Michael D. Moberly, Principal, Founder, kpstrat
Readers are encouraged to consider, merely for comparative purposes, present-day targeted ransomware attacks, which typically combine (1.) seizure of IT systems and the business functions that depend on them, (2.) extraction of proprietary data, and (3.) holding both hostage to await a ransom payment in a cryptocurrency such as bitcoin.
Businesses are experiencing ransomware (cyber) attacks which, by design and upon execution, hold a component of the U.S. national infrastructure hostage, much of which is privately owned.
Practically speaking, when one targeted, company-specific component goes ‘offline’ (through necessary shutdowns, slowdowns, etc.) for even a short period, other components that depend on it, i.e., supply and distribution chains and the consumers they serve, are likely to be adversely affected and experience disruptions, as has been repeatedly evidenced.
Understandably, the practical emphasis today among potential target companies of ransomware attacks appears to be to isolate the attack as rapidly as possible and to mitigate disruptions to business-side operations…
- which, we are obliged to acknowledge, can materialize further as risks to reputation and to the other intangible assets a company holds, assets that are operationally embedded in its products, services, and culture.
Conceivably, ‘cyber ransomware attacks’, as they routinely materialize, are akin to the 1960s cold war era perspective on deterrence, i.e., MAD (mutually assured destruction), in that their intended effect is paralysis of the target company’s IT-dependent functions.
The premise that MAD serves as a deterrent to a ‘first strike’, and to irrational escalation into a ‘second’ or retaliatory strike, and hence to all-out nuclear war, rests on combatants recognizing that…
- the destruction achievable by a ‘first strike’ matters less when the adversary’s ‘second’ or retaliatory strike capability will be equally devastating, i.e., indeterminate and irreversible destruction and paralysis of the target country’s infrastructure and large-scale loss of life.
To dismiss either recognition essentially destines competing nuclear-armed governments to presume it is their (fiduciary) responsibility to…
- develop nuclear arms delivery capability and capacity sufficient to assure that ‘mutually assured destruction’ strike capabilities exist,
- irrespective perhaps of which country, government, or military strikes first, or when, how, from where, or why it does so, with its full nuclear arsenal or a subset thereof, which presumably
- emerges from the belief or perception that the adversary country possesses the capability to retaliate comparably, irrespective of the destruction imposed on it by the first strike,
- with the result that destruction of both countries would be ‘mutually assured’.
Ransomware (cyber) attacks are, by design and intent, extortion attempts, whereby arrays of global adversaries and criminals have…
- the capability, at will, to access and abduct particular (tangible and proprietary) data assets,
- held by a company, organization, and/or institution, and
- hold those assets for a demanded ransom, payable in digital currency,
- under threat of releasing them to open (online) sources if payment is not received accordingly,
- hence the presumed economic, competitive, and reputational destruction of a target company that elects not to pay.
In these circumstances, as they repeatedly materialize today in the U.S. and elsewhere, the victim business’s options and choices are, in most known cases, framed narrowly, i.e.,
- accept the potential of irreversible public exposure and loss of extraordinarily valuable, competitive-advantage, proprietary, reputational, and (mission essential) operating data, or
- pay the ransom and hope to move on in the coming week, which also entails
- the data owner’s dubious presumption that the criminals who accessed, acquired, and ‘stored the company’s proprietary data elsewhere’ (for ransom)
- have left those assets fully intact, i.e., untampered with, throughout the ‘threat, ransom receipt, and negotiation’ period. Readers will recognize the dubiousness and risk of such assumptions!
For some leaders, investors, and stakeholders, these options, presented in this manner, may well be considered ‘boardroom no-brainers’, i.e., assume the ‘near term’ reputational risks that will inevitably materialize, ‘pay the ransom’, employ communication and social media strategies to downplay adverse impacts, and prepare to ‘ride out the storm’.
Important realities associated with ‘global ransomware cyber-criminal attacks’ are that the options and choices businesses are suddenly confronted with (at keystroke speed) in order to mitigate them are…
- becoming increasingly complicated (politically, ideologically, economically, and competitively) and are embedded with various shades of gray and residual risk, all of which can and does
- affect a business’s intangible assets, on which most businesses, whether they recognize it or not, are reliant and dependent, i.e.,
- various forms, contexts, and applications of intellectual, structural, relationship, reputation (brand), and operating culture capital.
kpstrat argues that these ‘sorts of scenarios and perspectives’, variously held by ‘the cyber attackers’ and essentially acquiesced to by the ‘company victims and targets’, are unsustainable and carry various prospects for devastating outcomes…
To date, there are no ‘open source’ indications of which I am aware to suggest cyber ransomware attacker entities/groups may be receptive to civil, rational thought aside from…
- inflicting the risk,
- maximizing credence of the risk, i.e., public release of stolen, reputationally harmful data, and
- assuring their ‘crypto’ ransom payment on time.
