Michael D. Moberly
Language used to describe ‘cyber’ is described, i.e., terms, concepts, and ramifications, adverse effects, etc., have blown past earlier language applied to computer – IT system security that I and colleagues used in university courses in the mid-1990’s. The realities, risks, and adverse effects of cyber-attacks and cyber-warfare have received much warranted public attention in the past 24+ months.
What had traditionally been characterized within the computer-IT security arena as largely defensive actions (products, services, etc.) to prevent, mitigate, and/or be alerted to vulnerabilities and infiltrations (breaches) by largely ‘legacy free’ hackers and/or economic-competitive advantage adversaries has undergone substantial transition to be correctly portrayed as (being more) persistent, targeted, and stealthy incursions on a system-wide basis with the criticality becoming utterly devastating.
The amounts-levels of information and data being sought by economic and competitive advantage adversaries, was, in many instances, quite vulnerable as it was stored in open source conditions, thus becoming the proverbial ‘target rich environment’ which could be readily infiltrated 24/7/365 . The adversaries were – are rapidly growing legions of variously organized, aligned, and legacy free predators operating in the economic, competitive advantage, and information brokering arenas which have become receptive to state sponsorship.
The global business community and accompanying national infrastructure are now confronting a third generation-iteration of variously independent predators – brokers of economic-competitive advantage information and data. We can be assured this current generation of information-data predators and brokers are well versed in the economic fact – business reality that 80+% of most company’s value, sources of revenue, and competitive advantage derive from intangible assets, i.e., primarily intellectual, relationship, and structural capital. Resonate, sound familiar?
However, the language – terminology, i.e., cyber-security, cyber-attacks, cyber-warfare, etc., now common components to the discourse, may well be distinctions without a difference, at least in my judgment.
Obviously, there can be disagreement. Especially, given the gravity, consequence, scope, at will execution, stealth, and asymmetric features of today’s cyber-predator’s. After all, many possess, or can readily form relationships, resources, and upgrade technologies to destroy data, deploy various types of malware, or siphon (extract) specifically targeted data-information. Their motivations, rationales, and objectives have become variously more menacing, disturbing, and threatening, e.g., to undermine – bring into question validity and soundness of long held – assumed intangibles integral to a company, organization, agency, and/or any one of the various pillars to the U.S. national infrastructure.
What troubles me most about terms such as cyber-warfare and cyber-attacks, is the inference that ‘all things evil’ have come to originate in adversarial – malicious use of computer – IT system(s). What’s more, they can originate from afar, be largely anonymous, state sponsored, or merely the product of growing numbers of organized and sophisticated actors acting complicity with economic-geo-political-ideological adversaries to the U.S.
The well intentioned and warranted alarms routinely being sounded regarding the inevitability of executing large scale – multi-pronged cyber-attacks that manifests as cyber-warfare are indeed warranted and certainly worthy of being on every c-suite agenda globally. I seek not to dispute nor diminish either’s significance. After all, the cascading havoc to any nation’s infrastructure created by a single offensive cyber strike-attack, we must recognize, could be incalculably cataclysmic and potentially border on irreversibility absent equally strong counters in the form of organizational redundancy and resilience.
There are, to be sure, discussions – debates on-going throughout public-private c-suites globally regarding the most effective expenditures, strategies, and/or practices to mitigate and become more resilient (organization-wide) to the persistence of cyber risks. I believe, quite strongly, that most notions of actually-preventing cyber-attacks, conceptually or practically, for an organization have been superseded, and instead, focus time-resources to mitigating adverse cascading affects and becoming more resilient. Respectfully, only the uninformed and unfamiliar would assume prevention remains a viable course of action or option.
Insofar as the primary-dominant pillars comprising the U.S. infrastructure are concerned, we, as a nation, are obliged to recognize that the U.S. is distinctive from many other countries, that is, many of the pillars to its national infrastructure, i.e., finance, healthcare, transportation, etc., are generally privately held and operated unlike numerous other countries. So, decisions about safeguarding, mitigating risks, and achieving more resilience for organizations-companies’ intangible assets lies with the leadership of those entities whom we trust are operationally familiar with the universal economic fact that today, and for the foreseeable future, 80+% of most company’s value, sources of revenue, competitive advantage, and sustainability lie in – emerge directly from intangible assets.
I believe today, it is more effective to encourage companies and organizations to focus on a defensive mode consisting of monitoring, mitigating, containing, and repelling. Of course, this multi-dimensional strategy encourages companies to recognize the various types, levels, and criticality of risk before they materialize which presumably can manifest as relevant deterrence and not be a precursor to (risk) escalation. Otherwise, it will surely cause CSO’s (chief security officers), CISO’s (chief information security officers), CIPO’s (chief intellectual property officers) and certainly legal counsel to routinely lose sleep.
Michael D. Moberly July 25, 2017 firstname.lastname@example.org ‘A business intangible asset blog where attention span really matters’!