This is a pet peeve of mine, but when I hear somebody from the cybersecurity community refer to a web-defacement as cyber warfare, my soul dies a little. Really? A hacktivist converts the corporate logo on a company web site into a Guy Fawkes mask and it's cyber warfare? Hardly.
A criminal steals customer credit card data from a retail database and we call that cyber terrorism? Not likely. A cyber spy steals a collection of intellectual property secrets and we call that a cyber crime? Yes, but while it’s a criminal offense to break into a corporate network, good-luck prosecuting a nation state that wants your secrets.
This lack of thought behind the terms, and how interchangeably we seem to use them, drives me crazy. It’s just our community being sloppy. Even though the bad guys behind each of these attacks has to travel down the same kill chain as the others to be successful, the defender must understand each attacker’s different motivations to martial the necessary resources to protect their networks. Whether you’re a government entity or a commercial enterprise, you have to understand how specific threats may impact your organization.
For example, if the biggest risk to your organization is the material impact cyber criminals cause by stealing and selling your customers’ credit card data, then by all means focus your resources on protecting it. If your largest concern is the competitive disadvantage your organization will suffer if a cyber espionage campaign steals your secret sauce, focus your resources there. If the reputation loss your organization will suffer after a successful cyber hacktivism campaign is concerning, take action to block those kinds of attacks. If the greatest risk to your organization, and perhaps your country, is a cyber terrorism campaign designed to promote fear among the general populace (or even death and destruction) by targeting your organizational assets, focus your efforts there. And finally, if your biggest worry is a cyber warfare attack launched by a nation-state that destroys critical infrastructure to influence some political issue on the international stage, you know what you have to do.
The point is you have to understand what these motivations are and how they apply to your organization before you can decide how to defend against different adversaries. It’s no longer sufficient to lump them all under a generic “cyber attack” label and it is absolutely wrong to miscategorize the attack out of laziness or lack of understanding. With that in mind, in my next two posts I’ll be sharing my thoughts on the different kinds of cyber adversaries and why it's important for your security posture to define them accurately.
Leave a comment and let me know what you think.