershipwillingtostaythecourseisnecessarytoguidegovernmentsandbusinessesintothefuture.

NewOldApproachtoSecurity—DefensiveApproachTheapproachthatresponsiblegovernments,businesses,andotherentitiesmusttakeinthefuturetoensurethatwehavethecorrectenvironmenttoendureistoatleastgetthebasicsecurityprocessesinplace!

Thiswillrequireasignificantchangeintheattitudeandapproachthataretakenatalllevelsofgovernanceandmanagement.Wehavebeensayingthissincethe1980sandwesayithereonceagainin2016.Wemustgetonawarfooting.Goodgrief!

Whatwillberequiredinorderforthestructuresthatweunderstandtosurviveisalarge-scaleadjustmentintheattitudestakenonthewholesubject.Thetruthofwhatwehavesaidinthepast,“…thethreatsarereal;andtheadversariesareseriousaboutit,”mustberealized.Toacertainextent,thatrealizationtakesplacegenerallyonlyafteramassive,successfulattack.However,afteritisover,andeveryonehascalmeddownandbeguntoforgetit,managementgoesbacktobusinessasusualandsodogovernmentagencies.Wedonotseemtobeabletolearnfromeitherourownpastorthatofotherorganizationsandseemtobedoomedtocontinuetorepeatit.

Therehasbeenfear(andstillis)thata“pearlharbor.com,”asWinnSchwartauputsit,iscoming.Wehavealreadyseenitinthephysicalworld.Canthevirtualworld’sPearlHarborbefarbehind?Minionesaretakingplacegloballyanddaily.However,asthoseofusintheprofessionhavesaidthisforsolong,itisliketheboycryingwolf,orliketheYear2000“worldwillendasweknowit”owingtothemillenniumbugcrashthatneverhappened;wemustinthefuturechooseourwordsmorecarefullyandpresenttheprobablerisksinamoreobjectiveway.

http://pearlharbor.com

TheChangingEnvironmentTothepresentday,wehaveahistoryofunderstandingtheissuesthatarerelatedtoattacksandcybersecuritythatareimposedbyphysical,procedural,orpersonnelmeans.Wealsonowunderstandtheattacks’offensiveanddefensiveworldsbetterthaneverbeforeandwehopewewillgetbetteratunderstandingtheissuescominginthefuture,butunderstandingtheissuesanddoingsomethingaboutthemaretwodifferentthings.

TheNeedforEnlightenedandDedicatedLeadershipIfanenvironmentinwhichorganizationscanfeelsafefromsuccessfulattacksistobeachieved,thereneedtobesignificantchangesintheattitudesofbothgovernmentandmanagementatalllevelsoforganization.

Aninfrastructure,ataninternationallevel,forcollaborationbetweengovernmentsandlawenforcementagenciesalreadyexists,butuntilALLcountriessignuptothisandallocatesufficientresourcestomakeiteffective,therewillcontinuetobeissues.

Therearecurrentlycountriesthatprovide“safeharbor”tobothorganizedcriminalsandterroriststhatareusingtheInternettocarryoutcyberattacks.AllegedlyChinaisdoingthatrelativetoNorthKorea’sinformationwarriorsoperatinginfacilitiesontheChinesemainland.Therearealsoothercountriesthatare,themselves,conductingcyberattackoperations.Whilethiscontinues,ourdefensesneedtobeimprovedtomeeteverypossibility.

Perhapsoneofmeasuresthatcanbeputinplacewillbeforumsinwhichincidentscanbereportedinasuitablemannerbyindividuals,companies,andgovernmentsandwherebestadvicecanbegained—withoutworryingaboutthepoliticalandpower-playgames.

Whiletheseexistinsomecountriesandcommunities,theymustbeubiquitousandeasytoaccess.Ifattacksaretakingplaceatnanosecondspeedsoverstructuresthatdonotrecognizenationalborders,thenanyimpedimentthatthecurrentstructuresandorganizationsimposewillencouragetheperpetrator.

Ingovernment,inmostofthedemocraticnations,anindividualwhowillchampionthecauseofcreatingthecorrectenvironmentfortheprotectionofinformationsystemsisaconundrum.Itwouldrequireapoliticalnomineewhoiswillingtoputthecausethatheorsheissupportingnotonlyabovehisorherownambitions(cybersecurityisnotanareathathasatrackrecordofproducingnewpartyornationalleaders)butalsoabovepartyloyalty.Heorshewouldneedtohavesenioritywithinhisorherownparty,cross-partysupport,andtenureinthepostforaperiodofmorethanonetermofofficetohaveanysignificanteffect.

Willthathappen?Idoubtit.Whensomethinghappens,theywillholdpublichearings,lookforscapegoats,gettheirfacesonthenews,pontificatefromonhigh,butafterwardgobacktotheiroldways.Iftheywanttofindthosepartiallyresponsibletheyhavebuttolookinthemirror.

GlobalTrends4Itisimperativethatwhenlookingatcybersecurity,cyberattacks,andthelike,oneshouldbeginbyunderstandingtheglobaltrendsbecausethatistheenvironmentthatwilldictatemuchoftheoffensiveanddefensiveenvironmentsandtacticsandhelponeunderstandthereasonforsuchattacks,aswellashelpingtounderstandthedefensiveneedsandsolutions.

EveryfouryearstheU.S.NationalIntelligenceCouncil(NIC)publishesanupdateofits“GlobalTrends”seriesthatidentifieskeydriversanddevelopmentslikelytoshapeworldeventsacoupleofdecadesintothefuture.

