EPISODE IV – Getting to Pre-Active
23 JUN 2016
Welcome to Episode IV! Much like in Episodes II and II.5, where I applied a modified Weinberger-Powell Doctrine to cyber security issues, in Episode IV I will again borrow an existing model from another industry (strategic communications) and do the same.
Reading note: Regrettably, I cannot give credit to the person I learned this from, as much as I would like to. I was taught this model in a non-attribution forum, so those rules still apply. I will simply say that this person is a strategic communicator who has been around the block and was one of the most impressive speakers I have been fortunate enough to meet. Should I ever get permission to identify them at some future point, I will modify this post to reflect that.
I thought this strategic communications model could apply very well to cyber security because strategic communications was defined as a capability, and your personal “environment” determined how powerful that capability would be.
Similarly, the strategic communications domain was further defined as a battle space of information, where old “weapons” (such as press releases) had little applicability.
Furthermore, the “new normal” of this domain is uncertainty. As a result of this uncertainty, the actors (people and organizations, and in the case explained to me, governments specifically) would act in one of four different ways:
- Embrace the uncertainty and make the best of it;
- Avoid the uncertainty, because they have experienced uncertainty in the past and do not want to relive the experience;
- A “go with the flow” mentality (think stuck in the middle of the water with currents taking you in different directions, but you are at least aware that you are being taken in a certain direction by the waves); and finally
- Waiting and watching…and then “the wave” comes crashing right on top of you, leaving you with no capability or capacity to act accordingly.
All of this so far sounds pretty familiar to another domain to me. Want to guess which domain I am thinking of?
The communications domain was further defined like this:
- There is more going on beneath the ground than most of us can see above ground;
- Whether you like it or not, you have to make an active effort to hunt down and kill off everything that looks wrong;
- If you can’t kill what is wrong, you have to find ways to constantly correct what is wrong; and
- Within every event, you need to investigate what role a possible third-party is playing.
All of these characteristics, I believe, apply to the cyber domain. There were even more parallels. But the way the communications domain was defined made me think “this looks pretty darn close to the cyber domain.” Therefore, I thought it would be interesting to apply the “four strategic communication environments” to the cyber domain, as I have been for some time now in private sector work.
One key concept to keep in mind: in the communication domain, “information communication is warfare,” and if you treat it any other way, you have already lost. For those with more interest in the subject, I highly suggest the book Disinformation by Lt. Gen. Mihai Pacepa, a former member of the secret police of Romania and one of the highest-ranking defectors ever from the Eastern Bloc. Some may question the truth of the stories, but put that aside and focus on the information warfare techniques that were used by the Soviets. Much like in the cyber domain, almost everything seems to have been fair game.
The Four Strategic Communication Environments
Reading note: I have added to each environment the position of the enemy, to compare and contrast where you would be versus where they would be.
- Passive Communications: You are “responding to a query.” In other words, you are waiting. Enemy’s position: This is one of the most fatal positions for you; your enemy will have a field day to the point that they may be tap dancing on your head and you will not even realize it.
- Reactive Communications: A posture that puts you on the defensive. Effectively, you know “something” is coming, but you are not necessarily prepared for it. Enemy’s position: Your enemy is coming for you, but at least you can put up a fight. But the result of the battle remains highly unknown.
- Proactive Communications: You know definitively that “something” is going to happen. You have a pretty good idea of what it is too, so you want to get ahead of it. In other words, you want to be the one defining the message. Enemy’s position: Your enemy, for whatever their reasons, has tipped you off as to what their strategy is; sloppiness on their part, good intelligence on your part, does not matter. You know something is coming. Therefore, you adjust accordingly and beat your enemy to the punch. In this environment, you can still expect a fight, but you are in a much better position to win.
- Pre-active Communications: You figure out what that “something” will be before it even happens. In a sense, some may think this means you have a crystal ball or are reading the tea leaves. But if you are operating in this environment, the truth is that you have highly advanced situational awareness. This is the most attractive posture, because you are effectively ahead of the enemy and are forcing them into a reactive posture. Or, put another way, you are inside your enemy’s head…and they may not even know it. Enemy’s position: Not very good for your enemy. You are ahead of them and have effectively boxed them into a reactive position. And if your situational awareness is “that” good, you have effectively put yourself inside your enemy’s head, with them unaware of what is going on. That may be the polite way of saying that you are manipulating your enemy to your own advantage.
Applying to Cyber Security
The above environments have much to do with situational awareness, so I thought that when applying them to cyber security, it would be best to view them through a “cyber awareness” lens. The result would be an attempt to assess which environment you are operating in. As above, I have also added the position of your enemy.
- Passive Cyber Awareness: You believe you are not affected by cyber security issues, or worse, have the naïve belief that whatever you have protecting you is good enough. Enemy’s position: Your enemy is in a position to cause you catastrophic damage. You can be affected by anything, ranging from ransomware to intellectual property theft to damage to your reputation.
- Reactive Cyber Awareness: Call this your “basic protection” environment. You are aware that cyber security is an issue you should be concerned about, but are not really sure how to deal with it. So you farm out decisions to IT personnel and firms, thinking that they know best, and leave it to them. Enemy’s position: Your adversary, if knowledgeable (and they are), will know what the latest defense measures are. They will use things such as Advanced Persistent Threats, spear phishing campaigns, and so on to try to chip away at your system. Similarly, they will take advantage of the human element for their benefit. The problem for you in this environment is that you are always behind, chasing the problem, without a really good understanding of it.
- Proactive Cyber Awareness: In this environment, you have moved to more sophisticated measures, perhaps using best-practice models and tools. You may have an in-house threat intelligence center, be employing real-time monitoring, and be using some of the best techniques out there today. (Reading note: I won’t list what my beliefs are here, as that could open up a debate not necessarily focused on this conversation. Similarly, different jobs require different techniques; there is no “one-size-fits-all” solution here.) Enemy’s position: You and your enemy are going at it pretty good, exchanging punches, but you are holding your own. It may be difficult to ascertain your enemy’s motivations, though. You know you’re fighting, you know what your enemy is going after, but you may still not be sure about a few things, such as: is this really the enemy, or is there something else behind it? And I know they’re trying to “steal my stuff,” but for what reason? Is it as simple as theft, or are they trying to manipulate something else?
- Pre-active Cyber Awareness: The best way to characterize this environment, I believe, would be to say that you are playing a game with your adversary. You know who they are, you know what their motivations are, you know what they are going after, and you begin to toy with them. Whether you believe these stories or not, this environment is akin to planting fake Concorde plans so that the Tupolev Tu-144 has a series of issues (because you knew the Concorde plans were about to be stolen, but didn’t want to tip off that you knew). For the truly curious, I suggest looking into the Siberian pipeline sabotage of the early 1980s. The alteration of software in the sophisticated control systems is not really the story; the story is how the Americans knew that the Soviets would try to acquire the technology from the Canadians and what the response to that was. In essence, you are making your enemy waste resources on something that will lead them nowhere. I am not sure anybody is here in the cyber domain yet (at least publicly). Enemy’s position: If you do this right, your enemy will be perpetually cursing you. That’s a good place to be, but don’t get sloppy or lazy, because payback may hurt.
So, my question is: in which of the four environments, from a cyber awareness perspective, are you? In a perfect world, you would like to get to Pre-Active, but I would suggest to you that the majority of us are operating in the Passive or Reactive environments. Feel free to discuss and comment!
That’s all for Episode IV. See you in Episode V (no, you will not see the Cyber Emperor’s face for the first time…we are still trying to figure out who that is!).
As always, a huge THANKS to all those helping to spread the word!