Of particular concern today, and going forward, are private sector (business) targets of paralyzing cyber ransomware attacks whose existence, i.e., the production, sale, and delivery of specific products and/or services, is…
- designated as essential to, or contributing to, ‘national infrastructure’,
- the sustainability, defensibility, and resiliency of which can thereby be put at risk.
Of course, the particular processes, services, and products of U.S. businesses that are identified as essential contributors to national infrastructure exist in various shades and states of obviousness.
An unfortunate reality is that most IT systems…
- can be surreptitiously scrutinized (from afar) for vulnerabilities that afford entrée to, acquisition of, and transfer of proprietary and reputationally distinctive data, for purposes of theft and sale to the highest bidder and/or to be held for ransom.
Cyber criminals’ capability to differentiate and assess target businesses by their information (intangible) assets’ relevance to (a.) a country’s national infrastructure and (b.) the target’s near-term reputation risk and sustainability means, e.g., that a ransomware cyber-attack will…
- slow, limit, and/or temporarily deny access to particular goods, products, and/or services, which in turn will
- adversely influence the near-instantaneous reactions of the public, consumers, supply chain partners, government officials, agenda-driven politicians, and scores of media pundits.
Targets of cyber ransomware attacks can be differentiated and selected at will by global adversaries, e.g.,
- independent criminal operations which may (variously) be state sponsored, encouraged, and/or ‘purposefully overlooked in plain sight’, while
- others may be predatorily aggressive economic and competitive-advantage adversaries.
kpstrat encourages business leadership to avoid focusing on, or dramatizing, who the culprits may be and where they reside.
Instead, kpstrat urges business leadership to seek objective recognition of why adversaries may determine a particular business would be a ‘vulnerably lucrative’ target for a ransomware cyber-attack.
Through kpstrat’s lens, a company’s decision to pay or not pay an (anonymized) ransom to criminals who have successfully executed a ransomware cyber-attack, as the precondition for the return of proprietary, mission essential data assets,
- often encompasses arrays of intangible considerations and issues, e.g., the potential for, and likelihood of, interpretation and reaction by inter-connected consumers, stakeholders, investors, insurers, partners, suppliers, clients, and assorted influencers and media pundits, etc., and,
more specifically, the various ways either decision may (tangibly or intangibly) influence a company’s value chain, e.g.,
- competitive stature, goodwill, image, brand, and reputation, etc., and
- fiduciary obligations, i.e., recognition, preparedness, and mitigation of particular risks to product and service quality and sustainability, which can include
- the attractiveness of, and value attached to, buying, holding, or being associated with the victim company’s products and/or services, in the near term and going forward.
Policy and practice recently conveyed by various U.S. Attorneys (in response to cyber ransomware attacks on critical infrastructure companies) introduce more complexities and pressures for (private sector) decision makers of national and critical infrastructure companies, e.g., that…
- ransom payments are the fuel that propels the digital extortion engine, and
- there is a need to render cyber-attacks more costly and less profitable for criminal enterprises, and that
- the use of cryptocurrency to launder these transactions, and new financial technologies that attempt to anonymize (ransom) payments, will not provide a curtain from behind which criminals will be permitted to pick the pockets of hardworking Americans; and, as an
- experienced cyber security professional recently advocated…in the Bitcoin era, the only way we are going to be able to strike back against that, as an entire society, is by making it illegal (for companies to pay ransom to cyber criminals)…that is going to be really tough for the first companies to get hit; once it’s illegal to pay (ransom), those companies are going to be in a very tough spot, and we’re going to see a lot of pain and suffering…
Public (government) pronouncements such as these, while appropriate and necessary to influence action and convey an administration’s position, perhaps also are…
- perspectives which victim companies of ransomware attacks are (perhaps fiduciarily) obliged to consider insofar as framing and deciding what to do, how to respond, and when to respond, etc.,
- probably irrespective of perceptions or realities of the cyber criminals’ ‘land-based’ origins, or of whether they are (directly, indirectly, or passively) state sponsored or merely convenient networks of independent operators.
Company leadership, when confronted with and recognizing the vulnerability of their business’s near-term sustainability to cyber-attacks, will likely face tougher, more complex, and more variable (intangible-laden) decisions…
- not the least of which will be the ways in which consumers, investors, insurers, competitors, and various government entities may be influenced to act or react toward companies, products, and/or professional services in which cyber-attacks have materialized.
One likely outcome, should cyber ransomware attacks proliferate further, as expected, is that more businesses, especially those with national or critical infrastructure roles…
- will be influenced to assume the costs of shoring up their internal (cyber) defenses and alerting, which may also include…
- negotiating a restructuring of cyber insurance policies and coverage, and
- demanding specific (law) enforcement and investigative support,
- not unlike what emerged in the mid-1990s with the initial proliferation of ‘computer initiated and facilitated criminal activities’.
Readers of the ‘Business Intangible Asset Blog’ are invited to examine papers, books, and other blog posts available @ https://kpstrat.comblog.