Inthe“ReportoftheNationalIntelligenceCouncil’s2020Project,”theNICincludedanexecutivesummary,someofwhichisquotedbelow:

…AtnotimesincetheformationoftheWesternAlliancesystemin1949havetheshapeandnatureoftheinternationalalignmentsbeeninsuchastateofflux…TheroleoftheUnitedStateswillbeanimportantvariableinhowtheworldisshaped,influencingthepaththatstatesandnonstateactorschoosetochoose…

NewGlobalPlayers:ThelikelyemergenceofChinaandIndiaaswellasothers,asnewmajorglobalplayers—similartotheadventofaunitedGermanyinthe19thCenturyandapowerfulUnitedStatesintheearly20thCentury—willtransformthegeopoliticallandscape,withimpactspotentiallyasdramaticasthoseintheprevioustwocenturies…howwementallymaptheworldin2020…

Newglobalplayersarenotreallythatnew;however,theyhaveincreasedinpowerandimpactontheworldstage.Suchshiftsandchangesarecausingthestatusquotofadeaway.Thus,therewillbemorenationfightingandwiththattheuseofcybertacticstoassistnationsingainingdominance.

ImpactofGlobalization…Globalizationasanoverreaching“mega-trend”,aforcesoubiquitousthatitwillsubstantiallyshapeallothermajortrendsintheworldof2020…theworldeconomyislikelytocontinuetogrowimpressively:by2020,itisprojectedtobeabout80%largerthanitwasin2000,andaveragepercapitaincomewillberoughly50%higher…Yetthebenefitsofglobalizationwon’tbeglobal…Thegreatestbenefitsofglobalizationwillaccruetocountriesandgroupsthatcanaccessandadoptnewtechnologies…ChinaandIndiaarewellpositionedtobecometechnologyleaders,andeventhepoorestcountrieswillbeabletoleverageprolific,cheaptechnologiestofuel—althoughataslowerrate—theirowndevelopment…

…Morefirmswillbecomeglobal,andthoseoperatinginaglobalarenawillbemorediverse,bothinsizeandorigin,moreAsianandlessWesterninorientation.Suchcorporations,encompassingthecurrent,largemultinationals,willbeincreasinglyoutsidethecontrolofanyonestateandwillbekeyagentsofchangeindispersing

technologywidely,furtherintegratingtheworldeconomy,andpromotingeconomicprogressinthedevelopingworld…Thussharperdemanddrivencompetitionforresources,perhapsaccompaniedbyamajordisruptionofoilsupplies,isamongthekeyuncertainties.5

Today’seconomicwarshaveincludedoffensiveoperationsandtheseareexpectedtoincreaseinvolumeandsophisticationasthedemandforeconomicpowerissupportedandmademorevulnerablebytheworld’sdependencyontechnology.

NewChallengestoGovernanceThenation-statewillcontinuetobethedominantunitoftheglobalorder,buteconomicglobalizationandthedispersionoftechnologies,especiallyinformationtechnologies,willplaceenormousnewstrainsongovernments…politicalIslamwillhaveasignificantglobalimpactleadingto2020,rallyingdisparateethnicandnationalgroupsandperhapsevencreatinganauthoritythattranscendsnationalboundaries…Theso-called“thirdwave”ofdemocratizationmaybepartiallyreversedby2020—particularlyamongthestatesoftheformerSovietUnionandinSoutheastAsia,someofwhichneverreallyembraceddemocracy…

…Withtheinternationalsystemitselfundergoingprofoundflux,someoftheinstitutionschargedwithmanagingglobalproblemsmaybeoverwhelmedbythem…6

Technologycanfreeusorhelpenslaveus.WeareevensomuchclosertoGeorgeOrwell’spredictionsinhisbook,1984.Italldependswhohasdominantpoweroveritineachnation,business,orgroup,includingreligiousgroups.OnehastojustlookatthelatesteffortsbytheNSA,CIA,andtheircounterpartsinRussia,China,Iran,andtheliketoseethatwecitizensoftheworldareindangeroflosingmoreofourfreedoms,butmaybeevenourhumanity.Ofcourse,manyagenciescitedoingthisinthenameofsecurityforusall.Manyalsowouldgiveupmorefreedomforsecurity,butwhenisitenough?

LiketheAsianviewoftheworldandlifeinYin–Yangterms,weshouldlookatoursecurityversusourfreedominasimilarfashion.

Whendoweknowwhenwearegivinguptoomuchofourfreedomandhowdowegetitback,orwillitalreadybetoolate?

Sincethefirsteditionofthisbookwaswritten,therehasbeenadramaticincreaseinterrorism.Terrorists’offensiveuseofcyberwartactics,techniques,andcyberweaponshasdrasticallyincreasedanditisexpectedtodosointothefuture.Terroristsstillpreferthepropagandaeffectorbarbaricactssuchasbombing,kidnappings,beheadings,andthelike;however,theyareeverincreasinglyrelyingoncyberweaponstoexploitthe

vulnerabilitiesoftheirenemies—whicharebasicallymostofus.

Inthepasttheyhavehadtorelyonthenewsmediaofthenationsinvolvedtopropagatetheirmessages,whereasnowtheyhavethemeanstogettheirmessagestoanyonewhoiswillingtolisten.Blogsandsocialmediaaregreatpropagandatoolsforspewingtheirhatredandarealsogreatrecruitingtools,aswehaveseenwith“lone-wolfattacks.”Physicalattacks,yes,butrecruitedonline.

