Category Archives: Corporate Cyber Strategy

Business leaders need to own cyber security

Consultants and IT staff often have more degrees of freedom than they need. Corporate cybersecurity requires a business leader to make the decisions, be personally invested, and lead the security work the same way they lead the business. The intent and guidance of the business leaders need to be visible. In reality, this is usually not the case. Business leaders rely on IT staff and security consultants to "protect us from cyberattacks." The risk is obvious: IT staff and consultants are not running the business, lack a complete understanding of its strategy and direction, and therefore cannot prioritize which information assets matter most to protect.

Inflation – the hidden cyber security threat

Image: By Manuel Dohmen – Own work, CC BY-SA 3.0, https://commons.wikimedia.org/w/index.php?curid=185802

In cyberspace, the focus is on threats from malicious activity, a tangible threat. A less obvious threat is inflation, which undermines any cyber organization by eroding its budget and its employees' real compensation. If not addressed, inflation can drive unexpected resignation rates and jeopardize ongoing cyber efforts, including the U.S. Defense Department's migration to cloud-based services. The competition for cloud security talent in the private sector is already razor-sharp.

There are different ways to build and maintain a cyber workforce: recruit, retrain and retain. The competition between the DoD and the private sector for talent directly affects recruitment and retention. Inflation and the shortage of skilled cyber professionals intensify the competition between the federal and private sectors for much-needed talent. Retraining professionals to join the cyber workforce is costly, and if the incentives to stay in the force are not in place, the investment is short-lived because retrained cyber talent moves on. Inflation creates a negative outlook for recruiting, retraining, and retaining cyber talent.

Inflation expectations in 2022 are the highest in decades, which will directly raise the cost of attracting and retaining a cyber workforce. Even if peak inflation proves temporary, driven by COVID-19 and by disruptions in supply chains and financial markets, the pressure for higher compensation is a reality today.

What does it mean in practical terms?

According to the Wall Street Journal, salaries for white-collar professionals will increase in 2022 by roughly 10%, while the federal workforce can expect an increase of less than a third of the private sector's gains. The resulting salary gap is likely far wider in the cyber workforce.

For example, browsing current job ads, a manager for incident response in Rhode Island is offered $150,000-$175,000 with the ability to work from home and zero commuting. A fair guess is that the equivalent federal GS position pays 20-30% less, with work taking place from 8:30 a.m. to 4:30 p.m. in a federal facility; not to mention cloud security, where large players such as Amazon Web Services are actively recruiting from the federal sector.

An increasing salary gap directly impacts recruitment, as the flow of qualified applicants dries up because of the private sector's compensation advantage. Based on earlier data, the salary difference will also trigger decisions to seek early retirement from the DoD, to pursue a second civilian career, or to leave federal civilian service for the private sector.

The flipside of an all-volunteer force is that in the same way service members volunteer to serve, individuals have the option at the end of their obligation to seek other opportunities instead of reenlistment. The civilian workforce can leave at will when the incentives line up.

Therefore, if we face several years of high inflation, an increasing imbalance in incentives between the public and private sectors, favoring the private sector, should not come as a surprise.

The U.S. economy has not seen high inflation since the 1970s and early 1980s. In general, most of us are inexperienced in dealing with steadily rising costs and budgets that adjust only with a lag. Inflation creates a punctuated equilibrium for decision-makers and commanders that could force hard choices, such as downsizing, reorganization, and diluting the mission's core goal because of an inability to deliver.

Money is easy to blame because it overshadows other, more complex questions, such as the soft factors that support cyber talent's job satisfaction, sense of respect, and recognition. It is unlikely that public service can compete with the private sector on compensation in the coming years.

So to retain talent, it is essential to identify the factors other than compensation that make cyber talent leave, and then mitigate those negative factors that lower the threshold for resignation.

Today’s popular phrase is “emotional intelligence.” It might be a buzzword, but if the DoD can’t compete with compensation, there needs to be a reason for cyber talent to apply and stay. In reality, inflation forces any organization that is not ready to outbid every competitor for talent to take a hard look at its employee relationships and what motivates its workforce to stay and be a part of the mission.

These choices might be difficult because they could force cultural changes in an organization. Whether it is dissatisfaction with bureaucracy, an unnecessarily rigid structure, a genuinely low interest in adaptive change, one-sided career paths that fit the employer but not the employee, or whatever other reason might encourage cyber talent to move on, it needs to be addressed.

