More than 30 years ago, I warned a number of executives that “the criminals will destroy the Internet. We have to work to prevent this now, I warned”. A few people heard my message and requested that I assist them with waking their executive ranks to this emerging danger. While working with these executives to alert them to the challenge, I found that I had to repeat my message about “Cyber Terror” five to seven times before anyone heard me once. Colleagues asked me if I ever worried about repeating myself so many times. “Won’t they become upset,” they would ask. I simply replied, “You heard me the first time, but they haven’t heard me yet. Repetitio est mater studiorum.” Newkirk’s law 92 was at play: The scarier the message, the greater the effort required to be heard. Eventually colleagues began to recognize the problem as well as they exclaimed: “Amazing, they really aren’t listening.”
Hans Holmer wrote a potent article recently discussing some of the differences between the cyber and “kinetic eras”. Holmer sums up the historical situation quite well. I can personally relate to his statements. I built my first computer in 1962 using vacuum tubes and oxide core memory. I wrote programs in machine language, employed actual addressing to directly control system processes, transformations, and data flows. I even enlisted instrumentation to test the code using several well-designed techniques.
We valued “code coverage” as a metric. It was great fun and made you one smart technical specialist. I must confess that it is a bit strange today to see so much code in production that has undergone minimal qualification. How can anyone adequately test a single system with twenty million lines of code? No team I know. Agile and lean programming does not make anyone more secure. These are simply current terms used to explain old practices. Historically, many programming departments practiced “lean methods”. Their lean budgets informed their development practices. The current focus of Agile and Lean development approaches on cost reduction and under-conceptualized simplicity undervalues the role of cyber security in delivering resilience. Prototyping and rapid implementation is not new. Remember: “If it works, it is production; if it doesn’t it’s a test.
The Dawn of Cyber Security and the Transformation of Kinetic Threats
When I moved from the hobby room to the computer department at General Motors, I had to be a really smart technical specialist (because very few people were). Even back then, we concerned ourselves with glitches and bugs. Thankfully, Admiral Grace Hopper woke-up many people about the threat of accidental carelessness, and indirectly, the potential damage that can occur through human agency, accidental or otherwise. It was a natural step for many of us to become concerned about data theft, software theft, and programming fraud as our principal cyber security threats, although management did not specifically view the problem as a cyber security challenge. Generally, management looked at these situations as mere instances of individual craziness. An executive once remarked in reply to my concern: “Why would anyone steal our customer and employee data? It is useless to them.” That was back then. History has answered his question.
In that early cyber era, we worked in a world marked by Insider Threats. Everything else was still a “Kinetic” concern. We did not worry about “external actors” or their maliciously delivered bugs, or even the real bugs. It all seemed so far-fetched to the bill-payers. Automated Data Processing Department budgets (that’s what we used to call it) had to be practical as far as possible because computers and everything associated with them cost an unbelievable amount by today’s standards. Look at the cost of PCs back in the 1980s. My first slow and anemic PC cost more than $15,000.
So here we are today, living in a cyber world challenged by malicious and careless Insider and External Threat Actors. Each Threat Class becomes increasingly more dangerous each day simply due to progress in the capacity and speed of hardware, refinement of methodologies, and skills of industrious software engineers. We hear about it daily. Somewhere, sometime, somehow, someone wreaks havoc on our digital world and people suffer in many ways. They are casualties in the new global theatre of Cyber Warfare.
Expanding Awareness at Mud-Puddle Depth
Not everything has changed. Executives, managers, and employees prefer to ignore the very real threat of Cyber Terror. As to be expected, (based on historical performance) many CEOs in this country cannot say with any level of certainty whether their in-house Cyber Security programs deliver sufficient security. "The more things change, the more they stay the same."
That is a bit of an exaggeration. Not everything stays the same. Cyber Security has generated a lot of interest, mainly in the Cyber Security community. Look at the present state of Cyber Security. We have a lot of ideas about what we should do. Our challenge is to generate this kind of interest within many other communities. Several challenges require immediate attention. We know many of the scenarios. The following list identifies fifteen noteworthy scenarios that will impact short and long-term efforts to deliver robust Cyber Security effectiveness. A couple of these scenarios may be surprising.