PervasiveInsecurityEvenasmostoftheworldgetsricher,globalizationwillprofoundlyshakeupthestatusquo—generatingenormouseconomic,cultural,andconsequentlypoliticalconvulsions…Thetransitionwillnotbepainlessandwillhitthemiddleclassesofthedevelopedworldinparticular…Weakgovernments,laggingeconomyandextremism,andyouthbulgeswillaligntocreateaperfectstormforinternalconflictincertainregions…

…Thelikelihoodofgreatpowerconflictescalatingintototalwarinthenext

15 yearsislowerthanatanytimeinthepastcentury,unlikeduringpreviouscenturieswhenlocalconflictssparkedworldwars…Countrieswithoutnuclearweapons—especiallyintheMiddleEastandNortheastAsia—mightdecidetoseekthemasitbecomesclearthattheirneighborsandregionalrivalsaredoingso…7

Wemustalsorememberthepowerthatindividualsnowhavetoexploitthosethattheyfeelareagainstthem,whethertheybegovernments,businesses,groups,orotherindividuals,forexample,evenschoolbullyingcausingsometocommitsuicide—andonaglobalwarfront.Theworsetheeconomygets,themorehostileanddissatisfiedanation’scitizensbecome.So,wemaynothaveaglobalWorldWarIII,butcertainlywearehavingthousandsofglobalcyberattackskirmishes24/7andthis,too,iscertaintoincreaseintothefuture.

TransmutingInternationalTerrorismThekeyfactorsthatspawnedinternationalterrorismthathasnosignsofabating

overthenext15 years…Weexpectthatby2020al-Qa’idawillbesupersededbysimilarlyinspiredIslamicextremistgroups…Ourgreatestconcernisthatterroristsmightacquirebiologicalagentsor,lesslikely,anucleardevice,eitherofwhichcouldcausemasscasualties…8

ThishasalreadytakenplacewiththeadventofISIS,andsurelymoregroupswillfollowandevenlookatotherterroristgroupsastheirenemiesastheyallcontinuevyingforglobaldomination.Surelytheiruseofcyberattackswillnotbelimitedtoonlynonterroristgroups.

PolicyImplications…Althoughthechallengesaheadwillbedaunting,theUnitedStateswillretainenormousadvantage,playingapivotalroleacrossthebroadrangeofissues—economic,technological,politicalandmilitary—thatnootherstatewillmatchby2020…WhilenosinglecountrylookswithinstrikingdistanceofrivalingUSmilitarypowerby2020,morecountrieswillbeinapositiontomaketheUnitedStatespayaheavypriceforanymilitaryactiontheyoppose.Thepossessionofchemical,biological,and/ornuclearweapons…alsoincreasethepotentialcostofanymilitaryactionbytheUS…

…Acounterterrorismstrategythatapproachestheproblemonmultiplefrontsoffersthegreatestchanceofcontaining—andultimatelyreducing—theterroristthreat…

Overthenext15 yearstheincreasingcentralityofethicalissues,oldandnew,havethepotentialtodivideworldwidepublicsandchallengeUSleadership…9

Whilegovernmentsaroundtheworldcontinuetothinkintermsoftwentiethcenturyweaponsinthistwenty-firstcenturyworld,wemustrememberhowvulnerableourtechnology-dependentgovernmentsandbusinessesaretosuccessfulcyberattacks.Themore“advanced”anationisandthegreateritsdependencyontechnology,thegreatertheexposuretocyberattacks.

Itisasadcommentary,butchancesaretheuseofcyber-offensiveoperationswillcontinuetoincreaseandthelackofviabledefensiveoperationswillallowmoreandmoreattackstobesuccessful,causinggreaterscalesofdamageasthesecyberweaponscontinuetoincreaseinsophisticationwhiledefensivetoolscontinuetolagbehind.

Offensive–DefensiveCyberAttacksWhenwillwegettothepointatwhichaperson,group,business,orgovernmentisgoingtosay:“I’mmadashellandI’mnotgoingtotakeitanymore!”Wearefastapproachingthattime,ifnotalreadypastit.

Ifanentityisattacked,itisabouttimethatthevictims,inself-defense,goafterthoseattackingthemandnotrelyonsomeoneelsetoprotectthem.Obviously,agenciessuchastheFBIandlocalpoliceinvestigatorscomeinaftertheattacks,runtheirinvestigations,andmayevenidentifytheadversary.Thenwhat?Nojurisdiction,sonoprosecution.So,basically,maybetimeforalittle“WildWest”independentaction?

Whatweneedinthefutureisacovert“mirror-image”softwareprogramthatwillnotonlydeflecttheattackbuthavethatprogramturnonitselfandbouncebacktoattacktheattacker.

Yes,somegovernmentagenciesarebeginningtotakecovert,offensive–defensiveactions.However,moreisneededatalllevelsofvictimization.The“reapwhatyehavesown,”“eyeforaneye,”old-stylephilosophyandjusticemaybeneedtocomebackinvogue?

Somewillcriticize“vigilante”justice,warningthatwecan’tbelikethem;chaoswillreign.Theonessayingthatareprimarilythoseinlawenforcementwhofearthatdependencyonthemwillwane,politicianswhofearlosingpower,andthosewhohaveno“skininthegame,”amongothers.

TheFutureoftheInternetBecauseofthepowerandinfluenceoftheInternet,somenationswanttocontrolit,otherswanttohavetheUnitedNationsberesponsibleforitsmanagement.Governmentsdon’tlikesomethingtheycannotcontroltotheirbenefit.ThedaytheInternetfallsintopoliticalhandstocontrolit,ourfreedomontheInternetaswenowenjoyit,weasusers,isdoomed.Iwouldhopethat,asusers,wewillnotallowthattohappen.

Thatbeingsaid,someareoptimisticthatnewtechnologywillallowglobaluserstoreconnectonaglobalscaleusinganotherformoftechnologyasitsupersedesthe“old-fashioned”Internet.Infact,globalusersmayevenbeabletoestablishtheirownmini-Internetsandconnecttoothermini-Internetsthroughadvancedcommunications,evenembeddedmicroprocessortechnologyasaformofcyber-telepathy.TheybecometheirownInternetserviceproviders.Onecanonlyhope.

