If your organization is connected to the Internet, you are very likely engaged in cyber warfare whether you like it or not.
Nation States, organized crime, terrorist and hacktivists are either attacking or exploiting your systems, or they are using your organization’s systems as a platform to conduct cyber warfare.
The question you need to ask is, “Does my organization have sensors on systems to even know that we’ve been compromised and or currently under attack?” More than your job may depend on the answer.
Not all attacks are equal in the eyes of the U.S. government. And while the focus in this article is on the United States, it’s important for any company in any country to understand the extent and limitations of government involvement in the event of a breach.
If you are under a potentially catastrophic attack, who are you going to call for help? According to the redacted and unclassified U.S. Department of Defense (DoD) Joint Publication 13-12 (R) Cyberspace Operations, released Feb. 5, 2013 http://www.dtic.mil/doctrine/new_pubs/jp3_12R.pdf , it greatly depends on your organization’s relevancy to national security as to how much the government is willing and able to assist your organization.
‘The Interview’ that Shamefaced Sony
If your organization is a commercial enterprise, you are on your own even if your company is on the scale of, say, Sony Pictures. The only exception to this would be if your organization’s systems are being used by attackers as a platform for cyber warfare against national security assets such as critical infrastructure or military assets.
You can call the FBI and they will assist with a criminal investigation against the attackers; however, you are responsible for defending your systems with little to no support from the government. Sony Pictures contracted with FireEye, a private cybersecurity contractor, to help the company assess damage done by a massive data breach rumored to originate with North Korean hackers. But by the time the nation state level attack was finished the only recourse Sony had was to disconnect from the Internet and start a long, painful and costly remediation.
While it was not an attack against a U.S. physical national security asset, news media widely proclaimed the attack was an attempt to stop a U.S. based business from releasing the satirical film The Interview, which heavily mocks the leader of North Korea and details a fictitious plot to assassinate him.
Given that there was not an overt public U.S. military response, it is logical to conclude that the Sony attack did not rise to the level of a cyber warfare attack that warranted a military response. As a result, the Sony attack has become the latest defining event in the evolving lines of what is and what is not considered cyber warfare.
Commercial board rooms and executives should take notice and develop risk-based cybersecurity strategies to defend their systems knowing that the cavalry is not coming and that they are on their own in the wild-wild west of the cyber frontier.
Taking a Crack at Critical Infrastructure
“Critical infrastructure” is a broad term, but 16 types of vital assets qualify, as defined by the National Infrastructure Protection Plan. If your organization is considered “critical infrastructure” and is under an active and potentially catastrophic attack, you should contact the Department of Homeland Security (DHS) National Cybersecurity and Communications Integration Center (NCCIC). They are charged with coordinating the 24/7 defense of your organization as a critical U.S. economic (i.e. bank) or military (i.e., electrical grid) asset while under active potential catastrophic attack.
If DHS does not have the capabilities to stop the attack, DHS will contact the FBI, which will coordinate with the National Security Agency (NSA) through authorities provided within U.S. Code Title 50. This law allows intelligence agencies to provide technical assistance with foreign intelligence capabilities regarding the attack. If return “fires” are needed to stop the attack, the DOD USCYBERCOM will be engaged through authorizations provided through U.S. Code Title 10. This law outlines the roles of the Department of Defense to defend against foreign attackers.
Ultimately, it is up to the President to decide if the United States is under a cyber attack worthy of a military response, which could include cyber and or traditional kinetic weapons. After the active cyber attack is over, you are on your own to remediate your damaged systems.
When a Defense Industrial Base is under Siege
If you work for a defense contractor on the scale of, say, an organization like Northrop Grumman, the Department of Defense is tasked with your defense if you are under an active and potentially catastrophic attack. The DoD Defense Information Systems Agency (DISA) will handle attacks against the Secret Internet Protocol Router Network (SIPRNet), while the Defense Intelligence Agency (DIA) will handle attacks against the Joint Worldwide Intelligence Communications System (JWICS). If return “fires” are needed, the response will be elevated to USCYBERCOM to take the appropriate actions.
It is imperative that all organizations accept that they are a part of a global and fluid cyber cold war and develop cyber warfare plans to either address cyber attacks directly and or have an established communications plan with the appropriate U.S government agency to ensure they are able obtain assistance as soon as possible to avoid catastrophic damage to the organization.
Organizations under attack should also “circle the wagons” like the old pioneers by joining the appropriate Information Sharing and Analysis Center (ISAC) for their industry (i.e., Electrical Sector-ISAC) and become active in peer-to-peer sharing of strategic defensive strategies, tools and cyber intelligence.
Finally, organizations should consider the practical and sage advice of Bob Bigman, former CIA CISO, who when asked to provide advice to CISOs facing the realities of cyber warfare offered: “Most cyber security products simply don’t work, and smart architecture and sound governance, policies and procedures always trump sexy technology.”