Yesterday’s War
Jeremy Wittkop, EMBA, CISSP
Cybersecurity Executive | Published Author | Advisor | Building the Future
Applying lessons learned from Operation Iraqi Freedom to the current state of cyber-security
In honor of cyber-security awareness month I have decided to write a multi-part blog series that compares lessons I learned from my time in the military and serving in Operation Iraqi Freedom with the lessons I have learned from the last decade in cyber-security. Before we get started, there are a few things I would like to note. First, the opinions expressed are my own and do not necessarily represent the opinions of my employer. Second, my observations and conclusions are my own. I do not intend to start a political or military strategy debate on this series. Finally, this content is designed to be thought-provoking and entertaining. I would love to hear your opinions on the topic, so please feel free to comment.
Cyber-security is Warfare
“In a world gushing blood day and night, you never stop mopping up pain.”
-Aberjhani
It is clear that Aberjhani is speaking of kinetic warfare, but if you were to abstract the references to mortality, wouldn’t it seem familiar? In a world hemorrhaging sensitive data, where identity theft is so common that parents take identity protection precautions on behalf of their children from birth, do we ever stop mopping up the pain associated with a breach, whether it be monitoring or freezing credit for ourselves or loved ones or dealing with the volatility in the enterprise valuation of compromised entities?
According to Security Intelligence, profits from cyber-crime exceeded $1.5 trillion dollars in 2017. For perspective, that is equal to the entire US technology sector and ranks just below Russia and just above Spain in terms of Gross Domestic Product (GDP). Of the 27 member countries of the European Union after Brexit, cyber-crime would out-produce all of them with the exception of Germany, France, and Italy. These are staggering numbers that are hard to put into perspective. Cyber-crime is certainly not a homogeneous activity, and its actors span many countries, but if you look at it as an economic terrorist movement, it is among the most effective the world has ever seen.
One aspect of cyber-security that has always struck me coming from a military background is the extent to which many security practitioners don’t understand that cyber-security is warfare. Let me state this as clearly as I can: cyber-security is not like warfare, it is warfare. It is not kinetic warfare; most of the time no one is physically hurt or killed, but there are many types of economic warfare. Many terrorist and organized crime elements have simply moved their operations to the digital world because it offers them better scale, lower risk, and a better return on their investments. In many ways, it is not dissimilar to organizations moving workloads and applications to the cloud. This brings me to another point. Well-run cyber-crime organizations operate very much like a business. They evaluate their investments for a return and, in many cases, perform a cost/benefit analysis prior to launching an operation. Understanding this is important, because as we will discuss later, knowing your enemy is a powerful way to understand his or her calculations and influence his or her behavior.
Merriam-Webster has two definitions of warfare. The first certainly covers nation state actors, corporate espionage, and cyber terrorism. It defines warfare as “an activity undertaken by a political unit (such as a nation, terrorist group, hacktivist group, or even a company) to weaken another.”
According to the Center for Strategic and International Studies, the impact of cybercrime to the global economy is equal to a full percent of global GDP at about $600 billion. What’s worse is according to a previously cited statistic, the benefit to the attackers on an annualized basis is over $1.5 trillion.
Is it any surprise that cyber-crime continues to increase when the proceeds are worth nearly three times as much as the damage?
It could be said that cyber-crime is a net value creator for the global economy to the tune of $900 billion dollars per year, but that’s a conversation for another time. The bottom line is the stakes are high enough to rise to the level of what Webster’s primary definition represents as a definition of warfare.
The second definition is broader. It defines warfare as “a struggle between competing entities”. All cyber-security attackers and defenders meet that definition.
Therefore, cyber-security isn’t like warfare, it is a type of warfare. Many concepts that apply to a kinetic battlefield also apply to cyberspace, and certainly many do not. It is similar to a Venn diagram: many concepts are applicable only to a traditional battlefield, and many are unique to cyberspace. However, a surprising number of concepts are applicable to both. This is useful because it means the many centuries of military philosophy are at least in some ways relevant to the problems we face in the digital age.
