Avoid Your Business Being Collateral Damage in a Cyber War

Most organizations don't have the resources to cope with a serious cyber incident

Some of those businesses drawn into "cyber conflict" will be little more than collateral damage; some will be primary targets; others will be secondary targets; and some will be a means to an end, e.g., an intel source or a back door to the primary target. Could you flesh out some of the scenarios that "cyber conflict" gaming and preparation should take into consideration?

Dietz: The National Infrastructure Protection Plan (NIPP); National Response Plan (NRP) ... Cyber War - The Republic of Delmarva (ROD) decides it is going to update its submarine fleet. It targets the Country of East New World (ENW), which has just launched a new submarine with a stealth nuclear power plant. ROD's Army has a cyber war unit that launches an array of bots targeting defense contractors and naval organizations within ENW that deal with submarines. The bots are designed to transmit design information back to the ROD through a chain of servers designed to obscure the origin of the attack and the destination of the data. ROD also plants sleeper agents within defense contractors and the ENW Navy department.

Cyber Terror - The Radical Violence Network (RVN) targets an athletic facility in a prominent city. They place a Vehicle-Borne Improvised Explosive Device (VBIED) in the evacuation zone (a parking lot) of the athletic facility. They hack into the stadium's sprinkler and alarm system, causing the sprinklers to go off. When sufficient crowds gather at the evacuation zone they set off the VBIED. For a more protracted effect they can use two VBIEDs, setting off the second one when first responders get close to it.

Information Warfare - The Nation of Freedom (NOF) decides to give press members a tour of a nuclear facility in order to show its peaceful intent to use its nuclear industry. It has secretly, or not so secretly, paid leading broadcast journalists in the region to provide favorable coverage. The government releases a story of a medical success using an isotope developed from the nuclear reactor.

Information Operations - Take the cyber terror example above. Change the target to a military headquarters and add jamming of the cell phones for an electronic warfare component. Add video recordings sent live as the VBIEDs are exploded, much like the Internet streaming of video from the Turkish ship stopped by the Israelis on its way to Gaza.

Over the years the field of information security has matured: there is a robust body of common policies and standards to adopt, there is a plethora of cyber security technologies to implement, programs are pretty well-defined, and the basic building blocks and best practices are documented. So what does this mind map of "Cyber Conflict & the Commercial Sector" alter or add to? How is a program that has taken it into account different from a program that has not?

Dietz: Three key differences are the inclusion of Global Situational Awareness, Common Operating Picture and Legal Consequences. These are essential components in planning for cyber incidents that differ from the more traditional, natural-disaster-focused planning.

Organizations need a highly focused Global Situational Awareness because they must be sensitive to the adversary universe. The rise of certain adversaries will heighten the threat level and danger to the organization. For example, an organization that experiments on animals needs to know that an organization opposed to that effort has used cyber attacks in conjunction with kinetic attacks to rescue animals.

A common operating picture in this context means the ability to see across the IT infrastructure to understand what possible attacks have been launched against the organization, how effective they have been, and best practices concerning defense and mitigation. It would also be useful to know what other organizations have done from the same perspectives. This combined knowledge would help to optimize the organization's actions to secure its personnel and assets.

Lastly, the legal consequences are critical here. If the attacker is a nation state, then the organization will have a forced working relationship with its country's defense department. If the attacker is a non-state actor, especially a terrorist, this is likely to mean a protracted relationship with the nation's federal and possibly state or provincial law enforcement and judicial systems.

Long-term relationships within the judicial system, especially those involving criminal prosecution, will result in extensive discovery. Organizations need to be zealous and out front so as to protect their intellectual property from exposure and to safeguard the brand against degradation due to governmental interaction and cooperation.

Let's go through some of the elements of the Mind Map, the issues involved and any recommendations you might offer, specifically for commercial sector organizations. Outside Resources and Partner Agreements? Common Operating Picture? Global Situational Awareness?

Dietz: In the event of a serious cyber incident, most organizations will not have the organic resources they need to cope with the incident, minimize the harm, absorb the lessons learned to apply going forward, and defensively prepare for legal actions that result from the incident.

Partners who will likely figure into the picture include: federal, state/provincial and potentially local law enforcement; outside law firms; data forensics experts; IT recovery resources beyond those already contracted for to deal with potential natural disasters; investigators; security management; executive protection; etc.

Other partners might include hot/cold sites; decontamination (cyber and physical) teams/resources; managed service providers; and alternative sources of various goods and services. These should be considered and, if possible, negotiated ahead of time. The exact nature of the needed goods and services depends on the organization, the likely threats, geographic location, etc.

Yet one more set of partners are those who might be called upon to deal with the legal aftermath of cyber incidents. Outside specialty counsel, government prosecutors and e-discovery vendors are potential partners for these endeavors.

Evidence Protection and Collection?

Dietz: This is a particularly tricky one. The classic lawyerly answer is "it depends". It depends on the nature of the attacker, the gravity of the harm caused, and who will be prosecuting for what. Federal prosecutors seeking to prosecute for treason, terrorist acts, war crimes and the like will be particularly aggressive and intrusive.

Resource-poor local prosecutors, especially those with no track record in computer crimes, will likely be less of a challenge.

General Counsel can provide insight as to the level of care and detail the organization needs to consider when planning its evidence collection and data forensics strategy.

Combat forensics will likely be the order of the day during the initial phases of an attack, when it is unclear who the attacker is and what legal courses of action are likely to occur once the immediacy of the attack is over and dealt with.

Organizations may opt for expediency in data forensics to help determine the nature and source of the attack, which may be vital to mitigating its effects and deterring similar attacks in the future.

Given the lack of precedent, it is difficult to predict what level of data forensics and evidence preservation the federal government will require where they suspect a nation state or terrorist attack.

Critical Infrastructure Sectors:

* Information and communication

* Banking and Finance

* Water Supply

* Transportation (Aviation, Highway, Mass Transit, Pipelines, Rail, Waterborne Commerce)

* Emergency Law Enforcement

* Emergency Fire Services, Continuity of Government

* Electric Power, oil and gas production and storage

* Public Health Services

Source: GAO, Critical Infrastructure Protection: Significant Challenges in Developing National Capabilities, http://www.gao.gov/new.items/d01323.pdf, page 28

Richard Power is a Distinguished Fellow at Carnegie Mellon CyLab and a frequent contributor to CSO Magazine. He writes, speaks and consults on security, risk and intelligence issues. He has conducted executive briefings and led professional training in forty countries. Power is the author of five books. Prior to joining Carnegie Mellon, Power served as Director of Security Management and Security Intelligence for the Global Security Office (GSO) of Deloitte Touche Tohmatsu and Editorial Director of the Computer Security Institute.

Tags: cybercrime, cyber attacks, cyber war