How do you prepare for truly unknown cyberattacks or threats to physical security?
It's a question we all have to ask in the aftermath of the missile strikes exchanged with Iran. While many are (rightly) concerned about the possibility of a conventional war starting in the Middle East, it is likely that retaliation will also come through cyberspace, putting all of our networks and infrastructure at risk.
What's most worrisome about these initial strikes is the lack of transparency. Most members of Congress had no idea the attack was imminent, and when they were briefed, many complained that their questions went unanswered.
If Congress isn't being told what is happening, you can be sure the CISOs of major corporations aren't being told about, or made aware of, incidents that could have life-altering physical and cyber consequences. With no coordination possible, how can you be prepared?
Anticipating from the already known
The easy answer is to always be prepared for anything. But an act of cyberwar requires a higher-than-usual state of alertness, one that many organizations cannot afford, in either people or money.
The next best thing is to use historical data as the baseline for preparedness. We already know that Iran is one of the most capable nation-states in offensive cyber operations. Iran's digital fingerprints are on past attacks against critical infrastructure, such as a dam in New York State and, more recently, Iranian malware discovered on a Saudi Arabian oil company's network. Iran has also launched physical attacks on Saudi oil fields. These are attacks it has conducted without major provocation.
This history, combined with the most recent military action, should be a warning to CISOs to make sure they have the right systems in place to guard against a potential attack carried out as an act of cyberwar. And if you weren't sure whether you should do anything, the Department of Homeland Security is advising US companies to be prepared: this is the first time such an alert has been issued by the Cybersecurity and Infrastructure Security Agency (CISA), which operates under DHS.
But that's just the threat from Iran. We also know that Russia, China, Ukraine, and other countries have used cyberattacks against US entities. While we are focused on what Iran might do, these other countries may see an opening to attack, and not only because America looks more vulnerable: they may also use Iran as a shield for their own attacks.
For example, the Financial Times reported in October that a Russian cyber-espionage group first hacked Iranian hackers, then used the Iranians' tools and infrastructure to attack victims in more than 30 countries. The US National Security Agency and the UK National Cyber Security Centre, which jointly uncovered the technique, warned that this was a new tactic, used to create confusion and lead high-profile victims to blame other known bad actors. It would be very easy for espionage groups from Russia, China and other adversary nation-states to use a similar approach against US entities, making Iran appear to be the aggressor. That would escalate tensions with Iran, and the whole cyberwar cycle begins again.
How can you prepare for the unknown attack?
This may have been the first such alert, but it certainly won't be the last. When a conflict is government against government, the path of revenge is more likely to run government against corporation. CISOs need to ensure their security teams are prepared for a nation-state cyberattack and able to react immediately. The processes and technologies in place need to assume the worst can happen at any moment. Unlike most cybercrime, these attacks are not about financial gain. They are designed for business-value destruction, whether that means destroying an oil field or taking down a financial giant. Nation-state attacks are conducted with a much higher level of sophistication than those of a cybercrime ring: military-grade attacks, as opposed to the mob-grade attacks most organizations already have defenses in place for.
What's needed are systems that are resilient and adaptable to these more sophisticated threats, meaning they can withstand a compromise, or be restored quickly after one. Technologies such as AI can play a role here, helping to detect an attack earlier and to recover systems faster if the worst does happen.
In this new reality, organizations need to accept that their business could become a casualty of war. The Iran strikes were a warning that we need to come up with ways to be better prepared for the unknown.
I hope this state of heightened alert isn't the new normal, but we have to accept that it could be. With the start of 2020, CISOs and their teams need to be armed and ready with every tool in their arsenal to face more sophisticated attacks.