During the last quarter of this year I had a lot of talks with CISOs and CIOs from major European companies about the impact of cyber warfare on their organizations.
Most of them refused even thinking about the impact of cyber warfare, which I can absolutely understand since most of them are not working in the defense industry and thinking about warfare is nothing we like to do. Nevertheless I feel that everybody should be encouraged to think about this topic and what it means to civil organizations in general.
Remember the latest press releases about Stuxnet, Duqu and Flame. What was / is the difference between cyber warfare and traditional war concepts.
The main difference – and that is what makes it so important to me – is that collateral damages can never be linked directly to the armed conflict. In traditional warfare concepts you will always be able to see the collateral damage caused by a bomb. You will see it on TV. You will see it in the press. You will hear it on the radio.
With cyber arms no one really knows who fired the gun – remember distributed attacks – and who is the target. Companies or organizations experience that they are hit by a serious attack but never know if they have been really the target. They just feel like it.
But what does that mean to civil organizations and companies?The situation regarding cyber attacks is heating up. We increasingly see serious attacks which are linked to those three “governmental” viruses (Stuxnet, Doqu, Flame) or experience malicious code like the trojan code built by the German government, called the “Staatstrojaner”. After Stuxnet we saw a huge number of organizations that had security incidents linked to Stuxnet which underpins the opinion that the company might experience a collateral damage without even knowing that it is the result of a (cyber) armed conflict. One nationstate might attack the other using cyber arms turning off the light in small and medium businesses in other, not in this conflict involved, countries, disturb operations in hospitals and so forth.
In the future companies need to built their own “cyber shield” to protect themselves against this kind of “advanced persistent threat”. In case of Stuxnet, Duqu and others we can learn that these intelligent pieces of code have been distributed in a way where traditional concepts like IDSes, IPSes and firewalls have been useless. Distribution was done using eMails, USB sticks, removable media and other very simple vehicles. They did not cross traditional company borders.
The conclusion is: Perimeter security does not work anymore and companies need to rely on safeguards they will have to put around individual assets. We arrived at the absolute need to create asset based security mechanisms instead of big walls! This is another reason why I believe: We reached security 2.0! We need to change the way we are doing security. I absolutely know that I do not meet everyone’s opinion of this serious topic but nevertheless I encourage you to discuss it with me and discuss what you feel what security should look like in the future. Maybe I am wrong. Convince me if I am wrong!