
Resilience Ninja

Coaching and ideas to help build agile and resilient practices.


Jun 21 2011

Transference from Cyber to Real world

Contrasting sessions this morning, providing plenty to think about.

First up was the keynote – Richard Clark on Cyber Security. Clark has held various senior roles in the US Government, including key roles advising the White House on terrorism. Some of you may have read his book – Against All Enemies: Inside America’s War on Terror.

Today he was discussing where he thought the next big threat was – Cyber Attacks, and in particular the real world impacts that may flow from such events.

Clark described 4 general areas of Cyber attack, suggesting that we could visualise these in terms of overlapping circles:

  • Cyber Crime
    • Suggested that this was ignored, and perhaps encouraged by certain Eastern European states
      • I assume this is something they learned from the situation with the Mafia in Batista’s Cuba.
    • Apparently these organised cyber crime cartels are generating revenues similar to drug cartels
  • Cyber Espionage
    • This is undertaken for profit at times, cyber industrial espionage.
    • Also by sovereign states to steal national security secrets.
  • Hacktivists
    • In this case the hackers are aiming to prove that the target has weak security
    • Also to promote their own political cause
  • Cyber War
    • This is the new phenomenon, and seems to be proliferating – the equivalent of a cyber arms race.

Clark described the US Cyber Command, headed up by a 4-star General, and including the US Navy’s 10th Fleet. This fleet does not have any ships, just a flotilla of attack software.

The disturbing part is that the aim of this cyber warfare is not just to damage the other guy's computers, but by doing that to cause significant impacts in the real world. He used the case of Stuxnet as an example.

Here is an example that is potentially a cyber clandestine attack – specifically targeted to cause damage/destruction to electro-mechanical equipment by manipulating its controllers.

The same model of attack could be used, Clark argues, to bring down the electricity grid of a country by spinning out the generators and exploding them. They have simulated this, as you can see in this article. This would be a significant challenge for Disaster Management as the numerous generators we install for our offices & Data Centres would stop long before the central generating capacity could be renewed.

And also long before an efficient distribution system for generator fuel could be established.

Expect an escalation of tit-for-tat attacks; it seems that after Stuxnet, Iran has built up its military Cyber Command.

After Clark it was on to listen to Peter Power with a lighter presentation, “Innovate, Interact and Inspire: New thinking for new problems”. Continuing the focus of many of the other sessions, that our world is increasingly interdependent, Power presented his argument around the need to integrate our various risk approaches under a ‘resilience umbrella’.

I have reviewed a number of Power’s articles previously; here is an example.

Perhaps the high spot of my morning was the last session, or to be precise walking into the session, where I met Tim Armit. Tim is another person whose writing I have followed in the online world and was very pleased to actually meet in the real world. Thanks to this serendipitous encounter, we had the opportunity to chat and share our heretical views over lunch.

This meeting also made Bruce Blythe’s entertaining session, “Integrating Risk Management and Business Continuity with Crisis Management” even more useful.

Amongst other things, Bruce shared his key acronyms to help people focus on managing a crisis. Use CIA to provide some basic rules of thumb for what should be core areas of focus for the Crisis Manager:

  • Core Assets
    • These are what need to be protected
  • Impacted Stakeholders
    • Need to be identified and have their needs and concerns addressed
  • Anticipation
    • You need to be aware of how the situation may develop

The detail of the integration may not have been obvious; to me it is all part of the same fabric – BCM and CM need to be created to operate together.

I guess not all approach it that way.

 

Written by Coach K · Categorized: Conferences · Tagged: Bruce Blythe, Cyber Attacks, Peter Power, Richard Clark, Stuxnet, Tim Armit
