It’s nothing we don’t already know: cyber threats still hold the potential to disrupt a wide berth of policy areas from national security, public health and safety, foreign relations and economic stability. Regardless of today’s advanced technological countermeasures, military and government departments still feel the pain in implementing and maintaining security frameworks, primarily in instituting strategic planning and timely implementation of countermeasures. With limited resources, budget, and skills, organizations are often faced with trade-offs and competing priorities when addressing cyber threats that continually outpace legislation.

Why are cyber threats still a growing issue despite the billions spent countering it?

Fluidity is one reason. By the very nature of technology, these threats span semantic and syntactic attacks (data theft and data modification) and malicious damage to critical systems and evolve faster than organizations can operationalize responses. In recent years, attacks have become increasingly sophisticated through the use of emerging technologies, complex planning and multi-factored approaches that expanded to incorporate investigative and social engineering.

Hear from military personnel what Canada needs to enhance its C4ISR capabilities. Click on the logo below

C4ISR

The result has been hard-hitting, asymmetrical threats with mounting costs to the global economy. In the 2014 report, Net Losses: Estimating the Global Cost of Cybercrime, MacAfee and the Center for Strategic and International Studies’ estimated that the global annual cost of cyber-crime was between $375 billion and $575 billion.

However, for military and defence organizations the damage that cyber threats could potentially wreak go beyond the financial costs.

Members of HMCS Fredericton perform their duties during an emergency stations exercise during Operation Reassurance on February 11, 2016
Members of HMCS Fredericton perform their duties during an emergency stations exercise during Operation Reassurance on February 11, 2016

Threat complexity is another reason for some stalled efforts. The term cyber threat and similar terms, such as cyber crime, are broad in their definitions and are more than the theft, modification or destruction of sensitive information. They encompass unauthorized access to any device, system, network or infrastructure with illegal or malicious intent, ranging from theft of emails to blackmail, embarrass or discredit to the distribution of persistent malware to gather credit card numbers. When viewed at this level, it becomes obvious cyber security requires more than technological solutions to protect assets, control access and limit damage and risk.

As well, organizations tend to view cyber threats as a local phenomenon and within silos; however, from trusted partners to the general public, all systems are interconnected making cyber threats a global concern. But the foundational ‘human’ reason that cyber threats persist is that no single threat event has penetrated cross-sector and with a significant, long-lasting impact, enough to evoke a massive change in approach and behaviour.

Threat and domain knowledge, rather than technological solutions, hold the keys to establishing the agility, intelligence, information sharing and balancing of offensive and defensive action required in the security planning and analysis phases.

Cyber-threats: assessing assessments

Regardless of their technological sophistication, attacks normally follow a similar process: identifying the target (reconnaissance), identifying the vulnerabilities (scanning), gaining access (access and escalation), exploration and laying in wait (exfiltration and sustainment), the attack (assault) and then the clean-up (obfuscation) or sometimes a calling card. Understanding this process allows for layered countermeasures for prevention, response, circumvention and enabling of in-depth threat assessment and analysis.

Many organizations have relied on threat reports (advice, bulletins, etc.) and threat risk assessments to analyse and internally communicate cyber threats, with limited success. The problem with these tools? One-way communication tools often lack sufficient background information and are generally ineffective in influencing immediate, informed action and most threat-risk assessment methodologies, such as the Harmonized Threat Risk Assessment, tend to emphasize risk more than the actual threat, which abbreviates analysis and intelligence formulation.

Read more from the Feb-Mar 2016 Vanguard issue:

Threat risk assessment approaches are still relevant, especially where threat, risk, asset, and vulnerability are still central to analysis activities. However, threat definition, the overall degree of harm, single and all-hazard approaches, pre- and post-event analysis and classification of event data to develop useful intelligence need to be better elaborated in these assessments. More importantly, threat risk assessments need to be a viewed as a recurring program activity, not a one-time event that is initiated only when an environment changes or when a breach occurs.

In the context of threat risk assessments, the following sections examine three of the above six areas – threat definition, the overall degree of harm and single and all-hazard approaches. As well, cross-sector, cross-departmental communication will be referenced as a horizontal activity.

Threat definition: battles define the war

In the Art of War, Sun Tzu said, “… if you know your enemies and know yourself, you can win a hundred battles without a single loss”. He also made the distinction between war and battles, as should military and government executives when in strategizing against cyber threats. Along with this, it is important to acknowledge that behind every piece of code there is a human (for now) and technology is not the actual threat, nor is it the only measure in devising the solution.