Questions•Areyoupreparingnowforthefutureofcybersecurity,informationwarfare,cyber-terroristattacks,andthelike?

•Doyoukeepupwithtechnologyandprojectwhat-ifnewtechnologiesintoyourfuturecybersecurityplansandprogram?

•WhatdoyouthinkthefutureholdsforallofusiftheInternetfreedomwenowhaveistakenaway?

•Willyoubeafreedomfighteroracybersecurityofficerthat“justfollowsorders?”

•Doyoumaintainadatabaseofdefensivesoftwareandoffensivesoftware(thatusedbythecyberattackers)thatyoucanusewhenneededandalsocompareyourdatabaseofcyberattacksoftwaretoincomingeventstoseeiftheyareanattack?

•Whatareyou,asacybersecurityofficer,goingtodonowtomeetthefuturechallengesofcybersecurity?

SummaryThesaying“themorethingschange,themoretheystaythesame”certainlyseemstobeholdingtrue.Althoughwehaveandwillcontinuetohaveadvancesintechnologyallowingformoresophisticatedoffensivecyberattacksanddefenses,wearefightingmorecyberbattlesandlosingmoreofthemthaneverbefore.

Inthefuture,wemustreconsiderourdefensiveapproaches,fundthemasahighpriorityineveryentity,andgoontheoffensiveasadefensiveapproach.

Thefutureisdisorder.Adoorlikethishascrackedopenfiveorsixtimessincewegotuponourhindlegs.Itisthebestpossibletimetobealive,whenalmosteverythingyouthoughtyouknewiswrong.

TomStoppard,Arcadia

1Muchoftheinformationpresentedistakenfromtheauthor’sbook,coauthoredwithDr.AndyJones,GlobalInformationWarfare,secondedition,publishedbyCRCPressandquotedwiththeirpermission.3Forabasicoverviewonthattopic,seetheclassicNetspionagepublishedbyButterworth–Heinemann.4Seehttp://www.dni.gov/index.php/about/organization/national-intelligence-council-global-trends.5ReportoftheNationalIntelligenceCouncil’s2020Project.6Seefootnote5.7Seefootnote5.8Seefootnote5.9Seefootnote5.

http://www.dni.gov/index.php/about/organization/national-intelligence-council-global-trends

Index

Note:Pagenumbersfollowedby“f”,“t”and“b”indicatesfigures,tablesandboxesrespectively.

A

Accesscontrol,187,217–218

accesscontrolsystems,189

benefits,188

LANs,188

systems,189

Accessviolationsanalyses,217

Accountabilities,116–117

Advancedpersistentthreat(APT),304

AdvancedResearchProjectAgency(ARPA),75–76

Advisoryservices,299

AEA,SeeAmericanElectronicsAssociation(AEA)

Africa,55

“Aggressivedefensive”operations,90

AgriculturalAge,11

AirForce’s53rdWing,97

Allegedmonopolyactions,97

Amazon.com,91

AmericanElectronicsAssociation(AEA),70

Annualreevaluation

cybersecurityofficer,223–224

cybersecurityprogramstrategic,tactical,andannualplans,228

linkingcybersecurityprogram,228–230

metricsanalysis,230–231

one-yearreview,224

LOEactivities,225–226

projects,226–227

planningfornextyear,231–233

APT,SeeAdvancedpersistentthreat(APT)

ARPA,SeeAdvancedResearchProjectAgency(ARPA)

Asia,53–54

Assessmentservices,298

Augmentation,299

Awareness

briefings,186–187

program,185–186,217

B

BlackBerry,96

BLS,SeeU.S.BureauofLaborStatistics(BLS)

Blue-lightcameras,96

Business

information,181

practices,278–279

Businessmanagers

SeealsoGlobalbusinessandmanagementenvironment

andcybersecurity,42

companymanagers,43

corporatemanagement’sknowledge,42

cybersecurityprogram,42

principles,44

responsibilities,43

cybersecurityofficeras,40–41

C

C2W,SeeCommandandcontrolwarfare(C2W)

Canada,55

Cellularphones,105b

CEO,SeeChiefexecutiveofficer(CEO),Corporateexecutiveofficer(CEO)

CEP-DR,SeeContingencyandemergencyplanninganddisasterrecovery(CEP-DR)

Changingcriminaljusticesystems,21–24

Chiefexecutiveofficer(CEO),135,138,144

Chinesehackinggroup,99

CI,SeeCounterintelligence(CI)

CIKR,SeeCriticalinfrastructureandkeyresources(CIKR)

CIO,SeeCorporateinformationofficer(CIO)

CKO,SeeCoherentknowledge-basedoperations(CKO)

Classifiednetworkssecurity,60

CNCI,SeeComprehensiveNationalCybersecurityInitiative(CNCI)

Codesofethics,277–278

Coherentknowledge-basedoperations(CKO),270

Coldcallingpotentialcustomers,296

Commandandcontrolwarfare(C2W),263

Commercialoff-the-shelfsoftware(COTSsoftware),258–259

Communicationstechnology,12

Companymanagers,44–45

ComprehensiveNationalCybersecurityInitiative(CNCI),55–57

initiative,55–57

Computerforensics,238–240

Contingencyandemergencyplanninganddisasterrecovery(CEP-DR),194

adverseevents,195

contingencyplanning,194–195

needs,195

planningsystem,195–198

testingplan,198

Contingencyplanning,217

Corporatecybersecurityprogram,132–152

SeealsoCybersecurityofficer

cybersecurityprocedures,150–152

cybersecurityprogrampolicy,149–150

informationassetsprotectionpolicies,139–150

physicalsecurity,149–150

policydirective,148–149

requirements;alsoCybersecurityofficer,139,148–149

Corporateethics,278–279

Corporateexecutiveofficer(CEO),237

Corporateformat,124–125

Corporateinformation,determiningvalue,179–180

Corporateinformationofficer(CIO),107,137–139,144,155,219,229,236

Corporateleader,110

Corporatemanagement,241–242

knowledge,42

Corporatestrategicbusinessplan,123,127

Corporatevalues,278–279

Corporation,customers,andcompetition(threeC’s),32

Corporationoverallpolicydocument,142

Cost-effectivecybersecurityprogram,9

Cost-effectivemethod,120

COTSsoftware,SeeCommercialoff-the-shelfsoftware(COTSsoftware)

