A few weeks ago, I read an article that provided significant insight into the Spy vs Spy battles between the Unites States and Russia.
Title: Russia carried out a ‘stunning’ breach of FBI communications system, escalating the spy game on U.S. soil
It was one of the few times in recent months that the headline of an article actually managed to be accurate and not just super-sensational or click-bait.
More importantly, however, the article provides lessons that can, and should, be learned by businesses small and large. It is important for us to realize that these nation state spy games are taking place in the same physical space and cyberspace in which we operate our professional and personal lives. And it should not be forgotten that various countries have already shown that they are not opposed to attacking business organizations as a conduit to cyberwar against “enemy” governments.
Thus, every business owner, business leader and senior management team needs to consider the risks of doing business in cyberspace, just like they make allowances for geopolitical disturbances and risks. #Cyberpolitical risks are now “a thing”.
Here are some of the most critical quotes that stood out to me from the article, and how they apply to businesses and business operations:
Bad guys are seeking constant improvement
American officials discovered that the Russians had dramatically improved their ability to decrypt certain types of secure communications and had successfully tracked devices used by elite FBI surveillance teams.
Yes, security spending tends to increase year over year.
No, there does not seem to be any end in sight to that trend.
No, last year’s successes are not enough for tomorrow’s threats. The threats just keep on coming.
Organizations that rely on last year’s marketing efforts will get passed by in this competitive business landscape. Likewise, organizations that rely on last year’s security initiatives to put a stop to all the threats they face today and in the future, are essentially treading water until they are inevitably breached.
And we’re not just talking about about tools or technology. Tactics and approaches need to be improved and adapted as well. If you’re willing to spend on new technology to move your business forward, then you need to be willing to spend a corresponding amount on new security tools, security training and security personnel to protect those assets and business advantages.
A chain is only as strong as the weakest link
“When I was in office, the counterintelligence business was … focused entirely on its core concern, which is insider threats, and in particular mole hunting,” said Joel Brenner, the head of U.S. counterintelligence and strategy from 2006 to 2009. “This is, in fact, the core risk and it’s right that it should be the focus. But we were neither organized nor resourced to deal with counterintelligence in networks, technical networks, electronic networks.”
A chain is only as strong as the weakest link. It is a well-known cliché, but not well heeded. If your organization can find the funds to upgrade servers and networks and applications, but not security tools or processes, then you’ve just made it easier for the bad guys, and harder for your own team to protect you.
It is like giving someone a motorbike, but providing all the body guards whose job it is to protect that person, with skateboards. Don’t be surprised at the outcome.
Money may be finite, but don’t make bad decisions to save a buck
The FBI teams were using relatively lightweight radios with limited range, according to former officials. These low-tech devices allowed the teams to move quickly and discreetly while tracking their targets, which would have been more difficult with clunkier but more secure technology, a former official said. But the outdated radios left the teams’ communications vulnerable to the Russians. “The amount of security you employ is the inverse of being able to do things with flexibility, agility and at scale,” said the former official.
A former senior counterintelligence official blamed the compromises on a “hodgepodge of systems” ineffective beyond the line of sight. “The infrastructure that was supposed to be built, they never followed up, or gave us the money for it,” said the former official. “The intelligence community has never gotten an integrated system.”
Yes, being secure is hard. It costs more and it takes more time.
But so does a breach. Ask the city of Baltimore.
Although it took many years to get here, many organizations are now relatively quick to update at least some part of their technology stack – especially those parts which are closely and more obviously connected to revenue. But they don’t pay nearly as much attention to security, which is essentially revenue protection.
That’s akin to earning good money every days, but putting it into pockets full of holes.
Insider Threats are real, yet regularly ignored
While the Russians may have developed this capability by themselves, senior counterintelligence officials also feared that someone from within the U.S. government — a Russian mole — may have helped them, said former officials. “You’re wondering, ‘If this is true, and they can do this, is this because someone on the inside has given them that information?’’ said another former senior intelligence official.
No one likes to work in a “martial law” or “super nanny” organization, but that’s not what we’re talking about here. Total distrust of your employees is a perfect way to undermine productivity and destroy morale. But an organization needs to be able to protect its critical secrets so that they are only available on a need-to-know basis. And they need to provide enough checks and balances and oversight so that people are not tempted to sell out the organization for (a) material gain, or (b) because they have been put into a compromised position.
Employee mistakes are still among the greatest sources of breach and data loss that organization’s face. But insider threats are way up there, and so many of them fail to be discovered unless the perpetrator gets too greedy.
Either you pay, or you pay
After the FBI discovered that its surveillance teams’ cellphones had been compromised, they were forced to switch back to encrypted radios, purchasing different models, according to two former officials. “It was an expensive venture,” said one former counterintelligence official.
It almost always costs more to fix the issues after the fact, than it would have before, especially when you factor in the public nature of breaches, and the accelerated time-frame for implementation. And that doesn’t take into consideration any fines or legal fees or soft costs such as a reputation damage.
Either you pay it up front, in a thoughtful and well-planned out manner, or you pay for it under duress. Just ask Equifax.
You can gamble with paying less for security and hoping it doesn’t bite you too early, but given the frequency and intensity of security attacks these days – to say nothing of their sophistication – that gamble might not pay off for you or your organization.
It’s always amazing how much money people are willing to spend after a breach, when they wouldn’t before. On second thought, they’re not really willing to spend that money – they just haven’t figured out how to say that and keep their jobs, so they spend it.
It’s not fear mongering if the threats and risks are real and significant
“It caused a really big rift within the [National Security Council] on how seriously they took analysis from the agency,” said the former CIA official. Senior administration leaders “went along with” some of the more optimistic analysis on the future of U.S.-Russia relations “in the hopes that this would work out,” the official continued.
The article highlights how senior officials were more willing to take an optimistic view of the threat landscape, and this was ultimately the wrong view. It’s usually worse than you think.
If national security professionals are having that much trouble making their case understood with the stakes as high as they are, it is no wonder that cybersecurity professionals run into similar roadblocks at the corporate level.
To be ultimately successful, there needs to be executive sponsorship
The former committee chairman said he wanted the intelligence community to make counterintelligence a higher priority. “Counterintelligence was always looked at as the crazy uncle at the party,” he said. “I wanted to raise it up and give it a robust importance.”
And that sponsorship shouldn’t just be the CISO. It needs to be someone on the board level who understands how vital security is to the organization – both strategically and tactically – and helps to keep it a part of the real discussions of the organization.
There’s much more information in that article that can be of benefit to both the private and public sector organizations and agencies.
It is my hope that those who read the article will not just see it as the USA vs Russia, but that they will make some attempt to understand how it applies to their organizations and their operations as well.
The cybersecurity landscape is getting more complex, not less complex, and the consequences are getting worse and worse each day.