It's official. We are at war again. Cyber war. On Friday the NY Times broke the story that Presidents Bush and Obama developed and unleashed the Stuxnet worm to cripple the Iranian nuclear facilities. This is the first time in US history that the government has publicly accepted responsibility for a cyber-attack. This is a game changer. Much like the use of the A-bomb in World War II, it signals a new frontier in combat. A new arms race, if you will.
Should the US utilize any and all efforts to protect our citizens, our national interests, and our economic vitality? Absolutely. Are offensive or preemptive attacks a necessary military strategy? Yes. However, we have opened a door that cannot be closed.
In traditional warfare, there is a huge cost in the development and deployment of weapons and the personnel to use them. The US has been able to use our robust economy (compared to the rest of the world) to crush nearly any opposition. They simply could not design, manufacture and transport enough weapons to keep pace with the US.
Not anymore. Cyber war is unlike anything we've ever faced. The weapons are cheap desktops and laptops, some rented server and storage space and a broadband internet connection. One could launch a crippling attack with "weapon" costs clearly under $5,000. What country, terror organization or crime syndicate can't scrape together $5,000 for computers? We are at somewhat of a disadvantage when a war is fought with weapons that are cheap.
We also have a lot more at stake in this game than many of our enemies. Who in the world has more critical infrastructure to protect than us? Who has more to lose from corporate espionage than US companies? Who has more to lose from a crippled economy than US investors? It's easy to fight in a war when your side has very little to lose.
The face of information security has changed forever. There is no organization that is safe. Every business, small and large, every non-profit organization, every social media site, everything is now a target. If corporate executives thought information security was costly before, they haven't seen anything yet. The vulnerabilities and threats are increasing exponentially, which means risk is increasing as well. The question used to be "Can we afford to improve information security practices?" The question will become "Can we afford not to?"
I firmly believe in our ability to fight this war and be successful. The difference is there will be no end to this war. The president has said he may use a physical response to a cyber-attack. Only time will tell if this would truly be carried out. Only history will tell if it would be prudent.
In my role as a business owner and information security consultant I talk to a lot of people. Some of these people are business owners or leaders like me. Others are security or IT professionals. There is one common theme that I see frequently. Outside of the Fortune 500 circle (and even inside it at times) there seems to be a lack of clarity on IT risk management in the company.
From my CEO peers I hear "I can't believe (fill in manager name here) made that decision. Didn't (he/she) understand the risk and what was at stake?" What I hear in this comment is that there may be a communication issue if operational management is making business decisions that "shock" the CEO. Perhaps the manager isn't fully aware of the risk that is seen by the CEO. My question becomes: why? A good risk management process works to identify, communicate and mitigate risk within an organization. CEOs who are "shocked" by risky decisions should really evaluate their risk management programs to make sure the people to whom they entrust daily decision making have the proper information to make good decisions.
On the flip side I hear my IT and security peers say things like "My CEO read my report, couldn't see the risk and chose to ignore my recommendation." What I hear in this is that the individual failed to make a compelling case as to why the risk was so great that it shouldn't be ignored. The CEO read the report, considered the risk and made a decision. While the decision wasn't what the individual had hoped for, it wasn't ignored. The recommendation was considered but the CEO chose not to follow it.
What this tells me is there is a disconnect between business leaders and their operational management or IT and security management. When the two groups aren't on the same page from a risk perspective, bad things happen. CEOs must communicate what they are worried about to their teams if they expect those teams to help them manage risk. And operational teams must find ways to explain risks they discover in terms their CEO will understand and appreciate. Until both teams are working together to identify, communicate and mitigate risk, the bad guys will continue to have big victories.
The IC3 2011 Internet Crime Report was recently released. The IC3 is where many smaller crimes such as identity theft, email scams and other internet crimes are reported. It does not cover all reported crime and is only an indicator of the trends we see across multiple industry sectors and reporting agencies. There are some very interesting numbers for the "Average Joe" and small business owner in this report.
Total complaints received: 314,246
Complaints reporting loss: 115,903
Total Loss: $485,253,871
Median dollar loss for those reporting a loss: $636
Average dollar loss overall: $1,544
Average dollar loss for those reporting loss: $4,187
This should be a wakeup call to all individuals and small business owners out there that internet crime is real. It targets everyone. When approaching small businesses to help them ensure information security, we're often told "We're too small to be a target" or "We don't have enough revenue to make it worth the time to target us." Hopefully this information will dispel that myth. The average loss was roughly $4,000. How big does a company need to be before losing $4,000 at a time isn't worth the effort to stop it?