Counterintelligence(CI),60

Criticalinfrastructureandkeyresources(CIKR),61–62

Cumbersomeprocesses,153

CyberCommand,98–99

Cybereducationexpansion,60

Cyberoperationsconnection,59

Cybersecurity,52,123,305

Africa,55

Asia,53–54

Canada,55

CNCIinitiative,57–62

EuropeanUnion,53

evolutionoflaws,standards,policies,andprocedures,50–51

globalviaUN,51–53

policydocument,144

principles,114

procedures,150–152

professionals,45

program,7,31

policy,149–150

strategic,tactical,andannualplans,228

programlevelofeffortdrivers,207

chartinglevelofeffortthroughnumberofsystemusers,208–209

grantingusersaccesstosystems,210–211

significanceofsystemuserschart,209–210

programmetrics,202–203

cybersecurityofficer,204,207

examples,205

management,203

metricsmanagement,206

security-associatedrisks,35

SouthAmerica,54

strategicplan,121–124

mappingtocorporatestrategicbusinessplan,123

objective,122

planningconsiderations,123

strategicbusinessplan,121

teamconcepts,communication,andcoordination,122

writingplan,124

tacticalplan,124–125

techie,145

writingplan,125

UnitedStates,55–57

Cybersecurityfunction,29,176

SeealsoAccesscontrol

annualplan,125–127

mappingtocorporateannualbusinessplan,127

projects,126–127

writingplan,127

CEP-DR,194–198

consultant,292

businessplan,296

consultingplan,294

cybersecuritymanagersandtechnicians,293

guidingprinciples,295

cybersecurityofficer,185

awarenessbriefings,186–187

awarenessprogram,185–186

continuingawarenessmaterial,187

firmwareevaluation,189–191

job

descriptions,160–161

familyfunctionaldescriptions,161–168

NCIs,194

processdevelopment,184

requirementsidentificationfunction,184–185

processes,177–179

riskmanagementprogram,191–193

softwareevaluation,189–191

ST&Eprogram,193

valuinginformation,179

corporateinformationvalue,179–180

informationcategories,181–182

informationvalue,180–184

questions,184

valuedinformationtypes;alsoAccesscontrol,182

Cybersecurityofficer,6–8,28–29,34,104,125,152–171,185,202,235–236

SeealsoCorporatecybersecurityprogram

awareness

briefings,186–187

program,185–186

asbusinessmanager,40–41

careerdevelopmentprogram,284–286

continuingawarenessmaterial,187

corporateculture,284

cybersecurityjobdescriptions,160–161

cybersecurityjobfamilyfunctionaldescriptions,161–168

dutiesandresponsibilities,109,236–237

Directorand,238

HTCPP,237

violationsoflaws,238

evolutionandrevolution,104–106

inglobalcorporation,106

CIO,107

corporateculture,107–108

managementblankcheck,108

goalsandobjectives,109–110

leadershipposition,110–112

missionstatements,112–113

needforcybersecuritysubordinateorganizations,154–156

organizationstructuredevelopment,156

andorganizationalresponsibilities,115

formaldutiesandresponsibilities,116–117

professional,283

projectmanagement,114–115

qualitystatements,112–114

recruitingcybersecurityprofessionals,168–171

in-housecybersecuritycandidatesidentification,170

outsidecybersecuritycandidatesidentification,171

riskmanagement,115

subordinateorganizationsdevelopment,156–160

cybersecurityprogramaccesscontrolandcompliance,157–158

cybersecurityprogrampolicyandriskmanagement,158–159

off-sitecybersecurityprogramorganizations,159–160

visionstatements,112–113

Cybersecurityprogramandorganizationestablishment,132

corporatecybersecurityprogram,132–152

cybersecurityprocedures,150–152

cybersecurityprogrampolicy,149–150

informationassetsprotectionpolicies,139–150

physicalsecurity,149–150

policydirective,148–149

requirements,139,148–149

cybersecurityofficerthoughtprocess,152–171

cybersecurityjobdescriptions,160–161

cybersecurityjobfamilyfunctionaldescriptions,161–168

needforcybersecuritysubordinateorganizations,154–156

organizationstructuredevelopment,156

recruitingcybersecurityprofessionals,168–171

subordinateorganizationsdevelopment,156–160

CyberSecuritySpecialist,141–142

Cyberwars,82

Cyber-informationworldenvironment,4

changingcriminaljusticesystems,21–24

GII,10

humanfactor,24–26

information,5–6

information-drivenenvironment,6

computersystems,7

computers,8

cybersecurityandmitigatingrisks,6

cybersecurityofficer,6–8,10


microprocessors,7–8

protectionofinformationsystems,8–9

NII,11

Cyberspace,14–15,77

CyberspacePolicyReview,57

D

DDoS,SeeDistributeddenial-of-service(DDoS)

DefenseAdvancedResearchProjectAgencyleaders,95

“Defensiveattacks”,255–256

DefensiveIO,266

DepartmentofHomelandSecurity(DHS),50b,57,59,61–62

NationalCybersecurityCenter,59–60

Detekttool,92

Deterrencestrategiesandprograms,61

DHS,SeeDepartmentofHomelandSecurity(DHS)

