Retired Lieutenant General Rhett Hernandez, the first commander of US Army Cyber Command, has a great write-up on today’s cyber threats and the types of strategy organizations need to consider to properly defend their assets:

Cybercriminals are just beginning to think about the ways in which they can leverage their abilities. Any belief that if we pay them it will be okay will break down. You can’t trust agreements between people with values and people without values. Paying them will not ease the pain. Defining and mitigating the risk to prevent these threats from making you a victim is the key. And if prevention fails, your resiliency will depend on how prepared you are to recover and restore operations.

Taken together, the overall threat from cybercrime will result in far more expense to companies—not just from the breaches themselves, and working to prevent them, but also from litigation and, in all likelihood, additional regulation. Breaches at companies over the last year, especially Equifax, generated increased scrutiny among lawmakers and regulators around the country—and on Capitol Hill. Expect a growing push for companies to start to do some of the necessary security basics.

In this environment, the main issue for CEOs and top leaders isn’t which software to buy. When it comes to cybersecurity, culture is the most important thing because people are the weakest link. It isn’t just in corporate America. In every large organization, including the Army, where high discipline and high standards are expected, people often fall short, given the anonymity the virtual world provides. In my experience, soldiers—and employees—often fail to remember that a risk to one is a risk to all.

After discussing threats, Hernandez gets into techniques leaders should employ to counter the cyber threat. Most of the ideas are common sense, but you would be surprised how many in upper management do not know how to develop a sound cyber defense strategy.

But Hernandez is right that the primary issue is culture. The weakest link in the security chain is usually what ends up letting an attacker breach a network, and that link is far more often a person than a product. Ensuring corporate culture prioritizes security pays huge, if hard to quantify, dividends. It does not guarantee breach prevention, but it definitely helps ensure employees are far more cognizant of the threat, take it seriously, and take the individual steps available to them to thwart attacks.

Just as safety is ingrained in most corporate cultures, cyber security needs to be at the forefront of people's minds whenever they operate or access their organization's IT assets, whether those assets sit on premises or in private or public cloud environments.

Dark Reading discusses how nation-state cyber attacks appear to have adopted the Russian "maskirovka" military doctrine:

Positively identifying the actual threat group behind a cyberattack as well as its true intentions is getting harder than ever as nation-state hacker groups out of North Korea and Russia, for example, in 2017 employed tactics typically used by their cybercriminal counterparts, and vice versa. In May of last year, North Korea’s massive ransomware campaign WannaCry at first appeared to be the handiwork of traditional financially motivated hackers, while Russia’s data-destruction attack via NotPetya initially presented itself as a pure ransomware attack.

The cloak-and-dagger feature of NotPetya, for example, reflects a Russian military doctrine called “maskirovka,” which is all about deceiving and confusing the victim, while also hiding the actual intent of the operation, according to CrowdStrike. “Although NotPetya was eventually revealed to be a wiper, the veneer of ransomware delayed this initial assessment,” the security firm wrote in its new Global Threat Report published this week, which analyzes findings and trends from its incident response investigations and data from its cloud-based Falcon endpoint detection system in 2017.

The destructive NotPetya attack was a data-wiping campaign against Ukraine that also hit companies in the US (Merck and Federal Express), Russia’s top oil company Rosneft, Danish shipping giant A.P. Moller-Maersk, Russian metals manufacturer Evraz, as well as Ukraine’s Boryspyl Airport. In rare public attack-attribution statements, the US, UK, Canada, New Zealand and Australia, this month all pointed the finger at Russia as the culprit.

In the context of military operations, cyberspace is still relatively new compared to the traditional domains of land, sea, and air. Given that immaturity, it is only natural for nations to iterate and for their strategies to evolve. What we saw ten years ago is not what we are seeing today, and it will not be what we see ten years from now.

The Russian "maskirovka" doctrine is far easier to pull off in a cyber attack than in a kinetic one. Attribution of an intrusion rests on artifacts the attacker controls: language strings and compiler timestamps in the binaries, reused infrastructure and tooling, and the tactics observed on the target. Every one of those can be staged or borrowed from another group. It should come as no surprise to see nation states deliberately planting such evidence to defeat forensic attempts to attribute an attack to a specific actor.

Relatedly, the idea behind "maskirovka" is the basis for conducting a false flag operation: a malicious actor frames a different group for an attack, both to avoid discovery and to deceive and confuse the intended target(s). Once again, the nature of how cyber attacks are executed makes a false flag far easier to pull off than it would be in the physical world.

One of the reasons the US government is keen to pass cyber security information sharing legislation (forget the fact that it's actually a surveillance bill) is that it recognizes how useful it is to learn from lessons others have had to endure. This is the standard US government modus operandi for everything it does. So it should come as no surprise to see many industry cyber security professionals proclaim the usefulness of crowdsourcing cyber security (emphasis added):

Consumer healthcare products provider Johnson & Johnson is also a big believer in security crowdsourcing. “Our company gathers intelligence feeds from various sources, internal and external,” says Mary Chaney, director of worldwide information security at Johnson & Johnson.

That includes its relationship with the Healthcare and Public Health Information Sharing and Analysis Center (NH-ISAC), which works to improve the resilience of the nation’s critical infrastructure against physical and cyber security threats.

Led by the healthcare industry, NH-ISAC is recognized by such entities as the U.S. Department of Health and Human Services, Health Sector-Coordinating Council, U.S. Department of Homeland Security, National Institute of Standards & Technology, as well as law enforcement agencies.

