Sun Tze wrote this book of learning many centuries ago. But is appears more relevant in the modern age than we imagine. In one corner with have the Russian Cyber Military Unit, with the Syrian Electronic Army, in the next corner the PLA Unit 61398, North Korean Bureau 121 and Israel Unit 8200.
That’s already five (5) corners and we haven’t talked about the USA yet.
The US Homeland Security, Department of Defence have been leaders in the USA and now they are building a National Guard Cyber Force. It seems that the US Airforce is also positioning themselves to take some leadership in this crowded space.
While our friends in the north in Singapore are taking up the cyber security challenge and they have setup a new Cyber Security Agency. Australia appeared to be just focused on investment in Submarine Technology. But it recently announced $30 million funding through to establish a Cyber Security Growth Centre (CSGC).
Is this just HYPE?
But how bad is the problem? Is this really all hype or is this really a concern?? It was reported by the Former NSA Director Mike McConnell that: “China has hacked every major corporation” in the USA.
In recent months the ABC and Bureau of Meteorology have both been hacked by our friends from the north. The reality is that we can’t keep the bad guys out, so we have to know quickly when they get in and take action.
So it’s war…….and this time the actors are governments that are involved and attacking corporations. Unfortunately when the war has not been officially declared we can be naïve to the goings on and assume someone else is affected.
Getting myself and my team ready for this, what do I need to do?
Read more: Do you have an Insider Threat Program?
Some 2016 reading
Let me suggest that you start by reading the Art of War 孫子兵法 , this is an old and ancient military treatise attributed to Sun Tzu. There are 13 chapters covering different aspects of warfare, military strategy and tactics. Even my old friend (only joking) Donald Rumsfeld has read this book and I’m sure has adopted the learning.
Some of the key chapters have some really insightful points that have real applicability to the cyber warfare that you as CISO and Security Leaders will have to deal with. Here are some of my favourites:
“Supreme excellence consists in breaking the enemy's resistance without fighting”
Particularly chilling when I think about this point.
“All warfare is based on deception”
“Hold out baits to entice the enemy. Feign disorder, and crush him”
Read more: C-suite executives overconfident and underincluded when it comes to data security
Makes me think about Malware and how this gets into an enterprise.
“If he is secure at all points, be prepared for him. If he is in superior strength, evade him.”
“Attack him where he is unprepared, appear where you are not expected.”
Read more: Americans, Romanians most willing to pay ransomware fees – but not for work files
Now, all those vulnerabilities that are documented and have an action plan. Don’t seem to be so well managed or off the radar.
“To secure ourselves against defeat lies in our own hands, but the opportunity of defeating the enemy is provided by the enemy himself.”
“In battle, there are not more than two methods of attack--the direct and the indirect; yet these two in combination give rise to an endless series of maneuvers”
Read more: Without discipline, the open-source dream can become a security nightmare
This makes me think about how we have to engage the broader enterprise in the cause. In the absence of tackling this we can be easily defeated.
“So in war, the way is to avoid what is strong and to strike at what is weak.”
“Therefore, just as water retains no constant shape, so in warfare there are no constant conditions.”
Our work is never done, building big castle towers will not deter the enemy, as there is always another way in. The enemy is constantly morphing just like water and we all understand the damage that can come from just small leak!
Today we have Advanced Persistent Threats and tomorrow this will change into another model.
World War Three?
Yes, it probably true that this has already started. There are various players on this field and also ISIS. Interestingly it appears that Anonymous has declared war on ISIS and is also already fighting them.
Just recently Anonymous claimed credit for stopping an ISIS attack.
This is where cyber world meets the physical world.