Digitalbattlefieldattacks,90

allegedmonopolyactions,97

America’smilitarysecrets,98

Australiandefenseofficials,93

BlackBerry,96

blue-lightcameras,96

Chinesehackinggroup,99

CIA,96

companyWebsite,92

crimes,94

CyberCommand,98–99

DefenseAdvancedResearchProjectAgencyleaders,95

Detekttool,92

diskorflashdrive,90

FBI’sCyber’sMostWanted,93

federalgovernment,97

floodofhacksanddatabreaches,94

GeneralZhu’scomments,95

GIWattacks,91

hackers,92,99

healthcare.gov,94

informationwarfare,95

Israeli’ssecretservice,97

IW,91

malwareandspyware,92

missiondatapackages,97

NSA,97

snoopingfirestorm,98

offenses,93

PLA,93

PLCs,90

“Regin”malware,91

SamsungElectronics,97

SecretService,97

securityattacks/breaches,100

socialengineering,91

spyagency,98

spyware,94

SyrianTwitter,92

Taiwanesegovernment,92

TuringTest,96

U.K.CyberSecurityStrategy,98

U.S.DepartmentofHomelandSecurity,95

U.S.officials,99

votingmachines,93

Director,237–238

DirectorofSecurity,235–237,240

Disasterrecovery,195

Distributeddenial-of-service(DDoS),252

DoD,SeeU.S.DepartmentofDefense(DoD)

E

E-mail,76

PI,94

Eastereggs,81

EATP,SeeEducationAwarenessandTrainingProgram(EATP)

Education,286

advisoryservices,299

assessmentservices,298

augmentation,299

cybersecurityconsultant,292–296

engagement

process,297–298

setup,296–297

internationalaspects,299–300

interviewingforcybersecurityofficerposition,288–292

legalissues,299

marketyourselfascybersecurityofficer,287–288

securityimplementation,299

EducationAwarenessandTrainingProgram(EATP),185–186,213–214

EINSTEIN2approach,57–58

EINSTEIN3approach,58–59

Electroniccommerce,77

Electronicmail,76

Engagement

process,297–298

setup,296–297

Environment,changing,305

“Errorsandomissions”,293

Ethicsissues,274–275

businessperson,275–276

committingcrimes,275

standardsofbehavior,276

unethicalbehavior,277

EuropeanUnion(EU),53

F

FederalEnterpriseNetworkmanagement,57

Federalroleinextendingcybersecurity,61–62

Firmwareevaluation,189–191

First-generationwarfare,250

Formalprojectmanagementtechniques,136

FrameworkCore,25–26

FutureShock,15–16

G

GII,SeeGlobalinformationinfrastructure(GII)

GIW,SeeGlobalinformationwarfare(GIW)

Globalbusinessandmanagementenvironment,28

businessmanagersandcybersecurity,42

companymanagers,43

corporatemanagement’sknowledge,42


principles,44

responsibilities,43

casestudy,33,33b

changes,28

company

managers,44–45

team,29

business,31

competitiveadvantagethroughcybersecurityprogram,39

cybersecurityofficerasbusinessmanager,40–41

examples,39

cybersecurity

function,29

officer,28–29,32

professionals,45

program,31

growingnetworks,28

Internet,30

ISPs,29–30

managementresponsibilitiesandcommunicatingwithmanagement,33–34

additionalchoices,36

businessmeetings,38

company’scultureandpolicies,34

consequences,35

cybersecurityofficer,34,37–39

cybersecurity-associatedrisks,35

decisions,34,36–37

document,38

excellentgesture,35

InfoSec,36

problemanddecisiontomanagement,35

risks,34

“touchy-feelydon’t-hold-me-responsible”management,39

“oldiesbutgoodies”programs,30

OODAloop,32

service,support,andbusinessorientation,41–42

telecommunicationsbusinesses,29

WorldWideWeb,30

Globalcorporation,cybersecurityofficerin,106

CIO,107

corporateculture,107–108

managementblankcheck,108

Globalinformationinfrastructure(GII),10,28,72,77

Globalinformationwarfare(GIW),89,251

SeealsoInformationwarfare(IW)

freemarketeconomy,253

Internet,252

IW,252–254

Globalnervoussystem,13,75

Globaltrends,306

impactofglobalization,307

newchallengestogovernance,308

pervasiveinsecurity,309

policyimplications,309–310

transmutinginternationalterrorism,309

Globalizationimpact,307

Gopher,76

Government-widecyberCIplan,60

H

Hackers,92,99

tools,80

Handgun,78

Hardwareevaluation,189–191

healthcare.gov,94

Hightechnology,66

SeealsoTechnology

AEA,70

BLS,71

electronicinventions,68,68t

factors,69

industryclassifications,70

industry-baseddefinitions,69

inventions,67

Microprocessor,71–72

Moore’slaw,72–73

OneSource,71

revolutionsandevolutionsin,65–66

RFA,70

sharingofinformation,66

technologicallydriveninventions,67–68

technology-driventransition,67

toolsincybersecurity,82–84

transitionperiod,66–67

twentiethcenturyhigh-technologydevelopmentsandevents,74–75

twentieth-centurytechnologicaldevelopmentsandevents,68–69

High-technologycrimepreventionprogram(HTCPP),237

High-technologycrimes

SeealsoCybersecurityfunctions

CIO,236

computerforensics,238–240

cybersecurityofficer,235–236

Directorand,238

dutiesandresponsibilities,236–237

HTCPP,237

violationsoflaws,238

lawenforcement,240–242

NCIs,236

High-technology-drivencommunications,79–80

High-technology-drivenphenomenon,78–79

HR,SeeHumanResources(HR)

