It all started on November 2nd, 1988 when a young grad student named Robert Morris got the brilliant idea to “gauge” the size of the internet. With the push of a button Morris sent his worm across the internet and infected nearly 6,000 systems. For the first time, computer owners began to understand that their systems were potentially vulnerable, and thus was born “cybersecurity”.
Three decades later, “cyber” has become one of the most overused and over-commercialized words in the mainstream media. This has created blind-spots in how many operate.
Corporations, governments and most importantly consumers, now know that the fundamental components of traditional cyber; firewalls, encryption, anti-malware/virus, etc. are no longer optional or nice to have. They are a requisite component of any modern business (thanks Target, Equifax, OPM, and friends). Cyber has become a matter of buying the next next gen, whether it’s firewalls, SIEMs, DLP, or the use of a managed security service. That’s where the definition of cyber gets muddled and loses sight of the real threats.
At Celsus we view the next evolution of cyber as the intersection of technical and psychological disciplines. This domain is known as Information Operations (IO), which may be manifested as campaigns that seek not only to compromise individual systems or networks, but to manipulate the data as it flows through those mediums. These actions are performed in order to directly impact the integrity of that data, or perception of what the data represents.
Does anyone remember when Red Cell / Red Team wasn’t a term heard in the commercial world? Now it’s cool, hip and next-gen. SIGINT, EW, SOCMINT are also common terms used by militaries and governments, but how often have you heard them from your security team? Let’s try another term that can be applied both externally and internally to your organization. COIN.
Modern counter-insurgency doctrine is less focused on destroying the enemy, as it is on winning the hearts and minds of the population at large. From a defensive infosec posture – does YOUR security organization try to win your hearts/minds with methods of “securing the enterprise?”. Convenience is the enemy of sekuritay, & social media platforms are a means to share information, exfiltrate data and shape perception of the battlespace…(cough) or any given environment. To bring it home, who does a better job of winning your heart & mind? Your security wonk who says no to everything and blocks your banking app? Or your group chat on Instagram/Facebook/Snapchat that affirms your confirmation bias? Then consider what happens when a large enough social media flashmob targets you, or any organization. Near instant vitriolic swarms of digital chaos and conflict.
Modern militaries recognize that simply being victorious on the battlefield is not enough. When it comes to cyber, advanced threat actors are no longer using stolen information just to sell credit cards on the dark web. Adversaries are weaponizing information with the intent to assert large scale influence over populations. We have to look no further than the 2016 election to see these principles at work. With roughly 67% of Americans relying on social media for their primary source of news, it’s easy to see the dangers ahead.
What about more direct effects such as Cyber Operations being utilized as a peacetime “show of force”? Think back to the 2007 cyberattacks on Estonia – but at least that was state on state. Fast forward 10 years to June 2017 where the NotPetya campaign was directed at commercial entities in order to express a national show of force. In an age of persistent low intensity conflict – does anyone actually believe in “peace time”? We don’t, and assuming you don’t either, please consider the following.
A more digestible historical analog of the Notpetya narrative might be the 1942-44 U-boat campaigns directed at civilian craft on the east coast of the US. U-boats were sighted as far north as Maine and as far south as the Gulf coast of Mexico. Whether or not Allied craft were legitimately “civilian” in nature, and not being used to shuttle information/fuel/people/weapons is a wonderful historical investigation!
Key take-aways for the reader are:
- The Axis powers targeted commercial entities to seed fear at a national level
- The abundance of disinformation being disseminated by BOTH Allies and Axis powers.
For those readers who are being freshly indoctrinated to the above concepts, welcome to a new world. In this world, if you develop a product, host a service or express an opinion that runs politically afoul of J-Random-Power structure (criminal, private, state) you are now a target. Brace for impact!
In closing, after 30 years of breaches and billions of lost dollars, isn’t it time we consider a new approach?
Let us introduce you to perception management campaigns: comprehensive, unconventional, asymmetric programs designed to specifically safeguard your most valuable asset, your data AND the public’s perception of your enterprise. We believe that perception campaigns and IO deconstruction operations are not IT solutions you can buy off a shelf. They are solutions that are tailored to the specific needs of an organization.
When it comes to defending against the emerging blended Cyber/IO threats…how fast can you run? With proper countermeasures in place, do you even need to run?
To quote one of our esteemed colleagues: “There is no need to be fast if you control time.”
Written by: Matt Russell, Daniel Nowak, & Roel Schouwenberg
P.S. Yes, we’re well aware the Morris worm was far from the first computer virus.