The results paid dividends by initiating a shared understanding of the environment, who was responsible for doing what and how cyber operations related to other activities across government. Fundamentally, defining a common language set the scene for how we approached risk and the governance required to ensure the necessary checks and balances were in place.
The same should be true for your organisation. In this series of posts I’ll be looking at some of the terms that could form the basis of your common language around cyber security.
Cyber security itself means different things to many people, so let’s begin with the basics.
What is Cyber Security and what does it involve?
“Strategy without tactics is the slowest route to victory. Tactics without strategy is the noise before defeat” Anon (but attributed to Sun Tzu)
Cyber security is an emotive mix of many fields of security. Some in the industry treat the term with a rolling of eyes as just another management catchphrase, while others think it’s just a technical consideration. Cyber security should rather be viewed holistically, bringing together legal, national, energy, physical, information, Radio Frequency (RF) spectrum, personnel and commercial considerations, to name a few.
Challenging the view that cyber security is more technical than holistic is the first obstacle that must be overcome.
A cyber security strategy should be comprehensive in its coverage, adequately resourced and be the mandate by which other activity is driven. Having lots of activity without a strategy is ineffective as duplication of effort may occur, or worse, there may be unseen holes in its coverage that could be exploited. The strategy should include a rigorous examination of risk in all its forms which in turn helps the cyber security expert visualise the gaps between the risks and the controls needed to mitigate them.
The cyber security regulatory landscape
Cyber security specialists need to be aware of the regulatory landscape to make sure everyone, from directors down, meets their legal obligations. There is little in the way of pure cyber security legislation in New Zealand, rather, it is expressed through Common Law such as the Crimes Act and the Privacy Act, while exposure to negligence is covered under Tort Law. The UK has legislation in the Computer Misuse Act, The Wireless Telegraphy Act and the Regulation of Investigatory Powers Act which regulate certain aspects of cyber security activities. There is scant international law on the subject and again, the statues are vested in other instruments such as International Humanitarian Law and United Nations General Assembly and Security Council Resolutions. The Tallin Manual is the only substantial document of guiding principles on international cyber law though it is not formally recognised or ratified in the international community. When seeking guidance on what is permitted cyber security activity or what protections are offered to you, awareness of these statutes and guidelines provides a good baseline.
There are no current New Zealand laws about compulsory data breach notifications, however it is the New Zealand government’s intent to keep in step with such laws in Australia and Europe. Hopefully New Zealand doesn’t go to the extent of the EU General Data Protection Regulations (GDPR), where data breaches attract fines of up to 4% of global revenue, but it is important to note that if you are holding data on EU citizens then you are bound by EU GDPR globally. Data breach notification is a means to an end. It should be enforced to protect people’s privacy through deterrence of corporate negligence, however embarrassing it may be. Over-regulation of any industry is traditionally expensive to administer and unlikely to be enforceable in this case. While there are obvious reputational issues about partial, late or non-disclosures, the industry has always been best served by learning from early, full and honest disclosures of those that have been breached.
Cyber security and national security
Cyber security underpins security of the nation. The ability for a government to govern, to defend itself, to provide essential services and to ensure prosperity for its people is inextricably linked to its ability to defend itself from cyber attack. The New Zealand government has invested wisely in the NZ CERT and CORTEX for these very reasons but governments can only do so much. Understanding how you contribute to the attack surface of a national infrastructure provider, a primary industry or a financial services organisation is a critical component of the cyber security and prosperity of the nation. The UK has taken step further by publicly acknowledging that it will actively seek out and disrupt cyber threats using offensive cyber operations in support of UK security objectives with some notable successes.
Cyber security and the RF spectrum
An oft-forgotten orphan of the information environment is the RF spectrum. We rely entirely on it for mobile phone and satellite communications; short range communications such as Bluetooth and wifi; positioning, navigation and timing information and accessing remote sites. It is also a critical enabler for the emergency services. Yet the RF spectrum provides myriad vectors for cyber attack, known in the military as electronic warfare. Any device that transmits will have an RF signature from which an adversary can collect information. And if a device can transmit then it is also likely that it can receive and process incoming signals. Unauthorised injection of RF waveforms into devices is at the heart of electronic warfare but the step up to cyber attack comes when the information or code on the device has been changed and that change persists when the energy from the RF attack stops. Recent examples of this include the theft of high-end cars that have keyless entry. This is only a step away from cyber clampware – the disabling of vehicles using cyber attacks until a ransom is paid (thanks @anunayar for highlighting this to me). This attack is unlikely to be weaponised on any large scale since there are few common vulnerabilities across the car industry that can be easily exploited by a single technique, especially where physical proximity to the vehicle is required. This contrasts with the computer industry where computers running Microsoft Windows (especially older versions of Windows) have a large market segment, making the return on the attacker’s investment more viable and it’s possible to make an attack remotely. Still, like we saw with the WannaCry ransomware attack, the attackers just need to structure their ransom demands cleverly to make it cheaper than calling for technical security support.
Mitigating RF vulnerabilities is not always easy. However, understanding your organisational reliance on the RF spectrum is a vital step in improving your cyber security. If reliance on a particular RF-enabled device is critical then having both redundancy and resilience are valid techniques. For example, if you require access to the GPS signal for accurate timing of financial transactions or phase synchronisation of power supplies, then you may wish to consider a holdover timing reference in case the signal is lost or jammed. If a device attached to an industrial control system has an RF capability but it is not required, then it should be disabled by default to prevent unwanted interference or injection of malicious RF signals.
Commercial agreements and cyber risk
There are increasing overlaps between cyber security and the world of commercial agreements. Organisations are ramping up information security compliance demands on their supply chains to minimise exposure to their own information environment. Seeking assurances and establishing risk ownership is a routine process when initiating contractual service agreements. However, the risks need to be carefully examined. While professional indemnity cover may insulate certain aspects of these agreements, transferring the risk out to cyber risk insurance policy may not actually cover the cost of any non-compliance.
Imagine a situation where a New Zealand firm provided services to an organisation responsible for holding data on EU citizens covered by EU General Data Protection Regulations (remember EU GDPR can fine up to 4% of global revenue). The NZ service provider had an agreement whereby they would be responsible for any fines that resulted from a security breach as a data controller or processor, which is fairly common, particularly for payment card industry (PCI) issues. But it’s ok because the NZ firm has professional indemnity and cyber liability insurance, right? Many cyber policies have a limit of liabilities of around NZ$10 million. If the European company has a global revenue of more than US$172.5 million (and there are thousands that do), that insurance cover would not be enough to cover the potential fines. Worse, if gross negligence were involved then it is possible that the insurance would not pay out at all. This is an extreme example to make a point but ironing out the limits of liability and the reasonable division of any responsibility in commercial agreements is a key role of those involved in cyber security.
A holistic view of cyber security
Those responsible for cyber security need to have a broad understanding of all organisational risk and not just focus on the technical challenges. Integrating with governance and risk processes is required to ensure that your exposure is properly managed and elevated to the appropriate level. This is especially important when dealing with regulatory issues but understanding the consequences of failure when dealing with national security or critical national infrastructure is non-discretionary. Looking beyond networks and appreciating your dependencies, such as the RF spectrum, sounds more like a business resilience task but we should be alert to all means where attacks can penetrate and disrupt our operations. More on that in my next post…