Ransomware: Diplomatic Approaches Must Complement Techie Solutions

IMG_2078

The Ransomwhere attack of the weekend has brought home to the public the vulnerability of our information systems. In Britain much of the National Health Service has been brought to a standstill, with appointments cancelled and surgery postponed. Spain’s main telecommunications company Telefonica was infected, and other major corporations were forced off-line to protect themselves. In Russian the Interior Ministry admitted that one thousand of its own computers were hacked. In fact, despite the scale of the attacks, it appears relatively low-tech and unsophisticated. Unless more damage is revealed when computers are turned on at the beginning of the week, the impact has been limited, with the hackers estimated only to meet some $20,000. This pales into insignificance compared to the $1.1 million the “Business Club” group of hackers made from an earlier ransomeware attack in 2013 (not to mention the hundred million which this group made from cyber theft from banks). But the 2013 attacks were barely reported. They did not target anything as prominent as Britain’s National Health Service or Spain’s main telecommunications company.

IMG_2079

The techies are now working hard to repair the damage of the ransomware attacked. Some will be uploading patches on to computer systems to protect them against renewed attacks. Others will be trying to unblock access to the data that ransomware has frozen. Others will be searching for backup files trying to recover essential information. Most people see cyber security as a technical issue with technical solutions, and as something that can be left to the techies. They are wrong on both points.

IMG_2080

Technical measures are only a part of cybersecurity, albeit an important part. Too many companies depend on perimeter security, confident that their technical protection will keep hackers out. History says that this confidence is misplaced. One of the problems is that perimeter security systems tend to be designed to resist the last hack, whereas the hackers are constantly looking forward. In the arms race between cybersecurity and the hackers, the hackers seem to have the advantage. More sophisticated cyber security, for example in the military, accepts that hackers can access their networks, but focuses instead on defensive measures with in these networks, tracking hackers’ movements, building internal defences, and launching countermeasures against the hackers. But such sophisticated defence requires identifying when the hack takes place. Most companies don’t even know that. Recent studies suggest that financial companies take, on average, 98 days to identify an intrusion on their network. Retail companies, on average, take 197 days. One would not anticipate the NHS performing much better. In the ransomware case the intrusion was immediately obvious because of its method of operation (it also appears not to have targeted a specific victim). but you cannot depend on technical solutions if you don’t know if you’ve been hacked.

IMG_2081

Believing that cybersecurity can be left to the cyber technicians is like not locking your house because it is the responsibility of the police to protect you against burglary. We all now live in a digital ecosystem and must take responsibility for our digital lives as for our non-digital lives. Unfortunately the creation of cybersecurity departments in large corporations, or the designation of someone responsible for cybersecurity in smaller companies, encourages most employees to ignore their responsibilities. However, it is unlikely to be the cybersecurity expert opens up the attachment from an unknown source or who succumbs to the phishing attack. Beginning my career as a diplomat in the Cold War, it was dinned into our heads, not always successfully, that we were all responsible for security against the Soviet threat, not just the security department. The same is true now.

IMG_1917

In the 19th century the Prussian Army held a military exercise that went disastrously wrong. The blame was pinned on a major, who claimed that he had only obeyed orders. The General retorted: “the Kaiser made you an officer because he thought you would know when not to obey orders”. Out of this exchange grew the concept of Mission Command, or Auftragstaktik, that made the German army such effective military machine, even against overwhelming odds. The core idea of Mission Command is that all junior officers, and non-commissioned officers, should understand thoroughly the mission that the army is trying to implement, and within that mission they have extensive latitude to achieve their objectives as they see fit, taking account of local conditions. This makes for considerable flexibility and the ability to adapt to changing circumstances. Mission command could been designed for the digital age. Just as I have argued elsewhere that every executive should be a business diplomat, so every employee should be a cybersecurity officer. Just as in the cold war it was the closest colleagues who would spot the lifestyle changes that indicated a possible betrayal, in the digital ecosystem to the closest colleagues who spot the behaviour that leads to digital exposure.

IMG_2082

The upshot is that technical approaches to cybersecurity, while necessary, are not sufficient. They need to be complemented by Business Diplomacy approaches. Business Diplomacy, adapting the techniques and mindset of the diplomat to the needs of the company, can support cybersecurity in six specific areas:

