What should leaders do when operating in an environment like today’s, where serious threats of Russian cyber attacks against US infrastructure make a very high end attack a very real possibility?
We recommend leaders consider the following four strategic actions:
- Understand what is new about the threat
- Contextualize the threat for your business
- Ensure planning involves business leadership, not just IT and Security
- Monitor execution, especially on actions requiring people to think differently
More on each of those follows:
Understand what is new about the threat
For the last 25 years the cyber threat to the US has primarily been one of espionage and cyber crime. Destructive cyber threats have long been a concern and prudent defenses have been sought. But the highest end of threat actors (like Russia and China) were expected to be deterred since no rational actor would want to attack a nation that is also their market or attack a nation that reserves the right to respond militarily. For years there have been reports of high end Russian, Chinese and even Iranian actors targeting US power, transportation and water infrastructures, but defenses were always raised and expectations were that attacks would not come.
With new tensions including the Russian invasion of Ukraine these perceptions have been proven to be totally wrong and inadequate (we recognized this early on and provided initial insights into what to do about the threat here).
Not only did the theoretical possibility of a Russian attack increase as soon as the invasion started, action attacks were detected. High end Russian actors attacked Viasat, a US company, in an attempt to stop the ability of Ukrainian defenders from using this system. Many other attacks followed, including a major global operation where Russian government attackers placed malicious code on systems across the free world (which was learned about due to FBI action to mitigate the threat which some saw as over-reach, clearly they were desperate).
Other attacks were underway in the infrastructure of the US. The attacks resulted in unprecedented sessions coordinated by the national security council where over 100 CEOs were brought into White House meetings, then later special actions and campaigns of awareness by CISA, then later a first ever statement by a President on the dangers of an ongoing cyber attack. Awareness campaigns continue to this day in an attempt to make things harder on adversaries and reduce risk to our infrastructures.
Contextualize the threat for your business
Every business is different. The threat to your business needs to be contextualized to be mitigated. Although we provide tips on how to do that based on business size here, the new threat means new contemplation of what this means for your business is required. For most large complex organizations this will probably mean convening a strategy session with key leaders from across the organization where the new nature of the threat can be discussed. which leads to the next key recommendation, this needs to be treated as a business issue not just a security issue.
Ensure planning involves business leadership, not just IT and Security
Cyber attacks against the nation’s infrastructure and against infrastructures of other nations where your business or suppliers operate are issues for all leaders, not just cybersecurity and technology leaders. Leaders should examine topics of business resiliency and disaster response with an attitude towards long term business survival vice short term operations and should strongly support actions that will enable improved overall business resilience.
Monitor execution, especially on actions requiring people to think differently
This threat is so different it may be cause for actions many organizations never planned for. For example, organizations may need to rapidly learn to use new “out of band” secure communication systems for executive communications and for communications with staff and all employees. Organizations may need to learn to revert to manual paper copy interactions with suppliers, banks and other stakeholders. Boards may need to meet and exercise governance without access to online data of any sort. All of these are ways that businesses used to operate, but many skills in good governance without technology may have atrophied. Now may be the time to exercise them.
Although we mentioned above that far more than just the security and technology team need to be involved in solutions here, there are very likely many new actions that should be put in place by security and IT that could result in significant risk reduction but may have a short term business impact. For example, what if the IT team could replace a major component of infrastructure, perhaps email, for example, with a newer, more secure version, but what if that would result in a 2 day outage for the entire organization. That may be a good move right now. Another example of a hard decision might be a move to rapidly move to reduce the number of cloud services including SaaS applications used by the organization, or require more stringent login for access to the network.
This is a critically important time for leaders to check that systems have basic security controls in place by engaging outside experts (OODA operates in this space so reach out to us, if we can’t help we will find someone who will).
These are just a few of the types of decisions that organizations may need to make in the face of these new threats. Decisions that require many to do things differently can be hard to execute, which gets to the big point here. Execution on security improvements to mitigate this threat need to be monitored by the C-Suite. It is the only way the will get done.
Black Swans and Gray Rhinos
Now more than ever, organizations need to apply rigorous thought to business risks and opportunities. In doing so it is useful to understand the concepts embodied in the terms Black Swan and Gray Rhino. See: Potential Future Opportunities, Risks and Mitigation Strategies in the Age of Continuous Crisis
Cybersecurity Sensemaking: Strategic intelligence to inform your decisionmaking
The OODA leadership and analysts have decades of experience in understanding and mitigating cybersecurity threats and apply this real world practitioner knowledge in our research and reporting. This page on the site is a repository of the best of our actionable research as well as a news stream of our daily reporting on cybersecurity threats and mitigation measures. See: Cybersecurity Sensemaking
Corporate Sensemaking: Establishing an Intelligent Enterprise
OODA’s leadership and analysts have decades of direct experience helping organizations improve their ability to make sense of their current environment and assess the best courses of action for success going forward. This includes helping establish competitive intelligence and corporate intelligence capabilities. Our special series on the Intelligent Enterprise highlights research and reports that can accelerate any organization along their journey to optimized intelligence. See: Corporate Sensemaking
The OODAcast Video and Podcast Series
In 2020, we launched the OODAcast video and podcast series designed to provide you with insightful analysis and intelligence to inform your decision making process. We do this through a series of expert interviews and topical videos highlighting global technologies such as cybersecurity, AI, quantum computing along with discussions on global risk and opportunity issues. See: The OODAcast