An unsettling number of unknown students enrolled in a Cyber Security education programs will use their education and training to engage in malicious Cyber-attacks with an advantage because they will enjoy first-hand knowledge of the counter-measures and strategies to be used against them.
One malicious employee or contractor with access to information and data can destroy a company, quickly (In less than 10 minutes). This is something new, aside, from a bomb going off in the critical place.
A large percentage of Malicious Insider attacks create unrecoverable damages leaving target companies lost forever.
Many of the solutions we think work, mostly do not work. Organizations habitually use software products that are known to fail.
Around 10% of the employee population of a company enjoys access to every digital file in an organization, even when unnecessary. Management trusts them to do the right thing because HR tells us that trust is a must. Even God wouldn’t say that.
Organizations continue to use and pay for an unreliable Cyber Security tool or technique even when management knows it is not effective.
A single thumb drive can severely damage the value of an organization, quickly.
Experimenters exist that occasionally interfere with the communications of a range of global targets. In-depth Cyber Security has to ensure that these intrusions can be mitigated and that private and commercial flight operations be shielded. Cars, drones, and planes have been hacked by students.
Technologies will increasingly become artifacts of cyber warfare directed against national populations as teams of malicious cyber actors target individual citizens in roving attacks at random times.
Technologies that people do not understand are expanding into every aspect of human life without moral consideration so that technologists will become the core influencer of society.
Cyber terrorist will use advanced methods of psychological warfare to turn citizen groups against each other.
The continuous conflict and turmoil of the Government as it continuously feeds on itself by fragmenting and weakening its own internal political alliances will increasingly distract the attention of agencies from the fundamental responsibility of Cyber Security.
Executives will continue to launch experimental business models based on trust and openness that reduce the effectiveness of Cyber Security.
Organizations will continue to focus on remedial workplace strategies that reduce the effectiveness of Cyber Security programs designed to ensure business process resilience and organization effectiveness.
Human Resources teams will implement processes and programs that focus on inadequate criteria of performance that conflict with the Cyber Security Imperative.
A Systemist Response
An interesting observation about these fifteen scenarios is that if one cares to take the time, (s)he can identify the traditional archetypes associated with each scenario. We would see that serious Cyber Security programs require unified (not integrated) political, educational, sociological, behavioral, technical, legal, methodological, economic, and management solutions. Cyber Security is really a complex transdisciplinary concern. Little to nothing in human historical experience compares to this threat. For example, Cyber Terrorists from protected locations in several dozen countries can simultaneously execute a Cyber Attack on a single U.S. Citizen just as a training exercise. The person would not know what had just occurred. Moreover, our Country continually has threats emerging from violations against trust here on the home-front and yet executives continue to implement organization models that highlight trust and openness between employees and management as the framework for successful performance. Think Continuous Performance Management or CPM. Organization models such as these are incompatible with stringent Insider Threat Prevention frameworks that advocate “Zero Trust” security and control to safeguard business operations.
Unless a radically new technology comes on line that negates every Cyber Attack strategy known to science, we will have to make a choice. Either we throw our arms up in despair and say “enough is enough” and abandon digital networks, or we redesign our relationship with technology. This, of course, means that our workplace experience as well as the home-front will change. In the workplace, we will be watched, monitored, and cleared like never before. No purse, thumb drive, laptop, and other miniature device will freely float around the workplace. Every environment will become extremely secure because so much is at stake. The workplace could become a place nobody wants to visit.
Cyber Security will consume a lot of money, intelligence, commitment, and support to win this emerging Cyber War which is currently waging along several fronts. How we eventually resolve all of this is open to conjecture and serious study. One thing we doubtlessly know already: The drive for Cyber Security effectiveness will change life in unimaginable ways. A new paradigm for work and play is being thrust upon us whether we choose to participate or not. If we continue responding as we are, we will become a self-fulfilling prophecy: We have met the enemy, and the enemy is Us.
Think about it
Raymond L. Newkirk, Psy.D., Ph.D., PhD., Th.C.
Founder & CEO Systems Management Institute
Una Vita e non Basta!
Hans Holmer, “The Danger of Stone-Age Habits in a Cyber World”, September 24, 2019. GTSC, Government, Technology and Services Coalition’s. Homeland Security Today.US