HTCPP,SeeHigh-technologycrimepreventionprogram(HTCPP)

Humanfactor,24–26

HumanResources(HR),141

I

IAPPD500–1,SeeInformationAssetsProtectionPolicyDocument500–1(IAPPD500–1)

IE,SeeInformationenvironment(IE)

IMs,SeeInstantmessages(IMs)

IndustrialAge,12

Info-warriors,89

Information

assurance,263

categories,181–182

InformationAge,12

information-basedprocesses,263

superiority,267

value,180,182

businessinformationtypesandexamples,183–184

timefactor,183

InformationAssetsProtectionPolicyDocument500–1(IAPPD500–1),142,145–146

Informationenvironment(IE),132,151,251,263

breakdownsin,261

components,260

Informationoperations(IO),266

Informationsecurity(InfoSec),36,106,263–264

SeealsoCybersecurity

Informationsystem(IS),264,268

Informationtechnology(IT),104,136–137,202,254

Informationwarfare(IW),91,95,247,252,264

forattainingandmaintainingcompetitiveadvantage,268–269

business,256–257

CKO,270

COTSsoftware,258–259

goalsandobjectives,269–270

governmentorganization,257–258

information,259–260

KM,271–272

levelsandfunctions,257

NCB,271

inpocketbook,254

defensiveattacks,255–256

high-profileevents,255

possibilities,248

aircraftpilots,249

localpowercompanies,249

“LocustSwarm”program,248

waterpumpingstations,250

TOR,261

C2W,263

cyber,262

decision-makeract,264–265

defensiveIW,266

informationsuperiority,267

IW-relatedenvironment,263

KM,264

militarypsychologicaloperations,265

NSTISSC4009,268

warfare,250

generations,250–251

InfoSec,SeeInformationsecurity(InfoSec)

INFOSEC,SeeNationalInformationSystemsSecurity(INFOSEC)

Instantmessages(IMs),79

Intel’sPentiumIII,83

Internaluseonlyinformationtypes,183

InternationalSecurityinCyberspace,53

Internet,17,30,52,75

annihilationoftimeandspace,77–78

ARPA,75–76

communicationtechnologies,76

cyberspaceandGII,77

electroniccommerce,77

future,311

globalnervoussystem,75

handgun,78

impact,17–19

Internet-enabledcommunications,15

organizationalimpacts,19–20

protocols,76

toshareinformation,20–21

society’sstruggles,78

WorldWideWeb,77

Internet,Birthof,13–15

InternetGovernanceDevelopments,53

Internetserviceproviders(ISPs),29,78

Interviewingforcybersecurityofficerposition,288

cybersecurity

officerportfolio,290

plan,290

interviewprocess,292

interviewees,289

Intrusiondetectionsystemdeployment,57–58

Intrusionpreventionsystemsdeployment,58–59

IO,SeeInformationoperations(IO)

IS,SeeInformationsystem(IS)

ISPs,SeeInternetserviceproviders(ISPs)

IT,SeeInformationtechnology(IT)

IW,SeeInformationwarfare(IW)

K

“Keepitsimple,stupid”principle(“KISS”principle),147,206

KnowledgeAge,8–9

Knowledgemanagement(KM),264,271–272

L

LANs,SeeLocalareanetworks(LANs)

Laws,24–26

enforcement,240–242

Leadership

needforenlightenedanddedicated,305–306

position,110

providingcybersecurityserviceandsupport,110–111

usingteamconcepts,111–112

“Leap-ahead”technology,60–61

Legalissues,24–26

Level-of-effort(LOE),202–203,225–226

Liabilityissues,279–280

Link-analysismethodology,228

Linkingcybersecurityprogram,228–230

Litmustest,252

Localareanetworks(LANs),188

“LocustSwarm”program,248

Locustsprogram,250

LOE,SeeLevel-of-effort(LOE)

Logicbombs,82

M

Managementblankcheck,108

Message,83

Metric(s),202

analysis,230–231

cybersecurityprogramlevelofeffortdrivers,207

chartinglevelofeffortthroughnumberofsystemusers,208–209

grantingusersaccesstosystems,210–211

significanceofsystemuserschart,209–210

projectmanagement,218–221

Metricscharts,211

cost-avoidancemetrics,215

cybersecurityprogram

EATP,213–215

testsandevaluations,212–213

managementanddownsizing,215

foregoing,218

informationandinformationsystems,217

subchart,216

Microdot,83

Microprocessors,7–8,71–72

Mission

datapackages,97

statements,112–113

Moore’slaw,72–73

Multiprongedapproach,61

N

NationalCybersecurityCenter,59–60

Nationalinformationinfrastructure(NII),11,28

NationalInformationSystemsSecurity(INFOSEC),267

NationalSecurityAgency(NSA),58–59,97

NationalSecurityPresidentialDirective54/HomelandSecurityPresidentialDirective23(NSPD-54/HSPD-23),56

NCB,SeeNetwork-centricbusiness(NCB)

NCIs,SeeNoncomplianceinquiries(NCIs)

Netspionageagents,84

Network-centricbusiness(NCB),270–271

NIC,SeeU.S.NationalIntelligenceCouncil(NIC)

NII,SeeNationalinformationinfrastructure(NII)

Noncomplianceinquiries(NCIs),194,217,236

NSA,SeeNationalSecurityAgency(NSA)

NSTISSC,SeeU.S.NationalSecurityTelecommunicationsandInformationSystemsSecurityCommittee(NSTISSC)

O

Observe–orient–decide–actloop(OODAloop),32

OctopusConference,54

Off-ramp,16

Off-sitecybersecurityprogramorganizations,159–160

OffensiveIO,266

Offensive–defensivecyberattacks,310

On-ramps,16

OneSource,71

One-yearreview,224

LOEactivities,225–226

projects,226–227

OODAloop,SeeObserve–orient–decide–actloop(OODAloop)

