Information security — or what is commonly referred to as ‘cyber’ — has dominated the narrative in this week’s hearings on Capitol Hill about the Russian interference in the 2016 elections. Despite the political noise, a fact-based public debate on how to deal with strategic and targeted attacks is what’s needed now to develop better defenses for all – businesses or government organizations. There is universal agreement that a highly motivated and unapologetic entity has conducted an advanced and persistent campaign to disrupt, undermine and gain power over its strategic adversary. The questions become: what have we learned from the 2016 campaign, and how are we going to adapt to prevent similar cyber campaigns in the future? The alleged attempt by Russia to influence the outcome of the US elections is today’s news. Yet this has not been, and will not be, the last time such operations are conducted by nation-states, including our own.
From Titan Rain in the early 2000s and Operation Aurora/Hydraq in 2009-2011 to Red October, Eurograbber and the infamous Sony intrusion, to name just a few, we see that well-funded global technology providers may still bend under the pressure of advanced and persistent intrusions run by highly skilled cyber teams. In every circumstance, the pattern is: break in, harvest information and use it to gain influence.
If recent history is any lesson, the 2016 election has shown that complexity is often the primary source of weakness. Take the 2016 election campaign: years’ worth of private, high-value conversations were extracted from an unauthorized communication system and later strategically exposed to the public for a larger political effect. It is unlikely that any decisions to retain high-target sensitive information were made because sanctioned technologies were too simple and convenient.
Why do we still hope to teach end users to use complex products in the name of security? Do we, for example, rely on employees to never take a picture of a whiteboard or to ensure their phone settings are such that the picture is not stored in the cloud? Do we train our teams to make sure all IP is permanently deleted when it is no longer useful? Do we provide corporate phones that won’t talk to the internet and expect people not to use their personal devices? Or do we realize that they will default to the convenience of their own machines and provide them with an easy-to-use application that auto-deletes proprietary information?