The ransomware attack of the weekend has brought home to the public the vulnerability of our information systems. In Britain much of the National Health Service has been brought to a standstill, with appointments cancelled and surgery postponed. Spain’s main telecommunications company Telefonica was infected, and other major corporations were forced off-line to protect themselves. In Russia the Interior Ministry admitted that one thousand of its own computers were hacked. In fact, despite its scale, the attack appears relatively low-tech and unsophisticated. Unless more damage is revealed when computers are turned on at the beginning of the week, the impact has been limited, with the hackers estimated to have netted only some $20,000. This pales into insignificance compared to the $1.1 million the “Business Club” group of hackers made from an earlier ransomware attack in 2013 (not to mention the hundred million which this group made from cyber theft from banks). But the 2013 attacks were barely reported. They did not target anything as prominent as Britain’s National Health Service or Spain’s main telecommunications company.
The techies are now working hard to repair the damage of the ransomware attack. Some will be uploading patches on to computer systems to protect them against renewed attacks. Others will be trying to unblock access to the data that ransomware has frozen. Others will be searching for backup files, trying to recover essential information. Most people see cybersecurity as a technical issue with technical solutions, and as something that can be left to the techies. They are wrong on both points.
Technical measures are only a part of cybersecurity, albeit an important part. Too many companies depend on perimeter security, confident that their technical protection will keep hackers out. History says that this confidence is misplaced. One of the problems is that perimeter security systems tend to be designed to resist the last hack, whereas the hackers are constantly looking forward. In the arms race between cybersecurity and the hackers, the hackers seem to have the advantage. More sophisticated cybersecurity, for example in the military, accepts that hackers can access their networks, but focuses instead on defensive measures within these networks, tracking hackers’ movements, building internal defences, and launching countermeasures against the hackers. But such sophisticated defence requires identifying when the hack takes place. Most companies don’t even know that. Recent studies suggest that financial companies take, on average, 98 days to identify an intrusion on their network. Retail companies, on average, take 197 days. One would not anticipate the NHS performing much better. In the ransomware case the intrusion was immediately obvious because of its method of operation (it also appears not to have targeted a specific victim). But you cannot depend on technical solutions if you don’t know if you’ve been hacked.
Believing that cybersecurity can be left to the cyber technicians is like not locking your house because it is the responsibility of the police to protect you against burglary. We all now live in a digital ecosystem and must take responsibility for our digital lives as for our non-digital lives. Unfortunately the creation of cybersecurity departments in large corporations, or the designation of someone responsible for cybersecurity in smaller companies, encourages most employees to ignore their responsibilities. However, it is unlikely to be the cybersecurity expert who opens up the attachment from an unknown source or who succumbs to the phishing attack. When I began my career as a diplomat in the Cold War, it was dinned into our heads, not always successfully, that we were all responsible for security against the Soviet threat, not just the security department. The same is true now.
In the 19th century the Prussian Army held a military exercise that went disastrously wrong. The blame was pinned on a major, who claimed that he had only obeyed orders. The General retorted: “the Kaiser made you an officer because he thought you would know when not to obey orders”. Out of this exchange grew the concept of Mission Command, or Auftragstaktik, that made the German army such an effective military machine, even against overwhelming odds. The core idea of Mission Command is that all junior officers, and non-commissioned officers, should understand thoroughly the mission that the army is trying to implement, and within that mission they have extensive latitude to achieve their objectives as they see fit, taking account of local conditions. This makes for considerable flexibility and the ability to adapt to changing circumstances. Mission Command could have been designed for the digital age. Just as I have argued elsewhere that every executive should be a business diplomat, so every employee should be a cybersecurity officer. Just as in the Cold War it was the closest colleagues who would spot the lifestyle changes that indicated a possible betrayal, in the digital ecosystem it is the closest colleagues who spot the behaviour that leads to digital exposure.
The upshot is that technical approaches to cybersecurity, while necessary, are not sufficient. They need to be complemented by Business Diplomacy approaches. Business Diplomacy, adapting the techniques and mindset of the diplomat to the needs of the company, can support cybersecurity in six specific areas:
1: Hacker profile analysis of the company: adversaries include state actors and non-state actors; their skills and capacities are wide-ranging, from amateurish hacks using simple tools to highly sophisticated operators. Their motivations vary widely, as does the level of resources they have to pursue their objectives. An analysis of the activities, profile and reputation of the company can help to identify the kinds of hackers who might attack a company and their motivation. This can be reinforced through scraping information (data mining) from hacker (and activist) blogs and chatrooms. Software has been developed to support the latter.
2: Anti-hacker strategies: adversaries will perform malicious activities as long as they perceive that the potential results outweigh the likely effort and possible consequences for themselves. If the motivation of the hack is non-monetary (e.g. ethical or political), business diplomacy strategies can be developed to reduce the company’s vulnerability to attack. These can include developing networks of influence and information among relevant activists and NGOs. These can be used to assess the likelihood of attack, reduce the negative profile of the company, divert attention to other companies (who may be worse), reach out to the hackers or isolate and marginalise them within the ethical or political communities where they seek respect and recognition.
3: Public Diplomacy strategies: A major problem for companies is that public opinion, and a company’s own stakeholders (including its clients), will blame the company for the result of any hack, rather than the hackers themselves (we are already seeing this in the UK, with attacks on the government for not funding the NHS sufficiently to pay for the software upgrades). Hackers seem almost able to achieve a kind of Robin Hood status in the public mind. Marketing or communication campaigns after a hack are doomed to failure. More effective are public diplomacy strategies, using the full range of public and digital diplomacy techniques, designed to shape the political and social environment in such a way that when a cyber attack is launched the public, including the company’s stakeholders, are already siding with the company against the hacker.
4: Collaborative working strategies aimed at government and other companies: collaboration between governments and companies in fighting cyber attacks remains inadequate. There is a need to recognise that, as technology cross-connects, the risks as well as the benefits are increasingly interconnected. Too often companies react to a cyberattack on a rival with Schadenfreude. Companies can use networking and coalition building to promote collaborative practices with both governments and other companies, and so a more effective defence against cyberattacks.
5: Collaborative working strategies within the company: as we have seen, in too many companies cybersecurity is left to the technical experts. Protective agencies within an organisation often lack strategic influence, operating independently of one another, conflicting over areas of responsibility and resources. Vital information is not shared across the company. Individual employees do not “own cybersecurity”, not seeing it as their responsibility. By insisting on a holistic approach which integrates communication, corporate reputation and public affairs departments together with cybersecurity, Business Diplomacy strategies break down these silos, improving cyber management across the company.
6: Business Continuity: through developing networks of influence and information among key stakeholders, companies can enhance their business continuity in the event of a cyber attack, minimising the damage, financial or reputational, that a hack can entail, and ensuring a resumption of operations as soon as possible.
Business Diplomacy strategies are no more a one-stop solution than technical cybersecurity, any more than diplomacy can deliver world peace without the support of armed force. They complement and reinforce each other. Businesses must learn that cybersecurity is not just the preserve of the technical experts, but the responsibility of all departments and all individual employees, from the Board downwards. Not all of the business diplomacy capacities identified above would have been relevant in the ransomware case. Where the hackers are criminals interested only in financial gain, strategies to isolate them may be less effective. However, the distinction between criminal, ethical and political hackers is not always clear cut. Eugeniy Bogachev, the Russian hacker behind the Business Club bank thefts and ransomware four years ago, appears to have been collecting information for the Russian intelligence services as well (possibly without the knowledge of his fellow criminal hackers).