Throughout the 1960s, à la the ‘Cold War’ period, there was a unique approach to deterring war…i.e., the citizens of countries which declared opposition to one another, i.e., the United States and the former USSR, now Russia, were told each country possessed sufficient triads of nuclear (war) capability and delivery, i.e., sea, air, and land based launch capable missiles and bombs…
- the consequence of which, if used, would assure mutual destruction – annihilation of both countries and their populations.
Nevertheless, there were consistent references by…governments and their defense sectors regarding a relatively new deterrence strategy and war making capability, i.e., MAD (mutually assured destruction).
A somewhat similar analogy is evident today…however its origins do not lie in the delivery of tangible nuclear weaponry, instead, they lie in the asymmetric anonymity of a cyber-attack, or cyberwarfare…
- either, designed to destroy the functionality and confidence in national infrastructure institutions and their global connectivity ala ‘mutually assured disruption’ of a country’s cyber-ecosystem!
To be sure, cyber warfare (a massive, targeted cyber-attack) would produce…substantial loss of life in many different ways, aside from the cataclysmic power of a nuclear warhead blast.
In a ‘mutually assured disruption’ context…the outcome of comprehensive – simultaneous acts of cyberwarfare may not produce a definitive winner or loser, as conceived in conventionally fought wars and/or battles by a country’s military.
Instead, the outcome may be characterized and measured in…almost diminutive contexts based on system redundancies and organizational resilience.
On the morning of September 11, 2001…I and others presumed the purposeful aircraft strikes in New York City and Washington, D.C., were likely diversionary, to be followed by attacks, cyber and otherwise, in the U.S.
The probable targets would be public – private components of the national infrastructure…whose services and functionality are beholden to interwoven IT-computer systems, which, at the time, were incredibly vulnerable.
Not unlike others who anticipated this ‘diversionary – follow-up’ (strategy) scenario…it prompted me to contact colleagues, minutes after the attacks occurred, who were employed in various sectors throughout the U.S., one of which was serving at a top-tier university overseeing their ‘super-computing’ center.
My rationale for contacting this individual…lay in the notion that a super-computing center would presumably have the capability to detect at least the precursors to impending cyber-attacks occurring elsewhere, or which may have already launched and ‘were on their way’ so to speak.
To my discomforting amazement…this rationale, in this instance, at this time, proved flawed. So, regardless of the degree-level of familiarity and/or expertise with computer security and system breach detection, recognizing and mounting effective defenses against multi-dimensional cyber-attacks were relatively new concepts, which national infrastructure institutions were largely short, that is, sufficient software-hardware to execute effectively and instantaneously to prevent catastrophic computer system meltdowns and cascading effects that would cause.
The capability to thwart, mitigate, or contain the asymmetric…adverse, and inevitable cascading effects that a coordinated cyber-attack would likely produce, by design, presents obvious challenges and substantial costs insofar as preparing companies and organizations to reasonably keep pace with the infinite and asymmetric ‘stand-off’ methodologies that materialized – materializing cyber-attacks can present…
- and occur anytime, anyplace, and leave little or no (conventional) vapor trail to investigate.
- yet, maximizing disruption and chaos to a company, organization, or infrastructure institution.
I try to remain optimistic today…that management teams, c-suites, and boards of Fortune ranked firms, SMEs (small, medium enterprises), and RBSUs (research-based startups), etc., sense fiduciary obligations to routinely engage in discussions – tactical and strategic planning regarding the practicalities and costs of deploying good – better – best cyber risk mitigation (data-information security) products.
As an intangible asset strategist and risk specialist, my experience suggests there are, at minimum, two multi-related reasons why these discussions are inevitable and expanding to every business sector…
- it is a universal and irreversible economic fact that 80+% of most companies’ value, sources of revenue, and ‘building blocks’ for growth, profitability, and sustainability today lie in – evolve directly from intangible assets, primarily, intellectual, structural, relationship-social and competitive capital.
- data-information generation, storage, and at will – on demand retrieval capabilities are continually ratcheting up to infinite levels, variously aligned to the rapid recognition and rise of intangible asset intensive and dependent companies.
To be sure, efforts to thwart the actions of the growing global array of ultra-sophisticated...economic and competitive advantage adversaries and legacy free players engaged in hacking and/or state sponsored entities capable of delivering highly specific, targeted, or broad-based cyber-attacks are challenges which cannot be dismissed or relegated to the uninitiated or unfamiliar.
I am certainly not suggesting public-private U.S. entities disregard their fiduciary responsibilities or regulatory mandates to safeguard their – our data…instead, I am suggesting any entity’s mandate to mitigate operational disruptions, re-examine same in organizational resilience contexts to ensure they possess – have in-place capabilities to differentiate proprietary information and data on a continuum, for example…
- differentiate data-information that encompass valuable – competitive advantage intangible assets, e.g., their contributory role, value, and materiality to a particular project, product, and/or the company’s mission and/or relevance to reputation and brand.
Michael D. Moberly, July 21, 2017, the ‘Business Intangible Asset Blog’, since May 2006, 650+ published blog posts, read in 137+ countries, ‘where one’s attention span, businesses intangible assets and solutions converge’.
Readers are invited to explore other published posts, video, books, and position papers at https://kpstrat.com/blog