In a large organization like the DoD and the supporting defense infrastructure, numerous leaders are already addressing the fact that talent competition is not only about compensation but also about building a broad, positive career trajectory. Inflation intensifies the need to overhaul what attracts and retains cyber talent.

Jan Kallberg, Ph.D.

Prioritize NATO integration for multidomain operations

After U.S. forces implement the multidomain operations (MDO) concept, they will have entered a new level of complexity, with rapid multidomain execution and increased technical abilities and capacities. The U.S. modernization efforts enhance the country's forces, but they also increase the technological disparity and the integration challenges within NATO. A future fight in Europe is likely to be a rapidly unfolding event, which could occur as a fait accompli attack on NATO's eastern front: a rapid advance by the adversary to gain as much terrain and bargaining power as possible before major U.S. formations arrive from the continental United States.

According to the U.S. Army Training and Doctrine Command (TRADOC) Pamphlet 525-3-1, “The U.S. Army in Multi-Domain Operations 2028,” a “fait accompli attack is intended to achieve military and political objectives rapidly and then to quickly consolidate those gains so that any attempt to reverse the action by the [United States] would entail unacceptable cost and risk.”

In a fait accompli scenario, limited U.S. forces are in theater, and the initial fight relies on the abilities of the East European NATO forces. The mix is a high-low composition of highly capable but small rapid-response units from major NATO countries and less capable regional friendly forces.

The wartime mobilization units and reserves of the East European NATO forces largely follow a 1990s standard, with partial upgrades in communications and technical systems. They represent a technical generation behind today's U.S. forces. Even though these dedicated NATO allies are launching modernization initiatives and replacing old legacy hardware (T-72, BTR, BMP, post-Cold War-donated NATO surplus) with modern equipment, it is a replacement cycle that will take up to two decades to complete. Smaller East European NATO nations tend to execute modernization programs faster, because of their limited number of units, but they still face the problem of integrating a variety of inherited hardware, donated Cold War surplus, and recently purchased equipment.

The challenge is NATO MDO integration and creating an able, coherent fighting force. In MDO, the central idea is to dis-integrate the enemy's system and break loose to carry the fight deep into enemy territory. TRADOC Pamphlet 525-3-1 defines dis-integration as follows: "Dis-integrate refers to breaking the coherence of the enemy's system by destroying or disrupting its subcomponents (such as command and control means, intelligence collection, critical nodes, etc.) degrading its ability to conduct operations while leading to a rapid collapse of the enemy's capabilities or will to fight. This definition revises the current doctrinal defeat mechanism disintegrate." The utility of MDO in a NATO framework requires a broad implementation of the concept across NATO forces, not only within U.S. forces.

The concept of dis-integration has a counterpart in Russian military thought and doctrine, defined as disorganization. The Russian concept seeks to deny command and control structures the ability to communicate and lead, by jamming, cyber operations, or physical destruction. Historically, Russian doctrine has focused on disrupting the defending force's ability to coordinate, seeking to encircle it and maintain a rapid advance deep into the territory so that the defense collapses. From a Russian perspective, the key to a successful fait accompli attack is the ability to deny NATO-U.S. joint operations and exploit NATO's inability to create a coherent multinational and technologically diverse fighting posture. The concept of disorganization has emerged strongly over the last five years in how the Russians see the future fight. It would not be too farfetched to assume that the Russian leadership sees an opportunity in exploiting NATO's inability to coordinate and integrate all elements in the fight.

The lingering concern is how a technologically advanced and doctrinally complex U.S. force can realize the leverage embedded in these advances if the initial fight occurs in an operational environment where the rapidly mobilized East European NATO forces are two technological generations behind, especially when the Russian disorganization concept appears to aim precisely at denying that leverage and exploiting a fragmented NATO force.

NATO has been extremely successful in safeguarding the peace since its creation in 1949. NATO integration was easier in the 1970s, with large NATO formations in West Germany and fewer countries involved. Multinational NATO forces exercised continuously, with active interaction among leaders, units and planners. Even then, the Soviet/Russian concept was to break up and overrun the defenses and strike deep into the territory.

Increased technical disparity within NATO's multinational forces, potential doctrinal misalignment in the larger Allied force, and a strengthened Russian interest in exploiting these conditions should together drive a stronger focus on NATO integration.

The future fight will not occur at a national training center. If it happens in Eastern Europe, it will be fought together with European allies from numerous countries, in terrain they know better. As we enter a new era of great power competition, the U.S. brings ability, capacity and technology that will ensure NATO mission success if they are well integrated into the multinational fighting force.