The Art of War
“If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.”
― Sun Tzu, The Art of War
If you believe the general premise behind what I am writing, that cyber-security is warfare, then Sun Tzu, someone who lived many centuries before the computer was invented, is among the most relevant philosophers on the topic of cyber-security. There are many quotes from Sun Tzu that are applicable about preparation and appearing stronger than you are that can truly help guide cyber-security strategy. In many cases, the idea of winning the battle before it is fought by psychologically defeating an adversary is the only hope an organization has, as offensive security measures, or hacking back, for civilian companies is not currently feasible.
However, I default to the quote about knowing the enemy and knowing yourself, because that is exceedingly important. Knowing yourself in a cyber-security context is all about knowing what you are trying to protect and determining which assets matter most. I would argue that all of information security is about protecting information. Without being overly simplistic, it’s right there in the title. Many people are so focused on perimeters, networks, and endpoints that they fail to see the forest for the trees. It is all about information. Network or perimeter-based programs are fighting yesterday’s war. If the center of your security strategy is a Next Generation Firewall, for example, you should definitely re-evaluate your approach.
Not all information is created equally either. I generally define information into three buckets: Information that doesn’t need to be protected, information you protect because someone tells you that you must, for example regulated data, and information you protect because it is vital to your business and competitive advantage, which I like to refer to as critical information.
Knowing yourself means knowing which information elements in your environment fall into which category, what controls you have to protect that information, and a realistic assessment of how much you can protect at a high level with the financial and human resources available to your team. If you can honestly say that you’ve done a thorough and comprehensive information assessment, you have the mechanism to update that data assessment as things change, and you have a thorough knowledge of the people, process, and technologies necessary to operate the program, you know yourself, and that is the first step.
The next step is to know your enemy or adversary. It’s important to note that this does not mean you simply know the list of adversaries that exist. This means that on a data element by data element basis, you know who is likely to put those data elements at risk, how they would do so, and how you can prevent them from doing so. When you are evaluating the threat landscape against your information assets, it is important that you do not limit your analysis to external actors. In many cases, external actors are the minority of adversaries. If you also count external actors who pose as internal actors using stolen credentials, and who therefore look to your systems like internal actors, the share of external actors is smaller still. Examples of adversaries could be poorly trained internal resources, compromised or malicious insiders, disgruntled employees, cyber criminals, or in some cases advanced threats sponsored by nation states.
Later in this series, we will discuss the concept of empathy and that is an important element of knowing your adversary as well. Unless you can truly understand an adversary’s motives it will be difficult to understand the level of advancement and persistence they are likely to deploy against you.
Understanding the stolen data economy is critical to understanding adversaries. Understanding whether public markets exist for certain types of information, for example, can provide insight into who may attack that information and who would profit from it. Threat feeds aren’t entirely useless, but they are a crutch. To be truly effective at understanding your adversary, you need to do your research.
Follow the Series!
This is the first of a six-part series. Each new part of the series will be published on Tuesday until all six parts are available.
Part Two: Real World Context: https://www.dhirubhai.net/pulse/yesterdays-war-part-2-real-world-context-jeremy-wittkop-cissp
About the Author
Jeremy Wittkop is the Chief Technology Officer for InteliSecure, the world's leading Managed Services Provider focused on the protection of critical information assets. Jeremy was also InteliSecure's first Managed Services Director. Jeremy has also written a book about securing critical information assets called Building a Comprehensive IT Security Program available from Apress publishing on Amazon at https://www.amazon.com/Building-Comprehensive-Security-Program-Guidelines/dp/1484220528/
Currently a protector of the browser and web-based applications
5 years
Thanks for sharing your insights that are based on real world cybersecurity to warfare comparison. Some might have trouble taking in the comparison as many of us have direct loss from warfare, however analytically the points have substance. Keep them coming and thank you.