The Information Systems Security Officer's Guide
Establishing and Managing a Cyber Security Program
Third Edition
Dr. Gerald L. Kovacich

Table of Contents

Cover image
Title page
Copyright
Dedication
About the Author
Preface
Acknowledgments
Introduction

Section I. The Working Environment of the Cyber Security Officer
Introduction

Chapter 1. Understanding the Past and Present Cyber-Information World Environment
Ah, the Good Ol' Days!
Global Information Infrastructure
National Information Infrastructure
How Did We Get from Adam to the Internet?
Changing Criminal Justice Systems
The Human Factor
Summary

Chapter 2. Understanding the Past and Present Global Business and Management Environment
The Changing Business and Government Environments
Understanding the Business Environment
Management Responsibilities and Communicating with Management
Creating a Competitive Advantage through a Cyber Security Program
Service, Support, and a Business Orientation
Business Managers and Cybersecurity
What Company Managers Should Ask of Their Cyber Security Professionals
What Cyber Security Professionals Should Do
Questions to Consider
Summary

Chapter 3. An Overview of Related World Views of Cyber Security
Evolution of Laws, Standards, Policies, and Procedures
Global via the UN
The EU
Asia
South America
Africa
Canada
United States
Summary

Chapter 4. A Glimpse at the History of Technology
What Is Technology?
From Cave Man to Cyber Security Professional and Information Warrior
Revolutions and Evolutions in High Technology
From the Twentieth Century to Today: Technology and the Advent of High Technology
The Internet
The High-Technology-Driven Phenomenon
Faster and More Massive High-Technology-Driven Communications
The Beneficial Effect of Hacker Tools and Other Malicious Software on Network Security with Dual Roles as Cyber Security Tools
Other High-Technology Tools in Cyber Security
Welcome to the Twenty-First-Century Technology
Summary

Chapter 5. Understanding Today's Threats in the Cyber Vapor—"War Stories" from the Front Lines
Reported Digital Battlefield Attacks and Related Stories
Summary

Section II. The Duties and Responsibilities of a Cyber Security Officer
Introduction

Chapter 6. The Cyber Security Officer's Position, Duties, and Responsibilities
Introduction
The Cyber Security Officer in a Global Corporation
Cyber Security Officer Duties and Responsibilities
Goals and Objectives
Leadership Position
Vision, Mission, and Quality Statements
Cyber Security Principles
Project and Risk Management Processes
Cyber Security Officer and Organizational Responsibilities
Summary

Chapter 7. The Cyber Security Program's Strategic, Tactical, and Annual Plans
Introduction
Corporate's Cyber Security Strategic Plan
Corporate's Cyber Security Tactical Plan
Cyber Security Annual Plan
Questions to Consider
Summary

Chapter 8. Establishing a Cyber Security Program and Organization
Introduction
Corporate Cyber Security Program
Cyber Security Officer Thought Process in Establishing the Cyber Security Organization
Questions to Consider
Summary

Chapter 9. Determining and Establishing Cyber Security Functions
Introduction
Processes
Valuing Information
International Widget Corporation (IWC) Cyber Security Program Functions Process Development
Cyber Security Officer's Cyber Security Program Functions
Access Control and Access Control Systems
Evaluation of All Hardware, Firmware, and Software
Risk Management Program
Security Tests and Evaluations Program
Noncompliance Inquiries
Contingency and Emergency Planning and Disaster Recovery Program
Questions to Consider
Summary

Chapter 10. Establishing a Metrics Management System
Introduction
Metrics 1: Cyber Security Program Level of Effort Drivers—Number of Users
Examples of Other Metrics Charts
Project Management
Questions to Consider
Summary

Chapter 11. Annual Reevaluation and Future Plans
Introduction
One-Year Review
Cyber Security Program Strategic, Tactical, and Annual Plans
Linking Cyber Security Program Accomplishments to Corporate Goals
Metrics Analysis
Planning for Next Year
Questions to Consider
Summary

Chapter 12. High-Technology Crimes Investigative Support
Introduction
Duties and Responsibilities of a Cyber Security Officer in Deterring High-Technology Crimes
Assisting with Computer Forensics Support
Dealing with Law Enforcement
Questions to Consider
Summary

Section III. The Global, Professional, and Personal Challenges of a Cyber Security Officer
Introduction

Chapter 13. Introduction to Global Information Warfare
The Possibilities
Introduction to Warfare
Four Generations of Warfare
Introduction to Global Information Warfare
Information Warfare Will Hit You in Your Pocketbook
Business Is War
IW Broadly Encompasses Many Levels and Functions
What IW Is… and Is Not
Being Prepared - Bad Things Will Happen
The Possible Breakdowns in an Information Environment
Going beyond Three Blind Men Describing an Elephant: Information Warfare Terms of Reference
Information Warfare Is a Powerful Approach for Attaining and Maintaining a Competitive Advantage
How to Use IW to Achieve Goals and Objectives
Coherent Knowledge-Based Operations
Network-Centric Business
Knowledge Management
Summary
Note

Chapter 14. The Cyber Security Officer and Privacy, Ethical, and Liability Issues
Introduction to Privacy Issues
Introduction to Ethics Issues
Codes of Ethics
Corporate Ethics, Standards of Conduct, Business Practices, and Corporate Values
Liability Issues
Questions to Consider
Summary

Chapter 15. A Career as a Cyber Security Officer
Introduction
The Cyber Security Officer's Career Development Program
Education
Questions
Summary

Chapter 16. A Look at the Possible Future
Surviving into the Future
New Old Approach to Security—Defensive Approach
The Changing Environment
The Need for Enlightened and Dedicated Leadership
Global Trends
Offensive–Defensive Cyber Attacks
The Future of the Internet
Questions
Summary

Index
Copyright

Butterworth-Heinemann is an imprint of Elsevier
The Boulevard, Langford Lane, Kidlington, Oxford OX5 1GB, UK
225 Wyman Street, Waltham, MA 02451, USA

Copyright © 2016, 2003, 1998 Elsevier Inc. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or any information storage and retrieval system, without permission in writing from the publisher. Details on how to seek permission, further information about the Publisher's permissions policies and our arrangements with organizations such as the Copyright Clearance Center and the Copyright Licensing Agency, can be found at our website: www.elsevier.com/permissions.

This book and the individual contributions contained in it are protected under copyright by the Publisher (other than as may be noted herein).

Notices

Knowledge and best practice in this field are constantly changing. As new research and experience broaden our understanding, changes in research methods, professional practices, or medical treatment may become necessary.

Practitioners and researchers must always rely on their own experience and knowledge in evaluating and using any information, methods, compounds, or experiments described herein. In using such information or methods they should be mindful of their own safety and the safety of others, including parties for whom they have a professional responsibility.

To the fullest extent of the law, neither the Publisher nor the authors, contributors, or editors, assume any liability for any injury and/or damage to persons or property as a matter of products liability, negligence or otherwise, or from any use or operation of any methods, products, instructions, or ideas contained in the material herein.

ISBN: 978-0-12-802190-3

British Library Cataloguing in Publication Data
A catalogue record for this book is available from the British Library

Library of Congress Cataloging-in-Publication Data
A catalog record for this book is available from the Library of Congress

For information on all Butterworth-Heinemann publications visit our website at http://store.elsevier.com/
Dedication

To all the cyber security officers and information warriors fighting the good fight against all odds.
About the Author

Dr. Gerald L. Kovacich graduated from the University of Maryland with a bachelor's degree in history and politics with emphasis in Asia, the University of Northern Colorado with a master's degree in social science with emphasis in public administration, Golden Gate University with a master's degree in telecommunications management, the DOD Language Institute (Chinese Mandarin), and August Vollmer University with a doctorate degree in criminology. He was also a Certified Fraud Examiner, Certified Protection Professional, and a Certified Information Systems Security Professional.¹

Dr. Gerald L. Kovacich has more than 40 years of experience in industrial security, investigations, information systems security, and information warfare as a special agent in the U.S. government; a technologist and manager for numerous technology-based international corporations; and an information systems security officer, security, audit, and investigations manager, and consultant to U.S. and foreign government agencies and corporations. He has also developed and managed several internationally based information systems security programs for Fortune 500 corporations and managed several information systems security organizations, including providing service and support for their information warfare products and services.

Dr. Gerald L. Kovacich has taught both graduate and undergraduate courses in criminal justice, technology crimes investigations, and security for Los Angeles City College, De Anza College, Golden Gate University, and August Vollmer University. He has also lectured internationally and presented workshops on these topics for national and international conferences, as well as writing numerous published articles on high-tech crime investigations, information systems security, and information warfare, both nationally and internationally. He has written more than 100 security-related articles that have been published in various international magazines.

Dr. Gerald L. Kovacich currently spends his time on Whidbey Island, Washington. He continues to conduct research, write, consult, and lecture internationally on such topics as:
• Global and nation-state information systems security;
• Corporate information systems security;
• Corporate and government fraud;
• Corporate security;
• High-tech crime investigations;
• Information assurance;
• Proprietary information protection;
• Espionage – including "Netspionage," economic, and industrial; and
• Information warfare – offensive and defensive.

He is also the founder of ShockwaveWriters, an informal association of trusted cyber security and global information warfare professionals, writers, researchers, and lecturers who concentrate on these topics. He can also be found on LinkedIn.

Dr. Gerald L. Kovacich has begun to expand his writings into the world of poetry and fiction. I guess this is what happens when one "matures" in age and longs for writing genres other than that of the security realm. All his writings can be found on the usual Web sites, for example, amazon.com.

Other Books Authored or Coauthored by Dr Gerald L. Kovacich
1. Information Systems Security Officer's Guide: Establishing and Managing an Information Protection Program (Elsevier; 1998; ISBN: 0-7506-9896-9), Kovacich
2. Information Systems Security Officer's Guide: Establishing and Managing an Information Protection Program (second edition; Elsevier; 2003; ISBN: 0-7506-7656-6), Kovacich
3. High-Technology Crime Investigator's Handbook: Working in the Global Information Environment (Elsevier; 2000; ISBN: 13: 978-0-7506-7086-9; 10: 0-7506-7086-X), Kovacich/Boni
4. High-Technology Crime Investigator's Handbook: Establishing and Managing a High-Technology Crime Prevention Program (Elsevier; 2006; ISBN: 13: 978-0-7506-7929-9; 10: 0-7506-7929-8), Kovacich/Jones
5. The Manager's Handbook for Corporate Security: Establishing and Managing a Successful Assets Protection Program (Elsevier; 2003; ISBN: 0-7506-7487-3), Kovacich/Halibozek
6. The Manager's Handbook for Corporate Security: Establishing and Managing a Successful Assets Protection Program (Instructor's Manual) (Elsevier; 2005; ISBN: 13: 978-0-750-67038-1; 10: 0-750-67938-7), Kovacich/Halibozek
7. I-Way Robbery: Crime on the Internet (Elsevier; 1999; ISBN: 0-7506-7029-0), Kovacich/Boni
8. Netspionage: The Global Threat to Information (Elsevier; 2000; ISBN: 0-7506-7257-9), Kovacich/Boni
9. Information Assurance: Surviving in the Information Environment (Springer-Verlag; 2001; ISBN: 1-85233-326-X), Kovacich/Blyth
10. Information Assurance: Security in the Information Environment (second edition; Springer-Verlag; 2006; ISBN: 10: 1-84628-266-7; 13: 978-1-84628-266-9), Kovacich/Blyth
11. Global Information Warfare: How Businesses, Governments and Others Achieve Global Objectives and Attain a Competitive Advantage (Auerbach/CRC Press; 2002; ISBN: 0-8493-1114-4), Kovacich/Jones/Luzwick
12. Global Information Warfare: How Businesses, Governments and Others Achieve Global Objectives and Attain a Competitive Advantage (second edition; Auerbach/CRC Press; 2015; 9781498703253), Kovacich/Jones
13. The Corporate Security Professional's Handbook on Terrorism (Elsevier; 2008; ISBN: 978-0-7506-8257-2), Kovacich/Halibozek
14. Mergers and Acquisitions Security: Corporate Restructuring and Security Management (Elsevier; 2005; ISBN: 0-7506-7805-4), Kovacich/Halibozek
15. Fighting Fraud: How to Establish and Manage an Anti-Fraud Program (Elsevier; 2008; ISBN: 978-0-12-370868-7), Kovacich
16. Poems of Life: Thoughts of Human Experiences (AuthorHouse; 2012; ISBN: 978-1-4772-9634-9; 978-1-4772-9633-2; 978-1-4772-9632-5), Kovacich
17. I-Way Robbery: Crime on the Internet (2000; Japanese Translation; http://www.horei.com; ISBN: 4-89346-698-4), Kovacich/Boni
18. High-Technology Crime Investigation (2009; Chinese Translation; http://www.sciencep.com), Kovacich/Jones
19. Fighting Fraud (2010; Russian Translation; Ernst & Young; ISBN: 978-5-903271-31-30), Kovacich
20. The Corporate Security Professional's Handbook on Terrorism: Protect Your Employees and Other Assets against Acts of Terrorism (Elsevier; 2007; ISBN 978-0-7506-8257-2), Jones A, Kovacich G, Halibozek E.

¹ Now retired from all three.
Preface

The purpose of this book is to provide information systems security officers (today often called cyber security officers), professors, students, other security professionals, information warfare specialists, related managers, auditors, and general management an awareness and basic approach to establishing and managing what had been known as an information systems protection program, but is now commonly called a "cyber security" program, for a government agency or international or national corporation. It can also be used by any group wanting to protect its networks and information. It reportedly has been, and can always be, used as a textbook by university professors to teach a basic course on this and related topics, as well as recommended reading for related courses.

It provides, I hope, an easy-to-read, understandable implementation plan for establishing a basis—a foundation—for a cyber security program, especially for those who have little or no knowledge on the topic or how to proceed. It also provides information that can be used by intermediate and advanced professionals, students, and other types of professionals in this and related topics of business security and information warfare, for example, defensive measures.

There are many books on the market related to computer security, information systems protection, cyber security, and the like; however, this is one of the first and best approaching the topic in the manner that it does and is now considered a "classic" since first published in 1998. If not, there wouldn't have been a second and now a third edition.

This book has been updated where deemed appropriate and new chapters have been added, with little or no major change in format, as why mess with a well-selling, popular "classic"?

Just so there is no misunderstanding, this is a basic book on building a cyber security program and a primer on being a cyber security officer. There is much in this edition that is as true today as it was in the first edition back in 1998. Therefore, the basics of it all are still the same, with new stuff added to keep this "classic" up to date.
This third edition, as with the past two editions, will provide the reader with the information to help meet the twenty-first century cyber security and related management challenges.

Keywords, as a minimum, that the reader should know are:
1. Security
2. Cyber security
3. Cyber security officer
4. Computer security
5. Information systems security
6. Information warfare
7. Auditing
8. Managing assets protection
9. Managing information systems organization
10. Managing computer security organization
11. Assets security
12. Audit trails
13. Information protection
14. Privacy
15. Malware
16. Hacker
17. Phishing

As with any book, sometimes the readers are critical. That's fine. Variety is the spice of life, as they say, and everyone is entitled to their own opinion. If one can sit down and discuss cyber security and cyber security officers' responsibilities with the critics it would be great to share information. After all, they may have important points that could be considered when updating the book. However, that is usually not possible.

So, with all that said, let me state for the record what this book is not:

• It is not a book that is the "end all and be all" of a cyber security officer's functions, duties, and responsibilities. The rapid changes in cyber environments, high technology, etc., make such a book impossible to remain current.

Note: In this environment, beware of anyone considering themselves "experts." I, for one, confess I have never considered myself one (although working in the field since 1980) and correct anyone who introduces me as such. Nor will I ever consider myself to be one. Too much to know and all rapidly changing.

• It is not a technical book and does not purport to be—it will not tell you how to install a firewall, for example. The rationale is that there are many good books on the market that cover specific aspects of cyber security, narrowly focused and technical. It is expected that the cyber security officer will read and understand these books as needed based on specific cyber security needs.

In short, this book's goal is to provide a basic overview of the cyber security officer's world, duties, responsibilities, and challenges in the twenty-first century. It is a primer. It is also about the cyber security officer who must establish and manage a cyber security program for an international corporation, although all of the material is applicable to various work environments, such as government agencies or charitable organizations.

This is the third edition of this book and has been updated where appropriate, and where the baseline still fits the current environment, it has only been "tweaked," as what has been provided from the beginning is still valid today. This is primarily relevant to Section II, which is the heart of the book, and the establishment and management of a cyber security (formerly known as InfoSec) program. What was written in the first and second edition is still valid in this third edition. Therefore, it has been modified, but the basics of what is covered have not changed. What has changed is the environment of the world of the cyber security officer. Therefore, that was the focus of the changes in this third edition.

It was written because over the years many associates and I had to establish and manage such organizations and found no primer to guide us. So, over the many years that I have been involved in various aspects of security, eventually focusing on cyber security—and its related functions since about 1980—I think I have developed a basic approach that has been successful. Others who have read this book, who have listened to my lectures based on what became this book, and whom I have mentored over the years have agreed with me. It also successfully worked for me when I had to establish a basic program for a corporation or government agency, from aerospace to Wall Street to the Pentagon, as well as being a consultant.

So, if you are a cyber security "techie," "engineer," or the like and looking for the Holy Grail of information assets protection or cyber security, that is not what this book is about. However, if you want a cyber security officer career, want to know what the cyber security officer's profession is all about—especially from a management perspective—and want to be able to build a foundation for a successful cyber security program and organization, then yes, this book is for you.

This book was also written for non-cyber security professionals in management positions who are responsible overall for a government agency or business and therefore its assets protection–cyber security program. These professionals should also know what the cyber security profession is all about and the basics of information-related computers and networks processing, transmitting, and storing information, data, knowledge, or whatever term suits them. Why? Because they manage a business, and today a successful business must include a cyber security program if it is to avoid disasters, since technology, for example, networked computers, is an integral part of a business these days.

This book can also be used as a textbook or "recommended reading" for university courses related to general security, assets protection, cyber security, information systems security, or information warfare (although my coauthored book on Global Information Warfare, first and second editions, may better serve the reader's purpose).

I hope you enjoy it. After reading it, please drop me an e-mail through my publisher and let me know:
• Any questions you may have;
• What you liked about it;
• More importantly, what you didn't like;
• Why you liked or disliked it;
• What ideas presented were most important to you;
• Your implementation of some of the ideas presented, and your result; and
• What I should include or cover differently in a fourth edition.

After all, I want you to be able to use this book in the real world of global information sharing, cyber warfare, and cyber security battles. All feedback is welcome.

Thanks!
Jerry
Dr. Gerald L. Kovacich, ShockwaveWriter
Whidbey Island, Washington, USA
Acknowledgments

Writing a book is only part of bringing a book to you, the reader. As with any book project of this magnitude, to carry out a project such as this, it takes more than just the author. It takes friends, professional associates, and others who unselfishly give of their time and effort to help make the author's writing life easier and his or her books worth publishing.

I am also very grateful to a special group who over the years have supported, encouraged, and assisted me time and again with such projects as this, including the following friends, associates, and colleagues:
• Motomu Akashi, my mentor and a great sage; rest in peace my dear friend.
• Ed Halibozek, security professional, professor, writer and consultant, former fellow aerospace colleague, and longtime friend.
• Dr. Andy Jones, cyber security and InfoWar professional, professor, writer and consultant, and also a great friend.
• William Boni, vice president and corporate security information officer, T-Mobile Corporate, a friend for almost longer than the Internet has been around.
• Winn Schwartau, The Security Awareness Company, a good friend.
• Steve Lutz, CEO, WaySecure, fellow professional and longtime friend.
• To the staff and ISSO-3 project team of Elsevier Butterworth–Heinemann, led by Tom Stover and including Hilary Carr and Mohanapriyan Rajendran, thanks for the time, effort, and support in making ISSO-3, and my other BH books, a reality and success. Without your support and guidance this book truly could not have been written.
Introduction
Muchhashappenedandyet,littlehaschanged!1
Therearemanydebatesastowheretheinformationandinformationsystemssecurity(InfoSec),nowgenerallyreferredtoascybersecurity,andtheinformationsystemssecurityofficer(ISSO),nowcommonlyreferredtoasthecybersecurityofficer,positionfitinacompanyorgovernmententity.Somebelievetheybelongintheinformationtechnology(IT)department,otherssaytheybelonginthesecuritydepartment.Othersbelievethepositionshouldreporttothecorporateexecutiveofficer(CEO),corporateinformationofficer(CIO),orsomelevelofexecutivemanagementotherthanthetwomentioned.
TheITpeoplemaywantcontrolofthecybersecurityfunctionsothattheycanensurethatitdoesnothampertheirITfunctions—inotherwords,diluteitsauthority—andovertheyearshavebeensuccessful,andweallknowhowwellthathasbeenworking.
Acorporatesecuritymanagermaywantthefunctiontobesurethesevaluableassets,likeotherassetswhoseprotectionistheresponsibilityofthesecuritydepartment,areproperlyprotected.
Someofmyfriendsandfellowcybersecurityandbusiness/governmentsecurityprofessionals,withdifferentbackgroundsandcybersecurityresponsibilitiesoverthemanyyearstheyhavebeeninthebusiness,sharetheirviewsoncybersecurityandthecybersecurityprofession,environment,andfunctions.Theyare:
•EdHalibozek,securityprofessional,professor,writer,andconsultant;
•Dr.AndyJones,cybersecurityandInfoWarprofessional,professor,writer,andconsultant;
•WilliamC.Boni,VicePresidentandCorporateSecurityInformationOfficer,T-MobileCorporate;
•SteveLutz,CEO,WaySecure,fellowprofessionalandlong-timefriend.
WhatOtherCyberSecurityProfessionalsHavetoSayWilliamC.BoniInformationsecurityisoneofthefastestgrowingprofessionsatthistime.ThecombinationoftheterroristattacksofSeptember11,2001,andtheincreasinglycriticalroleofinformationsystemsandtechnologyinglobalbusinesshavecontributedtothatincrease.Asthisbookwasbeingwritten,theInternetwassubjectedtoanattackagainstthecoreinfrastructure,terroristsandnation-statesarereportedtobehoningtheirskillsforfuturecyberattacks,andcriminalsaresiphoningoffprofitsfromelectroniccommercesystemsaroundtheglobe.Therehasneverbeenagreaterneednorgreaterappreciationoftheneedforcapable,skilledinformationsecurityprofessionalstoguardthefrontiersofbusinessesandnations.
Yet,astheimportanceofinformationsecurityhasincreased,thefieldhasbecomecrowdedwith“instantexperts.”Manyofthosewhonowcallthemselves“experts”owetheircurrentnotorietytosomespecifictechnicalskillortoshortperiodsoftimeinconsultingorvendororganizations.Mostwhopublishbooksandarticlesoninformationsecurityhaveneverbeenaccountableforprotectingmajororganizationsagainstthedizzyingarrayofrisksnordealtwiththeharshrealitiesofdoingsointhecontextofcorporatecultures,politics,andthegrindofdailyoperations.
Incontrast,youholdinyourhandsabookcontainingthedistilledwisdomof40 yearsofpracticalexperiencefromoneoftheoriginalleadersininformationsecurity.Dr.GeraldL.Kovacich,“Jerry”tohismanyfriendsandadmirers,hasspentalifetimedevelopingandperfectingthematerialsthatarethecorecontentofthisbook.Theoriginalhasheldupovertheyearspreciselybecauseitis“technologyindependent.”Theassumptionisthatthereaderhaseitherattainedalreadyorcanobtain,fromotherbooks,courses,andseminars,thetechnicalskillstoworkintheinformationsecurityfield.
Therefore,ifyouarelookingfortechnicalsolutionstothecurrentorlatestsetofacronymchallenges,thenthisisnotthebookyouwanttobuy.However,ifyouareaninformationsecurityprofessionalseekingtounderstandwhatittakestobesuccessfulasamanagerandtobecomealeaderinyourorganizationandultimatelyintheprofession,thenyouhavetherightbook.
Studentsconsideringtheircareeroptions,aswellasprofessionalsinotherbutrelatedfieldssuchasIT,physicalsecurity,orITaudit,willalsofindtheinformationpresentedsoartfullybyDr.GeraldL.Kovacichtobeofgreatvalue.Readersfromallthesebackgroundswillfindthisbookexpandstheirknowledgeofthemanyactivitiesinvolvedinestablishingandsustaininganorganization’sinformationsecurityprogram.
Thisupdatedandexpandededitionbuildsuponthecontentthatmadetheoriginalvolumeoneofthebest-sellingsecuritybookseverpublished.WhattheGuidedoesthatisdifferent,perhapsuniqueintheinformationsecurityfield,iscoach,mentor,andtutorthe
readerinthevariousmanagerialandoperationalskillsthatwillensureamoresuccessfulandultimatelymoresatisfyingcareer.
FrommypersonalexperienceIcantestifytothepracticalwisdomthatiscapturedinthesepages.IoweasignificantpartofmyprofessionalsuccessandachievementtoactuallyapplyingmanyofthemethodsandtechniquesdescribedintheoriginalGuide.OverthepastsixyearsIhaverecommendedthepreviouseditiontocountlessaspiringinformationsecurityprofessionals,andnotewithsatisfactionthatmanyfoundthecontenttobekeytotheirsuccessfulparticipationintherapidlyburgeoninginformationsecurityprofession.
Understandthatakeenappreciationandlifelongcommitmenttoinformationtechnologywillberequiredforsuccessasaninformationsecuritypractitioner.However,muchasthatbackgroundisnecessary,italoneisnotsufficientforprofessionalsuccessandpersonalsatisfaction.Thosewhoaspiretoleadershipandseektobecomethemanagers,directors,andvicepresidentsofinformationsecurityinthefuturewillenjoyandlearnmuchintheGuidethatwillsupporttheirsuccess.Ibelievetheywillfind,asIhave,thatDr.GeraldL.Kovacichhasprovidedthemwithknowledgethatbetterpreparesthemforthechallengesofmanagingtheseimportantresponsibilities.
EdHalibozekMakenomistakeaboutit.Informationsecurityiscriticaltothesuccessofabusiness.Whethertheenterpriseisforprofitornotforprofit,protectinginformationisanessentialpartofmanaginginformationandinformationsystems.Moderncompanies,corporations,andgovernments,fortheirsuccessandsurvival,aredependentuponinformation:informationthatiscreated,processed,stored,andshared.Yettheactofcreating,processing,storing,andsharinginformationmakesthatsameinformationvulnerabletoloss,manipulation,theft,ordestruction.
Whetherinformationconcernsanewproductortechnology,aproprietaryprocess,abusinessplan,acustomerordonorlist,ormilitaryoperations,informationhasvaluetoitsowner.Thatsameinformationmayalsohavevaluetocompetitors,criminals,orenemies.Somewilltakeboldmeasurestoobtaininformation.Otherswillrelyonthefailureoforganizationstoadequatelyprotecttheirownsensitiveandproprietaryinformation,makingiteasyforunauthorizedcollectionanduse.Afewwillseektoobtaininformationanywaythattheycan,usinglegitimateorillegitimatemeans.
Theveryinformationthatcontributestotheviabilityandsuccessofanenterprise,ifunprotectedandfoundinthepossessionofcompetitorsorenemies,maycausethelossofacompetitiveedgeortheembarrassmentofexposureor,intheeventofmilitaryoperations,mayplacewarfightersin“harm’sway.”Thus,protectingtheavailability,confidentiality,andintegrityofinformationisanessentialtask.
Inthisbook,Dr.GeraldL.Kovacichaddressesthequestion,“IsthepositionofanISSOnecessary?”Bluntly,unlessyourgoalisfailure,theanswerisclearly“Yes.”Protectinginformationisnotaneasytask.Somuchinformationresidesonsophisticatedand
complicatedinformationsystemslinkedinlocalandwideareanetworks.Toeffectivelyandefficientlyprotectinformationandinformationsystemsrequirestheskillsanddedicationofasecurityprofessional:anISSO.
TheISSOmustbeskilledinthedisciplinesofmanagement,security,andinformationsystems;mustbecapableofconvincingothersoftheneedtoprotectinformation;andmustunderstandthatprotectinginformationismoreaboutriskmanagementthanitisaboutriskavoidance.TheISSOneedstounderstandhowinformationisusedinthecontextoftheworldandbusinessenvironmentinwhichweoperate.Thisincludesunderstandingthreatsandwheretheycomefrom,suchascompetitors,detractors,enemies,opportunists,and“badguys.”
AskilledISSOisessentialtoanyenterprise.However,anISSOisnottheonlyanswerorsolution.UnderstandthattheISSOisnotanübermensch.TheISSOalonecannotdoeverythingthatneedstobedonetoprotectinformation.TheISSOmustbecapableofbringingtogetherdiversepersonswithdivergentinterestsinanefforttodevelopaprotectionprofilefortheenterprise.Inthisbook,Dr.GeraldL.Kovacichprovidesthearchitecturetodojustthat.Heprovidesaframeworkforestablishinganeffectiveinformationprotectionprogram.
RegardingthedebateastowhereanISSOshouldreportintheorganizationhierarchy…stop!Nowisnotthetimefordebate.Nowisthetimetoact.Informationsecurityisseriousbusiness.Theprotectionofinformationisjustasseriousasthemanagementofinformation.Intoday’sorganizationsmostcompanyinformationisprocessed,stored,displayed,andtransmittedonandoverinformationsystems.CIOsareskilledexecutivesemployedtoensurethatinformationsystemsareeffectivelymanaged,meetingtheneedsoftheenterpriseandmakinginformationavailabletoallusers.Protectingthisinformationanditsavailability,integrity,andconfidentialityisjustasimportant.Askilledexecutiveisneededtoaccomplishthis—acorporatesecurityofficer(CSO).TheCSOissomeoneknowledgeableinmattersofsecurity,informationprotection,informationsystems,andbusinessmanagement.TheCSOshouldbeindependentoftheCIOandreportdirectlytotheCEOorcorporateoperationsofficer.SeparatingtheCIOfunctionfromtheCSOfunctionisimportant,astheneedtoprotectinformationisofteninconflictwiththeneedtoshareanddisseminateinformation.TheISSOshouldeitherreporttotheCSOorbetheCSO.
Let’sendthediscussionontheneedforinformationprotectionandtheneedforanISSO.OnewouldhavetobearesidentofPlato’scavetonotrealizethatinformationiscriticaltoabusinessandrequiresprotection.Let’sshiftourfocustounderstandingjustwhatrequiresprotection,howitshouldbeprotected,andfromwhom.UsingthisbookbyDr.GeraldL.Kovacichisaverygoodbeginning.
Dr.AndyJonesTheroleoftheISSOhasneverbeenofgreaterimportancethanintheenvironmentinwhichwecurrentlyfindourselvesandwhichweanticipateforthefuture.
Asorganizationsandcompaniescontinuetobecomemoredependentoninformationsystemsandconnecttoaneverwidergroupofpartnersthattheyhavetorelyonand“trust,”theprobabilitythattheywillencounterproblemsincreasesonanalmostdailybasis.Inadditiontothisincreasingrelianceonsystemsthatareincreasinglyinterconnected,itisnowanunfortunaterealitythatthosepeoplewhowouldseektodousharmincreasinglyhavetheknowledgeandcapabilitytodoso.
Foranumberofyears,thegovernmentsofanumberofcountrieshavebeenawarethattherearesomeindustriesandsystemsthatareessentialtothewell-beingandmaintenanceofnormallifewithinacountry.Thesemayincludepowerproduction,telecommunications,watersupply,fooddistribution,bankingandthefinancialsector,andawholerangeofotherindustriesandhave,together,beentaggedthecriticalnationalinfrastructure.ItisunfortunatefortheISSOsoftheseindustriesthatinadditiontoalloftheotherrisksthattheymustdealwith,theynowhavetobeconcernedthattheywillbeatargetofattackbyterroristsandotherswhowishtoaffectnottheirorganization,butthegovernment.Thismakeslifeawholelotmoredifficultinanumberofways.
SomeorganizationsarestartingtobetterappreciatetheimplicationsofthesedevelopmentsandarerecognizingthattheroleoftheISSOisnotonlyincreasinglyimportant,butalsoincreasinglydifficult.Unfortunately,othershavenottakenthesituationonboardforanoftenrepeated,endlesssetofreasonsthathavecausedthemtoignoreitinthepast.Theseincludealackofunderstandingoftheunderlyingproblems,alackofskilltoaddressthem,insufficientresources,the“itwon’thappentome”attitude,alackofeducationandtraining,andalackofdirectionfromgovernment.
The last of these has changed significantly in the recent past, and there is now a will by the governments of most developed countries to improve the security of information systems. This is particularly true of the United States, and huge investment has been made in "Homeland defense," with an apparently genuine drive by government to make information-dependent countries a safe place to live and trade.
One of the major problems that an organization faces in recognizing the need for an ISSO is based on the undeniable truth that in most cases, security is a costly drain on resources, in both financial and staff terms, that delivers no tangible return on the investment. If you are a member of the board of a company and have to make the choice between investing in a new plant that will reduce production costs and improve profitability and investing in information security, which is likely to get your vote? This is often the decision that must be made, especially when the argument for "spend on information security" is based largely on the intangible and the unprovable. How do you prove that you are likely to be attacked or have security problems, when the evidence from past experience is that it has not been a problem before? How does the person presenting the argument for the information security investment convince a group of people who have probably never suffered the consequences of an information security breach that this is good value for money? If the members of the corporate board have been involved in a previous breach of information security, the investment argument will be received in a very different manner and by people who understand the value of it.
What is different about an ISSO from other types of security officers? Well, the short answer is that the ISSO is a hybrid that did not need to exist in the past. Security officers have traditionally gained their experience in the military or in government or public service (police or three-letter agencies) and they can tell you all about protecting tangible "things," whether they are objects or people. They are normally very good at it and the methods, tools, and techniques that they use have all been tested and refined over a long period of time.
Because the security of information systems cannot and must not be treated in isolation, the ISSO needs to have all of this knowledge and then, in addition, needs to be able to understand information systems and computers and the implications of their use. In this area, there is no collective pool of knowledge that has been gained over centuries by a large group of people. Information systems are, in historical terms, very young, and their maturity has taken them through so many evolutions in such a short time that there are very few computer professionals, let alone security specialists, who are able to keep pace with the changes and the diversity that have occurred. So the ISSO needs to have a wealth of knowledge and experience in security and in information technologies and has to be able to develop, implement, and manage policies that will protect the information resources of the organization in a dynamic environment.
A complication now arises. Where people will complain about physical security and will subvert it if it becomes too inconvenient and complain about the delays that the checking of passes and locked doors will cause, when you apply security to the information environment, a whole new set of problems is exposed.
The users of information systems have been exposed to and suffered from years of badly conceived and implemented information security that has caused inconvenience and prevented them from getting on with their job. It is a sad comment that, in the field of information security, the user of the system has often had more knowledge of the information technology than has the "security expert."
The bright side of the situation is that things are improving—the "information security experts" within organizations are gaining experience and the technologies that can help them to provide coherent security for systems are becoming available. The whole issue of threat and risk assessment is gaining credibility as methods are developed that give traceable routes to support the decisions that are made.
In the global context, while things proceed at a very slow pace, there are at least discussions on ways to harmonize the laws in different countries and groups of countries and the exchange of information between those who need it to maintain security.
It is easy for information security officers to become very insular and to look at the problems that they are facing in terms of only their organization—after all, these are busy, overworked people who are struggling just to keep pace with events and developments. This is a huge mistake and can lead only to disaster in the long term. We can no longer, for the most part, "conduct our business in isolation." The organizations that we work in have an ever-increasing need to communicate and to interconnect with other systems and organizations and in doing so, we have to be aware of the problems that such connections expose us to.
Learning from the best practice that has been developed in other organizations provides two benefits: The first is that it allows the knowledge of many to be applied to the problem of one; and the second is that it is one step down the line toward common standards and practices, which engenders confidence in others that the security that is being applied to your systems is of an acceptable standard (they can understand what you have done to make your systems secure and why you have done it!).
When the larger picture is examined, the responsibility that is placed on an information security officer is immense. The ISSO has a responsibility and a duty to the organization that the ISSO works for, but also has responsibility to partner organizations and others that may rely on the product of the organization. An example of this might be a power company, in which the effect of a security breach might be the loss of availability of their systems. Unfortunately, the power supply company is networked to a number of other power suppliers to facilitate the balancing of power production to meet the customer needs. If one is affected, it may prove to be the weak link in the chain and allow the attacker to gain access to other power suppliers. There is also the issue of the customers—what impact will the loss of power supply have on their businesses? In turn, will it have an effect on their customers?
From the ISSO's point of view, life can only get worse. In some countries, laws are being introduced that place a legal obligation on organizations and their employees to take what is referred to as "reasonable" (or in some cases "appropriate") care of information that they have in their possession and also to take "effective measures" to protect the business, sometimes referred to as "due diligence."
How can ISSOs cope with doing the job of developing, implementing, and managing the security of the information while at the same time making sure that they understand the current risks and threats to their organization and the current technologies and techniques and the laws and best practice and standards? Well, no one ever said it would be easy…
Gone forever are the good old days when we could operate with an island mentality and rely on the perimeter security of our organization to provide the first and main line of defense. The security perimeter is now almost meaningless with regard to our information, although it still has some benefits for the protection of physical assets. Now the routes into our organization are as much about the wires and fibers as they are about the roads and sidewalks. We can monitor physical access to our environment with a variety of technologies (CCTV, access control, pass entry systems) and we can also, fairly effectively, monitor what our staff is doing on our information systems (as long as we have the monitoring systems turned on and are watching them). We can put our security barriers up on the information systems (firewalls), but unless we deploy methods and tools to allow us to see what activity is taking place in our environment through systems such as intruder detection systems, we cannot see what is happening in the area around our "virtual office." The nearest equivalent would be having the external doors locked, but not having any windows or cameras to let you see what is happening on the sidewalk outside the door (a potentially dangerous situation for when the door is opened, given that our door on an information system opens onto a sidewalk anywhere in the world).
It is also reasonable to suppose that, after the World Trade Center attacks, there is increased consciousness of the impact that a terrorist attack can have. It is a sad fact that in addition to the lives that were lost as a result of the outrage, a number of organizations that could and should have survived the incident did not, as they could not reinstate their business within the necessary period of time. Who was responsible for their demise? You could argue that it was the terrorists, but the reality is that it was actually their own lack of foresight and resilience and, in some cases, just plain bad luck. If the organizations had all carried out risk assessments for their businesses in the environment in which they were operating, more would have taken steps to ensure that they had taken action on very old advice—have backups and store them in a safe place in another location, have contingency plans and practice them. As the ISSO, part of this is your responsibility—how are you going to ensure that your information is stored securely elsewhere and that you can recover it when you need to?
The life of an ISSO can never be an easy one—you are the voice of doom and authority within an organization that says "No" to users who want to do things that to their mind are quite reasonable. You are the one who acts as their conscience and highlights or investigates their sins, and you are the bearer of bad tidings to the board (you need more investment to keep the systems secure, or you have just had a security incident and are reporting the damage). You are the one who is responsible for the security of the "crown jewels" of the company. So why would you want to take on this role? Well, the answer is that it is one of the most satisfying and rewarding roles that you can imagine. It should never be boring, and there will usually not be the same problems to tax your intellect twice. It also allows you to use and develop skills in an area where you can make a difference and to contribute to a struggle that is becoming increasingly fast-moving and ruthless. It can be a hugely satisfying role, for those who can survive the apprenticeship and can accept the responsibility while maintaining a balanced view of the world.
Steve Lutz

The demand for information security consulting has been steadily increasing since 2005, and for good reason. As everyone got on the technology bandwagon in the 1990s, the pressure increased to find innovative ways to deploy technology and increase productivity. The business community "discovered" the Internet and grand proclamations were made about the obsolescence of "brick and mortar" to be replaced by "e-commerce." While much of this was overhyped, the race was on and "time to market" became one of the anthems of the new economy.
So in the frantic race to beat the competition, technology was deployed with little thought to security. Indeed, people had just enough time to get whatever it was working, let alone secure it in any meaningful fashion. And then pow, some security breach was discovered and it had to be fixed fast. In the rush to put the Web site or whatever together, no one budgeted for security, and there's nobody in-house with the expertise to handle it.
Enter the information security consultant. Since it wasn't budgeted for in the first place, it's an out-of-cycle approval from management, and there you are trying to secure a system that has deep design flaws from a security perspective with an obscenely small budget. You explain that to really do it right, a complete redesign is in order. Yes, we understand, and no, we can't do that. "It's a production system," "Our competition will kill us," "We don't have that kind of budget for security," and so on. With a sigh, you do the best you can to place some security Band-Aids on it and advise them to call you before the next design meeting for version 2.0. Guess what happens when v2.0 is released? Same thing.
This cycle repeated itself for pretty much the entire "dot-com" era, with some exceptions. Some of the more forward-thinking companies hired consultants for security architecture and design work and saved themselves a whole lot of money and headaches. Still, the InfoSec consultants had more work than they could handle. (The same was probably true in the 1920s for radio engineers.) One good thing that came out of the 1990s was raised awareness of the role that information systems security plays in a successful technology deployment. Oh, and there are now hundreds (thousands?) of companies offering security products for every conceivable problem.
Now that the party is over and technology has fallen back to being just another business tool, what will this mean for information systems security consultants? Virtually all companies have cut back on their IT spending and are focusing on using what they've already overbought. Part of the hangover is that companies have had to lay off significant numbers of people across the board, including IT. Lean and mean, baby. Now it's time to take stock of what we did during the frenzy and see if there's anything we missed. Did we buy enough servers? Yes, we've got plenty. Networking? Yup, plenty of that. Web sites? Got 'em. There was something we missed, though… What was it? Something critical… Oh, yeah! That security thing. OK, get somebody on it. Oops, we laid them off. Hmm, can we hire someone? No way, there's a hiring freeze on. Well, we better call a consultant then.
And that's where we're at now. Information systems security consulting is doing quite well in these times and mainly for those reasons. A lot of what we're seeing is going back over everything and locking it down. That's great, but where is it going? I think that this will continue for some time during the economic downturn. At just about the time the retrofitting work is done, the economy will probably heat up again and companies will start buying IT again. When that happens, we InfoSec folks will be there to secure the next generation of information technology. Let's just hope everyone does it right the next time around, rather than rushing into every project just to get it out there fast.
1 Author's thoughts, but feel free to quote me. :)
SECTION I
The Working Environment of the Cyber Security Officer

OUTLINE

Introduction
Chapter 1. Understanding the Past and Present Cyber-Information World Environment
Chapter 2. Understanding the Past and Present Global Business and Management Environment
Chapter 3. An Overview of Related World Views of Cyber Security
Chapter 4. A Glimpse at the History of Technology
Chapter 5. Understanding Today's Threats in the Cyber Vapor—"War Stories" from the Front Lines
Introduction
Section I (Chapters 1–5) provides an introduction, an overview, of the ever-changing world in which today's cyber security officer must work. This section is composed of five chapters, titled as follows:
• Chapter 1: Understanding the Past and Present Cyber-Information World Environment
• Chapter 2: Understanding the Past and Present Global Business and Management Environment
• Chapter 3: An Overview of Related World Views of Cyber Security
• Chapter 4: A Glimpse at the History of Technology
• Chapter 5: Understanding Today's Threats in the Cyber Vapor—"War Stories" from the Front Lines
CHAPTER 1
Understanding the Past and Present Cyber-Information World Environment
Abstract

The objective of this chapter is to provide a general overview of the cyber-information-dominated, information-technology-dependent, and constantly changing global environment in which the cyber security officer must work.
Keywords

Communications technology; Cost-effective cyber security program; Cyber information; Cyber security officers; Cyberspace; Global information infrastructure (GII); Internet-enabled communications; National information infrastructure (NII); Off-ramp
This is a terrible time of unwanted liberties
Sandy Nichol1
CONTENTS
Ah, the Good Ol' Days!
Understanding Your Information-Driven Environment
Global Information Infrastructure
National Information Infrastructure
How Did We Get from Adam to the Internet?
Birth of the Internet
"Future Shock"
Road Map for the Internet
The Internet: No Traffic Controls
What Has Been the Impact of the Internet?
Organizational Impacts
Using the Internet to Share Information
Changing Criminal Justice Systems
The Human Factor
Laws, Regulations, Standards, and Legal Issues
Summary
CHAPTER OBJECTIVE
The objective of this chapter is to provide a general overview of the cyber-information-dominated, information-technology-dependent, and constantly changing global environment in which the cyber security officer must work.
Ah, the Good Ol' Days!

Yes, much has happened and yet, little has changed.
What has not changed are the threats, vulnerabilities, and risks to information and information systems. What has changed is the level of sophistication of the threats—the attacks and the threat agents—as well as the exponentially growing number of them all over the world and from various sources.
Information2:

1. Facts provided or learned about something or someone.

2. What is conveyed or represented by a particular arrangement or sequence of things.

2.1. Computing: Data as processed, stored, or transmitted by a computer.

2 Oxford Dictionary.
We have gone from an environment of young hackers with a 300-baud external modem, writing hacker programs in BASIC, looking for dial-up tones, to a world of extremely sophisticated attackers, from government agents to organized crime groups to terrorists. Yes, the teenage hacker and "computer enthusiast" is still out there among the threat agents a cyber security officer must face; however, compared to the others out there now, one only wishes for some of the good ol' days when such hackers were the greatest threat to information and systems.
Even so, it is important to understand the environment in which today's cyber security officer must do battle—and yes, it is a battle, and yes, we are at war and should be on a war footing. However, we are not, and thus, we are losing to those threat agents who are attacking our systems and destroying our information, or stealing our information, 24/7.
We live in a world of information, known these days as cyber information, computer information, the information environment, or the like. More than ever, the world wants to talk to the world about anything and everything. In fact, the world now demands it at an unprecedented scale and is doing it at a level never seen before. Thus, vulnerability types and numbers have also continued to increase.
Furthermore, the users that the cyber security professional must support and defend do not want to be tied down to any physical location. Today's users, which means pretty much all of the technology-driven world and, increasingly, people in the Third World who may not have running water but do have a cell phone and, increasingly, Internet and other network connections, want—demand—it all, with mobile capabilities!
Information is pulled, pushed, and dragged around the world through wireless, cable, optical fiber, satellite, and other assorted physical and, increasingly, mobile devices—and all of us along with it. We are dependent on information as individuals, companies, and government agencies. In fact, has that not always been the case? It's just that now, it is in a cyber form more than ever.
In days gone by, information was communicated by word of mouth, by drums, by smoke signals, in writing carried by couriers on horseback, by telegraph, by telephone, and now through the use of high technology.
The difference today is that in the "modern" countries of the world, we are more dependent on information and the high technology that allows us to communicate and do business, globally, at the speed of light. Today, more than ever, information—accurate information, and more of it, delivered faster—allows one an advantage. More than ever, this applies not only to companies—especially the increasing number of them going or trying to go global to take advantage of opportunities for new customers—and to governments of nations, but also to groups and individuals. We have all been sucked into the quicksand of technology dependency.
Fast, accurate, and complete information that is secured and protects privacy—yeah, good luck with that one—is what is demanded; however, it is seldom realized these days as our identity, networks, and information are hacked, sold, and misused. The old saying "information is power" is probably more true today than ever before.
Information of greatest value must be:

Accurate, acted upon correctly, and acted upon before it is used by the adversary, e.g., a competitor, another government, etc.
Remember that if the information you need is on an information system that has been the victim of, for example, a successful denial-of-service attack, that information cannot reach you or others at the right time for you or them to use it to your advantage; the consequences may be serious in terms of lives, money, or other losses.
Understanding Your Information-Driven Environment

As a cyber security officer, it is very easy to get caught up in high technology and view that as "your world." After all, in today's high-technology-driven and high-technology-dependent world, and one can also say cyber world, it is very easy to look at information and high technology as your working environment, as what causes your problems, and as where the solutions to your problems lie. However, the truth is that high technology is just a tool like any other tool. And as with any tool, it can be used as intended, abused, or used for illegal purposes—by people.
It seems that we are so focused on the information and technology for answers to cyber security and mitigating risks that we forget our first priority should be the people who are using and abusing these systems and information. It is especially necessary to focus not only on the outside threat agents but also on those people who have authorized access to those systems and information.
The information world environment in which today's cyber security officer must work is much more than just high technology. You, as a cyber security officer, must understand this world, and also us humans, because all of the following have a direct bearing on the protection of information and information systems, that is, on cyber security:
• Global and national marketplaces;
• Global and nation-states' economies;
• International politics;
• World cultures and societies;
• International and national laws and treaties;
• Major languages of the world;
• Major religions;
• Business;
• Human relations and psychology; and
• Governments of nation-states.
To be successful, the cyber security officer should have a varied background not only in such things as computer sciences but also in psychology, criminology, social science, geopolitical matters, international business, world history, economics, accounting, and finance. Also, the more foreign languages the cyber security officer knows, the better. Volumes have been written about each of these topics. It would behoove the cyber security officer to have a working understanding of each of them, as they all affect the cyber security officer's ability to establish and manage a successful cyber security program. There are few professions today that offer the challenges that face the cyber security officer, whether that person is in a government agency or business—no matter what country or business that person works for.
Cyber security officers must understand the world in which they will work in order to be successful. In the past, this understanding was generally limited to the company or government agency in which that person worked, and to its computer systems, which were isolated within the company or government agency or even just in one's home. Cyber security officers were once generally concerned only with the events that took place within their respective working environment or living environment, or even just within their country, as what happened outside of that limited world usually did not affect their work or life. However, that was in the past.
If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.
Sun Tzu
The environment of the cyber security officer that may affect the protection of information and information systems is now global in scope, and high technology and global networking are changing more rapidly with each passing year. This new global environment and its associated high technology must be clearly understood, because together they form a driving force that dictates what must be done to protect the information systems and the information that they store, process, display, and transmit. It will also determine how successful the cyber security officer's information systems security program, now generally referred to as a cyber security program, will be in providing protection at the lowest cost to the business or government agency.
Today's computer system environments—networks that span the globe—are all based on the microprocessor. Microprocessors have become cheaper and more powerful at the same time. This is the primary cause for their proliferation throughout the world. Some say that today's cell phone has more computer power than the computer systems in the vehicle that landed on the moon.
When we think of computers, we sometimes look at them as very complicated devices, when in fact it is not that difficult to understand at least the basics. Computers are composed of hardware, the physical pieces; software, the instructions to the computer, which can be altered; and firmware, instructions embedded in the hardware itself. The process includes input, processing, output, transmission, and storage. Your cyber security program can be broken down into these elements, each examined and defended as a separate entity and then in a holistic manner.
There is a rumor going around that at least one nation-state involved in computer building and sales has embedded into the firmware code that allows that nation-state to gain access to the sold computer, bypassing security software, when it wants.
It was also rumored that, in the past, there were covertly installed electrical outlets that allowed the manipulation of the electrical current to turn a desktop computer on, download information, and turn the system back off. Some say that was valid only some years ago and that today's modern systems have eliminated that risk.
Of course, the more a cyber security officer knows about how hardware, firmware, and software work, the better position that person will be in to protect those systems and the information they process, store, display, and/or transmit.
In many of today's information-based nation-states, we have been able to network thousands of systems because of the rapid advances in high technology and cheap hardware. We have built the information systems of the nation-states' businesses and government agencies into major information infrastructures some call national information infrastructures. A stand-alone computer system (one with no external connections between it and other computers) today is relegated to a small minority of businesses and government agencies. We cannot function in today's business world and in our government agencies without being connected to other information systems—both national and international.
The protection of information systems and the information that they process, store, display, and/or transmit is obviously of vital concern in this information world. Many nation-states are already in the Information Age, progressing into what some call the "Knowledge Age," with many other nation-states now entering the Information Age and yet many more close behind. This will obviously complicate the problems of the cyber security officer, as in this case the phrase "the more the merrier" describes something a cyber security officer does not want to deal with: more threats and more vulnerabilities, introduced simply by connecting to their systems.
The cyber security officer must remember that the cyber security program must be service and support oriented. This is of vital importance.
The cyber security officer must understand that the cyber security program, once it becomes too costly, outdated, or unable to meet the service and support needs of the business or government agency, will be discarded or ignored. So one of the cyber security officer's challenges is to facilitate the networking of systems nationally and internationally while protecting company information and systems and mitigating the risks in a cost-effective manner.
To provide a cost-effective cyber security program, the cyber security officer must continually keep up with high technology. That person must be familiar with technological changes in general and intimately familiar with the technology being planned for installation within his or her business or government agency.
The cyber security officer must understand how to apply information protection (cyber security) and integrate it around, and onto, the new high technology. Failure to do so would leave the information and his or her systems vulnerable to attack. In that case, the cyber security officer would have a serious problem—possibly a job security problem—if a successful attack occurred owing to the new-found vulnerability brought on by the newly implemented technology.
Management in businesses and government agencies will hold the cyber security officer responsible for any successful attacks, whether or not it was management or the technical staff that was clearly responsible for the vulnerability that allowed the successful attack. Such is the nature of the position.
The cyber security officer could delay installation of the new high technology until a suitable information protection "umbrella" could be installed. However, in most businesses, this would be considered a career-limiting or career-ending move. In today's business world, the phrase "time is money" is truer than ever. In today's and tomorrow's highly technology-based environment, innovation and flexibility are key words for the cyber security officer to understand and apply to the company's or government agency's information protection program.
Thus, the cyber security officer has very little choice but to support the installation of the new high technology and incorporate information protection as effectively and efficiently as possible. And one of the ways to successfully provide that service and support is to keep up with technological changes.
Global Information Infrastructure

The importance of information protection continues to grow, as we become more and more dependent on high-technology systems. The networking of systems around the world is continuing to expand the global information infrastructure (GII). Today, because of the microprocessor and its availability, power, and low cost, the world is "building" the GII. The GII is the massive international interconnection of the world's computers that carries business and personal communications as well as those of the social and government sectors of nation-states. Some say it could connect entire cultures, erase international borders, support "cyber economies," establish new markets, and change our entire concept of international relations.
The GII is built on the Internet and has grown largely with it. The GII is not a formal project; rather, it is the result of the need of thousands of individuals, corporations, and governments to communicate and conduct business by the most efficient and effective means possible.
The importance of information protection takes on added meaning because of the increased threats to the systems and the information they store, process, display, and transmit owing to this expanded connectivity provided by the GII. After all, it will come as no surprise that there are people and nation-states in the world that consider your company and your country an adversary—the enemy. That being the case, they will do whatever they can to meet their own objectives—generally at the expense of your company or nation-state.
National Information Infrastructure

The national information infrastructure (NII) is basically the network of computers upon which the nation-state and its people rely in this information–knowledge age. The NII is the high-technology, critical information infrastructure of a nation-state. The critical infrastructures, according to several nation-states, are generally defined as systems whose incapacity or destruction would have a debilitating impact on the defense or economic security of the nation-state. They include:
• Telecommunications,
• Electrical power systems,
• Gas and oil,
• Banking and finance,
• Transportation,
• Water supply systems,
• Government services, and
• Emergency services.
Many have been sounding the alarm for some time now about the vulnerability to, and the catastrophic results of, some adversary such as terrorists hacking into such systems and setting off a nuclear meltdown, opening the floodgates of dams, and other catastrophes.
How Did We Get from Adam to the Internet?3
The use of the Tofflers' model of technological evolution provides a useful framework for discussing changes arising from the impact of technology, generally, and the Internet specifically. For those of you who have never heard of Alvin and Heidi Toffler, read their books. Yes, they were written maybe before you were born, but the Tofflers are excellent futurists who looked into the future, which is now ours, and their books point to where we have been and what may be coming.
The model begins by describing the Agricultural Age, which lasted from about the time of Adam until about 1745 in the United States. Manual labor and a focus on accumulating a minimum food surplus to allow for governance characterized this long period. During this time, technological progress was very limited, slow, and laborious. The major lack of understanding of even the most basic concepts of science impeded progress.4
Warfare, although common, was generally short in duration and was often decided by major battles or campaigns lasting less than a year, with some exceptions, such as the Hundred Years' War and the Crusades. Although large armies were possible (at one point the Roman Empire fielded more than 700,000 soldiers), there were limited and relatively ineffective methods for communicating and controlling more than a small percentage of these forces. Runners and horse-borne message couriers supplemented by flags and other visual media were the major methods of remote communication.
The "Industrial Age," in the United States, lasted a much shorter time, only from approximately 1745 until about 1955. The defining event of the Industrial Age was the introduction of the steam engine, which allowed mechanical equipment to replace muscle-powered efforts of both humans and animals. These devices introduced a new and much accelerated pace of technical innovation. During this 200-year period, there was a dramatic expansion of human knowledge and understanding of the basic principles of physical science. Enhanced agriculture allowed nations to accumulate huge food surpluses. Upon the foundation of the food surplus, the nation-states increased their power, which was driven by mass production. Mass production of weapons and the mass slaughter of both combatants and noncombatants characterized the conflicts of this period.5
Communications technology evolved from primitive signaling involving lanterns and reflected lights (heliograph) to supplement the continued use of human couriers, whether riding horses, trains, or waterborne craft. The inventions of the telegraph in the early 1800s, followed in the 1870s by the telephone and then by wireless radio around the turn of the twentieth century, were essential evolutionary steps toward today's telecommunications infrastructure.
The "Information Age" in the United States, according to the Tofflers, began about 1955, which is the first year that the number of white-collar employees exceeded the number in blue-collar production jobs. This has been the era with the most explosive growth in human knowledge. More has been discovered in the past 50 years in both science and engineering than in the thousands of years of recorded human history. In the Information Age, knowledge is growing exponentially.
The pace of evolution in communications and other technologies accelerated during the early years of the Information Age with the advent of satellites, fiber-optic connections, and other high-speed and high-bandwidth telecommunications technologies.
It is in the context of this phenomenal growth of technology and human knowledge that the Internet arises as one of the mechanisms to facilitate sharing of information and as a medium that encourages global communications.
Inthepast,theU.S.GeneralAccountingOffice,inareporttoCongress,detailedtherapiddevelopmentofthetelecommunicationsinfrastructureintheUnitedStates,resultinginthecreationofthreeseparateandfrequentlyincompatiblecommunicationsnetworks:6
•Wire-basedvoiceanddatatelephonenetworks,
•Cable-basedvideonetworks,and
•Wirelessvoice,data,andvideonetworks.
Fromthatpastuntilnow,lookhowfarwehavecome,andimagine,asacybersecurityofficer,whatisyettocome.Itbehoovesallcybersecurityofficerstoalwaysprojectintothefutureandplannowtoaddressthefutureenvironmentinwhichthecybersecurityofficerwillworkandwagewaragainalladversariestotheirnetworks(hardware,software,information,data,users,andotherentities)forwhichtheyareresponsible.
Birth of the Internet[7]
It is vital to understand the history and ever-changing environment if the cyber security officer is to succeed in fulfilling all duties and responsibilities through a cyber security program that defends his or her networks against "all enemies, foreign and domestic."
The global collection of networks that evolved in the late twentieth century, and continue to evolve in the twenty-first century, to become the Internet represents what could be described as a "global nervous system," transmitting from anywhere to anywhere facts, opinions, and opportunity. However, when most security and law enforcement professionals think of the Internet, it seems to be something either vaguely sinister or of such complexity that it is difficult to understand. Popular culture, as manifested by Hollywood and network television programs, does little to dispel this impression of danger and out-of-control complexity.
The Internet arose out of projects sponsored by the Advanced Research Project Agency in the United States in the 1960s. It is perhaps one of the most exciting legacy developments of that era. Originally an effort to facilitate sharing of expensive computer resources and enhance military communications, over the 10 years from about 1988 until 1998 it rapidly evolved from its scientific and military roots into one of the premier commercial communications media. The Internet, which is described as a global meta-network, or network of networks, provides the foundation upon which the global information superhighway will be built.[8]
It was not until the early 1990s, however, that Internet communication technologies became easily accessible to the average person. Prior to that time, Internet access required mastery of many arcane and difficult-to-remember programming language codes. However, the combination of declining microcomputer prices, enhanced microcomputer performance, and the advent of easy-to-use browser software created the foundation for mass Internet activity. When these variables aligned with the developing global telecommunications infrastructure, they allowed a rare convergence of capability.[9]
It has now become a simple matter for average people, even those who had trouble programming their VCRs, to obtain access to the global Internet and with that access search the huge volume of information it contains. The most commonly accessed application on the Internet is the World Wide Web (Web). Originally developed in Switzerland, the Web was envisioned by its inventor as a way to help share information. The ability to find information concerning virtually any topic via search engines from among the rapidly growing array of Web servers is an amazing example of how the Internet increases the information available to nearly everyone. One gains some sense of how fast and pervasive the Internet has become as more TV, radio, and print advertisements direct prospective customers to visit their business or government agency Web sites.
An important fact to understand, and which is of supreme importance for security and law enforcement professionals, is that the Web is truly global in scope. Physical borders as well as geographical distance are almost meaningless in "cyberspace"; the distant target is as easily attacked as a local one. This is an important concept for security and law enforcement professionals to understand because it will affect their ability to successfully do their jobs. The annihilation of time and space makes the Internet an almost perfect environment for Internet robbers. When finding a desired server located on the other side of the planet is as easy and convenient as calling directory assistance to find a local telephone number, Internet robbers have the potential to act in ways that we can only begin to imagine. The potential bonanza awaiting the Internet robber, who is undeterred by distance, borders, time, or season, is a chilling prospect for those who are responsible for safeguarding the assets of a business or government agency. As the ISSO, you have responsibility for deterring these miscreants, as well as helping security and law enforcement personnel investigate them.
"Future Shock"
With appreciation for the Tofflers' book Future Shock, the reaction of people and organizations to the dizzying pace of Internet progress has been mixed. Although some technologically sophisticated individuals and organizations have been very quick to exploit the potential of this new technology, many have been slower, adopting more of a wait-and-see posture. The rapid pace of evolution of the Internet does raise some questions as to how much a society can absorb and how much can actually be used to benefit organizations in such a compressed time frame. Sometimes lost in the technological hype concerning the physical speed of Internet-enabled communications or the new technologies that are making it easier to display commercial content is the reality of the Internet's greatest impact: It provides unprecedented access to information. The access is unprecedented in terms of the total volume of information that is moving online and may be tapped for decision-making.
It also is unprecedented when we consider the increasing percentage of the world's population that enjoys this access. More and more information moves online and becomes available to more and more people, causing fundamental changes in how we communicate, do business, and think of the world we live in. Consequently, there are also fundamental changes in how criminals and miscreants commit crimes.
Throughout much of human history, the educated elites of every culture have jealously guarded their knowledge. Access to knowledge, whether in written or spoken form, was often the source of the elite's privileged position and often allowed them to dominate or control the great uninformed masses of uneducated humanity—information was and still is a means to power. "Outsiders" were never granted access to the store of wisdom unless they were inducted into the privileged elite. Now, however, the average Internet traveler, wherever resident, with little more than a fast modem and a mediocre microcomputer, can access, analyze, and/or distribute information around the world on almost any topic.
Some pundits decades ago had concluded that we now live in an era in which there are "no more secrets." By some estimates, early in this century there will be more information published and available online than has ever been accessible in all the libraries on earth. How this torrent of information will be managed to ensure that Internet robbers do not wreak havoc and dominate the Internet, or have power over others, is now (or should be) the primary objective of every security and law enforcement professional whose business or government agency travels the Internet.
So, what do you think of our current environment? Are we winning or losing the cyber security battles and wars?
Road Map for the Internet
The Internet can be compared in some ways to a road map for a superhighway. Some basic examples will help explain it in common terms.
When multiple computers (whether microcomputers or larger) are linked together by various communications protocols to allow digital information to be transmitted and shared among the connected systems, they become a network. The combination of tens of thousands of organizational networks interconnected with high-capacity "backbone" data communications and the public telephone networks now constitutes the global Internet. However, there is a major difference in this environment that is important to consider for security and law enforcement professionals.
When the isolated byways of individual business or government agency networks become connected to the global Internet, they become an "off-ramp" accessible to other Internet travelers. The number and diversity of locations that provide Internet "on-ramps" are vast and growing. Today, one can access the Internet from public libraries, cybercafés in many cities around the world, even kiosks in some airports. These and other locations provide Internet on-ramps to anyone who has a legitimate account—or an Internet robber can hijack one from an authorized user.
Typically a business or government agency will use centrally controlled computers, called servers, to store the information and the sophisticated software applications used to manage and control its information flow. These systems could be equated to a superhighway interchange.
Commonly business and government agency networks are considered private property and the information they contain as proprietary for the exclusive use of the organization. These business and government agency networks are connected to large networks operated by Internet service providers who provide the equivalent of toll roads and turnpikes—the highways for the flow of information.
The Internet: No Traffic Controls
The Internet challenges the security and law enforcement professional with an array of new and old responsibilities in a new environment. From the perspective of managing risks, this new access to information creates new kinds of dangers to businesses and government agencies. It also allows well-understood security issues to recur in new or unique ways. No longer can organizations assume they will obtain any security through obscurity, no matter where they are physically located. In other words, because there is an Internet off-ramp, they will be visible to Internet robbers. Everything from a nation's most critical defense secrets to business information is vulnerable to easy destruction, modification, and compromise by unauthorized Internet travelers.
Too often careless managers fail to take adequate measures to safeguard sensitive information, which results in premature disclosure with attendant adverse impact. The major part of the controllable risk arises from inadvertent disclosure to the ever-vigilant eyes of Internet robbers and others, such as competitive intelligence analysts with Internet access.
When the Internet was limited to scientists, academic researchers, and government employees, such a collaborative framework was probably a very cost-effective means of controlling the virtual world. However, in the early 1990s, for the first time there were more commercial sites than educational and governmental sites using the Internet. Since that time matters have become increasingly complex. The informal array of social sanctions and technical forums for cooperation is no longer capable of ensuring a modicum of civilized behavior.
What Has Been the Impact of the Internet?
It is apparent that the Internet has rapidly become a significant element in modern society, figuring in advertising, films, and television, even facilitating the rapid dissemination of investigative reports involving a U.S. president. The Internet has provided many additional information services, and they are all becoming easier to access. The two primary new avenues for increased volume of information access are the Web browser and net-enabled e-mail. This increased access to information has been principally an advantage for law-abiding citizens and legitimate businesses, but it also offers both hardened and prospective Internet robbers new, high-speed venues for perpetrating their crimes and schemes.
Almost everyone working in America has been exposed to some form of computer technology. From the front-line retail clerk at the local fast-food franchise, to the Wall Street analyst, to the farmer planning his crop rotations, individual work performance has been substantially enabled by the widespread proliferation of microcomputer technologies. But the macro impacts on organizations are in some ways less remarkable than they have been for individuals. Go to any good computer store, or better yet, if you have Internet access, browse the Web sites of major microcomputer manufacturers. You will discover a wide range of systems with memory, speed, and storage capabilities that would have been descriptive of large, mainframe-type computers in the early 1980s. For example, a large regional bank in southern California in the late 1980s operated its electronic wire/funds transfer machine with only 48 MB of RAM and 120 MB of disk storage, and the system transferred billions of dollars nightly for the bank. Now a much greater performance is available to anyone with a few hundred dollars in a cell phone.
In business, it has become in some ways a David versus Goliath world, in which the advantages do not always accrue to the organization that can field the bigger battalions. Advanced information technology was once the province exclusively of governments, the military, universities, and large corporate entities. This is no longer true. Now anyone with a modest investment in hardware and software can acquire a powerful processor and attach it to the Internet. It should be obvious that criminals and those with criminal intentions also have access to powerful information technology. The question remains: How will they use it?
As we consider the potential for criminal actions directed against organizations, it is critically important to consider these factors. The same information technology we use to manage our organizations can and will be used by savvy Internet robbers to the detriment of governments, businesses, and others.
When powerful microcomputers are networked, the communication capabilities inherent in these arrangements multiply their value. A single microcomputer standing alone is little more than a sophisticated typewriter or calculating machine. The real power comes when individual machines link together to create networks that will allow the flow of information from one person to the entire world. As a case in point, consider the story of Russia's transition from communism. When the military coup against Gorbachev occurred in the early 1990s, the military plotters seized control of all the classic means of communication: newspapers, telephones, and radio and TV stations. However, the anti-coup forces quickly drove their message on the Internet to get word to the outside world of the situation, and timely communications played a significant part in defeating an attempt by the most powerful military and police apparatus on earth to regain power over the Russian people.
The capabilities brought to the individual by the Internet are considerable and growing almost daily. One example is the ability to sign up for investment services from low-cost brokerages and stock market advisors and enjoy the kind of timely advice that for generations has been the perquisite of the rich and powerful classes. Grass-roots political organizing and civic action are also enabled. For example, in California, a concerned parent scanned into a database and posted on a Web page the details of the state's list of sexual predators/pedophiles, thus allowing average people to determine whether there was a registered sex offender residing in their neighborhood.
From shopping for homes and automobiles, where online services promise to eliminate the brokers' monopoly of information, to traffic, weather forecasts, and directions prior to trips, the Internet is providing more information to more people every day, and we are only at the beginning of that process! The major trend here is clear: There will be more information accessible to more people than has ever been possible in the past. How this information power will be used ultimately depends on the ethics and motives of the individual: Internet robbers can use such power negatively.
Organizational Impacts
The major benefits to organizations of the Internet and related technologies are significant and far ranging. In large part, the impacts may be characterized as dramatically lower costs for transmitting and sharing information. To appreciate how far we have come, before electronic mail became ubiquitous, it took as long as a week for first-class postal mail, derisively called "snail mail" by Internet aficionados, to travel from one coast of the United States to the other. Even the fax machine, which itself was a significant improvement over postal and overnight courier services, requires dedicated fax equipment and operates only from point to point. Contrast these with the capabilities of Internet e-mail. E-mail, which may transit the globe in seconds, allows the recipients to obtain the message when it is convenient; they need not be present to receive it. Through the use of digital attachments, e-mail can carry more information in a convenient compression of transmission times.
Whereas the innocent e-mail user sees only increased speed and volume of communication, security and law enforcement professionals must understand how damaging even one message could be to a business or government agency. A single e-mail message could contain the whole strategic business plan of the organization or the source code to a breakthrough product and could be transmitted anywhere on earth in a nanosecond.
To show that this threat is much more than theoretical, consider the allegations involving two leading Silicon Valley software companies, A and B. Company A accused rival Company B of theft of trade secrets and proprietary source code. Company A's management alleged as one element in their complaint that a former Company A employee used his company-provided Internet access to transfer source code of key products to his own, personal account. The employee then tendered his resignation. Upon arrival at his home-based office, the now-former Company A employee allegedly downloaded the stolen source code to his home computer system. Employed as a programmer consultant by rival startup Company B, he reportedly used the purloined source code as the foundation for a remarkably similar product created at Company B.[10]
Another example is a former employee of Company X who was accused of transmitting the source code for a new digital device to rival Company Y. This scheme apparently was discovered only by accident when the highly confidential materials created such a long message that it caused the e-mail system to crash and allowed a system administrator to discover the purported scheme.
These two incidents are drawn from press reports in the media, and it is likely that they are only the very tip of the iceberg. In fact, many organizations do not have the security systems and technologies to detect similar incidents. Because of the adverse publicity and the prospect of a lengthy criminal justice process, even those businesses and government agencies that have been victimized by Internet robbers frequently do not report similar incidents to the proper authorities.
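The Company X scheme above was noticed only because the message was large enough to crash the mail system, and the text notes that many organizations have nothing that would catch a quieter version of the same transfer. A deliberate check over the mail gateway's own logs is cheap. The following is an added example, not code from the book or from any product it mentions: it parses constructed mail-gateway log lines and raises an alert for outbound messages that are oversized, that carry attachments to a personal-mailbox domain, or, in aggregate, push one sender's outbound volume past a daily limit (the case the single-message rules miss). The log format, the domain names, and the size thresholds are all assumptions for illustration.

```python
"""Flag outbound e-mail that may be carrying bulk proprietary data.

Added example, not from the book. The log format, domains and thresholds
below are constructed for illustration; adapt LOG_RE to your gateway's logs.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

INTERNAL_DOMAINS = {"example-corp.com"}  # assumption: the organization's own mail domains
PERSONAL_MAIL_DOMAINS = {"webmail.example", "freemail.example"}  # constructed "personal account" providers
SINGLE_MSG_LIMIT = 5 * 1024 * 1024     # 5 MB: one oversized outbound message
SENDER_DAILY_LIMIT = 20 * 1024 * 1024  # 20 MB: many smaller messages from one sender in the log window

# Constructed line shape: "<timestamp> from=<addr> to=<addr> size=<bytes> attachments=<n>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) from=(?P<from>\S+) to=(?P<to>\S+) size=(?P<size>\d+) attachments=(?P<att>\d+)$"
)


@dataclass
class Alert:
    sender: str
    reason: str
    detail: str


def domain_of(addr: str) -> str:
    """Return the lower-cased domain part of an e-mail address."""
    return addr.rsplit("@", 1)[-1].lower()


def parse_line(line: str):
    """Parse one gateway log line; return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": m["ts"],
        "from": m["from"].lower(),
        "to": m["to"].lower(),
        "size": int(m["size"]),
        "att": int(m["att"]),
    }


def is_outbound(rec: dict) -> bool:
    """Internal sender, external recipient. Internal-to-internal mail is out of scope here."""
    return domain_of(rec["from"]) in INTERNAL_DOMAINS and domain_of(rec["to"]) not in INTERNAL_DOMAINS


def analyze(lines) -> list:
    """Apply per-message rules, then a per-sender volume rule over the whole log window."""
    alerts = []
    outbound_bytes = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_outbound(rec):
            continue
        outbound_bytes[rec["from"]] += rec["size"]
        if rec["size"] > SINGLE_MSG_LIMIT:
            alerts.append(Alert(rec["from"], "oversized-outbound",
                                f"{rec['size']} bytes to {rec['to']} at {rec['ts']}"))
        if domain_of(rec["to"]) in PERSONAL_MAIL_DOMAINS and rec["att"] > 0:
            alerts.append(Alert(rec["from"], "attachment-to-personal-mailbox",
                                f"{rec['att']} attachment(s) to {rec['to']} at {rec['ts']}"))
    # Aggregate rule: several modest messages can add up to the same loss as one big one.
    for sender, total in outbound_bytes.items():
        if total > SENDER_DAILY_LIMIT:
            alerts.append(Alert(sender, "bulk-outbound-volume",
                                f"{total} bytes outbound in log window"))
    return alerts


# Constructed sample log: one benign partner message, one large internal transfer (ignored),
# one oversized message with an attachment to a personal mailbox, one malformed line,
# and eight 3 MB messages from a single sender that only the aggregate rule catches.
SAMPLE_LOG = [
    "2024-03-01T08:12:44Z from=alice@example-corp.com to=bob@partner.example size=24576 attachments=1",
    "2024-03-01T08:15:02Z from=bob@example-corp.com to=carol@example-corp.com size=90000000 attachments=3",
    "2024-03-01T17:58:10Z from=dave@example-corp.com to=dave.home@webmail.example size=7340032 attachments=1",
    "this line is not in the expected format and is skipped",
] + [
    f"2024-03-01T18:{m:02d}:00Z from=erin@example-corp.com to=archive@freemail.example size=3145728 attachments=0"
    for m in range(0, 40, 5)
]

if __name__ == "__main__":
    for a in analyze(SAMPLE_LOG):
        print(f"{a.reason:32} {a.sender:24} {a.detail}")
```

Run against the constructed log, it reports three alerts: two for the single oversized message to a personal mailbox and one for the sender whose eight unremarkable messages total more than the daily limit. Thresholds and the personal-domain list are the tuning knobs; in practice they are set from a baseline of the organization's normal outbound traffic rather than guessed.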
Using the Internet to Share Information
One of the truly remarkable developments in information technology has been the widespread use of the Web browser and related technology to deliver information both to internal employees and to the external customers of an organization. If e-mail could be described as a virtual duplication of the postal services into the global Internet environment, then Web servers can be thought of as kiosks or bulletin boards. On these "virtual bulletin boards," an organization can make accessible to target populations the information they need to make decisions and perform administrative, operational, or other functions. For example, one very common intranet (internal company Internet) application is to provide a central "forms page" on which employees find the most current version of a form to be downloaded and printed for everything from payroll deductions to medical reimbursements. Another use is to front-end a database in which is stored information that must be accessible to a widely dispersed population of users or broad cross section of Internet travelers.
Currently the most common and growing destination for the Internet traveler is the business or government agency Web site. For the Internet traveler, Web sites are a combination of superhighway billboards, banks, shopping malls, rest stops, and even fast-food delivery services. All of these services as well as hundreds of others can be found located at the on- and off-ramps to the Internet.
These Web sites are used by businesses for advertising, public relations, and marketing, as well as to sell or deliver products or services to Internet travelers.
Web sites may contain and dispense government information concerning everything from how to prepare and submit forms, to descriptions of the most wanted criminal fugitives, to recruiting advertisements for future employees. Even the most secretive U.S. government agencies such as the Central Intelligence Agency, the National Security Agency, and others have established Web sites that provide useful information to Internet travelers.
Business and government agency Web sites are often the targets of miscreants, juvenile delinquents, and other Internet robbers. Successful attacks against these Web sites can be disruptive and destructive of the reputation of the sponsoring organization. Therefore the protection of the Web site should be an important part of the business or government agency plan for using this technology.
Changing Criminal Justice Systems
Thus far, it appears that information protection will increase in importance. If so, the world's criminal justice systems and processes undoubtedly will also be affected. The question is, will they change for the better or for the worse? If the United States is any indication, they will worsen. Why, in such a technologically advanced country? Ironically, technology brings with it rapid social change as well.
One may wonder, what is the impact of the criminal justice system on the cyber security officer and cybersecurity. The answer is simple: The people who steal business or national secrets; damage, destroy, or modify information and systems; and commit other criminal acts are the main reasons the cyber security officer and information protection program exist. After all, if no one violated laws or company policies, and everyone protected information and systems, why would businesses or government agencies need a cyber security officer or an information protection program?
At some point in your career, you will become involved in a high-technology crime investigation and thus will become actively involved in the criminal justice system. You must understand how that system operates, or you will not only be at a disadvantage, but probably disappointed as well!
In the global marketplace that your company undoubtedly works in and is affected by, you as the cyber security officer must understand the international and foreign nation-state laws that have an impact on your business, especially those related to privacy and security. For example, your company may operate in a foreign country. If so, that country's government may not allow the encryption of transmissions through their country. If this is the case, do you violate that law, understanding its entire ramifications, to protect company secrets, or do you not encrypt and understand the risks of others reading the "company mail"?
As society embraces the Third Wave, as described by the Tofflers, it does not wait for the two prior waves' processes to catch up. Thus, one can see the continuing trend of a disintegrating U.S. criminal justice system in which crime increases faster than the criminal justice system can deal with it. More discretionary arrests, plea-bargaining prosecutions, overburdened court systems, and the release of convicted criminals from jails and prisons are indications of this change to a Third Wave society. We seem to be trying to use Second Wave criminal justice system processes and functions to handle Third Wave problems, and it does not seem to be working.
One of the disadvantages of being a leading technology-based country such as the United States is that one does not have the opportunity to learn from the mistakes of others who are more advanced. This is an extremely important point, especially when discussing the criminal justice system, because the criminal justice system is the primary system responsible for the prevention of crime and the promotion of social stability of a nation.
If a nation is to be strong economically to compete in the world, it must have stability in which businesses can operate and people can have a secure and peaceful life. Lack of security and peace leads to increases in crime. It follows that high-technology crimes would be likely to increase. In addition, without a good criminal justice system, frauds and other crimes not only will be more frequent, but also will sap the economic strength from the people, businesses, and the country.
We know that technology is increasing at a rapid rate. Computer-based technology has become a necessary and integral part of businesses, government agencies, and our personal lives. No longer can we efficiently function without the use of today's modern, computer-based technology.
As with any tool, computers, including telecommunication systems, can be a target or used as a tool by criminals, also known as techno-criminals. The threats to society, businesses, and government agencies by techno-criminals are increasing as our technology and our dependence on technology increase.
The techno-criminals, vis-à-vis the world's criminal justice systems, are also faced with a system that provides them some measure of immunity to techno-crimes. For example, the attacks against U.S. computer systems are becoming more internationally oriented. Today's techno-criminal can attack any place in the world from any place in the world.
What is worse, because of our complicated communication systems, it is difficult to trace the attacks back to the attackers. Also, many countries' laws do not even address the issue of techno-crimes, making it almost impossible to prosecute anyone attacking a U.S. computer from outside the United States. And because of the political ramifications alone, extradition of these attackers to the United States, or any other country, for prosecution is a complicated and generally impossible task! After all, what nation-state wants to give up sovereignty over its citizens?
For the cyber security officer, it is imperative to understand the criminal justice systems of the United States and other countries in which the company or government agency does business. The problems with the criminal justice systems, conflicts, and changes, will continue to be an underlying force whose impact on information protection functions will extend into the twenty-first century.
The fact that white-collar crimes, frauds, are being perpetrated more and more through the use of computers and telecommunications systems seems to be an obvious result of the rapid changes in societies and our reliance on information systems. This is understandable, as alluded to earlier, because what once was done by paper and pencil has now been automated, for example, accounting systems. Therefore, although today's criminals have the same motive as in the past, they must now operate in a new environment, a technological environment. If criminals want to steal money, they must use and attack information systems. To paraphrase an old-time bank robber: "Because that's where the money is!"
Since it appears that more crimes are being committed by using the computer as a tool to attack other computers, and that trend is likely to continue, the cyber security officer's responsibilities include an information protection program, which will assist in minimizing the opportunities for frauds and other crimes through the systems. If such crimes do occur, it is expected that the cyber security officer will play a vital role in the investigation and in any disciplinary action or prosecution of the offenders—thus offering another challenge and opportunity to the cyber security profession.
The Human Factor
With all the talk of high technology, the need for information protection, computer crimes, and the like, there is one important factor to remember. It is the human being who uses the tools for good or bad purposes, and it is the human being whom the cyber security officer often loses sight of when trying to protect information and high technology.
Yes, it is true that for the cyber security officer to be successful, that person must understand not only information systems—computers and their associated networks—but also other forms of high technology, for example, cellular phones, faxes, and pagers. However, one must never lose sight of the human element—usually the most neglected factor in information protection. To be sure, one talks about information protection awareness programs, but the human factor must be addressed in more detail and given more emphasis if the cyber security officer is to protect information.
Laws, Regulations, Standards, and Legal Issues
There are many laws and government regulations such as those related to protecting the stockholders' interests in publicly traded corporations in which you may work. There are too many of them to discuss here, except to say that just because a law or regulation exists, it does not mean that the entity where you work is complying with them. Therefore, it is important to determine what the laws are, and to do so, one should develop a working relationship with the corporation's legal staff.
After all, you must be in compliance with the laws, so obviously, you first must know what they are. In addition, knowing them and working with the legal staff will help support your case to executive management when you show the connection of why you are running a cyber security program or particular parts of it. You should be able to get the legal staff to support your case by having them explain what happens when you do not safeguard the corporate owners' assets. Yes, assets protection insurance is one way to handle risks; however, the corporation must still be in compliance. An insurance corporation should obviously demand it, as security would still be required.
As the cyber security officer, you should search the Internet and identify such laws and regulations. There are also international standards to consider. Know them and implement them in a cost-effective manner using risk management/risk analyses methodologies.
ISO/IEC 27001[11] is the international standard for information security management. By implementing the standard, organizations can identify security risks and put controls in place to manage or eliminate them, gain stakeholder and customer trust that their confidential data are protected, and help achieve preferred supplier status, helping to win new business.
[11] bsigroup.com.
Another example is from the National Institute of Standards & Technology (The Framework Core):
The Framework Core is a set of cybersecurity activities and references that are common across critical infrastructure sectors organized around particular outcomes. The Core presents standards and best practices in a manner that allows for communication of cybersecurity risk across the organization from the senior executive level to the implementation/operations level. The Framework Core consists of five functions—Identify, Protect, Detect, Respond, Recover—which can provide a high-level, strategic view of an organization's management of cybersecurity risk. The Framework Core then identifies underlying key categories and subcategories for each of these functions and matches them with example informative references such as existing standards, guidelines, and practices for each subcategory. This structure ties the high-level strategic view, outcomes, and standards-based actions together for a cross-organization view of cybersecurity activities. For instance, for the Protect function, categories include Data Security, Access Control, Awareness and Training, and Protective Technology. ISO/IEC 27001 Control A.10.8.3 is an informative reference that supports the subcategory "Data during transportation/transmission is protected to achieve confidentiality, integrity, and availability goals" of the Data Security category in the Protect function.
Summary
To be a successful cyber security officer, you must:
• Understand today's world of business, politics, various cultures, people, threat agents, technology—in other words the world of external forces that have an impact on your working world.
• Understand your corporation or government agency and its culture, people, policies, laws, regulations, international and national standards, procedures, attitudes relative to cyber security, systems, processes, political dynamics—everything there is to know about your government agency or corporation.
[1] Sandy Nichol is a freelance editor based in the United Kingdom.
[3] This information was taken from the author's coauthored book, Internet Robbery: Crime on the Internet, published by Butterworth–Heinemann.
[4] The time of the agricultural period varies by progress of individual nations.
[5] As with the Agricultural Age, dates vary for individual nations.
[6] "Information Superhighway: An Overview of Technology Challenges." GAO-AIMD95-23, p. 12.
[7] See the book I-Way Robbery: Crime on the Internet, published by Butterworth–Heinemann, 2000, and coauthored by Dr. Gerald L. Kovacich and William C. Boni, for more details about the Internet and criminal activities.
[8] Ibid., p. 11.
[9] Software that simplifies the search and display of information supplied by the World Wide Web.
[10] Although based on actual cases, the names have not been used because, as of this writing, the cases are still being adjudicated through the criminal justice process.
CHAPTER 2
Understanding the Past and Present Global Business and Management Environment
Abstract
The objective of this chapter is to provide the reader with a basic understanding and philosophy of cyber security within the business environment, including how to communicate with management in "their language."
Keywords
Business manager; Cyber security office; Cyber security program; InfoSec program; Regular employees; Three C's; Turf battles
CONTENTS
The Changing Business and Government Environments
Understanding the Business Environment
Management Responsibilities and Communicating with Management
Creating a Competitive Advantage through a Cyber Security Program
The Cyber Security Officer as a Business Manager
Service, Support, and a Business Orientation
Business Managers and Cybersecurity
What Company Managers Should Ask of Their Cyber Security Professionals
What Cyber Security Professionals Should Do
Questions to Consider
Summary
CHAPTER OBJECTIVE
The objective of this chapter is to provide the reader with a basic understanding and philosophy of cyber security within the business environment, including how to communicate with management in "their language."
As we transition from the Information Age to the Knowledge Age, successful organizations are the ones that actively manage their information environment.[1]
[1] Quote from my coauthored book with Dr. Andy Jones, Global Information Warfare, second edition, published by CRC Press.
This combines old and new aspects of this environment, as it is important to know the past as well as the present, as that combination of knowledge of today's environment is where the cyber security officer works, lives, and plays. The past provides a look down the road traveled and helps explain the logic used to get to the present. Furthermore, it provides the foundation on which the cyber security officer can project and plan a cyber security program that will meet the current and future needs of the business and the expectations of management.
The Changing Business and Government Environments
Businesses and the societies in which they operate need stability to prosper. Prosperity brings jobs, reduces crime, and leads to more security for all. Security brings more stability. You can't have one without the other.
Many of the changes in the world environment are the basis for the rapid shifts in the way we do business, both nationally and internationally. Businesses can, and do, adapt to these changes quite rapidly. However, in government agencies, these changes come more slowly and sometimes threaten the agencies' very existence. For example, a day may come in the not too distant future when the post offices of the world will be unnecessary. E-mails may take the place of letters even for the poorest people of the world, as they will have access to Internet networks. As for packages, commercial firms such as DHL, FedEx, and UPS have already been providing that service for some time. Even contracts these days are electronically signed and there is no need to mail hard copies. However, to be legal, they must be secured to stand up in court.
Clear examples of these changes are the "global marketplace," business-to-business networks, electronic commerce, electronic business, and the like.
Massive, growing networks such as the Internet, national information infrastructures (NIIs), and global information infrastructures (GIIs) are adopted, and must continually be adapted, by businesses if they are to maintain a competitive advantage—or at least compete—in today's marketplace. As a cyber security officer, you must find ways to facilitate such growth in a secure and yet invisible manner. That is a challenge for all of us in the profession.
As a cyber security officer, if you try to slow down business and global communications, you will be run over by "progress" and will soon be updating your resume. Business comes first, and if you do not provide a professional cyber security service that supports and enhances the business, what good are you? After all, business is about profits—and remember, you are a "parasite" on the profits of most companies, since your function is identified as an overhead cost.
There is some business, for example with government agencies, for which the cyber security function is a direct charge to the contract. The problem is that one must meticulously keep track of time spent on the contract work, as charging to a contract when not working on that specific contract results in a fraud against the government, which in turn could lead to being investigated, never to work in the profession again. Why? Because you may be in jail.
As an overhead cost, you do not have direct, hands-on experience in building your company's widgets, for example. Yeah, yeah, yeah, we all have tried to explain that without cyber security and us, as professional cyber security officers, companies can lose their business and their competitive edge through loss of trade secret information, etc. However, the bottom line is that it appears that most of today's business executives are in it for the short term, not the long term. Their concern is the "bottom line" for the next quarter to one year. They can easily terminate a cyber security program and take their chances by having auditors audit for compliance with laws and policies and recommend cyber security policies that information technology people can write. Then they can just buy insurance to cover any potential losses and, by the way, the business of selling such insurance is supposedly booming.
So, as today's cyber security officer, you must do a better job of making yourself part of the "company team" and finding ways to provide value-added and integral services to the company.
In the private sector, telecommunications businesses have become Internet providers as well as leading the drive into mobile communications from laptops, to cell phones, to tablets—and soon wearable devices from watches to other wrist-band gadgets to clothing. As we look into the future, we see more and more people making use of the long-distance voice telephone capabilities of the Internet, at very little additional cost. Then there are the enhanced versions using Skype and FaceTime, for example. The day has arrived when we no longer need a separate telephone in the home or office, except maybe in rural areas. It is becoming a thing of the past.
Speaking of Internet service providers (ISPs), let us take a moment to look at this new business born out of the Internet and see how well it is supporting cyber security and cyber security standards.²
First a little history of how we got to where we are: The Internet was born in the 1960s and arose out of projects sponsored by the Advanced Research Projects Agency in the United States. It was originally a project to facilitate the sharing of computer resources and enhance military communications. As the Internet was maturing, there were conflicts between the "haves," who had the use of the Internet, and the "have-nots," who did not. The haves were computer scientists, engineers, and some others. They argued that the Internet should not be made available to the public. Well, they lost that battle, especially after the business sector found out what a lucrative marketing and public relations tool the Internet could be for reaching potential customers, suppliers, etc. Thus, the ISPs were born.
From that time until now, the Internet has rapidly grown from an experimental research project and tool of the U.S. government and universities to the tool of everyone in the world with a computer. It is the premier global communications medium. With the subsequent development of search engines and, of course, the World Wide Web (Web), the sharing of information has never been easier.
There are many, many ISPs operating and connected all around the globe. We all should know by now that our e-mails don't go point to point, but hop around the Internet, where they can be gleaned by all those with the resources to read other people's mail and steal information to commit crimes such as identity theft or collect competitive intelligence information, etc.
So, what's the point? The point is that there still are ISPs all over the world with few regulations and few, if any, global cyber security standards. Happily, this is gradually changing. So, some ISPs may do an admirable job of protecting our information passing through their systems while others may do little or nothing. Furthermore, as we learn more and more about Netspionage (computer-enabled business and government spying), we learn more and more about how our privacy and our information are open to others to read, capture, change, and otherwise misuse.
In addition, with such "oldies but goodies" programs as SORM in Russia, Internet monitoring in China and elsewhere, global Echelon, and the U.S. FBI's Carnivore (still Carnivore no matter how often they change the name to make it more "politically correct" or to try to "hide" it from the public), we might as well take our most personal information, tattoo it on our bodies, and run naked in the streets for all to see. Although that may be a slight exaggeration, the point is we have no concept of how well ISPs, or any network connected to your corporation's networks, are protecting our information.
Now, we are quickly expanding into the world of instant communications through such things as Skype, Twitter, Facebook, and the like. After all, the more rapidly our world changes, the more rapidly we want to react and we want everything—now! Of course there are perhaps hundreds, if not thousands, of examples of ISPs being penetrated or misused, as well as corporate Web sites and their networks. They are in the news on a regular basis, and our networks are constantly under attack from multiple sources—from teenagers to terrorists to competitors to organized criminals.
Understanding the Business Environment
A cyber security program and its supporting organization are not the reason that a business or government agency exists. In the case of a business, the company usually provides a service or a product. The business has certain information or systems networks that are vital to performing its service and producing its product. The purpose of a cyber security program, therefore, is to provide service and support to the business.
To meet the needs of its customers, both internal and external to the company, it is imperative for the cyber security officer to understand the company and the company's business. This includes the following:
• History
• Products
• Business environment
• Competition
• Long-range plans
• Short-range plans
• Cost of business
• Product value
These are some of the most important parts of a business. Remember, in general, the cyber security program is not a product to be sold in the global marketplace unless that is the business of the corporation; it does not bring in revenue. In fact, cyber security is a cost to the business—unless you can prove that the cyber security program is a value-added service that financially supports the business, assisting in bringing in revenue.
Your cyber security program should, as much as possible, be seamlessly integrated into the systems and processes of at least the core business and all systems connected to that core business.
In this globally competitive economy, there is increasing competition for market share in the worldwide marketplace. It is important for the cyber security officer to understand this competition and what can be done by the cyber security officer through the cyber security program to enhance business, increasing such things as profits, market share, and income.
Kenichi Ohmae, in his book The Mind of the Strategist,³ discusses product/service differentiation in the form of "the strategic three C's": the corporation, the customers, and the competition. Corporations and competitors are differentiated by costs. Customers differentiate between the corporation and the competitors by value.
Customers will buy a product that they want (consider of value), if it is a quality product at the right price. Therefore, it is important that the cyber security program add value to the product, and do so at the lowest cost, in order for the business to remain competitive in the marketplace. So, treat the cyber security program as a product that adds value and minimizes costs. Since it is your product, market it and sell it!
Fast, accurate, and complete information provides the opportunity to gain a competitive advantage—assuming of course that the information is correctly acted upon in time to provide that advantage. The responsibility of the cyber security officer is to support this process by assisting in storing, processing, transmitting, and displaying that fast, accurate, and complete information in a secure manner. This support is necessary to assist in providing the company competitive advantage opportunities.
These opportunities to take advantage of information were summarized by Colonel John R. Boyd, U.S. Air Force, as a strategy based on the "OODA loop" (observe–orient–decide–act). Although put forth some time ago, the points made are still valid. The idea is to look at it from the viewpoint that whoever can be the quickest to move through this loop can gain a competitive advantage. Information has always been time dependent and probably is more so today than ever before. That is why it is crucial to be able to have a tighter (using less time) OODA loop than one's adversaries, whether they be a nation-state, a business, or an individual.
In addition, this advantage is created because the competitor becomes more confused and uncertain over events, and that may influence the competitor's judgment and decisions. In Patterns of Conflict,⁴ Boyd concluded that operating inside an opponent's OODA loop generates uncertainty, doubt, mistrust, confusion, disorder, fear, panic, and chaos.
Case Study
In his book Following the Equator,⁵ Mark Twain wrote about how one can take advantage if one has information before the competitor and knows how to act on that information. At the time of Twain's world travels, sharks populated the harbor of Sydney, Australia. The government paid a bounty on sharks. A young man was down on his luck and walking around the harbor when he met an old man who was a shark fisher, who had not caught a shark all night. The old man asked the young man to try his luck. The young man caught a very large shark. As was the custom, the shark was disemboweled, as sometimes one found something of value. As it happened, this young man did.
The young man went to the house of the richest wool broker in Sydney and told him to buy the entire wool crop deliverable in 60 days. They formed a partnership based on what the young man found in the shark. It seems that the shark had eaten a German sailor in the Thames River. In the belly of the shark were found not only his remains, some buttons, and a memorandum book discussing the German's returning home to fight in the war, but also a copy of the London Times that had been printed only 10 days before. At that time, news from London came by ship that took about 50 days. However, sharks traveled faster than the ships of that time. The Times stated that France had declared war on Germany, and wool prices had gone up 14% and were still rising. No other Australian wool brokers or wool producers would know that wool prices were skyrocketing for at least 50 days. By then the young man and his partner the wool broker would own all the wool, purchased at the "normal lower price," and could ship it to Europe for a very handsome profit.
⁵ Mark Twain, A Tramp Abroad, Following the Equator, Other Travels (Library of America No. 200), Roy Blount Jr. (editor), Library of America, first printing March 4, 2010, 1050 pages, ISBN-10 1598530666, ISBN-13 978-1598530667.
This case study is an example of how accurate information received and acted upon within the competitor's OODA loop can give one a tremendous advantage in business. So, the old saying "information is power" is probably more true today than ever before, again provided that:
• The information is accurate,
• It is acted upon correctly, and
• It is acted upon before it is acted upon by your competitor.
Management Responsibilities and Communicating with Management
One of the biggest mistakes made by cyber security officers is to assume that they "own" the systems and information. The cyber security officer must remember that the owners of the business, whether it be private ownership or public ownership through the stockholders, make the decisions as to how the business is run. The stockholders do it through the elected members of the company's board of directors, who are the risk takers. Their responsibilities include making decisions relative to company risks.
As a cyber security officer, you are there because the management believes you have the expertise they need to protect the business's information systems and the company's information.
All too often, the cyber security officer gets into the "tail wagging the dog" situation in which the cyber security officer can't understand why management does not provide the cyber security officer with the support that is needed or wanted. The cyber security officer must keep in mind that if management did not provide at least some support, the company would not employ the cyber security officer!
When decisions are made to process, store, display, or transmit information that goes against the desires of the cyber security officer, many cyber security officers take that personally. Remember, it is not your information! It belongs to the business owners.
Of course, depending on your responsibilities and the authority delegated to you by management, you will probably be responsible for making the majority of decisions that involve cyber security. However, even with that responsibility and authority, the cyber security officer must gain the support and concurrence of others within the company. You were hired to safeguard these valuable systems, networks, information, etc., with the goal of doing so at the lowest cost based on the threats, vulnerabilities, and risks to these systems. You determine that by doing formal risk analyses.
When a cyber security decision must be made and that decision is outside the purview of the cyber security officer, the cyber security officer must elevate the final decision to a higher level of management. Although each company's culture and policies will dictate when and how that process will be implemented, the cyber security officer should be sure to provide complete staff work on which the management can base the required decision. In other words, the person making the decision must be provided with all the necessary information on which to base the decision. If that information is not provided to upper management, the wrong decision could be made, which may jeopardize the protection of the company's information and/or systems or may cause the company to incur unnecessary costs.
If you have done your homework—if you have assessed the risks to the information and systems, the protection alternatives, the costs involved, and the benefits involved, and you are in a position to make your recommendations accordingly—then you have done your job.
Before you bring a problem and decision to management, you, the cyber security officer, should be sure that you have addressed the problem by providing management with clear, concise information, using nontechnical language, on which they can base their decision. The following, as a minimum, should be included in that process:
• Identification of the problem
• Possible problem solutions, including costs and benefits
• Recommended solution to the problem, and why
• Identification of who should fix the problem (it may not be a cyber security issue, or it may be one outside your authority)
• Consequences of no decision (no action/no decision is always an option, and sometimes the right one)
Whether it is the responsibility of the cyber security officer to fix the problem or not, the cyber security officer should follow up. Once the problem is fixed, it is always good to contact the other personnel who were at the meeting at which the problem was discussed and the decision made, and advise them either verbally or in writing when the corrective action is completed or the project is closed out.
An excellent gesture would be to send a letter of appreciation to those involved in fixing the problem, with appropriate copies to management. This is especially important if others fixed the problem outside your organization, or if staff outside your organization assisted you in fixing the problem.
It is the responsibility of the business management to make the final decision, unless of course they abdicate that responsibility to you. They, in turn, are held accountable to the owners of the business.
Remember that managers are usually authorized to make decisions related to accepting cyber security-associated risks for only the organizations under their authority. They should not be allowed by the business to make decisions that affect the entire company. If that appears to be occurring, you are obligated to ensure that the manager as well as upper management knows that information. This is of course a sensitive matter and must be handled that way.
A word of caution: Some managers will abdicate their management responsibility to the cyber security officer. As the cyber security officer, you may be flattered by such a gesture, but beware! You may also be getting set up to take the blame for the consequences. These consequences may be due to a decision that you may not have recommended—in fact, it may be a case in which you were in total disagreement with management as to the correct course of action to be taken.
The responsibility of business management is a serious one. Under current laws in many nation-states, managers can be held personally responsible, and possibly liable, for any poor decisions that affect the value of the business. So, your responsibility as a service and support information security (InfoSec) professional is to give management the best advice you can. When their decision is made, do your job by supporting that decision and by ensuring that the information and systems are protected based on that decision.
"JPMorgan spending $250 million on cyber security and going to double it to $500 million in the coming years."⁶
⁶ Fox News interview of Jamie Dimon, January 13, 2015.
There may be times when, in the opinion of the cyber security officer, management makes the wrong decision relative to protection of information. The cyber security officer then has several additional choices:
• Meet with the decision-maker in private to try to convince that person of the consequences of the decision and why it may not be right,
• Appeal the decision to the next level of management,
• Quit the job, or
• Quit the company.
Another word of caution is needed here. Whether the decision is right or wrong, the cyber security officer should document that decision process. The documentation should answer the typical security/investigative questions of who, how, where, when, why, and what.
This is important, not from the standpoint of just another bureaucratic process, but to have a history of all actions taken that are related to cyber security. Thus, when similar instances occur a year or more after the last decision, it can be used as a precedent. This not only helps in making subsequent decisions based on similar instances, but also helps ensure consistency in the application of InfoSec. Inconsistent InfoSec decisions lead to confusion, which leads to not following sound InfoSec policy and causes increased costs to the business. This process follows the process used by the legal community, in which case law is used to argue a current legal issue. Precedent is a logical process to follow—assuming that the decisions previously made were the correct ones, of course.
If it is subsequently shown that the last decision had unexpected, adverse consequences, then it will help the decision-maker not to make the same mistake again—one would hope. People come and go, but a good historical file will ensure consistency and keep you from having to rely on the memories of the people involved—assuming they are even still employed by the company.
For example, assume that a major decision had to be made concerning cyber security, and the decision was determined to be that of management. You, as the cyber security officer, should do the following:
• Lead the effort to resolve the issue,
• Request a meeting,
• Ensure all the applicable personnel are invited, and
• Brief those at the meeting on the situation as stated above.
If you as the cyber security officer are to keep minutes of the meeting, the minutes should include:
• Why the meeting was held,
• When the meeting was held,
• Where the meeting was held,
• Who was at the meeting,
• What information was presented and discussed,
• What the decision was,
• How management made their decision, and
• Who made the decision.
Someone in management should sign the minutes of the meeting showing the results of the meeting—preferably the person who made the final decision. You will find that such decisions are usually verbal, and most managers do not want to sign any document that will place them at risk. So, how do you deal with such issues? There are several methods that can be used, all of which may cause your position as the cyber security officer to be questioned: "not a team player," "you don't understand the big picture," or "you are not a business person, so you don't understand the situation." By the way, having an MBA may help in winning this argument.
Even though you have the best interest of the company at heart and it is the basis for your recommendation, and even though you consider yourself a dedicated and loyal employee, in the eyes of some in management you're not a team player. In other words, you are not on their team.
You will soon find that the position of the cyber security officer is sometimes a risky one. Even if you do the best professional job that can be done or has been done in the history of the cyber security officer profession, office politics must be considered. Such non-cyber security situations will often cause many more problems than the cyber security officer will face in dealing with InfoSec issues, hackers, and the like.
If you do not know about such things as "turf battles" and "protecting rice bowls," the local bookstore is the place to go. There, you will find numerous books that will explain how to work and survive in the "jungle" of office politics. You may know cyber security, but if you do not know office politics, you may not survive—even with the best cyber security program ever developed. Always remember: "It's a jungle out there!"
Why is it that way? There are many reasons, but for cyber security officers the primary reason is that you make people do things that they do not consider part of their job. And if they do not follow the cyber security policies and procedures, they could face disciplinary action. So, you, like corporate security personnel and auditors, are not always popular.
Obviously, as the cyber security officer, you want to eliminate or at least minimize that type of image—the "cop" image. It is hard work, but you must constantly try to overcome the negativism that people tack onto the cyber security officer and cyber security. Some ways of countering that negative image can be found throughout this book.
Many business meetings require that minutes be taken. If so, and if you are not responsible for taking the minutes, obtain a copy and ensure that your recommendations are noted in them, as well as who made what decisions. This is the best method of documenting what went on in the meeting.
If the minutes do not adequately describe what has taken place—if, for example, they lack details of what was presented, the potential risks, or who made the final decision (all crucial pieces of information)—then annotate the minutes. Attach any of your briefing charts, sign and date the minutes, then place them in a file in case you want to use them as a reference at a later date.
Another method that can be used, but is more confrontational, is to send a memo to the manager who made the decision in which you document the cyber security options, costs, benefits, and associated risks. You then conclude with a sentence that states, for example, "After assessing the risks I have concluded that the best course of action is option 2." Leave room for a date and the signature block of the manager you want to sign the document.
The document should be worded professionally and should be as nonintimidating to the manager as possible. Even so, in most cases, you may find that you won't get a signed copy returned to you if you send it in the company mail.
You should hand carry this document to the manager and discuss it with that person. Imagine yourself in the manager's position. When you put your signature on such a document, there can be no mistake. You made the decision. If something goes wrong, that letter may document the fact that in retrospect it was a poor decision. No manager—no one—ever wants to be put in that position. Remember that the manager does not have to sign the cyber security document. In fact, no matter how it is presented, you will find most managers will find some way not to sign the document if there is the slightest chance of being second-guessed later. In today's environment of "touchy-feely don't-hold-me-responsible" management, today's cyber security officers are more challenged than ever before to get management to own up to their decisions.
Asking a manager to sign such a document, especially if you have voiced disagreement about the decision, should be a last resort. It should be done only if you feel so strongly about the decision that you are willing to put any possible raise or promotion, or even your employment, on the line. So, you'd better be right, and you'd better strongly believe that it is worth it. Also, as the cyber security officer, you must do this as a cyber security professional, a person of integrity and principles.
Even so, you may end up being right, but also right out of a job. Well, no one said that being a cyber security professional is easy.
Creating a Competitive Advantage through a Cyber Security Program
To ensure that the cyber security program supports the company's business services and products, the cyber security officer must think of methods, philosophies, and processes that will help the company in gaining a competitive advantage. Such methods and philosophies should include a team approach. That is, have the company employees and especially management support your cyber security program.
To help in that endeavor, you should strive to insert, in appropriate company policy documents, policies that can help support your efforts. The following are some examples that may be useful in incorporating into company policy documents support for your cyber security program and your quest to assist the company in gaining a competitive advantage through cyber security:
• Managers will ensure a compliant cyber security program within their organization.
• Managers will develop our customers' trust that their sensitive information will be effectively protected while under our control.
• Managers will employ cost-effective cyber security systems and strive to help keep the price of our company's services and products as low as possible relative to our competitors.
• Managers will help keep the company's overhead down through effective loss prevention and assets protection processes.
• Managers will minimize the adverse impact of our cyber security controls on the efficiency of the company's operational functions by working with the cyber security staff to find the most cost-effective ways of protecting our information assets.
• Managers will proactively find ways to securely and efficiently provide the company's services and products.
The Cyber Security Officer as a Business Manager
The role of the cyber security officer in managing a cyber security program is somewhat different from the role of the cyber security officer as a manager of the company.
All company managers have some role to play that applies regardless of the manager's area of responsibility. This also applies to the cyber security officers in management positions. The following items should be considered for implementation by the cyber security officer as a manager within the company:
• Comply with all company policies and procedures, including the intent of those policies and procedures.
• Take no action that will give the appearance of violating applicable company policies, procedures, or ethical standards.
• Implement applicable management control systems within the cyber security organization to ensure the efficient use of resources and effective operations.
• Identify business practices, ethics, and security violations/infractions; conduct inquiries; assess potential damage; direct and take corrective action.
• Communicate with other departments to provide and receive information and guidance for mutual benefit.
• Plan, organize, direct, coordinate, control, report, assess, and refine business activities to achieve quality, cost, schedule, and performance objectives, while retaining responsibility for the results.
• Exercise due diligence to prevent fraud, waste, or abuse.
• Establish and maintain a self-audit process to identify problem areas and take corrective action to eliminate deficiencies.
These items, if made part of the cyber security officer's philosophy and goals, will not only benefit the company, but also assist the cyber security officer in professionally meeting the cyber security duties and responsibilities as a valued member of the company's management team. Remember that the cyber security program is a company program. That means you need help from everyone in the company to ensure its success.
Service, Support, and a Business Orientation
In any business, the cyber security officer must strive to balance the required "user friendly" systems demands of management and users with those of cyber security. After all, cyber security, unless it can be proven to be "value added," thus at least paying for itself, is a parasite on profits or, at the least, has an adverse impact on budgets. This will be a factor to consider as you, the cyber security officer, establish the company's cyber security processes, programs, plans, projects, budgets, etc.
Remember that the cyber security program must be service and support oriented. This is of vital importance. The cyber security officer must understand that the cyber security program, if it becomes too costly or outdated or does not meet the service and support needs of the business or government agency, will be discarded or ignored. Each of these possibilities will eventually lead to the dismissal of the cyber security officer.
The dismissal of any cyber security officer affects all cyber security officers. The cyber security officer profession is thus damaged, as is our professional credibility and our opportunities to protect vital information for our internal and external customers. It is difficult enough, even in today's environment, to "sell" a cyber security program. It makes our jobs as cyber security officers harder when one of us fails. The failure of a cyber security officer could be a lesson learned for all cyber security officers. Learn not only from your own failures, but also from those of others.
Word of a cyber security officer's dismissal and failures does get around within the industry and government agencies, making it much more difficult for the cyber security officer's replacement to develop a professional InfoSec program. You may be that replacement.
As the cyber security officer, you must constantly update your cyber security program and its processes. You must continuously look at changes in society and technology, plan for those changes, and be prepared to address the cyber security ramifications of installing new technology into the business before it is installed. You must implement cyber security measures before someone can take advantage of a system vulnerability.
So far, cyber security officers for the most part have been in a reactive mode, with little time to be proactive and put cyber security defenses in place before they are needed! How to do that will be discussed in the following chapters.
BusinessManagersandCybersecuritySomecybersecurityofficersmaywanttotalk“techie”tokeepbusinessmanagersinthedarkaboutthe“mysteries”ofcybersecurity.Theythinkthatitwillmakethecybersecurityofficerinvaluabletothecorporationand,therefore,alwaysneeded.Thatisillogicalandalsoworksagainstthecybersecurityofficer.Themorethemanagersandallemployeesunderstandabouttheconceptsandphilosophiesofcybersecurity,themoretheywillunderstandcybersecurityofficerdecisions—andalsothemoresupportivetheywillbe.
Corporatemanagement’sknowledgemayalsochallengeacybersecurityofficer,causinghimorhertorethinksomedecisionsandthelogicthatledtothem.That’sgood,exceptforthosecybersecurityofficerswhodonotwanttoexcelandacceptsuchachallenge—inotherwords,thelazyandunprofessionalpeopleincybersecurityofficerpositions.However,inthelongrun,suchcriticismsandrecommendationsaregoodforthecorporation.Why?Becauseitmeansthatmanagementisactuallylookingatcybersecurityandbecoming,astheyshould,apartofthecybersecurityteam.
Asacybersecurityofficer,youshouldknowthatthemoreinputyougetandthemoreinterestedcorporatemanagementandemployeesareincybersecurity,thebetteryourcybersecurityprogramwillbecome,andthebetteritwillmeettheneedsofthecorporation.Itistruethatyouwillprobablyspendmoretimeindiscussionswithcorporatemanagement,butthatisreallyagoodthing.Inthelongrun,yourjob,ifyoudoitright,willactuallybeeasier.
Itshouldcomeasnosurprisetocompanymanagersthattheyareresponsiblefortheprotectionofcompanyassets.Intoday’sinformation-dependentandinformation-basedcompanies,itshouldalsocomeasnosurprisethattheseassetsincludeinformation.Thesearefactsofbusinesslifetodayandareprobablyconcurredwithby99.9%ofthecompanymanagersthatonecouldsurvey.Iwouldsay100%,exceptthattherearealwayssomemanagers(manyofushavemettheminourcareers)whojustdon’tseemtogetit.So,let’sallotthe0.1%tothosemanagersthatjustdon’tgetit.
So, if most company managers agree with that premise, why do so many battle to negate information and information systems protection (cybersecurity) instead of supporting it? Maybe they don't care for anything beyond their paychecks and bonuses. It seems today that there are many of those. It is ironic, but it seems in many companies around the world today that the truly company-loyal people are mostly the "regular employees" and not the managers. Employees are out there working hard and doing their best to help the company succeed. They have a loyalty—though somewhat less than in earlier years—to the company that it seems most of today's managers do not.
Today's managers either are so self-centered that they care only about their careers—you see, managers have "careers," while employees have "jobs"—or are ignorant as to their responsibilities. Let us assume ignorance is their problem. Perhaps they have been promoted into management but no one has ever explained their assets protection responsibilities. That may be because their boss did not know—it was not explained to him or her. Maybe it is because the managers try to avoid that responsibility by hiring someone to provide cybersecurity. Thus the problem is delegated to someone else. Therefore, when things go wrong, it is not the company manager's fault; it is the fault of those hired to protect the assets.
Then what can be done about it? Whatever the reason, it is up to the company managers to know their responsibilities and the cybersecurity professionals to politely remind them of those responsibilities. As the saying goes, "You can delegate authority but not abdicate your responsibilities."
If you are a company manager reading this, other than a security professional of some kind, congratulations! You are one of the few who are interested in cybersecurity. May your career rise above the stars. For you others out there, it is assumed you have some responsibility for cybersecurity or cybersecurity-related tasks such as fraud prevention or other asset protection. If so, you should provide your company managers information that politely and professionally explains to them that they have some very basic and direct cybersecurity responsibilities. Lay out those responsibilities to them as part of some awareness e-mail, on an internal company Web page or newsletter—whatever communication form works best in your environment.
The first thing that company managers should be made aware (or reminded) of is that they do have a responsibility for protecting company assets—and some of the most important of those assets are the sensitive information and information systems within their organization.
Company managers should understand the basics of cybersecurity. It is not rocket science. It is common sense. They should know that the purpose of cybersecurity is to do the following:
• Minimize the probability of a successful attack on the company's information,
• Minimize the damage if an attack occurs, and
• Provide a method to quickly recover in the event of a successful attack.
The three basic principles that are the foundation of cybersecurity are:
• Access control,
• Individual accountability, and
• Audit trails.
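The three principles above, worked through as an added example that is not part of the book: an access request is checked against an explicit allow-list (access control), is refused unless it carries an individual identity rather than a shared account (individual accountability), and is recorded, allowed or denied, in an append-only log in which every entry commits to the hash of the one before it, so that later editing, deletion, or reordering of the record can be detected (audit trail). The resources, users, and permissions are constructed for illustration.

```python
"""Added example (not from the book): the three basic principles in code.

Access control: every request is checked against an explicit allow-list.
Individual accountability: every request must name an individual principal;
shared or anonymous identities are refused outright.
Audit trail: every decision is appended to a hash-chained log that can be
verified afterwards. All names, users, and permissions are constructed.
"""
import hashlib
import json
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Constructed access-control list: resource -> {principal -> allowed actions}
ACL: Dict[str, Dict[str, Set[str]]] = {
    "payroll-db": {"alice": {"read", "write"}, "bob": {"read"}},
    "hr-share": {"bob": {"read", "write"}},
}

# Identities that are not individual people; nobody can be held accountable for them.
SHARED_IDENTITIES = {"admin", "root", "service", "guest", ""}


def _digest(fields: dict) -> str:
    # Canonical JSON so the same fields always hash the same way.
    return hashlib.sha256(json.dumps(fields, sort_keys=True).encode()).hexdigest()


@dataclass
class AuditLog:
    """Append-only log; each entry commits to the hash of its predecessor."""
    entries: List[dict] = field(default_factory=list)

    def append(self, principal: str, resource: str, action: str, decision: str) -> dict:
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        body = {"seq": len(self.entries), "who": principal, "what": resource,
                "action": action, "decision": decision, "prev": prev}
        body["hash"] = _digest(body)
        self.entries.append(body)
        return body

    def verify(self) -> Tuple[bool, int]:
        """Return (ok, index of first bad entry or -1).

        Catches edited fields, deleted entries, and reordered entries, because
        each of those breaks either the sequence number, the prev link, or the hash.
        """
        prev = "0" * 64
        for i, entry in enumerate(self.entries):
            fields = {k: v for k, v in entry.items() if k != "hash"}
            if entry["seq"] != i or fields["prev"] != prev or _digest(fields) != entry["hash"]:
                return False, i
            prev = entry["hash"]
        return True, -1


def request(log: AuditLog, principal: str, resource: str, action: str) -> bool:
    """Apply the three principles to one access request; True if allowed."""
    if principal in SHARED_IDENTITIES:
        log.append(principal, resource, action, "denied:not-individual")
        return False
    allowed = action in ACL.get(resource, {}).get(principal, set())
    log.append(principal, resource, action, "allowed" if allowed else "denied:acl")
    return allowed


if __name__ == "__main__":
    log = AuditLog()
    print(request(log, "alice", "payroll-db", "write"))  # True
    print(request(log, "bob", "payroll-db", "write"))    # False
    print(request(log, "admin", "hr-share", "read"))     # False, shared identity
    print(log.verify())                                  # (True, -1)
    log.entries[1]["decision"] = "allowed"               # tamper with the record
    print(log.verify())                                  # (False, 1)
```

The point of the chain is that a denied request cannot later be quietly rewritten as an allowed one, and a shared "admin" login never produces an entry that can be pinned on a person, which is exactly why the request is refused rather than logged and permitted.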
These are rather basic and should be easy enough for company managers not versed in cybersecurity to understand. Once managers understand the cybersecurity purpose and the three basic principles, the cybersecurity professional must be able to explain the concepts in detail and how they apply to the individual company managers. Obviously, there is not sufficient space in this entire book to adequately cover that topic. Furthermore, I hope that, as a cybersecurity officer responsible for protecting these valuable assets within your company, you do understand these concepts and can easily explain them to company managers. If not, failure to clearly communicate and gain support for your program may be your downfall.
What Company Managers Should Ask of Their Cyber Security Professionals
Company managers should also be sufficiently knowledgeable to ask intelligent questions about cybersecurity-related matters, and ideally the company cybersecurity officer can answer them. Some questions company managers should ask, and some possible answers that the InfoSec officer can give and then explain in more detail, include the following:
• Question: How do you know you are actually under attack and not the victim of misconfigured systems? Answer: You may not know until it is too late; you may never know; you may know, but can't stop it.
• Question: What are the warning signs of potential or actual attacks? Answer: There may not be any.
• Question: Is it possible to know of pending attacks? Answer: Yes. No. Maybe—depending on conditions.
• Question: What can you do to set up an "imminent" attack warning system? Answer: Base it on history, on the latest techniques identified by CERTs, on target visibility, on your defenses, on your countermeasures, on your use of technology, and on vendor products.
• Question: What is the basis of deploying intrusion detection to assist in countering the attacks? Answer: What is normal activity? What is abnormal? One can compare activity against known attack methods and establish countermeasures, and one must have, as a minimum, a cybersecurity policy, procedures, and an awareness program.
• Question: What must be considered when deploying the intrusion detection system and processes? Answer: Any available tools should be adapted to your unique environment. The intrusion detection process must be always secure, operating, and "foolproof." It must detect all anomalies and misuse, must have audit-based systems for history, must have real-time monitoring and warnings, and must take immediate action based on each unique attack. Also, one must know what to do if attacked. Treat "foolproof" and "all anomalies" as goals rather than guarantees: as the earlier answers admit, some attacks will never be seen, so the process must be tuned for the misuse it can actually recognize and backed by a plan for what it misses.
• Question: Any other things to consider? Answer: Audit entry ports, especially to critical areas; prioritize processes, shut down others; isolate the problem; and establish alternate routing paths.
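The two questions behind intrusion detection in the answers above, "what is normal?" and "what is abnormal?", together with comparing activity against known attack methods, as an added example that is not part of the book: a per-host baseline (sources seen, failed logins per hour) is learned from a training window of login records, and live records are then flagged for deviations from that baseline and for matches against a small signature list. The log format, hosts, addresses, and signatures are all constructed for illustration; they are not real data or a real rule set.

```python
"""Added example (not from the book): a minimal intrusion-warning process.

Baseline: per host, the set of source addresses seen and the mean/stdev of
failed logins per hour, learned from a training window.
Detection: (a) signature matches against known attack methods and
(b) deviations from the baseline (new source, unknown host, failure burst).
Log lines, hosts, addresses, and signatures below are constructed.
"""
import re
import statistics
from collections import Counter, defaultdict
from typing import Dict, List, Tuple

# Constructed record format:  time host src=<ip> user=<name> result=ok|fail [note=...]
LOG_RE = re.compile(r"^(\S+) (\S+) src=(\S+) user=(\S+) result=(\S+)(?: note=(.*))?$")

# Known attack methods expressed as content signatures (constructed, not a real rule set).
SIGNATURES = {
    "default-cred": re.compile(r"user=(admin|root|guest)\b"),
    "sqli-in-user": re.compile(r"user=[^ ]*('|--|;)"),
    "traversal": re.compile(r"note=.*\.\./"),
}


def parse(line: str) -> dict:
    m = LOG_RE.match(line)
    if not m:
        raise ValueError("unparsed line: " + line)
    t, host, src, user, result, note = m.groups()
    return {"time": t, "host": host, "src": src, "user": user,
            "result": result, "note": note or "", "raw": line}


def learn_baseline(lines: List[str]) -> Dict[str, dict]:
    """What is normal: per host, sources seen and failure statistics per hour."""
    sources = defaultdict(set)
    fails = defaultdict(Counter)          # host -> hour -> failed logins
    for ev in map(parse, lines):
        sources[ev["host"]].add(ev["src"])
        hour = ev["time"][:13]            # "YYYY-MM-DDTHH"
        if ev["result"] == "fail":
            fails[ev["host"]][hour] += 1
        else:
            fails[ev["host"]].setdefault(hour, 0)   # quiet hours count as zero
    base = {}
    for host, srcs in sources.items():
        counts = list(fails[host].values()) or [0]
        base[host] = {"sources": srcs,
                      "fail_mean": statistics.mean(counts),
                      "fail_stdev": statistics.pstdev(counts) if len(counts) > 1 else 0.0}
    return base


def detect(lines: List[str], base: Dict[str, dict], z: float = 3.0) -> List[Tuple[str, str]]:
    """What is abnormal: return (reason, detail) warnings for signature hits and deviations."""
    warnings = []
    fails = defaultdict(Counter)
    for ev in map(parse, lines):
        for name, rx in SIGNATURES.items():          # compare against known attack methods
            if rx.search(ev["raw"]):
                warnings.append((f"signature:{name}", ev["raw"]))
        hb = base.get(ev["host"])
        if hb is None:                               # no history at all for this host
            warnings.append(("unknown-host", ev["raw"]))
            continue
        if ev["src"] not in hb["sources"]:
            warnings.append(("new-source", ev["raw"]))
        if ev["result"] == "fail":
            fails[ev["host"]][ev["time"][:13]] += 1
    for host, per_hour in fails.items():
        hb = base[host]
        # Floor the spread at 1 so a very quiet baseline does not alert on a single failure.
        threshold = hb["fail_mean"] + z * max(hb["fail_stdev"], 1.0)
        for hour, n in per_hour.items():
            if n > threshold:
                warnings.append(("failure-burst", f"{host} {hour} failures={n} threshold={threshold:.1f}"))
    return warnings


# Constructed training window (normal activity) and live window (contains attacks).
TRAINING = [
    "2015-03-02T09:00 web1 src=10.0.0.5 user=alice result=ok",
    "2015-03-02T09:05 web1 src=10.0.0.6 user=bob result=fail",
    "2015-03-02T09:07 web1 src=10.0.0.6 user=bob result=ok",
    "2015-03-02T10:01 web1 src=10.0.0.5 user=alice result=ok",
    "2015-03-02T11:30 web1 src=10.0.0.7 user=carol result=fail",
    "2015-03-02T11:31 web1 src=10.0.0.7 user=carol result=ok",
]
LIVE = [
    "2015-03-02T14:00 web1 src=10.0.0.5 user=alice result=ok",
    "2015-03-02T14:01 web1 src=198.51.100.9 user=admin result=fail",
    "2015-03-02T14:01 web1 src=198.51.100.9 user=bob result=fail",
    "2015-03-02T14:02 web1 src=198.51.100.9 user=carol result=fail",
    "2015-03-02T14:02 web1 src=198.51.100.9 user=dave result=fail",
    "2015-03-02T14:03 web1 src=198.51.100.9 user=eve result=fail",
    "2015-03-02T14:10 web1 src=10.0.0.6 user=bob result=ok note=GET /../../etc/passwd",
    "2015-03-02T14:20 db1 src=10.0.0.5 user=alice result=ok",
]

if __name__ == "__main__":
    for reason, detail in detect(LIVE, learn_baseline(TRAINING)):
        print(reason, "|", detail)
```

The baseline answers the manager's "how do you know it is an attack and not a misconfiguration?" question only partly: a burst of failures from an address never seen before is abnormal, but a burst from a known source may just be a broken script, which is why the output carries the reason and the raw record rather than a verdict.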
What Cyber Security Professionals Should Do
If the company managers are able to ask such questions and understand the answers and the details provided, the cybersecurity officer has gone a long way to help protect their information and systems from attacks and external fraud. The cybersecurity officer has also gone a long way in gaining some basic, active support from company managers.
As part of the above, to be successful, the cybersecurity officer should do at least the following:
• Collect information on attacks from all available sources;
• Develop and maintain a threat toolkit containing strategies, tactics, tools, and methodologies used to attack systems;
• Continuously maintain a current toolkit and methodologies that can threaten systems through attack methods;
• Model the capabilities of the potential intruders against real-time attacks;
• Collect information related to the corporation's information systems' vulnerabilities;
• Establish systems simulating intruder attacks using threat tools in a simulation and testing environment; and
• Establish defenses accordingly.
Questions to Consider
Based on what you have read, consider the following questions and how you would reply to them:7
• Do you understand the company for which you have cybersecurity responsibility—its history; what products and services it produces; its environment, culture, competition, and business plans; the impact of the cybersecurity program on profits; and the like?
• Are you absolutely clear as to what management expects of you?
• Are you absolutely clear that management understands your cybersecurity program?
• Is management clear as to what you expect from them, such as support?
• Do you have good communication channels with management?
• Are there managers who are against your cybersecurity program, and if so, do you avoid them or try to understand their position and work with them?
• If you do not work with them, why not?
• Do you understand your business management responsibilities?
• Are you trying to make the cybersecurity program a value-added function?
• If so, are you succeeding, and how do you know?
• Does management also think the cybersecurity program is a value-added program, and if so, how do you know?
Summary
As we are now well on our way into the twenty-first century, a cybersecurity officer faces many more challenges than existed only a decade ago. The environment is faster, more technical, and much more challenging. The twenty-first-century cybersecurity officer must understand the global marketplace and the company's business environment much more than was necessary only a decade or so ago:
• Cybersecurity officers must understand their company's business, including its history, products, competition, plans, costs, and product value.
• Cybersecurity officers must understand business, management, and how to communicate with management in management's language—not in "computerese"!
• Cybersecurity officers must document major cybersecurity decisions to provide a historical file that can be used in the future when considering similar situations.
• Cybersecurity officers must also think and act as business managers of the company.
• Cybersecurity officers must be service and support oriented.
• Cybersecurity officers must understand today's NII and GII and where the corporation's networks are connected to that system—weakest point and all that.
• Cybersecurity officers must understand the threats, vulnerabilities, and risks associated with the corporation's systems.
• Cybersecurity officers must know where the systems are and where they are connected inside and outside the corporation.
Company managers must understand their assets protection responsibilities. That is especially important today, when information protection and crime prevention should be a major responsibility of every company manager. For it is only with that understanding, support, and action that companies can respond to attacks against them from competitors, nation-states, and techno-spies.
2 Previously written by the author under the name Shockwave Writer and published by Reed Elsevier in their magazine Computer Fraud & Security (2002), as the article "Internet Service Providers and InfoSec Standards."
3 Ohmae, Kenichi, The Mind of the Strategist. Penguin Books, Ltd., Middlesex, UK, 1982.
4 John Boyd, Patterns of Conflict, December 1986, http://www.ausairpower.net/JRB/poc.pdf.
7 Obviously, if you answer No to any of these questions, you have some additional work to do.
CHAPTER 3
An Overview of Related World Views of Cyber Security
Abstract
This chapter will provide a short overview of world views of cybersecurity broken down by regions of the world. We live in an interconnected world of computer networks, all having the ability to positively and negatively affect those attached to them.
Therefore, the purpose of providing these global views is so the cybersecurity officer has an overview of what others are thinking and doing to protect parts of the global information infrastructure (GII) and how that may affect the cybersecurity officer's responsibilities as they relate to his or her part of the GII, national information infrastructure (NII), and related networks.
As with any subject matter these days, a search of the Internet will find more information than you ever wanted to know on a topic. This topic is no different. Therefore, it is not the intent to provide everything you always wanted to know on what the United Nations and other entities are doing but, as the chapter title says, provide an "overview" of what others are thinking and doing vis-à-vis cybersecurity.
Remember that in today's world of global corporations, the cybersecurity officer may have to follow the cybersecurity policies and procedures in the various nations where his or her corporation does business. So, as a cybersecurity officer, it is crucial that you understand such laws, rules, regulations, etc., and work with your corporation's legal staff to be sure that any issues identified relative to these matters are addressed.
Keywords: Africa; Asia; Canada; Comprehensive National Cybersecurity Initiative (CNCI); Department of Homeland Security (DHS); European Union (EU); International Telecommunication Union (ITU); South America; Trusted Internet Connections (TIC); United States
The world is a dangerous place to live; not because of the people who are evil, but because of the people who don't do anything about it.1
Albert Einstein
CONTENTS
Evolution of Laws, Standards, Policies, and Procedures
Global via the UN
The EU
  International Security in Cyberspace
  Internet Governance Developments in 2015
  U.S.–EU Cyber Security-Related Cooperation
Asia
South America
Africa
Canada
United States
  CNCI Initiative Details
Summary
CHAPTER OBJECTIVE
This chapter will provide a short overview of world views of cybersecurity broken down by regions of the world. We live in an interconnected world of computer networks, all having the ability to positively and negatively affect those attached to them.
Therefore, the purpose of providing these global views is so the cybersecurity officer has an overview of what others are thinking and doing to protect parts of the global information infrastructure (GII) and how that may affect the cybersecurity officer's responsibilities as they relate to his or her part of the GII, national information infrastructure (NII), and related networks.
As with any subject matter these days, a search of the Internet will find more information than you ever wanted to know on a topic. This topic is no different. Therefore, it is not the intent to provide everything you always wanted to know on what the United Nations (UN) and other entities are doing but, as the chapter title says, provide an "overview" of what others are thinking and doing vis-à-vis cybersecurity.
Remember that in today's world of global corporations, the cybersecurity officer may have to follow the cybersecurity policies and procedures in the various nations where his or her corporation does business. So, as a cybersecurity officer, it is crucial that you understand such laws, rules, regulations, etc., and work with your corporation's legal staff to be sure that any issues identified relative to these matters are addressed.
Evolution of Laws, Standards, Policies, and Procedures
In general, the evolution of laws followed the evolution of "civilization" (some argue that we have yet to be truly "civilized") from primitive to feudal to agricultural to industrial to today's information age, and some say that a few nations are beginning to enter the knowledge age.
Cybersecurity-related laws, standards, policies, and procedures have, as can be expected, evolved as the threats, vulnerabilities, and risks to computers, systems, networks, the NII, the GII, and their related information have evolved. However, they seem to have always been updated as a reaction to attacks rather than through a proactive approach. In addition, even when a nation-state, for example, the United States, passes cybersecurity-related laws and policies, they do not seem to be followed.
A report published January 1, 2015, concluded that the Department of Homeland Security's (DHS's) cybersecurity practices and programs are so bad that the DHS fails at even the basics of computer security and is "unlikely" to be able to protect both citizens and government from attacks.2
2 www.zdnet.com/…/new-report-the-dhs-is-a-mess-of-cybersecurity.
Of course such things as the Cold War, political revolutions, economic revolutions, revolutions in military affairs, human evolution and revolution, and revolutions in technology all continue to have major impacts on the need and demand for new laws, standards, policies, and procedures. This will obviously continue as various evolutions and revolutions continue.
In this overview, this topic will be broken down as follows:
• Global via the UN,
• European Union (EU),
• Asia,
• South America,
• Africa,
• Canada,
• United States.
Global via the UN
The UN appears to be heavily involved in cybersecurity-related matters regarding associations, committees, treaties, and the like. This is of course logical since cybersecurity is a global problem and needs global solutions. After all, if some cybercriminal in a foreign nation commits a cybercrime in another nation, the victim nation must have a way to bring the criminal to justice. If the criminal resides in a nation without an extradition treaty with the victim nation, and especially one that does not have any cyber laws, the chance of that criminal being brought to justice runs from slim to none, as they say.
The UN system's collective engagement in addressing cyber threats is critical. The International Telecommunication Union (ITU) is leading the call for stakeholders to work together to set international policies and standards and to build an international framework for cybersecurity.3
3 http://www.un.org/en/ecosoc/cybersecurity/summary.pdf.
What view you may have of the UN in general will of course taint your view of their efforts relating to cybersecurity. For example, are they trying to set the "laws" for the world? Do they want to control the Internet, maybe in a manner used by the UN Security Council, with permanent members such as Russia and China, as well as rotating members, for example, Saudi Arabia, Libya?
How will such a structure affect the freedom of the world's users? Some may rejoice in such a move but others may cringe at the idea, fearing the loss of freedom that in general the Internet now provides. Even the United States has designs on more control. In fact, most government agencies around the world cannot stand to have their citizens be free to live, speak their minds, and write whatever they want without some government controls, and certainly that applies to the world's citizens' use of the Internet.
We all must be on guard when our Internet—yes, it is ours, the users'—and other networks are to be controlled by laws, standards, rules, regulations, policies, and procedures in the name of protecting us through cybersecurity-related controls. Yes, some controls are needed to avoid chaos and the rampant carnage of information stolen, destroyed, and such. However, we must all be vigilant when presented with controls for "our own good." Unfortunately most people would probably prefer a little more security, sacrificing some freedoms, but when is enough enough? Will we realize it only when it is too late?
So, what has the UN been up to as relates to cybersecurity matters? A search of the UN's website disclosed the following result of a Special Event on Cyber Security and Development, December 9, 2011, 10:00 a.m. to 1:00 p.m., ECOSOC Chamber, UN, New York, which provides an overview.
As a cybersecurity officer, you should search online for the most current UN, nation-state, and regional associations dealing with cybersecurity and, as used here, get an understanding of what is happening on a global basis when it comes to cybersecurity matters. After all, as a cybersecurity officer, you probably work in a global environment and, like it or not, your networks are connected to the world and, as we all know, the world is not a safe place, and that goes for our global, information- and network-based environment.
Even as far back as 2011, which is a lifetime in cybersecurity, the UN stated that:
Cybersecurity is one of the greatest issues of our times, and it will continue to grow in importance. It is our collective duty to ensure that ICTs are safe and secure so that the 7 billion people of this planet can reap the benefits of ICTs. Today, everything is dependent on ICTs and we are all vulnerable—cybersecurity is a global issue that can be solved only with global solutions. Cybersecurity is an area that affects each and every agency and program of the UN. As we push forward the UN agenda for peace and security, we must remember that cybersecurity is part of this. The UN system's collective engagement in addressing cyber threats is critical. The ITU is leading the call for stakeholders to work together to set international policies and standards and to build an international framework for cybersecurity.
As with the suggestion of online research on cybersecurity matters related to the UN, the same applies for all other areas of the world as shown below. This is important as probably at one time or another, whether you are a cybersecurity officer for a government agency or a corporation or association, or just an Internet user, you are likely to be connected in one form or another outside your own country. In fact, these days that is pretty much a certainty.
So, what happens in another part of the world may have an adverse impact on you personally, your association, your business, or your government agency.
The EU
The following provides some insight into the direction that the EU and United States are going. Note that this was the first meeting and was just held in December of 2014. The question is, "What's taken them so long to meet?"
On December 5, 2014, an EU and U.S. cybersecurity-related meeting was held in Brussels. The purpose of the meeting was to discuss foreign policy related to the cyber environment and of course cybersecurity, as quoted below:4
International Security in Cyberspace
The participants welcomed the landmark consensus of the 2012–2013 Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security, including its affirmation of the applicability of existing international law to cyberspace.
Internet Governance Developments in 2015
The two sides reiterated that no single entity, company, organisation or government should seek to control the Internet, and expressed their full support for multi-stakeholder governance structures of the Internet that are inclusive, transparent, accountable and technically sound….
U.S.–EU Cyber Security-Related Cooperation
They would work through their EU–U.S. working group on cybersecurity and cybercrime. Their cooperation would encompass issues related to raising awareness, "cyber incident management," cyber issues related to sex offenders, cooperation to fight cybercrime, and working with other Internet organizations that share mutual interests.
Asia
The following provides an Asian overview of cybersecurity as it relates to the Association of Southeast Asian Nations.5
The Octopus Conference: Cooperation against Cybercrime was held on December 4, 2013, in Strasbourg, France,6 and included a statement entitled "Statement on Cooperation in Fighting Cyber Attack and Terrorist Misuse of Cyber Space, Kuala Lumpur, July 28, 2006." The statement included:
…endeavor to enact and implement cybercrime and cybersecurity laws in accordance with their national conditions and by referring to relevant international instruments and recommendations/guidelines for the prevention, detection, reduction, and mitigation of attacks to which they are a party.
They also agreed to address criminal, terrorist, and other issues associated with cybersecurity and use of the Internet.
That included the following.
1. Acknowledge the importance of a national framework for cooperation and collaboration in addressing criminal, including terrorist, misuse of cyberspace and encourage the formulation of such a framework.
2. Agree to work together to improve their capabilities to adequately address cybercrime, including the terrorist misuse of cyberspace.
3. Commit to continue working together in the fight against cybercrime, including terrorist misuse of cyberspace, through activities aimed at enhancing confidence among the various national Computer Security Incident Response Teams (CSIRTs), as well as formulating advocacy and public awareness programs.
South America
Symantec and the Organization of American States (OAS) Secretariat of Multidimensional Security (SMS) and the Inter-American Committee against Terrorism (CICTE) released a report analyzing cybersecurity trends and government responses in Latin America and the Caribbean.7
The co-sponsored report explores various cybersecurity trends including the overall increase in data breaches:
• Rise of ransomware and CryptoLocker
• ATM fraud
• Social media and mobile computing vulnerabilities
• Malware
• Spam
• Spear phishing
Africa
African Union adopts framework on cybersecurity and data protection8
8:30 am | 22 August 2014 | by Access Policy Team
Without much media attention, the heads of state of the African Union (AU) agreed to a landmark convention this summer affecting many aspects of digital life.
In June, leaders in the AU, a group of 54 African governments launched in 2002, met at the 23rd African Union Summit and approved the African Union Convention on Cyber Security and Personal Data Protection.
The Convention covers a very wide range of online activities, including electronic commerce, data protection, and cybercrime, with a special focus on racism, xenophobia, child pornography, and national cybersecurity…
Canada9
In Canada, they developed a three-pillar strategy as follows:
• Securing government systems
• Partnering to secure vital cyber systems outside the federal Government
• Helping Canadians to be secure online
United States
The United States has developed the "Comprehensive National Cybersecurity Initiative,"10 which is described below.
President Obama has identified cybersecurity as one of the most serious economic and national security challenges we face as a nation, but one that we as a government or as a country are not adequately prepared to counter. Shortly after taking office, the President therefore ordered a thorough review of federal efforts to defend the U.S. information and communications infrastructure and the development of a comprehensive approach to securing America's digital infrastructure.
In May 2009, the President accepted the recommendations of the resulting Cyberspace Policy Review, including the selection of an Executive Branch Cybersecurity Coordinator, who will have regular access to the President. The Executive Branch was also directed to work closely with all key players in U.S. cybersecurity, including state and local governments and the private sector, to ensure an organized and unified response to future cyber incidents, strengthen public/private partnerships to find technology solutions that ensure U.S. security and prosperity, invest in the cutting-edge research and development necessary for the innovation and discovery to meet the digital challenges of our time, and begin a campaign to promote cybersecurity awareness and digital literacy from our boardrooms to our classrooms and begin to build the digital workforce of the twenty-first century. Finally, the President directed that these activities be conducted in a way that is consistent with ensuring the privacy rights and civil liberties guaranteed in the Constitution and cherished by all Americans.
The activities underway to implement the recommendations of the Cyberspace Policy Review build on the Comprehensive National Cybersecurity Initiative (CNCI) launched by President George W. Bush in National Security Presidential Directive 54/Homeland Security Presidential Directive 23 (NSPD-54/HSPD-23) in January 2008. President Obama determined that the CNCI and its associated activities should evolve to become key elements of a broader, updated national U.S. cybersecurity strategy. These CNCI initiatives will play a key role in supporting the achievement of many of the key recommendations of President Obama's Cyberspace Policy Review.
The CNCI consists of a number of mutually reinforcing initiatives with the following major goals designed to help secure the United States in cyberspace:
• To establish a front line of defense against today's immediate threats by creating or enhancing shared situational awareness of network vulnerabilities, threats, and events within the federal government—and ultimately with state, local, and tribal governments and private sector partners—and the ability to act quickly to reduce our current vulnerabilities and prevent intrusions.
• To defend against the full spectrum of threats by enhancing U.S. counterintelligence capabilities and increasing the security of the supply chain for key information technologies.
• To strengthen the future cybersecurity environment by expanding cyber education, coordinating and redirecting research and development efforts across the federal government, and working to define and develop strategies to deter hostile or malicious activity in cyberspace.
In building the plans for the CNCI, it was quickly realized that these goals could not be achieved without also strengthening certain key strategic foundational capabilities within the government. Therefore, the CNCI includes funding within the federal law enforcement, intelligence, and defense communities to enhance such key functions as criminal investigation; intelligence collection, processing, and analysis; and information assurance critical to enabling national cybersecurity efforts.
The CNCI was developed with great care and attention to privacy and civil liberties concerns in close consultation with privacy experts across the government. Protecting civil liberties and privacy rights remains a fundamental objective in the implementation of the CNCI.
In accord with President Obama's declared intent to make transparency a touchstone of his presidency, the Cyberspace Policy Review identified enhanced information sharing as a key component of effective cybersecurity. To improve public understanding of federal efforts, the Cybersecurity Coordinator has directed the release of the following summary description of the CNCI.
CNCI Initiative Details
Initiative 1. Manage the Federal Enterprise Network as a single network enterprise with Trusted Internet Connections (TIC). The TIC initiative, headed by the Office of Management and Budget and the DHS, covers the consolidation of the federal government's external access points (including those to the Internet). This consolidation will result in a common security solution, which includes facilitating the reduction of external access points, establishing baseline security capabilities, and validating agency adherence to those security capabilities. Agencies participate in the TIC initiative either as TIC access providers (a limited number of agencies that operate their own capabilities) or by contracting with commercial Managed Trusted IP Service providers through the GSA-managed Networx contract vehicle.
Initiative 2. Deploy an intrusion detection system of sensors across the federal enterprise. Intrusion detection systems using passive sensors form a vital part of U.S. government network defenses by identifying when unauthorized users attempt to gain access to those networks. The DHS is deploying, as part of its EINSTEIN 2 activities, signature-based sensors capable of inspecting Internet traffic entering federal systems for unauthorized accesses and malicious content. The EINSTEIN 2 capability enables analysis of network flow of information to identify potential malicious activity while conducting automatic full packet inspection of traffic entering or exiting U.S. government networks for malicious activity using signature-based intrusion detection technology. Associated with this investment in technology is a parallel investment in manpower with the expertise required to accomplish the DHS's expanded network security mission. EINSTEIN 2 is capable of alerting US-CERT in real time to the presence of malicious or potentially harmful activity in federal network traffic and provides correlation and visualization of the derived data. Owing to the capabilities within EINSTEIN 2, US-CERT analysts have a greatly improved understanding of the network environment and an increased ability to address the weaknesses and vulnerabilities in federal network security. As a result, US-CERT has greater situational awareness and can more effectively develop and more readily share security-relevant information with network defenders across the U.S. government, as well as with security professionals in the private sector and the American public. The DHS's Privacy Office has conducted and published a Privacy Impact Assessment for the EINSTEIN 2 program.
Initiative 3. Pursue deployment of intrusion prevention systems across the federal enterprise. This initiative represents the next evolution of protection for civilian departments and agencies of the federal Executive Branch. This approach, called EINSTEIN 3, will draw on commercial technology and specialized government technology to conduct real-time full packet inspection and threat-based decision-making on network traffic entering or leaving these Executive Branch networks. The goal of EINSTEIN 3 is to identify and characterize malicious network traffic to enhance cybersecurity analysis, situational awareness, and security response. It will have the ability to automatically detect and respond appropriately to cyber threats before harm is done, providing an intrusion prevention system supporting dynamic defense. EINSTEIN 3 will assist the DHS US-CERT in defending, protecting, and reducing vulnerabilities of federal Executive Branch networks and systems. The EINSTEIN 3 system will also support enhanced information sharing by US-CERT with federal departments and agencies by giving the DHS the ability to automate alerting of detected network intrusion attempts and, when deemed necessary by the DHS, to send alerts that do not contain the content of communications to the National Security Agency (NSA) so that DHS efforts may be supported by NSA exercising its lawfully authorized missions. This initiative makes substantial and long-term investments to increase national intelligence capabilities to discover critical information about foreign cyber threats and use this insight to inform EINSTEIN 3 systems in real time. The DHS will be able to adapt threat signatures determined by the NSA in the course of its foreign intelligence and Department of Defense information assurance missions for use in the EINSTEIN 3 system in support of the DHS's federal system security mission. Information sharing on cyber intrusions will be conducted in accordance with the laws and oversight for activities related to homeland security, intelligence, and defense to protect the privacy and rights of U.S. citizens.
As of this writing, the DHS is conducting an exercise to pilot the EINSTEIN 3 capabilities described in this initiative based on technology developed by the NSA and to solidify processes for managing and protecting information gleaned from observed cyber intrusions against civilian Executive Branch systems. Government civil liberties and privacy officials are working closely with the DHS and US-CERT to build appropriate and necessary privacy protections into the design and operational deployment of EINSTEIN 3.
Initiative 4. Coordinate and redirect research and development (R&D) efforts. No single individual or organization is aware of all of the cyber-related R&D activities being funded by the government. This initiative is aimed at developing strategies and structures for coordinating all cyber R&D sponsored or conducted by the U.S. government, both classified and unclassified, and redirecting that R&D where needed. This initiative is critical to eliminate redundancies in federally funded cybersecurity research and to identify research gaps, prioritize R&D efforts, and ensure the taxpayers are getting full value for their money as we shape our strategic investments.
Initiative 5. Connect current cyber operations centers to enhance situational awareness. There is a pressing need to ensure that government information security offices and strategic operations centers share data regarding malicious activities against federal systems, consistent with privacy protections for personally identifiable and other protected information and as legally appropriate, to have a better understanding of the entire threat to government systems and to take maximum advantage of each organization's unique capabilities to produce the best overall national cyber defense possible. This initiative provides the key means necessary to enable and support shared situational awareness and collaboration across six centers that are responsible for carrying out U.S. cyber activities. This effort focuses on key aspects necessary to enable practical mission bridging across the elements of U.S. cyber activities: foundational capabilities and investments, such as upgraded infrastructure, increased bandwidth, and integrated operational capabilities; enhanced collaboration, including common technology, tools, and procedures; and enhanced shared situational awareness through shared analytic and collaborative technologies.
The National Cybersecurity Center within the DHS will play a key role in securing U.S. government networks and systems under this initiative by coordinating and integrating information from the six centers to provide cross-domain situational awareness, analyzing and reporting on the state of U.S. networks and systems, and fostering interagency collaboration and coordination.
Initiative 6. Develop and implement a government-wide cyber counterintelligence (CI) plan. A government-wide cyber CI plan is necessary to coordinate activities across all federal agencies to detect, deter, and mitigate the foreign-sponsored cyber intelligence threat to U.S. and private sector information systems. To accomplish these goals, the plan establishes and expands cyber CI education and awareness programs and workforce development to integrate CI into all cyber operations and analysis, increase employee awareness of the cyber CI threat, and increase CI collaboration across the government. The Cyber CI Plan is aligned with the National Counterintelligence Strategy of the United States of America (2007) and supports the other programmatic elements of the CNCI.
Initiative 7. Increase the security of our classified networks. Classified networks house the federal government's most sensitive information and enable crucial war-fighting, diplomatic, counterterrorism, law enforcement, intelligence, and homeland security operations. Successful penetration or disruption of these networks could cause exceptionally grave damage to our national security. We need to exercise due diligence in ensuring the integrity of these networks and the data they contain.
Initiative 8. Expand cyber education. While billions of dollars are being spent on new technologies to secure the U.S. government in cyberspace, it is the people with the right knowledge, skills, and abilities to implement those technologies who will determine success. However, there are not enough cybersecurity experts within the federal government or private sector to implement the CNCI, nor is there an adequately established federal cybersecurity career field. Existing cybersecurity training and personnel development programs, while good, are limited in focus and lack unity of effort. To effectively ensure our continued technical advantage and future cybersecurity, we must develop a technologically skilled and cyber-savvy workforce and an effective pipeline of future employees. It will take a national strategy, similar to the effort to upgrade science and mathematics education in the 1950s, to meet this challenge.
Initiative 9. Define and develop enduring "leap-ahead" technology, strategies, and programs. One goal of the CNCI is to develop technologies that provide increases in cybersecurity by orders of magnitude above current systems and that can be deployed within 5–10 years. This initiative seeks to develop strategies and programs to enhance the component of the government R&D portfolio that pursues high-risk/high-payoff solutions to critical cybersecurity problems. The federal government has begun to outline Grand Challenges for the research community to help solve these difficult problems that require "out-of-the-box" thinking. In dealing with the private sector, the government is identifying and communicating common needs that should drive mutual investment in key research areas.
Initiative 10. Define and develop enduring deterrence strategies and programs. Our nation's senior policymakers must think through the long-range strategic options available to the United States in a world that depends on ensuring the use of cyberspace. As of this writing, the U.S. government has been implementing traditional approaches to the cybersecurity problem—and these measures have not achieved the level of security needed. This initiative is aimed at building an approach to cyber defense strategy that deters interference and attack in cyberspace by improving warning capabilities, articulating roles for the private sector and international partners, and developing appropriate responses for both state and nonstate actors.
Initiative 11. Develop a multipronged approach for global supply chain risk management. Globalization of the commercial information and communications technology marketplace provides increased opportunities for those intent on harming the United States by penetrating the supply chain to gain unauthorized access to data, alter data, or interrupt communications. Risks stemming from both the domestic and the globalized supply chain must be managed in a strategic and comprehensive way over the entire lifecycle of products, systems, and services. Managing this risk will require a greater awareness of the threats, vulnerabilities, and consequences associated with acquisition decisions; the development and employment of tools and resources to technically and operationally mitigate risk across the lifecycle of products (from design through retirement); the development of new acquisition policies and practices that reflect the complex global marketplace; and partnership with industry to develop and adopt supply chain and risk management standards and best practices. This initiative will enhance federal government skills, policies, and processes to provide departments and agencies with a robust toolset to better manage and mitigate supply chain risk at levels commensurate with the criticality of, and risks to, their systems and networks.
Initiative12.Definethefederalroleinextendingcybersecurityintocriticalinfrastructuredomains.TheU.S.governmentdependsonavarietyofprivatelyownedandoperatedcriticalinfrastructurestocarryoutthepublic’sbusiness.Inturn,thesecriticalinfrastructuresrelyontheefficientoperationofinformationsystemsandnetworksthatarevulnerabletomaliciouscyberthreats.Thisinitiativebuildsontheexistingandongoingpartnershipbetweenthefederalgovernmentandthepublicandprivatesectorownersandoperatorsofcriticalinfrastructureandkeyresources(CIKR).TheDHSanditsprivatesectorpartnershavedevelopedaplanofsharedactionwithanaggressiveseriesofmilestonesandactivities.Itincludesbothshort-termandlong-termrecommendations,specificallyincorporatingandleveragingpreviousaccomplishmentsandactivitiesthatarealreadyunderway.ItaddressessecurityandinformationassuranceeffortsacrossthecyberinfrastructuretoincreaseresiliencyandoperationalcapabilitiesthroughouttheCIKRsectors.Itincludesafocusonpublic–privatesharingofinformationregardingcyberthreatsandincidentsinbothgovernmentandCIKR.
Summary
The above provides a short overview of what is being considered and implemented throughout the world. The important point is this: all the nation-states of the world that are depending on technology, to whatever degree, are at least talking about cybersecurity-related matters and many are at least trying to start to address the issues of cybersecurity, cyberterrorism, and cybercrime. They also seem willing to cooperate to address the issues, as the issues are as global as are the networks.
It is recommended that the cyber security officer identify all the businesses that the corporation is connected to and the nation-states that they are in and conduct research and analyses to see what they are doing as it relates to cybersecurity and how it affects his or her corporation.
This is just the start, but at least it gives the cyber security officer a basic understanding of the state of cybersecurity throughout the world. Also, the nation-states that are censoring users should also be evaluated. Furthermore, take it for granted that nation-states are monitoring your transmissions into their country and may be censoring them.
Working with corporate management, the legal staff, and the audit staff, the cyber security officer should identify key issues related to the protection of the corporation’s information in foreign countries. A project plan should then be developed and implemented to conduct risk analyses related to that connectivity. Furthermore, the cyber security officer should meet with his or her counterparts in those nation-states and establish a line of communication to address issues of mutual concern.
1 http://www.brainyquote.com/quotes/keywords/world_2.html.
4 http://eeas.europa.eu/statements-eeas/2014/141205_05_en.htm.
5 http://www.nbr.org/publications/asia_policy/Free/AP18/AsiaPolicy18_Heinl_July2014.pdf.
6 http://www.coe.int/t/DGHL/cooperation/economiccrime/cybercrime/cy_octopus2013/Octopus2013_en.asp.
7 http://www.symantec.com/page.jsp?id%3Dcybersecurity-trends; http://www.symantec.com/content/en/us/enterprise/other_resources/b-cyber-security-trends-report-lamc-annex.pdf.
8 https://www.accessnow.org/blog/2014/08/22/african-union-adopts-framework-on-cyber-security-and-data-protection.
9 http://www.publicsafety.gc.ca.
10 https://www.whitehouse.gov/issues/foreign-policy/cybersecurity/national-initiative.
CHAPTER 4
A Glimpse at the History of Technology
Abstract
In this chapter, technology will be discussed, as obviously the cyber security officer must understand technology, which includes hardware, software, firmware, and all related aspects.
The revolution in technology has obviously caused nation-states, corporations, and individuals to become more technology-driven, technology-supported, and technology-dependent.
It is not the intent here to provide a detailed history of technology. The intent is to provide a brief overview. This overview is provided because it is obviously important for those involved in cybersecurity to understand their working environment as much as possible. It may seem obvious, but it is amazing how many cyber security officers have little knowledge of technology and how we got to where we are.
Keywords: Advanced Research Project Agency (ARPA); Gopher; Hacker tools; High-Tech; Internet protocols; Internet service providers (ISPs); Microprocessor; Processor serial number (PSN); Technology; World Wide Web
What hath God wrought?
Samuel F. B. Morse (When the first telegraph message ever was sent, 1844)
CONTENTS
What Is Technology?
From Cave Man to Cyber Security Professional and Information Warrior
Revolutions and Evolutions in High Technology
From the Twentieth Century to Today: Technology and the Advent of High Technology
Other Significant Twentieth-Century Technological Developments and Events
High-Tech: A Product, a Process, or Both?
The Trade Association: AEA
The Consulting Group: RFA
Information Provider: OneSource
The Research Group: BLS
The Microprocessor
Moore’s Law
Other Significant Twentieth Century High-Technology Developments and Events
The Internet
The High-Technology-Driven Phenomenon
Faster and More Massive High-Technology-Driven Communications
The Beneficial Effect of Hacker Tools and Other Malicious Software on Network Security with Dual Roles as Cyber Security Tools
Other High-Technology Tools in Cyber Security
Welcome to the Twenty-First-Century Technology
Summary
CHAPTER OBJECTIVE
In this chapter, technology will be discussed, as obviously the cyber security officer must understand technology, which includes hardware, software, firmware, and all related aspects.
The revolution in technology has obviously caused nation-states, corporations, and individuals to become more technology-driven, technology-supported, and technology-dependent.
It is not the intent here to provide a detailed history of technology. The intent is to provide a brief overview. This overview is provided because it is obviously important for those involved in cybersecurity to understand their working environment as much as possible. It may seem obvious, but it is amazing how many cyber security officers have little knowledge of technology and how we got to where we are.
What Is Technology?
According to one dictionary,1 technology is defined as follows:
tech·nol·o·gy [tek näl′ ə jē] (plural tech·nol·o·gies) noun 1. Application of tools and methods: the study, development, and application of devices, machines, and techniques for manufacturing and productive processes • recent developments in seismographic technology
2. Method of applying technical knowledge: a method or methodology that applies technical knowledge or tools • a new technology for accelerating incubation “…Maryland-based firm uses database and Internet technology to track a company’s consumption of printed goods….” Forbes Global Business and Finance, November 1998.
(Early seventeenth century. From Greek tekhnologia, literally “systematic treatment,” literally “science of craft,” from tekhne “art, craft.”)
From Cave Man to Cyber Security Professional and Information Warrior
The world is rapidly changing. We humans are in the midst of, or have gone through, a hunter–gatherer period, an agricultural period, an industrial period, and now the modern nation-state, and our society is in an information-based and information-dependent period. Some are saying that we are approaching the Knowledge Age—not to be confused with a “smarter age”!
Our global society can no longer function without the aid of automated information and high technology—computers and networks. With computers and global networks such as the Internet come opportunities to make life better for all of us. However, it also makes each of us more vulnerable and increases the risk to the high technology we depend on, as well as increasing risks to cybersecurity, our personal freedoms, and our privacy.
Throughout human history, technology has played a role in the development of our species, and it has played a major role in our lives. Even the making of fire was probably seen as a technological wonder in the early history of the human race—and also used as a weapon of war, such as by setting fire to the enemy’s fortifications, houses, and crops. It was also used to help forge tools as weapons of war.
A short look back at that history is appropriate, for as someone once said: “If you don’t know where you’ve been, you don’t know where you are going”—and one might add, “you don’t even know where you are.” And if you do not know where you are, your survivability in a cybersecurity environment is not good.
Technology drives change.
Andrew Grove, CEO, Intel Corporation
Revolutions and Evolutions in High Technology
As was previously mentioned, one cannot address the issue of cybersecurity without first addressing the changes brought on by technology and its impact on businesses, government agencies, societies, global and economic competition, and the world in general. Technology obviously has a major impact on cybersecurity and the cyber security officer’s ability to successfully protect information and networks.
Technology has many uses, and over the centuries it has driven how we humans work, live, and interact. In a speech televised on the program Book TV, as far back as April 4, 2002, Michael Eisner, Chairman and CEO, The Walt Disney Company, discussed the impact of technology on the world and used the following timeline of the beginnings of communication-related “devices”—which is as relevant today as it was then:
• 1455: Gutenberg Bible
• 1689: Newspapers
• 1741: Magazines
• 1892: Movies
• 1907: Radio broadcasts
• 1927: TV
• 1975: Microsoft
Look how far we’ve come in the last 40-plus years. All these forms of technology and communication systems have had a major impact on our lives throughout history. They not only entertain us, but also provide us with information. Some of the information processed, stored, and transmitted will be sensitive information that a company or government agency may want to keep private and not release to the general public. Consider this as a cyber security officer: If that private, sensitive information communicated to the public is about your company, how that information was obtained may indicate a vulnerability in an information protection process. If so, you have a serious problem. The freer a society is, the freer the news media will be, and consequently, the more challenging your job to protect sensitive business information. However, with that said, remember that as a cybersecurity professional, your job is also to protect the privacy of individuals in your company.
Someday, on the corporate balance sheet, there will be an entry which reads “Information”; for in most cases the information is more valuable than the hardware which processes it.
RADM Grace Murray Hopper, U.S. Navy
From the Twentieth Century to Today: Technology and the Advent of High Technology
The use of technology during the agricultural and industrial periods saw great numbers of new inventions and improvements in old technologies. This was also the time of the building of the great cities of the world, as well as their total destruction in global wars. Thus, technology for warfare had truly come of age. With the advent of the atomic and subsequent bombs, the entire world could now literally be destroyed. The period also saw great improvements in technology inventions and new inventions such as the telegraph, telephone, air transportation, and computers. This period saw increases in education, mass transportation, and exponential growth in communications—the sharing of information.
During this period, the sharing of information became easier owing to the improvement of communications systems, new communications systems, and increased consolidation of people into large cities. This also made it easier to educate the people in the needed skills for working in the more modern factories and offices of the period and for developing, improving, and implementing technologies.
The transition period from the Industrial Age to the Information Age in world history varies with each nation-state. In the United States, the well-known authors the Tofflers estimated the transition to take place about 1955, when the number of white-collar workers began to outnumber the blue-collar workers. Some nation-states are still in various phases of transition from the agricultural period to the industrial period to the information period.
No matter when a nation experiences this technology-driven transition, however, it will see, as the United States and other modern nation-states have seen, the most rapid changes in all aspects of human existence since humans first walked on this Earth—including how wars are prosecuted.
The twentieth century saw the rapid expansion and use of technology more so than all past centuries combined. It was also the beginning of the concentrated development of technology specifically to develop new and improved networks on a massive scale. This ushered in the era of modern warfare, an era that was sponsored primarily by governments and globally committed businesses that had the will and the means for such development, and these entities were able to use these new technologies to their agendas on a global scale.
Thus, the twentieth century was the true beginning of technology-based warfare. Owing to the technological improvement of older inventions (e.g., submarine, machine gun) and new inventions such as nuclear weapons, never before could so many be killed by so few. There were also the tanks, hand grenades, poison gases, and land mines that gave way to the chemical/biological/nuclear weapons, carpet bombings, smart bombs, and the beginning of true cybersecurity.
In 1962 … the CIA quietly contracted the Xerox Company to design a miniature camera, to be planted inside the photocopier at the Soviet Union’s embassy in Washington. A team of four Xerox engineers … modified a home movie camera equipped with a special photocell that triggered the device whenever a copy was made. In 1963, the tiny Cold War weapon was installed by a Xerox technician during a regular maintenance visit to the Soviet embassy.2
2 From an article by Dawn Stover in the January 1996 issue of Popular Science, entitled “The CIA’s Xerox Spy-cam.” Although dated, this indicates how far back government agencies have been involved in covert cyber operations. Imagine the progress they have made since then.
This period included many significant technology-driven inventions, too numerous to mention here in their entirety. In the medical field alone, we have seen the rapid invention of literally thousands of new drugs, procedures, and devices, many of which saved possibly millions of lives over the years. Some other significant technologically driven inventions during this century include:
• Zeppelin
• Radio receiver
• Polygraph machine
• Airplane
• Gyrocompass
• Jet engine
• Synthetic rubber
• Solar cell
• Short-wave radio
• Wirephoto
The twentieth century saw the development and improvement of our modern era’s amazing electronic inventions leading to the computer and its peripherals:
• Electronic amplifying tube (triode)
• Photocopier
• Radio tuner
• Computer
• Robot
• Integrated circuit
• Digital computer
• BASIC language
• UNIVAC I
• FORTRAN
• Sputnik
• Compact disk
• Explorer I satellite
• Computer mouse
• Laser
• Computer with integrated circuits
• OS/360 IBM operating system
• RAM, ROM, EEPROM
• Minicomputer
• ARPANET
• Optical fiber
• Daisy wheel printer
• Cray supercomputer
• Floppy disk
• Space shuttle
• Dot-matrix printer
• IBM personal computer
• Liquid-crystal display
• Videotape recorder
• Computer hard disk
• Graphic user interface
• Modem
• Cathode ray tube
• Mobile phone
• Television
• Transistor
• FM radio
• World Wide Web
• Voice recognition machine
• Browsers
Other Significant Twentieth-Century Technological Developments and Events
Some of the other significant technological events and inventions that took place in the twentieth century and have led to our rapidly changing information-based societies and information dependency, and assisted in the development of new methods of prosecuting warfare, include the following:3
1930: Shannon’s doctoral thesis explains the use of electrical switching circuits in modern Boolean logic.
1934: Computing–Tabulating–Recording becomes IBM.
1936: Burack builds the first electric logic machine.
1940: Atanasoff and Berry design a computer with vacuum tubes as switching units.
1943–1946: Mauchley, Eckert, and Von Neumann build the ENIAC, the first all-electronic digital computer.
1947: The transistor is perfected.
1955: Shockley Semi-Conductor founded in Palo Alto, California; Bardeen, Shockley, and Brattain share the Nobel Prize for the transistor.
1957: Fairchild Semi-Conductor is founded.
1962: Tandy Corporation buys chain of Radio Shack electronics stores.
1964: Kemeny and Kurtz, Dartmouth College, develop the BASIC computer language.
1968: Intel is founded.
1969: Intel produces integrated circuits for Japanese calculators; Data General releases Nova.
High-Tech: A Product, a Process, or Both?
There is no universally accepted definition of “high-tech,” nor is there a standard list of industries considered to be high-tech. Today nearly every industry contains some element of technology, and even the most technologically intensive industry will include low-tech elements.
Nevertheless, several groups have developed lists of industries they consider high-tech using U.S. Standard Industrial Classifications (SIC).
The breadth of these lists depends on two factors: (1) the goals of the organization and its customers and (2) whether the organization ascribes to the argument that only industries that produce technology can be considered high-tech or to the argument that industries that use advanced technology processes can also be categorized as high-tech.
Any industry-based definitions of high-tech will be imperfect, but none of the definitions discussed here should be considered incorrect. The important factor to consider is the perspective from which any list is derived.
Most high-tech industry classifications have common elements, yet may vary significantly in scope. Let’s consider four classifications of high-tech industries developed by the following respected and often quoted organizations: the American Electronics Association (AEA), RFA (formerly Regional Financial Associates), OneSource Information Services, Inc. (formerly CorpTech), and the U.S. Bureau of Labor Statistics (BLS).
The different missions of these four organizations influence how they define high-tech. The AEA is a trade association made up of mostly electronics and information technology companies. Its members generally produce technology and ascribe to the limited definition of high-tech based only on the nature of an industry’s product rather than its process. RFA is a national consulting firm. Its clients include builders and contractors, banks, insurance companies, financial services firms, and government. The industries with the greatest growth potential and those reflective of their clients’ interests are included in RFA’s list of high-tech industries. While both the AEA and RFA have narrowly defined high-tech, OneSource and the BLS use broader definitions that include industries with both high-tech products and processes.
OneSource gathers and sells corporate information on technology firms for use in sales and marketing. As it has built its database of firms, OneSource has expanded its list of what should be considered a high-tech industry. The BLS is a federal agency responsible for collecting and analyzing data on the national labor force. It has defined those industries with the highest concentration of technology-based occupations, such as scientists and engineers, as high-tech industries.
The Trade Association: AEA
The AEA released Cyberstates 4.0, its annual report on technology employment, based on the AEA’s limited definition of high-tech industries, which fall into three categories: (1) computers, communications, and electrical equipment; (2) communication services; and (3) computer-related services. The AEA’s list is the most restrictive of the four classifications. Absent from the list are areas such as drug manufacturing, robotics, and research and testing operations.
The Consulting Group: RFA
RFA’s high-tech sectors are similar to those selected by the AEA. However, RFA does not include household audio and video equipment or telephone communications, but adds drugs and research and testing services.
Information Provider: OneSource
Unlike the short lists compiled by the AEA and RFA, the OneSource list classifies 48 sectors as high-tech. Major additions include a number of manufacturing industries, such as metal products and transportation equipment, and several service industries.
The Research Group: BLS
BLS has further refined its high-tech industry definition by separating sectors into two groups. Those industries with a high concentration of research-oriented occupations are labeled intensive, while those with a lower concentration are considered nonintensive. The differences shown here illustrate why knowing how data are defined is essential to understanding what the data mean. Once again, those wishing for a simple answer will be frustrated. It is not the data that have failed them, but the reality of a complex system (the economy) and the human factor that must determine how to best reflect that system using data.
As we have found, trying to get a handle on this thing called technology, any kind of technology, is like grabbing air. Even low technology was once considered high technology in its day. For example, when the first plow was invented, it was probably considered a technological wonder. Then, after being hooked up to a horse or water buffalo, it increased the productivity of the farmers and it certainly drastically changed farming methods. When the wooden plow was integrated with a steel blade, certainly that was considered high technology in its day. One must remember that high technology today will undoubtedly be considered low technology 25–50 years from now. So, high technology is also based on a reference point and that reference point is time—perception and time are also key factors in cybersecurity.
As we see, it is not easy to come to grips with this phenomenon called high technology. For our purposes, a narrowly focused definition is better. In today’s world, the microprocessor drives the technological products that drive the Information Age and cybersecurity. So, we will define high technology based on the microprocessor. High technology is defined as technology that includes a microprocessor.
The Microprocessor
In 1971, Intel introduced the Intel 4004 microprocessor. This was the first microprocessor on a single chip and included a central processing unit, input and output controls, and memory. This made it possible to program “intelligence” into inanimate objects and was the true beginning of the technology revolution that has caused so many changes in the world and ushered in the beginnings of the age of cybersecurity.
The microprocessor was developed through a long line of amazing inventions and improvements on inventions. Without these dramatic and often what appear to be new, miraculous breakthroughs in microprocessor technology, today’s cybersecurity phenomenon would still be only in the dreams of science fiction writers, the likes of Jules Verne and George Orwell. However, because of the amazing developments in the microprocessor, cybersecurity is beginning to come to the forefront in modern-day governments and businesses.
Today, because of the microprocessor and its availability, miniaturization, power, and low cost, the world is rapidly developing new high-technology devices, procedures, processes, networks, and, of course, cybersecurity and conventional warfare weapons. The global information infrastructure (GII) is just one example of what microprocessors are making possible. The GII is the massive international connections of world computers that carry business and personal communication as well as that of the social and government sectors of nations. Some say that GII will connect entire cultures, erase international borders, support “cyber economies,” establish new markets, and change our entire concept of international relations.
The GII is based on the Internet and much of the growth of the Internet is in developing nations. The GII is not a formal project but it is the result of thousands of individuals’, corporations’, and governments’ need to communicate and conduct business by the most efficient and effective means possible. The GII is also a battlefield in the cybersecurity arena.
Moore’s Law
No discussion of high technology and cybersecurity weapons would ever be complete without a short discussion of Moore’s Law. In 1965, Gordon E. Moore, Director of Research and Development Laboratories, Fairchild Semiconductor, was asked by Electronics magazine to predict the future of semiconductors and its industry during the next 10 years. In what became known as Moore’s Law, he stated that the capacity or circuit density of semiconductors doubles every 18 months or quadruples every 3 years.4 The interesting thing about Moore’s comments is that they became sort of a high-technology driver for the semiconductor industry and, even after all these years, it has been pretty much on track as to how semiconductors have improved over the years. Its power, of course, depends on how many transistors can be placed in how small a space. The mathematical version of Moore’s Law is:
$\text{Bits per square inch} = 2^{(\text{time} - 1962)}$ 5
Some of the high-technology “inventions” of the twentieth century that depended on the microprocessor include the following:
Ethernet (1973)
Laser printer (1975)
Ink-jet printer (1976)
Magnetic resonance imager (1977)
VisiCalc (1978)
Cellular phones (1979)
Cray supercomputer (1979)
MS-DOS (1981)
IBM personal computer (PC) (1981)
Scanning tunneling microscope (1981)
Apple Lisa (1983)
CD-ROM (1984)
Apple Macintosh (1984)
Windows operating systems (1985)
High-temperature superconductor (1986)
Digital cellular phones (1988)
Doppler radar (1988)
World Wide Web/Internet protocol (HTTP); HTML (1990)
Pentium processor (1993)
Java computer language (1995)
Digital versatile disk or digital video disk (1995)
WebTV (1996)
The Pioneer 10 spacecraft used the 4004 microprocessor. It was launched on March 2, 1972, and was the first spaceflight and microprocessor to enter the Asteroid Belt.
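As an added check, not part of the original chapter, the two verbal forms of Moore’s Law quoted above and the printed formula can be compared directly, writing $t$ for elapsed time in years and $D_0$ for the starting density:

$$
\text{doubling every 18 months:}\quad D(t) = D_0 \cdot 2^{t/1.5}
$$
$$
\text{quadrupling every 3 years:}\quad D(t) = D_0 \cdot 4^{t/3} = D_0 \cdot 2^{2t/3} = D_0 \cdot 2^{t/1.5}
$$

so the two statements describe the same growth rate. Over the nine years from 1962 to the 4004 in 1971 this rate gives $2^{9/1.5} = 2^{6} = 64$ times the starting density. The printed formula $2^{(\text{time} - 1962)}$ grows by $2^{(t+1-1962)} / 2^{(t-1962)} = 2$ per year, that is, it doubles every 12 months rather than every 18, and yields $2^{9} = 512$ over the same nine years; it is therefore best read as a sketch of exponential growth from a 1962 reference point, with the 18-month figure as the rate Moore actually stated.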
Other Significant Twentieth Century High-Technology Developments and Events
Some of the significant high-technology computer events and inventions that took place in the twentieth century and led to our rapidly changing methods of prosecuting a war include:6
1971: Intel develops the 8008; Wozniak and Fernandez build the “Cream Soda Computer.”
1972: Kildall writes PL/1, the first programming language for the Intel 4004 microprocessor; Gates and Allen form “Traf-O-Data”; Wozniak and Jobs begin selling Blue Boxes.
1973: Wozniak joins HP; Kildall and Cooper build “astrology forecasting machine.”
1974: Intel invents the 8080; Xerox releases the Alto; Torode and Kildall begin selling microcomputers and disk operating systems.
1975: Microsoft (previously known as “Traf-O-Data”) writes BASIC for the Altair; Heiser opens the first computer store in Los Angeles.
1976: Kildall funds Digital Research; work on the first Radio Shack microcomputer started by Leininger and French; first sale of the CPM operating system takes place.
1977: Apple introduces the Apple II; TRS-80 developed.
1978: Apple ships disk drives for the Apple II and begins development of the Lisa computer.
1980: HP releases the HP-85; Apple III is announced; Microsoft and IBM sign an agreement for IBM’s PC operating system.
1981: Osborne I developed; Xerox comes out with the 8010 Star and the 820 computers; IBM presents the PC.
1982: Apple Lisa is introduced; DEC develops a line of personal computers (e.g., DEC Rainbow 100).
1983: IBM develops the IBM PC Jr.; Osborne files for Chapter 11 as the microcomputer market heats up.
1984: Apple announces the Macintosh microcomputer.
1986: Intel develops the 8086 chip.
1987: Intel develops the 8088 chip.
1990s: Intel, already the leader in microprocessors, announces the 286, 386, and 486 chips, followed rapidly by the Pentium chips now reaching speeds of 1.7 GHz as we enter the twenty-first century.
Moore’s Law is still holding true although some believe we will soon hit the silicon wall, based on the laws of physics. Some of these doomsayers have been saying such things for years. Others are more optimistic and believe that other materials will be found to replace silicon or that silicon will be somehow enhanced to “defy” the laws of physics. If the past is any clue to the future, the future of high technology will not be impaired by such minor impediments as the laws of physics.
The Internet
The real issue is control. The Internet is too widespread to be easily dominated by any single government. By creating a seamless global-economic zone, anti-sovereign and unregulatable, the Internet calls into question the very idea of the nation-state.7
John Perry Barlow
7 John Perry Barlow, “Thinking Locally, Acting Globally,” Time, January, 1996, p. 57; as quoted on p. 197, The Sovereign Individual, by James Dale Davidson and Lord William Rees-Mogg, published by Touchstone, New York, 1999.
It is in the context of this phenomenal growth of high technology and human knowledge that the Internet arises as one of the mechanisms to facilitate sharing of information and as a medium that encourages global communications. The Internet has already become one of the twenty-first century’s cybersecurity battlefields.
The global collection of networks that evolved in the late twentieth century to become the Internet represents what could be described as a “global nervous system,” transmitting from anywhere to anywhere facts, opinions, and opportunity. However, when most people think of the Internet, it seems to be something either vaguely sinister or of such complexity that it is difficult to understand. Popular culture, as manifested by Hollywood and network television programs, does little to dispel this impression of danger and out-of-control complexity.
The Internet arose out of projects sponsored by the Advanced Research Project Agency (ARPA) in the United States in the 1960s. It is perhaps one of the most exciting legacy developments of that era. Originally an effort to facilitate sharing of expensive computer resources and to enhance military communications, it has, since about 1988, rapidly evolved from its scientific and military roots into one of the premier commercial communications media. The Internet, which is described as a global meta-network, or network of networks,8 provides the foundation on which the global information superhighway has been built.
However, it was not until the early 1990s that Internet communication technologies became easily accessible to the average person. Prior to that time, Internet access required mastery of many arcane and difficult-to-remember programming language codes. However, declining microcomputer prices combined with enhanced microcomputer performance and the advent of easy-to-use browser9 software as key enabling technologies created the foundation for mass Internet activity. When these variables aligned with the developing global telecommunications infrastructure, they allowed a rare convergence of capability.
E-mail. Although e-mail was invented in 1972, it was not until the advent of the “modern Internet system” that it really began to be used on a global scale. In 1987, there were approximately 10,000 Internet computer hosts and 1000 news messages a day in 300 newsgroups. In 1992, there were more than 1,000,000 hosts and 10,000 news messages a day in 1000 newsgroups. By 1995, the number of Internet hosts had risen to more than 10 million, with 250,000 news messages a day in over 10,000 newsgroups.10 By 2014, the majority of e-mail traffic originated from the business world, which accounted for more than 108.7 billion e-mails that were sent and received every day.11
Internet protocols. In the 1970s, the Internet protocols were developed to be used to transfer information.
Usenet newsgroups and electronic mail. Newsgroups and electronic mail were developed in the 1980s.
Gopher. In 1991, personnel at the University of Minnesota created the Gopher as a user-friendly interface that was a menu system for accessing files.
World Wide Web. In 1991, Tim Berners-Lee and others at the Conseil Européen pour la Recherche Nucléaire developed the Web. In 1993, the Web had approximately 130 sites; in 1994, about 3000 sites; in April 1998, this had grown to more than 2.2 million; and in January 2015 it had reached 1,169,228,000.12
ThemostcommonlyaccessedapplicationontheInternetistheWorldWideWeb(WWW).OriginallydevelopedinSwitzerland,theWebwasenvisionedbyitsinventorasawaytohelpshareinformation.Theabilitytofindinformationconcerningvirtuallyanytopicviasearchengines,suchasGoogle,Bing,AltaVista,HotBot,Lycos,InfoSeek,andothers,fromamongtherapidlygrowingarrayofWebserversisanamazingexampleofhowtheInternetincreasestheinformationavailabletonearlyeveryone.OnegainssomesenseofhowfastandpervasivetheInternethasbecomeasmoreTV,radio,andprintadvertisementsdirectprospectivecustomerstovisittheirbusinessorgovernmentagencyWebsite.Suchsitesaretypicallynamedwww.companyname.com,wherethebusinessisnamed“companyname,”orwww.governmentagency.govforgovernmentagencies.
Fromthepastcenturyuntilnow,theInternethasrapidlygrownfromanexperimentalresearchprojectandtooloftheU.S.governmentanduniversitiestothetoolofeveryoneintheworldwithacomputer.Itisthepremierglobalcommunicationsmedium.Withthesubsequentdevelopmentofsearchenginesand,ofcourse,theWeb,thesharingofinformationhasneverbeeneasier.SitessuchasGoogle.comstatethat,in2013they
searchedthrough30 trillionWebpages!
It has now become a simple matter for average people—even those who had trouble programming their VCRs—to obtain access to the global Internet and with the access search the huge volume of information it contains. Millions of people around the world are logging in, creating a vast environment often referred to as cyberspace and the GII, which has been described as the virtual, online, computer-enabled environment, as distinct from the physical reality of “real life.”
By the end of the twentieth century, worldwide revenues via Internet commerce had reached perhaps hundreds of billions of dollars, an unparalleled growth rate for a technology that has been really effective only since the early 1990s! The “electronic commerce” of the early twenty-first century already includes everything from online information concerning products, purchases, and services to the development of entirely new business activities (e.g., Internet-enabled banking and gambling).
An important fact for everyone to understand, and which is of supreme importance to those interested in cyber security, is that the Web is truly global in scope. Physical borders as well as geographical distance are almost meaningless in cyberspace; the distant target is as easily attacked as the local one.
The annihilation of time and space makes the Internet an almost perfect environment for cyber crime and warfare. When finding a desired adversary’s[13] server located on the other side of the planet is as easy and convenient as calling directory assistance to find a local telephone number, information warriors have the potential to act in ways that one can only begin to imagine. Undeterred by distance, borders, time, or season, the potential bonanza awaiting the information warrior is a chilling prospect for those who are responsible for safeguarding and defending the assets of a business or government agency.
Because of religious beliefs in many faiths, Internet access to material considered pornographic is generally not acceptable. One of society’s struggles will be how to provide access to the world’s information without causing some moral decay of society. This will be a struggle for many countries and it is believed that the information warriors will have a major impact on the society of such developing countries.
The Internet is the latest in a series of technological advances that are being used not only by honest people to further their communication, but also by miscreants, juvenile delinquents, and others for illegal purposes. As with any technological invention, it can be used for good or for illegal purposes. It is really no different from other inventions such as the handgun. The handgun can be used to defend and protect lives or to destroy them. It all depends on the human being who is using the technology.
The High-Technology-Driven Phenomenon
There are thousands of Internet service providers (ISPs) operating and connected all across the globe. It is hoped that we all know by now that our e-mails do not go point to point, but hop around the Internet. They are susceptible to being gleaned by all those with the resources to read other people’s mail or steal information to commit crimes (e.g., identity theft, competitive intelligence information collections, and, of course, useful information for information warriors).
So, what is the point? The point is that there are ISPs all over the world with few regulations and absolutely no protection and defensive standards. Some ISPs may do an admirable job of protecting our information passing through their systems, while others may do nothing. Furthermore, as we learn more and more about “Netspionage” (computer-enabled business and government spying), we learn more and more about how our privacy and our information are open to others to read, capture, change, and otherwise misuse.
In addition, with such programs as SORM in Russia, Internet monitoring in China and elsewhere, global Echelon, and the U.S. FBI’s Carnivore (still Carnivore no matter how often they change the name to make it more politically correct), we might as well take our most personal information, tattoo it on our bodies, and run naked in the streets for all to see. Well, that may be a slight exaggeration; the point is that we have no concept of how well ISPs are protecting information belonging to governments, businesses, individuals, or associations. Through your ISP, how susceptible are you to the threats of cyber security? Do you know if your ISP is protecting or monitoring you? If it is monitoring you, for whom?
Faster and More Massive High-Technology-Driven Communications
We are quickly expanding into a world of instant messages (IMs) through ISPs. After all, the more rapidly our world changes, the more rapidly we want to react and we want everything—now! A 2014 report by Juniper Networks stated that instant messaging apps will account for 75% of mobile messaging traffic, or 63 trillion messages, by 2018. Furthermore, they can be used to transfer files, send graphics, and, unlike the telephone and normal e-mails, with IM one knows whether the person being contacted is there. Interesting ramifications—check to see if a person is online; if not (after already setting up a masquerade or spoof), take over that person’s identity and contact someone posing as the other—instantly. Of course, there are perhaps hundreds, if not thousands, of examples of ISPs being penetrated or misused. As far back as approximately November 1995, for example, the Wall Street Journal ran a story entitled “America Online to Warn Users about Bad E-mail.” We all know about the basic issues of viruses and other malicious codes being sent via ISPs. So, the problem has existed for quite some time.
Solar Storms Could Affect Telecommunications. Intense storms raging on the sun … could briefly disrupt telecommunications…. The eruptions triggered a powerful, but brief, blackout Friday on some high-frequency radio channels and low-frequency navigational signals … forecast at least a 30 percent chance of continuing disruptions…. In addition to radio disruptions, the charged particles can bombard satellites and orbiting spacecraft and, in rare cases, damage industrial equipment on the ground, including power generators and pipelines.[14]
[14] “Solar Flare Goes Off the Charts,” http://www.tldm.org/News3/Solar_flare.htm.
High technology is vulnerable to nature and the universe in general. What a great time to launch a cyber security attack on an adversary, including maybe competitors. Is it sunspots or an adversary causing these outages? By the time the adversary finds out it is you and not three days of sunspots, the war could be over.
The Beneficial Effect of Hacker Tools and Other Malicious Software on Network Security with Dual Roles as Cyber Security Tools
The following examples of malicious software were selected as a representative sample of those that are available and for their range of functionality and, additionally, for their range through time from 1991 to present. These tools can be and are being adapted and adopted for use in cyber security.[15]
Hacker tools. Of the hacker tools that were reviewed, while the intentions of the originators of the tools were mixed, with some being malicious and some well intentioned, they can all be used to strengthen the security of a network or to monitor the system for illicit activity. This can be achieved if the system owner uses hacker tools to identify the weaknesses that exist in the security of the system, to identify appropriate remedial action, before a person with malicious intent attempts to exploit the weaknesses. A number of the tools can also be used to monitor the system for illicit activity, even before software patches are available, so that the system owner can make informed decisions on appropriate action to prevent or minimize damage to his or her system. As a cyber security officer, how will you defend against such attacks?
Viruses. Viruses have no direct beneficial effect on the security of a system except to provide a visible indication that there has been a breakdown in procedures for the transfer of software or data between systems. The negative effect of viruses is the cost in terms of time and the antivirus software to check data and software being imported or exported to and from the system, as well as the cost of rectifying a problem when an infection has occurred, which can be considerable.
In an abstract way, the advent of the virus has actually been beneficial to the cyber security officer because the impact of a virus on the user is a visible and constant reminder of the need to observe good cyber security practices.
In the majority of cases, the virus is detected before it can activate its payload, so the damage is normally limited to the inconvenience and cost of cleaning up the system to remove the virus. As a cyber security weapon, it is a valuable and cheap weapon that can cause devastating results against your unprepared information systems.
Worms. The release onto the Internet on November 2, 1988, of the Internet worm written by Robert T. Morris, Jr., quickly caused widespread disruption and the failure of a large proportion of the network that existed at that time. The problem was compounded by the fact that some of the servers that had not been affected were taken offline to prevent them from becoming infected, thus placing a higher load on already-affected sections of the system and denying those elements of the network that had gone offline access to the patches that would protect them, as the normal distribution method for patches was over the Internet itself. To date, there have been no security benefits derived from worms, other than, in the case of the Robert T. Morris worm, to highlight the urgent need for effective and early communication of information on incidents.
The potential for the use of this type of program in a way that would aid the security of systems has been postulated, in the form of autonomous intelligent agents that would travel through the system and report back predefined information, such as the system assets, the condition and identity of system elements, and the presence or absence of specific types of activity. As a weapon for prosecuting cyber security, worms have excellent potential and may even be considered a “weapon of mass destruction” because of the damage they can cause a high-technology, information systems-dependent adversary. Of course, we now have many “colored” worms being written and traveling around the GII, NIIs, and other networks.
Easter eggs. Easter eggs have no beneficial effect other than to highlight that even proprietary software can have large sections of code included in them that are redundant to the functionality for which they were intended and also that the quality control procedures for the production of software by well-known organizations are poor if the Easter eggs were not detected during production. Can you think of any way to use these “eggs” in a cyber security battle?
Trojan horses. The Trojan horse, by definition, carries out actions that are normally hidden from the user while disguising its presence as a benign item of software. They are difficult to detect because they appear to be a legitimate element of the operating system or application that would normally be found on the system. Given that the purpose of a Trojan horse is to hide itself and its functionality from legitimate users, there have been no beneficial effects derived from them—unless you are an information warrior. As a cyber security officer, you must defend against them.
Logic bombs. Logic bombs, as with Trojan horses, carry out actions that are unexpected and undesirable. Some may cause relatively minor damage, such as writing a message to a screen, while others are considerably more destructive. They are normally inserted by disaffected staff or by people with a grudge against the organization. Again, they are difficult to detect before they have been activated and, as a result, can be expensive to rectify. Logic bombs are correctly named as they can have the same effect against the system of an adversary as a physical bomb might have against a building—Boom! It is gone!
The clear implication from the issues discussed above is that some hacker tools can have a beneficial effect on the security of computer systems if they are used by the system staff before they are used by personnel either within the organization or outside it to identify shortcomings or flaws in the operating system or applications software, the configuration of the system, or the procedures used to secure it. Viruses, while providing no direct benefit, do provide a detectable indication that there has been a breach in the security of the system, either by an exploitation of a flaw in the security procedures or by a shortcoming in the system software (it allowed a virus through any barriers that had been created to prevent access to the system).
Worms currently have no beneficial effect on system security management. However, the concept that was used to disseminate the Robert T. Morris worm may have an application in the mapping of large networks if applied to autonomous agents. The Trojan horse and the logic bomb, which, by their very nature, are covertly inserted into the system without the owner’s knowledge, have no beneficial effect and have only malicious applications.
Other High-Technology Tools in Cyber Security
Cyber wars (information warfare) through technology are being fought on many fronts—on the personal privacy, corporate Netspionage,[16] and nation-state battlefields of the world. Even such innocent-sounding words as “cookies” take on new meaning in the cyber security arena.
These cookies—the computer kind, not the ones you eat—are beneficial, except when they are used to profile customer habits and gather an individual’s private information, which is then sold. High-technology cookies are files that a Web site can load onto a user’s system. They are used to send back to the Web site a user’s activity on that Web site, as well as what Web sites the user has previously visited. They are also a potential tool of the information warrior.
Intel’s Pentium III included a unique processor serial number (PSN) in every one of its new Pentium III chips. Intel claimed that the PSN could identify an individual’s surfing through electronic commerce and other Internet-based applications. It was noted that by providing a unique PSN that can be read by Web sites and other application programs, it could make an excellent cyber security tool. Although this number is designed to be used to link user activities on the Internet for marketing and other purposes, one can easily imagine other uses, from a cyber security perspective, that can be made of this high-technology application. And as for Microsoft’s new operating system, XP, imagine the IW possibilities.
Steganography is another use of high technology that can be used in cyber security:[17]
Hiding information by embedding a file inside another, seemingly innocent file is a technique known as “steganography.” It is most often used with graphics, sound, text, HTML, and PDF files. Steganography with digital files works by replacing the unused bytes of data in a computer file with bytes that contain concealed information.
Steganography (which translated from Greek means covered writing) has been in use since about 580 B.C. One technique was to carve secret messages into wooden objects and then cover the etched words with colored wax to make them undetectable to an uninitiated observer. Another method was to tattoo a message onto the shaved messenger’s head. Once the hair grew back, the messenger was sent on his mission. Upon arrival, the head was shaved, thus revealing the message—obviously not time-dependent. The microdot, which reduced a page of text to the size of a typewriter’s period so that it could be glued onto a postcard or letter and sent through the mail, is another example.[18]
Two types of files are typically used when embedding data into an image. The innocent image that holds the hidden information is a “container.” A “message” is the information to be hidden. A message may be plain text, cipher text, other images, or anything that can be embedded in the least significant bits of an image.[19]
Steganographic software has some unique advantages as a tool for Netspionage agents. First, if the agents use regular cryptographic software on their computer systems, the files may not be accessible to investigators but will be visible, and it will be obvious that the agents are hiding something. Steganographic software allows agents to “hide in plain sight” any valuable digital assets they may have obtained until they can transmit or transfer the files to a safe location or to their customer. As a second advantage, steganography can be used to conceal and transfer an encrypted document containing the acquired information to a digital dead drop. The agents could then provide the handler or customer with the password to unload the dead drop but not divulge the steganographic extraction phrase until payment is received or the agents are safely outside the target corporation. As a final note, even when a file is known or suspected to contain information protected with steganographic software, it has been almost impossible to extract the information unless the passphrase has been obtained.
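As an added example (not code from the book or from the Netspionage excerpt), the following Python shows the least-significant-bit embedding the excerpt describes on a constructed 8-bit grayscale pixel buffer: a “message” written into a “container,” its extraction, and the pair-histogram chi-square statistic a forensic examiner can compute to flag a buffer whose LSB plane has been evened out by a random-looking payload. The constructed cover image, the sample message and the 32-bit length header are assumptions of this example, not part of any real steganography product.

```python
# Added example, not from the book: LSB steganography on a constructed
# grayscale buffer, plus the pair-histogram chi-square statistic that a
# defender can use to spot an evened-out LSB plane. No image format is parsed.
import random
import struct

WIDTH, HEIGHT = 64, 64          # constructed 64x64 grayscale "image"


def make_cover(seed: int = 2024) -> bytes:
    """Constructed cover: a soft gaussian field posterized to multiples of 4,
    the pair-asymmetric histogram a cheap scan or rescale typically leaves."""
    rng = random.Random(seed)
    pixels = bytearray()
    for _ in range(WIDTH * HEIGHT):
        v = max(0, min(255, int(rng.gauss(128, 30))))
        pixels.append((v // 4) * 4)   # every cover pixel value is even
    return bytes(pixels)


def capacity(container: bytes) -> int:
    """Message bytes that fit: one bit per pixel minus the 4-byte length header."""
    return len(container) // 8 - 4


def _bits(data: bytes):
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def embed(container: bytes, message: bytes) -> bytes:
    """Write a big-endian length header plus the message into the pixel LSBs."""
    if len(message) > capacity(container):
        raise ValueError(f"{len(message)} bytes exceed capacity {capacity(container)}")
    payload = struct.pack(">I", len(message)) + message
    out = bytearray(container)
    for i, bit in enumerate(_bits(payload)):
        out[i] = (out[i] & 0xFE) | bit    # clear the LSB, then set it to the payload bit
    return bytes(out)


def _read(container: bytes, first_bit: int, count: int) -> bytes:
    out = bytearray()
    for b in range(count):
        value = 0
        for k in range(8):
            value = (value << 1) | (container[first_bit + 8 * b + k] & 1)
        out.append(value)
    return bytes(out)


def extract(container: bytes) -> bytes:
    """Inverse of embed(); rejects a header that points past the buffer."""
    (length,) = struct.unpack(">I", _read(container, 0, 4))
    if length > capacity(container):
        raise ValueError("length header inconsistent with buffer size")
    return _read(container, 32, length)


def pair_chi_square(pixels: bytes) -> float:
    """Chi-square statistic over the value pairs (2k, 2k+1).
    LSB embedding of a random-looking payload pushes h[2k] and h[2k+1] toward
    equality, so the statistic collapses; an untouched cover usually keeps them
    unequal. Computed over the whole buffer here, so a short message only moves
    the leading pixels; real examiners evaluate it over sliding blocks."""
    hist = [0] * 256
    for p in pixels:
        hist[p] += 1
    chi = 0.0
    for k in range(128):
        even, odd = hist[2 * k], hist[2 * k + 1]
        mean = (even + odd) / 2
        if mean > 0:
            chi += (even - mean) ** 2 / mean
    return chi


def random_payload(n: int, seed: int = 7) -> bytes:
    """Stand-in for ciphertext: the excerpt notes the hidden message may itself be encrypted."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))


def demo():
    """Round-trip a short message, then fill the cover with a random payload and
    return (chi-square before, chi-square after, largest per-pixel change)."""
    cover = make_cover()
    secret = b"meet at dawn"                   # constructed sample message
    assert extract(embed(cover, secret)) == secret
    full = embed(cover, random_payload(capacity(cover)))
    max_delta = max(abs(a - b) for a, b in zip(cover, full))
    return pair_chi_square(cover), pair_chi_square(full), max_delta


if __name__ == "__main__":
    before, after, delta = demo()
    print(f"chi-square cover={before:.1f} stego={after:.1f} max pixel change={delta}")
```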
Welcome to the Twenty-First-Century Technology
As we left the twentieth century and began the twenty-first century, our dependence on technology continued to increase as well as our interconnectivity on a global basis, our integration of devices – or platforms – and use of wireless, mobile technology. This has increased our vulnerability to successful attacks on a global scale. It has also made protection of our systems, information, etc., much more difficult—maybe even impossible.
As we progress into the twenty-first century, we continue to fall behind in our defenses and ability to react quickly and successfully to attacks from around the world. As the sophistication of attacks continues to increase so do the vulnerabilities of our vital information infrastructures.
Top cyber security experts echoed a dire warning from a top intelligence chief on the vulnerability of the U.S. power grid, with one telling FoxNews.com that state-sponsored hackers could send America’s nerve centers on an “uncontrollable, downward spiral.”[20]
[20] “Intel boss’ warning on cyber attacks no joke, say experts,” http://www.foxnews.com/world/2014/11/23/intel-boss-warning-on-cyber-attacks-no-joke-say-experts/.
Defending our information has been made more difficult by advances in technology and also in social networks of all kinds, through which users continue to innocently provide information that is very useful to competitors and other adversaries and that leaves individuals, groups, corporations, and governments more open to attacks.
Let’s Look at Some of the Major Technology Advances Thus Far in the Twenty-first Century:
• The power of cell and Wi-Fi phones as they have become not only telephones, but more all-in-one communication devices, for example, voice, text, e-mail, storage devices, and video and digital cameras. Not far behind are the tablets, which offer the same mobility as cell phones but bigger screens and often more power, storage, memory capacity, and speed.
• Twitter, Facebook, YouTube, blogs, and others offer social connectivity as never before by which individuals, businesses, and governments on a global, mobile scale share information that includes accidentally or purposefully posting sensitive or maybe even classified information as users go unchecked. It is also a great platform for blackmail, marketing, and spreading false information or propaganda and of course for collecting information useful in GIW and conventional wars and battles.
• More sophisticated game machines and games that can be used to help train info-warriors and in fact are being used to do so.
• Driverless vehicles, including trams, trains, and cars, that are turning into computers on wheels. They are loaded with technology. Imagine once they are taken over, controlled by a terrorist, they can easily be turned into weapons, giving new weapons status as car bombs with which the drivers do not have to sacrifice their lives.
• Electric vehicles over time will become more prevalent. Since we are unable to store electricity as well as we can gas, what would happen to our ability to use electric vehicles, especially for emergencies, once our power grids go down and they cannot be recharged? As we race to be “eco-friendly,” are we considering what to do to mitigate this up-and-coming vulnerability? No, of course not.
• We are also approaching the time when we will truly be able to use artificial intelligence and possibly become dependent on it. What happens when that happens and it is taken over and changed by info-warriors and made into weapons support?
• The use of nano-technology will continue to be enhanced and as it is, it can be embedded in our infrastructures to destroy them or injected into our bodies. Also, as we depend more on robotics from manufacturing to medical devices, even for surgeries, what happens when they are taken over by info-warriors?
Looking back at what has been accomplished just in our short lifetimes, imagine the twenty-first-century technology and the cyber security-related implications coming in the future.
Summary
If you are involved in any activity in which technology is used as a tool to help you accomplish your work, you are aware of the tremendous and very rapid advances that are being made in that arena. It is something to behold. We are in the middle of the most rapid technological advances in human history, but this is just the beginning. We are not even close to reaching the potential that technology has to offer, nor its impact on all of us—both good and bad.
It is said that there have been more discoveries in the past 50 years than in the entire history of mankind before that time. We have just to read the newspapers and the trade journals to look at every profession and see what technology is bringing to our world. There are new discoveries in medicine, online and worldwide information systems, the ability to hold teleconferences across the country and around the globe, and hundreds of other examples that we can all think of.
High technology is the mainstay of both our businesses and our government agencies. We can no longer function in business or government without them. Pagers, cellular phones, e-mail, credit cards, teleconferences, smart cards, tablets and notebook computers, networks, and private branch exchanges (PBXs) are all computer based and all are now common tools for individuals, businesses, and public and government agencies. Information warriors are also relying more and more on computers. As computers become more sophisticated, so do the information warriors. As international networks increase, so does the number of international information warriors.
Networking and embedded systems, those integrated into other devices (e.g., automobiles, microwave ovens, medical equipment), are increasing and drastically changing how we live, work, and play. According to a study financed by the U.S. ARPA and published in the book Computers at Risk:
• Computers have become so integrated into the business environment that computer-related risks cannot be separated from normal business risks or those of government and other public agencies.
• Increased trust in computers for safety-critical applications (e.g., medical) leads to the increased likelihood that attacks or accidents can cause deaths. (Note: It has already happened.)
• Use and abuse of computers are widespread with increased threats of viruses and credit card, PBX, cellular phones, and other frauds.
• An unstable international political environment raises concerns about government or terrorist attacks on information and high-technology-dependent nations’ computer and telecommunications systems.
• Individual privacy is at risk owing to large, vulnerable databases containing personal information, thus facilitating increases in identity theft and other frauds.
If I want to wreak havoc on a society that, in some cases, has become complacent, I am going to attack your quality of life.
Curt Weldon, R-PA. U.S. House, Armed Services Committee[21]
[21] Speaking at an InfoWar Conference in Washington, D.C., in September 1999.
Personal computers have changed our lives dramatically and there is no end in sight. High technology in general has improved the quality of life for societies and made life a little easier, and yet it makes an information-dependent way of life more at risk than ever before. The use of modems has become commonplace, with all newly purchased microcomputer systems[22] coming with an internal modem already installed and ready for global access through the Internet or other networks. Wireless networks are being increasingly used and there are now millions of Wi-Fi “hotspots” to which people can connect their phone, laptop, or tablet wherever they are. Therefore, these devices and the networks that they are using potentially represent some of the most serious and complex crime scenes of the Information Age. This will surely increase as we begin the twenty-first century.
…it is computerized information, not manpower or mass production that … will win wars in a world wired for 500 TV channels. The computerized information exists in cyberspace—the new dimension created by endless reproduction of computer networks, satellites, modems, databases, and the public Internet.[23]
Neil Munro
[23] Neil Munro, “The Pentagon’s New Nightmare: An Electronic Pearl Harbor,” Washington Post, July 16, 1995, p. C3.
High-technology development continues to play a dual role in information-based nation-states. The high-technology devices have been turned into tools that have been used to determine the adequacy of cyber defenses and have been adopted and adapted by global hackers, terrorists, and other miscreants. They now have been using those tools for probing and attacking systems, especially through the Internet interfaces of corporations and nation-states, as well as the GII and NIIs of nation-states. These same hacker techniques have been readily adopted and enhanced by the information warriors of nation-states and others.
[1] Encarta World English Dictionary, 1999, Microsoft Corporation. All rights reserved. Developed for Microsoft by Bloomsbury Publishing Plc.
[3] See P. Freiberger and M. Swaine’s book, Fire in the Valley: The Making of the Personal Computer, Osborne/McGraw, Berkeley, CA, 1984.
[4] Schaller, Bob, “The Origin, Nature, and Implications of ‘MOORE’S LAW’: The Benchmark of Progress in Semiconductor Electronics,” September 26, 1996, http://research.microsoft.com/en-us/um/people/gray/moore_law.html.
[5] Winfred Phillips, “Chapter 2 - Computers and Intelligence,” The Mind Project, http://www.mind.ilstu.edu/curriculum/extraordinary_future/PhillipsCh2.php?modGUI=247&compGUI=1944&itemGUI=3397.
[6] See P. Freiberger and M. Swaine’s book, Fire in the Valley: The Making of the Personal Computer, Osborne/McGraw, Berkeley, CA, 1984, and http://www.swaine.com/wordpress/tag/mike-swaine/ for additional details of computer history.
[8] Ibid., p. 11.
[9] Software that simplifies the search and display of World Wide Web-supplied information.
[10] Internet Guide by Microsoft Personal Computing, http://www.microsoft.com/magazine/guides/internet/history.htm.
[11] “Email Statistics Report, 2014–2018,” The Radicati Group, http://www.radicati.com/wp/wp-content/uploads/2014/01/Email-Statistics-Report-2014-2018-Executive-Summary.pdf.
[12] Internet live stats, http://www.internetlivestats.com/total-number-of-websites/.
[13] The term “adversary” is used more often these days to describe an enemy than the word “enemy” because it seems it is not as harsh a term, although the intent is still to disable or kill them.
[15] A number of other tools were reviewed but contained no obvious property or functionality that was considered to be both beneficial and a potential cyber security weapon; that is, they modified the system to exploit vulnerabilities or they were purely malicious and caused a denial of service. These are tools that are “pure” cyber security tools.
[16] See the book, Netspionage: The Global Threat to Information, published by Butterworth–Heinemann in September 2000.
[17] Excerpt taken from the book, Netspionage: The Global Threat to Information, published by Butterworth–Heinemann in September 2000, and reprinted with permission.
[18] Steganography, http://www.webopedia.com/TERM/S/steganography.html.
[19] Steganography, http://www.jjtc.com/Steganography/.
[22] Microcomputers had been a term used to differentiate them from minicomputers and mainframe computers. The computers’ power and what the manufacturers decided to call them differentiated these systems. However, with the power of today’s microcomputer equaling that of larger systems, the issue is unclear and basically no longer very relevant. What these systems are called, coupled with notebooks, PDAs, workstations, desktops, etc., is not that important because they all basically operate the same way.
CHAPTER 5
Understanding Today’s Threats in the Cyber Vapor—“War Stories” from the Front Lines[1]
Abstract
When discussing the various aspects of cyber security, the cyber security officer must understand that he or she is also an information warrior and is working in the midst of global information warfare (GIW). It is important to also be aware of the actual, various types of information warfare attacks that are currently being conducted 24/7 around the world against individuals, groups, businesses, and governments.
Keywords: Cyber Command; Global information warfare (GIW); Information warfare (IW) games; Info-warriors; National Security Agency’s (NSA); Programmable logic controllers (PLCs); Secret Service
Existing and potential threats in the sphere of information security are among the most serious challenges of the twenty-first century. Threats emanate from a wide variety of sources and manifest themselves in disruptive activities that target individuals, businesses, national infrastructure, and governments alike. Their effects carry significant risk for public safety, the security of nations, and the stability of the globally linked international community as a whole.[2]
CONTENTS
Reported Digital Battlefield Attacks and Related Stories 90
Summary 100
When discussing the various aspects of cyber security, the cyber security officer must understand that he or she is also an information warrior and is working in the midst of global information warfare (GIW). It is important to also be aware of the actual, various types of information warfare attacks that are currently being conducted 24/7 around the world against individuals, groups, businesses, and governments.
Being aware of such attacks, one can get a better appreciation of the massive challenges ahead for those cyber security professionals, sometimes also called info-warriors throughout this chapter, trying, often in vain, to protect the information and information systems being used today.
It is also important to know of the latest technologies being developed and by whom, as well as understanding the politics of the time, because as tensions rise among people, businesses, groups, and nations, they are more apt to become aggressively involved in GIW.
As you read through these actual attacks and their related commentaries,[3] think of how to defend against them and also how to use them, piggy-back off of them, when conducting maybe “aggressive defensive” operations against adversaries. Knowing the who, how, where, when, why, and what will help defend against GIW attacks as well as providing a basis that can be used for enhancing your corporation’s or government agency’s defenses.
As you read through them, consider that one or more of these attacks are happening 24/7 and your corporation or government agency is now under attack, has been, or will be. Details are not provided, as the point is to get an understanding of these attacks, similar to old warfare bombardment of our defenses, if you were in a physical war zone. Details of each of these attacks or other information provided can be found at referenced Web sites. As you know, all information online is subject to being perishable. Even so, you can search the topic and find information you need on each threat to help you build your defenses.
Reported Digital Battlefield Attacks and Related Stories
Let us start off with one of the most sophisticated attacks, allegedly made in July 2010 against Iran’s nuclear program using a program called “Stuxnet.”
Stuxnet is a computer worm that was discovered in June 2010. It was designed to attack industrial programmable logic controllers (PLCs). PLCs allow the automation of electromechanical processes such as those used to control machinery on factory assembly lines, amusement rides, or centrifuges for separating nuclear material.[4]
Allegedly, this program was the work of the United States and Israel, although this is just speculation. The worm entered the Iranian network and destabilized over 1000 of their centrifuges.
Now, one can only speculate how it entered a “closed” network. Some allege it was inserted via a CD/DVD or a flash drive by an insider. Others speculate a disk or flash drive was left in a place where someone working in the Iranian facility found it and entered it into the closed Iranian nuclear network just to see what was on the medium and thus unleashed the worm.
The “Regin” malware—allegedly the most powerful to date, even more powerful than Stuxnet, targets mostly Russian and Saudi telecommunication companies. It has been out there since 2008 and even when detected, you cannot tell what it is doing. It is supposedly in 10 countries, including India and Iran, with half of its attacks in Russia. Some say it is so good it is believed it could be developed only by a nation-state—a Western nation-state. Interestingly, attacks are now being reported in the United States.
• Varney & Company, business news program, Fox Business TV Channel, November 24, 2014
Now, let us talk about a simple attack:
A journalist tells the story[5] of his devices allegedly being hacked and his photos, e-mails—basically his entire cyber life—were deleted. He was able to contact the hackers, who were teenagers, and they said they just did it for “fun.” He agreed not to press charges, not to identify them, but wanted to know how they did it.
They allegedly told him that they did not hack his passwords, but basically did the following: They began by “social engineering” their way into his accounts taking advantage of loopholes in the system.
• They first called amazon.com as him and gave them a false credit card number.
• They received a temporary password from Amazon.
• Now they owned his Amazon account.
• They got the last four numbers of his actual credit card.
• Apple was using it also as an identity verification method.
• Apple gave “him” (the hackers) a password reset.
• Now they owned his Apple account.
• They then went to Google and then to Twitter.
Note: As you can see, today’s GIW attacks can range from the nontechnical, using social engineering techniques, to the more sophisticated covert malware types of attacks, to a combination of both, and everything in-between.
U.S. military academies’ information warfare (IW) games: Every year the U.S. military academies of the Army, Navy, Coast Guard, and Air Force put together a group of cadet info-warriors to compete in an IW game using a points system to determine the winner. It begins with each academy selecting a team and building a “secure” network and all are then attacked over a three-day period by a “Red Team.” This sophisticated IW game is used to help train the U.S. military info-warriors of the future.[6]
Do you ever get the feeling you are being watched? If you’ve got a webcam, you might be right … It’s stunningly easy since most companies, in an effort to be helpful, put installation manuals online, manuals that make public the default passwords for their products.
• http://www.foxnews.com/tech/2014/11/21/hacked-webcams-is-your-home-next/?intcmp=ob_homepage_tech&intcmp=obnetwork
The Taiwanese government is investigating whether Xiaomi, Inc., China’s leading smartphone company … is a cyber security threat … as governments become increasingly wary of potential cyber security threats from the world’s second-biggest economy. … The smartphone maker recently came under fire for unauthorized data access.
• https://ca.news.yahoo.com/taiwan-government-investigates-xiaomi-potential-cyber-security-concerns-044430946—finance.html
A Syrian Twitter user appeared to break the news of U.S.-led airstrikes in Syria overnight before the Pentagon announced it had launched them.
• http://news.yahoo.com/us-syria-air-strikes-live-tweets-130215331.html
Home Depot said Thursday a recent cyber attack on its computer network affected a colossal 56 million customer payment cards … is believed to be the biggest ever hack of a retail firm’s computer systems … used malware to collect customer information.
• http://www.foxnews.com/tech/2014/09/19/home-depot-malware-attack-even-bigger-than-targets-56m-payment-cards-affected/?intcmp=obnetwork
Hackers would love to weasel their way onto your smartphone or tablet … mobile gadgets are a bit harder to crack … hackers have to be even sneakier and use malicious apps or hidden Wi-Fi attacks or simply walk off with your gadget.
• http://www.foxnews.com/tech/2014/10/19/essential-security-apps-for-your-smartphone-and-tablet/?intcmp=obnetwork
Governments all around the world use malware and spyware to keep tabs on people, from visitors to residents.
The Detekt tool was developed and supported by several human rights groups. Detekt checks for malware that is often used against journalists, activists, and others.
• http://www.foxnews.com/tech/2014/11/21/free-tool-detects-government-spyware/?intcmp=ob_homepage_tech&intcmp=obnetwork
A company Web site, along with 1.2 billion other Web sites, was targeted by Russian hackers utilizing a massive “bot” attack. These bots aggressively attempted access to Web sites with username and password options.
• http://www.foxbusiness.com/personal-finance/2014/08/29/why-your-passwords-should-be-at-least-24-charcters-long/?intcmp=obnetwork
Voting machines that switch Republican votes to Democrats are being reported in Maryland.
• http://www.foxnews.com/politics/2014/10/27/calibration-issue-pops-up-on-maryland-voting-machines/
AustraliandefenseofficialsarepreparingforwhatcouldbeabarrageofpossiblecyberattacksduringtheG20leaders’summitthisSaturdayandSundayinBrisbane.“TargetingofhighprofileeventssuchastheG20bystate-sponsoredorotherforeignadversaries,cybercriminalsandissue-motivatedgroupsisarealandpersistentthreat…”
•http://www.foxnews.com/tech/2014/11/13/australia-braces-for-g20-cyber-attacks/?intcmp=features
Someofthe“FBI’sCyber’sMostWanted”showthatthisproblemisglobalinnatureasthosewantedcomefromallpartsoftheworld.(SeetheirphotosanddescriptionsontheirWebsite—alsonotethattheyarefromallovertheworld—http://www.fbi.gov/wanted/cyber.)
Theiroffensesincludesuchthings7asconspiracytocommitwirefraud,moneylaundering,passportfraud,andtraffickingincounterfeitservicemarks;wirefraud;moneylaundering;passportfraud;andtraffickingincounterfeitservicemarks.Reward:TheU.S.DepartmentofState’sTransnationalOrganizedCrimeRewardsProgramisofferinga
rewardofupto$1 millionforinformationleadingtothearrestand/orconviction…conspiringtocommitcomputerfraud;accessingacomputerwithoutauthorizationforthepurposeofcommercialadvantageandprivatefinancialgain;damagingcomputersthrough
thetransmissionofcodeandcommands;aggravatedidentitytheft;economicespionage;andtheftoftradesecrets.
On May 1, 2014, a grand jury in the Western District of Pennsylvania indicted five members of the People's Liberation Army (PLA) of the People's Republic of China (PRC) on 31 criminal counts, including conspiring to commit computer fraud, accessing a computer without authorization for the purpose of commercial advantage and private financial gain, damaging computers through the transmission of code and commands, aggravated identity theft, economic espionage, and theft of trade secrets.
The subjects were allegedly officers of the PRC's Third Department of the General Staff Department of the PLA, Second Bureau, Third Office, Military Unit Cover Designator 61398, at some point during the investigation. The activities executed by each of the individuals allegedly involved in the conspiracy varied according to his specialties. Each provided his individual expertise to an alleged conspiracy to penetrate the computer networks of six American companies while those companies were engaged in negotiations or joint ventures or were pursuing legal action with, or against, state-owned enterprises in China. They then used their illegal access to allegedly steal proprietary information including, for instance, e-mail exchanges among company employees and trade secrets related to technical specifications for nuclear plant designs. One subject, Sun, who held the rank of captain during the early stages of the investigation, was observed both sending malicious e-mails and controlling victim computers.
One individual is wanted for his alleged involvement in manufacturing spyware, which was used to intercept the private communications of hundreds, if not thousands, of victims. As part of the scheme, the suspect ran a Web site offering customers a way to "catch a cheating lover" by sending spyware masquerading as an electronic greeting card. Victims who opened the greeting card would unwittingly install a program onto their computers. The program collected keystrokes and other incoming and outgoing electronic communications on the victims' computers. The program would periodically send e-mail messages back to the purchaser of the service containing the acquired communications, including the victims' passwords, lists of visited Web sites, intercepted e-mail messages, and keystroke logs. The program in question was initially called "e-mail PI" and renamed "Lover Spy" in July/August 2003. The suspect allegedly hosted the Web site, as well as creating the computer program. He ran the operation from his San Diego residence in 2003.
He was charged with the following crimes: manufacturing a surreptitious interception device, sending a surreptitious interception device, advertising a surreptitious interception device, unlawfully intercepting electronic communications, disclosing unlawfully intercepted electronic communications, unauthorized access to a protected computer for financial gain, and aiding and abetting.
This suspect was in the United States on a travel visa and then obtained a student visa while he was taking college courses. He has ties to San Diego, California, and his last known location is San Salvador, El Salvador.
One security expert noted that healthcare.gov is still a huge ripe target… and that unlike the private sector, no law requires the federal government to even inform you if your information has been hacked.
• http://www.foxnews.com/politics/2014/10/27/is-your-obamacare-information-safe/
Throughout the flood of hacks and data breaches at retailers, restaurants, health care providers, and online companies this year—Home Depot, Target, Subway, Adobe, and eBay were just a handful…
• http://www.foxnews.com/tech/2014/11/01/5-steps-to-keep-your-accounts-safe-from-hackers-and-scammers/?intcmp=ob_homepage_tech&intcmp=obnetwork
Defense Advanced Research Project Agency leaders told lawmakers the agency is making progress with an ongoing cybersecurity project known as Plan X to increase cyber visibility and provide a new foundation for the fast-developing world of cyber warfare moving into the future.
• http://defensetech.org/2014/05/14/darpa-sets-cyber-foundations-with-plan-x/#ixzz32V4YPy00
Information warfare is one of the hottest topics in current discussions of battlefield and geopolitical conflict. It has been addressed in writings, conferences, doctrines and plans, and military reorganizations, and it has been proposed as a fundamental element of twenty-first-century conflict. In a way, the IW situation is reminiscent of the concept of logistics as a military discipline, c. 1940:
• Elements of the concept had been known and used for millennia.
• The value of integrating those elements into a coherent discipline was just beginning to be recognized.
• The discipline was to become a central element of modern warfare—it is now said that "amateur generals [that is, Saddam Hussein] talk strategy, professional generals talk logistics."
• From L. Scott Johnson, who works for Tera Research, Inc., a contractor performing analysis on behalf of the Directorate of Intelligence.
General Zhu's comments were echoed during a spirited question-and-answer session following Hagel's speech. In the session, PLA Major General Yao Yunzhu questioned America's repeated claim that it doesn't take sides in territorial disputes, asking how that can be true when the United States also claims the disputed islands in the East China Sea are covered by a U.S. treaty with Japan.
• http://www.foxnews.com/world/2014/05/31/chinese-general-warns-that-us-is-making-imporant-mistakes-in-region/?intcmp=HPBucket
Virtual Battlespace 3… Using the system, the Army can build battlefield scenarios and tailor the game to reflect specific requirements. Soldiers, for example, can simulate driving a Stryker, conduct patrols, engage in close combat, and drive down to the firing position to practice gunnery in realistic terrain.
• http://www.foxnews.com/tech/2014/05/22/army-battles-with-brawn-and-beer-bellies/?intcmp=features
The U.S. Department of Homeland Security is investigating about two dozen cases of suspected cybersecurity flaws in medical devices and hospital equipment that officials fear could be exploited by hackers…
• http://www.foxnews.com/tech/2014/10/22/us-government-probes-medical-devices-for-possible-cyber-flaws/?intcmp=features
BlackBerry has announced a deal to acquire German anti-eavesdropping specialist SecuSmart… provides its technology to German Chancellor Angela Merkel, who is at the center of a controversy over an alleged National Security Agency phone tap.
• http://www.foxnews.com/tech/2014/07/29/blackberry-launches-cyber-snooping-counter-attack/?intcmp=obnetwork
Between traffic-light cameras, blue-light cameras that scan neighborhoods for violent crime, cameras on board city trains and buses—not to mention private security cameras—there are few places you can go in Chicago without being monitored.
• http://www.foxnews.com/politics/2014/05/12/security-camera-surge-in-chicago-sparks-concerns-massive-surveillance-system/
The United States plans to "keep up the pressure" on China as it gauges that nation's response to this week's indictment of five Chinese military officials for allegedly hacking into American corporate computers… If China doesn't begin to acknowledge and curb its corporate cyber espionage, the United States plans to start selecting from a range of retaliatory options.
• http://www.foxnews.com/politics/2014/05/24/us-to-rev-up-hacking-fight-against-china/
There are at least 19 bogus cell phone towers operating across the United States that could be used to spy upon, and even hijack, passing mobile phones.
• https://us-mg6.mail.yahoo.com/neo/launch?.partner=ftr&.rand=701bmckq23kk8#mail
More than 1000 U.S. retailers could be infected with malicious software lurking in their cash register computers, allowing hackers to steal customer financial data, the Homeland Security Department…
• http://www.foxnews.com/tech/2014/08/22/malicious-software-in-cash-registers-could-affect-more-than-1000-us-retailers/?intcmp=obnetwork
The director of the CIA, in a rare apology, has acknowledged an internal probe's findings that CIA employees in the Executive Branch improperly spied on the Legislative Branch by searching Senate computers earlier this year.
• http://www.foxnews.com/politics/2014/07/31/cia-director-apologizes-to-senate-leaders/?intcmp=latestnews
In the field of artificial intelligence, there is no more iconic and controversial milestone than the Turing Test, when a computer convinces a sufficient number of interrogators into believing that it is not a machine but rather is a human. Having a computer that can trick a human into thinking that someone, or even something, is a person we trust is a wake-up call to cybercrime.
• https://www.yahoo.com/tech/a-computer-passed-the-famous-turing-test-for-the-first-88270310244.html
The mission data packages now being developed by the Air Force's 53rd Wing are designed to accommodate new information as new threat data become available. The database is loaded with a wide range of information to include commercial airliner information and specifics on Russian and Chinese fighter jets.
• http://www.foxnews.com/tech/2014/06/19/air-force-develops-threat-data-base-for-f-35/?intcmp=obnetwork
The National Security Agency's (NSA) surveillance machinery is again in the spotlight after a media report claimed that it is secretly providing data to almost two dozen U.S. government agencies via a powerful "Google-like" search engine.
• http://www.foxnews.com/tech/2014/08/26/google-like-search-engine-puts-nsa-snooping-back-in-spotlight/
The federal government is spending nearly $1 million to create an online database that will track "misinformation" and hate speech on Twitter… monitor "suspicious memes" and what it considers "false and misleading ideas," with a major focus on political activity online.
• http://www.foxnews.com/politics/2014/08/26/feds-creating-database-to-track-hate-speech-on-twitter/
The Secret Service has confirmed what you've probably suspected for a long time: Public computers at hotels are ridiculously insecure, and you're taking a gamble with your personal data each time you use one.
• http://www.foxnews.com/tech/2014/07/14/secret-service-warns-hotels-data-theft/?intcmp=obnetwork
Israel's secret service intercepted Secretary of State John Kerry's phone calls during 2013 Middle East peace negotiations, according to the German publication Spiegel.
• http://www.foxnews.com/politics/2014/08/03/israel-spied-on-kerrys-calls-during-2013-peace-talks-magazine-reports/
China took its investigation of "alleged monopoly actions" by Microsoft to a new level this week, raiding four of the company's offices and carrying away internal documents and computers.
• http://www.foxnews.com/tech/2014/07/30/microsofts-china-woes-increase/?intcmp=obnetwork
Samsung Electronics said five of its Galaxy-branded smartphones and tablets that come with its enterprise security software recently received approval from the U.S. Defense Information Systems Agency, allowing them to be listed as an option for officials.
• http://www.foxnews.com/tech/2014/06/09/samsung-devices-get-nod-from-us-defense-agency/?intcmp=obnetwork
As more devices and appliances with Internet capabilities enter the market, protecting those devices from hackers becomes critical. Unfortunately, many of these noncomputer, nonsmartphone devices—from toilets to refrigerators to alarm systems—were not built with security in mind.
• http://www.foxnews.com/tech/2014/08/26/how-to-secure-your-easily-hackable-smart-home/?intcmp=obnetwork
Hot on the heels of the NSA snooping firestorm, a leaked document appears to detail the cyber espionage tricks employed by its U.K. counterpart, GCHQ.
• http://www.foxnews.com/tech/2014/07/15/uk-intelligence-agency-in-cyber-spying-controversy/
The spy agency has relied more on facial-recognition technology in the past 4 years as a result of new software that can process the flood of digital communications such as e-mails, text messages, and even video conferences…
• http://www.foxnews.com/politics/2014/06/01/nsa-steps-up-digital-image-harvesting-to-feed-its-advancing-facial-recognition/
Concerned over network security following news last year suggesting German leader Angela Merkel had her phone tapped by the NSA, the government said it will transfer all its telecom and Internet-related services to the German firm Deutsche Telekom…
• http://www.foxnews.com/tech/2014/06/27/german-government-ends-contract-with-verizon-following-nsa-revelations/?intcmp=obnetwork
The U.K. Cyber Security Strategy: Protecting and promoting the United Kingdom in a digital world. Our vision is for the United Kingdom in 2015 to derive huge economic and social value from a vibrant, resilient, and secure cyberspace, where our actions, guided by our core values of liberty, fairness, transparency, and the rule of law, enhance prosperity, national security, and a strong society.
• https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/60961/uk-cyber-security-strategy-final.pdf
Many of America's military secrets can be stolen by exploiting the networks over which unclassified information is shared by military contractors and subcontractors… Chinese hackers are believed to have stolen the designs for "more than two dozen major weapons systems…"
• http://www.cbsnews.com/news/how-chinese-hackers-steal-us-secrets/2/
…The Pentagon was pushing to expand its cybersecurity forces. The U.S. military's so-called Cyber Command will grow fivefold over the next few years, from 900 employees at present to about 5000 civilian and military personnel, Orr reported.
• http://www.cbsnews.com/news/china-military-unit-behind-many-hacking-attacks-on-us-cybersecurity-firm-says/
U.S. officials are blaming Chinese hackers for another serious data breach. Someone broke into secure government networks that hold personal information for all federal employees. The target appears to be workers applying for high-level security clearances.
• http://www.cbsnews.com/news/report-chinese-hackers-got-to-federal-workers-records/
On average, the hackers would spend nearly a year perusing a targeted company's systems looking for sensitive information to steal: product development plans, manufacturing techniques, business plans, and the e-mail messages of senior executives. The point is to help Chinese companies be more competitive.
• http://gizmodo.com/why-chinese-hackers-stole-4-5-million-us-hospital-recor-1623284602
Hackers may have breached the Office of Personnel Management's network… intrusion has been traced to China, although it is not clear that the Chinese government is involved.
• http://www.washingtonpost.com/news/morning-mix/wp/2014/07/09/report-chinese-hacked-into-the-federal-governments-personnel-office/
A Chinese hacking group has been accused of stealing data from Israel's billion-dollar Iron Dome missile system.
The state-sponsored Comment Crew hacking group, thought to operate out of China, was responsible for attacks from 2011 onward on three Israeli defense technology companies, Elisra Group, Israel Aerospace Industries, and Rafael Advanced Defense Systems, all involved with the Iron Dome project.
• http://www.theguardian.com/technology/2014/jul/29/chinese-hackers-steal-israel-iron-dome-missile-data
Ballistic-missile defenses, joint-strike fighters, Black Hawks, and more—Chinese hackers have their hands on plans for these and more of the Pentagon's most sophisticated weapons systems, just the latest sign that the culture of hacking in China continues to put America on the defensive…
• http://www.thewire.com/global/2013/05/china-hackers-pentagon/65628/
Security attacks/breaches in the U.S. government from July 2014 to November 2014 include Health and Human Services, Energy Department, Postal Service, White House, State Department—those are just the reported ones; there may be more that are not reported or, worse yet, do not even know they were attacked.8
Summary
As you can see, attacks and those issues associated with attacks and defense are numerous and vary in their approach. Learn from these attacks, so your government agency or corporation does not become a casualty of this global information warfare.
1 Much of this chapter is quoted with permission from the author and his coauthor's book, Global Information Warfare, second edition, published by CRC Press.
2 Report (A/65/201) of the Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security.
3 All stories are edited, generally direct quotes from the cited Web sites, except where otherwise noted.
4 http://en.wikipedia.org/wiki/Stuxnet; Razvan, Bogdan. "Win32.Worm.Stuxnet.A". Retrieved March 28, 2014.
5 TV program called "NOVA," October 8, 2014.
6 "Cyber Wargame," August 25, 2014, Fox Business Channel TV.
7 Taken from the FBI's Web site.
8 Cavuto, Fox News TV program, November 21, 2014.
SECTION II
The Duties and Responsibilities of a Cyber Security Officer
OUTLINE
Introduction
Chapter 6. The Cyber Security Officer's Position, Duties, and Responsibilities
Chapter 7. The Cyber Security Program's Strategic, Tactical, and Annual Plans
Chapter 8. Establishing a Cyber Security Program and Organization
Chapter 9. Determining and Establishing Cyber Security Functions
Chapter 10. Establishing a Metrics Management System
Chapter 11. Annual Reevaluation and Future Plans
Chapter 12. High-Technology Crimes Investigative Support
Introduction
Section I provided a basic understanding of the external world, with all its many threats to information and information systems—all of which have a direct bearing on the cyber security officer and his or her job. Section II provides a more internal, business focus on the world of the cyber security officer.
Section II begins with the identification of the position, duties, and responsibilities of the corporation cyber security officer. It progresses through a discussion of:
• establishing and managing a cyber security program;
• strategic, tactical, and annual plans;
• developing and managing a cyber security organization and its functions;
• measuring cyber security costs, failures, and successes through metrics management;
• supporting the investigative staff; and
• an overview of the cyber security program in a nation-state's national security environment.
CHAPTER 6
The Cyber Security Officer's Position, Duties, and Responsibilities
Abstract
The objective of this chapter is to define the role that the cyber security officer will play in a corporation or government agency. In this case, it is the role of the cyber security officer in an international corporation. The duties and responsibilities of a cyber security officer vary depending on the place of employment. However, in this case, we are assuming the cyber security officer has the perfect position because it is one all cyber security officers should strive to attain in order to "do it right the first time."
Keywords
Cellular phones; Cyber security officer; Management blank check; Mission statements; Project management; Quality statements; Risk management; Vision statements
Responsible, who wants to be responsible? Whenever something bad happens, it's always, who's responsible for this?
Jerry Seinfeld1
CONTENTS
Introduction
Where It Began and Its Evolution and Revolution
The Cyber Security Officer in a Global Corporation
Cyber Security Officer Duties and Responsibilities
Goals and Objectives
Leadership Position
Providing Cyber Security Service and Support
Use Team Concepts
Vision, Mission, and Quality Statements
Vision Statements
Mission Statements
Quality Statement
Cyber Security Principles
Project and Risk Management Processes
Project Management
Risk Management
Cyber Security Officer and Organizational Responsibilities
Cyber Security Officer's Formal Duties and Responsibilities
Summary of the Purpose of the Cyber Security Officer Position
Accountabilities
Summary
CHAPTER OBJECTIVE
The objective of this chapter is to define the role that the cyber security officer will play in a corporation or government agency. In this case, it is the role of the cyber security officer in an international corporation. The duties and responsibilities of a cyber security officer vary depending on the place of employment. However, in this case, we are assuming the cyber security officer has the perfect position because it is one all cyber security officers should strive to attain in order to "do it right the first time."
Introduction
The role of the cyber security officer is more demanding now than ever before, owing to advances in technology, especially in miniaturization and mobility; more national and global network interfaces to his or her corporation; and more sophisticated attacks. The challenges have never been greater, but they will be over time.
Where It Began and Its Evolution and Revolution
We began with only physical security, as after all, the ENIAC and other computers did not connect to the world. A guard, a paper-authorized personnel access list, an alarm, and such were all that were needed in those early days. But as the computer evolved over time, so did the profession of the cyber security officer.
The security profession at that time was primarily made up of retired or former law enforcement or military personnel, who had no interest in computer security. They knew physical security, investigations, and personnel security. This new thing called a computer was best left to the computer scientists and engineers.
As systems evolved, so did the departments responsible for their support. Departments that were once engineering departments perhaps became information resource management departments and later became known as information technology (IT) departments. The protection of this new technology stayed with the IT people. However, the computer security positions within the IT departments also evolved.
As the microprocessor and its related technology developed, the once-separated telecommunications and computer staffs began their integration. Consequently, the "computer security" profession began to also consider the protection of information as it flowed through telecommunications links. As the Internet evolved, the need for protecting information as it was displayed, such as on Web sites, also became an important task for those responsible for protecting the hardware, software, and firmware.
Information and related systems are some of a business's most valuable assets, one can argue, second only to the employees. In fact, although no one in management within a business would ever prioritize assets to place information and systems above the employees—at least not publicly—people can always be replaced, and replaced at less cost and adverse impact to the business, than trade secrets and information networks. However, that will probably remain an unspoken issue because of the sensitive nature of valuing machines over humans.
When we think about it, though, information really is business's No. 1 asset. After all, employees can be terminated, even replaced by computers, and the business survives. In fact, profits may even increase because of lower labor costs. However, eliminate an intranet or national or global information infrastructure connection and the business could be lost.
Today, the cyber security officer position is generally still part of the IT department's function. Now, the cyber security officer is responsible for the protection of information and the systems that store, process, transmit, and display that information. The cyber security officer profession has matured into a separate profession, and in most large-to-medium companies, it is more than a part-time job or additional responsibility these days. In smaller businesses it remains mostly a part-time job or is outsourced with other security-related functions.
Information systems of various types, such as cellular phones, notebook computers, personal digital assistants, and fax machines, are all used to process, store, transmit, and display information. These devices are becoming more and more integrated into one device. Couple this phenomenon with the hard copies being produced, and one finds that information may be protected on an intranet but leaked through a cellular phone or printed on paper and then taken out of the business's facilities.
Case Study
Cellular phones are becoming smaller and smaller. Digital cameras are also being installed into these cellular phones. Since management wants their employees to have the latest high-technology devices that help support the business in the most efficient and effective way possible, employees are issued cellular phones. The cellular phones with digital cameras integrated into them allow employees to digitally send photographs as part of their business communications processes. It also provides the opportunity for the employee to photograph sensitive documents, facilities, and such and send the photos directly to unauthorized sources. Thus, there is now another method of performing "Netspionage" (network-enabled espionage). As a cyber security officer, do you have policies, etc., in place to mitigate this new threat?
The cyber security officer position must evolve to be responsible not only for protecting information and systems related to, or the responsibility of, the IT department, but also for protecting all of the business's information assets. It is ridiculous to have the business security professional responsible for the security of company assets, including hard-copy documents, people, and facilities, and leave the protection of automated information and systems essentially to IT people. These positions must be integrated to provide a holistic asset protection approach. This may be accomplished through the evolution of the cyber security officer professional into more than a "computer protector" and the security manager into more than a physical security manager. Here in 2016, we are slowly, grudgingly getting there, but ever so slowly, except when it comes to management fixing blame, of course.
The cyber security officer position is evolving, but no real, permanent, standardized "home" has been identified for the cyber security officer position. It depends on the structure and culture of the corporation in which he or she is employed. We do see signs of this changing as this evolution continues, from guard, computer scientist, engineer, IT specialist, computer security specialist, to information security (InfoSec) to cyber security officer, with some indications of change to corporate information assurance officer or corporate information security officer or cyber security officer. In some cases, the evolution of the profession has already led to making the cyber security officer a part of executive management in the position of a vice president. Of course this varies, as can be expected, by the culture of the corporation.
Still, the evolution must continue until all information and systems are integrated into a total business cyber security profession. This requires the combining of business (corporate) security, for example, physical security and personnel security, and the cyber security officer responsibilities. It is the best way to safeguard all business assets in a holistic and cost-effective manner, but again, based on the corporate culture.
The Cyber Security Officer in a Global Corporation
If you are chosen as the new cyber security officer for a global corporation, you should have determined the history of that position:
• When was it established?
• Why?
• What is expected of you as the cyber security officer?
• What are your responsibilities and duties?
• What are you accountable for?
• What happened to the last one? (You want to know so you can understand the political environment in which you will be working.)
As you begin your new job as the corporate cyber security officer, you must clearly determine what is expected of you. Again, this information should have been asked during your interview process for two reasons:
• So you know what you were getting into by accepting the cyber security officer position and
• So you can better prepare for the position with a more detailed cyber security program prior to beginning your first day at work.
You need a detailed plan prior to beginning your employment because you will be behind schedule from the moment you walk in the corporate door. That is because putting together a cyber security program from the start is a tremendous project. More likely than not, in today's world, you will probably be inheriting someone else's cyber security program.
As the new cyber security officer, it is important to review the program you are inheriting, its philosophy, and the logic behind its policies and procedures. Never change anything unless you can make it better based on risk analysis methodology, not just different, as that costs money. Furthermore, there may be very good reasons it is what it is, or the chief executive officer or corporate information officer (CIO) would not have approved it the way you inherited it.
You must also determine the answers to the following:
• What is important and requires protection?
• What is being protected?
• In what manner?
• Is a staff needed?
• If so, how many?
• With what qualifications, for what positions?
• What are the tasks to be performed?
• What are the mandatory, best practices, and optional requirements to be met?
• What processes and functions are necessary to meet those requirements?
• What are the necessary budget allocations?
• What metrics management techniques are required?
and the list goes on.
On top of all this is the need to learn about the corporate culture, normal corporate policies and procedures, and all that comes with just joining a company. As the new cyber security officer, you cannot afford to waste any time in your 24/7 duties. You must understand and learn your new environment, the key players, and the issues that must be addressed first. Often, cyber security officers tend to isolate themselves from the rest of the corporation and consider it almost a "me against them" situation. In today's corporations this will get you nowhere but possibly out the corporate door. As a cyber security officer, you and your staff must integrate your functions into the corporate mainstream and integrate yourselves into the processes of the business. "Teaming" with others in the corporation is the only way to succeed in today's information-based, information-supported, and information-dependent modern corporations.
The cyber security officer must eventually get into a proactive mode to be successful, that is, identifying problems and solutions before they come to the attention of management. Cyber security-related problems will undoubtedly get management's attention when they adversely affect costs and/or schedules. Adverse impacts on costs and schedules run contrary to the cyber security program goal, objectives, etc.
When a cyber security officer is in the position of constantly putting out fires, the proactive cyber security program battle is lost. If that battle is lost, the results are adverse impacts on costs and schedules. The goal of a cost-effective cyber security program cannot be attained.
As the cyber security officer, you have been told that you are expected to establish and manage a cyber security program that works and is not a burden on the corporation. You are told to establish a program that you believe is necessary to get the job done. You have the full support of management because they have come to realize how important their information and systems are to the corporation maintaining its competitive advantage in the global marketplace. This honeymoon will last maybe about six months—if you are lucky. So, you must take advantage of it. To do so, you must have a fast start and then pick up speed.
Based ideally on a "management blank check" and your prior experience (or for the inexperienced cyber security officer, the information gained from reading this book), you have evaluated the corporate environment and have decided that the overall goal of the cyber security program is to:
Administer an innovative cyber security program that minimizes risks to these valuable assets at least impact to costs and schedules, while meeting all of the corporation's and customers' reasonable expectations.
If that is what is expected of you, then that is your primary goal. Everything you do as the cyber security officer should be focused and directed toward meeting that goal. That includes incorporating that philosophy into your:
• Cyber security strategic plan,
• Tactical plan, and
• Annual plan.
Cyber Security Officer Duties and Responsibilities
As a global corporation's cyber security officer, you have certain duties and responsibilities. These include the following:
• Managing people, which includes:
  Building a reputation of professional integrity;
  Maintaining excellent business relationships;
  Dealing with changes;
  Communicating;
  Influencing people in a positive way;
  Building a teamwork environment; and
  Developing people through performance management, such as directing and helping the cyber security staff to be result-oriented.
• Managing the business of the cyber security program, which consists of:
  A commitment to results;
  Being customer/supplier focused;
  Taking responsibility for making decisions;
  Developing and managing resource allocations, such as budgets;
  Planning and organizing;
  Being a problem-solver;
  Thinking strategically;
  Using sound business judgment; and
  Accepting personal accountability and ownership.
• Managing cyber security processes, which includes:
  Project planning and implementation;
  Persistence of quality in everything;
  Maintaining a systems perspective; and
  Maintaining current job knowledge.
Goals and Objectives
Remember that your primary goal is to administer an innovative cyber security program that minimizes information protection risks at the least impact to costs and schedules, while meeting all of the corporation's and customers' reasonable expectations.
You must have as your objectives at least the following:
• Enhance the quality, efficiency, and effectiveness of the cyber security program.
• Identify potential problem areas and strive to mitigate them before they adversely affect processes, and especially before management and/or customers identify them.
• Enhance the company's ability to attract customers because of the ability to efficiently and effectively protect their information.
• Establish and manage the InfoSec organization as the leader in the widget industry.
Leadership Position
As a cyber security officer, you will be in a leadership position. In that position, it is extremely important that you understand what a leader is and how a leader is to act.
According to the definition of leadership found in numerous dictionaries and management books, it basically means the position or guidance of a leader; the ability to lead; the leader of a group; a person that leads; or the directing, commanding, or guiding head, as of a group or activity.
As a cyber security professional and leader, you must set the example: create and foster an "information protection consciousness" within the company.
As a corporate leader, you must communicate the company's community involvement, eliminate unnecessary expenses, inspire corporate pride, and find ways to increase profitability.
As a team leader, you must encourage teamwork, communicate clear direction, create a cyber security environment conducive to teaming, and treat others as peers and team members, not as competitors.
As a personal leader, you must improve your leadership skills, accept and learn from constructive criticism, take ownership and responsibility for decisions, make decisions in a timely manner, and demonstrate self-confidence.
Providing Cyber Security Service and Support
As the cyber security officer and leader of a cyber security service and support organization, you must be especially tuned to the needs, wants, and desires of your customers, both internal (those within the company) and external (those who are outside the company and are usually the company's customers).
To provide service and support to your external customers, you must:
• Identify their information protection needs;
• Meet their reasonable expectations;
• Show by example that you can meet their expectations;
• Treat customer satisfaction as Priority 1;
• Encourage feedback and listen;
• Understand their needs and expectations;
• Treat customer requirements as an important part of the job;
• Establish measures to ensure customer satisfaction; and
• Provide honest feedback to customers.
To provide service and support to your internal customers, you must:
• Support their business needs;
• Add value to their services;
• Minimize security impact to current processes; and
• Follow the same guidelines as for external customers.
As the corporate cyber security officer, you will also be dealing with suppliers of cyber security products. These suppliers or vendors are valuable allies because they can explain to you the many new cyber security-related problems being discovered, and how their products mitigate those problems. In addition, they can keep you up-to-date on the latest news within the cyber security officer profession and about the latest InfoSec tools available. Furthermore, you can make yourself available to beta test new cyber security products and provide feedback so the final products will meet your needs.
In dealing with suppliers of cyber security-related products, you should do the following:
• Advise them of your needs and what types of products can help you;
• Assist them in understanding your requirements and the products that you want from them, including what modifications they must make to their products before you are willing to purchase them;
• Direct them in the support and assistance they are to provide you;
• Respect them as team members;
• Value their contributions;
• Require quality products and high standards of performance from them; and
• Recognize their needs also.
Use Team Concepts
It is important that as the cyber security officer, you understand that the cyber security program is a company program. To be successful, the cyber security officer cannot operate independently, but as a team leader, with a team of others who also have a vested interest in the protection of the company's information and information systems.
It is important to remember that if the cyber security program and its related functions are divided among two or more organizations (e.g., other asset protection such as physical security of hardware under the security department), there will naturally be a tendency for less communication and coordination, and of course political turf battles. The cyber security officer must be sensitive to this division of functions and must ensure that even more communication and coordination occur between all the departments concerned.
The cyber security procedures must be sold to the management and staff of the corporation. If they are presented as a law that must be followed or else, then they will be doomed to failure. The cyber security officer will never have enough staff to monitor everyone all the time, and that is what will be needed. For as soon as the cyber security officer's back is turned, the employees will go back to doing it the way they want to do it. Everyone must do it the "right security way" because they know it is the best way and in their own interests, as well as in the interest of the corporation.
In many global corporations today, success can be achieved only through continuous interdepartmental communication and cooperation and by forming specialists from various organizations into integrated project teams to solve company problems. The cyber security officer should keep that in mind. Teaming and success go together in today's modern corporation.
Vision, Mission, and Quality Statements
Many of today's modern corporations have developed vision, mission, and quality statements using a hierarchical process. The statements, if used, should link all levels in the management and organizational chain. The statements of the lower levels should be written and used to support the upper levels and vice versa.
The following examples can be used by the cyber security officer to develop such statements, if they are necessary. It all depends on the culture of the corporation and the processes in place. It seems that these types of statements are "politically required" but given lip service as they are thrust on the employees by some outsourced marketing firm or internal marketing group.
Vision Statements
In many of today's businesses, management develops a vision statement. As stated earlier in this book, the vision statement is usually a short paragraph that attempts to set the strategic goal, objective, or direction of the company.
The corporation may have a vision statement and require all organizations to have statements based on the corporate statement. Remember that a vision statement is a short statement that:
• Is clear, concise, and understandable by the employees;
• Is connected to ethics, values, and behaviors;
• States where the corporation wants to be (long term);
• Sets the tone; and
• Sets the direction.
The following is an example of a vision statement: The corporate vision is to maintain its competitive advantage in the global marketplace by providing widgets to our customers when they want them, where they want them, and at a fair price.
The cyber security officer may report to the CIO, whose vision statement may be: In partnership with our customers, we provide a competitive advantage for the IWC widget by continuous maximization of available technology and innovative information management concepts to enhance productivity and cost-effectively support increased production of corporate products.
The cyber security vision statement may be: We provide the most efficient and effective cyber security program for the corporation, which adds value to our products and services, as a recognized leader in the widget industry.
Mission Statements
Remember that mission statements are declarations of the purpose of a business or government agency. Below are samples:
Mission statement: The corporate mission is to design, manufacture, and sell high-quality products, thereby expanding our global market share while continuing to improve processes to meet customers' expectations.
CIO mission statement: The mission of the corporate information office is to efficiently and effectively manage information and provide low-cost, productivity-enhanced, technology-based services that will assist IWC in maintaining its competitive advantage in the marketplace.
Cyber security program mission statement: Administer an innovative program that minimizes information protection risks at the least impact to cost and schedule, while meeting all of IWC's and customers' information and information systems assets requirements.
Quality Statement
Remember that quality is what adds value to your company's products and services. It is what your internal and external customers expect from you.
Quality statement: To provide quality widgets to our customers with zero defects by building it right the first time.
CIO quality statement: To provide quality information management services and systems support while enhancing the productivity opportunities of the IWC workforce.
Cyber security program quality statement: Consistently provide quality cyber security professional services and support that meet the customers' requirements and reasonable expectations, in concert with good business practices and company guidelines.2
Cyber Security Principles
The cyber security officer's duties and responsibilities are many and sometimes quite complex and conflicting. However, as the corporate cyber security officer, you must never lose sight of the three basic principles:
• Access control;
• Individual accountability; and
• Audit trails.
This triad of principles must be incorporated into the cyber security program. For just as a three-legged stool requires three strong and level legs to be useful, the cyber security program requires these three strong principles. Without all three, the cyber security program will topple, just as a two-legged stool will topple.
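The three legs of the stool can be seen working together in a single access decision. The following is an added example, not code from the book: a minimal reference monitor that, on every request, makes an access-control decision against an ACL, refuses requests from accounts that cannot be tied to one individual (so every decision is attributable), and writes the outcome, denials included, to an audit trail whose entries are hash-chained so that a deleted or edited entry is detectable. The principal names, the ACL and the list of shared accounts are constructed for illustration.

```python
# Added example (not from the book): a minimal reference monitor that applies
# all three principles to every request. Principal names, the ACL and the
# SHARED_ACCOUNTS list are constructed for illustration.
import hashlib
import json

# Accounts that cannot be tied to one person; requests from them are refused,
# because a decision nobody can be held to is not individually accountable.
SHARED_ACCOUNTS = {"admin", "root", "service"}

GENESIS = "0" * 64


class AuditTrail:
    """Append-only log in which every entry carries the hash of the one
    before it, so a removed, reordered or edited entry breaks the chain."""

    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(prev, record):
        body = json.dumps(record, sort_keys=True)
        return hashlib.sha256((prev + body).encode()).hexdigest()

    def append(self, record):
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        entry = {"prev": prev, "record": dict(record),
                 "hash": self._digest(prev, record)}
        self.entries.append(entry)
        return entry["hash"]

    def verify(self):
        """True if every entry still chains to its predecessor unchanged."""
        prev = GENESIS
        for e in self.entries:
            if e["prev"] != prev or self._digest(prev, e["record"]) != e["hash"]:
                return False
            prev = e["hash"]
        return True


class ReferenceMonitor:
    """Mediates every access: decide, attribute to an individual, record."""

    def __init__(self, acl):
        self.acl = acl          # {(principal, resource): set(actions)}
        self.audit = AuditTrail()
        self.seq = 0

    def request(self, principal, resource, action):
        self.seq += 1
        if principal in SHARED_ACCOUNTS:
            allowed, reason = False, "shared account refused: no individual accountability"
        elif action in self.acl.get((principal, resource), set()):
            allowed, reason = True, "permitted by ACL"
        else:
            allowed, reason = False, "denied by ACL"
        # Denials are logged as well: an attempted access is exactly the kind
        # of event that access-violation analysis later looks for.
        self.audit.append({"seq": self.seq, "who": principal, "action": action,
                           "resource": resource, "allowed": allowed, "why": reason})
        return allowed


def demo():
    """Constructed scenario: returns the decisions and the monitor after three requests."""
    acl = {("alice", "widget-design"): {"read", "write"},
           ("bob", "widget-design"): {"read"}}
    monitor = ReferenceMonitor(acl)
    results = [monitor.request("alice", "widget-design", "write"),
               monitor.request("bob", "widget-design", "write"),
               monitor.request("admin", "widget-design", "read")]
    return results, monitor


if __name__ == "__main__":
    results, monitor = demo()
    print(results, "audit trail intact:", monitor.audit.verify())
```

Remove any one of the three pieces and the stool tips: without the ACL there is no control, without the shared-account refusal an allowed action cannot be pinned on a person, and without the chained trail a violation can be quietly erased before the access-violation analysis described later in this chapter ever sees it.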
Project and Risk Management Processes
Two basic processes that are an integral part of a cyber security program are project management and risk management concepts.
Project Management
As the cyber security officer and organizational manager and leader for the corporation, you will also provide oversight on cyber security-related projects that are being worked by members of your staff.
The criteria for a project are as follows: Formal projects, along with project management charts, will be initiated where improvements or other changes will be accomplished and where that effort has an objective, has beginning and ending dates, and will take longer than 30 days to complete. If the project will be accomplished in less than 30 days, a formal project management process is not needed. The rationale for this is that projects of short duration are not worth the cost (in terms of time needed to complete the project plan, charts, etc.) of such a formal process.
Risk Management
To be cost-effective, the cyber security officer must apply risk-management concepts and identify:
• Threats to the information and information systems of the corporation;
• Vulnerabilities (information systems' weaknesses);
• Risks; and
• Countermeasures to mitigate those risks in a cost-effective way.
Cyber Security Officer and Organizational Responsibilities
As the cyber security officer, you will be managing and leading a cyber security organization. You will be responsible for developing, implementing, maintaining, and administering a company-wide program. The following is an example scenario for the development of your organizational responsibilities.
You have evaluated the corporate environment and found that a centralized cyber security program is required to cost-effectively jump-start the program and its associated processes. Your evaluation of what is needed led you to consider the following program-related functions for development:
• Management of all functions and work that are routinely accomplished during the course of conducting the organization's business in accordance with corporate policies and procedures;
• System access administration and controls, including the direct use and control of system access software, monitoring its use, and identifying access violations;
• Access violation analyses to identify patterns and trends that may indicate an increased risk to systems or information;
• Computer crime and abuse inquiries where there are indications of intent to damage, destroy, modify, or release to unauthorized people information of value to the company (Note: this function was coordinated and agreed to by the Director of Security as long as his investigative organization manager was kept apprised of the inquiries and copies of all reports sent to that manager);
• Disaster recovery/contingency planning, which includes directing the development and coordination of a company-wide program to mitigate the possibility of loss of systems and information and ensure their rapid recovery in the event of an emergency or disaster;
• An awareness program established and administered to all system users to make them aware of the information systems protection policies and procedures that must be followed to adequately protect systems and information;
• Evaluation of the systems' hardware, firmware, and software for impact on the security of systems and information;
• Where applicable, conduct of risk assessments, with the results reported to management for risk decisions; and
• Conduct of systems' compliance inspections, tests, and evaluations to ensure that all users and systems are in compliance with IWC's CIAPP policies and procedures.
Cyber Security Officer's Formal Duties and Responsibilities
Based on the above and in concert with the executive management of the corporation, the cyber security officer has developed and received approval for formally establishing the following charter of the cyber security officer responsibilities:
Summary of the Purpose of the Cyber Security Officer Position
Develop, implement, maintain, and administer an overall, corporate-wide cyber security program to include all plans, policies, procedures, assessments, and authorizations necessary to ensure the protection of customer, subcontractor, and corporate information from compromise, destruction, and/or unauthorized manipulation while being processed, stored, and/or transmitted by corporate's information systems.
Accountabilities
• Identify all government, customer, and corporate cyber security requirements necessary for the protection of all information processed, stored, and/or transmitted by corporate's information systems; interpret those requirements; and develop, implement, and administer corporate plans, policies, and procedures necessary to ensure compliance.
• Evaluate all hardware, firmware, and software for impact on the security of the information systems; direct and ensure their modification if requirements are not met; and authorize their purchase and use within the corporation and applicable subcontractor locations.
• Establish and administer the technical security countermeasures program to support the corporate requirements.
• Establish and administer a security test and evaluation program to ensure that all of corporate's and applicable subcontractors' information systems/networks are operating in accordance with their contracts.
• Identify, evaluate, and authorize for use all information systems and other hardware within the corporation and at applicable subcontractor locations to ensure compliance with red/black engineering where proprietary and other sensitive information is processed.
• Direct the use of, and monitor, the corporate's information systems access control software systems; analyze all systems' security infractions/violations and report the results to management and human resources personnel for review and appropriate action.
• Identify information systems business practices and security violations/infractions; conduct inquiries; assess potential damage; direct and monitor corporate management's corrective action; and implement/recommend corrective/preventive action.
• Establish and direct a corporate-wide telecommunications security working group.
• Develop, implement, and administer a risk assessment program; provide analyses to management; modify corporate and subcontractor requirements accordingly to ensure a lowest-cost cyber security program.
• Establish and administer a cyber security awareness program for all corporate information systems users, to include customers and subcontractor users, and ensure they are cognizant of information systems threats and of security policies and procedures necessary for the protection of information systems.
• Direct and coordinate a corporate-wide information systems emergency/disaster recovery/contingency planning program to ensure the rapid recovery of information systems in the event of an emergency or disaster.
• Direct the development, acquisition, implementation, and administration of the cyber security organization's software systems.
• Represent the corporation on all cyber security matters with customers, government agencies, suppliers, and other outside entities.
• Provide advice, guidance, and assistance to management relative to cyber security matters.
• Perform common management accountabilities in accordance with corporate's management policies and procedures.
Summary3
The role of today's cyber security officer has evolved over time and will continue to evolve. The cyber security officer profession offers many challenges to anyone who wants to match wits with global hackers, criminals, terrorists, and other miscreants. In a business environment such as that of a global corporation, the cyber security officer has specific responsibilities. As a cyber security officer, you should understand the following:
• The cyber security officer position is a leadership position within a company.
• The recently hired cyber security officer must know what the company expects of its new cyber security officer and should have a clear understanding of those expectations before taking the position.
• The three primary responsibilities of a cyber security officer are: (1) managing people, (2) managing the cyber security program, and (3) managing cyber security processes.
• The cyber security officer must set forth clear goals and objectives.
• The cyber security officer in the leadership role must be a company leader, team leader, and personal leader.
• The cyber security officer must provide cyber security service and support using team concepts.
• The cyber security officer should develop vision, mission, and quality statements as guides to developing a successful cyber security program.
• The cyber security officer should strive to administer a cyber security program in which all the major cyber security functions are under the responsibility of the cyber security officer.
1 Reader's Digest, October 2002, p. 73.
2 You will find that the same themes of service, support, cost-effectiveness, customer expectations, etc., continuously run through this book. It is hoped that the constant reinforcement will cause the reader to continuously think of these themes when establishing and managing a cyber security program.
3 Much of the information in this chapter provides details that could be used to fill in the details of the cyber security officer's portfolio.
CHAPTER 7
The Cyber Security Program's Strategic, Tactical, and Annual Plans
Abstract
The objective of this chapter is to establish the strategic, tactical, and annual plans for the cyber security organization. These plans will also set the direction for corporate's cyber security program while integrating the cyber security plans into corporate's plans, thus indicating that the cyber security program is an integral part of the corporation.
Keywords
Corporate annual business plan; Corporate format; Corporate's strategy; Cost-effective method; Cyber security strategic plan; Cyber security tactical plan
Though this be madness, yet there is method in't.
William Shakespeare1
CONTENTS
Introduction
Corporate's Cyber Security Strategic Plan
The Cyber Security Strategic Plan Objective
Cyber Security Strategic Plan and Team Concepts, Communication, and Coordination
Cyber Security Strategic Planning Considerations
Mapping Corporate's Cyber Security Strategic Plan to the Corporate Strategic Business Plan
Writing the Cyber Security Strategic Plan
Corporate's Cyber Security Tactical Plan
Writing the Cyber Security Tactical Plan
Cyber Security Annual Plan
Cyber Security Annual Plan Projects
Mapping the Cyber Security Annual Plan to the Corporate Annual Business Plan
Writing the Cyber Security Annual Plan
Questions to Consider
Summary
CHAPTER OBJECTIVE
The objective of this chapter is to establish the strategic, tactical, and annual plans for the cyber security organization. These plans will also set the direction for corporate's cyber security program while integrating the cyber security plans into corporate's plans, thus indicating that the cyber security program is an integral part of the corporation.
Introduction
The saying "Ya gotta have a plan" definitely applies to successfully accomplishing the duties and responsibilities of a cyber security officer. Without strategic, tactical, and annual plans, the officer would be spending all of every day running from crisis to crisis and haphazardly trying to protect information and information systems for the corporation. In addition, these plans are the cost-effective method of providing a secure information environment for the corporation.
There will always be crises to contend with; however, even most crises can be planned for so that when they occur, an emergency plan can be implemented. The plan will provide at least guidance and an outline of what to do: not only what to do, but when and how to do it rapidly and effectively. Let's face it: Most crises can be identified, and we are already accustomed to doing so through our disaster recovery and contingency planning for such events as fires, typhoons, and earthquakes. We should do the same for other events that would be classified as an emergency, such as, but of course not limited to, the following:
• Web-site attack and defacement,
• Denial-of-service attack,
• Worm or virus attack, and
• Other malicious attacks or accidents.
As a professional cyber security officer, when you learn of a new type of attack, check your emergency contingency plans and determine whether the latest type of attack would be addressed by one of those plans. If so, great! If not, then it's time to develop another plan or update a current plan. By the way, as you should already know:
• These plans must be developed with input from various departments such as auditors, legal, and IT in a project team environment;
• They must be kept current; and
• They must be tested often to ensure that the identified emergency response team is trained and can operate effectively and efficiently.
As with the cyber security program, all plans should be placed online with read access for all employees. It will also be easier to keep the plans current, and through the intranet Web site or through e-mail, everyone can be notified of changes to the plans. The cyber security officer should also have a project to ensure that information and systems protection policies and procedures are kept online for read access by all employees. The cyber security officer should consider, as much as possible, having a paperless cyber security program and cyber security organization. One caveat: the emergency plans must still be reachable when the intranet and e-mail are themselves casualties of the incident (a denial-of-service attack or worm outbreak being the obvious cases), so the response team needs a copy that does not depend on the systems being recovered.
At the corporate level, all information and systems protection plans are considered subsets of the cyber security program, as are all projects that are used to build the secure information environment.
Corporate's Cyber Security Strategic Plan
To be successful, the cyber security officer must have a cyber security strategic plan. That plan should be integrated, or at least compatible, with corporate's strategic business plan. It is this plan that sets the long-term direction, goals, and objectives for information protection as stated in the cyber security program, vision, mission, and quality statements.
Let's look at an example of a possible strategic business plan of a corporation.
The corporate strategic business plan sets forth the following information:
• The expected annual earnings for the next 7 years;
• The market-share percentage goals on an annual basis;
• The future process modernization projects based on expected technology changes of faster, cheaper, and more powerful computers, telecommunications systems, and robotics;
• Corporate expansion goals; and
• Corporate's acquisition of some current subcontractor and competitive companies.
The cyber security strategic plan is the basic document on which to build the corporate cyber security program with the goal of building a comprehensive information protection environment at lowest cost and least impact to the company.
When developing the plan, the cyber security officer must ensure that the following basic cyber security principles are included, either specifically or in principle (since they are part of the cyber security strategy):
• Minimize the probability of a cyber security vulnerability,
• Minimize the damage if a vulnerability is exploited, and
• Provide a method to recover efficiently and effectively from the damage.
Let's assume that the corporate strategic business plan called for a mature cyber security program within the next seven years that:
• Can protect corporate's information while allowing access to its networks by its international and national customers, subcontractors, and suppliers; and
• Can support the integration of new hardware, software, networks, etc., while maintaining the required level of cyber security without affecting schedules or costs.
The Cyber Security Strategic Plan Objective
The objectives of the plan are to:
• Minimize risks to systems and information,
• Minimize impact on costs,
• Minimize impact on schedules,
• Assist in meeting contractual requirements,
• Assist in meeting noncontractual requirements,
• Build a comprehensive systems security environment,
• Respond flexibly to changing needs,
• Support multiple customers' information protection needs,
• Incorporate new technologies as soon as needed,
• Assist in attracting new customers, and
• Maximize the use of available resources.
Cyber Security Strategic Plan and Team Concepts, Communication, and Coordination
To have a successful cyber security program, the strategy calls for one that also deals with the office politics aspect of the corporate environment. A key element, which was stated earlier in this book, is to remember that the information and information systems belong to corporate, and not to the cyber security officer. Therefore, cooperation and coordination are a must!
Many functional organizations have an interest in the cyber security strategic plan and other cyber security program-related plans; therefore, the plans should be discussed with other team members such as the auditors, security personnel, human resources personnel, legal personnel, and others deemed appropriate.
The plan should also be discussed with, and input requested from, key members of the user community and corporate managers. After all, what you do affects what they do! It is a great way to get communication and interaction going. This will lead to a better plan and one that has broad-based support.
Their input and their understanding of what the cyber security officer is trying to accomplish will assist in ensuring corporate-wide support for the cyber security program. For only with this kind of communication and interaction can the cyber security officer's cyber security program succeed.
Cyber Security Strategic Planning Considerations
The planning considerations must include the following:
• Good business practices,
• Quality management,
• Innovative ideas,
• Cyber security vision statement,
• Cyber security mission statement,
• Cyber security quality statement, and
• Providing channels for open communication with others such as the auditors, systems personnel, security personnel, users, and management.
All these factors must be considered when developing a cyber security program strategy and documenting that strategy in the cyber security program.
The corporate process flow of plans begins with the corporate strategic business plan and runs through to the corporate annual business plan. Each plan's goals and objectives must be able to support one another: top-down and bottom-up.
Once this process is understood, the next step is to map the cyber security strategic plan into the corporate strategic business plan goals and objectives.
Mapping Corporate's Cyber Security Strategic Plan to the Corporate Strategic Business Plan
Corporate's strategy identified the annual earnings for the next seven years as well as market-share percentage goals. This clearly highlights the need for a cyber security program that will be cost-effective.
As was previously mentioned, cyber security is a "parasite" on the profits of corporate if it cannot be shown to be a value-added function (one that is needed to support the bottom line). Therefore, the cyber security program strategy must be efficient (cheap) and effective (good). If that can be accomplished, the cyber security program will be in a position to support the corporate strategy relative to earnings and market share.
Mapping these points in a flowchart or similar management tool can help the cyber security officer visualize a strategy prior to documenting that strategy in the cyber security strategic plan. The mapping will also assist the cyber security officer in focusing on the strategies that support the corporate strategies.2
Writing the Cyber Security Strategic Plan
Writing the plan will come much more easily once the mapping is completed. Once that is accomplished, the cyber security officer will write the plan following the standard corporate format for plan writing.
The corporate format was determined to be as follows:
1. Executive summary
2. Table of contents
3. Introduction
4. Vision statement
5. Mission statement
6. Quality statement
7. Cyber security strategic goals
8. How the cyber security strategies support corporate strategies
9. Mapping charts
10. Conclusion
Corporate's Cyber Security Tactical Plan
A tactical plan is a short-range plan (a three-year plan) that supports the corporate cyber security program and cyber security functional goals and objectives. The cyber security tactical plan should:
• Identify and define, in more detail, the vision of a comprehensive cyber security environment, as stated in the cyber security strategic plan;
• Identify and define the current corporate cyber security environment; and
• Identify the process to be used to determine the differences between the two.
Once that is accomplished, the cyber security officer can identify projects to progress from the current corporate cyber security environment to where it should be, as stated in the cyber security strategic plan. In the corporate tactical plan, it is also important to keep in mind:
• The company's business direction,
• The customers' direction, and
• The direction of technology.
Once these are established, the individual projects can be identified and implemented, beginning with the cyber security annual plan.
The corporate tactical business plan stated (again, using an example of a corporate plan), "In addition, it is expected to be able to integrate new hardware, software, networks, etc., with minimum impact on schedules or costs." Therefore, it will be necessary to establish a project with the objective of developing a process to accomplish that goal.
The cyber security officer must then also consider that the corporate cyber security program must contain processes to reevaluate the mechanisms used to protect information so that it is protected only for the period required. Therefore, a project must be established to accomplish that goal.
The corporate tactical business plan also called for the completion of a cyber security program that can protect corporate's information while allowing access to its networks by its international and national customers, subcontractors, and suppliers. Therefore, another project that must be developed is one that can accomplish this goal.
Writing the Cyber Security Tactical Plan
Writing the plan should be somewhat easier based on the experience gained in mapping the goals for the cyber security strategic plan and the corporate plans. Once that is accomplished, the cyber security officer will write the plan following the standard corporate format for plan writing.
The corporate format for the cyber security plan was determined to be as follows:
1. Executive summary
2. Table of contents
3. Introduction
4. Cyber security strategic goals
5. How the cyber security tactical plan supports the cyber security strategic plan
6. How the cyber security tactics support corporate tactics
7. Mapping charts (use an organization or flow chart if a pictorial representation will help the reader understand the approach used)
8. Conclusion
Cyber Security Annual Plan
The cyber security officer must also develop a cyber security annual plan to support the corporation's strategic business plan, cyber security strategic plan, and the corporate and cyber security tactical plans. The plan must include goals, objectives, and projects that will support the goals and objectives of corporate's annual business plan.
Corporate's cyber security annual plan is to be used to identify and implement projects to accomplish the goals and objectives as stated in all the other plans.
Remember, the cyber security program requires the following:
• Project management techniques,
• Gantt charts (schedule),
• Identified beginning date for each project,
• Identified ending date for each project,
• An objective for each project,
• Cost tracking and budget, and
• Identification of the responsible project lead.
Cyber Security Annual Plan Projects
The initial and major project of the cyber security officer's annual plan is to begin to identify the current corporate and cyber security environment. To gain an understanding of the current corporate environment, culture, and philosophy, the following projects are to be established:
1. Project title: Corporate Cyber Security Organization
   a. Project lead: Cyber security officer
   b. Objective: Establish a cyber security program to support organization
   c. Start date: January 1, 2016
   d. End date: July 1, 2016
2. Project title: Cyber Security Program Policies and Procedures Review
   a. Project lead: Cyber security officer
   b. Objective: Identify and review all cyber security program-related corporate documentation, and establish a process to ensure integration, applicability, and currency
   c. Start date: February 1, 2016
   d. End date: April 1, 2016
3. Project title: Cyber Security Team
   a. Project lead: Cyber security officer
   b. Objective: Establish a corporate cyber security program working group to assist in establishing and supporting a cyber security program
   c. Start date: January 1, 2016
   d. End date: February 1, 2016
4. Project title: Corporate Proprietary Process Protection
   a. Project lead: Cyber security organization systems security engineer
   b. Objective: Identification, assessment, and protection of corporate proprietary processes
   c. Start date: April 15, 2016
   d. End date: September 1, 2016
5. Project title: Cyber Security Organizational Functions
   a. Project lead: Cyber security officer
   b. Objective: Identify and establish cyber security organizational functions and their associated processes and work instructions
   c. Start date: January 15, 2016
   d. End date: July 1, 2016
6. Project title: Cyber Security Support to IT Changes
   a. Project lead: Cyber security organization systems security engineer
   b. Objective: Establish a process to provide service and support to integrate cyber security policies, procedures, and processes as changes are made in the IT environment
   c. Start date: March 15, 2016
   d. End date: October 1, 2016
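The six projects above, together with the list of what the program requires of each project (an objective, start and end dates, a responsible lead, a Gantt schedule) and the 30-day threshold for a formal project from the previous chapter, are enough to check the plan mechanically. The following is an added example, not from the book: the projects entered as constructed records, a validator for the required fields and dates, a count of how many projects one lead is running at once (a quick test of whether the schedule is realistic for a one-person office), and a text Gantt chart by month. The chapter gives no cost figures, so the cost-tracking field is left out.

```python
# Added example (not from the book): the six annual-plan projects above,
# entered as constructed records and checked against the chapter's own
# requirements for a project (objective, lead, start and end dates, a
# schedule, the 30-day threshold for a formal project), then laid out as
# a text Gantt chart by month. No cost data appears in the chapter, so
# the cost-tracking field is left out.
from datetime import date

OFFICER = "Cyber security officer"
ENGINEER = "Cyber security organization systems security engineer"

PROJECTS = [
    {"title": "Corporate Cyber Security Organization", "lead": OFFICER,
     "objective": "Establish a cyber security program to support organization",
     "start": date(2016, 1, 1), "end": date(2016, 7, 1)},
    {"title": "Cyber Security Program Policies and Procedures Review", "lead": OFFICER,
     "objective": "Identify and review all program-related documentation",
     "start": date(2016, 2, 1), "end": date(2016, 4, 1)},
    {"title": "Cyber Security Team", "lead": OFFICER,
     "objective": "Establish a corporate cyber security program working group",
     "start": date(2016, 1, 1), "end": date(2016, 2, 1)},
    {"title": "Corporate Proprietary Process Protection", "lead": ENGINEER,
     "objective": "Identify, assess, and protect corporate proprietary processes",
     "start": date(2016, 4, 15), "end": date(2016, 9, 1)},
    {"title": "Cyber Security Organizational Functions", "lead": OFFICER,
     "objective": "Identify and establish organizational functions and processes",
     "start": date(2016, 1, 15), "end": date(2016, 7, 1)},
    {"title": "Cyber Security Support to IT Changes", "lead": ENGINEER,
     "objective": "Establish a process to integrate cyber security into IT changes",
     "start": date(2016, 3, 15), "end": date(2016, 10, 1)},
]

REQUIRED = ("title", "lead", "objective", "start", "end")
FORMAL_PROJECT_MIN_DAYS = 30   # the chapter's threshold for a formal project


def validate(projects):
    """Return a list of problems; an empty list means the plan is complete."""
    problems = []
    for p in projects:
        name = p.get("title") or "<untitled>"
        for key in REQUIRED:
            if not p.get(key):
                problems.append(f"{name}: missing {key}")
        start, end = p.get("start"), p.get("end")
        if start and end:
            if end <= start:
                problems.append(f"{name}: end date is not after start date")
            elif (end - start).days < FORMAL_PROJECT_MIN_DAYS:
                problems.append(f"{name}: under {FORMAL_PROJECT_MIN_DAYS} days, "
                                "does not need a formal project")
    return problems


def peak_concurrent(projects, lead):
    """Most projects one lead is running on any single day (sweep over
    start/end events; an end on a day is processed before a start that day)."""
    events = []
    for p in projects:
        if p["lead"] == lead:
            events.append((p["start"], 1))
            events.append((p["end"], -1))
    events.sort(key=lambda e: (e[0], e[1]))   # -1 sorts before +1 on ties
    running = peak = 0
    for _, delta in events:
        running += delta
        peak = max(peak, running)
    return peak


def gantt(projects, year=2016):
    """One row per project, one cell per month: '#' if active that month."""
    rows = []
    for p in projects:
        cells = []
        for m in range(1, 13):
            month_start = date(year, m, 1)
            month_end = date(year + (m == 12), m % 12 + 1, 1)
            active = p["start"] < month_end and p["end"] > month_start
            cells.append("#" if active else ".")
        rows.append(f"{p['title'][:40]:<40} {''.join(cells)}")
    return "\n".join(rows)


if __name__ == "__main__":
    print(validate(PROJECTS) or "annual plan is complete")
    print(OFFICER, "peak concurrent projects:", peak_concurrent(PROJECTS, OFFICER))
    print(gantt(PROJECTS))
```

Run as written, the validator reports no problems, the chart shows the officer carrying projects 1, 2 and 5 at the same time from February through March (three concurrent projects, on top of projects 1, 3 and 5 overlapping in January), and the same functions will flag a project entered without a lead or with an end date before its start.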
Mapping the Cyber Security Annual Plan to the Corporate Annual Business Plan
As was previously shown, mapping the cyber security program and the cyber security annual plan to the corporate annual business plan can be easily accomplished. However, in this case, the corporate annual plan objectives were not stated, so the mapping to the corporate plan is not shown here.3
Writing the Cyber Security Annual Plan
As noted earlier, writing of the plans must follow the corporate format. The cyber security annual plan is no exception, and the following format is required:
1. Executive summary
2. Table of contents
3. Introduction
4. Cyber security annual goals
5. Cyber security projects
6. How the cyber security projects support corporate's annual plan goals
7. Mapping charts
8. Conclusion
Questions to Consider
Based on what you have read, consider the following questions and how you would reply to them:
• Does your company have plans that can be considered strategic, tactical, or annual, for example, long-range or short-range plans?
• Have you read them?
• If not, how do you know you are providing adequate service and support to the company?
• Do you have strategic, tactical, and annual plans that support the company's business plans?
• If so, are they current?
• How do you know?
• Do you have a process in place to keep them current?
• If not, why not?
• If you do have such plans, do you have a process in place and flowcharted to show how the plans, your information and systems protection functions, projects, risk management strategy, cost-benefit philosophy, and such are integrated into your cyber security program that supports the company's plans?
• If not, why not?
Summary
Planning is a vitally important and cost-effective way to establish a quality corporate cyber security environment. It will help focus on tasks that will effectively and efficiently meet the planning goals and objectives of a cyber security program. As part of that planning, the cyber security officer should consider the following points:
• The corporate cyber security strategic, tactical, and annual plans must be mapped and integrated into the corporate strategic, tactical, and annual business plans.
• The cyber security program-related plans must incorporate the cyber security vision, mission, and quality statements and their philosophies and concepts.
• The cyber security program-related plans must identify strategies, goals, objectives, and projects that support one another and the corporate plans.
• By mapping the goals of the corporate plans with those of the cyber security program-related plans, the required information fusion can take place and can be graphically represented.
• Mapping will make it easier for the cyber security officer to write the applicable cyber security plans.
• The cyber security annual plan generally consists of projects that are the building blocks of the cyber security program, following the strategies and tactics of the corporate and other cyber security program plans. Figure 1 provides an example of mapping showing the relationship of plans. What, if anything, is lacking?
FIGURE 1 Mapping of the goals of the corporate plan with those of the cyber security program, where IWC stands for a generic corporation, International Widget Corporation, and CIAAP is the corporate information assurance annual plan.
[1] William Shakespeare (1564–1616), English poet and playwright. Polonius, Hamlet (1601), Act 2, Scene 2.
[2] For those readers who are inclined to argue the technical definitions of terms, I concede that the definition of terms varies between corporations and those used here may not fit nicely into the definitions used by the corporation or government agency of the reader. However, the reader should not lose sight of the process being discussed. That is the important aspect of this chapter.
[3] The reader probably understands this process by now and can easily use this mapping method.
CHAPTER 8
Establishing a Cyber Security Program and Organization
Abstract
The objective of this chapter is to describe how to establish a corporate cyber security program and its associated organization. A "what-if" approach is used in which a corporate security officer is shown to act in a certain way based on what is required of him or her by the corporation in which that person is employed, using a fictional corporate environment.
Keywords
Corporate cyber security program; Corporate information officer (CIO); Corporation overall policy document; Formal project management techniques; Information environment (IE); Off-site cyber security program; Strategic business plan (SBP); Tactical business plan (TBP)
We trained hard, but it seemed every time we were beginning to form up into teams, we would be reorganized. I was to learn later in life that we tend to meet any new situation by reorganizing
Petronius Arbiter[1]
CONTENTS
Introduction
Corporate Cyber Security Program
The Corporate Cyber Security Program—Requirements
The Corporate Cyber Security Program—Information Assets Protection Policies
The Corporate Cyber Security Program Requirements and Policy Directive
Physical Security and Cyber Security Program Policy
The Corporation Cyber Security Program—Cyber Security Procedures
Cyber Security Officer Thought Process in Establishing the Cyber Security Organization
Determining the Need for Cyber Security Subordinate Organizations
Developing the Cyber Security Program Organization Structure
Developing the Cyber Security Program Subordinate Organizations
Responsibilities of Cyber Security Program Subordinate Organizations
Cyber Security Job Descriptions
Cyber Security Job Family Functional Descriptions
Recruiting Cyber Security Professionals
Identifying In-House Cyber Security Candidates
Identifying Outside Cyber Security Candidates
Questions to Consider
Summary
CHAPTER OBJECTIVE
The objective of this chapter is to describe how to establish a corporate cyber security program and its associated organization. A "what-if" approach is used in which a corporate security officer is shown to act in a certain way based on what is required of him or her by the corporation in which that person is employed, using a fictional corporate environment.
Introduction
The corporation's information and information systems are some of its most vital assets. These valuable assets must be consistently protected by all the corporation's employees, contracted personnel, associate companies, subcontractors, and, in fact, everyone who has authorized access to these assets. They must be protected regardless of the information environment, whether through faxes, telephones, cellular phones, local area networks, Internet e-mail, hard copies, scanners, personal digital assistants (PDAs)—any device that processes, transmits, displays, or stores the corporation's sensitive information. What is meant by sensitive is all information that has been determined to require protection. That determination is based on basic, common business sense—for example, a marketing plan for next year's product must be protected, and it doesn't take a risk assessment to determine that. Some information must also be protected because there are laws that make that information protection a requirement—for example, private information about employees.
To provide that consistent protection, those individuals who have authorized access to the information and information systems must therefore:
• Be provided with guidance,
• Understand how to apply information asset protection,
• Understand why such information asset protection is required, and
• Understand the corporation policy regarding that protection.
The corporation's executive management had decided that a policy document was needed. So, the corporation's cyber security officer was hired primarily to fulfill that requirement as stated in the corporate plans, such as the corporation's strategic business plan.
Corporate Cyber Security Program[2]
The cyber security officer knew that to successfully protect the corporation's information-related assets there must be formal guidelines and directions provided to the corporation's employees. There must also be some formal processes that are used to ensure that the corporation's information assets are protected effectively and efficiently—in other words, "cheap and good." It would be obvious to the corporation's management and the cyber security officer that to do otherwise would cause employees to protect these information-related assets as they saw fit, or not protect them at all. Such was almost the case now, and it is hoped that the cyber security officer would know there was an urgent need to quickly establish a cyber security program.
The cyber security program would be developed taking into consideration or incorporating the following:
• Reasons for the cyber security program;
• The corporation's vision, mission, and quality statements;
• Information and systems legal, ethical, and best business practices;
• The corporation's strategic, tactical, and annual business plans;
• Information and systems protection strategic, tactical, and annual business plans;
• The corporation's overall information assets protection plans, policies, and procedures as directed by the corporate security office;
• Cyber security vision, mission, and quality statements;
• Current cyber security program-related policies;
• Current cyber security program-related procedures; and
• Other topics as deemed appropriate once the cyber security officer and the cyber security project team have established the baseline.
The cyber security program cannot be developed in a vacuum if it is to work. The input of others is a necessity: the cyber security program, if not done correctly, may have an adverse impact on the business of the corporation. Remember that the cyber security officer's cyber security functional organization must be a service- and support-driven organization. As part of that endeavor, the cyber security program must support the corporation's business plans. It then follows that the plans call for certain actions to protect the corporation's vital information and information systems assets.
Remember that what is being discussed here are the plans, processes, policies, and procedures (P4) that are established, implemented, and maintained as applying to all the corporation's departments (P4 because as each of the "P's" is added to the others, the protection baseline increases exponentially). This should not be confused with the cyber security officer's own cyber security organization's plans, policies, and procedures, such as work instructions and processes that apply strictly within that cyber security organization.
As the cyber security officer, one of your first tasks is to obtain a copy of the corporation cyber security program that was to be established by the prior cyber security officer. You may find that:
1. There is no such document,
2. The current one is not really current at all and needs updating, or
3. To your shock and amazement, the corporation cyber security program is current and an excellent document.
Of the three options, which would you prefer and why? Actually, there are benefits to all of the options, but they are listed in our preferred order. Does it seem strange that one would not opt for option 3? The one you choose will probably be based on where you are coming from and where you are going (your education and experience). OK, no more riddles.
Option 1 has some benefits. If there is no such document as the corporation cyber security program by any name, one can "do it right the first time" and develop one that meets the needs of the corporation using your own tried and true methods. However, the less experience you have, the more difficult it will be to do it right the first time. If you are new to the corporation cyber security officer position, it may be doubly difficult and a real problem. No, not a problem, because you are now in a high management position. These are not called problems. They are called challenges.
Having a corporate cyber security program that has been approved by those who must approve it (executive management) has some benefits, of course. "Approve it?" you say. "Why does anyone have to approve it? I am the cyber security officer, the security professional, the expert in the business. I know what I am doing. I don't need any nonsecurity people out there playing amateur information systems security expert." Great! That may have worked in the past, maybe in the times of the hunter–gatherers—but not now.
Here's the issue: As the cyber security officer, you are going to establish a cyber security program that will affect everyone and everything in the corporation in one form or another, since information systems permeate all levels of the corporation and the corporation cannot function without them. You are new to the corporation and really don't have a good handle on how information assets protection policies and procedures affect the corporation's business of making widgets. You may have a great way to protect a certain sensitive corporation information-related asset, but find that if it were implemented it would slow down production. That is not a good idea in the competitive, fast-paced, global marketplace in which the corporation competes for business. That may get you a warning first, but then you'll be fired (as was the case of the last cyber security officer?); or it may increase costs in other ways (slowing down production is a cost matter also).
Option 2 also has some very good advantages, especially for the cyber security officer who has less experience in the profession and/or less experience at the corporation. The advantage is that you have a framework on which to build, essentially changing it to how you envision the final baseline. However, as with option 1, some caution is advised. Option 2 allows you, as the new cyber security officer, the opportunity to see what executive management has authorized to date. In other words, you know how much "protection" the executive management of the corporation will allow, and at what expense to productivity, costs, etc.
This is important also because if you increase security, you must provide sound, convincing business reasons why that should happen. In this case, you have an edge because of the previous loss of the corporation's information assets, which caused the firing of the former cyber security officer. In addition, the chief executive officer (CEO) is supportive in that the strategic business plan and the tactical business plan both have cyber security program goals, and those plans had to be approved by the CEO prior to implementation. Thus, the cyber security program already has high visibility and at least some executive management support. However, that honeymoon may not last long if you require protection mechanisms that aren't backed by sound business sense.
Option 3 is great if you are new to the cyber security officer position and/or lack confidence or experience in cyber security program development. However, caution is also needed here, because information assets were lost and the former cyber security officer was fired. You must get answers to the following questions:
• Did the information assets protection processes as set forth in the cyber security program leave a vulnerability that allowed the threat agent to take advantage of it?
• Was the cyber security program not the issue—did someone or some group fail to follow proper procedures?
• Was the cyber security officer just not the right person for the job at the corporation? (If this is the case, find out why so you don't make the same mistake, assuming you want to work for the corporation for more than a year or two.)
As the new cyber security officer, you should find the answers to these questions and then determine how the cyber security program can be enhanced to mitigate future attacks. The benefit of a current cyber security program is that it has received the concurrence of executive management—but remember, it may be a bad plan. After all, what does executive management know of cyber security program matters except what the cyber security officer tells them, aside from "common sense" knowledge?
Let us assume that no corporation cyber security program is in existence. So, the cyber security officer must start from the beginning. Actually, that is not entirely true. As an experienced cyber security officer, the corporation cyber security officer has brought knowledge and experience to the corporation cyber security officer position. In addition, there are always some sort of information and information systems protection policies and guidelines available. It may be just a matter of gathering them all together for analysis as part of establishing the cyber security program baseline.
In addition, the cyber security officer has swapped and collected cyber security program plans from other cyber security professionals over the years that may prove useful. Several words of caution:
• Never take another's cyber security program (or any documents) without the approval of his or her appropriate corporate authority. Such plans may be considered and marked as corporate–confidential, corporate–private, corporate–proprietary, or the like. There is an ethics issue here.
• Furthermore, the other cyber security programs may be outdated or may not meet the needs of the corporation, perhaps because of technology changes, a different corporate culture, or a different corporate environment.
Using formal project management techniques, the cyber security officer decides to establish a cyber security program project team and selects a project lead, leads the team, or has the group select their own project lead. If the cyber security officer's cyber security organization has one or more specialists in information assets protection policies and procedures, then one of those specialists would be the natural one to head up the project team. Other team members should include those within the cyber security organization who are responsible for each of the functions of the cyber security organization.
These team members would not be used full time on the project, but would represent the cyber security functions and provide input as deemed appropriate by the cyber security program project team leader. The cyber security officer decided to use only specialists from the cyber security organization at this time to speed up the draft of the baseline cyber security program's primary document—that which contains the requirements and P4. To do otherwise—to add auditors, information technology (IT) staff, human relations specialists, legal staff, etc.—would invariably cause too much time to be taken in discussing such matters as policies being too restrictive or not restrictive enough, leading to a slowdown or committee paralysis. The cyber security officer determined that coordination would be done upon establishment of the initial draft document.
Let's now assume there is a plan in place with outdated portions. The cyber security officer, who has already read the document and does not agree with some of the requirements in it and who sees other requirements that are obviously lacking, should first meet with the specialist currently responsible for the cyber security program and that person's manager (the assumption is that there are some cyber security staff already employed and that someone in the current cyber security organization has responsibility for the cyber security program—or equivalent plan or program). The main purpose of the meeting would be to determine why it is not current and to discuss the rationale for all the requirements stated in the document. It may be that some portions were deleted because of executive management objections. These must be identified, because it is of little use to update the cyber security program if it is to meet resistance and rejection when it is briefed to and coordinated with executive management.
If the cyber security officer determines that there was resistance and disapproval of some aspects of the cyber security program, then the cyber security officer should look at that issue first. The approach the cyber security officer will use is to establish another cyber security project team, which will conduct a limited risk assessment related to the identified issues: management's rejection of some much-needed information assets protection requirements. The risk assessment is limited to a specific objective: determining the risks to a specific asset, the costs of mitigating that risk, and the rationale for the requirement. It is also limited in time. For each of these issues in which different information assets and departments have been involved, such as manufacturing and marketing, a separate, limited risk assessment will be conducted.
The results of the limited risk assessments will then be provided as part of a formal briefing to the vice president of that particular department, and a copy of the report will be given to the corporate information officer (CIO). The copy to the CIO (the cyber security officer's boss) will be given just to ensure that the CIO is in the communications loop and because a copy will be available for use when briefing the CEO and the executive management team on the new cyber security program and its changes. The limited assessment will be part of the backup documentation for the briefing. The cyber security officer reasons that a copy to the CEO would not be a good idea at this time, because then the cyber security officer would have to explain what it is and why the CEO has it.
The CEO does not currently understand how the new cyber security officer operates, and now is no time to take away from the priority cyber security program project management to provide a "for your information" report to the CEO. Some cyber security officers may think that such things help the cyber security officer gain visibility and show the "great" things that the cyber security officer and cyber security staff are accomplishing. However, it may have the opposite effect, as the CEO would ask questions:
• Why do I have this?
• What is it?
• What am I to do with it?
• Do I have to make a decision now based on it?
What is your reply as the cyber security officer? "Oh, I just thought you would enjoy reading it because I know you are not that busy; you don't have better things to do; my stuff is so much more important than what you do to run the corporation; and no, you don't have any action items that come from this. I just want to show you what a great job I'm doing." That will work in getting you recognized—but for all the wrong reasons and in the wrong way.
The limited risk assessment will state the risks, the mitigation factors, and the estimated costs of the increased protection of that particular asset or set of information assets. If the vice president of that department, who is also the person immediately responsible for the protection of that information asset or assets, does not concur with the increased protection, then the vice president must formally accept the risks in writing on the last page of the report and send it back to the cyber security officer.
The acceptance of risk statement reads as follows: "I have reviewed the findings of the limited risk assessment conducted by members of the corporation cyber security staff. I understand the potential loss of, or damage to, the corporation information assets under my care that may occur if additional protective processes are not put in place. I accept that risk."
You will probably find that most people will be unwilling to sign such a document or will try to delay signing and hope the issue is forgotten. The cyber security officer can never let that happen. To resolve that issue, a reply of concurrence or nonconcurrence will be called for in the document, with a suspense date. If no reply is forthcoming by that date, the report states that additional safeguards will be put into effect no later than a specific date because of the failure of the action person to sign the document. A nonreply is taken as a concurrence.
Often the executive will try to find a way out of the dilemma and "negotiations" will take place in which various options will be examined, other than those already stated in the report. The cyber security officer cannot say no to such a request: to do so would allow the executive to say that the cyber security officer was not being cooperative, was not a team player, or had a "take it or leave it" attitude. At the same time, this negotiation cannot go on indefinitely. If a roadblock is reached, then the executive and the cyber security officer should agree that the matter be discussed at a meeting with the CIO and/or CEO.
The corporation CIO would probably be wondering if there was some other way out of it. The CIO thinks: "Here this cyber security officer hasn't even been in the job a month, and already I'm getting involved in conflicts." The CIO does not like becoming involved in conflicts.
As a side note, no matter what final decision is made, the cyber security officer's performance review and probably merit raise may be affected because the cyber security officer was not able to resolve the issue (even though the fault was that of others). The cyber security officer could have resolved the issue by just allowing the other vice presidents or managers to have it their way. However, the cyber security officer knows that this also contributed to the previous cyber security officer being fired. It is a no-win situation, but that's life as a cyber security officer. For the cyber security officer to do otherwise is unprofessional and an ethics issue.
The Corporate Cyber Security Program—Requirements
In developing a cyber security program, one must first look at the requirements that drive the formation of policies, which lead to procedures, which turn into processes to be followed by all those having authorized access to the corporation's information and information systems assets.
Requirements, also known as cyber security drivers, are those laws, regulations, common business practices, ethics, and the like on which the policies are based. The policies are needed to comply with the requirements; the procedures are required to implement the policies; and the processes are the steps that are followed to support the procedures.
The Corporate Cyber Security Program—Information Assets Protection Policies
When discussing information assets protection policy, we define it as a codified set of principles that are directive in nature and that provide the baseline for the protection of corporate information assets.
It is always the best policy to speak the truth, unless, of course, you are an exceptionally good liar.
Jerome K. Jerome
The corporate information assets protection policies are a series of policies that deal with the protection of the various categories of information assets within the corporation. These policies make up a major portion of the cyber security program, as they are the protection "rules." They are the first building blocks of the corporation's information assets protection environment. Information assets protection policies are the foundation for a cyber security program. It is crucial that they:
• Cover all information assets that must be protected,
• Cover all aspects of information assets protection,
• Do not have any loopholes that could contribute to vulnerabilities,
• Be clearly written,
• Be concise,
• Take into account the costs of protection,
• Take into account the benefits of protection,
• Take into account the associated risks to the information assets,
• Be coordinated with executive management and others as applicable,
• Be concurred in by executive management and others as applicable,
• Be actively supported by executive management and all employees, and
• Include a process to ensure that they are kept current at all times.
One cannot state these requirements too strongly. They are the key to a successful cyber security program. If it is not stated in writing, it does not exist. After the information assets protection policies are established and approved in accordance with the corporation's requirements (executive management approval for all policies that affect the entire corporation), the information contained in the policies must be given to all corporate employees. This will be done through the corporation cyber security program education and awareness training program.
A key process that the cyber security officer must establish is one that will maintain all information assets protection policies in a current state. Because this is a crucial function, the cyber security officer has assigned one staff member full time to ensure that the policies are current at all times and to ensure that when changes are considered, they are properly coordinated and the information is dispensed to all employees as soon as possible. After all, the changes may be merely procedural, or they may mitigate a risk to some valuable corporation information assets.
The cyber security officer's focal point for information assets protection policies is the central cyber security person who collects information that adversely affects the protection of information and information systems. That adverse information is analyzed by the focal point, with help from others as needed, to determine whether policies must be added or modified to help mitigate the adverse effects—vulnerabilities—identified. If so, such changes are made based on a cost–benefit approach to mitigating the identified vulnerabilities.
For the position of information assets protection policy specialist, the cyber security officer has chosen a person already employed by Human Resources (HR). This was done after interviews and after looking at the experience of the cyber security staff. None of the cyber security staff were qualified for or interested in such a position: the cyber security staff saw it as being a "nontechie paper shuffler" job. The cyber security officer purposely looked for a qualified employee within the corporation, since that person would already be familiar with the corporation's culture and processes—basically, how things were done at the corporation.
The cyber security officer was able to get this new position approved by the HR Department and rated at a sufficiently high position level to attract the best candidates. The cyber security officer's rationale was to rate all new positions at as high a level as possible, so that the cyber security officer could attract the best candidates inside or outside the corporation. Such a position would be seen as a promotion by many in the corporation. This was not an easy task, but the cyber security officer had experience in working with HR specialists. The task was not as difficult as it might have been—and once had been for the cyber security officer.
The person hired had worked in an HR office, where their duties included writing HR policy and procedures documents, coordinating document approvals, and maintaining the corporation documentation library. The individual responded to a corporation "vacant position" announcement that was available to all employees through the online HR network.
The job description for the Cyber Security Specialist was developed by the cyber security officer based on past experience. The person was not actively recruited from within HR, as this would have violated corporation policy—people cannot actively try to "steal" employees from one another. As well as violating corporate policy, it is unethical.
One person who responded to the vacancy announcement had two years of experience at the corporation and had a bachelor's degree in journalism, but no cyber security or information assets protection experience. The cyber security officer wanted someone who could write and coordinate policies and procedures as the first priority and could secondarily learn about cyber security-related matters. The incentive was that the position was a promotion from the person's previously held position, and the person would be the lead in this function, rather than "just another employee" in the HR organization.[3]
At the corporation, the cyber security officer developed an administrative document architecture in which there was an overall information assets protection policy document followed by the other assets protection policy documents. The corporation overall policy document (Information Assets Protection Policy Document 500-1, also known as IAPPD 500-1) begins with a letter from the corporation CEO to show employees that this program was supported by the CEO:
To: All Corporation Employees
Subject: Protecting the Corporation's Information Assets to Maintain Our Competitive Edge through a Corporate Cyber Security Program
We are a leading international corporation in the manufacturing and sales of widgets. Today, we compete around the world in the global marketplace of fierce competition. To maintain a leadership position and grow, we depend first and foremost on all of you and provide you the resources to help you do your jobs to the best of your ability. You are vital to our success.
It is the policy of the corporation to protect all our vital assets that are the key to our success, and among these are our information-related assets. These include information, automated manufacturing tools, technology, information- and systems-driven processes, hardware, software, and firmware that we all rely upon to be successful. You and these other vital corporation information assets must be able to operate in a safe environment, and our resources must be protected from loss, compromise, or other adverse effects that affect our ability to compete in the marketplace.
It is also corporation policy to depend on all of you to do your part to protect these valuable information-related assets in these volatile times.
The protection of our information assets can be accomplished only through an effective and efficient cyber security program. We have begun an aggressive effort to build such a program.
This directive is the road map to our corporate cyber security program and the continued success of the corporation. In order for the cyber security program to be successful, you must give it your full support. Your support is vital to ensure that the corporation continues to grow and maintain its leadership role in the widget industry.
(Signed by the corporation President and CEO)
ItiscrucialthattheCEOleadthewayinthesupportoftheprotectionofthecorporation
informationassets.Togettheprecedingstatementpublished,thecybersecurityofficerreliedonthepolicycybersecuritystaffmembertodraftastatementfortheCEOtosign.Thecybersecurityofficerreasonedthatitisalwaysbettertowriteadraftforsomeonetoensurethatwhatispublishedmeetstheneedsofthecybersecurityprogramandthecorporation.ThestatementwasdraftedafterreviewingnumerousotherdocumentsandspeechesmadebytheCEOtoensurethatthewordsandformatusedwereconsistentwithwhattheCEOnormallysigned.
ThedraftwaseditedbythecybersecurityofficerandthencoordinatedbythecybersecurityofficerwiththeDirectorofCorporateSecurity,sincethishadtodowiththecorporationassets.TheDirectorofSecurityhadnoissueswiththepolicyandinfactwashappythatthecybersecurityofficerwasaggressivelymovingforwardonthismatter.Inaddition,theDirectorofSecuritybelievedthatthecybersecurityofficerpushingforwardwouldeventuallybenefittheSecurityDepartment.Furthermore,ifthecybersecurityofficerranintotroublewithexecutivemanagement,theDirectorcouldseehowfarthecybersecurityofficerwasabletogoinmeetingtheinformationassetsprotectionobjectives.Helikenedthecybersecurityofficertoaleadscoutgoingthroughthecorporation’sexecutivemanagementminefield.ItwouldhelptheDirectortopoliticallychoosehisground.Afterall,theDirectorwas“oldschool.”Hedidn’tcaremuchforcomputers,andhehadnoproblemlettingthecybersecurityofficertakeonthecybersecuritymatterswhiletheDirectorconcentratedonmore“mundane”securitymatterswhileawaitinghistimeforretirementinanotherfourorfiveyears.
BecausethedraftwasgoingtotheCEO,itwasalsoreviewedandeditedbythecybersecurityofficer’sboss,theCIO.ItwasthensenttotheCEO’spublicrelationsstaffandlegalstaffforeditingandsubsequentlypresentedtotheCEObythecybersecurityofficeraccompaniedbytheCIO,whowasalwaysconcernedwhenthecybersecurityofficerwasinvolvedinanythingthatbroughtCEOvisibilitytoanyaspectsoftheCIO’sdepartment.
Thecybersecurityofficeraccomplishedanotherobjectivetowardbuildingacybersecurityprogramforthecorporation.ThelettersignedbytheCEOwasjustonepartofit.ThecybersecurityofficeralsogotsupportfromtheCEOtoaggressivelyattackthevulnerabilitiesproblems,becausetheCEOdidnotobjecttotheassessmentapproachbriefedbythecybersecurityofficeraspartofthecybersecurityprogramphilosophy.That“hiddenagenda”wasusedtoinitiateamoreproactiveeffortthattheDirectorofAuditsandthecybersecurityofficerhadagreedtopriortothecybersecurityofficer’smeetingwiththeCEO.Thistacitapprovalallowedthecybersecurityofficertoestablishamoreproactiveandaggressivecybersecurityprogram.Allthismayseemalittledeviousbutnotunethical—orisit?Dotheresultsoutweighthetacticsusedtogainthoseresults?Youbethejudge.
Thecybersecuritypolicydocumenthadacoordinationnoteattachedthatshowedallthosewhohadseenthedocument(CEOsrarelysignanythingrelatingtocorporatebusinesswithoutinputfromthestaff).IfthecybersecurityofficerhadjustmadeanappointmentwiththeCEOandaskedforconcurrenceonthedocument,thecybersecurityofficerwouldundoubtedlybeaskediftheCIOhadseenit,haditbeencoordinatedwith
his(cybersecurityofficer’s)staff,etc.Thecybersecurityofficerwouldhavesaidno,wastingtheCEO’stimeandthecybersecurityofficer’stime.TheCEOwouldneversignoffonthedocumentwithoutCEOstaffinput.Thewholeincidentwouldmakethecybersecurityofficerlookfoolishandunprofessional,andperhapsfeelalittleinsecure,asthoughtheCEOdidnottrustthecybersecurityofficer.
One key factor is missing here. Do you know what it is? Would the CEO have signed the document without seeing the draft policy directive, IAPPD 500-1? The answer is probably yes. This is because the cybersecurity officer ensured that the letter was written without alluding to or identifying any "attached policy document" or any other document, for that matter. Why is this important? It is important because this document is timeless and can be used as a stand-alone document. The cybersecurity officer thought that it could also be attached to any information assets protection policy directive and would help enforce the policy directive because anyone would assume that the CEO's signed document is supporting the policy directive to which it is attached.

The fact is, it is probably true that the CEO would support the policy directive: That directive could not have been published and implemented without following the corporation directive publishing process. This process, as stated in the corporation directive HRD 5-17, includes directions as to proper coordination with applicable departments that would be affected by the directive.
The next day, the cybersecurity officer happened to be in discussion with the cybersecurity policy specialist around the coffee pot. They discussed the CEO's approval of the document, and the cybersecurity officer thanked the specialist for a great job.⁴ The specialist said "Thanks" and also said, "You know, of course, that it is corporation policy that letters, regardless of who signs them, have no more than a 90-day life span? That policy was put in place because many executives and other managers were writing policy 'letters' to circumvent the coordination process for directives. So, these policy letters proliferated at the corporation. No one knew what was current and what wasn't, and many failed to follow the letters because 'they didn't work for that person' (the person who signed the letters). So, the letters were ignored. The last thing that the corporation needed was a bunch of letter policies flowing around and being ignored. That left the entire corporation atmosphere full of conflicts, some chaos, and an attitude of flouting any rules that one didn't like. In fact, that contributed to our loss of information assets, the firing of managers, including your predecessor. So, you don't want to end up starting that mess all over again. Do you?"
The cybersecurity officer didn't know that and was glad that the right person had been hired for the information assets protection policy specialist position. It's funny how things sometimes work out better than expected. A "cybersecurity techie" in that position would probably not have known that valuable piece of information.

The cybersecurity officer thought about what the information assets protection policy specialist had said. The cybersecurity officer wanted to keep to a minimum any objections to the information assets policy directives.
So, the cybersecurity officer directed that a copy of the CEO's signed document be attached to any information assets protection policy document the cybersecurity officer was trying to get through the coordination process, published, and implemented. The cybersecurity officer also included a note on the coordination sheet that stated: The attached document is an implementation document to meet the corporation information assets protection program requirements as stated in the CEO's document. The cybersecurity officer was very satisfied with this approach and also directed that the CEO's letter be changed to a formal directive and so instructed the cybersecurity policy specialist. That directive, the cybersecurity officer reasoned, should not require any coordination because the CEO had already signed it. This was the case, and the CEO's letter became the corporation's IAPPD 500-1. Therefore, all other policy directives flowed from that overall directive—the CEO's memo-directive.
The cybersecurity officer directed that a project, with the cybersecurity policy specialist as the project lead, be established and implemented. The objective was to bring all information assets protection policy directives up to date. This would require all the corporation policy directives related to information assets protection to be reviewed, updated, coordinated, republished, and placed online, and that all briefings, training, and other processes be updated accordingly. The cybersecurity officer also directed that the project lead should prioritize the directives according to the following schedule:
• Directives that did not currently exist but must be developed to address the protection of various information assets and
• Directives that were the most outdated (continuing to those that were the least outdated).
The cybersecurity officer reasoned that outdated directives were better than no information assets policy directives, because where some were needed and did not exist, the information assets were more vulnerable. Although the missing directives would take the longest to get implemented, they were the most important. The cybersecurity officer also directed the information assets protection policy project team, with the policy specialist as the project lead, to do as much as possible in parallel. Those requiring the least amount of work could be done faster, and every updated directive was another victory in the war to protect corporate information assets.
War? The choice of words was used in all seriousness. The cybersecurity officer and the staff must get on a "war footing" and not treat their professional duties as some 9-to-5 job. Corporate information assets are being attacked from inside and outside the corporation, from within the home nation-state, and by competitors and nation-states from around the world on a 24/7 basis. This corporation was no exception, and in fact because of its leadership role in the widget industry, it was probably more at risk than some other corporations.
The cybersecurity officer directed that all policy directives be limited to specific issues. The cybersecurity officer reasoned that to develop one large policy directive that covered all aspects of the corporation's information assets protection needs was not a good idea. Do you agree? Before answering, think about it from an employee's perspective. The employee has a job to do as a specialist in a chosen profession. Employees are not, nor do they want to be, cybersecurity specialists. To assist them in at least complying with the cybersecurity program, the "KISS" principle (keep it simple, stupid) should always be applied.

An employee who wants to do the right thing and comply with all the corporation directives and information assets protection directives is part of the group. Let's say the employee works in a marketing group. If there were just one large policy document, the employee would look at this monster and might be intimidated by its size. The employee does not need to know about many of the information assets' protection requirements—for example, those that pertain to the manufacturing environment. Yes, one could do keyword searches if the documents are online, but in all probability, pertinent information would be scattered throughout the document. With the capability of putting documents online and maintaining them online, it is easy in today's word processing environment to just cut and paste applicable portions of other information assets protection documents that apply to multiple information environments.

Many employees have lost patience trying to read through such large—and boring—documents. Let's face it, even cybersecurity professionals get bored reading cybersecurity documents. Ironically, some cybersecurity personnel never read the entire series of cybersecurity-related documents unless they have to, or unless someone embarrasses them by pointing out that they (cybersecurity personnel) are violating their own cybersecurity rules!

Topic-oriented information assets protection policy documents can be developed, coordinated, and implemented faster. In addition, employees can easily determine which directive to search for guidance without reading volumes. Also, one large directive would be almost constantly in a state of change because of various aspects requiring changes at different times.
The cybersecurity officer directed that, as a minimum, individual information assets policy directives were to be established to provide guidance for the protection of the following corporate information assets⁵:
• Overall information assets protection (CEO's signed letter);
• Information valuation, marking, storing, distribution, and destruction;
• Information processed, displayed, stored, and transmitted by information systems on the corporation's intranet;
• The corporation's telecommunications systems and voice mail;
• Cellular phones, PDAs, and pagers;
• Fax machines;
• Teleconferencing;
• Printers and scanners;
• Automated manufacturing;
• E-mail;
• Vital, automated records; and
• Violations of information assets protection policies, procedures, and processes.
The Corporate Cyber Security Program Requirements and Policy Directive

The corporation cybersecurity program directives followed the standard format for the corporation policies and included the following:
1. Introduction, which included some history of the need for cybersecurity at the corporation;
2. Purpose, which described why the document existed;
3. Scope, which defined the breadth of the Directive;
4. Responsibilities, which defined and identified the responsibilities at all levels, including executive management, organizational managers, systems custodians, IT personnel, and users. The Directive also included the requirements for customers', subcontractors', and vendors' access to the corporation systems and information.
5. Requirements, which included the requirements for:
a. Identifying the value of the information;
b. Access to the corporation systems;
c. Access to specific applications and files;
d. Audit trails and their review;
e. Reporting responsibilities and action to be taken in the event of an indication of a possible violation;
f. Minimum protection for the hardware, firmware, and software⁶; and
g. Cybersecurity procedures at the corporation department and lower levels.
Physical Security and Cyber Security Program Policy

The physical security functions for the most part fall under the Security Department. It was agreed by the Director of Security and the cybersecurity officer that the physical security program, as it related to cybersecurity, was to remain under the purview of the Security Department; however, those aspects related to cybersecurity would be coordinated with the cybersecurity officer or his or her designated representative.

The technical countermeasures program relating to emanations of systems' signals or covert signals that may be placed in the corporation's sensitive processing areas had been initially placed under the purview of the cybersecurity officer; however, the Director of Security apparently became concerned because the systems permeate the corporation, which appeared to give the cybersecurity officer a great deal of authority.

The cybersecurity officer's authority, which the Director equated to power, over physical security as it related to systems facilities was relinquished by the cybersecurity officer. The cybersecurity officer's rationale was:
• It showed the executive management and the Director of Security that the cybersecurity officer was interested in getting the job done right and not who had the authority to do it;
• This move, coupled with the cybersecurity procedures responsibility placed on the corporate management, gave clear indications to everyone that the cybersecurity officer was interested in getting the job done in a cooperative effort in which cybersecurity responsibilities belonged to everyone in a true team effort; and
• It took a heavy responsibility off the shoulders of the cybersecurity officer. The cybersecurity officer was no longer responsible for the physical security aspects; thus, the cybersecurity officer's attention could be directed to more technical aspects of the cybersecurity program—those more enjoyable to the cybersecurity officer.
The agreement reached by the cybersecurity officer and Director of Security was for the Security Department to be responsible for:
• Control of physical access to information systems throughout the corporation;
• Physical access control badge readers to areas containing sensitive information-processing activities;
• Physical disconnects of all systems processing information so sensitive that the information could not be processed outside specified areas;
• Review, analyses, and action related to physical access control audit trails; and
• Control of physical access of all visitors, vendors, subcontractors, customers, and maintenance personnel and the escorting of such personnel into sensitive information-processing areas.
The Corporation Cyber Security Program—Cyber Security Procedures

Over the years, the cybersecurity officer has had experience in several corporations. The cybersecurity officer learned that the best way to provide an updated cybersecurity program is to begin at the highest level and work down. This form of information assets protection evaluation, analysis, and improvement is based on the fact that information assets protection is driven and must be supported from the top down. Therefore, the cybersecurity officer began with the overall corporation assets protection requirements (drivers), followed by the information assets protection policies. Once they were in place, those related procedures that were already in place were analyzed and projects established to update them and develop new ones where needed.
Each information assets protection policy requires compliance by those identified in the policy directives. Each of these directives requires one or more procedures to be established so that there is a standard method used to support and implement the policies, including their spirit and intent. The information assets protection directives previously discussed require procedures to be established to comply with those directives. For example, what procedures should be used to determine the classification to be given a piece of information: corporation–trade secret, corporation–sensitive, corporation–proprietary? Some procedures may be written for everyone in the corporation to follow, while various departments may write others based on their unique information environments.

There are various opinions as to how best to go about developing procedures. One continues to get to a more detailed level as one goes from requirements (drivers) to policies to procedures. The main issue is this: If the cybersecurity officer establishes a specific procedure to comply with a specific policy, which in turn assists in meeting the corporation goals as stated in the corporate strategic business plan, tactical business plan, and annual business plan, the procedures may not be practical in one or two of the corporation's departments. The department head may so state and may ask for a waiver saying that they can still comply if they have a different procedure that takes into account their unique working information environment. There may be more than one department with similar complaints. So, how does the cybersecurity officer ensure that people are following proper information assets protection procedures to comply with the information assets protection policies?
The cybersecurity officer has found that the best way to do this at the corporation is to require that the individual departments establish, implement, and maintain their own set of information assets protection procedures that comply with the policies. This has several benefits:
• Having each department write its own procedures helps enforce the philosophy that information assets protection is everyone's responsibility.
• There will be fewer complaints and requests for waivers because one or more of the corporation's departments cannot comply with the procedures as written by the cybersecurity officer's staff. This benefits the cybersecurity officer, as tracking waivers may turn into a nightmare—who has what waivers, why, and for how long.
• The departments can develop procedures that meet their unique conditions and because of that, the procedures should be more cost-effective.
• The cybersecurity officer and his or her staff will save time and effort in writing and maintaining information assets protection procedures. To be blunt—it's the departments' problem. However, the cybersecurity officer has offered to make cybersecurity staff available to answer questions and to provide advice as to what should be in the documents. This was done in the spirit of providing service and support to the corporation employees. The liaison contact for the cybersecurity officer would of course be the cybersecurity policy specialist.
The question then arose as to how the cybersecurity officer could be sure that the procedures written by each department meet the spirit and intent of the policies. Two methods were identified:
• The cybersecurity staff, as part of their risk management processes, would conduct limited risk assessment surveys, and as part of those surveys, the procedures would be reviewed. The limited risk assessments would indicate how well the procedures in place help protect the corporation information assets under the control of each department or suborganization.
• The corporation's audit staff would compare the procedures with the policies during their routine audits. The Director of Audits agreed to conduct such reviews, since that department is responsible for auditing compliance with federal, state, and local laws and regulations and the corporation's policies and procedures anyway. It also helped that since the cybersecurity officer's arrival, the cybersecurity officer and the Director of Audits met and agreed to monthly meetings to share information of mutual concern. The cybersecurity officer learned long ago that cybersecurity personnel have very few true supporters in helping them to get the job done, but auditors were one of them.

Procedures, along with their related processes, are the heart of a cybersecurity program because they provide the step-by-step approach for employees as to how to do their work and also ensure the protection of corporate information assets. And if the departments write their own procedures, they become actively involved as valuable team members in the process of protecting the corporation's valuable information assets.
Cyber Security Officer Thought Process in Establishing the Cyber Security Organization

The cybersecurity officer also knew that a staff of cybersecurity specialists would be required because of the large size and geographical locations of the corporation systems and associated facilities. What the cybersecurity officer had to determine was how many specialists and what types were needed and how the cybersecurity officer's organization should be structured. Although there was a group of cybersecurity specialists that made up the corporation's cybersecurity organization that the cybersecurity officer inherited, they were disorganized and had been sort of "thrown together" by the previous cybersecurity officer, who was not employed long enough to get around to properly organizing the group.

The corporation cybersecurity officer must, in parallel to establishing a cybersecurity program baseline, also begin the task of establishing a cybersecurity program-related organization. The cybersecurity officer decided that the sole purpose of the organization was to lead and support the cybersecurity program. Therefore, the cybersecurity officer intended to provide an "umbilical cord" between the cybersecurity program and the cybersecurity officer's organization. After all, without some form of cybersecurity program, no cybersecurity organization would be necessary. In doing so, the cybersecurity officer needed to understand:
• The limits of authority,
• The amount of budget available, and
• The impact of establishing a cybersecurity program on the corporation—the culture change.
The cybersecurity officer also had to determine how to find qualified people who could build and maintain a cost-effective cybersecurity program. The staff must also be able to develop into a cybersecurity team in which everyone acts and is treated as a professional. The corporation cybersecurity officer wanted a group of cybersecurity professionals who were very talented, yet could leave their egos at the door when they came to work (not an easy task for very talented people).

The cybersecurity officer also had to consider that building an empire and a massive, bureaucratic organization would not only give the wrong impression to the corporation management, but would also be costly. Furthermore, the cybersecurity officer had to build an efficient and effective cybersecurity organization, as required by the corporation and as stated in the numerous plans. After all, wasn't that one of the implied conditions of employment?

Building a bureaucracy leads to cumbersome processes, which lead to slow decision cycles, which cause the cybersecurity program to have an adverse impact on costs and schedules, which leads to a cybersecurity program that does not provide the services and support needed by the company. This snowballing effect, once started, would be difficult to stop. And if stopped, it would require twice as long to rebuild the service and support reputation of the cybersecurity officer, the cybersecurity staff, and the cybersecurity program.

In developing the cybersecurity program organization, the cybersecurity officer also had to bear in mind all that was discussed with the corporate management and what was promised. These included:
• The corporation's history, business, and competitive environment;
• Mission, vision, and quality statements;
• The corporation and cybersecurity program plans; and
• The need for developing a cybersecurity program as quickly as possible, for the work will not wait until the cybersecurity officer is fully prepared.
Determining the Need for Cyber Security Subordinate Organizations

The cybersecurity officer must determine whether subordinate cybersecurity organizations are needed. If so, a functional work breakdown structure must be developed to determine how many subordinate organizations are needed and what functions should be integrated into what subordinate organizations.

The corporation's cybersecurity officer reviewed the cybersecurity officer's charter and cybersecurity program focus previously agreed to by the cybersecurity officer and executive management. That charter included the following cybersecurity program functions:
• Requirements, policies, procedures, and plans;
• Hardware, firmware, and software cybersecurity evaluations;
• Technical security countermeasures (function subsequently transferred to the Security Department);
• Cybersecurity tests and evaluations;
• Information system processing approvals;
• Access control;
• Noncompliance inquiries;
• Telecommunications security;
• Risk management;
• Awareness and training; and
• Disaster recovery/contingency planning.
The cybersecurity officer analyzed the plans, functions, number of systems, and number of users and determined that two subordinate organizations would be needed to provide the minimum cybersecurity program professional services and support.

Actually, the cybersecurity officer thought of dividing the functions into three organizations, but the need for one of those was borderline. Also, having three suborganizations might give the wrong impression to others in the corporation (one must always remember perceptions and appearances when building a cybersecurity program and organization). It would also provide another level of administrative overhead burden that would not be cost-effective. The cybersecurity officer reasoned that the two subordinate organizations would suffice for now; the organizations could be reevaluated at the end of the first year's operation.
The cybersecurity officer decided to brief the CIO (the boss) on the plan. The CIO thought it was reasonable, but wondered how the cybersecurity officer would handle the off-site locations in the United States, Europe, and Asia.

As with any good plan, nothing ever runs completely as expected. Being an honest and straightforward cybersecurity officer, the only logical comeback was "Huh?" The CIO went on to explain that their global locations are manufacturing sites making final or subassemblies of the widgets and shipping them to the main plant or global customers, as applicable.

The cybersecurity officer asked the CIO how other organizations handled the off-site locations. The CIO explained that they have smaller, satellite offices to provide the service and support needed at that location. The cybersecurity officer determined that before deciding on the need for a satellite office, the problem should be further evaluated. The cybersecurity officer explained to the CIO that the evaluation would be conducted within a week and a decision made at that time.
The cybersecurity officer subsequently determined that to provide quality services and support to the off-site locations, small cybersecurity organizations with dedicated staff should be in place at all facilities. This would replace the current staff, who, as an additional duty assigned by on-site facility executive managers, had to serve as part-time cybersecurity persons. This decision was based on several considerations:
• Conversations with managers of other organizations who had satellite offices at the off-site location, relative to how they handled the problem;
• Conversations with managers of other organizations who did not have satellite offices at the off-site location, as to how they handled the service and support requirements;
• Conversations with off-site facility executive managers;
• An analysis of the off-site locations' information systems configurations and processing;
• Information flow processes; and
• The cybersecurity program needs of each location.

Based on the analysis, the cybersecurity officer determined that cybersecurity program satellite offices were indeed necessary, but some functions could be supported from the corporate office, such as risk management, policy development, and requirements.

The cybersecurity officer informed the CIO of the decision and the basis for the decision, emphasizing its cost-effectiveness. The CIO agreed based on the business logic shown by the cybersecurity officer, the minimal number of cybersecurity staff needed, and what the CIO sensed as the cybersecurity officer's strong commitment to the cybersecurity program using a lowest cost/minimum risk approach.
The number of people in any working group tends to increase regardless of the amount of work to be done.
Cyril Northcote Parkinson⁷
Developing the Cyber Security Program Organization Structure

Based on the cybersecurity officer's analyses, the cybersecurity officer established the cybersecurity program organization—at least on paper.

The cybersecurity officer found that establishing the cybersecurity program organization to date had been the easy part. Now came the bureaucracy of coordinating and gaining approval of the cybersecurity program organization from the designated organizations, such as organizational planning, HR, and facilities, as well as completing their and other organizations' forms.⁸

A word of caution to the cybersecurity officer: Some service and support organizations are more interested in proper completion of the administrative bureaucracy than in helping their internal customers. Just grin and bear it. You can't change it, except over time, and now is not the time. The priority is getting the cybersecurity program and the cybersecurity organization off the ground. Concentrate on that priority.
Developing the Cyber Security Program Subordinate Organizations

The cybersecurity officer determined that the subordinate organizations must also have charters that identify the cybersecurity program functions that are to be performed by the staff of those organizations. The cybersecurity officer further determined that to recruit managers for the subordinate organizations was premature. The cybersecurity officer reasoned that what was needed first was professional cybersecurity personnel who could begin the actual program work. The cybersecurity officer would manage all the organizations until such time as the workload and cost-effectiveness considerations determined that a subordinate manager or managers were needed. Based on the work to be performed, and the analyses discussed above, the cybersecurity officer developed the charters for the subordinate organizations. In the interim, the cybersecurity officer used a matrix management approach with the off-site facility managers who were responsible to the CIO for overall information and information systems management.
Responsibilities of Cyber Security Program Subordinate Organizations

Cyber Security Program Access Control and Compliance

The cybersecurity officer is the acting manager of the cybersecurity program Access Control and Compliance subordinate organization.

The following is the summary of the position:

Provide the management and direction and conduct analyses required to protect information processed on the corporation's information systems from unauthorized access, disclosure, misuse, modification, manipulation, or destruction, as well as implementing and maintaining appropriate information and information systems access controls; conduct noncompliance inquiries; and maintain violations tracking systems.⁹

Detailed accountabilities include:
1. Implement, administer, and maintain user access control systems by providing controls, processes, and procedures to prevent the unauthorized access, modification, disclosure, misuse, manipulation, or destruction of the corporation's information.
2. Monitor user access control systems to provide for the identification, inquiry, and reporting of access control violations. Analyze system access control violation data and trends to determine potential systems' security weaknesses and report to management.
3. Conduct inquiries into cybersecurity program violations/incidents and related cybersecurity program business practices, corporation policies, and procedures. Identify the exposures/compromises created, and recommend to management corrective and preventive actions.
4. Direct, monitor, and guide the cybersecurity program activities of the corporation's access control support groups and systems to ensure adequate implementation of access control systems in meeting cybersecurity program requirements.
5. Establish and manage an information systems defensive system, including firewalls and related intrusion detection systems.
6. Provide advice on and assistance with the interpretation and implementation of cybersecurity program policies and procedures, contractual cybersecurity program requirements, and related documents.
Cyber Security Program Policy and Risk Management

The cybersecurity officer is the acting manager of the cybersecurity program Policy and Risk Management subordinate organization.

The following is the summary of the position:

Provide the management and direction and develop, implement, and maintain cybersecurity program policies and procedures, awareness, disaster recovery and contingency planning, cybersecurity program system life cycle processes, cybersecurity tests and evaluations, risk management, and cybersecurity program technical security and related programs to protect the corporation systems and information.

Detailed accountabilities include:
1. Identify all cybersecurity program requirements needed and develop the corporate policies and procedures necessary to ensure conformance to those requirements.
2. Evaluate all hardware, software, and firmware to ensure conformance to cybersecurity program policies and procedures, recommend modifications when not in conformance, and approve them when in conformance.
3. Establish and administer a cybersecurity tests and evaluations program to ensure compliance with systems' security documentation and applicable cybersecurity program requirements.
4. Establish, implement, and maintain a cybersecurity technical program to identify all electronic threats and mitigate those threats in a cost-effective manner.
5. Establish and maintain a cybersecurity awareness program to ensure that the corporation management and users are cognizant of cybersecurity program policies, procedures, and requirements for the protection of systems and information and their related threats.
6. Develop, implement, and administer a risk management program to identify and assess threats, vulnerabilities, and risks associated with the information for which the corporation has responsibility and recommend cost-effective modifications to the cybersecurity program, systems, and processes.
7. Establish and maintain a disaster recovery/contingency planning program that will mitigate cybersecurity program, corporation information, and systems' losses and ensure the successful recovery of the information and systems with minimal impact on the corporation.
Off-Site Cyber Security Program Organizations

The cybersecurity officer is also the acting manager of the off-site cybersecurity program subordinate organizations. However, the cybersecurity officer has determined that it will be necessary to appoint a person as a supervisor to manage the day-to-day operations of the off-site cybersecurity program. At the same time, there are not enough personnel, as stated by HR, to appoint a manager at each off-site location. However, the supervisor has authority to make decisions related to that activity, with several exceptions. The supervisor cannot counsel the cybersecurity program staff, evaluate their performance (except to provide input to the cybersecurity program manager), make new cybersecurity program policy, or manage budgets.

The following is the summary of the position:

Implement, maintain, and administer a cybersecurity program for the corporate resources at the off-site location and take the actions necessary to ensure compliance with the cybersecurity program requirements, policies, and procedures to protect the corporation's information from compromise, destruction, and/or unauthorized manipulation.¹⁰

Detailed accountabilities include:
1. Implement and administer the corporation's plans, policies, and procedures necessary to ensure compliance with the stated corporation cybersecurity program requirements for the protection of all information processed, stored, and/or transmitted on the corporation's information systems.
2. Administer a cybersecurity tests and evaluations program to ensure that all the corporation's information systems are operated in accordance with appropriate cybersecurity program requirements and contract specifications.
3. Administer and monitor the local use of the corporation's information systems access control software systems, analyze all infractions/violations, and document and report the results of questionable user activity for cybersecurity program inquiries.
4. Identify information systems' business practice irregularities and security violations/infractions; conduct detailed inquiries; assess potential damage; monitor the corporation management's corrective action; and recommend preventive measures to preclude recurrences.
5. Administer a cybersecurity education and training awareness program for all the corporate managers and users of the corporation's information systems to ensure they are cognizant of information systems' threats and are aware of the cybersecurity program policies/procedures necessary for the protection of information and information systems.
6. Represent the cybersecurity program manager relative to all applicable corporation cybersecurity program matters as they apply to personnel, resources, and operations at the off-site location.
7. Provide advice, guidance, and assistance to management, system users, and systems' custodians relative to cybersecurity program matters.
8. Perform other functions as designated or delegated by the cybersecurity program manager.
Cyber Security Job Descriptions
After establishing and gaining final approval for the cybersecurity organization, and while trying to begin establishing a formal, centralized cybersecurity program, the cybersecurity officer determined it was now time to begin hiring some cybersecurity professionals.
However, before that could be accomplished, and in accordance with the corporation organizational development and HR requirements, a cybersecurity job family first had to be established. After all, the corporation, being a high-tech, modern corporation, requires that employees be assigned to career families to support their career development program as directed by the HR Department. And, unfortunately, it seems that cybersecurity functions have never been a formal part of the corporation. Therefore, there are no job families that seem to meet the needs of the cybersecurity program functions.
The cybersecurity officer and the HR representative discussed the matter and agreed that the cybersecurity officer would write the cybersecurity functional job family descriptions. The cybersecurity officer was told that they must be generic, so they are flexible enough to support several cybersecurity job functions within each level of the job family. The HR representative advised the cybersecurity officer that this is necessary to ensure the flexibility needed for recruiting, hiring, and subsequent career development of the cybersecurity professionals. Also, it would streamline the process and ensure that the number of cybersecurity job family position descriptions could be kept to a minimum, thus also decreasing bureaucracy and paperwork.
At the conclusion of the meeting, the HR representative provided the cybersecurity officer with the job descriptions for the security, auditor, and IT job family. Also provided were several forms that had to be completed when submitting the cybersecurity job family descriptions, as well as forms to be used for documenting each job family description by grade level.
Armed with the challenges of this new onslaught of bureaucratic paper, and bidding adieu to the smiling HR representative, the cybersecurity officer headed back to the office to begin the task of writing the corporation's cybersecurity job family descriptions (while wondering when there would be time to do real cybersecurity program work).
After reviewing the provided job descriptions and reading the paperwork needed to make this all happen, the cybersecurity officer wrote and provided the HR representative with the function descriptions of the cybersecurity job family! After several iterations and compromises, and approvals through a chain of organizational staffs, the job family was approved.
Cyber Security Job Family Functional Descriptions
The following detailed cybersecurity job family functional descriptions were developed and approved by the applicable corporation departments:
1. Systems Security Administrator
Position summary: Provide all technical administrative support for the cybersecurity organization.
Duties and responsibilities:
a. Filing.
b. Typing reports and other word processing projects.
c. Developing related spreadsheets, databases, and text/graphic presentations.
Qualifications: High school diploma, 1 year of security administration or 2 years of clerical experience. Must type at least 60 words per minute.
2. System Security Analyst Associate
Position summary: Assist and support cybersecurity staff in ensuring all applicable corporation cybersecurity program requirements are met.
Duties and responsibilities:
a. Support the implementation and administration of cybersecurity software systems.
b. Provide advice, guidance, and assistance to system users relative to cybersecurity program matters.
c. Identify current cybersecurity program and cybersecurity functional processes and assist in the development of automated tools to support those functions.
d. Assist in the analysis of manual cybersecurity program and cybersecurity functions and provide input to recommendations and reports of the analyses to the cybersecurity officer.
e. Maintain, modify, and enhance automated cybersecurity functional systems of cybersecurity tests and evaluations, risk assessments, software/hardware evaluations, access control, and other related systems.
f. Collect, compile, and generate cybersecurity program functional informational reports and briefing packages for presentation to customers and management.
g. Perform other functions as assigned by the cybersecurity officer and cybersecurity management.
Position requires being assigned to perform duties in one or more of the following areas:
• Access control—Maintain basic user access control systems by providing processes and procedures to prevent unauthorized access or the destruction of information.
• Access control/technical access control software—Assist access control support groups and systems by providing software tools and guidance to ensure adequate implementation of access control systems in meeting cybersecurity program requirements, as well as defensive systems such as firewalls and related intrusion detection systems.
• Access control/violations analysis—Monitor the use of the corporation access control software systems; identify all cybersecurity systems infractions/violations; document and report the results of questionable user and system activity for cybersecurity program inquiries.
• Cybersecurity tests and evaluation/cybersecurity program systems documentation—Conduct cybersecurity tests and evaluations on stand-alone (nonnetworked) systems to ensure that the systems are processing in accordance with applicable cybersecurity program-approved procedures.
Qualifications: This position normally requires a bachelor's degree in a cybersecurity-related profession.
3. Systems Security Analyst
Position summary: Identify, schedule, administer, and perform assigned technical cybersecurity analysis functions to ensure all applicable requirements are met.
Duties and responsibilities:
a. Represent the cybersecurity program to other organizations on select cybersecurity program-related matters.
b. Provide advice, guidance, and assistance to managers, system users, and system custodians relative to cybersecurity program matters.
c. Provide general advice and assistance in the interpretation of cybersecurity program requirements.
d. Identify all cybersecurity program requirements necessary for the protection of all information processed, stored, and/or transmitted by the information systems; develop and implement plans, policies, and procedures necessary to ensure compliance.
e. Identify current cybersecurity program functional processes and develop automated tools to support those functions.
f. Analyze manual cybersecurity program functions and provide recommendations and reports of the analyses to cybersecurity management.
g. Maintain, modify, and enhance automated cybersecurity program functional systems of cybersecurity tests and evaluations, risk assessments, software/hardware evaluations, access control, and other related systems.
h. Collect, compile, and generate cybersecurity program function informational reports and briefing packages for presentation to customers and management.
i. Perform other functions as assigned by cybersecurity management.
Position requires being assigned to perform duties in the following areas:
• Access control/technical access control software—Administer and maintain user access control systems by providing controls, processes, and procedures to prevent the unauthorized access, modification, disclosure, misuse, manipulation, or destruction of the corporation's information, as well as defensive systems such as firewalls and related intrusion detection systems.
• Access control/violations analysis—Administer and monitor the use of the corporation's access control software systems; analyze all systems cybersecurity program infractions/violations; document and report the results of questionable user and system activity for cybersecurity program inquiries.
• Noncompliance inquiry—Identify and analyze cybersecurity program business practice irregularities and cybersecurity program violations/infractions; conduct detailed inquiries; assess potential damage; monitor corrective action; and recommend preventive, cost-effective measures to preclude recurrences.
• Risk assessment—Perform limited risk assessments of cybersecurity program systems and processes; determine their threats, vulnerabilities, and risks; and recommend cost-effective risk mitigation solutions.
• Cybersecurity tests and evaluation/cybersecurity program system documentation—Schedule and conduct cybersecurity program tests and evaluations on stand-alone (nonnetworked) systems to ensure that the systems are processing in accordance with applicable cybersecurity program-approved procedures.
Qualifications: This classification normally requires a bachelor's degree in a cybersecurity-related profession and at least 2 years of practical experience.
4. System Security Analyst Senior
Position summary: Identify, evaluate, conduct, schedule, and lead technical cybersecurity analysis functions to ensure that all applicable corporation cybersecurity program requirements are met.
Duties and responsibilities:
a. Provide technical analysis of cybersecurity program requirements necessary for the protection of all information processed, stored, and/or transmitted by systems; interpret those requirements; and translate, implement, and administer division plans, policies, and procedures necessary to ensure compliance.
b. Represent the cybersecurity program on security matters with other entities as assigned.
c. Provide advice, guidance, and assistance to senior management, system managers, and system users and custodians relative to cybersecurity program matters.
d. Perform other functions as assigned by cybersecurity management.
Position requires being assigned to perform duties in the following areas:
• Access control/technical access control software—Implement, administer, and maintain systems' user access control systems through the use of controls, processes, and procedures to prevent their unauthorized access, modification, disclosure, misuse, manipulation, and/or destruction, as well as defensive systems such as firewalls and related intrusion detection systems.
• Access control/violations analysis—Coordinate, administer, and monitor the use of systems' access control systems; analyze systems security infractions/violations employing statistical and trend analyses and report the results.
• Cybersecurity program awareness—Prepare, schedule, and present cybersecurity program awareness briefings to systems managers, custodians, and users. Act as focal point for dissemination of cybersecurity program information through all forms of media.
• Disaster recovery—Coordinate and ensure compliance with system disaster recovery/contingency plans to ensure the rapid recovery of systems in the event of an emergency or disaster.
• Hardware and software cybersecurity program evaluations—Evaluate all hardware, firmware, and software for impact on the cybersecurity program of the systems; monitor and ensure their modification if requirements are not met; and authorize their purchase and use within the corporation.
• Noncompliance inquiry—Identify and conduct technical analyses of cybersecurity program business practices and violations/infractions; plan, coordinate, and conduct detailed inquiries; assess potential damage; and develop and implement corrective action plans.
• Risk assessments—Conduct limited cybersecurity technical risk assessments; prepare reports of the results for presentation to management.
• Cybersecurity tests and evaluations/cybersecurity program documentation—Schedule and conduct cybersecurity tests and evaluations to ensure that all the applicable systems are operating in accordance with cybersecurity program requirements.
• Technical countermeasures—Conduct technical surveys and determine necessary countermeasures related to physical information leakage; conduct sound attenuation tests to ensure that information processing systems do not emanate information beyond the corporation's zone of control.
Qualifications: This classification normally requires a bachelor's degree in a cybersecurity-related profession and 4 years of practical, related experience.
5. System Security Analyst Specialist
Position summary: Act as technical cybersecurity program advisor, focal point, and lead to ensure all cybersecurity program functions are meeting the corporation requirements, as well as developing and administering applicable programs.
Duties and responsibilities:
a. Act as technical advisor for cybersecurity program requirements necessary for the protection of all information processed, stored, and/or transmitted by systems; interpret those requirements; and translate, document, implement, and administer the corporation cybersecurity program plans, policies, and procedures necessary to ensure compliance.
b. Represent the cybersecurity program on security matters with other entities as assigned.
c. Provide advice, guidance, and assistance to senior management, IT managers, system users, and system custodians relative to cybersecurity program matters.
d. Perform other functions as assigned by cybersecurity management.
Position requires being assigned to perform duties in a combination of the following areas:
• Access control/technical access control software—Implement, administer, and maintain systems' user access control systems through the use of controls, processes, and procedures to prevent their unauthorized access, modification, disclosure, misuse, manipulation, and/or destruction, as well as defensive systems such as firewalls and related intrusion detection systems.
• Cybersecurity program awareness—Prepare, schedule, and present cybersecurity program awareness briefings to system managers, custodians, and users. Act as focal point for dissemination of cybersecurity program information through all forms of media.
• Disaster recovery—Coordinate and ensure compliance with system disaster recovery/contingency plans to ensure the rapid recovery of systems in the event of an emergency or disaster.
• Hardware and software cybersecurity program evaluations—Evaluate all hardware, firmware, and software for impact on the cybersecurity program of the systems; monitor and ensure their modification if requirements are not met; and authorize their purchase and use within the corporation.
• Risk assessments—Conduct limited cybersecurity program technical risk assessments; prepare reports of the results for presentation to management.
• Cybersecurity tests and evaluations/cybersecurity program documentation—Schedule and conduct cybersecurity tests and evaluations to ensure that all the applicable systems are operating in accordance with cybersecurity program requirements.
• Technical countermeasures—Conduct technical surveys and determine necessary countermeasures related to physical information leakage; conduct sound attenuation tests to ensure that information processing systems do not emanate information beyond the corporation's zone of control.
Qualifications: This classification normally requires a bachelor's degree in a cybersecurity program-related profession and 6 years of cybersecurity program experience.
6. System Security Engineer
Position summary: Act as a technical systems management consultant, focal point, and project lead for cybersecurity program functions and programs developed to ensure the corporation's requirements are met.
Duties and responsibilities:
a. Act as a lead in the identification of government, customer, and corporation cybersecurity program requirements necessary for the protection of information processed, stored, and/or transmitted by the corporation's systems; interpret those requirements; and develop, implement, and administer the corporation cybersecurity program plans, policies, and procedures necessary to ensure compliance.
b. Represent the cybersecurity program office, when applicable, on cybersecurity program matters, as well as serving as the corporation's liaison with customers, government agencies, suppliers, and other outside entities.
c. Provide advice, guidance, and assistance to senior and executive management, the corporation's subcontractors, and government entities relative to cybersecurity program matters.
d. Provide technical consultation, guidance, and assistance to management, systems users, and cybersecurity program software systems by providing controls, processes, and procedures.
e. Establish, direct, coordinate, and maintain a disaster recovery/contingency program for the corporation that will mitigate systems and information losses and ensure the successful recovery of the system and information with minimal impact on the corporation.
f. Act as lead for the technical evaluation and testing of hardware, firmware, and software for impact on the security of the systems; direct and ensure their modification if requirements are not met; authorize their purchase and use within the corporation and approve them when in conformance.
g. Develop or direct the development of original techniques, procedures, and utilities for conducting cybersecurity program risk assessments; schedule and conduct cybersecurity program risk assessments and report results to management.
h. Direct and/or lead others in conducting technical cybersecurity program countermeasure surveys to support cybersecurity program requirements and report findings.
i. Direct and administer cybersecurity tests and evaluations programs to ensure that the applicable systems are operating in accordance with cybersecurity program requirements.
j. Provide technical consultation and assistance in identifying, evaluating, and documenting use of systems and other related equipment to ensure compliance with communications requirements.
k. Investigate methods and procedures related to the cybersecurity program aspects of microcomputers, local area networks, mainframes, and their associated connectivity and communications.
l. Identify and participate in evaluation of microcomputer and local area network cybersecurity program implementations, including antivirus and disaster recovery/contingency planning functions.
m. Perform development and maintenance activities on cybersecurity program-related databases.
n. Recommend and obtain approval for procedural changes to effect cybersecurity program implementations with emphasis on lowest cost/minimum risk.
o. Lead and direct cybersecurity personnel in the conduct of systems cybersecurity program audits.
p. Participate in the development and promulgation of cybersecurity program information for general awareness.
q. Perform other functions as assigned by the cybersecurity manager.
Position requires being assigned to perform duties in the following area:
• Supervisor, project leader—Provide assistance, advice, guidance, and act as technical specialist relative to all cybersecurity technical functions.
Qualifications: This classification normally requires a bachelor's degree in a cybersecurity-related profession and a minimum of 10 years of cybersecurity program-related experience.
Recruiting Cyber Security Professionals
Once the cybersecurity officer had gotten the cybersecurity organizational structure and the cybersecurity job family functional descriptions both approved, the next task was to begin recruiting and hiring qualified cybersecurity professionals.
Hold it! Not so fast! The cybersecurity officer must first determine the following:
• How many cybersecurity professionals are needed?
• What functions will they perform?
• How many are needed in each function?
• How many are needed in what pay code?
• How many should be recruited for the off-site location?
• Does the off-site location or main plant have the highest priority?
The cybersecurity officer must plan for the gradual hiring of personnel to meet the cybersecurity program and cybersecurity organizational needs based on a prioritized listing of functions. Obviously, a mixture of personnel should be considered. One or two high-level personnel should be hired to begin establishing the basic cybersecurity program and cybersecurity processes. Personnel who meet the qualifications of a system security engineer should be hired immediately. At least two should be hired. One would be the project lead to begin the process of establishing the formal functions of one of the cybersecurity subordinate organizations, and the other would do the same for the other cybersecurity organization. At the same time, the access control function positions should be filled, as they represent the key cybersecurity program mechanism of access control.
Functions such as risk management, noncompliance inquiry, and the awareness program could come later. The rationale used by the cybersecurity officer for this decision was that cybersecurity program policies had not been established, so there was nothing on which to base noncompliance inquiries or an awareness program. The next position to be filled, after the two systems security engineers and access control personnel, was the position of the emergency planning, disaster recovery planning, and contingency planning specialist.
The cybersecurity officer reasoned that while access controls were being tightened up and analyzed, the engineers were beginning to build the process for each function, with much of the access control process development being done with the assistance of the access control administrators. In the event of a disaster, the systems must be up and operational in as short a time period as possible. This is crucial to the well-being of the corporation.
Unfortunately, the type of individual the cybersecurity officer would ideally want to employ is not usually readily available. In addition, the corporation's policy is one of "promote from within" whenever possible. So, although a more qualified individual may be available from outside the corporation, the cybersecurity officer may have to transfer a less qualified individual currently employed within the corporation, because that person does meet the minimum requirements for the position—at least as interpreted by the HR personnel.
The cybersecurity officer soon began to realize that compromise and coordination were a must if there was to be even a slight chance of succeeding in building the corporation cybersecurity program. Based on a self-evaluation, the cybersecurity officer decided to find as many people as possible within the corporation who were willing to transfer and who met the minimum requirements for a cybersecurity program position. The cybersecurity officer soon learned why the job descriptions approved through the HR Department include words such as "normally" and "equivalent." The cybersecurity officer naively thought that those words would assist in bringing in cybersecurity professionals. It never entered the cybersecurity officer's mind that others could also use the position descriptions to help recruit personnel—some who would just barely meet the minimum requirements!
For the cybersecurity officer who is trying to quickly build a cybersecurity program and cybersecurity organization, the compromises on staff selection may help or they may hurt. In either case, it is important to begin the hiring process quickly.
Identifying In-House Cyber Security Candidates
Those individuals within the corporation organizations who have been providing access control in either a full- or a part-time position for their department's local area networks may be good access control candidates.
The IT Department may also be a place to "recruit" (make personnel aware of the positions available) cybersecurity candidates. The audit and cybersecurity organizations may also provide places to find cybersecurity candidates.
A word of caution to the cybersecurity officer: Most managers do not take kindly to recruiting of their employees, as it means they will be short-handed until they can find replacements. In addition, the cybersecurity officer should beware of individuals whom the managers recommend. These may just be the people that the manager has been trying to find some way to get rid of for some time!
The cybersecurity officer has enough problems building a cybersecurity program, establishing and managing a cybersecurity organization, handling the day-to-day cybersecurity program problems, attending endless meetings, trying to hire a professional cybersecurity program staff, and having to transfer personnel who don't meet the cybersecurity officer's expectations, without then being saddled with an employee recommended by another manager who turns out to be a "difficult" employee.
A difficult employee will occupy more of the cybersecurity officer's time than three other staff members combined. It seemed that the corporation IT Department had a penchant for this. So, beware of geeks bearing gifts!
Identifying Outside Cyber Security Candidates
There are many sources that can be used to recruit talented cybersecurity professionals, many limited only by imagination and budget (especially budget!). Regardless of how or where you recruit, the recruitment must be coordinated with the HR staff.
To recruit cybersecurity personnel, the Controller must validate and approve (on another form, of course) that there is budget set aside for the cybersecurity organization to hire staff.
Then, once that hurdle is jumped, the HR personnel must validate that you have completed the necessary form describing the position you want to hire against, the minimum qualifications, and the pay range for that position. Luckily, all the cybersecurity officer has to do in this case is basically transcribe the general position description onto the new HR form used for recruiting candidates and advertising the position.
Just as the corporation cybersecurity officer thought that the door was now flung wide open to recruit cybersecurity professionals, one of the HR personnel walked up to the cybersecurity officer and mentioned how boring the HR job was, and that it would be nice to transfer to another, more exciting organization—and the cybersecurity job seemed to be a very exciting one. Experience? Well, of course the person is proficient in using a computer! Another often-found problem is the manager or staff member who has a cousin just graduating from college who would be perfect for the cybersecurity position.
The cybersecurity officer soon began to realize that building and managing an outstanding, state-of-the-art cybersecurity program and a cybersecurity organization staffed by talented cybersecurity professionals might become more of a dream than a reality.
Once the cybersecurity officer was able to fend off these and similar charges, the recruitment effort within and outside the corporation could start in earnest! Among the ways to recruit cybersecurity professionals are:
• Local advertisement in trade journals, newspapers, etc.,
• Hiring a consulting firm to find the right people,
• Passing the word among colleagues,
• Asking cybersecurity associations to pass the word, and
• Using the Internet to advertise the position.
With a few cybersecurity personnel on board, the cybersecurity officer could begin to work on the cybersecurity program and also begin work on developing the baseline processes and functions with the cybersecurity organization.
Questions to Consider
Based on what you have read, consider the following questions and how you would reply to them:
• Do you have a formal, that is, documented cybersecurity program?
• If not, why not?
• What would you consider as the benefits of such a plan?
• What would you consider as the negatives of such a plan?
• Have you ever briefed executive management on cybersecurity-related matters?
• Do you identify the costs of staffing and providing cybersecurity functions using a cost–benefit risk management process?
• If you were to develop a cybersecurity program for the corporation, what would you do differently from what was stated in this chapter?
• If you could build and manage a cybersecurity organization for the corporation, how would the structure compare to the one cited in this chapter, and why?
• How would you manage the off-site locations—for example, would you manage them from the corporate office, or ask some off-site manager to matrix manage the staff for you?
• What other job descriptions would you add to the ones provided?
• What other duties and responsibilities would you add to the job descriptions provided in this chapter?
• Do you know how to successfully work with HR staff to meet their requirements and also effectively and efficiently get your objectives accomplished?
Summary
Once plans were in place, the cybersecurity officer could begin to develop a cybersecurity organization to support the cybersecurity program. To do so, the cybersecurity officer must understand the following:
• Establishing an effective and efficient cybersecurity organization and program requires a detailed analysis and integration of all the information that has been learned through the entire process of becoming a cybersecurity officer at the corporation.
• Determining the need for cybersecurity subordinate organizations requires detailed analysis of the corporation's environment and an understanding of how to successfully apply resource allocation techniques to the cybersecurity functions.
• Once the need for cybersecurity subordinate organizations is determined, the cybersecurity officer must determine what functions go in what organizations.
• Establishing a formal cybersecurity organization and cybersecurity job family requires cooperation with HR organizations and others; patience and understanding are mandatory.
• A cybersecurity officer who establishes a new organization for a corporation will be compelled to live within a less than ideal corporate world in which forms and bureaucracies rule the day. To survive, the cybersecurity officer must understand how to use those processes efficiently and effectively to succeed.
• In most corporations, currently employed personnel who desire a cybersecurity position, and who meet the minimum cybersecurity requirements, must be hired before hiring an individual from the outside.
• Recruiting qualified cybersecurity professionals can be accomplished only through a widespread recruitment effort, using many marketing media; and successful advertisement is sometimes a matter of how much recruitment budget is available.
1 Petronius Arbiter (27–66), Roman satirist. Satyricon (first century), as quoted in Microsoft's Encarta World.
2 Some of the information from this section was modified from Dr. Gerald L. Kovacich's book coauthored with Edward P. Halibozek, The Manager's Handbook for Corporate Security: Establishing and Managing a Successful Information Assets Protection Program, published by Butterworth–Heinemann, 2003; now pending publication of a second edition.
3 You may wonder why we go into such detail as to who is hired to do what or how it is done at the corporation. The reason is to provide, as nearly as possible, real-world experiences to the reader. Such information helps the reader by providing information that can be applied in real corporations; it also develops an overall knowledge of establishing and managing a corporate information assets protection program. In this case, a cybersecurity officer may look for someone to write policies by first looking for someone who knows security, when in fact it is more important to hire someone who can write policy. What to write will come from many sources. The policy specialist will not operate in a vacuum. How to write in clear and concise terms without ambiguities is the key.
4 It is easy to take for granted the work of the staff. As a cybersecurity officer you should be sensitive to that and never forget to say thanks once in a while. It doesn't take a lot of effort, and it pays great dividends. Just like you, employees like to know they are appreciated.
5 Of course, this list is just a sample, as the topics would be based on the corporation, the corporate culture, and the methods used for publishing and implementing directives within each corporation.
6 The physical security aspects of the requirements would have been coordinated with the applicable Security Department managers, since they have the responsibility for the physical security of the corporation assets. The cybersecurity officer's rationale was that physical security should be addressed in this document, because it is a basic protection process. The Director of Security agreed and approved that process.
7 Cyril Northcote Parkinson (1909–1993), British political scientist, historian, and writer. Parkinson's Law (1958), as quoted in Microsoft's Encarta World.
8 Since each corporation has a somewhat different forms bureaucracy, no attempt will be made here to complete any forms. Those readers who have had to make any changes in an organization can appreciate the maze the cybersecurity officer must now go through.
9 The cybersecurity officer decided that the priority of the cybersecurity program was the systems and information at the corporation's own facilities. The sticky problem of dealing with cybersecurity program issues, such as subcontractors and customers, would have to wait. The cybersecurity officer reasoned that with a successful, professional program in place, it would be easier to gain the cooperation of those outside the corporation.
10 Because of its off-site location, this position requires cybersecurity program functions to be performed that are similar to or the same as most functions noted for the entire cybersecurity program organization.
CHAPTER 9
Determining and Establishing Cyber Security Functions
Abstract
We began this section of the book with an overview of the duties and responsibilities of the cybersecurity officer and then discussed establishing a cybersecurity program and the related cybersecurity plans and organization. We will continue the trend to narrow the focus: This chapter describes a process to determine what cybersecurity functions are needed to successfully establish a cybersecurity program and related organization, as well as how to incorporate those functions into the cybersecurity organization's day-to-day level-of-effort work.
Keywords
Access control systems; Business information; Corporate information; Cyber security officer; Firmware; Hardware; National security information; Personal/private information; Software; Valued information
Work is necessary for man. Man invented the alarm clock.
Pablo Picasso1
CONTENTS
Introduction
Processes
Valuing Information
How to Determine the Value of Corporate Information
Why Is Determining Information Value Important?
The Value of Information
Three Basic Categories of Information
Types of Valued Information
Determining Information Value
Business Information Types and Examples
Questions to Ask When Determining Value
International Widget Corporation (IWC) Cyber Security Program Functions Process Development
Requirements Identification Function
Cyber Security Officer's Cyber Security Program Functions
Awareness Program
Awareness Briefings
Continuing Awareness Material
Access Control and Access Control Systems
Access Control Systems
Evaluation of All Hardware, Firmware, and Software
Risk Management Program
What Is Risk Management?
Risk Management Process
Recommendations to Management
Risk Management Reports
Security Tests and Evaluations Program
Noncompliance Inquiries
Contingency and Emergency Planning and Disaster Recovery Program
What Is It?
Why Do It?
How Do You Do It?
The CEP-DR Planning System
Test the Plan
Questions to Consider
Summary
Introduction
There are many different ways to configure a cybersecurity organization, and there are many ways to configure the cybersecurity functions that are part of that organization. Many cybersecurity officers begin establishing a cybersecurity organization, or "inherit" one, without looking at the need for the various functions and from where that need was derived. As stated earlier, all functions should be derived from one or more of the following requirements (drivers):
• Laws,
• Regulations,
• Best business practices,
• Best cybersecurity practices,
• Ethics,
• Privacy needs, and
• Corporate policies.
When developing or reorganizing a cybersecurity program, one can consider one of three basic structures as they relate to the cybersecurity program organization that the cybersecurity officer will manage and lead. The three basic options are:
• Centralized cybersecurity program organization under the cybersecurity officer,
• Decentralized organization throughout the corporation, or
• A combination of the two.
One of the major factors in deciding what philosophy and approach to take is the culture of the corporation, as well as the charter of the cybersecurity officer spelling out the cybersecurity officer's duties and responsibilities. The cybersecurity officer must remember that the more centralized the organization, the more problems and work for the cybersecurity officer and staff. The old adage "If you want it done right, do it yourself" may work for some, but as a cybersecurity officer, that approach will bring you more stress than usual. In addition, you will definitely age exponentially. Developing and maintaining a protected information environment for the corporation require the support and active involvement of all employees. Sometimes a cybersecurity officer forgets that and tries to take on the entire protection matter instead of leading a corporate team effort. Such an approach leads to more problems than solutions for developing and maintaining a protected information environment.
So, what should you do? The best approach seems to be a combination. For example, this corporate cybersecurity officer decided that the overall information and information systems protection logically should be centralized under the cybersecurity officer and cybersecurity program staff. After all, they have the experience and know-how to lead this effort. However, at the same time, why get burdened with trying to write and maintain current cybersecurity program procedures that must be implemented by the departments to comply with those cybersecurity program policies? So, procedures written for compliance, as previously stated, will be the responsibility of the corporate departments. Their adequacy will be determined through audits, cybersecurity program tests and evaluations, noncompliance inquiries, and the like.
In addition, the corporate departments will be responsible for developing, implementing, and maintaining the processes that are an integral part of the procedures needed to comply with the cybersecurity program.
Processes

The cyber security officer, as an organizational manager, must also develop procedures, functions, and processes to comply with the cyber security program policies. In addition, the cyber security officer must lead the effort to develop functions that the cyber security program organization will perform to lead and support the corporate cyber security program.
This cyber security officer decided that the best approach is through the drivers' (cyber security program requirements) baseline. So, based on the drivers, one is then able to develop a “needs” statement or statements. These can be set forth in various ways, such as the vision, mission, and quality statements, and incorporated into plans, for example, strategic, tactical, and annual, as previously discussed. Regardless of how and in what form you state these needs for the cyber security program, they must support corporate plans, policies, objectives, and goals and must also eventually be tied to action items.
These action items are then analyzed and implemented, for example, established as cyber security program functions that are then incorporated into the cyber security officer's cyber security program organization as its charter of responsibilities and accountabilities, as stated in the previous chapter. One step to look at is the process. A process is basically “a series of actions directed toward a particular aim.”[2] After the drivers and needs are identified, the cyber security officer must establish a process for meeting the identified requirements. The process is basically the details of how a function is to be performed.
The action items should be part of a formal project management program in which, as stated earlier, you, as the cyber security officer, determine that there is a need for some sort of cyber security program action that will take time and must be incorporated into the cyber security program organization. Remember, the project plans have:
• Objectives to accomplish,
• Beginning and ending dates,
• Tasks identified and assigned,
• Personnel assigned to tasks,
• Budget allocated, and
• Time allocated for completing those tasks.
There are many cyber security program-related functions; however, at this corporation, the cyber security officer determined that the functions identified in the cyber security officer's charter were the main functions that were driven by or related to the baseline cyber security program. Therefore, they are the basic functions that should be established, and a flow process description should be developed relative to how the functions should be performed. For example[3]:
• Cyber security program requirements identification;
• Cyber security program plans, policies, processes, and procedures;
• Awareness education and training;
• Access control;
• Evaluation of hardware, firmware, and software for impact on the security of the information systems;
• Security tests and evaluations;
• Noncompliance inquiries;
• Risk management; and
• Disaster recovery/contingency planning.
Valuing Information

Before addressing the cyber security program functions, the cyber security officer determined that to provide an effective cyber security program with the least impact to cost and schedule, it is important to establish a process to determine the value of information.
The cyber security officer's reasoning was that no information should be protected any more than is necessary. The rationale used by the cyber security officer was as follows:
The value of information is time dependent. In other words, information has value for only a certain period of time. Information relative to a new, unique corporate widget must be highly protected, and that includes the electronic drawings, diagrams, processes, etc. However, once the new widget is announced to the public, complete with photographs of the widget, selling price, etc., much of the protected information no longer needs protection.
The protection that information once required to maintain the secrecy of the new widget can now be eliminated. This will save money for the corporation because cyber security program costs are a parasite on the profits of the corporation. Those costs must be reduced or eliminated as soon as possible. It is the task of the cyber security officer and staff to continuously look for methods to accomplish this objective.

How to Determine the Value of Corporate Information

Determining the value of the corporation's information is a very important task, but one that is seldom done with any systematic, logical approach by a company. However, the cyber security officer believed that to provide the program the corporation required, this task should be undertaken.
The consequences of not properly classifying the information could lead to overprotection, which is costly, or underprotection, which could lead to the loss of that information and thus of profits.
To determine the value of information, the cyber security officer must first understand what is meant by information and what is meant by value. The cyber security officer must also know how to properly categorize and classify the information, and what guidelines are set forth by government agencies or businesses for determining the value and protection requirements of that information. In addition, how the information owners perceive the information and its value is crucial to classifying[4] it.

Why Is Determining Information Value Important?

If the information has value, it must be protected; protection is expensive. One should protect only that information which requires protection, only in the manner necessary based on the value of that information, and only for the period required.

The Value of Information

One might ask, “Does all the information of a company or government agency have value?” If you, as the corporate cyber security officer, were asked that question, what would be your response? The follow-on question would be “What information does not have value?” Is it that information which the receiver of the information determines has no value? When the originator of the information says so? Who determines whether information has value?
These are questions that the cyber security officer must ask, and answer, before trying to establish a process to set a value to any information. As you read through this material, think about the information where you work, how it is protected, why it is protected, etc.
The cyber security officer knows that a centralized approach would not work for valuing information, as every piece of information must be analyzed according to a specific criterion, identified according to a certain protective category, such as corporate-sensitive, and then marked and protected accordingly. The cyber security officer knew that the best approach was to set the criteria and guidelines for the identification, marking, transmission, storage, and destruction of corporate information and have the information owners identify the information that they produce and, following the policy guidelines in the cyber security program, protect that information. Those criteria and requirements would be developed as part of the cyber security officer's project team, which would also include various department representatives, such as manufacturing, procurement, legal, security, finance, and planning.
The holder of the information may determine the value of the information. Each person places a value on the information in his or her possession. The information that is necessary to successfully complete a person's work is very valuable to that person; however, it may not be very valuable to anyone else. For example, to an accountant, the accounts payable records are very important, and without them, the accountants could not do their job. However, for the person manufacturing the company's product, that information has little or no value.
Ordinarily, the originator determines the value of the information, and that person categorizes or classifies that information, usually in accordance with the established guidelines.

Three Basic Categories of Information

Although there are no standard categories of information, most people agree that information can logically be categorized into three categories:
• Personal, private information;
• National security (both classified and unclassified) information (addressed in Chapter 12); and
• Business information.
Personal, private information is an individual matter, but also a matter for the government and businesses. People may want to keep private such information about themselves as their age, weight, address, cellular phone number, salary, and likes and dislikes.
At the same time, many countries have laws that protect information under some type of “privacy act.” In businesses and government agencies, it is a matter of policy to safeguard certain information about employees, such as their ages, addresses, and salaries. Therefore, this requirement (cyber security program driver) must be considered in developing the information value and protection policy and guidelines.
Although the information is personal to the individual, others may require that information. At the same time, they have an obligation to protect that information because it is considered to have value.
Business information also requires protection based on its value. At this corporation, this information was sometimes categorized as follows:
• Corporate–confidential,
• Corporate–internal use only,
• Corporate–private,
• Corporate–sensitive,
• Corporate–proprietary, and
• Corporate trade secret.
The number of categories used will vary with each company; however, the fewer categories, the fewer problems in classifying information and also, possibly, the fewer problems in the granularity of protection required. Again, this is a cost-item consideration. The cyber security officer found that internal use only, private, and sensitive (the three categories described in detail below) would meet the needs of the cyber security program.
This company information must be protected because it has value to the company. The degree of protection required is also dependent on the value of the information during a specific period of time.

Types of Valued Information

Generally, the types of information that have value to the business and that require protection include the following: All forms and types of financial, scientific, technical, economic, or engineering information, including, but not limited to, data, plans, tools, mechanisms, compounds, formulas, designs, prototypes, processes, procedures, programs, codes, or commercial strategies, whether tangible or intangible, and whether stored, compiled, or memorialized physically, electronically, graphically, photographically, or in writing.
Examples of information requiring protection may include research, proposals, plans, manufacturing processes, pricing, and product.
Determining Information Value

Based on an understanding of information, its value, and some practical and philosophical thoughts on the topic as stated above, the cyber security officer must have some sense of what must be considered when determining the value of information.
When determining the value of information, the cyber security officer must determine what it cost to produce that information. Also to be considered is the cost in terms of damages caused to the company if it were to be released outside protected channels. Additional consideration must be given to the cost of maintaining and protecting that information. How these factors are combined determines the value of the information. Again, don't forget to factor in the time element.
There are two basic assumptions to consider in determining the value of information: (1) All information costs some type of resource(s) to produce, for example, money, hours, or use of equipment; and (2) not all information can cause damage if released outside protected channels.
If the information costs to produce (and all information does) and no damage is done if it is released, you must consider, “Does it still have value?” If it costs to produce the information, but it cannot cause damage if it is released outside protected channels, then why protect it?
The time factor is a key element in determining the value of information and cannot be overemphasized. Let's look at an example in which information is not time dependent—or is it? There is a company picnic to take place on May 22, 2016. What is the value of the information before, on, or after that date? Does the information have value? To whom? When?
If you're looking forward to the company's annual picnic, as is your family, the information as to when and where it is to take place has some value to you. Suppose you found out about it the day after it happened. Your family would be disappointed, they would be angry at you for not knowing, you would feel bad, etc. To the company, the information had “no value.” However, the fact that the employee did not receive that information caused him or her to be disgruntled and blame the company for his or her latest family fight. Based on that, the employee decided to slow down his or her productivity for a week.
This is a simple illustration, but it indicates the value of information depending on who has and who does not have that information, as well as the time element. It also shows that what is thought to be information not worth a second thought may have repercussions costing more than the value of the information.
The following is another example: A new, secret, revolutionary widget built to compete in a very competitive marketplace is to enter the market on January 1, 2017. What is the value of that information on January 2, 2016?
Again, to stress the point, one must consider the cost to produce the information and the damage done if that information were released.
If it cost to produce and can cause damage if released, it must be protected. If it cost to produce, but cannot cause damage if released, then why protect it? At the same time, be sensitive to dissemination. Information, to have value, to be useful, must get to the right people at the right time.

Business Information Types and Examples

Types of internal use only information:
• Not generally known outside the company,
• Not generally known through product inspection,
• Possibly useful to a competitor, and
• Provides some business advantage over competitors.
Examples are the company telephone book, company policies and procedures, and company organizational charts.
Types of private information:
• Reveals technical or financial aspects of the company,
• Indicates the company's future direction,
• Describes portions of the company's business,
• Provides a competitive edge, and
• Identifies personal information of employees.
Examples are personnel medical records, salary information, cost data, short-term marketing plans, and dates for unannounced events.
Types of sensitive information:
• Provides significant competitive advantage,
• Could cause serious damage to the company, and
• Reveals long-term company direction.
Examples are critical company technologies, critical engineering processes, and critical cost data.

Questions to Ask When Determining Value

When determining the value of your information, you should, as a minimum, ask the following questions:
• How much does it cost to produce?
• How much does it cost to replace?
• What would happen if I no longer had that information?
• What would happen if my closest competitor had that information?
• Is protection of the information required by law, and if so, what would happen if I didn't protect it?
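The valuation rules above (cost to produce and replace, damage if released, the legal driver, the three business categories, and the time element) can be written down as a decision procedure so that information owners apply them consistently. The following is an added example, not code from the book or from IWC; the damage thresholds, the asset attributes, and the four sample assets are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Damage thresholds are assumptions for this example; a real program would set
# them with Finance and Legal as part of the classification guidelines.
SERIOUS_DAMAGE = 1_000_000.0   # release "could cause serious damage"
MODERATE_DAMAGE = 50_000.0     # release reveals a competitive edge or cost data


@dataclass
class InfoAsset:
    """One item of corporate information as described by its owner/originator."""
    name: str
    owner: str                             # originator who classifies and marks it
    cost_to_produce: float                 # resources consumed to create it
    cost_to_replace: float                 # cost if "I no longer had that information"
    damage_if_released: float              # estimated loss if it leaves protected channels
    protect_until: Optional[date] = None   # after this date, release causes no damage
    competitor_useful: bool = False        # "possibly useful to a competitor"
    reveals_tech_or_finance: bool = False
    reveals_long_term_direction: bool = False
    personal_data: bool = False            # employee data: the privacy-law driver
    legally_required: bool = False         # protection mandated by contract or law


def within_time_window(asset: InfoAsset, today: date) -> bool:
    """The time element: value exists only until protect_until (if one is set)."""
    return asset.protect_until is None or today <= asset.protect_until


def classify(asset: InfoAsset, today: date) -> Optional[str]:
    """Map an asset to one of the chapter's business categories as of `today`.

    Returns None when the information need not be protected at all, either
    because its time window has closed or because releasing it does no damage.
    """
    if not within_time_window(asset, today):
        return None
    must_protect = (asset.damage_if_released > 0 or asset.competitor_useful
                    or asset.personal_data or asset.legally_required)
    if not must_protect:
        return None  # it cost something to produce, but why protect it?
    if asset.reveals_long_term_direction or asset.damage_if_released >= SERIOUS_DAMAGE:
        return "sensitive"
    if (asset.personal_data or asset.legally_required or asset.reveals_tech_or_finance
            or asset.damage_if_released >= MODERATE_DAMAGE):
        return "private"
    return "internal use only"


def value_at(asset: InfoAsset, today: date) -> float:
    """Monetary value that caps protection spend; zero once protection is no longer needed."""
    if classify(asset, today) is None:
        return 0.0
    return max(asset.cost_to_replace, asset.damage_if_released)


def protection_justified(asset: InfoAsset, annual_protection_cost: float, today: date) -> bool:
    """Protection is a cost against profit: never spend more than the information is worth."""
    return annual_protection_cost <= value_at(asset, today)


def review(assets, today: date) -> dict:
    """Periodic review for the owners: the category each asset should carry as of `today`."""
    return {a.name: classify(a, today) for a in assets}


# Constructed sample assets (not IWC data) and two review dates from the chapter's examples.
WIDGET_DRAWINGS = InfoAsset("widget engineering drawings", "engineering",
                            cost_to_produce=2_000_000, cost_to_replace=2_000_000,
                            damage_if_released=5_000_000, protect_until=date(2017, 1, 1),
                            competitor_useful=True, reveals_tech_or_finance=True)
PAYROLL = InfoAsset("payroll records", "human resources", 20_000, 20_000, 100_000,
                    personal_data=True, legally_required=True)
PHONE_BOOK = InfoAsset("company telephone book", "facilities", 2_000, 2_000, 0,
                       competitor_useful=True)
PICNIC_NOTICE = InfoAsset("company picnic notice", "human resources", 100, 100, 0)
SAMPLE_ASSETS = [WIDGET_DRAWINGS, PAYROLL, PHONE_BOOK, PICNIC_NOTICE]
BEFORE_LAUNCH = date(2016, 1, 2)
AFTER_LAUNCH = date(2017, 1, 2)

if __name__ == "__main__":
    for when in (BEFORE_LAUNCH, AFTER_LAUNCH):
        print(when, review(SAMPLE_ASSETS, when))
```

Run on the sample set, the drawings are "sensitive" on January 2, 2016 and drop out of classification entirely on January 2, 2017, the day after the widget enters the market; the telephone book stays "internal use only" but cannot justify a 10,000 protection spend against a 2,000 replacement cost, which is the overprotection case the chapter warns about.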
International Widget Corporation (IWC) Cyber Security Program Functions Process Development

The cyber security officer has learned that the development of a new cyber security program requires the establishment of cyber security program functions for that program. Establishing a process for each function, as the first task, will assist in ensuring that the functions will begin in a logical, systematic way that will lead to a cost-effective cyber security program.

Requirements Identification Function

As previously stated, the cyber security officer has determined that the driver for any cyber security program-related function is the requirements for that function. The requirements are the reason for the cyber security program. This need is further identified and defined and is subsequently met by the establishment of the cyber security program functions.
So, to begin the functions' process identification, it is important to understand where the requirement, the need, comes from, as seen from a slightly different perspective.[5] For this corporation, it is as follows:
• A need for a cyber security program as stated by executive management to protect the corporation's competitive edge, which is based on information systems and the information that they store, process, display, and transmit;
• Contractual requirements as specified in contracts with customers, such as protecting customers' information;
• Contractual requirements as specified in contracts with subcontractors, such as protecting subcontractors' information;
• Contractual requirements as specified in contracts with vendors, such as protecting vendors' information;
• The corporation's desire to protect its information and systems from unauthorized access by customers, subcontractors, and vendors; and
• Federal, state, and local laws that are applicable to the corporation, such as requirements to protect the privacy rights of individuals and corporations as they relate to the information stored, processed, and transmitted by IWC systems.

Cyber Security Officer's Cyber Security Program Functions

The cyber security officer has gone through the process previously noted to identify the baseline functions that are needed within the cyber security program organization to support the cyber security program, which as mentioned earlier supports business needs as stated in the strategic, tactical, and annual business plans. The following paragraphs identify, describe, and discuss some of the functions identified by the cyber security officer.

Awareness Program

The cyber security officer decided to concentrate, as a high priority, on the cyber security program Education Awareness and Training Program (EATP) as a major cyber security program organizational function and also as an integral part of the cyber security program. The EATP was needed to make the users aware of the need, as well as their responsibility, to protect information and systems, and to gain the users' support in the protection of information and systems.
The cyber security officer reasoned that once the policies of the cyber security program were developed and published, the employees must be made aware of them and also why they were necessary. Only with the full support and cooperation of the employees could a successful cyber security program be established and maintained.
The awareness program process was broken into two major parts:
• Awareness briefings and
• Continuing awareness material.

Awareness Briefings

The awareness briefings included information relative to the need for information and systems protection, the impact of protecting and not protecting the systems and information, and an explanation of the cyber security program.
The cyber security officer reasoned that the awareness material and briefings, when given as a general briefing, could be used only for new employees. The general briefings failed to provide the specific information required by various groups of systems users. Thus, the awareness briefings were tailored to specific audiences as follows:
• All new hires, whether or not they used a system, the rationale being that they all handle information and come in contact with computer and telecommunication systems in one form or another;
• Managers;
• System users;
• Information Technology Department personnel;
• Engineers;
• Manufacturing personnel;
• Accounting and Finance personnel;
• Procurement personnel;
• Human Resources personnel;
• Security and Audit personnel; and
• The system security custodians (those who would be given day-to-day responsibility to ensure that the systems and information were protected in accordance with the cyber security program policy and procedures).
A process was established to identify these personnel, input their profile information into a database, and, using a standard format, track their awareness briefing attendance at both their initial briefings and their annual rebriefings. That information would also be used to provide them, through the IWC mail system, with awareness material.

Continuing Awareness Material

The cyber security officer, in concert with the Human Resources and Training staffs, decided that ensuring that employees were aware of their cyber security program responsibilities would require constant reminders. After all, information and systems protection is not the major function of most employees. However, a way must be found to remind the employees that it is a part of their function.
It was decided that awareness material could be cost-effectively provided to the employees. This was accomplished by providing cyber security program material to the employees through:
• Annual calendars,
• Posters,
• Labels for systems and disks,
• Articles published in the corporate publications such as the weekly newsletter, and
• Log-on notices and system broadcast messages, especially of cyber security program changes.
Although this EATP baseline was not all-inclusive, the cyber security officer believed that it was a good start that could be analyzed for cost-effective improvements at the end of the calendar year.
Access Control and Access Control Systems

The cyber security officer determined that access control and access control systems ranked as a high priority in establishing processes for the control of access to systems, as well as access to the information stored, processed, and transmitted by those systems. Therefore, access controls were divided into two sections:
• Access to systems and
• Access to the information on the systems.
The cyber security officer reasoned that each department created and used the corporate systems and their information. Therefore, they should be responsible for controlling access to those systems and information.
The major systems, such as the corporate-wide area network, were owned and operated by the IT Department, while individual systems and local area networks (LANs) were owned and operated by the individual departments.
As part of the cyber security program, the corporation, in coordination with other departments' managers, established a process for all employees who required access to the systems to perform their job functions. Such employees would have to obtain system access approval from their manager and from the manager or designated representative of that system and/or the information owner, such as for financial database access. The owners' approval was based on a justified need for access as stated by the employee's manager. If the system and/or information owners agreed, access was granted.
The cyber security officer had found, during the initial evaluation of the cyber security program of the corporation, that departments had logically grouped their information into categories. They had done so to control access to their own files. This made it easy for the cyber security officer, because the managers of the departments agreed that once access to systems was granted by the system owners, access to the information on those systems should be approved by the owners of those groups of files, databases, etc.
Thus, the access control process included a justification by an employee's manager stating not only what systems the employee needed access to, and why, but also what information he or she required access to in order to perform his or her job.
For the most part, this was an easy and logical process. For example, in the Accounting Department, personnel generally had access to the groups of files and databases based on their job functions—accounts payable, accounts receivable, etc.
This access control process helped maintain an audit trail of who approved access to whom and for what purposes. It also helped provide a separation of functions that is a vital component of any cyber security program. For example, an accounts payable person should not also be the accounts receivable person and the invoice processing person. Such a system would allow one person too much control over a process that can be—and has been—used for committing fraud.
The benefits of the foregoing process to the cyber security officer were that it documented an informal process that for the most part had been in place, and it also placed cyber security program responsibilities for systems and information access exactly where they belonged, with the identified owners of the systems and information.
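The approval chain just described (manager justification, system owner approval, information owner approval, an audit trail of every decision, and a separation-of-functions check on the accounting roles) is small enough to encode directly. The following is an added example, not code from the book or from IWC; the owner tables, the conflicting role set, the two employees, and the fixed timestamp are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Ownership model from the chapter: IT owns the corporate-wide network, departments
# own their own LANs, and the owners of file groups approve access to the information.
# These tables are constructed for the example, not IWC data.
SYSTEM_OWNERS = {"corp-wan": "it-dept", "acct-lan": "accounting-mgr"}
INFO_OWNERS = {
    "acct-lan/accounts-payable": "ap-supervisor",
    "acct-lan/accounts-receivable": "ar-supervisor",
    "acct-lan/invoice-processing": "ap-supervisor",
    "corp-wan/phone-book": "it-dept",
}
# Separation of functions: one person may hold at most one role from each set.
CONFLICTING_SETS = [
    frozenset({"acct-lan/accounts-payable",
               "acct-lan/accounts-receivable",
               "acct-lan/invoice-processing"}),
]

GRANTED = "granted"
DENY_NO_JUSTIFICATION = "denied: manager justification missing"
DENY_UNKNOWN_INFO = "denied: information group not on that system"
DENY_SYSTEM_OWNER = "denied: system owner approval missing"
DENY_INFO_OWNER = "denied: information owner approval missing"
DENY_SOD = "denied: separation of functions conflict"


@dataclass
class AccessRequest:
    employee: str
    requesting_manager: str   # the employee's manager, who supplies the justification
    system: str
    info_group: str           # file group / database on that system
    justification: str


@dataclass
class AccessControl:
    grants: dict = field(default_factory=dict)    # employee -> set of info groups held
    audit_trail: list = field(default_factory=list)

    def request(self, req, system_approver, info_approver, when=None):
        """Apply the approval chain; every decision, granted or not, is logged."""
        when = when or datetime.now(timezone.utc)
        decision = self._decide(req, system_approver, info_approver)
        self.audit_trail.append({
            "time": when.isoformat(), "employee": req.employee,
            "requested_by": req.requesting_manager, "system": req.system,
            "info_group": req.info_group, "system_owner_approval": system_approver,
            "info_owner_approval": info_approver, "justification": req.justification,
            "decision": decision,
        })
        if decision == GRANTED:
            self.grants.setdefault(req.employee, set()).add(req.info_group)
        return decision

    def _decide(self, req, system_approver, info_approver):
        if not req.justification.strip():
            return DENY_NO_JUSTIFICATION
        if not req.info_group.startswith(req.system + "/") or req.info_group not in INFO_OWNERS:
            return DENY_UNKNOWN_INFO
        if SYSTEM_OWNERS.get(req.system) != system_approver:
            return DENY_SYSTEM_OWNER          # system owner must sign first
        if INFO_OWNERS[req.info_group] != info_approver:
            return DENY_INFO_OWNER            # then the owner of the file group
        if self._conflicts(req.employee, req.info_group):
            return DENY_SOD
        return GRANTED

    def _conflicts(self, employee, info_group):
        held = self.grants.get(employee, set())
        return any(info_group in s and bool((held & s) - {info_group})
                   for s in CONFLICTING_SETS)

    def separation_violations(self):
        """Audit helper: employees holding more than one role of a conflicting set."""
        return sorted(e for e, held in self.grants.items()
                      if any(len(held & s) > 1 for s in CONFLICTING_SETS))


FIXED_TIME = datetime(2016, 5, 22, 9, 0, tzinfo=timezone.utc)


def demo():
    """Walk four constructed requests through the process; returns (control, decisions)."""
    ac = AccessControl()
    reqs = [
        (AccessRequest("alice", "acct-mgr", "acct-lan", "acct-lan/accounts-payable",
                       "processes vendor invoices"), "accounting-mgr", "ap-supervisor"),
        (AccessRequest("alice", "acct-mgr", "acct-lan", "acct-lan/accounts-receivable",
                       "covering for a colleague"), "accounting-mgr", "ar-supervisor"),
        (AccessRequest("bob", "acct-mgr", "acct-lan", "acct-lan/accounts-payable",
                       "new hire in AP"), "it-dept", "ap-supervisor"),
        (AccessRequest("bob", "acct-mgr", "corp-wan", "corp-wan/phone-book",
                       "needs to reach suppliers"), "it-dept", "it-dept"),
    ]
    decisions = [ac.request(r, s, i, FIXED_TIME) for r, s, i in reqs]
    return ac, decisions


if __name__ == "__main__":
    control, results = demo()
    for entry in control.audit_trail:
        print(entry["employee"], entry["info_group"], entry["decision"])
```

In the demo, Alice's second request is refused because she already holds accounts payable, and Bob's first is refused because the IT Department signed for a LAN the Accounting Department owns; both refusals are in the audit trail alongside the grants. The separation_violations helper is for the auditors: grants that bypassed the process (imported from an older system, for instance) still show up as conflicts.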
In one instance, a cyber security officer found that one manager did not want to take responsibility for a LAN in the department, and since others outside the department used the information, the manager did not want to take ownership of the information. The manager thought the IT Department should be the owner—after all, they were responsible for the maintenance of the system.
The cyber security officer in this case asked the manager if the cyber security officer could then be responsible as the owner of the systems and the information. The manager quickly agreed. The cyber security officer then told the manager that since it was now owned by the cyber security program organization, access to the systems and information would be denied to all those not in the cyber security program organization.
The manager objected, stating that the personnel in his organization needed access to those systems and their information to perform their job functions. After further discussion, the organizational manager agreed that his organization would appear to be the logical owner and subsequently accepted that responsibility.

Access Control Systems

The cyber security officer, in coordination with the IT, Security, and Audit Departments, determined that the access control systems (hardware and software) belonged to the same departments and organizations identified as the system owners. However, the cyber security program personnel would establish the detailed procedures for the access control systems and the auditors would evaluate compliance with those procedures.
The system owners agreed to this process and also to appointing a primary and alternate system custodian who would be responsible for ensuring that the cyber security program policies and procedures were followed by all those who used the systems. In addition, the custodian would review the system audit trails, which were mandatory on all corporate systems.[6]
Evaluation of All Hardware, Firmware, and Software

All new hardware, firmware, and software should be evaluated for its impact on the security of information and systems. This was determined to be necessary in a joint agreement between the cyber security officer and the IT Department personnel, auditors, and security personnel.
To perform this function with minimal impact on cost and installation schedules, it was determined that a baseline checklist would be developed and that this checklist would be completed by the suppliers of the product, in concert with the cyber security program staff. Any items that adversely affected the cyber security program would be evaluated based on a risk assessment, using the approved risk management and reporting process.
The process included completion of the baseline cyber security program checklist and a technical evaluation by cyber security program personnel in concert with IT personnel. If the item (hardware, software, etc.) was considered risk-acceptable, it was approved for purchase.
If the item was not risk-acceptable, the risk management process identified countermeasures. Although this process generally approves the purchase of almost all items, some items might have an unacceptable level of risk, but would still be accepted because of their value to the company. In those instances, special audit trails could be created to monitor the use of the item. In any case, the cyber security officer understood that it is always better at least to know that a system is vulnerable than not to know the vulnerability existed until it was too late.
The cyber security officer identified several potential processes relative to new, modified, or upgraded systems' hardware, software, and firmware implementation in which the protection of information and information systems could be subject to increased vulnerabilities. The cyber security officer decided to form a project team to evaluate these and other processes. The project team would include the cyber security officer's staff specialist as the project lead, as well as IT representatives, department representatives, a procurement representative, a contracts representative, and a legal representative. These representatives were chosen for the following reasons:
• IT: They are responsible for the major systems, such as intranets and Internet interfaces.
• Departments: They are responsible for their own stand-alone systems, such as microcomputers, and for their own LANs that are not connected outside the department.
• Procurement: They are responsible for ordering the hardware, software, and firmware.
• Contracts: They, based on cyber security officer coordination, include cyber security program-related specifications and clauses in the corporate contracts, such as software from a vendor certified free of malicious code. Furthermore, if a product is vulnerable or increases the systems' vulnerabilities, the contract may call for the vendor to patch the software or provide the source code for programmers to patch the code.
• Legal: They are responsible for ensuring that all issues related to contracts and procurement matters mandating cyber security program criteria are stated in such a way as to ensure their enforcement through legal means.
Risk Management Program

The objective of the risk management program is to maximize security and minimize cost through risk management.

What Is Risk Management?

Because it is the baseline for all of the cyber security officer's decisions relative to information and systems protection, the cyber security officer decided to formalize the function of risk management as an integral part of the cyber security program and the cyber security program organization.
The cyber security officer knew that for corporate employees, especially management, to understand the philosophy behind how cyber security program-related decisions were made, they should have some basic grasp of the risk management philosophy. Thus, the cyber security officer directed that this topic be an integral part of the cyber security program and EATP. The cyber security officer knew that to understand the risk management methodology, one must first understand what risk management means. The cyber security officer defined risk management as the total process of identifying, controlling, and eliminating or minimizing uncertain events that may affect system resources. It includes risk assessments; risk analyses, including cost–benefit analyses; target selection; implementation and testing; security evaluation of safeguards; and overall cyber security program review.
The cyber security officer established the objective of the risk management process as follows: to provide the best protection of systems and the information they store, process, display, and/or transmit at the lowest cost consistent with the value of the systems and the information.

Risk Management Process

Remember that the cyber security program is a corporate program made up of professionals who provide service and support to their company. Therefore, the risk management process must be based on the needs of customers.
Also, the cyber security officer wanted to be sure that the risk management concepts, program, and processes were informally and formally used in all aspects of the cyber security program, including when and how to do awareness briefings and the impact of information systems security policies and procedures on the employees.
The following steps should be considered in the cyber security officer's process:
1. Management interest: Identify areas that are of major interest to executive management and customers; approach from a business point of view. So, the process should begin with interviews of your internal customers to determine what areas of the cyber security program are adversely affecting their operations the most. Then, target those areas first as the starting point for the risk management program.
2. Identify specific targets: Software applications, hardware, telecommunications, electronic media storage, etc.
3. Identify input sources: Users, system administrators, auditors, security officers, technical journals, technical bulletins, risk assessment application programs, etc.
4. Identify potential threats: Internal and external, natural or human-made.
5. Identify vulnerabilities: Through interviews, experience, history, testing.
6. Identify risks: Match threats to vulnerabilities with existing countermeasures, verify, and validate.
7. Assess risks: Acceptable or not acceptable, identify residual risk, and then certify the process and gain approval. If the risks are not acceptable, then:
• Identify countermeasures,
• Identify each countermeasure's costs, and
• Compare countermeasures, risks, and costs to mitigated risks.
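Steps 6 and 7 (match threats to vulnerabilities, decide whether each risk is acceptable, and compare countermeasure cost against the risk it removes) can be carried through with the usual annualized-loss arithmetic so that the recommendation to management is traceable. The following is an added example, not code from the book or from IWC; the single-loss and annual-rate figures, the countermeasure costs and effectiveness fractions, and the acceptable-loss threshold are assumptions constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    """Step 6: a threat matched to a vulnerability on a specific target."""
    rid: str
    target: str          # step 2: software, hardware, telecommunications, media ...
    threat: str          # step 4: internal/external, natural/human-made
    vulnerability: str   # step 5: from interviews, history, testing
    sle: float           # single loss expectancy per occurrence, existing countermeasures in place
    aro: float           # annual rate of occurrence, existing countermeasures in place


@dataclass(frozen=True)
class Countermeasure:
    name: str
    applies_to: str      # risk id it mitigates
    annual_cost: float
    effectiveness: float  # fraction of the annual loss expectancy it removes, 0..1


def annual_loss_expectancy(risk: Risk) -> float:
    return risk.sle * risk.aro


def residual_ale(risk: Risk, cm: Countermeasure) -> float:
    """Residual risk that remains after the countermeasure is applied."""
    return annual_loss_expectancy(risk) * (1.0 - cm.effectiveness)


def net_benefit(risk: Risk, cm: Countermeasure) -> float:
    """Loss avoided per year minus what the countermeasure costs per year."""
    return annual_loss_expectancy(risk) - residual_ale(risk, cm) - cm.annual_cost


def assess(risks, countermeasures, acceptable_ale: float):
    """Step 7: one recommendation per risk, ready for the report to management."""
    recommendations = []
    for risk in risks:
        ale = annual_loss_expectancy(risk)
        options = [c for c in countermeasures if c.applies_to == risk.rid]
        best = max(options, key=lambda c: net_benefit(risk, c), default=None)
        if ale <= acceptable_ale:
            status, chosen, residual = "accept", None, ale
        elif best is None or net_benefit(risk, best) <= 0:
            # Nothing pays for itself: management decides whether to accept or fund anyway.
            status, chosen, residual = "accept-no-cost-effective-countermeasure", None, ale
        else:
            chosen, residual = best.name, residual_ale(risk, best)
            status = ("mitigate" if residual <= acceptable_ale
                      else "mitigate-residual-above-threshold")
        recommendations.append({
            "risk": risk.rid, "target": risk.target, "ale": ale,
            "countermeasure": chosen, "residual_ale": residual,
            "net_benefit": None if best is None else net_benefit(risk, best),
            "status": status,
        })
    return recommendations


def management_report(recommendations) -> str:
    """Plain-language lines for the briefing: business terms, costs, and benefits."""
    lines = []
    for r in recommendations:
        lines.append(f"{r['risk']} {r['target']}: expected loss {r['ale']:,.0f}/yr, "
                     f"{r['status']}, countermeasure {r['countermeasure'] or 'none'}, "
                     f"residual {r['residual_ale']:,.0f}/yr")
    return "\n".join(lines)


# Constructed sample data (not IWC figures).
RISKS = [
    Risk("R1", "financial database server", "external attacker (human-made)",
         "unpatched web front end", sle=400_000, aro=0.5),
    Risk("R2", "corporate e-mail", "phishing (external, human-made)",
         "users disclose passwords", sle=50_000, aro=2.0),
    Risk("R3", "backup tapes", "fire (natural)", "tapes stored on-site",
         sle=10_000, aro=0.1),
]
COUNTERMEASURES = [
    Countermeasure("patching and web application firewall", "R1", 60_000, 0.8),
    Countermeasure("awareness briefings", "R2", 15_000, 0.5),
    Countermeasure("multifactor authentication", "R2", 40_000, 0.9),
    Countermeasure("off-site tape storage", "R3", 5_000, 1.0),
]
ACCEPTABLE_ALE = 25_000.0

if __name__ == "__main__":
    print(management_report(assess(RISKS, COUNTERMEASURES, ACCEPTABLE_ALE)))
```

With the sample figures, R2 is best served by multifactor authentication even though awareness briefings are cheaper, because the net benefit (loss avoided minus cost) is higher; R3's expected loss is already below the threshold, so the off-site storage would cost more than it saves and the risk is accepted; and R1's best countermeasure still leaves residual loss above the threshold, which is exactly the case that must be escalated for management to accept or fund further.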
Recommendations to Management

When the risk assessment is completed, the cyber security officer must make recommendations to management. Remember in making recommendations to think from a business point of view: cost, benefits, profits, public relations, etc.

Risk Management Reports

A briefing that includes a formal, written report is the vehicle to bring the risks to management's attention. The report should include areas identified that need improvement, areas that are performing well, and recommended actions for improvement, including costs and benefits.
Remember that it is management's decision to either accept the risk or mitigate the risk and how much to spend to do so. The cyber security officer is the specialist, the in-house consultant. It is management's responsibility to decide what to do. They may follow your recommendations, ignore them, or take some other action. In any case, the cyber security officer has provided the service and support required.
If the decision is made that no action will be taken, there is still a benefit to conducting the analyses. The cyber security officer now has a better understanding of the environment, as well as an understanding of some of the vulnerabilities. This information will still help in managing a cyber security program. The cyber security officer has developed a risk management process to be used as an overall baseline for implementation as part of the risk management philosophy of the corporation.
Security Tests and Evaluations Program

The cyber security officer saw the need for a security tests and evaluations program (ST&E) once the cyber security program processes of awareness, access control, and risk management were implemented.
The ST&E was developed to incorporate testing and evaluating of the total cyber security program processes, environments, hardware, software, and firmware as a proactive method to support risk assessments and the evaluation of the systems' components.
The cyber security officer believed that the auditors' compliance audits were more of a checklist process of ensuring compliance with the corporate cyber security program policies and procedures. What was needed, the cyber security officer reasoned, was a way to actually test cyber security program processes, systems, etc., to determine whether they were meeting the cyber security program needs of the corporation—regardless of whether they complied with the cyber security program policies and procedures.
For example, the ST&E would include periodically obtaining a user ID on a system with various access privileges. The cyber security program staff member using that identification would attempt to violate that system's controls and gain unauthorized access to various files, databases, and systems. That information was analyzed in concert with a comparison of the system's audit trails, thus profiling the cyber security program of a system or network. Also, the ST&E would include a review of records and prior audit trail documents to help establish the “cyber security program environment” being tested and evaluated.
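The comparison in that example, the tester's observed results set against what the access control process says the test ID should be allowed to do and against what the system's audit trail actually recorded, is where the ST&E finds things a compliance checklist does not: controls that let an unauthorized read through, and logging that is missing or wrong. The following is an added example, not code from the book or from IWC; the policy table, the four observed attempts, the audit line format, and the sample log lines are all constructed for illustration.

```python
import re

# What the ST&E test ID should be able to do, per the access approvals on file.
# True means access is authorized. Constructed for the example.
EXPECTED_POLICY = {
    ("ste-tester", "general-share"): True,
    ("ste-tester", "payroll-db"): False,
    ("ste-tester", "ap-ledger"): False,
    ("ste-tester", "engineering-drawings"): False,
}

# What the staff member using the test ID observed (constructed).
OBSERVED_ATTEMPTS = [
    ("ste-tester", "general-share", "allowed"),
    ("ste-tester", "payroll-db", "denied"),
    ("ste-tester", "ap-ledger", "allowed"),
    ("ste-tester", "engineering-drawings", "denied"),
]

# The system audit trail for the same window (constructed, syslog-like lines; the
# field layout is an assumption, not a real product's format).
AUDIT_LINES = """\
2016-05-22T10:01:07Z host=fs01 user=ste-tester resource=general-share action=read result=ALLOWED
2016-05-22T10:02:15Z host=db01 user=ste-tester resource=payroll-db action=read result=ALLOWED
2016-05-22T10:02:40Z host=db01 user=jdoe user_dept=accounting resource=ap-ledger action=read result=ALLOWED
2016-05-22T10:03:40Z host=db01 user=ste-tester resource=ap-ledger action=read result=ALLOWED
"""

F_UNAUTHORIZED = "unauthorized access succeeded"
F_BLOCKED = "authorized access was denied"
F_NOT_LOGGED = "attempt not in audit trail"
F_LOG_MISMATCH = "audit trail disagrees with observed result"

_LINE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) "
                   r"resource=(?P<resource>\S+) action=(?P<action>\S+) result=(?P<result>\S+)$")


def parse_audit(text: str) -> dict:
    """Map (user, resource) to the last logged result; lines that do not parse are skipped."""
    entries = {}
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if m:
            entries[(m["user"], m["resource"])] = m["result"].lower()
    return entries


def evaluate(policy, attempts, audit_text: str):
    """Profile a system: compare observed attempts with policy and with the audit trail."""
    logged = parse_audit(audit_text)
    findings = []
    for user, resource, observed in attempts:
        authorized = policy.get((user, resource), False)  # unknown pairs are unauthorized
        if observed == "allowed" and not authorized:
            findings.append((resource, F_UNAUTHORIZED))
        if observed == "denied" and authorized:
            findings.append((resource, F_BLOCKED))
        recorded = logged.get((user, resource))
        if recorded is None:
            findings.append((resource, F_NOT_LOGGED))
        elif recorded != observed:
            findings.append((resource, F_LOG_MISMATCH))
    return findings


if __name__ == "__main__":
    for resource, finding in evaluate(EXPECTED_POLICY, OBSERVED_ATTEMPTS, AUDIT_LINES):
        print(f"{resource}: {finding}")
```

On the sample data the run reports three findings: the ap-ledger read succeeded although the test ID was never approved for it (a control failure), the payroll-db attempt was refused but the audit trail recorded it as allowed (an audit trail that cannot be trusted), and the engineering-drawings attempt left no audit record at all (a logging gap). The line for jdoe does not match the expected field layout and is ignored, which is itself worth noting in the ST&E report.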
Noncompliance Inquiries
Noncompliance inquiries (NCIs) were identified as a cyber security officer responsibility and the process was developed by the cyber security program staff and coordinated with the audit and security management. The NCI process was as follows:
• Receive allegations of noncompliance by auditors, security personnel, managers, users, and generally anyone else.
• The allegation was evaluated and, if not considered acceptable, filed.[7]
• If the allegation was substantiated, an inquiry was conducted. The inquiry included interviews, technical reviews, document reviews, etc.
• The information gathered was analyzed, collated, and provided in a formal report to management with copies to appropriate departments such as security and human resources.
• The report was protected for reasons of privacy and also included recommendations and trend analyses to mitigate future occurrences.
Contingency and Emergency Planning and Disaster Recovery Program
A contingency and emergency planning and disaster recovery (CEP-DR) program is one of the least difficult programs to establish and yet always seems to be a difficult task. With the change in information systems' environments and configurations—client–server, LAN, distributed processing, etc.—this problem may be getting worse.
Prior to discussing CEP-DR, it is important to understand why it is needed. It is really a very important aspect of a cyber security program and may even be its most vital part.
The cyber security officer must remember that the purpose of the cyber security program is to:
• Minimize the probability of a security vulnerability,
• Minimize the damage if a vulnerability is exploited, and
• Provide a method to recover efficiently and effectively from the damage.
What Is It?
Contingency planning is making a plan for responding to emergencies, running backup operations, and recovering after a disaster. It addresses what action will be taken to return to normal operations. Emergencies requiring action would include such natural events as floods and earthquakes, as well as human-caused acts such as fires or hacker attacks causing denial of services.
Disaster recovery is the restoration of the information systems, facility, or other related assets following a significant disruption of services.
Why Do It?
Primarily users often ask the question, why is a CEP-DR program necessary? Everyone associated with using, protecting, and maintaining information systems and the information that they store, process, and/or transmit must understand the need for such a program:
• To assist in protecting vital information,
• To minimize adverse impact on productivity, and
• To support the business staying in business!
How Do You Do It?
Each CEP-DR program is unique to the environment, culture, and philosophy of each business or government agency. However, the basic program, regardless of business or agency, requires the development and maintenance of a CEP-DR plan. It must be periodically tested, problems identified and corrected, and processes changed to minimize the chances of adverse events happening again.
The CEP-DR Planning System
The corporation's CEP-DR plan must be written based on the standard format used by the corporation. The following generic format is offered for consideration:
1. Purpose: State the reason for the plan and its objective. This should be specific enough that it is clear to all who read it why it has been written.
2. Scope: State the scope and applicability of the plan. Does it include all systems, all locations, subcontractors?
3. Assumptions: State the priorities, the support promised, and the incidents to be included and excluded. For example, if your area does not have typhoons, will you assume that typhoons, as a potential disaster threat, will not be considered?
4. Responsibilities: State who is to be responsible for taking what actions. This should be stated clearly so everyone knows who is responsible for what. Consider a generic breakdown such as managers, systems administrators, and users. Also, specific authority and responsibility should be listed by a person's title and not necessarily by that person's name. This approach will save time in updating the plan because of personnel changes.
5. Strategy: Discuss backup requirements and how often they should be accomplished based on classification of information; state how you will recover, etc.
6. Personnel: Maintain an accurate, complete, and current list of key CEP-DR personnel, including addresses, phone numbers, pager numbers, and cellular phone numbers. Be sure to establish an emergency prioritized notification listing and a listing of response team members and how to contact them in an emergency.
7. Information: Maintain an on-site inventory listing and an off-site inventory listing; identify the rotation process to ensure a history and current inventory of files. Identify vital information. This information must come from the owner of that information and must be classified according to its importance, based on approved guidelines.
8. Hardware: Maintain an inventory listing, including supplier's name, serial number, and property identification number; ensure that emergency replacement contracts are in place; maintain hard copies of applicable documents on and off site.
9. Software: Identify and maintain backup operating systems and application systems software. This should include original software and at least one backup copy of each. Be sure to identify the version numbers, etc. In this way, you can compare what is listed in the plan with what is actually installed. It would not be a unique event if software backups were not kept current and compatible with the hardware. If this is the case, the systems might not be able to work together to process, store, and transmit much-needed information.
10. Documentation: All-important documentation should be identified, listed, inventoried, and maintained current in both on- and off-site locations.
11. Telecommunications: The identification and maintenance of telecommunications hardware and software listings are vital if you are operating in any type of network environment. Many systems today cannot operate in a stand-alone configuration; thus, the telecommunications lines, backups, schematics, etc., are of vital importance to getting back in operation within the time period required. As with other documentation, their identification, listing, etc., should be maintained at multiple on- and off-site locations. Be sure to identify all emergency requirements and all alternative communication methods.
12. Supplies: Supplies are often forgotten when establishing a CEP-DR plan, as they often take a back seat to hardware and software. However, listing and maintenance of vital supplies are required, including the name, address, telephone numbers, and contract information concerning suppliers. Be sure to store sufficient quantities at appropriate locations on and off site. If you don't think this is an important matter, try using a printer when its toner cartridge has dried out or is empty!
Physical supplies for consideration should include plastic tarps to protect systems from water damage in the event of a fire in which sprinkler systems are activated.
13. Transportation and equipment: If you have a disaster or emergency requiring the use of a backup facility or obtaining backup copies of software, etc., you obviously must have transportation and the applicable equipment (e.g., a dolly for hauling heavy items) to do the job. Therefore, you must plan for such things. List emergency transportation needs and sources, how you will obtain emergency transportation and equipment, and which routes and alternate routes to take to the off-site location. Be sure to include maps in the vehicles and also in the plan. Be sure there are fully charged, hand-held fire extinguishers available that will work on various types of fires, such as electrical, paper, or chemical.
14. Processing locations: Many businesses and agencies sign contractual agreements to ensure that they have an appropriate off-site location to be used in the event their facility is not capable of supporting their activities.
Ensure that emergency processing agreements are in place that will provide you with priority service and support in the event of an emergency or disaster. Even then, you may have a difficult time using the facility if it is a massive disaster and others have also contracted for the facility.
Be sure to periodically use the facility to ensure that you can process, store, and/or transmit information at that location. Don't forget to identify on-site locations that can be used or converted for use if the disaster is less than total.
15. Utilities: Identify on-site and off-site emergency power needs and locations. Don't forget that these requirements change as facilities, equipment, and hardware change. Battery power and uninterruptable power might not be able to carry the load or might be too old to even work. They must be periodically tested. As with the printer cartridge supplies, systems without power are useless. In addition to power, don't forget the air conditioning requirements. It would be important to know how long a system can process without air conditioning based on certain temperature and humidity readings.
16. Documentation: Identify all related documentation; store it in multiple on- and off-site locations, and be sure to include the CEP-DR plan.
17. Other: Miscellaneous items not covered above.
Test the Plan
Only through testing can the cyber security officer determine that a plan will work when required. Therefore, it must be periodically tested. It need not be tested all at once, because that would probably cause a loss of productivity by the employees, which would not be cost-effective.
It is best to test the plan in increments, relying on all the pieces to fit together when all parts have been tested. Regardless of when and how you test the plan, which is a management decision, it must be tested. Probably the best way to determine how and what to test, and in what order, is to prioritize testing based on prioritized assets.
When testing, the scenarios used should be as realistic as possible. This should include emergency response, testing backup applications and systems, and recovery operations.
Through testing, document the problems and vulnerabilities identified. Determine why they occurred and establish formal projects to fix each problem. Additionally, make whatever cost-effective process changes are necessary to ensure that the same problem would not happen again or that the chance of it happening is minimized.
The cyber security officer evaluated the corporate organizational structure relative to the corporation. After coordination with the Director of Security, a process was developed to integrate the cyber security officer and staff into the current CEP-DR process.
Questions to Consider
Based on what you have read, consider the following questions and how you would reply to them:
• Do you believe that the basic requirements—drivers—discussed in this chapter are valid?
• Can you think of others that you would use as a cyber security officer?
• After the requirements are identified, in what order would you prioritize policies, procedures, plans, processes, functions, and processes?
• Why did you decide to prioritize each in the order noted?
• Do you have a process in place for valuing company information?
• If not, how do you know what to protect in a cost-effective manner?
• If you have such a process in place, is it current?
• Is it working?
• How do you know it is working cost-effectively?
• What are the functions that you as a cyber security officer believe are required to be a part of your cyber security program organization?
• Which ones are optional, and why?
• Which ones would never be authorized by management to be part of your cyber security program responsibilities?
• Do you use a formal, documented risk management philosophy?
• If not, how do you cost-effectively make cyber security program decisions?
• If so, is that philosophy shared with the employees so they can understand why certain cyber security program decisions are made?
• Are you an integral part of the company's CEP-DR processes?
• If not, should you be?
• If so, are you involved in testing the CEP-DR plans?
• After an emergency or disaster, are you involved in verifying and validating that all the security hardware, software, and firmware are operating in accordance with the cyber security program and security specifications?
• If not, how would you know they were even turned back on by IT personnel after the systems went offline and were brought back online again?
Summary
It is crucial for a cyber security officer who is new to the corporation to evaluate the current cyber security program organizational structure, the staff, and their experience and education and ensure the organization is cost-effectively structured. The cyber security officer should consider the following points:
• Establishing the proper cyber security program functions in the right priority order is vital to establishing the cyber security program organization and cyber security program baseline.
• The cyber security program functional processes should generally follow the function descriptions noted in the cyber security officer's charter of responsibilities.
• Establishing a process to determine the categories of information identified by the general value of that information would assist in the development of a cost-effective cyber security program.
• Functions and processes should be developed based on requirements such as laws and regulations.
• Flowcharts should be developed to help visualize the linkage between requirements; plans; vision, mission, and quality statements; policies; processes; and functions.
[1] Attributed to Pablo Picasso (1881–1973), Spanish painter and sculptor. Microsoft's Encarta Dictionary.
[2] Encarta World English Dictionary, © 1999, Microsoft Corporation. All rights reserved. Developed for Microsoft by Bloomsbury Publishing Plc.
[3] Others can be added, but these basic examples give the reader a good idea of what is needed.
[4] In the context used here, the term classify has nothing to do with classification as it relates to national security information, such as confidential, secret, and top secret.
[5] You may find that this driver–requirement, cyber security program–cyber security program functions topic is redundant. Ideally, it is, and you are beginning to get it ingrained in your cyber security officer head that these are the basics that every cyber security officer should know and use as the baseline for leading and managing an information and systems protection program for a company or government agency. I hope that after reading this book, certain basic philosophies, such as the fact that the cyber security program is a parasite on the profits, will be made an automatic part of any cyber security type of program and cyber security program organization you will lead and manage.
[6] At first, the audit trails requirements were to be applied only to those systems processing sensitive information; however, it was quickly discovered that all the systems, because of their networking, fell under that category. Management agreed that the additional cost of such a requirement was beneficial based on the risk of loss of that information to internal or external threats.
[7] The cyber security officer was sensitive to privacy issues and did not want to initiate an inquiry without substantiated information, since someone may have a grudge against another and use the process to harass him or her.
CHAPTER 10
Establishing a Metrics Management System
Abstract
This chapter is designed to provide basic guidance necessary for the development of a metrics methodology to understand what, why, when, and how a cyber security program can be measured. Using a fictitious corporation and functions that were previously described, a metrics system will be developed. The chapter includes a discussion of how to use the metrics to brief management, justify budget, and use trend analyses to develop a more efficient and effective cyber security program.
Keywords
Corporate information officer (CIO); Cost-avoidance metrics; Cyber security program metric; Education and awareness training program (EATP); Metrics charts; Metrics management; Project chart; Stand-alone microcomputers
Don't work harder—work smarter
Ken Blanchard
CONTENTS
Introduction
What Is a Metric?
What Is a Cyber Security Program Metric?
What Is Cyber Security Program Metrics Management?
Metrics 1: Cyber Security Program Level of Effort Drivers—Number of Users
Charting Level of Effort through Number of System Users
Why Should These Statistics Be Collected?
What Specific Statistics Will Be Collected?
How Will These Statistics Be Collected?
When Will These Statistics Be Collected?
Who Will Collect These Statistics?
Where (at What Point in the Function's Process) Will These Statistics Be Collected?
Significance of the System Users Chart
Granting Users Access to Systems
Examples of Other Metrics Charts
Cyber Security Program Tests and Evaluations
Cyber Security Program Education and Awareness Training
Cost-Avoidance Metrics
Metrics Management and Downsizing
Project Management
Questions to Consider
Summary
Introduction
Some of the most common complaints cyber security officers make are that management doesn't support them and—as the famous comedian Rodney Dangerfield is known for saying—"I get no respect." Another complaint is that the costs and benefits of a cyber security program cannot be measured.
As for the first two, you get support, because you are being paid—and these days, more often than not, quite handsomely—and you have a budget that could have been part of corporate profits. Furthermore, respect is earned. Besides, if you want to be popular, you are definitely in the wrong profession.
One often hears management ask:
• "What is all this security costing me?"
• "Is it working?"
• "Can it be done at less cost?"
• "Why isn't it working?"
That last question often comes right after a successful denial-of-service attack or some other attack on the corporate systems or Web sites. Of course, many cyber security officers respond by saying that it can't be measured. That is often said out of the cyber security officer's ignorance of processes to measure costs or because the cyber security officer is too lazy to track costs.
The more difficult question to answer is, "What are the measurable benefits of a cyber security program and the functions that provide support under the cyber security program?" Of course, one could always use the well-worn statement, "It can be measured only as a success or failure depending on whether or not there have been successful attacks against our systems." The truth is that many attacks go unnoticed, unreported by the users or information technology (IT) people. Furthermore, separating attacks from "accidents" (human error) is usually not easy; however, metrics can help in the analyses.
What Is a Metric?
To begin to understand how to use metrics to support management of a cyber security program, it is important to understand what is meant by "metrics." For our purposes, a metric is defined as a standard of measurement using quantitative, statistical, and/or mathematical analyses.
What Is a Cyber Security Program Metric?
A cyber security program metric is the application of quantitative, statistical, and/or mathematical analyses to measure cyber security program functional trends and workload—in other words, tracking what each function is doing in terms of level of effort (LOE), costs, and productivity.
There are two basic ways of tracking costs and benefits. One is by using metrics relative to the day-to-day, routine operations of each cyber security program function. These metrics are called LOE and are the basic functions noted in the cyber security officer's charter of responsibilities and accountabilities. Examples would be daily analyses of audit trail records of a firewall, granting users access to systems, and conducting noncompliance inquiries. In more financial terms, these are the recurring costs.
The other way of tracking costs and benefits is through formal project plans. In other words, if the tasks being performed are not the normal LOE tasks, then they fall under projects. Remember that functions are never-ending daily work, while projects have a beginning and ending date with a specific objective. In more financial terms, these are the nonrecurring costs.
So, to efficiently and effectively develop a metrics management program, it is important to establish that philosophy and way of doing business. Everything that a cyber security officer and staff do can be identified as fitting into one of these two categories: LOE or project.
What Is Cyber Security Program Metrics Management?
Cyber security program metrics management is the managing of a cyber security program and related functions through the use of metrics. It can be used where managerial tasks must be supported for such purposes as backing the cyber security officer's position on budget matters, justifying the cost-effectiveness of decisions, or determining the impact of downsizing on providing cyber security program service and support to customers.
The primary process to collect metrics is as follows:
• Identify each cyber security program function;[1]
• Determine what drives that function, such as labor (number of people or hours used), policies, procedures, and systems; and
• Establish a metrics collection process. The collection process may be as simple as filling out a log for later summarization and analysis. The use of a spreadsheet that can automatically incorporate cyber security program statistics into graphs is the preferred method. This will make it easier for the cyber security officer to use the metrics for supporting management decisions, briefings, etc.
The decision to establish a process to collect statistics relative to a particular cyber security program function should be made by answering the following questions:
• Why should these statistics be collected?
• What specific statistics will be collected?
• How will these statistics be collected?
• When will these statistics be collected?
• Who will collect these statistics?
• Where (at what point in the function's process) will these statistics be collected?
By answering these questions for each proposed metric, the cyber security officer can better analyze whether a metrics collection process should be established for a particular function. This thought process will be useful in helping explain it to the cyber security program staff or management, if necessary. It will also help the cyber security officer decide whether he or she should continue maintaining that metric after a specific period of time. Since the corporate cyber security officer had begun with an analysis of cyber security program requirements (drivers) that led to the identification of a cyber security officer charter that led to the identification of cyber security program functions with process flowcharts, the task of developing metrics will be much easier. That is because each step noted in the cyber security program functions' flowcharts can be a point of quantifying and qualifying costs of performing each specific function.
All metrics should be reviewed, evaluated, and reconsidered for continuation at the end of each year, or sooner—when a requirement changes, a function may also change. Remember that although the collection of the metrics information will help the cyber security officer better manage the cyber security program duties and responsibilities, a resource cost is incurred in the collection and maintenance of these metrics. These resources include:
• People who collect, input, process, print, and maintain the metrics for you;
• Time to collect, analyze, and disseminate the information; and
• The hardware and software used to support that effort.
When using these metrics charts for management briefings, one must remember that the chart format and colors are sometimes dictated by management; however, which type of chart is best for analysis or presentation to management is probably up to the cyber security officer.
The cyber security officer should experiment with various types of line, bar, and pie charts. The charts should be kept simple and easy to understand. Remember the old saying, "A picture is worth a thousand words." The charts should need very little verbal explanation.
If the cyber security officer will use the charts for briefings, the briefing should comment only on the various trends. The reason for this is to clearly and concisely present the material and not get bogged down in details, which detract from the objective of the charts.
One way to determine whether the message of the charts is clear is to have someone look at each chart and describe what it tells him or her. If it is what the chart is supposed to portray, then no changes are needed. If not, the cyber security officer should then ask the viewer what the chart does seem to represent and what leads him or her to that conclusion. The cyber security officer must then go back to the chart and rework it until the message is clear and is exactly what the cyber security officer wants the chart to show. Each chart should have only one specific objective, and the cyber security officer should be able to state that objective in one sentence, such as "This chart's objective is to show that cyber security program support to corporate is being maintained without additional budget although the workload has increased 13%."
The following paragraphs identify some basic examples of cyber security program metrics that can be collected to assist a cyber security officer in managing a cyber security program and briefing the management on the program and the program's organization. By the way, when establishing a briefing to management in which the metrics charts will be used, a similar chart can be used to start off the briefing. That chart tracks the requirements (drivers) that can be traced to each function. One may also want to provide more detailed charts tracking specific requirements to specific functions.
Of course, as the cyber security officer, you would want to get more specific and track to a more detailed level of granularity. In fact, the cyber security program staff responsible for leading a specific function should be tasked with developing this chart or charts. That way, the staff will know exactly why they are doing what they do. The next step would be for them to track their workflow, analyze it, and find more efficient ways to do the job. At the same time they would also look at current costs and cost savings as more efficient ways are found to successfully accomplish their jobs.
The cyber security officer must remember that metrics are a tool to support many of the cyber security officer's decisions and actions; however, they are not perfect. Therefore, the cyber security officer must make some assumptions relative to the statistical data to be collected. That's fine. The cyber security officer must remember that metrics are not rocket science, only a tool to help the cyber security officer take better-informed actions and make better-informed decisions. So, the cyber security officer should never get carried away with the hunt for "perfect statistics," or become so involved in metrics data collection that "paralysis by analysis" takes place.[2]
The spreadsheets and graphs used for metrics management can become very complicated, with links to other spreadsheets, elaborate three-dimensional graphics, etc. That may work for some, but the cyber security officer should consider the KISS (keep it simple, stupid) principle when collecting and maintaining metrics. This is especially true if the cyber security officer is just getting started and has no or very little experience with metrics. One may find that the project leads who are developing an "automated statistical collection" application are expending more hours developing the application—which never seems to work quite right—than it would take to manually collect and calculate the statistical information.
It is also important, from a managerial viewpoint, that all charts, statistics, and spreadsheets be done in a standard format. This is necessary so that they can be ready at all times for reviews and briefings to upper management. This standard is indicative of a professional organization and one that is operating as a focused team.
Cyber security officers who are new to the cyber security officer position, or management in general, may think that this is somewhat ridiculous. After all, what difference does it make as long as the information is as accurate as possible and provides the necessary information? This may be correct, but in the business environment, standards, consistency, and indications of teaming are always a concern of management. Your charts are indicative of those things.
The cyber security officer has a hard enough job getting and maintaining management support. The job should not be made more difficult than it has to be.
Another negative impact of nonconformance of format will be that the attendees will discuss the charts and not the information on them. Once "nonconformance to briefing charts standards" is discussed, management has already formed a negative bias. Thus, anything presented will make it more difficult to get the point across, gain the decision desired, and meet the established objective of the briefing.
It is better just to follow the established standards than to argue their validity. It is better to save energy for arguing for those things that are more important. After all, one can't win, and the cyber security officer does not want to be seen as "a non-team player" more than necessary.
Of course the number, type, collection methods, etc., that the cyber security officer will use will be dependent on the environment and the cyber security officer's ability to cost-effectively collect and maintain the metrics.
Metrics 1: Cyber Security Program Level of Effort Drivers—Number of Users
There are two basic cyber security program LOE drivers within an organization, that is, those things that cause the cyber security program workload to be what it is, increasing or decreasing. The two basic drivers are:
• The number of systems that fall under the purview of the cyber security program and cyber security officer's overall responsibility for protection and
• The number of users of those systems.
A question that must be asked is: Why are these metrics worth tracking? They are worth tracking because they drive the cyber security program workload—the LOE—which means they drive the number of hours that the cyber security program staff must expend in meeting their cyber security program responsibilities relative to those systems and users.
As the number of users on the corporate networks changes or the number of systems changes, so does the workload; therefore, so does the number of staff required and the amount of budget required—time to do the job. For example, assume that the corporation is downsizing—a common occurrence that cyber security officers will eventually face in their cyber security program careers. If the cyber security officer knows that the corporation will downsize its workforce by 10%, and assuming that the workforce all use computers, which is not unusual in today's corporations, the workload should also decrease about 10%. This may cause the cyber security officer to also downsize (lay off staff) by approximately 10%.
However, the downsizing, whether it is more or less than the corporate average, should be based on the related cyber security program workload. The cyber security program drivers are metrics that can help the cyber security officer determine the impact of the corporation's downsizing on the cyber security program and its organization. The metrics associated with that effort can also justify downsizing decisions to corporate management—to include possibly downsizing by 5 or 12% instead of 10%. For example, more layoffs may mean more cyber security program-related infractions, which means an increase in noncompliance inquiries and thus an increase in the workload. Massive layoffs would also mean more work for those who are responsible for deaccessing employees from the systems prior to employment terminations. The metrics can show this work increase and make a case to management for not laying off cyber security program staff until after the other major layoffs have occurred.
Charting Level of Effort through Number of System Users
As a cyber security officer, you decided that it would be a good idea to use the driver's metric that is used for tracking the number of system users. You have gone through the analytical process to make that decision based on answering the why, what, how, when, who, and where questions.
Why Should These Statistics Be Collected?
The driver's metric that tracks the number of system users for which the cyber security officer has cyber security program responsibility is used to assist in detailing the needed head-count budget for supporting those users. As an example, the following functions are charted based on the number of corporate system users:
• Access control violations,
• Noncompliance inquiries, and
• Awareness briefings.
What Specific Statistics Will Be Collected?
• Total users by location and systems and
• Total systems by location and type.
How Will These Statistics Be Collected?
• The total number of users will be determined by totaling the number of user IDs on each network system and adding to it the number of stand-alone systems. It is assumed that each stand-alone system has only one user.
• Stand-alone microcomputers and networked systems (which will count as one system) will be identified and totaled using the approved system documentation on file within the cyber security program organization on the approved systems database. At the corporation, all systems processing sensitive information falling within the categories previously identified at the corporation for identifying information by its value must be approved by the cyber security officer (or designated cyber security program staff members). Therefore, data collection is available through the cyber security program's records.
When Will These Statistics Be Collected?
The statistics will be compiled on the first business day of each month and incorporated into the Metrics 1 (cyber security program drivers) graph maintained on the cyber security program department's administrative microcomputer.
Who Will Collect These Statistics?
The statistics will be collected, inputted, and maintained by the project leaders responsible for each cyber security program function, such as system accesses and system approvals.
Where (at What Point in the Function's Process) Will These Statistics Be Collected?
The collection of statistics will be based on the information available and on file in the cyber security program organization through close of business on the last business day of the month.
Ofcourse,thenumberofsystemusersaffectsallcybersecurityprogramfunctions.Follow-onchartswouldshowtheworkloadrelativetotheothercybersecurityprogramfunctionsthatareaffected.Boldfontsareusedtohighlightimportantfactsthatthecybersecurityofficerwantstoemphasize—management’seyesarenaturallydrawntoboldfonts.
SignificanceoftheSystemUsersChartThenumberofsystemusersisalsoadriverofcybersecurityprogramworkloadbecausethecybersecurityprogramfunctions’LOEandsomeprojectsarebasedonthenumberofusers.Theyincludethefollowing:
•Thecybersecurityprogramstaffprovidesaccesscontrolsforusers;
•Thenumberofnoncomplianceinquirieswillprobablyincreasebasedontheincreasednumberofusers;
•Thenumberofnoncomplianceinquiriesmayactuallyincreasewhenthecorporationdownsizesbecauseofmorehostilityamongtheemployees(ametricschartshowingcaseloadmayhelpindefendingcybersecurityofficerstafffrommoredrasticlayoffsthanmayhavebeenrequiredbymanagement);
•Thetimetoreviewaudittrailrecordswillincreaseasaresultofmoreactivitybecauseofmoreusers;and
•Thenumberofawarenessbriefingsandprocessingofadditionalawarenessmaterialwillincreaseasaresultofanincreaseinusers.
Remember that as a cybersecurity officer you are also a cybersecurity program “salesperson” and must effectively advertise and market information and systems protection to the corporation’s personnel. A chart can be used by the cybersecurity officer for the following:
• Justify the need for more budget and other resources;
• Indicate that the cybersecurity program is operating more efficiently, because the budget and other resources have not increased although the number of systems has increased; and
• Help justify why budget and other resources cannot be decreased.
When deciding to develop metrics charts to track workload, efficiency, costs, etc., of that function, always start at the highest level and then develop charts at lower levels (in more detail) that support the overall chart. This is done for several purposes. The cybersecurity officer may have limited time to brief a specific audience, and if it is an executive management briefing, the time will be shorter, as usually their attention span is short when it comes to cybersecurity program matters. So, the “top-down” approach will probably work best. If you have time to brief in more detail, the charts are available. If executive management has a question relative to some level of detail, then the other charts can be used to support the cybersecurity officer’s statements and/or position in reply to the question of the audience.
Granting Users Access to Systems
A major cybersecurity program service and support function is to add new users to systems and to provide them new access privileges as directed by their management and information owners.
As part of that service and support effort, the cybersecurity officer wants to ensure that these users are given access as quickly as possible, because without their access or new access privileges, the users cannot perform their jobs.
If users cannot gain expeditious access, then the cybersecurity program is costing the corporation in terms of lost productivity of employees or even possibly lost revenue in other forms.
The cybersecurity officer, in coordination with the cybersecurity program staff responsible for the access control function, evaluated the access control process and determined that users should be given access within 24 h of receipt of a request from management.
The cybersecurity officer decided to track this process because of its high visibility. Nothing can damage the reputation of the cybersecurity officer and staff faster than a hostile manager whose employees cannot get systems access to be able to do their work, leading, for example, to increased costs due to lost department productivity caused by the slowness of granting employees access to systems. To develop a metrics chart, one should first create a flowchart of the function.
Anything worth doing does not have to be done perfectly—at first.
Ken Blanchard
Examples of Other Metrics Charts
There are numerous metrics charts that can be developed to support the various needs of the cybersecurity officer and the cybersecurity program. The cybersecurity officer may also use this information when budget cuts are required. The chart can be shown to management and modified to show what would happen if the staff were cut by one person, two people, etc. In other words, the average users’ initial access to systems in terms of turnaround time would increase. Management may or may not want to live with those consequences. The cost can be quantified by taking the average hourly wage of the employee, identifying how much productivity time is lost with access coming within one business day, and comparing that to time lost if access, because an access control person has been laid off, takes two business days.
For example, an employee earns $15 an hour. The employee shows up at the desk of an access controller at the start of the business day, 8:00 am. That employee is authorized system access by 8:00 am the next day. This loss of at least 8 h of productivity at $15 an hour would be the normal cost of the cybersecurity program function of access control, or $120 per employee. However, if the access was not authorized until the day after, the cost per employee would be $240.
The chart can show the cybersecurity officer where staff cuts can be made and still meet the expected goals. The cybersecurity officer can also use this information when deciding to reallocate resources (transfer a person) to another function for which the goals are not being met and the fastest way to meet the goals is to add headcount. A word of caution here—adding or decreasing headcount is usually considered a fast, simple solution. However, it is not always the answer.
Sometimes when the numbers look right the decision is still wrong!
Ken Blanchard and Norman Vincent Peale
Many project leaders and cybersecurity officers have found over the years that projects and LOE problems are not always solved by assigning more bodies to solving the problem. One should first look at the process and at systemic problems. This is usually a more cost-effective approach to solving these types of problems. For example, using the example of the newly hired employee getting first-time system access, suppose a way was found to cut that time down to 1 h. The cost savings would be from the normal $120 to $15, or a saving of $105 per new employee. Such charts can be used for management briefings and will show specifically how the cybersecurity officer and staff are lowering cybersecurity program costs, at least for that particular cybersecurity program function.
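To show how the 24 h turnaround goal and the $15-an-hour cost figures above turn into the numbers an access-control metrics chart would plot, here is an added Python example; it is mine, not the book's. It assumes an 8-hour workday from 08:00 to 16:00, Monday to Friday, so that one business day of waiting matches the chapter's 8 lost hours, and the request timestamps are constructed for illustration. Turnaround against the goal is measured in wall-clock hours, while lost productivity counts only working hours, which is why a request received Friday morning and granted Monday morning misses the goal yet costs only one day of productivity.

```python
from datetime import datetime, timedelta

# Assumptions made for this example (not stated in the book): an 8-hour workday
# from 08:00 to 16:00, Monday to Friday, so one business day of waiting equals
# the chapter's 8 lost hours of productivity.
WORKDAY_START = 8
WORKDAY_END = 16
HOURLY_WAGE = 15.0   # average wage used in the chapter's example
SLA_HOURS = 24       # access within 24 h of receipt of the request


def business_hours_between(start, end):
    """Productive hours an employee loses while waiting: Mon-Fri, 08:00-16:00 only."""
    total = 0.0
    day = start.replace(hour=0, minute=0, second=0, microsecond=0)
    while day < end:
        if day.weekday() < 5:                       # skip Saturday and Sunday
            lo = max(day.replace(hour=WORKDAY_START), start)
            hi = min(day.replace(hour=WORKDAY_END), end)
            if hi > lo:
                total += (hi - lo).total_seconds() / 3600
        day += timedelta(days=1)
    return total


def access_metrics(requests, sla_hours=SLA_HOURS, wage=HOURLY_WAGE):
    """requests: list of (received_at, granted_at) datetime pairs, one per request.

    Returns the figures the chapter's access-control chart would plot for the
    period: average turnaround, share of requests meeting the goal, and the
    lost-productivity cost per employee and in total.
    """
    if not requests:
        return None
    turnaround = [(g - r).total_seconds() / 3600 for r, g in requests]  # wall-clock
    lost = [business_hours_between(r, g) for r, g in requests]           # working hours
    within = sum(1 for t in turnaround if t <= sla_hours)
    return {
        "requests": len(requests),
        "avg_turnaround_h": sum(turnaround) / len(requests),
        "pct_within_sla": 100.0 * within / len(requests),
        "avg_cost_per_employee": wage * sum(lost) / len(requests),
        "total_cost": wage * sum(lost),
    }


# Constructed sample for one month; 4 March 2024 is a Monday.
SAMPLE_REQUESTS = [
    (datetime(2024, 3, 4, 8), datetime(2024, 3, 5, 8)),   # next morning: 24 h, 8 h lost, $120
    (datetime(2024, 3, 4, 8), datetime(2024, 3, 6, 8)),   # day after: 48 h, 16 h lost, $240
    (datetime(2024, 3, 4, 8), datetime(2024, 3, 4, 9)),   # improved process: 1 h, $15
    (datetime(2024, 3, 8, 8), datetime(2024, 3, 11, 8)),  # Friday to Monday: misses the
                                                          # 24 h goal, but only 8 h lost
]

if __name__ == "__main__":
    for name, value in access_metrics(SAMPLE_REQUESTS).items():
        print(f"{name}: {value}")
```

Plotting the monthly `pct_within_sla` against a line at 100% and `avg_cost_per_employee` against the $120 baseline gives the two sub-charts the text describes: one for the service goal and one for the cost of missing it.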
As with all metrics charts, a decision must also be made whether to collect the data monthly, quarterly, semiannually, annually, or somewhere in between. The time period will depend on several factors. These include, but are not limited to:
• What they will be used for, such as monthly or annual executive briefings;
• Budget justifications;
• Cybersecurity program staff functions resource allocations; and
• The objectives of each chart.
A subchart of this chart may be the average time spent, in hours, per type of inquiry. Once the time elements are known, they can be equated to productivity gains and losses, as well as budget, such as money, equipment, and staff.
Cyber Security Program Tests and Evaluations
The cybersecurity officer may decide to establish a process that will provide guidelines on the need, establishment, and implementation of metrics charts. The cybersecurity officer uses a cybersecurity program function to develop the process—the methodology—with the following results:
• The cybersecurity program will conduct security tests and evaluations (ST&E) as prescribed by the corporation’s cybersecurity program policies and procedures.
• Results of the cybersecurity program ST&E will be charted.
• Each chart will be evaluated to determine whether a pattern/trend exists.
• Patterns/trends will be evaluated to determine how effectively a function is being performed.
• Results and recommendations will be presented, in accordance with cybersecurity program policies and procedures, to the applicable managers.
Another cybersecurity program function that provides opportunities for using metrics management techniques is the function of the cybersecurity program ST&E.
The cybersecurity officer may consider a reallocation of staff because of the increased workload. Also to be considered is whether to change the ST&E process. One consideration is to conduct fewer ST&E. If one does that, it would be important to monitor the number of noncompliance inquiries, as they may go up. For example, fewer ST&E may result in increased systems vulnerabilities, which may in turn lead to more successful attacks and thus to more noncompliance inquiries. Another factor the cybersecurity officer may consider is doing more ST&E using automated cybersecurity program software to replace some currently manual testing.
One can also consider providing training to department staff so they can do their own ST&E and provide reports to the cybersecurity officer. This is usually not a good idea, as the objectivity of the testing may be questionable. For example, they may find vulnerabilities but not report them, because they do not want to incur the costs in time and budget to mitigate the risks identified by these vulnerabilities. In addition, as far as the corporation as a whole is concerned, one is only passing on the costs in terms of allocation of resources to conduct the ST&E to another department and not decreasing overall cybersecurity program costs.
Remember that the corporation is a global corporation with plants and offices on three continents. Since the cybersecurity officer has overall cybersecurity program and cybersecurity program functional responsibility for all locations, a process must be put in place for metrics management at all locations. The cybersecurity program and cybersecurity program functional leads at all the locations would provide the statistics and charts for their locations. These statistics would be indicators for establishing cybersecurity program functional resource allocations based on the “worst” locations.
The issue that will often come up when designing charts is what type of charts to use—bar, line, pie, etc. The choice should be to use the format that meets the chart’s objective in the most concise and clear way.
Cyber Security Program Education and Awareness Training
The cybersecurity program’s education and awareness training program (EATP) is one of the major baselines of the cybersecurity program. It follows that it is an integral part of the cybersecurity officer’s cybersecurity program organization. It doesn’t matter whether briefings, training, and such are given by a cybersecurity program staff member, the corporate training office, the Director of Security’s security training personnel, Human Resources new-hire briefings, or a combination of any of these. It is a cybersecurity program, and therefore a cybersecurity program cost, and it should be metrics-managed.
Let’s assume that to be somewhat cost-effective, the goal is to have at least 15 employees on average attend each briefing. That being the case, this metrics chart or another like it would show not only the number of briefings and the total attendees, but also the average number of attendees per briefing. In addition, a straight line could be included at 15 so that the average attendees per briefing can easily be compared against the goal of 15 employees per briefing.
If the goal was not being reached, as the cybersecurity officer, you might want to discuss the matter with your cybersecurity program leader for the EATP. Certainly if the goal is not being met, you can’t, and obviously shouldn’t, ignore it. There is nothing worse than setting a goal, metrics managing to attain that goal, and then ignoring it when it is not being met. Furthermore, as a cybersecurity officer you shouldn’t just wait until the end of the year to attempt to correct the matter in a discussion with your EATP lead and then zap that person in his or her year-end performance evaluation.
Let us assume that employees must attend an annual briefing relative to the cybersecurity program and their duties and responsibilities. Assume that they prepare to attend the briefing and walk to the briefing room and that that takes 15 min. They attend a 1-h briefing and return to their place of work, for a total time of 90 min. At an average employment rate of $15 per hour, each employee’s time (and lost productivity, since they are not performing the work for which they were hired) for the annual briefing is $22.50. Let’s also suppose that the corporation employs 100,000 people worldwide and all of them must attend the annual briefing. That means that the annual briefing program, excluding the time the cybersecurity program specialist takes in preparing the updated material each year and other expenses, costs an astounding $2,250,000!
One can argue that the briefings are necessary, they save money in the long run because valuable corporate information is protected, and all that. However, that does not change the fact that this is a rather costly program. In fact, there is no indication that the cost–benefits have ever been validated. Yet, every cybersecurity officer knows that employee awareness of the threats, vulnerabilities, and risks to information and information systems is an absolute necessity. So, what can be done to lower the cost of such a program?
Using the project team approach, the cybersecurity officer should establish a project team to look at the costs, benefits, and risks of not having an annual briefing and other methods for providing awareness to employees. Possibly the use of e-mails, online briefings, and other electronic means could eliminate the need for the employees to physically attend a briefing. Possibly briefings could be eliminated or online bulletins used.
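The attendance goal and the annual briefing cost worked out above, as an added Python example that is not from the book. The attendance records are constructed; the cost functions take the chapter's figures (15 min each way, a 1-h briefing, $15 an hour, 100,000 employees) as defaults. The no-travel comparison at the end assumes an online briefing still takes the same hour, which is this example's assumption, not the author's.

```python
# Added example: EATP metrics built from the chapter's stated assumptions.
GOAL_ATTENDEES_PER_BRIEFING = 15   # goal stated in the chapter
HOURLY_WAGE = 15.0                 # average rate used in the chapter's example


def attendance_metrics(briefings, goal=GOAL_ATTENDEES_PER_BRIEFING):
    """briefings: list of (month_label, attendee_count), one entry per briefing held.

    Returns the chart's three headline figures (briefings held, total attendees,
    average per briefing) plus, for the sub-chart, the months whose own average
    fell below the goal line even if the overall average meets it.
    """
    count = len(briefings)
    total = sum(n for _, n in briefings)
    avg = total / count if count else 0.0
    per_month = {}
    for month, n in briefings:
        per_month.setdefault(month, []).append(n)
    below = [m for m, ns in per_month.items() if sum(ns) / len(ns) < goal]
    return {
        "briefings": count,
        "attendees": total,
        "avg_per_briefing": avg,
        "meets_goal": avg >= goal,
        "months_below_goal": below,
    }


def briefing_cost_per_employee(travel_min=30, briefing_min=60, wage=HOURLY_WAGE):
    """Lost-productivity cost of one employee attending: (travel + briefing) at the wage."""
    return (travel_min + briefing_min) / 60 * wage


def annual_briefing_cost(headcount, travel_min=30, briefing_min=60, wage=HOURLY_WAGE):
    """Program-wide cost when every employee must attend once a year."""
    return headcount * briefing_cost_per_employee(travel_min, briefing_min, wage)


# Constructed sample: six briefings over a quarter (month label, attendees).
SAMPLE_BRIEFINGS = [
    ("Jan", 12), ("Jan", 18),
    ("Feb", 9), ("Feb", 11),
    ("Mar", 22), ("Mar", 20),
]

if __name__ == "__main__":
    print(attendance_metrics(SAMPLE_BRIEFINGS))
    in_person = annual_briefing_cost(100_000)
    # Assumption for comparison: an online briefing removes the walking time only.
    online = annual_briefing_cost(100_000, travel_min=0)
    print(f"in-person: ${in_person:,.2f}  online: ${online:,.2f}  "
          f"avoided: ${in_person - online:,.2f}")
```

Note that the quarter's overall average (15.3) sits above the goal line while February's does not; that is the case the text warns about, where a single figure hides a month the EATP lead should be asked about well before the year-end review.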
Cost-Avoidance Metrics
As a cybersecurity officer, you may want to use the metrics management approach to be able to quantify the savings of some of your decisions. For example, when analyzing your budget and expenditures, you note that a major budget item is travel costs for your staff. This is logical, because staff, as well as you, must travel to the various corporate offices to conduct cybersecurity program tests and evaluations.
Again, using the project management approach, you lead a project team of yourself, staff members, and representatives from the contract office and the travel office. Your goal is to find ways to cut travel costs while still meeting all the cybersecurity program’s and your charter’s responsibilities. A representative from the contract office will advise the project team on contractual obligations and ways in which they can be met with less travel, but without violating the terms of the contracts. The travel office will give advice on ways to cut travel costs. For example, because many trips are known well in advance, flights and hotels can also be booked in advance.
Metrics Management and Downsizing
All cybersecurity officers at one time or another in their careers face the need to downsize—that is, lay off, fire, or terminate—cybersecurity program staff. However, if you are operating at peak efficiency and have not built any excess staff into meeting your charter responsibilities, you may be able to make a case for not terminating staff or for terminating fewer personnel.
Many managers, and cybersecurity officers are no exception, tend to forget that they are hired to do a job, and that job is not to build an “empire” or bureaucracy. The key to success is getting the job done efficiently and effectively—as we said before, good and cheap. In addition, the more staff members and the larger the budget you have, the more people problems you will have and the harder the financial people will try to take some of your budget. So you are constantly battling to maintain your large budget.
If, on the other hand, you have a small staff and a smaller budget, you have a better chance of protecting what you have, because it is the minimum needed to get the job done. That approach coupled with metrics management techniques and periodic briefings to executive management will help you continue to get the job done as you deem appropriate, even though other organizations are losing staff.
Let’s look at some figures showing various ways of presenting information based on metrics management’s data collection efforts:
Another chart that is important for briefing management is one that shows the LOE versus the hours available for the cybersecurity program staff. The difference between LOE and time available can be shown to be part of a briefing on work backlog or used to show the difference in overtime being worked. A subchart may show details on the amount of backlog and its impact on the cost of doing business. It can also show the overtime costs being paid and perhaps a comparison of that cost with the cost of hiring one or more additional staff. Seeing this comparison would help in making decisions as to which is cheaper, paying overtime or hiring more staff.
These charts must also be accompanied by others showing productivity and drivers of workload, as in some of the charts shown earlier. This is necessary because management will ask why you must do the things you do and why you must do them in the way you are doing them. This quest for productivity and efficiency gains will be a constant chore for the cybersecurity officer. It is a challenge, but one that can be supported by metrics charts.
Layoffs are a fact of life in business, and metrics charts can help the cybersecurity officer justify headcount and work, as shown by some of these charts. The chart can show measurement in terms of headcount or hours that are equivalent to headcount.
Generally, when management decides to cut costs, they lay off employees as the easiest method. They also usually direct each manager to cut a certain percentage of staff, say, 20%. However, although this may be the easiest way, it is not the best way; sometimes it would be cheaper to keep some of the staff, because their loss causes delays costing millions of dollars worth of production, sales, etc. As we all know, executive management often takes a short-term, “what’s in it for me now” approach to managing their parts of the business.
Metrics management can help the cybersecurity officer plead the case to not cut 20% of staff. One word of caution: The cybersecurity officer should do this objectively and based on providing effective and efficient service and support to the corporation’s departments. It should never, ever be based on keeping a large staff and bureaucracy for the sake of status, power, ego, or other nonbusiness reasons.
The cybersecurity officer would include information relative to the impact of both the corporation’s directed layoff numbers and those of the cybersecurity officer. This must be objectively done based on a business rationale. This information would include the following, identified as increasing the level of risks to information and information systems:
• Contingency planning: Contingency, emergency, and disaster recovery testing and plan updates will be delayed. The result will be anything from no impact to not being able to effectively and efficiently deal with an emergency.
• Awareness program: Employees may not be aware of their responsibilities, thus leaving the systems open to potential attack or an increase in the potential for the loss of sensitive information.
• Access violations analyses: There will be delays of between 48 and 72 h in the analyses of audit records. Thus, an attack against corporate systems would not be known for at least 48–72 h. During that period, information could be stolen. However, something like a denial-of-service attack would be known when it was successful. The opportunity to identify the initial attempts at these attacks over a period of time would be lost, and with it the chance to mount defenses before the attacks were successful. The result will be systems, possibly production systems, that are down for an unknown period of time.
• Noncompliance inquiries: The average time it would take to complete an inquiry would increase by more than 2 weeks. Thus, no action to adjudicate the alleged infraction would be possible until the report was delivered to management. Furthermore, the alleged infraction may have called for the revocation of system privileges of the employee or employees who are the subject of the inquiry. Thus, their ability to be productive employees during that time would be negated.
• Access control: It is assumed that the number of new employees hired would be drastically reduced, and that could mitigate some of the LOE expended by the access controllers. However, employees requiring changes in privilege would have those access changes delayed an additional 48–72 h from the present average of 8–12 h. This may adversely affect their productivity. To allow departments to do their own employees’ privilege changes was evaluated under a previous project and found not to be realistic: The information to which the employees needed access did not belong to that department; most often it belonged to another information owner. These information owners did not want others to access their information without their approval. In addition, this change would just be transferring the costs and would not save the corporation any additional resources.
The foregoing is a small example of how metric management techniques can be used when the need for budget cuts occurs. The example provides some insight into how metric management techniques help mitigate the risks of budget and staff downsizing when such downsizing will hurt the cybersecurity program and the corporation. Metric management techniques can help the cybersecurity officer make a case to executive management. Furthermore, if the cybersecurity officer, supported by the metric management approach, has been periodically briefing management on the cybersecurity program and the cybersecurity officer’s projects and LOE, the cybersecurity officer will have gained the confidence of management as a reliable manager who gets the job done as efficiently and effectively as possible.
Project Management
As previously discussed, there are two basic types of work performed by the cybersecurity officer and staff: (1) LOE and (2) projects. We have discussed LOE and have provided some examples of process and metrics flowcharts relative to LOE.
It has been stated several times, but bears repeating: Projects are established when some tasks related to the cybersecurity program and/or its functions must be completed but they are not ongoing tasks. It is imperative that the cybersecurity officer be intimately familiar with and experienced in project management—as well as time management.
Remember that whether or not some task should be a project depends on whether it has the following:
• A stated objective (generally in one clear, concise, and complete sentence),
• A beginning date,
• An ending date,
• Specific tasks to be performed to successfully meet that objective,
• A project leader, and
• Specific personnel to complete each task and the time period in which the task will be completed.
Let’s assume that the corporate information officer (CIO) sent a memo to the cybersecurity officer based on a conversation that the CIO had with the Director of IT. It seems that they had a meeting and during the meeting the discussion turned to IT projects related to their projects of upgrading systems, such as hardware, software, and their general maintenance. The cybersecurity program policy called for such upgrades and maintenance efforts to ensure that the information environment is maintained in compliance with the requirements set forth in the cybersecurity program. The Director stated that the IT staff didn’t know if that was always the case when they made changes to systems. Consequently, the Director suggested that members of the cybersecurity officer’s organization be part of the IT project teams with responsibility for determining whether the changes kept the corporation’s information environment secure. The CIO agreed and sent the cybersecurity officer a letter to that effect. When the cybersecurity officer received the memo, the cybersecurity officer discussed the matter with the Senior Systems Security Engineer. It was decided that a project be developed to establish a process and function to comply with the request from the CIO and Director of IT.
As a cybersecurity officer, you should be able to identify several issues that the cybersecurity officer must resolve apart from initiating this project. First, the Director of IT and the cybersecurity officer should be working closely together, and by doing so, they could have dealt with this matter without involving their boss, the CIO. In addition, the fact that the CIO sent a memo to the cybersecurity officer, instead of calling or meeting personally with the cybersecurity officer, indicates that the communication and working relationship between the CIO and the cybersecurity officer must be improved. The cybersecurity officer must take action to immediately begin improving the communication and relationship with the Director and the CIO.
A project chart should include the following:
• Subject: The project name—Security Test and Evaluation Function Development
• Responsibility: The name of the project leader—John Doe, cybersecurity program Senior Systems Security Engineer.
• Action Item: What is to be accomplished—IT requires cybersecurity officer support to ensure that information and systems protection are integrated into IT systems’ integration, maintenance, and update processes.
• References: What caused this project to be initiated—for example, “See memo to cybersecurity officer from CIO, dated November 2, 2002.”
• Objective(s): State the objective of the project—Maintain a secure information environment.
• Risk/Status: State the risk of not meeting the objective(s) of this project—Because of limited staffing and multiple customer projects being supported, this project may experience delays as higher priority LOE and projects take precedence.
• Activity/Event: State the tasks to be performed, such as “Meet with IT project leads.”
• Responsibility: Identify the person responsible for each task. In this case, it is the Senior Systems Security Engineer, John Doe.
• Calendar: The calendar could be a year-long, monthly, quarterly, or 6-month calendar with vertical lines identifying individual weeks. Using the 6-month calendar, the project lead and assigned project team members would decide what tasks had to be accomplished to meet the objective. Arrows and diamonds, for example, identified in the legend, would be used to mark the beginning and ending dates of each task. The arrows are filled in when the task is started and when the task is completed; the diamonds are used to show deviations from the original dates.
• Risk—Level: In this space, each task is associated with the potential risk that it may be delayed or cost more than allocated in the budget for the task. Using “high,” “medium,” or “low” or “H”, “M”, or “L”, the project lead, in concert with the person responsible for the task, assigns a level of risk.
• Risk—Description: A short description of the risk is stated in this block. If it requires a detailed explanation, that explanation is attached to the project plan. In this block the project lead, who is also responsible for ensuring that the project plan is updated weekly, states “See Attachment 1.”
• Issue Date: The date the project begins and the chart is initiated goes in this block.
• Status Date: The most current project chart date is placed here. This is important because anyone looking at the project chart will know how current the project chart is.
Other types of charts can also be developed to show project costs in terms of labor, materials, and the like. A good, automated project plan software program is well worth the costs for managing projects.
In the case of project charts, the cybersecurity officer can use them to brief management relative to the ongoing work of the cybersecurity program organization and states of the cybersecurity program. The cybersecurity officer receives weekly updates on Friday morning in a meeting with all the cybersecurity officer’s project leaders, during which each project lead is given 5 min to explain the status of the project—for example, “The project is still on schedule” or “Task No. 2 will be delayed because the person assigned the task is out sick for a week; however, it is expected that the project completion date will not be delayed because of it.”
The cybersecurity officer holds an expanded staff meeting the last Friday of each month. All assigned cybersecurity program personnel attend these meetings, which last 2–3 h. At these meetings, 1 h is taken for all project leads and cybersecurity program functional leads to brief the status of their LOE and projects to the entire staff. The cybersecurity officer does this so that everyone in the organization knows what is going on—a vital communications tool. Also during this time, other matters are briefed and discussed, such as the latest risk management techniques, conferences, and training available.
Questions to Consider
Based on what you have read, consider the following questions and how you would reply to them:
• Do you use formal metrics management techniques?
• If not, why not?
• If so, are they used to brief management?
• Is each of your cybersecurity program functions documented, not only in work instructions but also in process flowcharts?
• Do you use similar charts to document the cybersecurity program functional LOE?
• What other charts would you develop for each of the cybersecurity officer functions?
• Do you have at least one metrics chart to track the costs of each cybersecurity program function?
• How would you use metrics management charts to justify your budget requests?
• How would you use metrics management charts to justify the number of your staff?
• How many charts, by function and description, would you want to use as a cybersecurity officer?
Summary
Metrics management techniques will provide a process for the cybersecurity officer to support cybersecurity program and cybersecurity program-related decisions. The cybersecurity officer should understand the following points:
• Metrics management is an excellent method to track cybersecurity program functions related to LOE, costs, use of resources, etc.
• The information can be analyzed, and results of the analyses can be used to:
  Identify areas where efficiency improvements are necessary;
  Determine effectiveness of cybersecurity program functional goals;
  Provide input for performance reviews of the cybersecurity program staff (a more objective approach than subjective performance reviews of today’s cybersecurity officers); and
  Indicate where cybersecurity program service and support to the corporation requires improvement, meets its goals, etc.
¹ It is assumed each function costs time, money, and use of equipment to perform.
² Dr. Gerald L. Kovacich has used approximately 47 metrics charts at various times to assist in managing several large cybersecurity programs and cybersecurity program organizations.
CHAPTER 11
Annual Reevaluation and Future Plans
Abstract
This chapter describes the process that can be used each year to determine the successes and failures of the cybersecurity program and organization and a methodology that can be used to correct the failures and to plan for the upcoming years.
Keywords
Corporate information officer (CIO); Level-of-effort activities; Link-analysis methodology; Linking cybersecurity program; Metrics analysis; One-year review
Read not to contradict and confute, nor to believe and take for granted, nor to find talk and discourse, but to weigh and consider
Francis Bacon¹
CONTENTS
Introduction 223
One-Year Review 224
Level-of-Effort Activities 225
Projects 226
Cyber Security Program Strategic, Tactical, and Annual Plans 228
Linking Cyber Security Program Accomplishments to Corporate Goals 228
Metrics Analysis 230
Planning for Next Year 231
Questions to Consider 233
Summary 234
CHAPTER OBJECTIVE
This chapter describes the process that can be used each year to determine the successes and failures of the cybersecurity program and organization and a methodology that can be used to correct the failures and to plan for the upcoming years.
Introduction
The information environment of the corporation is very dynamic and must be so for the corporation to successfully compete in the fast-paced widget business in the global marketplace. Consequently, the world of the cybersecurity officer must also be very dynamic. The cybersecurity officer must constantly be looking at where the corporate business is going and modify the cybersecurity program and its organization accordingly. The cybersecurity officer cannot sit back and think that the cybersecurity program is in place, its organization is established, and everything is running smoothly—even when you think it is.
As the corporation’s cybersecurity officer you must be working every day to provide effective and efficient service and support to the corporation in the future. You must project ahead and look at potential new threats to the corporation’s information and systems and begin now to mitigate those future threats, such as cellular phones with installed digital cameras. The cybersecurity officer, like all cybersecurity officers, must establish proactive processes, as today’s corporations depend too much on information and information systems to have those systems fail because the cybersecurity officer did not see the threat coming. Today’s cybersecurity officers must be proactive and not constantly reactive. Proactive processes are prepared to mitigate threats before they can occur—and it is cheaper than being reactive.
The cybersecurity officer must also reevaluate the cybersecurity program and have processes in place to constantly update it. In addition, all cybersecurity program functions must be reevaluated and updated as the need arises, but at least annually. The cybersecurity officer should lead an annual year-end review and analysis of the cybersecurity program and cybersecurity program functions. This is done so that the cybersecurity officers can have some assurance that they are operating in the most effective and efficient way possible and needed changes are in place.
One-Year Review
The corporation’s fiscal year and calendar year both end on December 31. The cybersecurity officer decides that the beginning of the fourth quarter (October) is a good time to start planning for the coming year and begin evaluating the current year.
To plan for the coming year, the cybersecurity officer must first determine how successful the cybersecurity program and the cybersecurity program staff have been for the past year. Of interest would be:
• What was accomplished?
• What was planned but never completed, and why?
• What was planned but never started, and why?
• What was successful, and why?
• What wasn’t successful, and why?
• What processes are current?
• What processes require updating?
• If a process was outdated, why was it not updated as needed?
• Is the cybersecurity program organization operating within budget?
• If not, why not?
• What budget is required for the coming year, as well as two or three years from now?
• If more budget is required, why?
• If more budget is needed, are there other measures that can be taken to minimize the need for a larger budget? (Remember that as a cybersecurity officer, you get paid for results and not the size of your cybersecurity program staff or the size of your budget.)
Level-of-EffortActivitiesThecybersecurityofficertaskedeachcybersecurityprogramfunctionalleadtoformaprojectteamwithselectedmembersofthecybersecurityprogramfunctionalstaffandevaluatetheprocessesusedforcompletingtheirassignedlevel-of-effort(LOE)function.Ofcourse,ifthecybersecurityprogramfunctionwasaone-personjob,thatpersonwouldconductthereviewbyhim-orherselfandaskforinputasneededfromotherstaffmembersandthecybersecurityofficer.RememberthattheLOEactivitiesarethoseactivitiesorfunctionsthataretheday-to-daycybersecurityprogramtasksperformedbythecybersecurityprogramstaff.Theseactivitieswerethoseidentifiedasthecybersecurityofficerresponsibilitiespreviouslydiscussedandincluded:
•Accesscontrol,
•Awarenessprogram,
•Noncomplianceinquiries,and
•Securitytestsandevaluationsprogram,etc.
Thisistobeaccomplishedbyeachfunctionalteamsittingdowntogethertodetermine:
•Whatworked?
•Whatdidn’twork?
•Whyitworked(processmaybeusefulforotherfunctions)?
•Whyitdidn’twork?
•Howmuchtimetheyspentdoingeachtaskorsubtaskonaverage?
•Howthejobmightbedonebetter?
•Howtheprocessesmightbechanged,why,andwhatarethepotentialsavings?
•Whichforms,ifany,shouldbemodifiedoreliminated?and
•Otherconsiderations.
Thecybersecurityofficerdirectedthatanyrecommendedchangesbequantifiedintimeand/orcostsavings,asapplicable.Ifthechangescouldnotbequantified,thestaffmemberswouldhaveadifficulttimechangingtheprocess.Thecybersecurityofficerreasonedthat,withfewexceptions,processchangesthatdidnotsavetimeormoneywereprobablynotworthmaking,asnonquantifiedchangescostmoneywithusuallynoreturnvalue.
ThecybersecurityofficerdirectedthatallmembersofeachfunctionsupporttheirfunctionalleadinthisendeavorandprovideabriefingtobeheldthefirstweekinNovemberaspartofthecybersecurityofficer’sexpandedstaffmeeting,whichallcybersecurityprogramstaffattended.Duringthatbriefing,thefunctionalprocesseswouldbediscussedandmodificationsapprovedwherenecessary.Ifthemodificationscouldnotbe
accomplishedwithin30 days,aformalprojectplanwouldhavetobedevelopedandbriefedatthatNovembermeeting.
ProjectsDuringthefirstweekofOctober,thecybersecurityofficerwillalsobegintheevaluationofthecybersecurityprogramforthepastyear.Thecybersecurityofficer,inconcertwiththecybersecurityprogramstaff,willreviewtheprojectsthatwerebegunthisyear,aswellasthoseprojectsthatwerebegunlastyearandcompletedthisyear.
Thecybersecurityofficerwilldeterminethefollowing:
•Dideachprojectaccomplishitsobjective?
•Wastheprojectcompletedinaccordancewiththeprojectplan?
•Forthoseprojectsnotcompletedontime,whatwasthecauseofnotmeetingthecompletiondate?
•Forthoseprojectscompletedaheadofschedule,whyweretheycompletedaheadofschedule?(Thecybersecurityofficerwantsthisinformationbecauseitmaybeduetopoorprojectplanning,whichmustbecorrected,oritmaybeduetoauniqueapproachthatcouldbeusedonotherprojects.)
•Whatwasthecostofeachproject?
•Weretheprojectedbenefitsoftheprojectsrealized,andifnot,whynot?
The cyber security officer will, in concert with the cyber security program staff, analyze all the projects and, based on that evaluation, modify the process used for initiating, determining costs, determining resource allocations, and determining schedules for all new projects.
Also of importance is feedback from corporate employees: their evaluation of service and support provided to them by the cyber security officer and cyber security program staff. The employees' opinions as to what improvements can be made in the cyber security program to minimize costs and provide the necessary level of information environment protection are also important. The cyber security officer and staff will develop a survey to be sent out to all departments. The feedback received will also be incorporated into the year-end evaluation and analysis. Some cyber security officers may not want to take this survey approach, because they may be reluctant to receive criticism and complaints from non-cyber security program professionals about how the cyber security officer and cyber security program staff can better do their jobs. However, such feedback is important and should be welcomed and considered at all times.
Once the analysis is complete, the cyber security officer and staff members will determine what new projects will be required for the following year. Those projects, once identified, will be assigned to the applicable members of the staff, that is, to the project leads. The staff members will then be given 30 days to complete a draft project plan. That plan will identify the specific objective to be accomplished, all tasks, milestones, resources required, etc.
During the staff meeting held during the first week of November, all the project leads will present their project plans to the cyber security officer and the staff. The project plans will be evaluated and discussed by the cyber security officer and the staff. Any recommended changes to the project plans will be cause for actions to be taken to change the plans as appropriate. In addition, the overall project plan process will be discussed and modified as needed.
It is the responsibility of the cyber security officer to ensure that adequate resources are allocated for the completion of the projects as planned. Where several members of the cyber security program staff are assigned to lead or support multiple projects, the cyber security officer will prioritize the projects and then allow the project lead and project support staff to work out the details. Where conflicts in work arise, the matter will be discussed with the cyber security officer, who will make the final decision based on the input of all those concerned and the proper allocation of resources.
This approach follows the management philosophy of having decisions made at the lowest possible level where the required information on which to base a decision is known. It also meets the cyber security officer's philosophy of trusting your professional cyber security program staff and treating them as part of the professional cyber security program team.
Cyber Security Program Strategic, Tactical, and Annual Plans
Once the cyber security officer has been briefed on the above LOE and projects, the results will be mapped against the cyber security program strategic, tactical, and annual plans. The LOE and project results could be identified as some of the specific building blocks of each of the plans.
The cyber security program annual plan's goals should have been accomplished. If so, the cyber security officer then identifies the links between the successful accomplishment of those goals and the corporation's annual business plan and the cyber security program, and also the strategic and tactical plans as appropriate.
If a direct link between the accomplishments of the cyber security program staff and the goals of the plan cannot be shown, the cyber security officer must question why the specific projects or LOE identified were ever done in the first place. There may be a very valid reason; however, this should always be questioned, as any resource allocations that cannot be directly linked back to the accomplishment of stated goals are probably misallocations. They are an added cost burden on the cyber security program budget as well as an additional overhead cost to the corporation.
Linking Cyber Security Program Accomplishments to Corporate Goals
The cyber security officer believes that the initial reasons for the corporation's cyber security program and the corporation's reasons for establishing the cyber security officer position have not changed, but a reverification and validation would probably be a good idea. To be sure that the cyber security program and the cyber security officer's accomplishments are meeting their stated purpose, the cyber security officer decides on the following course of action:
• Using a link-analysis methodology, the cyber security officer maps all the LOE and project results to all applicable cyber security program and corporate plans; and
• The cyber security officer develops a formal presentation to be given to the corporate executive management in which the cyber security program status is briefed (assuming that the cyber security officer's boss agrees).
If the cyber security officer does a link analysis, it may disclose that overall cyber security program goals, LOE, projects, and objectives were, with some minor setbacks and exceptions over the year, meeting the needs of the corporation.
Let's look at some possible scenarios: The cyber security officer discussed the matter with the corporate information officer (CIO). The CIO agreed that a briefing would be a good idea, especially since this was the end of the first year of the formal cyber security program under the cyber security officer. The executive management would want to know:
• What was accomplished,
• The cost of the cyber security program,
• The status of the overall protection of the corporation's information environment, and
• What else was needed to ensure a secure information environment.
The CIO provided several recommendations:
• The briefing should take no longer than 15 min and allow 15 min for questions;
• The cyber security officer should not use any technical jargon but speak in business terms of costs, benefits, and competitive advantage, and give the management some sense of assurance that the information and systems are being protected as needed;
• The briefing charts should be clear, concise, and more of a graphical presentation than text—another reason for "management by metrics";
• The briefing should be given professionally and objectively; it should not be used as a soapbox for requesting additional resources or to show how great a job the cyber security officer is doing;
• All briefing charts should be provided in a package for each member of the audience with supporting detailed charts; and
• At least 5 of the 15 min should be used to brief on next year's projects and goals, their costs, and how they would benefit the corporation.
The cyber security officer had not been prepared to present the new year's plans and projects as part of the briefing. However, it appeared that the necessary information would be available based on the previous briefings and discussions with the cyber security program staff.
The cyber security officer suggested a briefing to be held the first week of December. The CIO agreed to set it up. The cyber security officer's rationale for a meeting in December was that the cyber security program staff's LOE and project input would be available on or about the first week of November, and that would provide sufficient time to develop the briefing.
The cyber security officer wanted to ensure that the briefing accomplished its goals, and that could be jeopardized, not by the material, but by the manner and format used. The cyber security officer had heard of several briefers having their messages ignored because the format, fonts, colors, or whatever was used to present the facts was not liked by one or more of the executive management.
The cyber security officer knew that such trivia should not be a prime concern of executive management, but the cyber security officer also knew that such things did occur. To ensure that the cyber security program briefing was successful, the proper format would be the first item of business.
The cyber security officer stopped by the desks of several of the key executive managers' secretaries, who provided insight as to the correct format, font size, and color of slides to use. At the same time, the cyber security officer was given some valuable tips from several of the secretaries as to how to present the material in a manner that the executives preferred. (Note: Although throughout this book the cyber security officer actions are discussed, some may be delegated by the cyber security officer, such as this task to the cyber security officer's secretary or administrative assistant.)
The cyber security officer long ago learned that the secretaries of the executive managers had great insight into what worked with their bosses and what didn't. The cyber security officer's respect for them and informal assistance to them over the year had made them close allies. Now, that friendship would be able to help ensure a successful briefing format.
As part of this briefing, the cyber security officer developed an annual report for each corporate department vice president based on the metrics charts used throughout most of the year. That annual report contained some narrative and analyses supported by metrics charts showing the status of each department's compliance with the cyber security program and the security of their information environment. It included an executive summary in the front of the report and recommendations for improvements that could be made in the future, as well as the benefits of the recommended improvement versus the potential costs and cost savings.
Metrics Analysis
As part of the year-end review, the cyber security officer did a complete analysis of the metrics charts that had been developed and used throughout the first year of the cyber security program.
The cyber security officer noted that the charts had grown to more than 47 separate metrics charts. The cyber security officer was concerned that some of the charts had outlived their usefulness, while others continued to be of value, and possibly some new charts were needed.
The analysis of the metrics charts indicated that several of the charts had been necessary to track particular problem areas. However, some of the problems appeared to have been resolved, and the metrics charts for the previous 4 months had supported that view. Some metrics charts were developed and briefed periodically to management because some managers were interested in periodically knowing the amount of LOE being used to support some specific tasks. The cyber security officer decided to identify those charts to the managers who were interested in the information and gain their approval to eliminate those charts, as it appeared the information provided had met their needs. If not, it might be possible to provide that information to management on an annual or semiannual basis instead of the current monthly or quarterly report. The final decision should be made by the cyber security officer's customer.²
The cyber security officer took all the metrics charts and identified them by their objectives—in other words, their purpose for being developed and used. Those would also be linked to specific areas that support the corporate cyber security program and cyber security program organizational plans. The cyber security officer wanted to be sure that the metrics used to help manage the cyber security program and its organization met the needs of the cyber security program, of management, and of the cyber security program organization.
The cyber security officer knew that metrics charts tend to increase and seem to sometimes take on a life of their own. The cyber security officer was concerned that the time it took to track specific LOEs and projects using metrics was sometimes not cost-effective. By identifying the charts against their purpose in a matrix, the cyber security officer found that it was easy to analyze the metrics charts and their purpose.
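The link analysis described above, and the purpose matrix used to weed out metrics charts, can both be done mechanically once every LOE item, project, and chart is recorded with the plan goal it claims to support. The following Python example is added here as an illustration and is not code from the book; the goals, work items, chart names, and hour figures are constructed sample data. It traces each item through the program goals to the corporate goals, reports the items with no link back to any stated goal (the "probable misallocations" of the text) together with the hours spent on them, lists program goals that no work supports, and flags charts whose tracked problem has stayed resolved for the agreed number of months as candidates for retirement, pending the customer's approval.

```python
"""Year-end link analysis of LOE, projects and metrics charts against plan goals.

Added example (not from the book). All goals, items and numbers are constructed.
"""
from dataclasses import dataclass

# Corporate goals the cyber security program is meant to support (constructed).
CORPORATE_GOALS = {
    "C1": "Reduce corporate operating cost by 5%",
    "C2": "Win two new government contracts",
}

# Program goals -> (description, corporate goals they support).  P3 has no corporate link
# and P4 has no work behind it; both are the situations the review should surface.
PROGRAM_GOALS = {
    "P1": ("Cut access-control LOE by 10%", {"C1"}),
    "P2": ("Meet the contract-required security baseline", {"C2"}),
    "P3": ("Hold monthly awareness briefings", set()),
    "P4": ("Complete vendor risk reviews", {"C2"}),
}


@dataclass(frozen=True)
class WorkItem:
    name: str
    kind: str          # "LOE" or "project"
    supports: frozenset  # program-goal identifiers the item claims to support
    hours: float       # staff hours spent this year


@dataclass(frozen=True)
class MetricsChart:
    name: str
    purpose: str
    consumer: str        # who asked for it; they make the final retirement decision
    months_at_target: int  # consecutive months the tracked problem has stayed resolved


def link_map(items, program_goals=PROGRAM_GOALS):
    """Map each item to the corporate goals reachable through its program goals."""
    return {
        item.name: set().union(*(program_goals.get(pid, ("", set()))[1] for pid in item.supports))
        for item in items
    }


def unlinked_items(items, program_goals=PROGRAM_GOALS):
    """Items that cannot be traced to any corporate goal: probable misallocations."""
    return sorted(name for name, corp in link_map(items, program_goals).items() if not corp)


def misallocated_hours(items, program_goals=PROGRAM_GOALS):
    """Hours spent on work with no traceable corporate goal."""
    bad = set(unlinked_items(items, program_goals))
    return sum(item.hours for item in items if item.name in bad)


def unsupported_goals(items, program_goals=PROGRAM_GOALS):
    """Program goals that no LOE or project supports: plan work for them or drop them."""
    supported = set().union(*(item.supports for item in items))
    return sorted(goal for goal in program_goals if goal not in supported)


def charts_to_retire(charts, stable_months=4):
    """Charts whose problem has stayed resolved long enough to propose retiring them."""
    return sorted(c.name for c in charts if c.months_at_target >= stable_months)


# Constructed sample of this year's work and charts.
SAMPLE_ITEMS = [
    WorkItem("Access control LOE", "LOE", frozenset({"P1"}), 1200),
    WorkItem("Baseline hardening project", "project", frozenset({"P2"}), 800),
    WorkItem("Awareness briefings LOE", "LOE", frozenset({"P3"}), 300),
    WorkItem("Legacy report generator", "project", frozenset(), 150),
]
SAMPLE_CHARTS = [
    MetricsChart("Failed logins per month", "track brute-force attempts", "CIO", 5),
    MetricsChart("Access request turnaround", "track help-desk backlog", "VP Operations", 1),
    MetricsChart("Patch lag in days", "track patching problem", "CIO", 4),
]

if __name__ == "__main__":
    print("Unlinked work:", unlinked_items(SAMPLE_ITEMS))
    print("Hours with no corporate link:", misallocated_hours(SAMPLE_ITEMS))
    print("Goals nobody is working on:", unsupported_goals(SAMPLE_ITEMS))
    print("Charts to propose for retirement:", charts_to_retire(SAMPLE_CHARTS))
```

The output is only the starting point for the conversation the chapter describes: an unlinked item may have a valid reason to exist, and a chart is dropped only after the manager who asked for it agrees.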
Planning for Next Year
The cyber security officer had received the input from the cyber security program staff at the November meetings. Based on that input, the cyber security officer was prepared to write next year's cyber security program annual plan and update the cyber security program strategic and tactical plans. However, to accomplish those tasks, the corporate plans must be received. After all, the cyber security program plans had to support the corporate plans.
The cyber security officer knew that the draft of the corporate plans would not be available until January. Therefore, the cyber security officer drafted the cyber security program annual plan and updated the cyber security program strategic and tactical plans based on information gathered through discussions with various levels of management involved in developing the corporate annual plan and updating the tactical and strategic plans.
The cyber security officer implemented the cyber security program plans on January 1, without waiting for the draft corporate plans. The cyber security officer did so to begin the much-needed LOE modifications and projects that were time-dependent. If they were not started right after the first of the year, their schedules might have to be slipped. The cyber security officer could not afford to do that and took the risk that the information gathered to date was accurate and that any changes at the corporate level would cause only minor adjustments to the cyber security program schedules—if any.
As part of the cyber security officer and cyber security program staff year-end analyses, a flowchart was developed, which would be used for briefings and also would let cyber security program staff see how their jobs supported the corporation.
The cyber security officer and staff also took all their risk management reports for the year and evaluated what was accomplished to correct cyber security program deficiencies and determine what needed to be done in the coming year to correct other deficiencies. These then were linked through a vulnerabilities–projects flowchart to identify "Strategic Direction: Cyber Security Program Projects to Address Vulnerabilities."
After completion of all the executive management briefing charts, and one week prior to briefing executive management, the cyber security officer gave the briefing, with additional analysis of the cyber security program and cyber security program functional accomplishments, to the cyber security program staff. The one-week interval was to ensure that the briefing was accurate and that the charts said what needed to be said. The cyber security program staff could evaluate the briefing and provide an avenue for constructive criticism. After all, the cyber security officer wanted, as a side issue, to show executive management the outstanding job done by the cyber security program staff during the past year, without saying so. In other words, let the briefing speak for that.
The CIO was invited to attend the cyber security officer's "expanded staff meeting" so that the CIO would not have any surprises at the executive management briefing. In addition, the cyber security officer wanted the CIO to attend to say a few words after the briefing, thanking the cyber security program staff for their fine work over the past year.
The cyber security officer believed that such visibility of cyber security program staff to executive management would also boost morale, as they would see that their hard work was appreciated.
Upon the completion of the successful briefing, the cyber security officer scheduled another expanded staff meeting to be held on a Friday before the holidays and scheduled to last all day. At that expanded staff meeting, the cyber security officer had a catered lunch brought in as a special measure of thanks to the cyber security program staff. After all, if the cyber security program staff was not successful, the cyber security officer could not be successful.
Questions to Consider
Based on what you have read, consider the following questions and, as a cyber security officer, how you would reply to them:
• Do you have a process in place to conduct a formal year-end analysis of your cyber security program and cyber security program functions?
• If not, why not?
• If so, does it include cost–benefit analyses?
• Do you provide a "state-of-the-cyber security program" report of the corporate information environment at year's end?
• If so, is it briefed to executive management?
• Are "subreports" provided to each department head addressing specifically the status of the protection of their information environment?
• Do you involve your cyber security program staff in the year-end reviews, analyses, and planning?
• Do you reward your cyber security program staff for a job well done at year's end—by more than words?
• How would you go about conducting and improving on the process described in this chapter?
Summary
Evaluations and analyses of the entire cyber security program and cyber security program organization help maintain a proactive and current protected information environment. The cyber security officer should remember the following points:
• It is a good idea to evaluate the entire cyber security program and cyber security program functions on an annual basis.
• The evaluation should include all projects and LOEs.
• Changes should be made by which value is added in terms of cost decreases, productivity gains, or time savings.
• Executive management should receive a clear, concise, business-oriented briefing on the state of the cyber security program and the corporation's current protected information environment at least on an annual basis.
• Metrics charts should be evaluated at least annually and then eliminated or modified as necessary.
• Link-analysis methodologies are useful in determining the success of a cyber security program.
¹ Francis Bacon (1561–1626), English philosopher, lawyer, and statesman. Essays, "Of Studies" (1625)—Encarta Book of Quotations, © & (P) 1999, Microsoft Corporation. All rights reserved. Developed for Microsoft by Bloomsbury Publishing Plc.
² Depending on the working environment of the corporation, the customer may be internal, e.g., management, external, e.g., the corporation's customer(s), or both.
CHAPTER 12
High-Technology Crimes Investigative Support
Abstract
This chapter discusses the duties and responsibilities of a cyber security officer when it comes to providing service and support for deterring high-technology crimes, conducting noncompliance inquiries, assisting with computer forensics support, and dealing with law enforcement. A fictional case study scenario will be used.
Keywords
Computer forensics; Corporate executive officer (CEO); Cyber security officer; Director; High-technology crime prevention program (HTCPP); Law enforcement; Noncompliance inquiries (NCIs)
It was a common saying of Myson that men ought not to investigate things from words, but words from things; for that things are not made for the sake of words, but words for things.
Diogenes Laërtius¹
CONTENTS
Introduction
Duties and Responsibilities of a Cyber Security Officer in Deterring High-Technology Crimes
Assisting with Computer Forensics Support
Dealing with Law Enforcement
Questions to Consider
Summary
Introduction
Not long after the cyber security officer took over the job as the cyber security officer, a meeting was held between the cyber security officer and the Director of Security. At that time, an agreement was reached as to the cyber security officer's duties and responsibilities and those of the Director of Security. The Director of Security agreed that the cyber security officer's duties and responsibilities would conflict with those of the Security Department if the cyber security officer conducted any type of investigation. The Director of Security and the cyber security officer reached a compromise and agreed that any infractions of the cyber security program could be looked at by the cyber security officer as long as they related to noncompliance with the cyber security program, such as violation of automated information protection.
They both agreed to the following:
• To differentiate between an investigation and the cyber security officer's inquiries by having the cyber security officer call that function "noncompliance inquiries" (NCIs) and focusing on the cyber security program infractions;
• An information copy of each NCI was to be forwarded to the Director of Security;
• The cyber security officer would provide technical and forensics support to the Security staff, when requested;
• The Director of Security was the corporate focal point for law enforcement liaison activities, and any need to contact a law enforcement agency must be approved by the Director of Security, as well as others such as the Public Relations staff and the Legal staff;
• In the event the cyber security officer or members of the cyber security officer's staff were contacted for any requests by outside agencies for investigative assistance, that request must be coordinated with the Director of Security and others at the corporation;
• The cyber security officer's staff would provide in-house computer forensics training to the Security staff twice a year;
• The Security staff would provide in-house training in assets protection and basic investigative techniques, such as how to conduct an interview, to the cyber security program staff twice a year; and
• The Security staff would provide the budget for computer forensics software to be used in support of Security investigations, on an as-needed basis.
After completion of the discussion with the cyber security officer, the Director of Security knew that the cyber security officer and the cyber security program organization under the corporate information officer (CIO) were where they should be. The complicated job and headaches of the cyber security officer relative to NCIs and the entire cyber security program matter were something that the Director did not want to be responsible for.
Duties and Responsibilities of a Cyber Security Officer in Deterring High-Technology Crimes
Although investigations at the corporation are the purview of the Security staff, the cyber security officer and the Director of Security both knew that many such investigations, or NCIs, are high-technology based, such as those involving microprocessors (computers). Therefore, the cyber security officer's staff would be active in supporting Security's anticrime program as part of Security's assets protection program for the corporation. They both knew that the entire corporate assets protection program would be best served, that is, more effectively and efficiently accomplished, if the cyber security officer and the cyber security program functions reported to the Director of Security instead of to the CIO.
However, at the corporation, as at many corporations, the Director of Security really did not want that responsibility, and politically, it was a difficult sell to executive management. Furthermore, the cyber security officer position, which now reports to the CIO, who reports to the corporate executive officer (CEO), would be downgraded, as the cyber security officer would report to the Director of Security, who reports to the Vice President of Human Resources, who reports to the Corporate Office Executive Vice President, who reports to the CEO. The position would also mean less prestige, less money, and the inability to exercise management authority at a sufficiently high level.
However, the Director and the cyber security officer agreed that a high-technology crime prevention program should be established at the corporation as part of the corporation's total assets protection program, which was led by the Director of Security. Therefore, the Director and the cyber security officer decided to establish a project to provide such a program and ensure that it interfaced with the cyber security program. It was also agreed that a long-term goal would be to integrate the crime prevention, cyber security, and corporate physical assets protection policies into an overall cyber security program under the authority of both the Director and the cyber security officer using a matrix management approach.
The Director and the cyber security officer agreed that the cyber security officer's approach to the cyber security program and its related functions was adaptable to the development of a high-technology crime prevention program. After that initial baseline was developed by the cyber security officer, the Director would integrate antitheft, antifraud, and other crime-related policies, procedures, and processes into the program and baseline them as part of the corporate assets protection program under the authority of the Director of Security.
They both agreed that the basis on which to build the corporation's high-technology crime prevention program (HTCPP) was the development of a comprehensive high-technology crime prevention environment at lowest cost and least impact to the corporation.
The Director and the cyber security officer decided to categorize HTCPP investigations and NCIs so that they could more easily be analyzed and placed in a common database for analyses such as trends or vulnerabilities of processes that allow such incidents to occur. The cyber security officer agreed that the cyber security officer's organization would maintain the database, but the Security staff would have input and read access. However, modifications, maintenance, upgrades, and deletions would be controlled by the cyber security officer to ensure that the integrity of the database was maintained. The initial categories agreed to by the Director and cyber security officer were:
• Violations of laws (required by law to be reported to a government investigative agency);
• Unauthorized access;
• Computer fraud;
• Actions against users;
• Actions against systems;
• Interruption of services;
• Tampering;
• Misuse of information;
• Theft of services;
• Other crimes in which computers were used, such as:
  Money laundering
  Copyright violations
  Intellectual property thefts
  Mail fraud
  Wire fraud
  Pornography
• Other crimes
• Violators:
  Internal
  External
It was further agreed that these categories would be expanded based on analyses of investigations and noncompliance inquiries conducted to date.
Assisting with Computer Forensics Support
Businesses, public agencies, and individuals increasingly rely on a wide range of computers, often linked together into networks, to accomplish their missions. Because computers have become ubiquitous, they are often a highly productive source of evidence and intelligence that may be obtained by properly trained and equipped cyber security program and investigative professionals. Equipping the specialists to be able to competently search corporation systems is essential. In many cases, a suspect will use a computer to plan the crime, keep diaries or records of acts in furtherance of a conspiracy, or communicate with confederates about details via electronic mail. In other schemes the computer will play a more central role, perhaps serving as the vehicle for an unauthorized intrusion into a larger system from which valuable files or other information is downloaded or tampered with.
Surprisingly, even many sophisticated criminals who are highly computer literate remain unaware of the many software utilities available that allow evidence to be scavenged from various storage media, including hard drives, random access memory, and other locations in the operating system environment such as file slack, swap, and temporary files. Therefore, every investigation of crimes and unauthorized activities should now assume that some effort will be invested in examining computers and computer records to locate relevant evidence that will prove or disprove allegations or suspicions of wrongdoing.
Whether computers are themselves used as the tool to commit other crimes or merely contain documents, files, or messages discussing the scheme or plans, computers can provide a wealth of useful information if properly exploited. A major barrier to obtaining this potentially valuable evidence is the relative lack of knowledge of many corporate and law enforcement investigators concerning high technology—computer technology. This lack of familiarity and experience hampers the computer forensics specialists' ability to conduct effective searches. When the crime scene itself is a computer or a network, or when the evidence related to the illegal or unauthorized activities is stored on a computer, there is no substitute for the use of "computer forensics" to gather relevant evidence.
Webster's Dictionary defines forensics as "belonging to, used in, or suitable to courts of judicature or to public discussion and debate."² Thus, computer forensics is a term that we define as describing the application of legally sufficient methods, protocols, and techniques to gather, analyze, and preserve computer information relevant to a matter under investigation. Operationally, computer forensics encompasses using appropriate software tools and protocols to efficiently search the contents of magnetic and other storage media and identify relevant evidence in files, fragments of files, and deleted files, as well as file slack and swap space.
The cyber security officer and the cyber security program NCI specialist assigned as the Security support focal points provided a computer forensics awareness briefing to the corporation Security staff. The briefing gave an introduction to computer forensics and also discussed the support the cyber security officer's staff would give the Security staff.
The cyber security officer agreed to support the corporation Security staff by providing high-technology-related forensic services.
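The point of the definition above, that evidence lives in file slack and unallocated space as well as in the files a user can see, is easy to show on a small scale. The following Python example is added here for that purpose and is not code from the book. It constructs a tiny raw image of eight 512-byte clusters with a simple allocation table of its own (a real file system would be parsed with proper tooling): one allocated file whose slack still holds residue of an earlier file, and a deleted draft sitting in an unallocated cluster. The search reads the whole image rather than the file, labels each hit with the region it came from, and hashes the image before and after so the examiner can show the media was not altered. All file contents and keywords are constructed.

```python
"""Keyword search across allocated data, file slack and unallocated space.

Added example (not from the book). The image, its allocation table and the
keywords are constructed for illustration; the allocation model is a toy one.
"""
import hashlib
import re
from typing import List, Tuple

CLUSTER = 512  # bytes per allocation unit in the constructed image

# Toy allocation table for the constructed image: (file name, first cluster, logical size).
ALLOCATION = [("memo.txt", 0, 684)]


def build_sample_image() -> bytes:
    """Construct an 8-cluster image with data in the three places an examiner must look."""
    img = bytearray(8 * CLUSTER)
    memo = (b"Quarterly memo: nothing unusual here. " * 18)[:684]
    img[0:684] = memo                                    # allocated contents of memo.txt
    residue = b"wire $250,000 to acct 7731 before the audit"
    img[700:700 + len(residue)] = residue                # file slack: leftover of an older file
    draft = b"DRAFT: delete the logs on the file server Friday night"
    start = 4 * CLUSTER + 20
    img[start:start + len(draft)] = draft                # deleted draft in an unallocated cluster
    return bytes(img)


def evidence_hash(image: bytes) -> str:
    """SHA-256 of the image, recorded before and after examination."""
    return hashlib.sha256(image).hexdigest()


def classify(offset: int) -> str:
    """Name the region an offset falls in: allocated, file slack, or unallocated."""
    for _name, first_cluster, size in ALLOCATION:
        start = first_cluster * CLUSTER
        end_of_data = start + size
        end_of_allocation = start + -(-size // CLUSTER) * CLUSTER  # ceiling to cluster boundary
        if start <= offset < end_of_data:
            return "allocated"
        if end_of_data <= offset < end_of_allocation:
            return "file slack"
    return "unallocated"


def keyword_search(image: bytes, keywords: List[bytes]) -> List[Tuple[int, str, bytes]]:
    """Search every byte of the image, returning (offset, region, keyword) hits in offset order."""
    hits = []
    for kw in keywords:
        for match in re.finditer(re.escape(kw), image):
            hits.append((match.start(), classify(match.start()), kw))
    return sorted(hits)


def search_report(image: bytes, keywords: List[bytes]) -> dict:
    """Run the search and prove the image was not modified while doing so."""
    before = evidence_hash(image)
    hits = keyword_search(image, keywords)
    after = evidence_hash(image)
    return {"sha256": before, "intact": before == after, "hits": hits}


if __name__ == "__main__":
    report = search_report(build_sample_image(), [b"audit", b"acct 7731", b"delete the logs"])
    print("image sha256:", report["sha256"], "intact:", report["intact"])
    for offset, region, kw in report["hits"]:
        print(f"offset {offset:5d}  {region:<11}  {kw!r}")
```

Only the hits in file slack and unallocated space tell the examiner anything; a search of memo.txt through the file system would have returned the memo and nothing else.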
Dealing with Law Enforcement
There is a great lack of communication between cyber security professionals and law enforcement agencies. Neither profession seems to know what the other does or how they can assist each other. The cyber security officer works primarily in the internal world of the corporation. Therefore, cyber security officers usually are ignorant of what investigations are being conducted by law enforcement agencies, even in the cities where the corporation has facilities.
This lack of communication means that the cyber security officer, and more often than not the Director of Security, is not aware of local high-technology crime investigations that law enforcement are conducting. Thus, the cyber security officer is unaware of some high-technology crime techniques that would be useful to know about when developing internal defenses and controls to protect the corporation against such attacks.
When to Call for Help—and Whom
If you or one of your staff is conducting an NCI or supporting a Security staff member conducting an investigation, there is more than one person who can be of assistance. These include:
• Victims,
• Witnesses,
• Consultants,
• Vendors,
• Suspects, and
• Law enforcement officers.
What if a high-technology crime is perpetrated at the corporation and the law requires a law enforcement agency to be contacted? What if management decides that they want the perpetrator caught and prosecuted? They will file a complaint with the appropriate law enforcement agency, and the cyber security officer has an important role to play to support prosecution of the criminal. Therefore, the cyber security officer should be aware of the processes involved. Some of the things to consider are:
• Does the corporation have a company policy as to when or when not to call an outside law enforcement agency?
• Are Legal staff involved?
• Are Human Resources personnel involved?
• Are Public Relations personnel involved?
• Is budget available to support the investigation and prosecution?
• Is the question "Can the corporation stand the bad publicity?" considered in making the decision?
• Is executive management prepared for the required commitment?
• Is reporting required by law?
• If yes, should it be reported?
• If no, should it be reported?
When deciding whether to call law enforcement, one should also consider:
• Costs versus benefits,
• Extent of loss,
• Probability of identifying and successfully prosecuting the suspect,
• Potential lawsuits that will follow if someone is identified (whether or not he or she is successfully prosecuted), and
• Time in supporting the criminal justice process: investigation through prosecution.
There are some advantages to calling law enforcement, who can:
• Perform acts that are illegal if done by private citizens,
• Obtain search warrants to recover property,
• Gain access to related information, and
• Protect victims in some instances.
Some of the disadvantages of calling law enforcement for help include:
• Control over the incident is lost,
• It is probably costly and time-consuming, and
• The company must be willing to cooperate in the prosecution, during which the case may receive high visibility from news media, stockholders, and others.
If you decide to call in a law enforcement agency, corporate management must also decide which one to call and why—national, state, or local. No matter which one is called, corporate management must also be prepared to help them for an extended period of time. Initially, the cyber security officer in concert with the Director of Security should:
• Prepare a briefing for investigators;
• Ensure that executive management and the Legal Staff Director attend;
• Be sure of the facts;
• Brief in clear, concise, and nontechnical terms;
• Identify the loss, the basis for the amount, and the process used to determine that amount;
• Gather all related evidence;
• Know the related laws;
• Describe action taken to date;
• Explain the real-world impact of the alleged crime;
• Identify and determine if any victims will cooperate; and
• Explain what assistance they can provide.
If the incident is to be handled internally:
• What is the objective?
• What is the plan to accomplish that objective?
• What expertise is available to help?
• What is the cost?
• What are the consequences?
• What can be done to be sure it doesn't happen again?
Questions to Consider
Based on what you have read, consider the following questions and how you would reply to them:
• Do you think the cyber security officer's responsibilities should include conducting any type of investigation or inquiry?
• If so, why?
• If not, why not?
• Do you think it is the job and professional responsibility of a cyber security officer and staff to support internal and external investigations by providing forensics support?
• If so, what limitations would you set on that support?
• As a cyber security officer, do you have a policy, plan, process, and procedure in place as to when and how you would support an internal or external investigation?
• If so, are they current?
• Have they been coordinated with applicable internal customers, such as auditors and Security staff?
Summary
Usually, a security department's staff is not trained to conduct high-technology investigations, whereas the cyber security officer and staff are in the best position to support the security department or an outside law enforcement agency in conducting their investigations. An agreement should be worked out between the Director of Security and the cyber security officer as to who has what authority for investigations relevant to violations of corporate policies as well as those that would also be a criminal offense.
Corporations must have current policies detailing when an outside law enforcement agency should be called and when a matter identified as a violation of law, criminal or civil, should be investigated internally. It is absolutely mandatory that such a decision not be made by the cyber security officer, but by the executive management supported by the Legal staff, Public Relations staff, and Human Resources staff. If a law enforcement agency is contacted, the corporation must be prepared for usually many months of support to the investigative agency as well as bad publicity.
High-technology crime investigations and NCIs are based on basic investigative techniques and answering the questions of who, how, where, when, why, and what.
High-technology criminals are beginning to install more sophisticated security systems, including encryption systems. Such systems will require very sophisticated tools and expertise to access them. Some have focused on methods of destroying evidence if law enforcement or investigators tamper with the system.
The challenges to high-technology crime investigators and computer forensics specialists are many and quickly increasing. Only through constant training will investigators and cyber security staff members have any hope at all of keeping up with these changes, including searching media for evidence.
Keys to successful searches include knowing the technology, having a plan, using common sense, and using a specialist who is an expert in the technology and accompanying software to be searched.
¹ Diogenes Laërtius (third century?), Greek historian and biographer. Lives of the Philosophers, "Myson" (third century?)—Encarta® Book of Quotations, © & (P) 1999, Microsoft Corporation. All rights reserved. Developed for Microsoft by Bloomsbury Publishing Plc.
² Merriam–Webster's Collegiate Dictionary. G & C Merriam Company, 1973.
SECTION III
The Global, Professional, and Personal Challenges of a Cyber Security Officer

OUTLINE
Introduction
Chapter 13. Introduction to Global Information Warfare
Chapter 14. The Cyber Security Officer and Privacy, Ethical, and Liability Issues
Chapter 15. A Career as a Cyber Security Officer
Chapter 16. A Look at the Possible Future

Introduction
In the first two sections of this book, you were introduced to the internal and external world of the cyber security officer. The third and last section of this book discusses the major challenges for the cyber security officer, now and into the future. The most challenging threat to the cyber security officer, and a growing one, is that of information warfare (IW), including terrorism. Although various types of IW have been around since someone first used the term information, high technology is making that threat grow rapidly. Therefore, Section III begins with an introduction to and overview of IW.
The IW chapter is followed by a chapter on the cyber security officer and his or her responsibilities related to ethical conduct, privacy, and liability issues. This chapter is considered important since such issues and being a cyber security officer professional go hand in hand.
The final chapter of this book looks into the future and discusses the challenges and risks the cyber security officer will face in the twenty-first century.
CHAPTER 13
Introduction to Global Information Warfare
Abstract
This chapter provides an introduction to and discussion of global information warfare (IW). As a professional cyber security officer you may not know it as, or call it, information warfare on a global scale, but we certainly are in a cyber war. Furthermore, if you are to protect the government agency or corporate information, systems, and networks that are your part of the global or national information infrastructure, you had better start thinking and acting as if you were in a war because, like it or not, you are.
Keywords: Command and control warfare (C2W); First-generation warfare; Information environment (IE); Information warfare (IW); Locust Swarm; Locusts program; Second-generation warfare; Water pumping stations
War does not determine who is right—only who is left. Bertrand Russell
CONTENTS
The Possibilities
Introduction to Warfare
Four Generations of Warfare
Introduction to Global Information Warfare
Information Warfare Will Hit You in Your Pocketbook
Business Is War
IW Broadly Encompasses Many Levels and Functions
What IW Is … and Is Not
Being Prepared: Bad Things Will Happen
The Possible Breakdowns in an Information Environment
Going beyond Three Blind Men Describing an Elephant: Information Warfare Terms of Reference
Information Warfare Is a Powerful Approach for Attaining and Maintaining a Competitive Advantage
How to Use IW to Achieve Goals and Objectives
Coherent Knowledge-Based Operations
Network-Centric Business
Knowledge Management
Summary
Note
The chapter begins with a fictional scenario that soon can become all too real; some of it already has occurred. Some aspects of IW attacks have already been tested by government agencies, terrorists, hackers, organized crime members, and the general criminal out to get rich at our expense, through either theft or blackmail, or to deny their adversary the ability to function.
This fictional scenario is presented as part of an introduction to global IW so that the reader can see what devastation can be caused by global IW, global because it can happen from anywhere to anywhere. It is something that the global IW defender must consider when addressing global IW issues.
Let's look at the possibilities of a worst-case IW attack scenario on the United States.
The Possibilities
At first, some thought it was a massive solar eruption worse than that of 1998, since communications, including microwave and cell phone towers, were made inoperable. Then it was theorized as a software glitch similar to the scare of the 2000 millennium bug years earlier. Then, all too soon, the real reason for the power loss and its domino effect became clear: a global IW attack on a massive scale.
It first started on Christmas Eve in the United States, for they knew only minimal staffing would be in place, many on vacation and out of the communication loop, those being vital to getting systems up and running again. They unleashed it late at night to cause the most havoc; it started in the Northwest, in the Seattle area, moved south to Portland, San Francisco, and Los Angeles, and at the same time moved east. The power went out, first on the western grids, shutting down power station after power station, blackening each neighborhood, each town, each city, from the Pacific Ocean moving slowly eastward like a swarm of locusts to the Atlantic Ocean, into parts of Canada and Mexico that were unfortunate enough to share America's power grids. They called the attack program "Locust Swarm."
America's energy grid slowly went down, and for those who had contingency plans that included generators, the generators bought them more time, but time was not on their side. Eventually, the gas-powered generators ran out of gas. Gas was not forthcoming, as electrical power was out from gas stations to oil refineries, and the pipelines leading to them had no power to move the oil. Gas pumps were closed; panic ensued. The alarm systems in stores, banks, and everywhere else in the country ceased operation.
Local power companies found that some transformers had exploded, taking days to months to find replacements, as so many were dead; some estimated it would take as long as six months to replace many of them, electricity being crucial to powering technology, and technology running everything. Whether they used solar cells, windmills, coal, natural gas, or diesel fuel, it didn't matter, as all were controlled and run by computers. Even the monitoring systems were run by technology, and when false readings were sent through them, they also helped cause the chaos and the overloads that ensued. Systems monitoring everything from nuclear facilities to dams were affected.
Just before the rolling blackout hit an area, there were a number of Twitter broadcasts: "Power is out, bank alarms are out, store alarms are out, come take your share of the bounty." When the miscreants of each area where power failed got the message, they joined their friends, and soon police and firefighters were occupied with emergencies. Mobs broke into any place that offered them money, furniture, televisions, and other goods free for the taking, setting fires as they went. They acted with impunity, as even CCTV cameras were out.
Fire departments were overwhelmed, and fire trucks eventually ran out of gas and could not respond. The same thing applied to police departments, even the National Guard and other military facilities.
Medical equipment in hospitals vital to keeping people alive ceased to operate as generators failed, and thousands of patients across the country died, many on the operating tables.
Instead of aircraft losing communications with the towers, the Locusts that had infected the country did not shut down the control towers as rapidly. No one thought to ask why until it was too late. And it was too late when the Locusts were uploaded to aircraft and wormed their way into the computer systems, changing the instrumentation settings on the aircraft without the knowledge of the flight crews, on both commercial and military aircraft.
Aircraft pilots had learned to fly using computers and their instruments. Long gone were the pilots who "flew by the seat of their pants," and programming errors caused planes to crash and thousands to die. Some that were running out of fuel tried landing but relied on false instrument readings and burned up on runways, stopping other aircraft from trying to land. While some made it down safely, others crashed and burned in adjacent fields and taxiways. The skies glowed with the fires of crashed aircraft, bodies strewn everywhere. Some survived for a while, but the emergency teams were overwhelmed and many died.
The Locusts program wormed its way into automated home systems. It was the middle of winter, and heaters were turned off and air conditioners turned on. Many vulnerable people in the northern region of the nation froze to death. And those in nursing homes and animals in shelters could not be cared for.
Water pumping stations ceased operation, and sewer systems failed. So when water was needed the most, bottled water started flying off store shelves until it ran out. People turning on their water faucets found nothing but stinking, brown water coming out, and then not even that.
All modern nations reliant on technology are vulnerable to such attacks. Of course there are those who say it can't happen. Really?
Introduction to Warfare
Wars have been fought ever since there were human beings around who did not agree with one another. These conflicts continue to this day, with no end in sight. The use of information in warfare is nothing new. Those who had the best information the fastest and were able to correctly act on it the soonest were usually the victors in battles.
Is it any wonder that since we are now in the Information Age we should also have information warfare? Because we now look at almost everything on a global scale, it should also not be surprising that information warfare is viewed on a global scale. Information warfare is today's much-talked-about type of warfare. A search of the Internet on the topic using Google.com disclosed that in 2002 there were 472,000 hits, but in 2014 there were 27,700,000 hits. Information warfare is becoming an integral, digital part of warfare of all types in the modern era.
Four Generations of Warfare
Military historians and professionals over the years have discussed the various generations of warfare. Some believe there are four generations of warfare to date:[1]
• First-generation warfare started with the rise of the nation-state and included a top-down military structure, limited weapons, and armies made up of serfs. It ended in the early nineteenth century, about the time of the Napoleonic Wars.
• Second-generation warfare began about 1860 in the United States with its Civil War. This generation of warfare included artillery, machine guns, mass weapons development, and logistics supported by trains. This generation of warfare ended sometime after World War I.
• The beginning of the third generation of warfare is attributed to the Germans in World War II, in which "shock-maneuver" tactics were used.
• In 1989, the U.S. Marine Corps Gazette[2] contained an article by several military personnel. The article, entitled "Changing the Face of War: Into the Fourth Generation," discussed the fourth-generation battlefield, where it is likely that it will include the "whole of the enemy's society…. The distinction between civilian and military may disappear…. Television news may become a more powerful operational weapon than armored divisions." If one were to have any doubts about the accuracy of that statement, one just has to remember the U.S. television news showing a dead American military man's body being dragged through the streets of Mogadishu. The loss of national will can be closely correlated with how quickly the United States departed that country. This, too, is part of the information warfare campaigns being waged on a worldwide scale.
One can argue that information warfare has existed in all generations of warfare and included spying, observation balloons, breaking enemy codes, and many other functions and activities. True, information warfare is as old as humans, but many aspects of how it is being applied in our information-dependent, information-based world are new.
Introduction to Global Information Warfare
In the early 1990s, several people in the U.S. Department of Defense (DoD) articulated a unique form of warfare termed "Information Warfare." The Chinese say they were developing IW concepts in the late 1980s. Who is correct? Does it matter? The areas embraced by IW have been developed over the centuries and millennia and have been a normal part of human activities from humankind's beginning. What is unique about IW is that it is the first instantiation of trying to tie together all the areas that make up the information environment (IE). The IE runs through every part of your country, organization, and personal life. At the present time, there is no cookbook recipe for the extremely complex task of bringing together all the areas.
What is IW? The general working definition of IW employed in this book is as follows: IW is a coherent and synchronized blending of physical and virtual actions to have countries, organizations, and individuals perform, or not perform, actions so that your goals and objectives are attained and maintained, while simultaneously preventing competitors from doing the same to you. Clearly, this embraces much more than attacking computers with malicious code. The litmus test is this: if information is used to perpetrate an act that was done to influence another to take or not take actions beneficial to the attacker, then it can be considered IW.
The definition is intentionally broad, embracing organizational levels, people, and capabilities. It allows room for governments, cartels, corporations, hacktivists, terrorists, other groups, and individuals to have a part. It is up to each enlightened enterprise to tailor the definition to fit its needs. This should not be a definition of convenience, to "check the box."
You are asked, and many times forced by government and businesses, to depend on the Internet: the Internet that is home to hackers, crackers, phreakers, hacktivists, script kiddies, Netespionage (network-enabled espionage), and information warriors; the Internet that is home to worms, Trojan horses, software bugs, hardware glitches, distributed denial-of-service (DDoS) attacks, viruses, and various forms of malware. All this, and the Internet is only a portion of the areas that IW addresses. Although the Internet touches many critical infrastructures, and these in turn affect the many IEs with which you interface, most of the IW areas were around before the Internet.
As "competition" is analogous to "enemy" or "adversary," other business-military analogies can be made with profit, shareholder value, competitive edge, and industry rank to achieve brand recognition, customer loyalty, exertion of power, influence, and market share. A business leader or military leader must train and equip forces; gather intelligence; assemble, deploy, and employ forces at decisive places and times; sustain them; form coalitions with other businesses and nation-states; and be successful. There are many physical and virtual world parallels, as can be seen in the following headline: "Cisco to use SNA as weapon against competition…. Cisco believes its experience in melding SNA and IP internetworks can be used as a weapon in the company's battle with Lucent and Nortel for leadership in converging voice, video, and data over IP networks."[2]
Purists will focus on warfare as a state of affairs that must be declared by a government and can be conducted only by a government. But consider guerrilla warfare, economic warfare (one country "forcing" another country to spend itself into bankruptcy, as allegedly the United States did to the Soviet Union), or a company adjusting prices to damage its competition (e.g., taking a long time horizon to use volume and time to adjust prices downward). "Conflict" or "that's business" does not carry the same sound of ultimate struggle as referring to business as "war." Clausewitz stated that war is a continuation of politics by other means. By analogy, because business is the implementation of a country's laws, economic policy, and values, business is also an extension of politics.
In a free market economy, competition is central to business strategy to win customers and market share. Competition, like war, is a struggle for a winning position. The marketplace can then be referred to analogously as a battlefield with winners and losers. It follows that business is analogous to war. Therefore, using military phraseology in a business context is appropriate. In fact, one just has to remember September 11, 2001, and New York's World Trade Center to see that in today's world, warfare is waged on many levels by various adversaries against various targets. These targets can be nation-states, their governments, groups, businesses, or individuals. The tools will be any that can be applied for attackers to successfully attain their goals.
The counterargument is that some insurance companies' contracts state that if a loss is due to an act of terrorism or war, they will not pay for damages. Calling an attack "war" is therefore not a purely rhetorical choice: insurers have invoked such war exclusions to contest claims for losses caused by state-attributed malware, so the wording of a policy's exclusions deserves review before an incident, not after. In the United States, attacks on computers by default are criminal acts and are thus in the purview of law enforcement. Often, after an investigation determines that the criminal act is a national security issue, the intelligence agencies and other government organizations will take the lead.
There are adversaries, winners, and losers. Most of the writing on IW focuses on weaknesses, defenses, and losses. Despite the gloomy forecasts by government officials and the media, IW is also about strengths, offenses, and gains. These positive features are within the grasp of any government or business organization with a desire to seize and maintain a competitive advantage, to be a winner on the IW battlefield. Importantly, unlike some of today's physical wars and those of the past, a small nation, for example, North Korea, has the power to successfully attack global and national businesses, as well as governments, without a great deal of resources.
What possible application can IW have outside specialized military circles? From a practical viewpoint, how does IW shorten decision cycle times, raise revenue, lower or avoid costs, and improve performance? If IW cannot improve effectiveness or efficiency, or bring about innovation, why do it? IW does do these things and ought to be the approach used rather than the top management fads that come and go, leaving businesses worse off for trying them. The purpose of IW is to gain power and influence over others. Power and influence are at the heart of all such relationships. Because IW requires effort, the effort needs to resolve into some aspect of power, such as profit or economic or military domination on the battlefield or in the marketplace.
Information Warfare Will Hit You in Your Pocketbook
There have been some events that were not expected. Hannibal crossed the Alps. Clay defeated Liston for the heavyweight boxing title. CD Universe did not think crackers would break into its systems. Buy.com did not expect a DDoS attack, nor did Sony, Target, or victims too numerous to mention. It seems new websites are discovered and hacked within minutes of being on the Internet. One honeypot project was attacked within 5 min. It will happen: one day your IE defenses are going to be beaten. When they go down, your revenues and profits will go down. The Internet Age has again proven the adage that "time is money." Suppose a company has US$1 billion in electronic and mobile-commerce revenue. That equates to $2,739,726 per day, $114,155 per hour, $1903 per minute, and $32 per second.[3] How long can your business afford to be adversely affected by an attack? In other words, what are the risks and consequences you are willing to accept?
In a portent of crippling events to come, since early 2000 there have been thousands of automated computer-based distributed attacks, extortion attempts for tens and hundreds of millions of dollars, and postings on the Internet of millions of supposedly protected credit card details and other private information. Apparently, the laws and court sentences for computer crimes lack deterrent value. Of course, if hardware and software products, communications systems, e-commerce sites, and other information technology (IT) components were designed with security in mind, we would not have this predicament, something that even Bill Gates of Microsoft finally realized.
In many cases, the dollar loss is secondary to the loss of trust. Banks and insurance companies especially feel customers' wrath. When customers believe their trust has been compromised, they vote with their pocketbooks and take their business elsewhere. That is when revenues and profits decline, which leads to a decline in the stock price, which in the not too distant future will lead to shareholder lawsuits for negligence and other claims.
IW conjures up many images: computers, networks, and telecommunications-savvy experts in the military and intelligence communities, corporate espionage, and pale 14-year-olds looking like they could be the next-door neighbor's kids, or yours. Dire prognostications about how an "electronic Pearl Harbor" threatens national security, and the daily media coverage of viruses and denial-of-service attacks that interchangeably uses phrases such as information warfare, cyberwarfare, and cyberterrorism, may make IW seem distant and surreal.
Some of the attacks, premeditated or unintentional, resulted in billions of dollars in damages. Computer emergency response teams and law enforcement agencies stress protection and defense of information, information infrastructure, and information-based processes to ward off malicious attacks. What do these and many other aspects of operating in the IE have to do with managing a government organization or running a business? For businesses, this may mean new business generation, cost avoidance, profit, customer retention, market leadership, and positive public perception. For nation-states, this may be economic, political, or military power, influence, or defeat.
The once high-profile events such as the Morris worm and Citibank's $400,000 loss ($10 million was stolen, and all but $400,000 allegedly recovered) should have been sufficient warning shots across the bow that a different approach was needed. However, such attacks of "long ago," in technology terms, pale in comparison to the number, sophistication, and scale of losses of today's attacks.
Note: Many of us since the late 1980s and into the 1990s and forward have been warning of the potential for IW attacks and what should be done to prepare for them. Of course, as usual when it comes to security, management in businesses and in government agencies ignored our warnings and are now reaping the results. We predict the worst is yet to come.
The much-needed security fixes are years away, as defenses continue to lag behind the attackers in sophistication. However, there are pockets of government-sponsored sophisticated attacks; some may even be called "defensive attacks" or preemptive strikes against an adversary. Demand is low because the general public appears to be uninterested in cracker exploits, made indifferent by the almost daily news stories. Said differently, the public has come to expect identity theft, theft of their credit cards, and such. However, since corporations are held liable in most cases, and credit card corporations absorb the losses of their customers, the general public remains complacent in general and is personally outraged only when it is their own identity or financial instruments that have been compromised.
Business Is War
An advertising campaign can be considered a subset of an IW campaign. Here is a perhaps not so hypothetical example. Taking grocery store shelf space from a competitor, owing to product or packaging redesign, is notionally no different from denying use of a radar or a seaport to the enemy. Instead of cereal boxes that stood and poured vertically, what if they stood horizontally and had spouts for pouring (besides, vertical boxes are prone to tipping)? This would result in more shelf space needed for the same number of cereal boxes. The packaging will carry a message that conveys "new" and "improved." The boxes will be at eye level, easy for the consumer to spot. In-store advertising will attempt to vector shoppers to the cereal aisle. Newspaper and magazine advertising will attempt to convince customers to try the "new" and "improved" product, and coupons will be used as further enticement. There may even be an in-store demonstration. Because there is limited shelf space, and if the cereal company has bargaining power, other cereals have to lose space. Lost space, it is hoped, then translates to lost product sales, which in turn leads to reduced revenue and profits as well as a lower stock price.
In business, the IW target can be the customer, the competition, or another entity. The purpose of the IW campaign is to have the competitor take action that will result in increased profits for your company. In the best of all outcomes, your revenues go up and the competitors' revenues decline. Even if your sales were constant, just having less space to sell should make competitors' sales decline, so your industry ranking will improve. What will the competition do? Redesign packaging? Alter ingredients? Lower the product's price? Counter with coupons? Have a television campaign employing a doctor to extol the health benefits of their cereal? Play hardball with the supermarket chain? A combination? Nothing, taking a wait-and-see approach? This is physical and virtual IW at the corporate level. It embraces the media, perception management, physical operations, intelligence collection, and more.
This is no different from one country observing another and bringing to bear economic, diplomatic, and military means. These means may include very advanced open source searches and analyses and covert means involving manipulation of the radio frequency (RF) spectrum. From a business perspective, operations, marketing, public relations, manufacturing, finance, transportation, and other parts of the company must operate in a synchronized and coherent fashion. The competition must be monitored and intelligence collected so the company can be in position to agilely and effectively respond to any countermoves.
IW Broadly Encompasses Many Levels and Functions
IW is not the sole purview of a modern, technology-based and technology-dependent government; otherwise, only the wealthy countries could practice it. A narrow interpretation of IW flies in the face of reality. Other than a unique set of capabilities that are based on unlimited deep pockets and specialized espionage capabilities, more brainpower and, perhaps, more capabilities reside external to a government. Any organization, and even individuals, can conduct offensive and defensive IW. It is about seizing control of perceptions, physical structures, and virtual assets. Seizing control can be done from both offensive and defensive positions. That puts any organization squarely in control of its destiny. Those that are unenlightened will never perform at or near the top of the pack and may well go out of existence. Those that embrace IW have a much better chance of surviving and reaping the rewards.
The military, intelligence community, and law enforcement generally do not embrace this perspective. Why? They have capabilities that are highly classified. If used by industry, then "all hell would break loose." Certainly, there are unique offensive and defensive capabilities that can be developed only by the government because of their high risk of failure and the necessary funding. However, there has been an explosion of brainpower with regard to physical and virtual capabilities. The majority of brainpower in genetics, robotics, nanotechnology, microelectromechanical systems, and hydrogen technologies resides outside the military, intelligence community, and law enforcement. What is to prevent these capabilities from falling into the hands of nation-states, individuals, businesses, and organizations that wish to perpetrate some form of hostile behavior? Absolutely nothing.
What IW Is … and Is Not
Information warfare is not about a one-time silver bullet for a quick fix and looking good on a quarterly financial report. IW is not restricted to using computers to attack other computers. It is not confined to the cyber realm. "Virtual" means electronic, RF, and photonic manipulation. Organizations need to use the capabilities within the virtual and physical domains in a manner that optimizes what they wish to do. The best approach for IW, as it should be with a business or government organization, is to conduct physical and virtual operations in a synchronized and coherent fashion. Easier said than done. Goddard's experiments contributed to manned space flight, four decades later. As virtual capabilities become more practical for the government, military, and business, the greater their importance becomes in operations. Fifteen years ago, laptops, mobile phones, and personal digital assistants (remember them?) were bulky, seldom more capable than their traditional counterparts, and much more expensive. For some people, the time-saving and cost-reducing capabilities of the gadgets border on technological cocaine, and these people almost cannot function without their gadgets. Some business and government organizations have bought into technology so much that their operations can truly be termed "network-centric business." What better way to counter this than with IW? Not many years from now, IW will be mainstream, and those who do not participate will fail.
Much hype surrounds hacker exploits and computer-based viruses. Most hacker, cracker, and phreaker exploits and viruses qualify as falling within IW, albeit at the low end of the spectrum, because there is an attempt to influence, either directly or indirectly, others to take an action. Approaches range from altruistic ("I found a hole in the software. Develop a patch for it.") to anger ("I will make them miserable for firing me.") to social awareness ("Stop drug research on animals.") to criminal ("Here is how to defeat the fraud control and computer security systems of fill-in-the-blank corporation, as all are vulnerable, more or less."). Almost all of the events and attacks fall into the realm of theft, extortion, fraud, and related criminal behavior. Measures must be employed to protect and defend corporate and government systems because individual losses have already been in the tens and hundreds of millions of dollars.
Even if you have taken all the appropriate measures to protect and secure your physical and virtual assets, much falls outside your span of control: protected and secured power, finance, communications, transportation, water, and continuity-of-government infrastructures; security-rich and bug-free commercial off-the-shelf (COTS) software; and the creativity of crackers and phreakers to find new vulnerabilities in technology to exploit. Also, you probably cannot control your business partners', customers', financial stakeholders', and suppliers' IEs that are connected to yours. If you are an Internet-based company, then electronic and mobile commerce accounts for the majority of your revenue. Any disruption and your customers will go to your competitors. If you are a traditional bricks-and-mortar company expanding onto the Internet to enhance your customers' ability to do business with you, business interruptions and disclosure of customer data will taint your reputation and credibility. Business interruption can be costly on many levels.[4]
When properly employed, IW is an agile capability that can be tailored to any situation. It can bring a multitude of functions to bear. It can be implemented in both the physical and the virtual worlds. Central to IW is how it is used to influence decision-makers. Magazines, radio, television, newspapers, leaflets, e-mail, web pages, social media, and other forms of media can all be used as a vehicle to deliver IW.
IW should not be restricted to a small cadre. Certainly only a few people should know about the sensitive details that will make or break the execution of the IW plan. All parts of an enterprise, not just an organization, need to be linked for the most effective implementation of IW. Any organization has a finite portion of resources. Partnerships, alliances, consortia, and other relationships can serve to expand an organization's capabilities.
Proper use of information is central to profitable business and successful military operations. IW is used to provide your organization a competitive advantage while limiting the competition's capability to reduce your advantage and increase their own. Effective IW is not possible without control of your information environment.
An IE is an interrelated set of information, information infrastructure, and information-based processes. Data include the measurements used as a basis for reasoning, discussion, or calculation. Data are raw input. Information applies to facts told, read, or communicated that may be unorganized and even unrelated. Information is the meaning assigned to data. Knowledge is an organized body of information. It is the comprehension and understanding consequent to having acquired and organized a body of facts. Information as used here means data, information, and knowledge. No doubt horrific to purists, there is no one good word in the English language that embraces all three concepts together. All three exist within any organization. At any given time, one of them will be of greater value than the others. Your competition wants your information, so do not believe that "gentlemen don't read other gentlemen's mail."
Information moves across information infrastructures in support of information-based processes. The information infrastructure is the media within which we display, store, process, and transmit information. Examples are people, computers, fiber-optic cable, lasers, telephones, and satellites. Examples of information-based processes are the established ways to obtain and exchange information. This includes people to people (e.g., telephone conversations and office meetings), electronic commerce/electronic data interchange, data mining, batch processing, and surfing the web. Attacking (i.e., denying, altering, or destroying) one or more IE components can result in the loss of tens of millions of dollars in profit or in degraded national security and can be more effective than physical destruction. Degrade or destroy any one of the components and, like a three-legged stool, the IE will eventually collapse.[5]
Being Prepared: Bad Things Will Happen
Bad things happen, such as floods, hurricanes, and earthquakes; power surges and sags; and fires. Disgruntled employees can steal, manipulate, or destroy information. Crackers work their way through the electronic sieve of protection mechanisms (e.g., firewalls and intrusion detection devices) into information assets.
Sound disaster recovery, business continuity, and contingency operating plans are essential. For every minute information systems are not up and fully running, revenues, profits, and shareholder value are being lost. The last thing a general counsel needs is a lawsuit from unhappy shareholders who are suing for millions because the corporation did not follow best practices to protect information. One problem is that COTS hardware and software are very difficult to protect. Another concern is that firewalls, intrusion detection devices, and passwords are not enough. The state of the art in information assurance is effective against script kiddies and moderately skilled hackers. What about the competition, drug cartels, and hostile nation-states that are significantly better funded? There is no firewall or intrusion detection device on the market that cannot be penetrated or bypassed. Password dictionaries can cover almost any entire language, and there are very specific dictionaries (e.g., sports, Star Trek, or historic dates and events). A password built from a dictionary word with a few digits or a year appended is not materially stronger than the bare word, because cracking tools apply such mangling rules to every dictionary entry automatically.
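To make the point about themed dictionaries concrete, the following is an added example written for this page (not code from the book): a small targeted wordlist, the kind of mangling rules a cracking tool applies (case changes, leetspeak, trailing digits and years, a trailing "!"), and a brute-force loop against an unsalted SHA-256 hash. The wordlist, the sample passwords and the hashes are all constructed here for illustration; the only real library used is the Python standard library.

```python
"""Targeted dictionary attack with mangling rules (added example).

Shows why "dictionary word + digits/year" is weak: the candidate space a
themed wordlist generates is small enough to exhaust in seconds against
a fast, unsalted hash.  Everything below is constructed for this example.
"""
import hashlib

# Constructed, deliberately tiny themed wordlist (a real Star Trek or
# sports list has thousands of entries; the attack scales linearly).
THEMED_WORDLIST = ["enterprise", "picard", "klingon", "warp", "tribble",
                   "yankees", "touchdown", "gettysburg"]

# Common leetspeak substitutions applied as one mangling rule.
LEET = str.maketrans({"a": "4", "e": "3", "i": "1", "o": "0", "s": "5"})


def mangle(word):
    """Yield every candidate the rule set derives from one base word.

    Rules: as-is / Capitalized / UPPER / leet / Capitalized-leet, each
    with no suffix, a 0-99 suffix, or a 1960-2025 year, and each of those
    optionally followed by '!'.  Duplicates among the bases are removed.
    """
    bases = {word, word.capitalize(), word.upper(),
             word.translate(LEET), word.capitalize().translate(LEET)}
    suffixes = [""] + [str(n) for n in range(100)] \
                    + [str(y) for y in range(1960, 2026)]
    for base in sorted(bases):
        for suf in suffixes:
            yield base + suf
            yield base + suf + "!"


def candidate_count(wordlist):
    """Total guesses the rule set produces for a wordlist."""
    return sum(1 for w in wordlist for _ in mangle(w))


def sha256_hex(password):
    """Fast unsalted hash, as a weakly designed application might store."""
    return hashlib.sha256(password.encode()).hexdigest()


def pbkdf2_hex(password, salt, iterations):
    """Slow salted hash; the same attack loop works, but every guess now
    costs `iterations` times more, which is the defender's only lever
    once a hash database has leaked."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt,
                               iterations).hex()


def crack(target_hash, wordlist, hash_fn=sha256_hex):
    """Return the recovered password, or None if the candidate space
    generated from `wordlist` does not contain it."""
    for word in wordlist:
        for candidate in mangle(word):
            if hash_fn(candidate) == target_hash:
                return candidate
    return None


if __name__ == "__main__":
    # Constructed victim passwords: two "strong-looking" dictionary
    # derivatives and one passphrase outside the themed list.
    for pw in ("Picard1987!", "kl1ng0n42", "correct horse battery"):
        found = crack(sha256_hex(pw), THEMED_WORDLIST)
        print(f"{pw!r:25} -> {found!r}")
    print("candidates generated:", candidate_count(THEMED_WORDLIST))
```

Two things to take from running it: the whole candidate space for eight words is only a few tens of thousands of guesses, and switching the stored hash to `pbkdf2_hex` with a high iteration count does not shrink that space at all, it only makes each guess expensive. Passwords that are not derived from a guessable word, together with rate limiting on the live login path, are what actually push the attacker outside the dictionary.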
The Possible Breakdowns in an Information Environment
IEs exist internal and external to an organization. An IE is tailorable so it can support many actors. An IE can consist of a corporation, its customers, and the government. Another IE can be a military, its allies and coalition partners, and the government. Whatever comprises a specific IE, the important fact remains: if its elements are not protected and secured, the consequences can range from irritants to catastrophes.
An organization has employees. These employees deliver products, services, and processes to the organization and its customers. To keep the organization running, suppliers deliver products, services, and processes. Financial stakeholders (venture capitalists, banks, stockholders, and others) provide capital. The public has a positive, neutral, or negative view of the organization. Strategic teaming partners provide physical, financial, cerebral, and other capabilities. Every entity with which the organization is linked has its own IE. IEs are connected to, and are interdependent on, other IEs.
Going beyond Three Blind Men Describing an Elephant: Information Warfare Terms of Reference
IW cuts across national borders, educational background, and cultural views. To ensure a consistent understanding during this discussion, working definitions of IW and many supporting terms are offered. This does not preclude national interpretations and certainly does not attempt to rationalize, harmonize, and normalize definitions. Common terms of reference (TOR) permit a shared understanding, as well as a point of departure for applying the TOR within specific organizations.
George Santayana said, "Those who ignore the lessons of history are condemned to repeat them."
Here is an example of how parochialism caused a disaster.
In August and October of 1943, the Allies launched air raids against Schweinfurt with disastrous consequences, for the Allies. In the August raid, of 600 planes, 60 were lost along with 600 crewmen. Why? There was no long-range fighter escort. Why? In the 1920s and 1930s, resources were allocated for strategic bombardment over pursuit. Why? General Giulio Douhet and others postulated that air power alone could win wars by striking the enemy's strategic centers. Lesson learned: The decisions made in the 1920s and 1930s led to the wrong tactical employment a decade later. We must not make the same mistake with IW. If we do, national security, economic viability, and corporate capabilities will be lost.
It seems that there are as many definitions of IW and related topics as there are people. It is reminiscent of three blind men describing an elephant by touching the animal's various parts. One blind man said, "An elephant is a reptile and is thin and long," as he was touching the tail. Touching the tusks, another blind man said, "An elephant is like a big fish with its smooth and pointed body." The third blind man said, "An elephant resembles a large leaf with a hole in the middle" because he was touching the ears. None of them could extrapolate their interpretations to a real elephant. Similarly, what one sees is not necessarily what one gets. "Qu'est-ce que c'est?" will be mispronounced if one does not have a basic understanding of French diction. So, too, is it with terms used to describe various practices in the information realm.
Although the names are initially obtuse to those who do not work in those areas, these information practices have been a normal evolution in communications and computers and also in the dark-side move/countermove/counter-countermove "cool war." There are many other variations. Little wonder the terms are understood by few people and erroneously used interchangeably. Few understand the difference between a hacker, a cracker, and a phreaker, much less a white-hat hacker.
In some cases, more terminology only detracts. "Cyber" is too limiting. It is as if, rather than pushing through difficult points to achieve philosophical insights and technical understanding, people create terms to differentiate themselves without knowing what they are doing.
Informationandknowledgearenowinvogue.WeareintheInformationAgeandrapidlytransitioningintotheKnowledgeAge.Acquiringtherightdata,derivinggoodinformation,andapplyingittomakesounddecisionstopositivelyaffectthebottomlineareessential.SearchengineshavemadefindinginformationontheInternetverysimple.
Witness,duringthepastatleast40 years,theexplosionofterminologyrelatedtotheprotectionofinformationandusinginformationfornationalsecuritypurposes.Themostimportantpointistounderstandthemeaningofthesetermsandwhatthedifferentfunctionscan—andcannot—dotomakeaninformeddecisionwhethertocommitresources(i.e.,people,money,andtime).
Many countries have developed definitions. IW, information assurance, information operations, information superiority, information dominance, and other constructs popular in the U.S. military are part of the revolution in military affairs and in security affairs. Government organizations and businesses have developed additional terms, and some do not agree with the national version. So there can be a point of departure for this discussion, definitions accepted by many are put forth. In some cases, working definitions will be used. The following definitions are from the U.S. DoD Dictionary of Military and Associated Terms:6
Command and control warfare (C2W): The integrated use of operations security, military deception, psychological operations, electronic warfare, and physical destruction, mutually supported by intelligence, to deny information to, influence, degrade, or destroy adversary command and control capabilities, while protecting friendly command and control capabilities against such actions. C2W is an application of information warfare in military operations and is a subset of information warfare. C2W applies across the range of military operations and all levels of conflict. C2W is both offensive and defensive.
Defense in depth: The siting of mutually supporting defense positions designed to absorb and progressively weaken attack, to prevent initial observations of the whole position by the enemy, and to allow the commander to maneuver the reserve.
Information: Facts, data, or instructions in any medium or form. The meaning that a human assigns to data by means of the known conventions used in their representation. Here are some “oldies but goodies” terms that are still valid today as they describe the IW-related environment:
• Information assurance: Information operations that protect and defend information and information systems by ensuring their availability, integrity, authenticity, confidentiality, and nonrepudiation. This includes providing for restoration of information systems by incorporating protection, detection, and reaction capabilities.
• Information-based processes: Processes that collect, analyze, and disseminate information using any medium or form. These processes may be stand-alone processes or subprocesses that, taken together, comprise a larger system or systems of processes.
• Information environment: The aggregate of individuals, organizations, or systems that collect, process, or disseminate information; also included is the information itself.
• Information security: The protection of information and information systems against unauthorized access or modification of information, whether in storage, processing, or transit, and against denial-of-service to authorized users. Information security includes those measures necessary to detect, document, and counter such threats. Information security is composed of computer security and communications security. Also called INFOSEC or cybersecurity.
An older definition focused on only physical protections: locks, alarms, safes, marking of documents, and similar physical world capabilities.
• Information system: The entire infrastructure, organization, personnel, and components that collect, process, store, transmit, display, disseminate, and act on information.
• Information warfare: Information operations conducted during time of crisis or conflict to achieve or promote specific objectives over a specific adversary or adversaries.
We can expand on this because of the definition of IW. What is IW? It is more than computer network attack and defense. That almost everyone agrees on. But what else is encompassed by IW? Heated debates go on today about what IW should embrace and accomplish. IW is an umbrella concept embracing many disciplines. IW is most effective when performed in a synchronized and coherent fashion. That is why knowledge management (KM) complements it so well. All components of an organization, as well as across the enterprise, need to be included in an IW action plan.
The good news is that IW embraces the marketing, public relations, counterintelligence, and other functions you now perform. IW is not these functions renamed. They continue to be run by the subject matter experts. IW is the coherent application and synchronized approach of these functions. What is needed are experts who, by analogy, are conductors of the orchestra. They know where the expertise resides within the organization, understand what the functions can and cannot do, and bring them to bear for optimum performance. At present, only the military in a few countries comes close to understanding the relationships and functions of linking the physical domain with the virtual realm and has begun policy development and allocation of resources. For the most part the equivalent does not exist in industry—yet.
The purpose of IW is to control or influence a decision-maker’s actions. An area of control can be directly manipulated, whereas an area of influence can be only indirectly manipulated. Control and influence are the essence of power. From a business perspective, sector and industry-leading market share and profit are the results of proper IW execution.
What would make a decision-maker act or not act? Perhaps false or misleading information, an analysis of open source information, documents mysteriously acquired, or intelligence from an employee hired away from the competition. IW at the corporate level manifests itself in marketing, public relations, legal, research and development, manufacturing, and other functions. With the introduction of commercial high-resolution satellite photography, some companies have altered their delivery and shipment schedules, to include using empty railcars and semitrailers to mask inventory, production capability, and customer quantities. IW is a full spectrum of capabilities. Ingredients are carefully selected and tailored to each case.
IW can be conducted without using physical destruction. Both military psychological operations and commercial advertising depend heavily on psychology and sociology, the study of individual and group behavior. The implications of this insight are enormous. Businesses engage in IW all the time, or is it that only the effective ones do?
IW enables direct and indirect attacks from anywhere in the world in a matter of seconds. Physical proximity to a target is not necessary. How is this possible? Because we have made conscious and unconscious decisions to have speed and connectivity without complementary security. In Sun Tzu’s and Genghis Khan’s eras, physical, personnel, and operational security were all that was needed for protection. Today we have fiber optics, satellites, smartphones and tablet computers, infrared and laser communications, interactive cable television, and a host of other technology marvels that allow us in a few seconds to reach anywhere. Now, in seconds, our information can be intercepted, modified, manipulated, and stolen.
No simple sentence or paragraph effectively describes IW. There are broad and narrow interpretations within national and international government, business, and academic communities, and some even totally reject the notion of IW. The overall view of IW must be expansive. Information is everywhere. We find information, for example, in mass media such as radio, television, and newspapers, at World Wide Web sites, in communications systems, and in computer networks and systems. Any and all may be subjected to attack via offensive IW. It follows that all these areas must be defended with defensive IW.
Offensive IW can make a government, society, nation, or business bend to the will of the attacker. Attacks can be very large, devastating, and noticed, such as economic or social disruption or breakdown and denial of critical infrastructure (e.g., power, transportation, communications, and finance) capabilities. They can also be small, low key, and unassuming, such as a request for publications and telephone calls (as the basis for social engineering). Businesses do not have the deep pockets of a government, but that does not restrict them from engaging in IW.
A business wants to deny the competition orders, customers, and information about its research and development. Industrial espionage has its share of illegal activities: theft, monitoring communications, and denying use of servers to conduct electronic commerce. Governments engage in psychological operations (with the subsets of mis/disinformation and propaganda using leaflets, television, and radio broadcasts). Businesses must identify when disinformation is being used to lure customers away and have the means to counter it. Of course, that is starting from a position of weakness. What is a proactive, defensive IW approach to counter the attack? Inoculate the customers, suppliers, business partners, and others in the IE.
Defensive IW is the ability to protect and defend the IE. Defense does not imply reactive. Measures can be taken to forewarn of attacks and to preposition physical and virtual forces. Examples of virtual forces are software and brainpower. The acme of skill is to present a posture to prevent a competitor from attacking and to achieve victory without having to attack. Perception management is as important as demonstrable physical and virtual capabilities.
• Information operations (IO): As stated above, for the purposes of this book, IW is not restricted to war, so IO as described below is included in IW. Actions taken to affect adversary information and information systems while defending one’s own information and information systems.
• Defensive IO: The integration and coordination of policies and procedures, operations, personnel, and technology to protect and defend information and information systems. Defensive information operations are conducted through information assurance, physical security, operations security, counterdeception, counterpsychological operations, counterintelligence, electronic warfare, and special information operations. Defensive information operations ensure timely, accurate, and relevant information access while denying adversaries the opportunity to exploit friendly information and information systems for their own purposes.
• Offensive IO: The integrated use of assigned and supporting capabilities and activities, mutually supported by intelligence, to affect adversary decision-makers to achieve or promote specific objectives. These capabilities and activities include, but are not limited to, operations security, military deception, psychological operations, electronic warfare, physical attack or destruction, and special information operations and could also include computer network attack.
• Information superiority: The degree of dominance in the information domain that permits the conduct of operations without effective opposition. Information superiority is the relative state of influence and control of the IE between two or more actors. Some argue the opposite of “superiority” is “inferiority.” This is not the case. All actors have equal access to open source information. Restricted, sensitive, and classified information can be acquired through overt or covert operations. Having the data, information, and knowledge is not the key to attaining and maintaining information superiority. What is done with the information and the speed at which it is done is the gold nugget. Information sharing, automation, cross-platform information sharing, and automating processes (such as air traffic control, sales–manufacturing/production–inventory–transportation, and military intelligence–platform maneuver–weapons selection and release–battle damage assessment) are essential to have execution cycles faster than those of the competition.
• Operations security: A process of identifying critical information and subsequently analyzing friendly actions attendant on military operations and other activities to: (1) identify those actions that can be observed by adversary intelligence systems; (2) determine indicators that hostile intelligence systems might obtain what could be interpreted or pieced together to derive critical information in time to be useful to adversaries; and (3) select and execute measures that eliminate or reduce to an acceptable level the vulnerabilities of friendly actions to adversary exploitation. Also called OPSEC.
• Vulnerability: In information operations, a weakness in information system security design, procedures, implementation, or internal controls that could be exploited to gain unauthorized access to information or information systems.
In addition to the above definitions, the U.S. National Security Telecommunications and Information Systems Security Committee (NSTISSC) 4009, National Information Systems Security (INFOSEC) Glossary14 offers the following:
• Attack: Type of incident involving the intentional act of attempting to bypass one or more security controls.
• Confidentiality: Assurance that information is not disclosed to unauthorized persons, processes, or devices.
• Critical infrastructure: Those physical and cyber-based systems essential to the minimum operations of the economy and government.
• Integrity: Quality of an information system (IS) reflecting the logical correctness and reliability of the operating system; the logical completeness of the hardware and software implementing the protection mechanisms; and the consistency of data structures and occurrence of the stored data. Note that, in a formal security mode, integrity is interpreted more narrowly to mean protection of unauthorized modification or destruction of information.
• Nonrepudiation: Assurance that the sender of the data is provided with proof of delivery and the recipient is provided with proof of the sender’s identity so that neither can later deny having processed the data.
• OPSEC: Process denying information to potential adversaries about capabilities or intentions by identifying, controlling, and protecting unclassified generic activities.
• Probe: Type of incident involving an attempt to gather information about an IS for the apparent purpose of circumventing its security controls.
• Risk: Possibility that a particular threat will adversely impact an IS by exploiting a particular vulnerability.
• Risk management: Process of identifying and applying countermeasures commensurate with the value of the assets protected based on a risk assessment.
Neither NSTISSC 4009 nor the U.S. DoD Dictionary of Military and Associated Terms defines consequence and consequence management. Risks are the intersection of threats and vulnerabilities. Residual risks are those that remain after mitigating actions. To plan effectively, decision-makers need to know the consequences of various courses of actions. The residual risks influence the outcomes. The outcomes are best represented via consequence management cascading effects. Third- and fourth-order effects, or further, need to be well estimated for the best course of action to be chosen.
Information Warfare Is a Powerful Approach for Attaining and Maintaining a Competitive Advantage
The purpose of a business is to create value for its shareholders, and the purpose of a government is to provide for the common good. From a business viewpoint, being effective and efficient in current markets and opening new lines of business are key to sustained revenue generation and profits. From a national security perspective, we should expect the military, intelligence community, and law enforcement to develop and use capabilities to maintain sovereignty, create and sustain peace and economic prosperity, and ensure public safety from criminals and monopolies. These entities cannot survive by insulating themselves. They must embrace, within their value system, whatever it takes to go beyond surviving to “thrive.”
How to Use IW to Achieve Goals and Objectives
Complexity interwoven across government, industry, and society presents a daunting challenge for IW. It is in the best interest of any government, business, and other organization to take prudent action to defend against information warfare attacks and to be able to launch them.
The advanced hacker breaks into online shopping exchanges, manipulates orders, steals merchandise, plunders credit card numbers—the modern-day pirate, highway robber, and Wild West outlaw. Those who would be part of the online shopping population come to expect this malicious behavior but are not dissuaded from shopping online.
Espionage, disinformation, physical destruction (normally permitted by law only for the military and law enforcement), and other actions are a means to an end. IW is a higher-level, cerebral activity. The target can be a population (the national will or a specific political, religious, or ethnic group), a despot, a general, or anyone in an organization. How, then, should IW be applied to industry? After all, is war not a declaration of Congress, Parliament, or other government entity? If a business is destroyed by an act of war or terrorism, it will not be remunerated by insurance. Is this a misnomer? By no means!
Because business is war, the principles of war normally associated with the military ought to be applied. These are not rigid, and their application is tailored to each use. Objective, offensive, mass, economy of force, unity of leadership, maneuver, security, surprise, and simplicity are generally recognized principles that will benefit any organization. Applying the principles to coherent and synchronized IW will produce a positive return on investment (ROI).
In the IT world, determining ROI is considered the Holy Grail. The problem for quantitative metrics for IW is that orders of magnitude are more difficult because of the many disciplines, many organizational levels, and sheer scope involved. Some prefer it that way because it allows them to hide behind classified information and black magic. If IW is to be successful, metrics are necessary. Existing traditional measures are a good start (e.g., how many probes did our intrusion detection system pick up?), but are not sufficiently expansive and precise. What is the value of a database? What is the value of that database after it has been successfully data mined? Because quantitative metrics need to be developed, qualitative ones will need to be used.
IW is an embracing approach, customizable to produce positive results in any organization and tailorable to meet the demands of the marketplace. By balancing tried and true capabilities with leading-edge technologies and concepts, IW remains a fresh and useful approach for achieving goals and objectives on the way to attaining and maintaining a competitive advantage.
Coherent Knowledge-Based Operations
IW for IW’s sake is senseless. IW must help countries achieve their national security objectives and help businesses attain their goals. When IW is combined with KM and how business is done, the combination provides a powerful capability. Applying IW with KM results in information superiority. When KM is applied to how business is done, situational awareness will result. Combining IW with how business is done delivers tactics, techniques, and procedures to attain a competitive advantage. The intersection of IW with KM and how business is done is coherent knowledge-based operations (CKOs). CKO enables a country or a business to attain and maintain a competitive advantage through the synchronization and coherent application of all of its capabilities in the extended IE.
Organizations dabble in many pop management fads. Well-intentioned or not, these often are stovepipe solutions that divert finite resources—people, money, and time—from the organization’s central interests and objectives. CKO brings together what appear to be several disparate components. Coherent means an orderly or logical relation of parts that affords comprehension or recognition. The parts are network-centric business (NCB) (how business is done), KM, and IW. When used in concert, their sum is far more powerful than the individual components, creating a powerful means of attaining and maintaining a competitive advantage. CKO can be used to execute and to survive IW attacks.
Network-Centric Business
We are told that we are in the Information Age, ride the information highway, and are part of the knowledge-based economy. We conduct electronic commerce, have electronic data interchange between computers, allow employees to telecommute and have remote access, and spend millions of dollars on websites to attract customers to buy products and services. Computers and robots are in the manufacturing plants, personnel and medical records are automated, and many of us participate in automated deposits and bill payments. If the computers stopped, not enough trained and skilled people could take over the functions in a manual system, and many businesses and government functions would quickly come to a halt. Computers, databases, and networks are as vital to a business as the circulatory and nervous systems are to your body. Computers and networks have become as ubiquitous as toasters, and network-centric appliances are in the works. The current generation of smartphones are the forerunners of tools with tremendous capability, limited only by human creativity. If you do not quickly gain control of your IE, doing so in the future will be exponentially more difficult—and expensive. The main advantage of controlling your IE is that your bottom line will improve.
There is no faster, more effective, or more efficient means to beat the competition than to use NCB. NCB allows an organization to take maximum advantage of its business processes: taking and placing orders, using the supply chain, conducting just-in-time production, and using distribution channels to field products and services. NCB leverages not only all the resources within an organization, but also its customers and business partners. They are all part of the solution set that drives the bottom line. The resources within the organization—people, money, and time—are finite, but can be effectively and efficiently allocated to provide optimal support to customers and to maximize the bottom line.5
Knowledge Management
KM integrates technologies, processes, and cultural changes to provide a means for well-informed, rapid decision-making via collaborative information and knowledge sharing by varied and dispersed organizations and individuals. KM tenets include support for organizational processes, tailored content delivery, information sharing and reuse, capturing tacit knowledge as part of the work process, situational awareness of information and knowledge assets, and valuation. KM enables an organization to be more agile, flexible, and proactive. The approach is ideal for integrating, for example, intelligence (e.g., economic and open source) and security (e.g., physical, personnel, and operations), sales and production, and research and development with business development.5
Summary
Information warfare is an embracing concept that brings to bear all the resources of a nation-state or business organization in a coherent and synchronized manner to control the information environment and to attain and maintain a competitive advantage and gain power and influence. Judicious use of IW, when coupled with KM and NCB, leads to reduced or avoided costs, increased revenues, more satisfied customers, and larger profits and national security. Governments and businesses can use IW offensively and defensively in the physical and virtual domains. Counters to IW do not have to be in kind; they can be no, low, or high technology, and they can be asymmetric. Not conducting IW will result in a reduced market presence and lower national security. Although the name may change over the years, IW will evolve from its nascent stage and become mainstream in 20 years. We projected that in 2002. We are in fact there already.
IW occurs when, in the physical and virtual domains, you attack your competition or they attack you. IW is about synchronized and coherent relationships and capabilities. As previously discussed, central to IW are those physical and virtual capabilities to control the IE.
CKO couples IW in a useful approach with KM and how the organization does business. Not only is the corporation’s IE engaged, the resources of its enterprise are brought to bear to use all its capabilities in a coherent and synchronized manner to seize as great a competitive advantage as possible. In this fashion, a country can call on its allies and coalition partners, and a business can call on its suppliers and business partners so as much knowledge and as many capabilities as possible can be brought to bear.
Note
The information presented in this chapter was liberally quoted from the author’s coauthored book with Dr. Andy Jones entitled Global Information Warfare, second edition, and used with the kind permission of CRC Press, who published the book.
1. Taken from a Gannett News Service article, September 27, 2001.
2. Network World, August 10, 1998.
3. “If Most of Your Revenue Is from E-Commerce, then Cyber Insurance Makes Sense,” Perry Luzwick, “Surviving Information Warfare” column, Computer Fraud and Security, a Reed-Elsevier publication, March 2001.
4. See footnote 3.
5. “What’s a Pound of Your Information Worth? Constructs for Collaboration and Consistency,” Perry Luzwick, American Bar Association, Standing Committee on Law and National Security, National Security Law Report, August 1999.
6. Department of Defense Dictionary of Military and Associated Terms, April 12, 2001.
CHAPTER 14
The Cyber Security Officer and Privacy, Ethical, and Liability Issues
Abstract
This chapter discusses the issues of ethics, privacy, and liability as they relate to the cyber security officer.
Keywords
Business practices; Code of ethics; Corporate ethics; Corporate values; Ethical behavior; Liability; Whistleblower
Ethics is not a policing function. It’s about creating the kind of climate in which people are encouraged to make the right decisions in the first place.1
Kent Kresa
CONTENTS
Introduction to Privacy Issues
Introduction to Ethics Issues
Codes of Ethics
Corporate Ethics, Standards of Conduct, Business Practices, and Corporate Values
Liability Issues
Questions to Consider
Summary
CHAPTER OBJECTIVE
This chapter discusses the issues of ethics, privacy, and liability as they relate to the cyber security officer.
Introduction to Privacy Issues
Much is made of the word “privacy” and the protection of privacy, privacy of an individual’s personal information, for example. However, unless you have been hiding under a rock for the last, oh, 50 years or more, you know that only lip service is given to privacy as anything other than a concept, a “nice try, now let’s move on” thing.
For example, when networks and databases are attacked and compromised, users’/customers’ names, addresses, social security numbers, credit card numbers, and the like are stolen literally by the millions.
What do we mean by privacy anyway? Well, according to the Sharp electronic dictionary, privacy is “the state or condition of being free from being observed or disturbed by other people.”
The U.S. government’s Department of Justice website states the following:
The Privacy Act of 1974, 5 U.S.C. § 552a (2006), which has been in effect since September 27, 1975, can generally be characterized as an omnibus “code of fair information practices” that attempts to regulate the collection, maintenance, use, and dissemination of personal information by federal executive branch agencies. However, the Act’s imprecise language, limited legislative history, and somewhat outdated regulatory guidelines have rendered it a difficult statute to decipher and apply. Moreover, even after more than thirty-five years of administrative and judicial analysis, numerous Privacy Act issues remain unresolved or unexplored. Adding to these interpretational difficulties is the fact that many earlier Privacy Act cases are unpublished district court decisions. A particular effort is made in this “Overview” to clarify the existing state of Privacy Act law while at the same time highlighting those controversial, unsettled areas where further litigation and case law development can be expected.
The interesting thing is that there seems to be more exceptions than not for government agencies and corporations. One just has to look at the massive collection of information being conducted 24/7 by U.S. agencies and the nation-states of pretty much the world. Of course, they cite their need to invade our privacy as being for our own good; you know, for our well-being and security. As a cyber security officer, you may be involved in this endeavor.
Corporations don’t do it in the interest of national security but in the interest of getting that competitive edge, identifying and selling to targeted potential customers. Such techniques are getting more sophisticated it seems by the day. Of course, you volunteer to give up much of your private information just to be able to make a purchase or do anything with about anyone online.
Now, although we all abhor such invasion of privacy, as a corporate or government agency cyber security officer you may be involved in such invasion of privacy as a minimum by ensuring that the information collected is properly protected. We know from the numerous attacks, for example, on Target and Sony, that some aren’t doing a very good job.
As a cyber security officer, you MUST find adequate ways to protect the information of the government agency or corporation. After all, that is what you are getting paid to do—protect the privacy of individuals and the corporation or government agency. So far, how’s that working for you?
Introduction to Ethics Issues
We hear a lot about ethics these days, when it seems everyone is out for themselves, from the executives of major corporations to a secretary in a small company office who perpetrates a fraud. One thing that makes a professional a true professional is ethical conduct. That is especially a requirement for a cyber security officer.
When you think of ethics and ethical behavior, what comes to mind? For some it means “doing the right thing.” But what is the “right” thing to do? For some, it is anything that they can get away with without violating any laws. In fact, some narrowly define being ethical as doing anything as long as it does not violate laws. However, ethics and morality go hand in hand, but what is moral? For example, communists believe that whatever furthers the advance of communism is moral and acting in a manner that does not further communism is immoral.
Remember that we talked earlier in this book about committing crimes, and committing crimes takes opportunity, motive, and rationalization. The same applies to ethical behavior. You can use opportunity, motive, and rationalization to do the “right” thing or to not do what is right.
eth·ics [éthiks] noun
1. study of morality’s effect on conduct: the study of moral standards and how they affect conduct (takes a singular verb); also called moral philosophy;
2. code of morality: a system of moral principles governing the appropriate conduct for an individual or group (takes a plural verb).
[15th century; via Old French ethiques from, ultimately, Greek ēthikē, from ēthikos “ethical” (see ethic).]2
If you find someone’s wallet, you have the opportunity to keep it. Suppose the motive is that you do not have a job and you have a family to support. You can rationalize it by saying that the money can buy much-needed food for the family, and besides, the person must be well off based on the number of gold and platinum credit cards in the wallet. Let’s say that you just found the money and there is absolutely no evidence indicating to whom it belonged. Would it then be ok to keep it? The answer in both cases is no. Why? It does not belong to you. Therefore, even if it were not against the law to keep the money, it would be still unethical. However, sometimes the process is that you turn it over to the local police and if, after a set period of time, no one claims the money, it is yours. That would be ethical because you followed the locally established processes. What about illegally copying software in violation of copyright laws? Isn’t that also unethical?
The interesting thing about ethics is that it may also depend on your culture. For example, the businessperson who gives gifts to a procurement officer in a corporation that he or she wants to do business with may be breaking the law in some countries, but such gifts are expected in others. Is it wrong to accept the gifts in those countries where that is a tradition? No. Of course, if it violated a law or company policy, it would be unethical because violating a law is in itself unethical. Add to all this the moral issues, knowing what is right and what is wrong, considering what you were taught growing up, and all this brought together and integrated in each of us with our culture, working environment, and the like. The philosophy of morals and ethics has been the subject of study and discussion for centuries. We surely will not provide the definitive answers here. However, we must understand the basics of ethics because it does have an impact on protecting corporate assets.
mor·al[máwrəl]adjective
1.involvingrightandwrong:relatingtoissuesofrightandwrongandtohowindividualsshouldbehave;
2.derivedfrompersonalconscience:basedonwhatsomebody’sconsciencesuggestsisrightorwrong,ratherthanonwhatthelawsaysshouldbedone;
3.intermsofnaturaljustice:regardedintermsofwhatisknowntoberightorjust,asopposedtowhatisofficiallyoroutwardlydeclaredtoberightorjust;amoralvictory;
4.encouraginggoodnessandrespectability:givingguidanceonhowtobehavedecentlyandhonorably;
5.goodbyacceptedstandards:goodorright,whenjudgedbythestandardsoftheaveragepersonorsocietyatlarge;
6.tellingrightfromwrong:abletodistinguishrightfromwrongandtomakedecisionsbasedonthatknowledge;
7.basedonconviction:basedonaninnerconviction,intheabsenceofphysicalproof.
noun(pluralmor·als)
1.valuablelessoninbehavior:aconclusionabouthowtobehaveorproceeddrawnfromastoryorevent;
2.finalsentenceofstorygivingadvice:ashort,preciserule,usuallywritteninaratherliterarystyleastheconclusiontoastory,usedtohelppeoplerememberthebestormostsensiblewaytobehave.
pluralnounmor·als
standardsofbehavior:principlesofrightandwrongastheygovernstandardsofgeneralorsexualbehavior.
[14thcentury;fromLatinmoralis,frommor-,stemofmos“custom,”inplural“morals”(sourceofEnglishmoraleandmorose).]3
Ethical behavior is expected of everyone who works in a corporation. Few, if any, corporations or any type of business or government agency want to be seen as doing anything unethical.
Some people believe that if it is not against the law, it is ethical. Often it seems that corporations that walk a fine line between legal and illegal behavior use a great deal of rationalization to justify their actions. However, in most circumstances, the ethical question remains: Yes, it is legal, but is it the ethical thing to do?
If you see someone in your corporation doing something that violates corporate policy, should you report that person to management? This is probably an employee's most difficult ethical dilemma. In some nation-states, it is better to not report anyone, even someone committing a serious crime, because many children were brought up not to be a "squealer," a "fink," a "snitch." In some societies, that is almost as bad, if not worse, as committing the offense that is being reported.
Because of the amount of unethical behavior within some corporations and nation-states, there are processes by which one, sometimes called a whistleblower, can receive financial rewards for identifying illegal or unethical behavior. However, as much as corporations like to say that they have an ethics program within their corporation, when an employee comes forth and reports illegal activities, it seems that, more often than not, he or she is the subject of harassment, receives no promotions, and is made to feel unwanted in the corporation. Management looks upon that person as one who could not be trusted. Ironic, isn't it? A person reports someone's unethical behavior in accordance with the corporate policy. That person, instead of being considered an honest and loyal employee, is considered to be untrustworthy. There are many examples of such conduct within the corporations of the United States and other nation-states. Suffice it to say that corporate management can tout an ethics program, but one that truly works as stated in the brochures is another matter.
Codes of Ethics
Most, if not all, professional associations have a code of ethics. They are all about the same in that one must do what is right and report what is wrong. As a cyber security professional, you must behave in a professional manner at all times and, therefore, comply with the professional code of ethics.
It is quite possible that members of associations with a code of ethics have actually never read the code of ethics, even though as a cyber security professional and member of one or more security-related associations, you are required to comply with the association's code of ethics. In fact, it can even be considered unethical not to have ever read the code of ethics for the various associations to which you as a cyber security professional belong.
What does that say about you and your professionalism? One may counter by saying that he or she always acts in an ethical manner and doesn't have to read any code of ethics. This "know-it-all" attitude is a symptom of possibly a more serious matter: the idea that one has no more to learn about an information security-related topic. That not only is impossible but will end up costing the corporation in terms of effectiveness and efficiency. How? Because the cyber security officer who is not continuously learning and applying new and better techniques does not take advantage of new (and possibly better and cheaper) ways of protecting assets.
Now is a good time to take the opportunity to read some codes of ethics from security-related professional associations. Please take the time to search online, read, understand, and apply the codes of ethics as an integral part of your job and profession.
Corporate Ethics, Standards of Conduct, Business Practices, and Corporate Values
Many corporations in many countries of the world today concern themselves with ethics, standards of conduct, business practices, and values. What does all that mean? Basically, it still means that one must know the difference between right and wrong, acceptable conduct and unacceptable conduct. In today's world, corporations are successfully sued because of the unethical conduct of their employees. Therefore, if for no other reason than loss of revenue, such matters are a serious concern of corporate management.
There are corporate policies and awareness training sessions given to employees and often special training given to management. This is because it seems that it is mostly management that is involved in unethical conduct. For example, management may direct their employees to act in an unethical manner by taking a shortcut in a manufacturing process such as a quality check to get the product out the door faster.
Cyber security professionals in corporations are often involved in following up on ethics matters that have been reported by managers or employees, either directly or through a corporate ethics hotline, for example, noncompliance with the cyber security program. The ethics hotline provides a communications medium to obtain reports of unethical behavior. It should never be used to try to identify the caller if that caller did not leave any information relative to his or her identity. In fact, to do so would be unethical in itself, and once word got out of such conduct by management, the chances of obtaining further information concerning unethical behavior would be almost zero. If that did occur, that manager seeking the identity of the caller should be the subject of an ethics inquiry. One should never dwell so much on the messenger as the message. After all, isn't that the objective of the ethics program and ethics hotline? It is amazing how many managers in corporations focus on identifying the caller instead of acting on the information the caller provided. That alone tells a great deal about the ethics of some managers.
One often hears about managers "shooting the messenger." Any manager who verbally or otherwise attacks the messenger is "not getting the message." So, what does this have to do with the ISSO and professionalism? As an employee of a corporation, you have probably been on one end or the other—or both—of such incidents. Think about it. No one likes to receive bad news, and finding out through some ethics channel that some assets were stolen, that someone was not complying with the assets protection policies, and that this person was a senior executive may cause management to "shoot the messenger."
As a cyber security professional, you have a professional responsibility not to allow the shooting of messengers. Instead, you must direct management efforts to the identified problem. If you are requested or directed to do all you can to identify the anonymous reporter of ethics violations, you should explain that such conduct is in violation of the corporate ethics policy and, therefore, the request or demand itself is unethical. Unfortunately, it may cost you your merit raise, a less than favorable performance review, and the like, but that is a price that you must be willing to pay. It is a matter of principle—your professional integrity—and that means a matter of ethical conduct.
Liability Issues
One of the consequences of not providing adequate cyber security is the successful attacks that lead to violations of privacy and ethics. These result in often massive lawsuits in which the corporation that employs you must pay out. We are talking millions of dollars.
Your job is of course on the line because, regardless of your telling management what needs to be done falling on deaf management ears, you will be held responsible. Saying "I told you so" and "I didn't have enough budget" or such will not help you. The best you can do is continually document all the "I told you so's" and requests for whatever you needed that you didn't get, for example, staff, security software, etc. It probably won't stop you from getting fired but maybe will help with a "wrongful discharge" lawsuit.
The other way to handle such issues is to convince your legal department, and then for both of you to advise management, of the need for insurance to cover such losses due to, for example, successful hacker attacks. In many cases, it is a prudent business decision.
Cyber attack risk requires $1 bn of insurance cover, companies warned4
4 ft.com, April 20, 2015.
Questions to Consider
Based on what you have read, consider the following questions and how you would reply to them:
• Does your company have ethics and privacy programs?
• Are you and your staff actively involved in the programs?
• Do you support the programs by conducting inquiries into noncompliance with the cyber security program or company ethics policies?
• Does your corporation have an ethics hotline?
• Do you discuss proper behavior with your staff?
• If not, why not?
• If so, what do you discuss and how often?
• Do you use the corporate ethics and privacy programs to support following the cyber security program?
• If so, do you try to get management to view a cyber security noncompliance issue as also an ethics or privacy issue?
• Have you discussed liability insurance with your legal staff, maybe auditors and management?
Summary
Cyber security professionals must be extremely honest people of high integrity. After all, they know the vulnerabilities of the corporate information and information systems assets as well as the protection mechanisms. That is very valuable information. Cyber security officers must conduct themselves in an ethical manner at all times. If they belong to a professional, security-related association, they must also adhere to the association's code of conduct.
Cyber security professionals must also do their best to encourage all corporate employees, led by executive management, to act in an ethical manner when doing their work at the corporation. The cyber security program will benefit through fewer information thefts, less damage, less unauthorized modification, and fewer cyber security violations and will provide for a corporate cyber security environment that is better overall.
As part of their job, they must also protect the privacy of the corporation, employees, associates, subcontractors, and of course customers. You may be personally liable if your cyber security program fails. Certainly your corporation will be.
1 Kent Kresa is Chairman of the Board and CEO of Northrop Grumman Corporation.
2 Encarta World English Dictionary, © 1999, Microsoft Corporation. All rights reserved. Developed for Microsoft by Bloomsbury Publishing Plc.
3 Encarta World English Dictionary, © 1999, Microsoft Corporation. All rights reserved. Developed for Microsoft by Bloomsbury Publishing Plc.
CHAPTER 15
A Career as a Cyber Security Officer
Abstract
The cyber security officer professionals of the twenty-first century must possess many skills that differ from those possessed by some current and past cyber security officer professionals. In this chapter, the discussion will center on what are the necessary skills that a cyber security officer and professional cyber security staff should possess to be successful, as well as how to establish and maintain a cyber security career development program.2
Keywords
Advisory services; Assessment services; Augmentation services; Cold calling potential customers; Cyber security consultant; Cyber security office; Education; Security implementation
A man must serve his time to every trade save censure—critics all are ready made.1
Lord Byron
CONTENTS
Introduction
The Cyber Security Officer's Career Development Program
Education
How to Market Yourself as a Cyber Security Officer
Interviewing for the Cyber Security Officer Position
Becoming a Cyber Security Consultant
Engagement Setup
Engagement Process
Assessment Services
Advisory Services
Security Implementation
Augmentation
Legal Issues
International Aspects
Questions
Summary
CHAPTER OBJECTIVE
The cyber security officer professionals of the twenty-first century must possess many skills that differ from those possessed by some current and past cyber security officer professionals. In this chapter, the discussion will center on what are the necessary skills that a cyber security officer and professional cyber security staff should possess to be successful, as well as how to establish and maintain a cyber security career development program.2
Introduction
Changes that have occurred over the years in the duties and responsibilities of the cyber security officer professional include a working environment that involves increasing:
• Complexity;
• Rapidity of change;
• Technology dependence;
• Technology drivenness;
• Sophistication of the workforce;
• Competitiveness in the business world;
• Instant communication;
• Information available to more people than ever before;
• Incidents of corporate fraud, waste, and abuse;
• Threats to, and vulnerabilities of, corporate information-related assets; and
• Competition for high-level cyber security positions.
Since this twenty-first century environment means more competition for cyber security positions, those who want to succeed in this career field must gain more experience and have more education than ever before—or at least more than the other cyber security professionals they are competing against.
The corporate culture, cyber security duties, responsibilities, and positions vary almost as much as the number of corporations. Many outsource much of their cyber security service and support functions, while others find it more cost-effective to use employees. No matter what type of corporation—or government agency for that matter—that you work for, the main goal is still to protect the information and information systems assets of the company (or government agency).
Corporations want to hire cyber security professionals who can do that successfully at least impact to cost and schedules.
pro·fes·sion·al [prōféshən'l, prōféshnəl, prəféshən'l] adjective
very competent: showing a high degree of skill or competence
noun (plural pro·fes·sion·als)
member of a profession: somebody whose occupation requires extensive education or specialized training
somebody very competent: somebody who shows a high degree of skill or competence3
3 Encarta® World English Dictionary © & (P) 1999 Microsoft Corporation. All rights reserved. Developed for Microsoft by Bloomsbury Publishing Plc.
If you consider yourself a cyber security professional and want to be the world's best, then you need a career development program.
The Cyber Security Officer's Career Development Program
Some questions you may want to ask yourself about a cyber security officer career are:
• What cyber security-related career do I want to get into?
• Why?
• What are the qualifications (education and experience) for the entry level and other security positions?
• What are the positions (specializations) within that profession?
• Are there any that I would like to specialize in?
• Why?
• What are the other positions within the cyber security profession that I may want to specialize in?
• Can I list them in order of priority, including their education and experience requirements?
The cyber security officer profession should be researched to obtain the answers to the above questions by:
• Interviewing various cyber security officer professionals in different types of businesses, nonprofit entities, and government agencies;
• Researching the cyber security officer profession and its various specialties through the Internet;
• Discussing the profession with representatives from the American Society for Industrial Security, High Technology Crime Investigation Association, Association of Certified Fraud Examiners, Information Systems Security Association, and various training institutes and universities that teach cyber security-related courses; and
• Reading job descriptions for cyber security officer positions in the trade journals and newspapers and through interviews with recruiters.
Based on this research, you as a cyber security professional can establish a career development plan beginning at a high level with subsections for education and experience for each position.
The future cyber security officer might also set two limits:
• Experience and education must be relevant to eventually becoming a cyber security officer.
• Time learning through education, training, and gaining experience must be scheduled so that the intermediary milestones and ultimate goal can be met.
The cyber security officer should also include the goal of supervisory and management experience as well as experience in the worlds of finance, marketing, sales, accounting, investigations, communications, technology, international travel, and human resources. The cyber security officer should set a goal of gradually gaining increased responsibility, experience, and education in security jobs that would prepare the cyber security officer for a highly paid cyber security officer position in an international corporation.
Based on the research, you may come up with the idea of a "four parallel lines" approach to career development. These are items that should be integrated into the career development plan:
• Money—How much do I want, and by when, to meet my goals?
• Position—What cyber security positions pay me the money I want to meet my goals based on my timeline of goals?
• Education—What are the education requirements for each position I want to get?
• Experience—What are the experience requirements for each position I want to get?
The cyber security officer's goal should be to be the most qualified person for each position in the cyber security officer's profession.
Also during research, the cyber security officer may find that to be the best cyber security professional requires one to have knowledge, education, and experience in areas other than cyber security, including:
• Business
• Investigations
• Technology
• Dealing with people
• Communications skills
• Management
• Writing
• Project planning
• Public speaking
• Major foreign language or languages
Education
There are two different approaches that some cyber security officers have used:
• They began with a technical education such as a degree or degrees in computer science, mathematics, or telecommunications. Because of their degree, or probably some related cyber security experience, they were chosen or volunteered to be the company's cyber security officer.
• They began with a general degree such as business, security, criminal justice, or liberal arts and eventually, somehow, found themselves in the cyber security officer position. And once in that position, they liked it and decided to stay in the cyber security officer profession.
In today's environment, a college degree with a major in computer science or telecommunications is one of the best ways to start a cyber security officer career. An alternative is to major in cyber security. As colleges and universities see the demand for such subjects, they will offer more cyber security courses and programs. As the need for cyber security grows, more universities and colleges will begin to offer majors in cyber security.
An alternative to a college or university is a technical school that offers cyber security-related specialized programs in various aspects of the computer and telecommunications functions. This training usually offers hands-on experience and may provide a faster avenue into the cyber security profession. Also, many colleges and universities offer certificates in a specialized cyber security officer-related field such as local area networks and telecommunications. These courses can also be applied to the degree program, but check the college or university to be sure. Those who choose the technical training path should still pursue a college degree that will enhance promotion opportunities in the cyber security officer profession.
Education, whether technical or academic, provides the future cyber security officer with an opportunity for more cyber security officer positions.
In today's marketplace, the need for experience coupled with advanced degrees and certifications has increased. It has increased to the point at which all your education, experience, and certifications only get you through the first resume filtering process. It is the interview that will get you the job.
What else can one do to prepare for such a position and also maintain a working knowledge of all that is associated with and needed to be a cyber security officer? These include knowledge gained through:
• Conferences and training classes;
• Networking with others in the profession;
• Using trade journals and magazines to learn more;
• Experience, which is always a good trainer;
• Certifications—knowledge gained studying for certifications; and
• Joining associations and attending their meetings, where information can be gained.
How to Market Yourself as a Cyber Security Officer
Work is a responsibility most adults assume, a burden at times, a complication, but also a challenge that, like children, requires enormous energy and that holds the potential for qualitative, as well as quantitative, rewards.
Melinda M. Marshall4
4 The Columbia World of Quotations. 1996 (http://www.bartleby.com/66/2/38002.html); Melinda M. Marshall (20th century), U.S. writer and editor. Good Enough Mothers, introduction (1993).
Sometimes a cyber security officer will have some conflicts when it comes to seeking out a new position instead of staying a "loyal company employee." There should not be any such conflict, because in today's business world, it seems that it is seldom that the corporation is loyal to the employees, so why should the employees be loyal to the corporation?
If you are happy doing what you are doing and would like to do the same thing for the rest of your life in the same company, then do it. However, one word of caution—in today's corporate world, no position seems to last forever, and it appears that today's corporations do not want their employees to stay forever. So, it is always better to be prepared by having a backup plan in the event you are notified that your services are no longer wanted.
Also remember that it is easier to find a job if you already have a job. So, the best time to find out your worth as a cyber security officer is to look for advancement opportunities or lateral opportunities for other cyber security positions while you are still employed. If nothing else, the employment interviews will keep you in practice and help you fine-tune your interview skills and your personal portfolio.
Interviewing for the Cyber Security Officer Position
Congratulations! Your resume has finally made it through the filtering process and you are being asked to appear for an interview. You will probably find that cyber security officer positions are very competitive, with talented cyber security officer professionals competing against you for each of those positions. So, you must be prepared. As with most job interviews these days, you will probably be subjected to a series of interviews consisting of members of the human resources department, information systems organization, auditors, and security personnel.
Don't be nervous, but this interview is what will put you back on the road to cyber security officer job hunting or offer you the challenges of the new cyber security officer position. So, you must be prepared!
There are many books on the market telling you how to interview for a position. They offer advice on everything from how to dress to how to answer the "mother of all interview questions"—What are your salary expectations?
It is not the purpose of this book to help you answer those common interview questions. It is assumed that you will have read those books, and that you have prepared and practiced for the upcoming interview. The purpose of this section is to show you how you may be able to separate yourself from your cyber security officer competition.
You have probably already interviewed more times than you care to admit. In all those interviews, you probably, like your peers, walked in wearing dark, conservative business attire, neatly groomed, and prepared to answer any question thrown at you. The question is, what separated you from your competitors? What was it that would make the interviewers remember you and choose you above the rest?
You probably answered most questions in the most politically correct way, for example, "What is your major weakness?" Answer: "My major weakness is that I have very little patience for those who don't live up to their commitments. When someone agrees to complete a project by a specific date, I expect that date to be met unless the project leader comes to me in advance of the deadline and explains the reason that date can't be met. I believe in a team effort, and all of us, as vital members of that team, must work together to provide the service and support needed to assist the company in meeting its goals."
Will that answer to that question be considered a weakness or strength by the interviewers? Probably a strength, but that is how the game is played.
Many interviewees have "been there and done that" but still didn't get the position. Why? Maybe because our answers "float" in the interview room air. They hang there mingling with those of the other candidates before us and will be mingling again with the candidates that come after us.
The only real, lasting evidence of the interview is what was written down by the interviewers and what impressions you, the prospective cyber security officer, left in their minds! Many of the interviewers are "screeners," human resource people who have no clue as to what cyber security is all about. They are there because we do teaming today. We operate by consensus. So, getting selected may be much more difficult.
So, you need one thing—one thing that will leave a lasting impression on the interviewers. One thing that will show them you have the talents, the applied education (that's education that you gained in college and other places and something that you can actually use in the business world!), the experience, and the game plan. You've done it! You've been successful in building a cyber security program before, and you will be successful again. You can prove that you can do it because you have your cyber security officer portfolio!
The next question that the reader may ask is, "What the heck is my cyber security officer portfolio?" You probably have seen movies in which the models show up at the model studio or movie studio and present a folder containing photographs of themselves in various poses. No, sorry—your photo will probably not help you get the cyber security officer position—but think about it. They took with them to their interview physical evidence in the form of photographs, meant to prove that he or she was the best person for the position.
What you must do is develop your own portfolio to take with you and leave with the interviewers—proof that you've been there, done that. You are the best person for the position. It's all there in the portfolio.
Your cyber security officer portfolio is something you should begin building as soon as you begin your first cyber security officer job or before. It should contain an index and identified sections that include letters of reference, letters of appreciation, copies of award certificates, project plans, metric charts you use for measuring the success of your cyber security programs, and, probably most important, your cyber security philosophy and cyber security plan outline that you will implement as soon as you are hired.
The cyber security plan is probably the most important document in your portfolio and should be the first page after your index. All the other documents are just proof that what you plan to do, you've done before.
In the case of someone who has never been a cyber security officer, the prospective cyber security officer can build his or her cyber security plan and cyber security portfolio from the information provided in this book. Build it for an imaginary corporation.
The next question that may arise is, "If I never worked there, how do I know what I should do if I get hired?" Again, go back to doing some research. Remember that if you really want this job, you have to work at least as hard to get it as you will once you do get it.
Your first stop should be the Internet. Find out about the company. Some information that you should know is:
• When was it started?
• What are its products?
• How is the company stock doing?
• Where are their offices located, etc.?
You should also stop by the company and pick up an application, any company brochures available, their benefits pamphlets, etc.
You should study the information, complete the application, and place it in your portfolio. After all, if they decide to hire you, you'd have to fill one out anyway. You should go into the interview knowing as much if not more about the company as the people interviewing you. This is invaluable, especially if you are interviewing for a senior-level position. These interviews will undoubtedly include members of the executive management. Your ability to talk about their company in business terms with an understanding of the company will undoubtedly impress them and indicate that you are business-oriented.
All your answers to the interviewers' questions should be directed to something in your portfolio. For example, if they ask you how you would deal with downsizing in your department and what impact that would have on your ability to adequately protect the company's information and its related systems, how would you answer?
You should be able to direct them to a process chart, a metric, something that indicates that you have done it before, or that you have a business-oriented approach to dealing with the issue.
If you have not done it before, write down how you could, and would, perform these functions, assess the cyber security program, etc.
The portfolio can work for any new cyber security officer in any company. The following is a sample portfolio outline, which can be used as a guide by a new or experienced cyber security officer. In this case, it is the cyber security officer applying for the cyber security officer position. It's up to you to fill in the details. Many of the ideas of what to put in your cyber security portfolio will be found in this book.
You will note that the prospective cyber security officer applying for the corporate position has done the research necessary to tailor a cyber security program for the corporation. The beauty of building this type of portfolio is that it seems specific, and yet it's generic.
The cyber security officer should also practice interviewing skills. The resume or personal contacts may get you the interview, but the interview will get you the job. Before any interviews, and during the interview, you must do the following:
•Learnallyoucanaboutthepotentialemployer;
•Readandlearnfrombooks,magazines,andthelikeaboutinterviewsandproperclothingtowear;
•Prepareanswerstotypicalquestionsthatwillbeasked,andpracticeansweringthemwithoutseemingasthoughtheanswerswererehearsed;
•Developandmaintainanupdatedworkportfolio;
•Duringtheinterviewalwaysreferto“we”or“us”insteadof“I”and“you”asmuchaspossible,soitseemsasifyoualreadyhavethejobandarejustbriefingfellowemployees;and
•Referinterviewerstoyourportfolioinansweringtheirquestions.
Thefollowingisafictionalscenarioofoneindividual’scybersecurityjobhunt:
Thecybersecurityofficerestablishedacareerdevelopmentplanasaformalprojectplanwithanobjective,goals,milestones,andtasks.Theprojectplanhelpedthecybersecurityofficerfocusoncareerprogression,andalsothatfocusmadeiteasiernottogetsidetrackedandwastetimeonmattersthatdidnotlendthemselvestomeetingtheprojectplanmilestones.Thecybersecurityofficercontinuallyupdatedtheplan.Attheendofeachcalendaryear,thecybersecurityofficerwouldanalyzetheprogressinmeetingtheplangoalsandobjective.Regardlessofwhethertheplanprogressedaheadofscheduleorbehindschedule,thereasonsforthechangewerenotedandlessonslearned.Thentheupdatedplanwouldbeusedforthenextyear.
Overtheyears,thecybersecurityofficerdevelopedaportfolio.Intheportfolio,thecybersecurityofficermaintainedaplanthatwouldbecontinuallyupdatedandusedduringallinterviews,withextracopiesavailablefortheinterviewers,andthecybersecurityofficersuccessfullyuseditforthecorporation.
Whenotherswentthroughtheinterviewprocessansweringtheinterviewers’questions,theirresponseswerelostintheairlikesmoke;however,thiscybersecurityofficer’sthoughts,experience,education,planforacybersecurityprogram,andotherinformationrelevanttomeetingthecorporation’sneedsweredownonpaperandcouldbereferredtobytheinterviewers.
Thisportfolioalsoindicatedapersonwhowasorganizedandcameinwithanactionplan.Furthermore,sincethiscybersecurityofficerresearchedthecorporationpriortobeinginterviewed,thecybersecurityofficerwasintimatelyfamiliarwiththecorporationandevenofferedsomeinformationaboutthecorporationthatwasnewtosomeoftheinterviewers.
BecomingaCyberSecurityConsultantIfyouwishtosucceed,consultthreeoldpeople.
ChineseProverb
Tobeinanytypeofprofessionworkingforoneselftakesaspecialtypeofpersonalitytosucceed.Afterall,thereisnoonetocontinuetopayyouwhenyouareonvacation,nobenefitsthatyoudon’thavetopayfor,andifyoudecidetojusthangaroundtheofficeandnotwork,youwon’tgetpaidforthat,either.Thereisnosafetynet,nopaidtimeoffwhensick.Nowork—nopay.Fortheindependentconsultant,theoldsaying“timeismoney”iscertainlytrue.Inaddition,thereisaconstantneedtomaintaincontacts(potentialcustomers)andkeepupwithhightechnology,andofcoursethereisthealmostconstanttravel.
Somecybersecurityofficersandmanagersmayhavetheconnectionsandbelievethattheyarewellthoughtofascybersecurityprofessionals,calledupontolectureatconferences,assistclientswiththeircybersecurityneeds,andthelike.However,thosethatdosoasamemberofalargefirm,suchasalargeaccounting–consultingfirm,believethatitistheywhoaretheonesthatdrawclientstothemforhelp,wheninfactitisusually
notthatatall.Itisusuallythelargecorporatenamethatbringstheseclientstothecybersecurityperson.
Somecybersecuritymanagersandtechniciansdon’trealizethisfact.Thenwhentheydecidetogooutontheirownascybersecurityconsultants,theyfindthatwhattheythoughtwasagreatclientbaseonwhichtobuildtheirbusinesstradeturnsouttobetheclientbaseoftheirformeremployer,andtheyaren’tswitchingtoyourfirm.Furthermore,therearelegalandethicalmattersrelatingto“stealing”clientsawayfromaformeremployer.Whentheshockofthisfacthitsthem,theyfindthemselvesscramblingforclients.
Someadviceforthosewhomaybereadytotakethecybersecurityconsultingplunge:Besurethatyouobjectivelyinventoryyourskillsandpotentialclientbase,andalsohaveatleasttwoyearsofyourcurrentsalary(includingfundsforequivalentbenefits)safelyinthebank.Thatemergencyfundwillprovideayearormoreofincomeasyougrowyourbusiness.Ifnothingelse,itwillprovideagoodemergencyfundforsomeleantimesorforthetimeswhenyouwillwanttotakeabreakforaweekortwoandgoonvacation.Afterall,youhavetopayforyourowndaysoffnow.Oh,anddon’tforgetinsurancessuchas“errorsandomissions,”alsoknownasprofessionalliabilityinsurance,generalliability,andworker’scompensation.
Someclientsrequireproofofsomeorallofthesepoliciesbeforeyousetfootinthedoor.Withallthatsaid,ifyouhavetheeducation,experience,businesssense,andpersonalitytohandlebeingoutonyourown,itdoesofferitsownrewards.
Theserewardsincludesettingyourownscheduleandhours,beingyourownboss,vacationingwheneveryoulike,doingityourway—butwaitaminute,that’snotcompletelytrue.
Yourhourswillbesetbyyourworkloadandyourclients.Youwillbeabletodotheworkprettymuchyourway,butdoingonlytheworkthatmeetstheclients’needs.Andvacationscanbecutshortbyanurgentclientneed.Youreallycan’taffordtopostponeanurgentclientrequest,asyourisklosingtheclienttoacompetitor.Paymentsfromclientsmaybeslowincomingandtheymaybeshockedbytheirbillforservicesrendered,causingyoutonegotiateorgetyourlawyertonegotiateforyou.Thatmeansadditionalcostsifyoucan’tgetyourlawyer’scostsportedovertotheclients.However,onethingiscertain:Whensuchissuesarise,youmayeventuallygetyourmoney,butyouwillprobablyneverdobusinesswiththatclientagain.Howmanyclientscanyouaffordtolose?
Beingacybersecurityconsultantlooksgreatonpaperanditmaydoyouregogood,butafterawhiletherealworldtakesover.It’satoughlifeandnotforthefaintatheart.So,beforeyouthinkaboutit,besureyouhaveagoodbusinessplanandonethatisdoneobjectively.Also,besureyoucansupportyourselfandyourfamilywithoutworkforextendedperiodsoftime.Yes,itsoundsgreat,butmaybethatsalary,thoseworkingconditions,andthatbossweren’tallthatbad?
However, you have successfully worked your career plan and have developed the education and experience over the years that have given you the confidence to think about going out on your own as a cybersecurity consultant. You have had articles published in magazines, have lectured internationally, and have developed a reputation as a professional cybersecurity officer. So, you think you are about ready for this career move. If so, you need a plan.
If you decide to become an independent cybersecurity consultant, the first thing you should do is develop a business plan—before you resign from your current job. Developing the plan may ultimately make you decide that you don't want to or can't make it as an independent cybersecurity consultant. There are many sample business plans available in books and as software programs that can help you get started.
Regardless of how you proceed to develop your cybersecurity consulting business plan, you must be objective. If you are to assume anything, assume the worst. That way, you will be prepared for the worst-case scenario and will be able to successfully deal with it. Your plan should be looked at as a project plan and, as a minimum, should address the following:
• Your business goals and objectives;
• Why you want to start this business;
• Your education and experience skills and whether they will fit your consulting business—be realistic;
• How much money you will need to begin;
• How much money you have;
• How you will get the money you don't have but need;
• How you will financially survive when business is slow;
• If you have a family or significant other, whether they will support you;
• If not, whether you might have to decide your relationship–business priorities;
• Whether you are willing to travel the majority of your time—after all, you must go to clients and not them to you;
• What steps you will take to begin the business and the cost for each line item or task;
• Whether you will incorporate your business;
• Whether you know the marketplace—your competitors;
• Whether you offer better services at lower prices;
• Your competitors' strengths and weaknesses;
• Your strengths and weaknesses;
• A complete competitive analysis;
• A complete market scope;
• Whether you should have a logo and business motto, and if so, what they will be and why;
• Whether you should get a lawyer to assist you;
• Whether you will have copyrighted material, trademarks, and/or trade secrets and, if so, how you will handle those processes;
• Whether you have standard invoices, proposals, confidentiality agreements, contracts, and billing and general business processes and forms in place and ready for use;
• Whether you have trusted cybersecurity specialists available to support your contracts as subcontractors (after all, you can't be experienced in everything);
• How you will obtain business;
• How much you will charge for what work; and
• Whether you are aware of the laws and regulations that affect you doing business.
These are but a few of the many questions that you should answer before making the plunge into the cybersecurity consulting services business. Remember also the guiding principles that you should employ:
• Confidentiality;
• Objectivity;
• Professionalism;
• Respect;
• Integrity;
• Honesty;
• Quality;
• Efficiency; and
• Client focus ("we").
Once you have your business plan in place and have decided to become an independent cybersecurity consultant, your plan should provide you with a step-by-step approach to getting started.5 Let's break down the cybersecurity consulting business into sections:
• Engagement setup
• Engagement process
• Assessment services
• Advisory services
• Security implementation
• Augmentation
• Legal issues
• International aspects
Engagement Setup
To begin, you need an "entry into the business" strategy. You must have established and continue to refine your information network (trusted contacts within your business arena who can tell you what is going on where, etc.). You must also use other sources to find your potential customers—or clients, as some like to call them. Such other sources include referrals and marketing through brochures, pamphlets, lectures, books, articles, and your business website. It also includes "cold calling" potential customers and explaining to them what services you offer.
Once you have made contact with a potential client, you must clearly and precisely communicate your services; you must "find their pain" and explain how you can help solve their problems. Try to make this a question-and-answer session in which a dialog takes place. You should also use the opportunity to explain your experience by citing examples of your past services to clients, without providing specific names, of course.
Assuming the meeting went well and they ask you for a proposal, you should provide one in the most expeditious manner possible and be sure that you understand: Each client requires a different approach depending on the size of the client—small, medium, or large organization—as the scale, tactics, and strategy will vary with each. In the proposal you should be precise; include a project schedule with logistics requirements, roles, and responsibilities (for both you and your client); and address liability issues. Other matters to consider are:
• Understand who you are dealing with and be sure to get to the right level of authority to make decisions that affect your work;
• Identify their needs as specifically as possible;
• Understand their budget (size and cycle);
• Get the "big picture";
• Be sure you have a clear understanding of their expectations and your deliverables, before leaving the potential client;
• Determine any time factors that they want to consider; and
• If needed, exchange encryption keys so correspondence can be done in private.
As part of your engagement setup, you should have a specific written proposal prepared, as well as one in the standard format you have developed. Both should be on your notebook computer so that they can be modified immediately to fit the situation. If you believe your specific written proposal is just right for your potential client, be sure to have several hard copies available to present to the potential client. The proposal, as a minimum, should include:
• Proposal structure,
• Work to be performed,
• Project schedule,
• Timing and fees,
• Roles and responsibilities,
• Assumptions and caveats,
• Legal issues.
Engagement Process
Once you begin, remember to document everything to include:
• Time and dates,
• Whom you spoke to,
• What was said,
• Any action items resulting from the conversations,
• Tasks you completed and their time and date,
• Notable events that occurred, and
• All other matters that can be used to support your activities, position, time spent, and the like.
More than one consultant has found that they performed work based on conversations with a client's employee and then found that the client balked in making payments for that work, since they considered it unauthorized—the person had no authority to direct a consultant to perform that function. It is imperative that you and the client both have a clear understanding of what is agreed to, when it will be accomplished, proof that it was accomplished, and the fees relative to completing the work.
Notes help when discussing the work performed and especially in dealing with the billing process. An excellent technique to use during the engagement management process is to monitor the progress of the engagement on a daily basis. Constantly communicate with the client the progress (or lack of it) and delineate why there are delays. If there are delays due to a fault on the part of the client, inform the client of the impact to the engagement and give choices such as:
• Ask for additional funding,
• Abbreviate certain tasks, or
• Eliminate certain tasks.
This technique helps avoid unpleasant surprises and misunderstandings. It's a "we" mentality. You approach your counterpart project manager and say "Joe, we've got a problem. The project is behind because of this, this, and this. How do you think we can fix this?" If the project is screwed up, Joe has just as much to lose politically as you do monetarily. If there is a debate as to why things aren't going well, the events are fresh in everyone's minds and it's easy to sort out and correct or compensate. A common mistake is to wait until near the end of the engagement when things are way behind schedule and inform the client, thinking that somehow everything might work out.
This will end up, in a best-case scenario, souring the client relationship and, worst case, in court arguing over who did what when.
If there are delays due to your own performance or lack of planning, work extra hours and accept the loss. Do whatever you have to do to meet the objectives of the proposal, and don't complain about it. Make careful notes as to why you miscalculated or undermanaged the engagement, and use that knowledge when writing your next proposal.
Assessment Services
You may want to break your services into various groups. One group may be "assessment services." This should have been decided as part of your business plan. These services include such things as penetration testing and security tests and evaluations of software and systems and it may include supporting documentation analyses. Also included may be technical security countermeasures, audits, and risk assessments.
Advisory Services
Advisory services, also previously considered as part of your business plan, include the following:
• Technical design review;
• Policies, procedures, and guidelines;
• Security change management;
• Systems and network security; and
• Security architecture.
Security Implementation
The services to be considered, based on your expertise, of course, include ensuring that products to be installed on systems don't make the systems and networks more vulnerable and any security software meets the needs of the business and operates as advertised. Again, be sure to document everything.
Augmentation
Augmentation services may include such things as termination surveillance and assisting in client investigations of employees, such as computer forensic services. You may also be requested to respond to incidents. If so, this should be addressed in your contract and also the billing for such responses—which often seem to happen after midnight.
Legal Issues
Legal issues may arise as to your authority in conducting or assisting in high technology crime investigations, as well as issues related to your contract. It is imperative, to avoid legal problems later, that all matters be clearly and concisely stated in the contract. The worst thing you would want is conflicts in contract interpretations, delayed payments, or refusal to pay what you billed the client, not to mention the problem of your reputation, which will follow you (good and bad) from client to client.
Above all, never begin an engagement without a signed contract. Make certain that the person signing it has the legal right to do so for the organization (usually an officer or director).
International Aspects
More and more cybersecurity consultants are working all over the world and with foreign clients. In dealing with such clients, it is important to:
• Avoid slang and colloquial terms,
• Learn as much of the foreign language and culture as possible,
• Make positive comments on the food and architecture,
• Use local hand gestures and volume of speech,
• Understand the foreign governments where you will be working,
• Understand the latest terrorist threats in the region,
• Explain cybersecurity terms in local context,
• Don't complain about their country or culture or brag about yours, and
• Avoid political discussions or, if you are dragged into a conversation, remain neutral.
Questions
• Do you have a career development plan?
• Do you keep it current?
• Do you document all your experiences and education?
• Do you keep your resume current?
• Do you have your interview techniques down so your answers seem natural?
• Do you keep a general list of questions to ask during the interview so that you come across as interested in that job and that corporation?
• Do you have a plan to continue to keep up with changes in your profession?
• Do you want to eventually be a consultant?
• If so, are you preparing for that time?
• Do you have a business plan?
• Are you prepared for "feast or famine" times?
• Do you have what it takes to be a consultant?
Summary
Having and keeping current a career development plan, keeping up with changes in the profession, and always being prepared for that next job so that you can compete at the highest possible level take planning and hard work. However, if done right, it is worth the effort as it can lead to your success.
1 Encarta Book of Quotations, © & (P) 1999, Microsoft Corporation. All rights reserved. Developed for Microsoft by Bloomsbury Publishing Plc.; Lord Byron (1788–1824), English poet. "English Bards and Scotch Reviewers" (1809).
2 Some of the information noted in this chapter was excerpted from another Butterworth–Heinemann book, The Manager's Handbook for Corporate Security: How to Develop and Manage a Successful Assets Protection Program, published in 2003, and coauthored by Gerald L. Kovacich and Edward P. Halibozek.
5 Some of the information provided in this chapter was provided by Steve Lutz, President, WaySecure, a very successful international security consultant and cybersecurity specialist for decades.
CHAPTER 16
A Look at the Possible Future
Abstract
In this final chapter,1 we look to the future and some of its possibilities as they relate to our global, more interconnected than ever society; governments, businesses, groups, and individuals' actions and reactions; technology; and the impact that all these topics have on cybersecurity.
Keywords
Advanced persistent threat (APT); Global trends; Globalization; Internet; Leadership; Offensive–defensive cyber attacks; Pervasive insecurity; Security—defensive approach
CONTENTS
Surviving into the Future
New Old Approach to Security—Defensive Approach
The Changing Environment
The Need for Enlightened and Dedicated Leadership
Global Trends
Impact of Globalization
New Challenges to Governance
Pervasive Insecurity
Transmuting International Terrorism
Policy Implications
Offensive–Defensive Cyber Attacks
The Future of the Internet
Questions
Summary
If you consciously try to thwart opponents, you are already late. Miyamoto Musashi, Japanese philosopher and samurai (1645).
The future is disorder. A door like this has cracked open five or six times since we got up on our hind legs. It is the best possible time to be alive, when almost everything you thought you knew is wrong.
Tom Stoppard, Arcadia
In this final chapter,1 we look to the future and some of its possibilities as they relate to our global, more interconnected than ever society; governments, businesses, groups, and individuals' actions and reactions; technology; and the impact that all these topics have on cybersecurity.
When the first edition of this book was published in 1998, we discussed the future based on the impact of topics like those identified above. Much of what is required for cybersecurity and its program is based on proven cybersecurity techniques that have been around for decades, albeit under various names such as computer security, network security, and information systems security.
Although you will find much of the following redundant with this book's first two editions, it is not being repeated because we are too lazy to start anew. It is because the same issues and same basic methods to solve them have not changed any more than the threats that the future holds. So, let's take out our crystal ball and see what the future continues to hold for all of us.
Unfortunately, even the basics of computer security standards that have been around for decades have often not been met. In fact, even U.S. federal government computer security standards, required to be followed by government agencies, often are not followed.
U.S. Secret Service refused to provide data on its computer security systems to the Department of Homeland Security … preventing it from being able to verify if it was complying with security policies, … The service … "refused to comply with mandated computer security policies," according to the report by the DHS inspector general.2
2 http://news.yahoo.com/secret-needs-beef-security-report-193616952.html.
Will this change in the future? Maybe, but probably not, if history is any indication; and if so, probably not to the extent needed.
In the business world, the same applies under the guise that it is not cost-effective. However, now and into the future, as lack of security influences the bottom line, we hope that that will change.
One of the problems is that we base our security requirements, including cybersecurity requirements, on "risk," and business is fundamentally based on risk taking. When you base your security requirements on the concept of managing risk, you are accepting that you are only buying time and that, at some point, an incident will happen.
However, as constant successful attacks show, the costs to patch systems, to pay out money in lawsuits, and of the adverse public relations issues that follow and the losses in stock values as they plummet based on all that are higher than to "do it right the first time" and continuously update and improve over time. Corporate management just doesn't get it, maybe never will. Governments, groups, and individuals have declared war. Will that increase or decrease in the future? All indications point to an increase.
Although not officially confirmed, at least one major business was successfully attacked because the default passwords that came with the software were never changed. That was identified as an issue at least as far back as the 1980s, if not before. That first hacker attack based on that vulnerability can be traced to at least the first 300-baud external modem based on a hacker software program using the BASIC programming language. For those of you who don't know what we are talking about because you weren't even born at that time, it proves my point.
Why won't these leaders in businesses, industries, and governments change? Some of the "blame" rests in democratic nations where people enjoy at least some semblance of freedom, and being told what to do and how to do it is something that they don't like and try to avoid. Security and law enforcement people, and auditors, are always telling people what to do and what not to do. In the future, a way must be found to make them willing to do it or make security totally invisible to them, so that not even a password or biometric access control will be needed, unless error-free, and the user does not have to take any action. An "avatar" that is secure, maybe? Not an easy task.
Surviving into the Future
Senior corporate and government leadership support continues to be missing and is necessary to develop the appropriate planning, guidance, strategy, skilled workforce, plant, and equipment. Corporations and nation-states need to boldly accept the new reality lest they wish to lose and not be able to reattain the competitive edge. Bureaucracy has no place in a cybersecurity-protected environment with nanosecond attack weapons requiring nanosecond responses. As the past and present have shown, they have not changed, and personally I do not hold out much hope for that to change in the future.
Senior leadership is essential for security to be meaningful to the bottom line or national security of nation-states. Corporate espionage will continue to be as big a threat as government espionage—maybe more so. Netspionage3 has become a valuable tactic in support of a corporation or government agency's overall espionage and competitive business strategy.
Information warfare attacks against global corporations have dramatically increased since that topic and term was coined more than a decade ago. Let's face it, we certainly are in a global information war whose agents are all those who attack our systems and networks for fun, profit, and power.
They have grown in sophistication and are expected to do so, from governments to individuals around the world. Sadly, it has also never been easier. Financial losses due to attacks have been caused by successful security breaches, from financial fraud and theft of proprietary information to identity theft to sabotage and blackmail. A new term has come into usage over the past few years—"advanced persistent threat," or APT for short. APT is used to describe an ongoing set of stealthy computer hacking attacks, often targeting a specific business sector, organization, or system.
The motivation for an APT can be for business or political gain. As the name implies, APT consists of three elements: the attack is of an advanced type, it is persistent, and it poses a threat. The term was first used to describe an ongoing series of attacks that originated in China, but is now more widely used. What is clear is that we can expect these types of attack not only to continue, but also to increase. Why wouldn't they? We aren't very good at detecting and responding to them, and as long as the benefits outweigh the cost, it is worthwhile for the nation-state or group that is doing them. There have not been any repercussions.
Attacks from a nation-state go on as we trade with them. There are no penalties for attacking our networks. So adversaries, and that includes general hackers, attack with impunity.
There is no silver bullet, no one-time expenditure of money to "fix the problem," and no means to put the genie back in the bottle. Enlightened and dedicated leadership willing to stay the course is necessary to guide governments and businesses into the future.
New Old Approach to Security—Defensive Approach
The approach that responsible governments, businesses, and other entities must take in the future to ensure that we have the correct environment to endure is to at least get the basic security processes in place!
This will require a significant change in the attitude and approach that are taken at all levels of governance and management. We have been saying this since the 1980s and we say it here once again in 2016. We must get on a war footing. Good grief!
What will be required in order for the structures that we understand to survive is a large-scale adjustment in the attitudes taken on the whole subject. The truth of what we have said in the past, "… the threats are real; and the adversaries are serious about it," must be realized. To a certain extent, that realization takes place generally only after a massive, successful attack. However, after it is over, and everyone has calmed down and begun to forget it, management goes back to business as usual and so do government agencies. We do not seem to be able to learn from either our own past or that of other organizations and seem to be doomed to continue to repeat it.
There has been fear (and still is) that a "pearlharbor.com," as Winn Schwartau puts it, is coming. We have already seen it in the physical world. Can the virtual world's Pearl Harbor be far behind? Mini ones are taking place globally and daily. However, as those of us in the profession have said this for so long, it is like the boy crying wolf, or like the Year 2000 "world will end as we know it" owing to the millennium bug crash that never happened; we must in the future choose our words more carefully and present the probable risks in a more objective way.
The Changing Environment
To the present day, we have a history of understanding the issues that are related to attacks and cybersecurity that are imposed by physical, procedural, or personnel means. We also now understand the attacks' offensive and defensive worlds better than ever before and we hope we will get better at understanding the issues coming in the future, but understanding the issues and doing something about them are two different things.
The Need for Enlightened and Dedicated Leadership
If an environment in which organizations can feel safe from successful attacks is to be achieved, there need to be significant changes in the attitudes of both government and management at all levels of organization.
An infrastructure, at an international level, for collaboration between governments and law enforcement agencies already exists, but until ALL countries sign up to this and allocate sufficient resources to make it effective, there will continue to be issues.
There are currently countries that provide "safe harbor" to both organized criminals and terrorists that are using the Internet to carry out cyber attacks. Allegedly China is doing that relative to North Korea's information warriors operating in facilities on the Chinese mainland. There are also other countries that are, themselves, conducting cyber attack operations. While this continues, our defenses need to be improved to meet every possibility.
Perhaps one of the measures that can be put in place will be forums in which incidents can be reported in a suitable manner by individuals, companies, and governments and where best advice can be gained—without worrying about the political and power-play games.
While these exist in some countries and communities, they must be ubiquitous and easy to access. If attacks are taking place at nanosecond speeds over structures that do not recognize national borders, then any impediment that the current structures and organizations impose will encourage the perpetrator.
In government, in most of the democratic nations, an individual who will champion the cause of creating the correct environment for the protection of information systems is a conundrum. It would require a political nominee who is willing to put the cause that he or she is supporting not only above his or her own ambitions (cybersecurity is not an area that has a track record of producing new party or national leaders) but also above party loyalty. He or she would need to have seniority within his or her own party, cross-party support, and tenure in the post for a period of more than one term of office to have any significant effect.
Will that happen? I doubt it. When something happens, they will hold public hearings, look for scapegoats, get their faces on the news, pontificate from on high, but afterward go back to their old ways. If they want to find those partially responsible they have but to look in the mirror.
Global Trends4
It is imperative that when looking at cybersecurity, cyber attacks, and the like, one should begin by understanding the global trends because that is the environment that will dictate much of the offensive and defensive environments and tactics and help one understand the reason for such attacks, as well as helping to understand the defensive needs and solutions.
Every four years the U.S. National Intelligence Council (NIC) publishes an update of its "Global Trends" series that identifies key drivers and developments likely to shape world events a couple of decades into the future.
In the "Report of the National Intelligence Council's 2020 Project," the NIC included an executive summary, some of which is quoted below:
… At no time since the formation of the Western Alliance system in 1949 have the shape and nature of the international alignments been in such a state of flux … The role of the United States will be an important variable in how the world is shaped, influencing the path that states and nonstate actors choose to choose …
New Global Players: The likely emergence of China and India as well as others, as new major global players—similar to the advent of a united Germany in the 19th Century and a powerful United States in the early 20th Century—will transform the geopolitical landscape, with impacts potentially as dramatic as those in the previous two centuries … how we mentally map the world in 2020 …
New global players are not really that new; however, they have increased in power and impact on the world stage. Such shifts and changes are causing the status quo to fade away. Thus, there will be more nation fighting and with that the use of cyber tactics to assist nations in gaining dominance.
Impact of Globalization
… Globalization as an overreaching "mega-trend", a force so ubiquitous that it will substantially shape all other major trends in the world of 2020 … the world economy is likely to continue to grow impressively: by 2020, it is projected to be about 80% larger than it was in 2000, and average per capita income will be roughly 50% higher … Yet the benefits of globalization won't be global … The greatest benefits of globalization will accrue to countries and groups that can access and adopt new technologies … China and India are well positioned to become technology leaders, and even the poorest countries will be able to leverage prolific, cheap technologies to fuel—although at a slower rate—their own development …
… More firms will become global, and those operating in a global arena will be more diverse, both in size and origin, more Asian and less Western in orientation. Such corporations, encompassing the current, large multinationals, will be increasingly outside the control of any one state and will be key agents of change in dispersing technology widely, further integrating the world economy, and promoting economic progress in the developing world … Thus sharper demand driven competition for resources, perhaps accompanied by a major disruption of oil supplies, is among the key uncertainties.5
Today's economic wars have included offensive operations and these are expected to increase in volume and sophistication as the demand for economic power is supported and made more vulnerable by the world's dependency on technology.
New Challenges to Governance
The nation-state will continue to be the dominant unit of the global order, but economic globalization and the dispersion of technologies, especially information technologies, will place enormous new strains on governments … political Islam will have a significant global impact leading to 2020, rallying disparate ethnic and national groups and perhaps even creating an authority that transcends national boundaries … The so-called "third wave" of democratization may be partially reversed by 2020—particularly among the states of the former Soviet Union and in Southeast Asia, some of which never really embraced democracy …
… With the international system itself undergoing profound flux, some of the institutions charged with managing global problems may be overwhelmed by them …6
Technology can free us or help enslave us. We are even so much closer to George Orwell's predictions in his book, 1984. It all depends who has dominant power over it in each nation, business, or group, including religious groups. One has to just look at the latest efforts by the NSA, CIA, and their counterparts in Russia, China, Iran, and the like to see that we citizens of the world are in danger of losing more of our freedoms, but maybe even our humanity. Of course, many agencies cite doing this in the name of security for us all. Many also would give up more freedom for security, but when is it enough?
Like the Asian view of the world and life in Yin–Yang terms, we should look at our security versus our freedom in a similar fashion.
When do we know when we are giving up too much of our freedom and how do we get it back, or will it already be too late?
Since the first edition of this book was written, there has been a dramatic increase in terrorism. Terrorists' offensive use of cyber war tactics, techniques, and cyber weapons has drastically increased and it is expected to do so into the future. Terrorists still prefer the propaganda effect of barbaric acts such as bombing, kidnappings, beheadings, and the like; however, they are ever increasingly relying on cyber weapons to exploit the vulnerabilities of their enemies—which are basically most of us.
In the past they have had to rely on the news media of the nations involved to propagate their messages, whereas now they have the means to get their messages to anyone who is willing to listen. Blogs and social media are great propaganda tools for spewing their hatred and are also great recruiting tools, as we have seen with "lone-wolf attacks." Physical attacks, yes, but recruited online.
Pervasive Insecurity
Even as most of the world gets richer, globalization will profoundly shake up the status quo—generating enormous economic, cultural, and consequently political convulsions … The transition will not be painless and will hit the middle classes of the developed world in particular … Weak governments, lagging economy and extremism, and youth bulges will align to create a perfect storm for internal conflict in certain regions …
… The likelihood of great power conflict escalating into total war in the next 15 years is lower than at any time in the past century, unlike during previous centuries when local conflicts sparked world wars … Countries without nuclear weapons—especially in the Middle East and Northeast Asia—might decide to seek them as it becomes clear that their neighbors and regional rivals are doing so …7
We must also remember the power that individuals now have to exploit those that they feel are against them, whether they be governments, businesses, groups, or other individuals, for example, even school bullying causing some to commit suicide—and on a global war front. The worse the economy gets, the more hostile and dissatisfied a nation's citizens become. So, we may not have a global World War III, but certainly we are having thousands of global cyber attack skirmishes 24/7 and this, too, is certain to increase into the future.
Transmuting International Terrorism
The key factors that spawned international terrorism that has no signs of abating over the next 15 years … We expect that by 2020 al-Qa'ida will be superseded by similarly inspired Islamic extremist groups … Our greatest concern is that terrorists might acquire biological agents or, less likely, a nuclear device, either of which could cause mass casualties …8
This has already taken place with the advent of ISIS, and surely more groups will follow and even look at other terrorist groups as their enemies as they all continue vying for global domination. Surely their use of cyber attacks will not be limited to only nonterrorist groups.
Policy Implications
… Although the challenges ahead will be daunting, the United States will retain enormous advantage, playing a pivotal role across the broad range of issues—economic, technological, political and military—that no other state will match by 2020 … While no single country looks within striking distance of rivaling US military power by 2020, more countries will be in a position to make the United States pay a heavy price for any military action they oppose. The possession of chemical, biological, and/or nuclear weapons … also increase the potential cost of any military action by the US …
… A counterterrorism strategy that approaches the problem on multiple fronts offers the greatest chance of containing—and ultimately reducing—the terrorist threat …
Over the next 15 years the increasing centrality of ethical issues, old and new, have the potential to divide worldwide publics and challenge US leadership …9
While governments around the world continue to think in terms of twentieth century weapons in this twenty-first century world, we must remember how vulnerable our technology-dependent governments and businesses are to successful cyber attacks. The more "advanced" a nation is and the greater its dependency on technology, the greater the exposure to cyber attacks.
It is a sad commentary, but chances are the use of cyber-offensive operations will continue to increase and the lack of viable defensive operations will allow more and more attacks to be successful, causing greater scales of damage as these cyber weapons continue to increase in sophistication while defensive tools continue to lag behind.
Offensive–Defensive Cyber Attacks
When will we get to the point at which a person, group, business, or government is going to say: "I'm mad as hell and I'm not going to take it anymore!" We are fast approaching that time, if not already past it.
If an entity is attacked, it is about time that the victims, in self-defense, go after those attacking them and not rely on someone else to protect them. Obviously, agencies such as the FBI and local police investigators come in after the attacks, run their investigations, and may even identify the adversary. Then what? No jurisdiction, so no prosecution. So, basically, maybe time for a little "Wild West" independent action?
What we need in the future is a covert "mirror-image" software program that will not only deflect the attack but have that program turn on itself and bounce back to attack the attacker.
Yes, some government agencies are beginning to take covert, offensive–defensive actions. However, more is needed at all levels of victimization. The "reap what ye have sown," "eye for an eye," old-style philosophy and justice maybe need to come back in vogue?
Some will criticize "vigilante" justice, warning that we can't be like them; chaos will reign. The ones saying that are primarily those in law enforcement who fear that dependency on them will wane, politicians who fear losing power, and those who have no "skin in the game," among others.
The Future of the Internet
Because of the power and influence of the Internet, some nations want to control it, others want to have the United Nations be responsible for its management. Governments don't like something they cannot control to their benefit. The day the Internet falls into political hands to control it, our freedom on the Internet as we now enjoy it, we as users, is doomed. I would hope that, as users, we will not allow that to happen.
That being said, some are optimistic that new technology will allow global users to reconnect on a global scale using another form of technology as it supersedes the "old-fashioned" Internet. In fact, global users may even be able to establish their own mini-Internets and connect to other mini-Internets through advanced communications, even embedded microprocessor technology as a form of cyber-telepathy. They become their own Internet service providers. One can only hope.
Questions
• Are you preparing now for the future of cyber security, information warfare, cyber-terrorist attacks, and the like?
• Do you keep up with technology and project what-if new technologies into your future cyber security plans and program?
• What do you think the future holds for all of us if the Internet freedom we now have is taken away?
• Will you be a freedom fighter or a cyber security officer that “just follows orders?”
• Do you maintain a database of defensive software and offensive software (that used by the cyber attackers) that you can use when needed, and also compare your database of cyber attack software to incoming events to see if they are an attack?
• What are you, as a cyber security officer, going to do now to meet the future challenges of cyber security?
Summary
The saying “the more things change, the more they stay the same” certainly seems to be holding true. Although we have and will continue to have advances in technology allowing for more sophisticated offensive cyber attacks and defenses, we are fighting more cyber battles and losing more of them than ever before.
In the future, we must reconsider our defensive approaches, fund them as a high priority in every entity, and go on the offensive as a defensive approach.
The future is disorder. A door like this has cracked open five or six times since we got up on our hind legs. It is the best possible time to be alive, when almost everything you thought you knew is wrong.
Tom Stoppard, Arcadia
1 Much of the information presented is taken from the author’s book, coauthored with Dr. Andy Jones, Global Information Warfare, second edition, published by CRC Press and quoted with their permission.
3 For a basic overview on that topic, see the classic Netspionage published by Butterworth–Heinemann.
4 See http://www.dni.gov/index.php/about/organization/national-intelligence-council-global-trends.
5 Report of the National Intelligence Council’s 2020 Project.
6 See footnote 5.
7 See footnote 5.
8 See footnote 5.
9 See footnote 5.
Index
Note: Page numbers followed by “f”, “t” and “b” indicate figures, tables and boxes respectively.
A
Access control, 187, 217–218
  access control systems, 189
  benefits, 188
  LANs, 188
  systems, 189
Access violations analyses, 217
Accountabilities, 116–117
Advanced persistent threat (APT), 304
Advanced Research Project Agency (ARPA), 75–76
Advisory services, 299
AEA, See American Electronics Association (AEA)
Africa, 55
“Aggressive defensive” operations, 90
Agricultural Age, 11
Air Force’s 53rd Wing, 97
Alleged monopoly actions, 97
Amazon.com, 91
American Electronics Association (AEA), 70
Annual reevaluation
  cyber security officer, 223–224
  cyber security program strategic, tactical, and annual plans, 228
  linking cyber security program, 228–230
  metrics analysis, 230–231
  one-year review, 224
    LOE activities, 225–226
    projects, 226–227
  planning for next year, 231–233
APT, See Advanced persistent threat (APT)
ARPA, See Advanced Research Project Agency (ARPA)
Asia, 53–54
Assessment services, 298
Augmentation, 299
Awareness
  briefings, 186–187
  program, 185–186, 217
B
BlackBerry, 96
BLS, See U.S. Bureau of Labor Statistics (BLS)
Blue-light cameras, 96
Business
  information, 181
  practices, 278–279
Business managers
  See also Global business and management environment
  and cyber security, 42
    company managers, 43
    corporate management’s knowledge, 42
    cyber security program, 42
    principles, 44
    responsibilities, 43
  cyber security officer as, 40–41
C
C2W, See Command and control warfare (C2W)
Canada, 55
Cellular phones, 105b
CEO, See Chief executive officer (CEO), Corporate executive officer (CEO)
CEP-DR, See Contingency and emergency planning and disaster recovery (CEP-DR)
Changing criminal justice systems, 21–24
Chief executive officer (CEO), 135, 138, 144
Chinese hacking group, 99
CI, See Counterintelligence (CI)
CIKR, See Critical infrastructure and key resources (CIKR)
CIO, See Corporate information officer (CIO)
CKO, See Coherent knowledge-based operations (CKO)
Classified networks security, 60
CNCI, See Comprehensive National Cybersecurity Initiative (CNCI)
Codes of ethics, 277–278
Coherent knowledge-based operations (CKO), 270
Cold calling potential customers, 296
Command and control warfare (C2W), 263
Commercial off-the-shelf software (COTS software), 258–259
Communications technology, 12
Company managers, 44–45
Comprehensive National Cybersecurity Initiative (CNCI), 55–57
  initiative, 55–57
Computer forensics, 238–240
Contingency and emergency planning and disaster recovery (CEP-DR), 194
  adverse events, 195
  contingency planning, 194–195
  needs, 195
  planning system, 195–198
  testing plan, 198
Contingency planning, 217
Corporate cyber security program, 132–152
  See also Cyber security officer
  cyber security procedures, 150–152
  cyber security program policy, 149–150
  information assets protection policies, 139–150
  physical security, 149–150
  policy directive, 148–149
  requirements; also Cyber security officer, 139, 148–149
Corporate ethics, 278–279
Corporate executive officer (CEO), 237
Corporate format, 124–125
Corporate information, determining value, 179–180
Corporate information officer (CIO), 107, 137–139, 144, 155, 219, 229, 236
Corporate leader, 110
Corporate management, 241–242
  knowledge, 42
Corporate strategic business plan, 123, 127
Corporate values, 278–279
Corporation, customers, and competition (three C’s), 32
Corporation overall policy document, 142
Cost-effective cyber security program, 9
Cost-effective method, 120
COTS software, See Commercial off-the-shelf software (COTS software)
Counterintelligence (CI), 60
Critical infrastructure and key resources (CIKR), 61–62
Cumbersome processes, 153
Cyber Command, 98–99
Cyber education expansion, 60
Cyber operations connection, 59
Cyber security, 52, 123, 305
  Africa, 55
  Asia, 53–54
  Canada, 55
  CNCI initiative, 57–62
  European Union, 53
  evolution of laws, standards, policies, and procedures, 50–51
  global via UN, 51–53
  policy document, 144
  principles, 114
  procedures, 150–152
  professionals, 45
  program, 7, 31
    policy, 149–150
    strategic, tactical, and annual plans, 228
  program level of effort drivers, 207
    charting level of effort through number of system users, 208–209
    granting users access to systems, 210–211
    significance of system users chart, 209–210
  program metrics, 202–203
    cyber security officer, 204, 207
    examples, 205
    management, 203
    metrics management, 206
  security-associated risks, 35
  South America, 54
  strategic plan, 121–124
    mapping to corporate strategic business plan, 123
    objective, 122
    planning considerations, 123
    strategic business plan, 121
    team concepts, communication, and coordination, 122
    writing plan, 124
  tactical plan, 124–125
    techie, 145
    writing plan, 125
  United States, 55–57
Cyber security function, 29, 176
  See also Access control
  annual plan, 125–127
    mapping to corporate annual business plan, 127
    projects, 126–127
    writing plan, 127
  CEP-DR, 194–198
  consultant, 292
    business plan, 296
    consulting plan, 294
    cyber security managers and technicians, 293
    guiding principles, 295
  cyber security officer, 185
    awareness briefings, 186–187
    awareness program, 185–186
    continuing awareness material, 187
  firmware evaluation, 189–191
  job
    descriptions, 160–161
    family functional descriptions, 161–168
  NCIs, 194
  process development, 184
    requirements identification function, 184–185
  processes, 177–179
  risk management program, 191–193
  software evaluation, 189–191
  ST&E program, 193
  valuing information, 179
    corporate information value, 179–180
    information categories, 181–182
    information value, 180–184
    questions, 184
    valued information types; also Access control, 182
Cyber security officer, 6–8, 28–29, 34, 104, 125, 152–171, 185, 202, 235–236
  See also Corporate cyber security program
  awareness
    briefings, 186–187
    program, 185–186
  as business manager, 40–41
  career development program, 284–286
  continuing awareness material, 187
  corporate culture, 284
  cyber security job descriptions, 160–161
  cyber security job family functional descriptions, 161–168
  duties and responsibilities, 109, 236–237
    Director and, 238
    HTCPP, 237
    violations of laws, 238
  evolution and revolution, 104–106
  in global corporation, 106
    CIO, 107
    corporate culture, 107–108
    management blank check, 108
  goals and objectives, 109–110
  leadership position, 110–112
  mission statements, 112–113
  need for cyber security subordinate organizations, 154–156
  organization structure development, 156
  and organizational responsibilities, 115
    formal duties and responsibilities, 116–117
  professional, 283
  project management, 114–115
  quality statements, 112–114
  recruiting cyber security professionals, 168–171
    in-house cyber security candidates identification, 170
    outside cyber security candidates identification, 171
  risk management, 115
  subordinate organizations development, 156–160
    cyber security program access control and compliance, 157–158
    cyber security program policy and risk management, 158–159
    off-site cyber security program organizations, 159–160
  vision statements, 112–113
Cyber security program and organization establishment, 132
  corporate cyber security program, 132–152
    cyber security procedures, 150–152
    cyber security program policy, 149–150
    information assets protection policies, 139–150
    physical security, 149–150
    policy directive, 148–149
    requirements, 139, 148–149
  cyber security officer thought process, 152–171
    cyber security job descriptions, 160–161
    cyber security job family functional descriptions, 161–168
    need for cyber security subordinate organizations, 154–156
    organization structure development, 156
    recruiting cyber security professionals, 168–171
    subordinate organizations development, 156–160
Cyber Security Specialist, 141–142
Cyber wars, 82
Cyber-information world environment, 4
  changing criminal justice systems, 21–24
  GII, 10
  human factor, 24–26
  information, 5–6
  information-driven environment, 6
    computer systems, 7
    computers, 8
    cyber security and mitigating risks, 6
    cyber security officer, 6–8, 10
    cyber security program, 7
    microprocessors, 7–8
    protection of information systems, 8–9
  NII, 11
Cyberspace, 14–15, 77
Cyberspace Policy Review, 57
D
DDoS, See Distributed denial-of-service (DDoS)
Defense Advanced Research Project Agency leaders, 95
“Defensive attacks”, 255–256
Defensive IO, 266
Department of Homeland Security (DHS), 50b, 57, 59, 61–62
  National Cybersecurity Center, 59–60
Detekt tool, 92
Deterrence strategies and programs, 61
DHS, See Department of Homeland Security (DHS)
Digital battlefield attacks, 90
  alleged monopoly actions, 97
  America’s military secrets, 98
  Australian defense officials, 93
  BlackBerry, 96
  blue-light cameras, 96
  Chinese hacking group, 99
  CIA, 96
  company Web site, 92
  crimes, 94
  Cyber Command, 98–99
  Defense Advanced Research Project Agency leaders, 95
  Detekt tool, 92
  disk or flash drive, 90
  FBI’s Cyber’s Most Wanted, 93
  federal government, 97
  flood of hacks and data breaches, 94
  General Zhu’s comments, 95
  GIW attacks, 91
  hackers, 92, 99
  healthcare.gov, 94
  information warfare, 95
  Israeli’s secret service, 97
  IW, 91
  malware and spyware, 92
  mission data packages, 97
  NSA, 97
    snooping firestorm, 98
  offenses, 93
  PLA, 93
  PLCs, 90
  “Regin” malware, 91
  Samsung Electronics, 97
  Secret Service, 97
  security attacks/breaches, 100
  social engineering, 91
  spy agency, 98
  spyware, 94
  Syrian Twitter, 92
  Taiwanese government, 92
  Turing Test, 96
  U.K. Cyber Security Strategy, 98
  U.S. Department of Homeland Security, 95
  U.S. officials, 99
  voting machines, 93
Director, 237–238
Director of Security, 235–237, 240
Disaster recovery, 195
Distributed denial-of-service (DDoS), 252
DoD, See U.S. Department of Defense (DoD)
E
E-mail, 76
  PI, 94
Easter eggs, 81
EATP, See Education Awareness and Training Program (EATP)
Education, 286
  advisory services, 299
  assessment services, 298
  augmentation, 299
  cyber security consultant, 292–296
  engagement
    process, 297–298
    setup, 296–297
  international aspects, 299–300
  interviewing for cyber security officer position, 288–292
  legal issues, 299
  market yourself as cyber security officer, 287–288
  security implementation, 299
Education Awareness and Training Program (EATP), 185–186, 213–214
EINSTEIN 2 approach, 57–58
EINSTEIN 3 approach, 58–59
Electronic commerce, 77
Electronic mail, 76
Engagement
  process, 297–298
  setup, 296–297
Environment, changing, 305
“Errors and omissions”, 293
Ethics issues, 274–275
  businessperson, 275–276
  committing crimes, 275
  standards of behavior, 276
  unethical behavior, 277
European Union (EU), 53
F
Federal Enterprise Network management, 57
Federal role in extending cyber security, 61–62
Firmware evaluation, 189–191
First-generation warfare, 250
Formal project management techniques, 136
Framework Core, 25–26
Future Shock, 15–16
G
GII, See Global information infrastructure (GII)
GIW, See Global information warfare (GIW)
Global business and management environment, 28
  business managers and cyber security, 42
    company managers, 43
    corporate management’s knowledge, 42
    cyber security program, 42
    principles, 44
    responsibilities, 43
  case study, 33, 33b
  changes, 28
  company
    managers, 44–45
    team, 29
  business, 31
  competitive advantage through cyber security program, 39
    cyber security officer as business manager, 40–41
    examples, 39
  cyber security
    function, 29
    officer, 28–29, 32
    professionals, 45
    program, 31
  growing networks, 28
  Internet, 30
  ISPs, 29–30
  management responsibilities and communicating with management, 33–34
    additional choices, 36
    business meetings, 38
    company’s culture and policies, 34
    consequences, 35
    cyber security officer, 34, 37–39
    cyber security-associated risks, 35
    decisions, 34, 36–37
    document, 38
    excellent gesture, 35
    InfoSec, 36
    problem and decision to management, 35
    risks, 34
    “touchy-feely don’t-hold-me-responsible” management, 39
  “oldies but goodies” programs, 30
  OODA loop, 32
  service, support, and business orientation, 41–42
  telecommunications businesses, 29
  World Wide Web, 30
Global corporation, cyber security officer in, 106
  CIO, 107
  corporate culture, 107–108
  management blank check, 108
Global information infrastructure (GII), 10, 28, 72, 77
Global information warfare (GIW), 89, 251
  See also Information warfare (IW)
  free market economy, 253
  Internet, 252
  IW, 252–254
Global nervous system, 13, 75
Global trends, 306
  impact of globalization, 307
  new challenges to governance, 308
  pervasive insecurity, 309
  policy implications, 309–310
  transmuting international terrorism, 309
Globalization impact, 307
Gopher, 76
Government-wide cyber CI plan, 60
H
Hackers, 92, 99
  tools, 80
Handgun, 78
Hardware evaluation, 189–191
healthcare.gov, 94
High technology, 66
  See also Technology
  AEA, 70
  BLS, 71
  electronic inventions, 68, 68t
  factors, 69
  industry classifications, 70
  industry-based definitions, 69
  inventions, 67
  Microprocessor, 71–72
  Moore’s law, 72–73
  OneSource, 71
  revolutions and evolutions in, 65–66
  RFA, 70
  sharing of information, 66
  technologically driven inventions, 67–68
  technology-driven transition, 67
  tools in cyber security, 82–84
  transition period, 66–67
  twentieth century high-technology developments and events, 74–75
  twentieth-century technological developments and events, 68–69
High-technology crime prevention program (HTCPP), 237
High-technology crimes
  See also Cyber security functions
  CIO, 236
  computer forensics, 238–240
  cyber security officer, 235–236
    Director and, 238
    duties and responsibilities, 236–237
    HTCPP, 237
    violations of laws, 238
  law enforcement, 240–242
  NCIs, 236
High-technology-driven communications, 79–80
High-technology-driven phenomenon, 78–79
HR, See Human Resources (HR)
HTCPP, See High-technology crime prevention program (HTCPP)
Human factor, 24–26
Human Resources (HR), 141
I
IAPPD 500–1, See Information Assets Protection Policy Document 500–1 (IAPPD 500–1)
IE, See Information environment (IE)
IMs, See Instant messages (IMs)
Industrial Age, 12
Info-warriors, 89
Information
  assurance, 263
  categories, 181–182
Information Age, 12
  information-based processes, 263
  superiority, 267
  value, 180, 182
    business information types and examples, 183–184
    time factor, 183
Information Assets Protection Policy Document 500–1 (IAPPD 500–1), 142, 145–146
Information environment (IE), 132, 151, 251, 263
  breakdowns in, 261
  components, 260
Information operations (IO), 266
Information security (InfoSec), 36, 106, 263–264
  See also Cyber security
Information system (IS), 264, 268
Information technology (IT), 104, 136–137, 202, 254
Information warfare (IW), 91, 95, 247, 252, 264
  for attaining and maintaining competitive advantage, 268–269
    business, 256–257
    CKO, 270
    COTS software, 258–259
    goals and objectives, 269–270
    government organization, 257–258
    information, 259–260
    KM, 271–272
    levels and functions, 257
    NCB, 271
  in pocketbook, 254
    defensive attacks, 255–256
    high-profile events, 255
  possibilities, 248
    aircraft pilots, 249
    local power companies, 249
    “Locust Swarm” program, 248
    water pumping stations, 250
  TOR, 261
    C2W, 263
    cyber, 262
    decision-maker act, 264–265
    defensive IW, 266
    information superiority, 267
    IW-related environment, 263
    KM, 264
    military psychological operations, 265
    NSTISSC 4009, 268
  warfare, 250
    generations, 250–251
InfoSec, See Information security (InfoSec)
INFOSEC, See National Information Systems Security (INFOSEC)
Instant messages (IMs), 79
Intel’s Pentium III, 83
Internal use only information types, 183
International Security in Cyberspace, 53
Internet, 17, 30, 52, 75
  annihilation of time and space, 77–78
  ARPA, 75–76
  communication technologies, 76
  cyberspace and GII, 77
  electronic commerce, 77
  future, 311
  global nervous system, 75
  handgun, 78
  impact, 17–19
  Internet-enabled communications, 15
  organizational impacts, 19–20
  protocols, 76
  to share information, 20–21
  society’s struggles, 78
  World Wide Web, 77
Internet, Birth of, 13–15
Internet Governance Developments, 53
Internet service providers (ISPs), 29, 78
Interviewing for cyber security officer position, 288
  cyber security
    officer portfolio, 290
    plan, 290
  interview process, 292
  interviewees, 289
Intrusion detection system deployment, 57–58
Intrusion prevention systems deployment, 58–59
IO, See Information operations (IO)
IS, See Information system (IS)
ISPs, See Internet service providers (ISPs)
IT, See Information technology (IT)
IW, See Information warfare (IW)
K
“Keep it simple, stupid” principle (“KISS” principle), 147, 206
Knowledge Age, 8–9
Knowledge management (KM), 264, 271–272
L
LANs, See Local area networks (LANs)
Laws, 24–26
  enforcement, 240–242
Leadership
  need for enlightened and dedicated, 305–306
  position, 110
    providing cyber security service and support, 110–111
    using team concepts, 111–112
“Leap-ahead” technology, 60–61
Legal issues, 24–26
Level-of-effort (LOE), 202–203, 225–226
Liability issues, 279–280
Link-analysis methodology, 228
Linking cyber security program, 228–230
Litmus test, 252
Local area networks (LANs), 188
“Locust Swarm” program, 248
Locusts program, 250
LOE, See Level-of-effort (LOE)
Logic bombs, 82
M
Management blank check, 108
Message, 83
Metric(s), 202
  analysis, 230–231
  cyber security program level of effort drivers, 207
    charting level of effort through number of system users, 208–209
    granting users access to systems, 210–211
    significance of system users chart, 209–210
  project management, 218–221
Metrics charts, 211
  cost-avoidance metrics, 215
  cyber security program
    EATP, 213–215
    tests and evaluations, 212–213
  management and downsizing, 215
    foregoing, 218
    information and information systems, 217
    subchart, 216
Microdot, 83
Microprocessors, 7–8, 71–72
Mission
  data packages, 97
  statements, 112–113
Moore’s law, 72–73
Multipronged approach, 61
N
National Cybersecurity Center, 59–60
National information infrastructure (NII), 11, 28
National Information Systems Security (INFOSEC), 267
National Security Agency (NSA), 58–59, 97
National Security Presidential Directive 54/Homeland Security Presidential Directive 23 (NSPD-54/HSPD-23), 56
NCB, See Network-centric business (NCB)
NCIs, See Noncompliance inquiries (NCIs)
Netspionage agents, 84
Network-centric business (NCB), 270–271
NIC, See U.S. National Intelligence Council (NIC)
NII, See National information infrastructure (NII)
Noncompliance inquiries (NCIs), 194, 217, 236
NSA, See National Security Agency (NSA)
NSTISSC, See U.S. National Security Telecommunications and Information Systems Security Committee (NSTISSC)
O
Observe–orient–decide–act loop (OODA loop), 32
Octopus Conference, 54
Off-ramp, 16
Off-site cyber security program organizations, 159–160
Offensive IO, 266
Offensive–defensive cyber attacks, 310
On-ramps, 16
OneSource, 71
One-year review, 224
  LOE activities, 225–226
  projects, 226–227
OODA loop, See Observe–orient–decide–act loop (OODA loop)
Operations security (OPSEC), 267–268
Organizational responsibilities, 115
  cyber security officer’s formal duties and responsibilities, 116
    accountabilities, 116–117
  cyber security officer position, 116
  cyber security program, 115
P
P4, See Plans, processes, policies, and procedures (P4)
PDAs, See Personal digital assistants (PDAs)
People’s Liberation Army (PLA), 93
People’s Republic of China (PRC), 93
Personal digital assistants (PDAs), 132
Personal information, 181
Personal leader, 110
Pervasive insecurity, 309
PLA, See People’s Liberation Army (PLA)
Plan X, 95
Plans, processes, policies, and procedures (P4), 133
PLCs, See Programmable logic controllers (PLCs)
Policy implications, 309–310
PRC, See People’s Republic of China (PRC)
Preemptive strikes, 255–256
Privacy issues, 273–274
Private information, 181
Private information types, 184
Processor serial number (PSN), 83
Programmable logic controllers (PLCs), 90
Project(s), 226–227
  chart, 219–221
  management, 114–115, 218
    CIO, 219
    cyber security officer, 221
    project chart, 219–221
PSN, See Processor serial number (PSN)
Q
Quality statements, 112–114
R
R&D, See Research and development (R&D)
Radio frequency spectrum (RF spectrum), 256–257
Recruiting cyber security professionals, 168–171
  in-house cyber security candidates identification, 170
  outside cyber security candidates identification, 171
“Regin” malware, 91
Regional Financial Associates (RFA), 70
Regular employees, 43
Regulations, 24–26
Requirements identification function, 184–185
Research and development (R&D), 59
Return on investment (ROI), 269
RF spectrum, See Radio frequency spectrum (RF spectrum)
RFA, See Regional Financial Associates (RFA)
Risk management, 115, 191
  process, 190
  process, 191–192
  program, 191
  recommendations to management, 192
  reports, 192–193
Road Map for Internet, 16–17
ROI, See Return on investment (ROI)
S
Samsung Electronics, 97
SBP, See Strategic business plan (SBP)
Second-generation warfare, 251
Secret Service, 97
Security implementation, 299
Security tests and evaluations (ST&E), 193, 212–213
Security—defensive approach, 304–305
Senior corporate and government leadership, 303
Senior leadership, 303
Sensitive information, 132, 184
SIC, See U.S. Standard Industrial Classifications (SIC)
Software evaluation, 189–191
South America, 54
Spy agency, 98
Spyware, 94
ST&E, See Security tests and evaluations (ST&E)
Stand-alone microcomputers, 208
Standards, 24–26
  of conduct, 278–279
Steganography, 83
  software, 84
Strategic business plan (SBP), 135, 151
Stuxnet, 90
Subordinate organizations development, 156–160
  cyber security program
    access control and compliance, 157–158
    policy and risk management, 158–159
  off-site cyber security program organizations, 159–160
Syrian Twitter, 92
T
Tactical business plan (TBP), 135, 151
Team leader, 110
Technology, 63–64
  See also High technology
  from caveman to cyber security professional and information warrior, 64–65
  revolution in, 63
Telecommunications, 196–197
  businesses, 29
Terms of reference (TOR), 261
  information warfare, 261
    C2W, 263
    cyber, 262
    decision-maker act, 264–265
    defensive IW, 266
    information superiority, 267
    IW-related environment, 263
    KM, 264
    military psychological operations, 265
    NSTISSC 4009, 268
TIC initiative, See Trusted Internet Connections initiative (TIC initiative)
Time factor, 183
Tofflers’ model of technological evolution, 11
Topic-oriented information assets protection policy documents, 147
TOR, See Terms of reference (TOR)
“Touchy-feely don’t-hold-me-responsible” management, 39
Traf-O-Data, 74
Transmuting international terrorism, 309
Trojan horses, 81–82
Trusted Internet Connections initiative (TIC initiative), 57
Turf battles, 43
Turing Test, 96
Twenty-first century technology, 84–86
U
U.K. Cyber Security Strategy, 98
U.S. Bureau of Labor Statistics (BLS), 70–71
U.S. Department of Defense (DoD), 251
U.S. Department of Homeland Security, 95
U.S. federal government computer security standards, 302
U.S. National Intelligence Council (NIC), 306
U.S. National Security Telecommunications and Information Systems Security Committee (NSTISSC), 267
U.S. Standard Industrial Classifications (SIC), 69
U.S.–EU Cyber Security-Related Cooperation, 53
United States, 55–57
US-CERT, 57–58
Usenet newsgroup, 76
V
Valuing information, 179, 182
  corporate information value determination, 179–180
  importance of determination, 180–181
  information value, 180
    categories, 181–182
    determination, 182–184
    questions, 184
    types, 182
Viruses, 80–81
Vision statements, 112–113
Vulnerability, 267
W
Water pumping stations, 250
Webster’s Dictionary, 239
Whistleblower, 277
Work, 287b
World Wide Web (Web), 14, 76–77
Worms, 81