1: Hacker profile analysis of the company: adversaries include state actors and non-state actors; their skills and capacities are wide-ranging, from amateurish hacks using simple tools to highly sophisticated operators. Their motivations vary widely, as do the level of resources they have to pursue their objectives. An analysis of the activities, profile and reputation of the company can help to identify the kinds of hackers who might attack a company and their motivation. This can be reinforced through scraping information (data mining) from hacker (and activist) blogs and chatrooms. Software has been developed to support the latter.
2: Anti-hacker strategies: adversaries will perform malicious activities as long as they perceive that the potential results outweigh the likely effort and possible consequences for themselves. If the motivation of the hack is non-monetary (e.g. ethical or political) business diplomacy strategies can be developed to reduce the company’s vulnerability to attack. These can include developing networks of influence and information among relevant activists and NGOs. These can be used to assess the likelihood of attack, reduce the negative profile of the company, divert attention to other companies (who may be worse), reach out to the hackers or isolate and marginalise them within the ethical or political communities where they seek respect and recognition.
3: Public Diplomacy strategies: A major problem for companies is that public opinion, and its own stakeholders (including its clients), will blame the company for the result of any hack, rather than the hackers themselves (we are already seeing this in the UK, with attacks on the government for not funding the NHS sufficiently to pay for the software upgrades). Hackers seem almost able to achieve a kind of Robin Hood status in the public mind. Marketing or communication campaigns after a hack are doomed to failure. More effective are public diplomacy strategies, using the full range of public and digital diplomacy techniques, designed to shape the political and social environment in such a way that when a cyber attack is launched the public, including the company’s stakeholders, are already siding with the company against the hacker.
4: Collaborative working strategies aimed at government and other companies: collaboration between governments and companies in fighting cyber attacks remains inadequate. There is a need to recognise that as technology cross-connects the risks as well as the benefits are increasingly interconnected. Too often companies react to a cyberattack on a rival with Schadenfreude. Companies can use networking and coalition building to promote the collaborative practices with both governments and other companies to promote a more effective defence against cyberattacks.
5: Collaborative working strategies within the company: as we have seen, in too many companies cybersecurity is left to the technical experts. Protective agencies with an organisation often lack strategic influence, operating independently of one another, conflicting over areas of responsibility and resources. Vital information is not shared across the company. Individual employees do not “own cybersecurity”, not seeing it as their responsibility. By insisting on a holistic approach which integrates communication, corporate reputation and public affairs departments together with cybersecurity, Business Diplomacy strategies break down these silos, improving cyber management across the company.
6: Business Continuity: through developing networks of influence and information among key stakeholders, companies can enhance their business continuity in the event of a cyber attack, minimising the damage, financial or reputational, that a hack can entail, and ensuring a resumption of operations as soon as possible.

image

Business Diplomacy strategies are no more a one stop solution than technical cybersecurity, any any more than diplomacy can deliver world peace without support of armed force. They complement and reinforce each other. Businesses must learn that cybersecurity is not just the preserve of the technical experts, but the responsibility of all departments and all individual employees, from the Board downwards. Not all of the business diplomacy capacities identified above would have been relevant in the Ransomware case. Where the hackers are criminals interested only in financial gain, strategies to isolate them may be less effective. However, the distinction between criminal, ethical and political hackers is not always clear cut. Eugeniy Bogachev, the Russian hacker behind the Business Club bank thefts and Ransomware four years ago, appears to have been collecting information for the Russian intelligence services as well (possibly without the knowledge of his fellow criminal hackers).

digital

Macron’s Victory: The EU Ducks Another Bullet

FRANCE2017-VOTE

Europe has ducked another bullet. Following the poor showing of the far right in the elections in the Netherlands, Macron’s victory last night in the French presidential election means that the European Union has again avoided a meltdown moment. Not many more to go this year. It does not, however, mean that the EU is out of the woods yet, or that it has resolved any of its crises. Nor does it amount to a decisive defeat of right-wing populism in favour of a return to liberal progressive politics.

IMG_2021

At first sight Macron’s victory is decisive. But a more careful examination of the data tells a different story. Defeating Le Pen by a margin of 65-35 is not the humiliation her father suffered in 1982 against Chirac. 11% of those who voted spoiled their papers or left them blank. A further 25% of eligible voters did not bother to vote. Given that many of those who voted for Macron did soi to block Le Pen rather than because of any liking for the youthful candidate, it hardly amounts to a resounding endorsement of his reformist policy agenda. Indeed in the first round of the election, when voters voted for the policy agenda they most supported rather than to block Le Pen, three quarters of voters rejected Macron’s reformist agenda.

French President elect Emmanuel Macron and his wife Brigitte Trogneux celebrate on the stage at his victory rally near the Louvre in Paris

Much in that agenda is unpopular across the French political spectrum. France may need labour reform, but French voters don’t want to give up their social and economic model. While Macron looks youthful and fresh now, he is still a member of the French administrative elite (enarque and former investment banker. Unless he delivers quickly the lustre he enjoys now will swiftly fade. It will not be easy. He may find it difficult to construct a parliamentary majority folllowng the Assembly elections. His economic and social policies will come under attack from Le Pen on the right and Melanchon the left. Given his lack of political experience, there is every chance that Macron may be little more successful as president than his one-time mentor Hollande. In that case, Europe may not so much have ducked the bullet, as postponed it for five years, when reinvigorated far right and far left contest the next presidential election.

French President Francois Hollande reacts leaves a polling station in Tulle, during the second round of the 2017 French presidential election

Even if Macron is able to construct a de facto coalition in the National Assembly for his domestic reform agenda, it will still leave the EU confronting multiple existential crises, which will require more than the leadership of Macron to resolve. The recent Commission White Paper offered a number of options for going forward, none of which offer straightforward further integration. Managing multiple speeds and geometries would test far more competent leadership than the Commission enjoys. Brexit risks becoming a dangerous distraction from developing effective foreign, security and foreign policies. Reconstructing the Franco-German axis will be essential, as will be revamping the European commission. What a new Franco-German axis will look like will not be clear until after the German elections in the autumn. However, who ever wins those, there will remain fundamental differences between Paris and Berlin, especially over long term solutions for the Euro Zone. Macron’s election victory against Le Pen did not solve any of these problems. At best it has bought the EU time to begin tackling them. The question now is whether the other European leaders have the ability or the will to do so. The omens are not great.

IMG_2022