Michael D. Moberly
A significant transition in language has occurred, away from the mid-1990’s computer/IT security language that primarily emphasized defense, prevention, containment, and criticality mitigation to address vulnerabilities and infiltrations.
The terms now widely used to describe, at least what I believe, are similar phenomena, are cyber-security and cyber-warfare. The distinction between the two is that the latter is generally presumed to occur on a larger scale, with greater frequency, sophistication, and asymmetric elements, which can destroy, deploy malware, or siphon (extract) specifically targeted intangible assets from a single company and/or a ‘pillar’ of our national infrastructure literally, in nanoseconds.
What troubles me most about this ‘language change’ is that the term cyber-warfare particularly, comes with the inference that ‘all things evil’ to a companies’ computer/IT system(s) emanate from afar, that is primarily (foreign) state sponsored, non-state actors, or the growing numbers of global legacy free players. Let’s be clear, I am in no way questioning whether either of the above are regular, if not the primary initiators, as there is ample evidence (anecdotal and otherwise) that is the case.
The attention and the alarms both the private sector and government agencies furnish regarding cyber threats, security, and warfare are obviously warranted and I seek not to dispute nor diminish their significance. After all, the cascading infrastructure havoc created by a significant offensive cyber attack could be incalculably cataclysmic.
But, identifying the absolute best strategy, tools, and/or practices to address these persistent challenges, especially considering there is no reason to believe (they) will dissipate in the future, represents where much debate lies today in c-suites globally, e.g., amongst CSO’s (chief security officers), CRO’s (chief risk officers), CISO’s (chief information security officers), CIPO’s (chief intellectual property officers) and certainly legal counsel.
That is, with respect to the private sector, is it best to remain primarily in a defensive mode consisting of repelling, preventing, and containing? Or, should the private sector engage in independent offensive and/or pre-emptive initiatives, e.g., mounting IT system (cyber) attacks toward known adversaries in hopes such undertakings will produce a deterrent effect versus an escalation?
Before we get too far down a particular strategic path on this issue, it’s important to refresh our memories that the U.S. remains distinctive from most other countries because the key pillars of our national infrastructure are generally privately owned and operated, apart from direct government control. This distinction suggests independent offensive or pre-emptive action taken by the private sector toward known state sponsored actors (cyber adversaries) would produce some unknown reactions and/or consequences that may well exceed our natural inclination to publicly expose ‘who’s doing what to whom’.
From an intangible asset practitioners’ perspective, I believe the subject is being too narrowly framed and perhaps overly influenced by an IT – computer security orientation ala cyber security and cyber-warfare. By continuing to frame this issue in this manner, little or no space is left for recognizing that companies’ mission critical, sensitive, and proprietary information (intangible) assets routinely exist in formats other than electronic ‘ones and zeros and bits and bytes’.
I am certainly not suggesting the prevailing perception regarding the origins of adversaries, cyber attacks, and cyber warfare (directed against the private sector) are misguided or misplaced. I am suggesting, that perception and its accompanying strategies gives short shrift to the economic fact that 65+% of most company’s value, sources of revenue, and ‘building blocks’ for growth, sustainability, and profitability today lie in – evolve directly from intangible assets e.g., intellectual property, competitive advantages, brand, reputation, and intellectual, structural, and relationship capital. Thus, the real advantages (value, profitability) belonging to companies may not always be found or housed in a computer or IT system and therefore not specifically vulnerable to the exclusivity of cyber attacks or cyber warfare.
Too, information asset safeguard policies and practices which are dominated by an IT or cyber (risk, threat) orientation tend to minimize the reality that most companies today operate in an extraordinarily fast-paced, competitive, and predatorial knowledge-intangible asset based global economy. In this irreversible global environment, information (intangible) assets are developed, acquired, used, and disseminated in extraordinarily short time frames. Endeavoring to safeguard or secure these assets, in my view, should not be exclusively conceived or practiced through an IT – cyber security lens. Instead, responsibilities for safeguarding valuable information (intangible) assets must become embedded in peoples’ respective orientation, ethic, and (company) culture, because increasingly that information – those assets exist in the form of intellectual capital.
As intangible asset protection specialists know well, proprietary – sensitive business information will percolate throughout a company and is not confined or limited to what is accessible solely through one’s laptop, desktop, or ‘from the cloud’. Too, intellectual capital cannot be reduced solely to those electronic ‘ones and zeros or bits and bytes’.
Intangible asset safeguard policies and practices that infer, by having a presumptively superior IT – cyber security program, can send a misleading message, e.g., if an organization’s IT system is proclaimed to be secure, presumably then, a company’s proprietary information is also secure, which we know is not the case. In today’s increasingly predatorial and incessantly thirsty global business environment for information assets, that’s a message no company should accept.
It is certainly not my intent here to be dismissive about the absolute necessity to rapidly identify, assess, and successfully and consistently thwart the very real risks and threats posed by state-sponsored and independent cyber-attacks.
But, it’s equally important to recognize that both (cyber) terrorist organizations and economic/competitive advantage adversaries can acquire, with varying degrees of ease, a single company’s most valuable and treasured trade secrets and literally wreak economic, competitive advantage, and market havoc, one company at a time.
(This post was inspired by NPR’s Tom Gjelten’s three part series on cyber attacks and cyber warfare, February 11th, 12th, and 13th on Morning Edition.)
Michael D. Moberly February 14, 2013 St. Louis [email protected] ‘A business intangible asset blog where attention span really matters’!