Operationssecurity(OPSEC),267–268

Organizationalresponsibilities,115

cybersecurityofficer’sformaldutiesandresponsibilities,116

accountabilities,116–117

cybersecurityofficerposition,116


P

P4,SeePlans,processes,policies,andprocedures(P4)

PDAs,SeePersonaldigitalassistants(PDAs)

People’sLiberationArmy(PLA),93

People’sRepublicofChina(PRC),93

Personaldigitalassistants(PDAs),132

Personalinformation,181

Personalleader,110

Pervasiveinsecurity,309

PLA,SeePeople’sLiberationArmy(PLA)

PlanX,95

Plans,processes,policies,andprocedures(P4),133

PLCs,SeeProgrammablelogiccontrollers(PLCs)

Policyimplications,309–310

PRC,SeePeople’sRepublicofChina(PRC)

Preemptivestrikes,255–256

Privacyissues,273–274

Privateinformation,181

Privateinformationtypes,184

Processorserialnumber(PSN),83

Programmablelogiccontrollers(PLCs),90

Project(s),226–227

chart,219–221

management,114–115,218

CIO,219

cybersecurityofficer,221

projectchart,219–221

PSN,SeeProcessorserialnumber(PSN)

Q

Qualitystatements,112–114

R

R&D,SeeResearchanddevelopment(R&D)

Radiofrequencyspectrum(RFspectrum),256–257

Recruitingcybersecurityprofessionals,168–171

in-housecybersecuritycandidatesidentification,170

outsidecybersecuritycandidatesidentification,171

“Regin”malware,91

RegionalFinancialAssociates(RFA),70

Regularemployees,43

Regulations,24–26

Requirementsidentificationfunction,184–185

Researchanddevelopment(R&D),59

Returnoninvestment(ROI),269

RFspectrum,SeeRadiofrequencyspectrum(RFspectrum)

RFA,SeeRegionalFinancialAssociates(RFA)

Riskmanagement,115,191

process,190

process,191–192

program,191

recommendationstomanagement,192

reports,192–193

RoadMapforInternet,16–17

ROI,SeeReturnoninvestment(ROI)

S

SamsungElectronics,97

SBP,SeeStrategicbusinessplan(SBP)

Second-generationwarfare,251

SecretService,97

Securityimplementation,299

Securitytestsandevaluations(ST&E),193,212–213

Security—defensiveapproach,304–305

Seniorcorporateandgovernmentleadership,303

Seniorleadership,303

Sensitiveinformation,132,184

SIC,SeeU.S.StandardIndustrialClassifications(SIC)

Softwareevaluation,189–191

SouthAmerica,54

Spyagency,98

Spyware,94

ST&E,SeeSecuritytestsandevaluations(ST&E)

Stand-alonemicrocomputers,208

Standards,24–26

ofconduct,278–279

Steganography,83

software,84

Strategicbusinessplan(SBP),135,151

Stuxnet,90

Subordinateorganizationsdevelopment,156–160

cybersecurityprogram

accesscontrolandcompliance,157–158

policyandriskmanagement,158–159

off-sitecybersecurityprogramorganizations,159–160

SyrianTwitter,92

T

Tacticalbusinessplan(TBP),135,151

Teamleader,110

Technology,63–64

SeealsoHightechnology

fromcavemantocybersecurityprofessionalandinformationwarrior,64–65

revolutionin,63

Telecommunications,196–197

businesses,29

Termsofreference(TOR),261

informationwarfare,261

C2W,263

cyber,262

decision-makeract,264–265

defensiveIW,266

informationsuperiority,267

IW-relatedenvironment,263

KM,264

militarypsychologicaloperations,265

NSTISSC4009,268

TICinitiative,SeeTrustedInternetConnectionsinitiative(TICinitiative)

Timefactor,183

Tofflers’modeloftechnologicalevolution,11

Topic-orientedinformationassetsprotectionpolicydocuments,147

TOR,SeeTermsofreference(TOR)

“Touchy-feelydon’t-hold-me-responsible”management,39

Traf-O-Data,74

Transmutinginternationalterrorism,309

Trojanhorses,81–82

TrustedInternetConnectionsinitiative(TICinitiative),57

Turfbattles,43

TuringTest,96

Twenty-firstcenturytechnology,84–86

U

U.K.CyberSecurityStrategy,98

U.S.BureauofLaborStatistics(BLS),70–71

U.S.DepartmentofDefense(DoD),251

U.S.DepartmentofHomelandSecurity,95

U.S.federalgovernmentcomputersecuritystandards,302

U.S.NationalIntelligenceCouncil(NIC),306

U.S.NationalSecurityTelecommunicationsandInformationSystemsSecurityCommittee(NSTISSC),267

U.S.StandardIndustrialClassifications(SIC),69

U.S.–EUCyberSecurity-RelatedCooperation,53

UnitedStates,55–57

US-CERT,57–58

Usenetnewsgroup,76

V

Valuinginformation,179,182

corporateinformationvaluedetermination,179–180

importanceofdetermination,180–181

informationvalue,180

categories,181–182

determination,182–184

questions,184

types,182

Viruses,80–81

Visionstatements,112–113

Vulnerability,267

W

Waterpumpingstations,250

Webster’sDictionary,239

Whistleblower,277

Work,287b

WorldWideWeb(Web),14,76–77

Worms,81

Documents

The Information Systems Security - Senayanperpustakaan.fmipa.unpak.ac.id/file/2016 3rd-ed The... · Going beyond Three Blind Men Describing an Elephant: Information Warfare Terms