Michael D. Moberly July 25, 2017 email@example.com ‘A business intangible asset blog where attention span really matters’!
In the recent 24+ months, the realities and adverse effects of cyber-attacks and cyber-warfare has received much warranted attention. This attention, along with accompanying descriptive language, i.e., terms, concepts, and ramifications, outcomes, adverse effects, etc., which has, in many respects, blown right past previous language used to computer – IT system security breaches I and others were initially applying in our university academic courses in the mid-1990’s.
What had traditionally been characterized within the computer-IT security arena as largely defensive actions (products, services, etc.) to prevent and/or mitigate vulnerabilities and infiltrations (breaches) by largely ‘legacy free’ hackers and/or economic-competitive advantage adversaries was undergoing substantial transition to more persistent, targeted, targeted, and stealthy incursions in on a system-wide basis. In other words, the amounts-levels of information and data being sought by economic and competitive advantage adversaries, was, in many instances, quite vulnerable as open source and became the proverbial ‘target rich environment’ which could be readily entered 24/7/365 by rapidly growing legions of variously organized, aligned, and legacy free predators operating in the economic, competitive advantage, and information brokering arenas which were becoming receptive to state sponsorship.
In my judgement, the global business community and accompanying national infrastructure are now confronting a third generation-iteration of variously independent predators – brokers of economic-competitive advantage information and data. We can be assured this current generation of information-data predators and brokers are well versed in the economic fact – business reality that 80+% of most company’s value, sources of revenue, and competitive advantage derive from intangible assets, i.e., primarily intellectual, relationship, and structural capital. Resonate, sound familiar?
However, the language – terminology, i.e., cyber-security, cyber-attacks, cyber-warfare, etc., now common components to the discourse may well be distinctions without a difference?
Obviously, there can be disagreement. Especially, given the gravity, consequence, scope, at will execution, stealth, and asymmetric features of today’s cyber-predator’s. After all, many possess, or can readily form relationships, resources, and upgrade technologies to destroy data, deploy various types of malware, or siphon (extract) specifically targeted data-information. Their motivations, rationales, and objectives have become variously more menacing, disturbing, and threatening, e.g., to undermine – bring into question validity and soundness of long held – assumed intangibles integral to a company, organization, agency, and/or any one of the various pillars to the U.S. national infrastructure.
What troubles me most about terms such as cyber-warfare and cyber-attacks, is the inference that ‘all things evil’ have come to originate in adversarial – malicious use of computer – IT system(s). What’s more, they can originate from afar, be largely anonymous, state sponsored, or merely the product of growing numbers of organized and sophisticated actors acting complicity with economic-geo-political-ideological adversaries to the U.S.
The well intentioned and warranted alarms routinely being sounded regarding the inevitability of executing large scale – multi-pronged cyber-attacks that manifests as cyber-warfare are indeed warranted and certainly worthy of being on every c-suite agenda globally. I seek not to dispute nor diminish either’s significance. After all, the cascading havoc to any nation’s infrastructure created by a single offensive cyber strike-attack, we must recognize, could be incalculably cataclysmic and potentially border on irreversibility absent equally strong counters in the form of organizational redundancy and resilience.
There are, to be sure, discussions – debates on-going throughout public-private c-suites globally regarding the most effective expenditures, strategies, and/or practices to mitigate and become more resilient (organization-wide) to the persistence of cyber risks. I believe, quite strongly, that most notions of actually-preventing cyber-attacks, conceptually or practically, for an organization have been superseded, and instead, focus time-resources to mitigating adverse cascading affects and becoming more resilient. Respectfully, only the uninformed and unfamiliar would assume prevention remains a viable course of action or option.
Insofar as the primary-dominant pillars comprising the U.S. infrastructure are concerned, we, as a nation, are obliged to recognize that the U.S. is distinctive from many other countries, that is, many of the pillars to its national infrastructure, i.e., finance, healthcare, transportation, etc., are generally privately held and operated unlike numerous other countries. So, decisions about safeguarding, mitigating risks, and achieving more resilience for organizations-companies’ intangible assets lies with the leadership of those entities whom we trust are operationally familiar with the universal economic fact that today, and for the foreseeable future, 80+% of most company’s value, sources of revenue, competitive advantage, and sustainability lie in – emerge directly from intangible assets.
Today, I believe it is more effective to encourage companies and organizations to focus on a defensive mode consisting of monitoring, mitigating, containing, and repelling. Of course, this multi-dimensional strategy encourages companies to recognize the various types, levels, and criticality of risk before they materialize which presumably can manifest as relevant deterrence and not be a precursor to (risk) escalation. Otherwise, it will surely cause CSO’s (chief security officers), CISO’s (chief information security officers), CIPO’s (chief intellectual property officers) and certainly legal counsel to routinely lose sleep.