A member of Bravo Company 3rd Battalion Royal 22e Régiment fires a C9 light machine gun during the final assault during Exercise RAFALE BLANCHE in Valcartier
A member of Bravo Company 3rd Battalion Royal 22e Régiment fires a C9 light machine gun during the final assault during Exercise Rafale Blanche in Valcartier

By moving away from risk-based approaches, where technology and its implications constitute the tactical threat, to adopting a strategic approach in threat-based analysis, the focus shifts to profiling actor characteristics and understanding their capabilities and means (knowledge and information, skills and technology to exploit a vulnerability), intent (interest in the target and its assets) and degrees of harm. The benefit in the detailed profiling of threat actors and the rejection of homogenized terms, such as ‘hacker’ or ‘espionage’, allows for the collection of information that can be analysed into usable intelligence and epistemological contexts.

Having a communication and collaboration strategy with stakeholders allows for compounding  historical intelligence to improves prevention, detection and response processes that will rapidly close ‘command and control’ of active threats. Incorporating communication and collaboration with stakeholders as a horizontal process is analogous to strategically immunizing against disease to eradicate it in an entire community compared to handing out vaccines to just one neighbourhood.

Overall degree of harm: it’s not just data

While the degree of harm is crucial to establishing risk, identify appropriate countermeasures and closing gaps and addressing vulnerabilities, assigning it is complex.  Analysts are required to hypothesize scenarios of an exploit and its immediate and downstream impacts; the tendency to associate with harm with cost (dollar value) of replacement and recovery and ignore physical harm in this process is always a risk.

Hacker code free for commercial use no attribution required

While immediate impacts may be the loss of data loss, loss of reputation and credibility, the broader, secondary impacts may result in financial, economic, competitive or national security implications; physical harm or loss of life may also emerge as an impact.

For example, contamination of water source may present a primary impact of physical harm or loss of life but loss of credibility and economic stability may emerge as long-term impacts. Broadening analysis and soliciting in-depth detail on immediate and long-term impacts help define effective and prescriptive countermeasures that harden environments based on their harm potential.

Single versus all-hazards approaches

All-hazards approaches were mostly encountered with disasters management, such chemical spills or an energy plant fire due to a natural disaster. These static elements that make an all-hazards approach a reasonable means to manage and mitigate certain types of emergencies and events. However, where cyber-threats are by nature much more fluid and unpredictable due to unknown, and sometimes never known, actors and evolving technologies, single-hazard approaches should be explored and tested.

Single-hazard does not imply that for every threat type there is a custom approach; single hazard approaches should have a mandatory foundation of characteristics and optional characteristics that allow for a properly designed security response – and might best be renamed as cyber-hazard. A cyber-specific approach to the impacts of cyber threats would assist in overall agility, performance measures and would convey a means to collect information and enact appropriate processes while maintaining those that are repeatable.

There is no silver bullet

While it is appropriate to question whether we clinging are to what used to work because the prospect of starting anew is monumental but to throw away old axioms in favour of new ones, is only prudent if they are well-researched and designed and governed by effective policy.

At the preventative layer, the benefits of adopting cross-sector strategies strengthened by in-depth analysis that addresses detailed loss and impact will outweigh the commitment of resources and investment in the long run. Renewal should start with new practices, not best practices, that target behavioural change and enhanced capabilities and tools, processes and skills should be assessed to ensure they align with strategic end goals. Realizing the value of efforts at the tactical level starts with an agile security foundation and a communications framework for sharing vulnerability and recovery information.

As mentioned earlier, fighting a global threat with a local response is neither smart nor effective. Successfully preventing, detecting, identifying and disabling these complex threats will require global perspective in formulating responses and actions that are scalable to cross-sector stakeholders and the global community.

Valarie Findlay

Valarie Findlay has over decade of senior expertise in Canadian federal government and is President of HumanLed, Inc. (www.HumanLed.com). She is currently developing the Threat Information Gathering and Incident Reporting System (TIGIRS) and its algorithm, with Alphinat and their SmartGuide solution. She has also produced research papers and preliminary studies on cyber-terrorism, security capabilities and vendor markets in Canada and recently her dissertation, “The Impact of Terrorism on the Transformation of Law Enforcement“. She has a masters degree in Terrorism Studies and is currently working on her doctoral thesis, the sociology of terrorism and the Elias’ process of civilisation. She can be contacted at: vfindlay@humanled.com