Jan Kallberg, Ph.D.

Private Hackbacks can be Blowbacks

The demands for legalizing corporate hack backs are growing, and there is significant interest among private actors in using hack back if it were lawful. If private companies obtained the right to hack back legally, the risk of blowback is likely greater than the opportunity and potential gains from private hack backs. The proponents of private hack back tend to build their case on a set of assumptions. If these assumptions do not hold, private hack back is likely to become a federal problem through uncontrolled escalation and spillover from these private counterstrikes.

-The private companies can attribute.

The idea of legalizing hack back operations rests on the assumption that the defending company can attribute the initial attack with pinpoint precision. Giving a defending company the right to strike back presumes that it can determine beyond doubt which entity was the initial attacker. If attribution is not achieved with satisfactory granularity and precision, a right to cyber counterstrike becomes a right to strike anyone on suspicion of involvement. As of today, very few private entities can determine with high granularity who attacked them and trace the attack back so that a counterstrike would be accurate. The lack of norms, combined with a right to strike back even when the counterstrike is imprecise, would increase entropy and deviation from emerging norms and international governance.

-The counterstriking corporations can engage a state-sponsored organization.

Things might spin out of control. The old small-unit tactics rule applies: anyone can open fire, but only geniuses get out unharmed. The counterstriking corporation believes it can handle the adversary, assuming it is an underfunded group of college students hacking for fun, and later finds out that it is a heavily funded and highly capable foreign state agency. Before a counterstrike, the counterstriking company would have limited means to determine the true size of the initial attacker and the full spectrum of resources available to it. A probing counterattack would not be enough to determine the operational strength, ability, and intent of the potential adversary. Embedded in the assumption that the counterstriking corporation can handle any adversary is the further assumption that there will be no uncontrolled escalation.

-The whole engagement is locked in between parties A and B.

If there is an assumption of no uncontrolled escalation, then a follow-up assumption is that the engagement creates a deterrence that prevents the initial attacker from continuing to attack. The defending company needs to be able to counterattack with enough magnitude that the initial attacker is deterred from further attacks. Once deterrence is established, the digital interchange will cease. The question is how to establish deterrence, and against which array of cyber operations, without causing any damage. If deterrence cannot be established, the result would likely be escalation or a strict tit-for-tat game without any decisive conclusion, continuing until the initial attacker decides to end the interchange.

-The initial attacker has no second strike option.

The assumption is that the interchange will occur with a specific set of cyber weapons and aim points, so it cannot lead to further damage; even if the initial attacker intended to rearrange targets, aims, and potential impacts, there would be no option to do so. A new round of strikes would not count as uncontrolled escalation as long as the targeting stayed within the same realm and values as the earlier strikes. But a second-strike option for the initial attacker could hit entirely new targets at the attacker's discretion, and it is more likely that the initial attacker has second-strike options that the initial target is unaware of at the moment of the counterstrike.

-The counterstriking company has no interests or assets in the initial attacker’s jurisdiction.

If a multinational company (MNC) counterstrikes against a state agency or state-sponsored attacker, the MNC could face repercussions if it has assets in the jurisdiction of the initial attacker. Major MNCs have interests, subsidiaries, and assets in hundreds of jurisdictions. The Fortune 500 companies have assets in the US, China, Russia, India, and numerous other jurisdictions. The question is then: if MNC "A" counterstrikes a cyberattack from China, what are the risks for the "A" MNC subsidiary "A in China"? A related issue arises if, through improper attribution, MNC "A" counterstrikes from the US against foreign digital assets that had no connection with the initial attack, which constitutes a new, unjustifiable and illegal attack on foreign digital assets. The majority of the potential source countries for hacking attacks are totalitarian and authoritarian states. A totalitarian state can easily, and within its reach, switch domains and seize property, arrest innocent business travelers, and act in other ways in response to a corporate hack back. I am not saying that we should let totalitarian regimes act any way they want; I am only saying that it is not for private corporations to engage and seek to resolve. Interacting with foreign governments is the government's domain.

The idea of legalizing corporate hack backs could lead to increased distrust and entropy, and be counterproductive to the long-term goal of a secure and safe Internet.

Jan Kallberg, PhD

Jan Kallberg is a research scientist at the Army Cyber Institute at West Point and an assistant professor in the department of social sciences at the United States Military Academy.

The views expressed are those of the author and do not reflect the official policy or position of the Army Cyber Institute at West Point, the United States Military Academy or the Department of Defense.