Addressing Espionage in Cyber Awareness Month

Espionage is a very current theme for cyber awareness month, and was also the subject of last week's CSARN event in London, where we had the privilege of presenting.
Our presentation focused overwhelmingly on evidence that organisations [with notable exceptions in the defense sector] are very poorly prepared. Unfortunately, the professional debate around espionage is still immature, and it is still necessary to continue highlighting the risks. More importantly, it remains a priority to point out how preparedness is lagging behind the increasing complexity of the threat from industrial espionage, whether it is perpetrated by corporations or backed by nation states.
The main symptoms evident are a lack of awareness and a lack of preparedness, and there is a very strong causal link between the two. The awareness is incomplete and outdated, and hence the risk to the organization is chronically undervalued. Moreover, the awareness that exists is not sufficiently demonstrated where it exists, and it is not prompting action: certainly not appropriate action. A partial explanation for this is the location of that awareness, which is specifically weak at senior executive level and symptomatic of the limited involvement that senior management has in security matters.
It is therefore entirely predictable that preparedness for espionage in its 21st century converged form is very weak among firms that have not been the subject of a significant breach. When assessing whether preparedness is appropriate, whether defensive measures are effective, and whether security measures in place are relevant to the nature of the threat, the vast majority of firms are found wanting. Typically, the advanced defensive measures & methods required to combat espionage are obsolete, incomplete, and imbalanced. Few firms enjoy any reassurance about their counter-espionage programs, as they have few steps in place to check and maintain the efficacy of their response.
Espionage is a complex problem requiring a sophisticated and elegant solution, which in turn requires a very different organizational mindset and approach to the security of digital assets and the management of vulnerable human elements in business processes. As a starting point, firms should call upon specialists that will do more than sweep for bugs in boardrooms, and those specialists could usefully start by addressing the underlying assumption that blocks progress towards a more effective counter-espionage posture: the assumption of immunity.
The majority of firms genuinely feel that they are not a target, that they are not vulnerable, and that no adversary would want to breach them; and this underlies the mindset of most executives. Even among firms that have been breached there is an alarming proportion that are oblivious to this fact, or have no idea of the consequences and implications of the breach, let alone that the main causes were NOT the exploitation of a single application.
So let's position a new assumption: that there are no trade secrets. What firms wish to keep confidential is always exposed to someone, and they can only hope either that they are friendly spooks or that the long-term effects are not catastrophic. If companies start with the assumption that they have been the victim of espionage, and that data is still being exfiltrated consistently, then they will quickly change their security dialogue & agenda considerably. For many firms it is complex to look for evidence of victimhood unless they bring in specialists. For executives who still believe that industrial espionage is for the conspiracy theorists, changing the assumption may prompt them to look for proof that they have NOT been breached. While that assessment also requires specialists to facilitate it, establishing the hypothesis is a process that will represent a first step in challenging risk perceptions.
It is not supposed to be a shortcut to establishing honeypots, decoys or countermeasures, but it is a first step in valuing what is at risk [in all senses of the word], and considering the 360 degree implications. If firms remain confident of their immunity, then they should ‘take the test’, employing a red team to demonstrate where and how assets, processes, and staff are vulnerable to espionage. It may prove to be the wake-up call that they have needed.
Ultimately, what are we aiming for in awareness month? Security professionals recognize that espionage will always represent ‘the unexpected’. But organisations need to accept this in order to develop the ability to anticipate the unexpected, and prepare for it without calling it a ‘black swan’ and raising their hands.

Posted: 16 October 2013 by Optimal Risk Admin