“Internally, we seek to engage physical, social media relations and other groups that are ‘listening’ for different types of information about the company but could offer insight on things that have a cybersecurity impact,” Chaney says.

The company has an Intelligence and Trending group within its Security Operations Center, whose sole responsibility is to gather intelligence sources and determine how incoming data might apply to Johnson & Johnson’s environment.

Chief Information Officers have historically ignored the concerns of security because they are primarily invested in ensuring operations continue, even if that means taking on unnecessary risk. That is about to change as companies come to believe that adding cyber security experts to the boardroom will translate into an effective defense strategy (emphasis added):

The privately held Pasadena firm’s latest board member is Suzanne Vautrinot, a retired Air Force major general who helped create the Department of Defense’s U.S. Cyber Command and led the Air Force’s IT and online battle group.

Parsons is at the forefront of a fast-expanding trend in corporate governance: the elevation of cybersecurity experts to the boardroom, a perch traditionally occupied by former CEOs and specialists in marketing and finance.

In recent months, AIG, Blackberry, CMS Energy, General Motors and Wells Fargo have added a board member with computer-security knowledge. Delta Air Lines and Ecolab did the same in recent years.

The reasons are clear. Cyberattacks on large companies skyrocketed 44% last year from 2013. Cybercrime costs businesses more than $400 billion a year, according to Lloyd’s of London.

Boards are responsible for advising chief executives on setting goals and plans to achieve them, and to question the challenges standing in the way. Not adequately addressing a cybersecurity risk could prove costly — in money, reputation, legal bills, lost time and lost customers.

Just ask Target. Since hackers breached its payment systems two years ago, Target has spent $256 million cleaning up the mess, with insurance expected to cover about a third. Though costing a small slice of revenue, the damage was enough to sack the chief executive and scare away many customers for several months. Government investigations and several lawsuits from affected customers and business partners are ongoing.

Defense-in-depth is not a new concept, but the layered security architecture continues to evolve as IT departments adopt new technologies to save money and increase efficiency (emphasis added):

If blocking Flash and embracing HTML5 aren’t enough to protect businesses from unknown threats – because, as we all know, it’s just a matter of time before another zero-day vulnerability is discovered – what can you do that’s practical, reliable, and cost-effective?

Businesses shouldn’t assume that their existing prevention-based tools are doing the job; because chances are, they aren’t. But it’s not because the tools in themselves are necessarily flawed or out-of-date. It’s because they aren’t working together to cover as much of the attack surface as possible. And that’s where adopting a layered approach makes all the difference.

A layered approach involves implementing defensive measures at the four most vulnerable points on the attack surface:

There is not much here that most security professionals do not already know, but it is a good reiteration of what is necessary.

Federal Times on how the new Department of Defense cyber strategy stresses deterrence and offensive power more than its primarily defense-oriented predecessor (emphasis added):

While the idea of deterrence may hark back to the Cold War, it is a critical piece of the new strategy and one that Carter underscored in an April 23 address at Stanford University in which he unveiled the new plan.

“Adversaries should know that our preference for deterrence and our defensive posture don’t diminish our willingness to use cyber options if necessary,” Carter said. “And when we do take action — defensive or otherwise, conventionally or in cyberspace — we operate under rules of engagement that comply with international and domestic law.”

Those rules of engagement might not include a military retaliation to a high-profile hacking incident like the one that recently hit Sony. But when such events happen and all eyes are on cybersecurity, the cyber strategy signifies the U.S. military’s presence and capabilities if something similar were to happen to a .mil network or another network deemed to be a U.S. national interest meriting defense from DoD. It also outlines how the Pentagon may coordinate with other key agencies in such a situation.

“This fits into strengthening deterrence, which is important after Sony, and even more important to signal to the Russians and Chinese,” said Jim Lewis, director and senior fellow of the Strategic Technologies Program at the Center for Strategic and International Studies. “They also want to get the public more comfortable with what DoD can and can’t do in cyberspace. It reiterates the defensive mission outside borders, offensive and defensive capabilities, and also an objective to support the Homeland Security Department and the FBI.”

Details related to those offensive or defensive capabilities in DoD’s cyber arsenal may be new to the DoD cyber discussion, at least as far as the general public is concerned. But insiders say it’s no different than the ways weapons are discussed in relation to operations on land, in the air and at sea.

This is exactly where the DoD needs to be headed. It needs to get out in front of cyber rather than be left behind by the likes of Russia, China, Iran, and other highly sophisticated nation states.

FierceGovernmentIT on an ODNI paper arguing that letting cyber warfare overshadow the concept of "netwar" puts the US at greater, unnecessary risk:

While many government officials are focused on cyberwarfare following a spate of high-profile cyberattacks including the recent Office of Personnel Management data breach allegedly by Chinese hackers, a new paper states that another concept called “netwar” – a psychological force that’s increasingly related to cyber – deserves more attention.

The paper (pdf), released June 11 by the Office of the Director of National Intelligence, defines netwar as “intentional activities [meant] to influence the domain of human perception via either overt or hidden channels, in which one or more actors seeks to impose a desired change upon the perception of another actor, in order that this change facilitate second-and third order effects of benefit to them.”

Specifically, the term, coined in the 1990s and redefined in this paper, refers not to physical force but to elements of psychological force such as propaganda, although netwar perpetrators might use cyber systems and tools to carry out their objectives.

“Would any national security scholar or practitioner dispute that at least some components of netwar – for example, deliberate combinations of diplomacy, propaganda, and manipulation of media – seem to be growing in the modern geopolitical space?” poses the paper’s author, Robert Brose, who is lead for futures and capability development at ODNI.

Interesting read.