Imagine that:

  • Cybersecurity is a never-ending chess game
  • Your pawns are your cybersecurity capabilities
  • Your named pieces are the rest of your business capabilities
  • Your infrastructure is only the board and provides no inherent (or strategically relevant) defensive capability
  • Your business is controlled by those pieces on your side of the board
  • There are many players – nations, criminal gangs, auditors, competitors and others
  • Their goal is control of your business by outmaneuvering your pieces, not taking them
  • These players’ infrastructure is also part of the board
  • You can’t always identify who made which move or whether a move was made at all
  • Your competitors cannot lose
  • You cannot win; you can only limit the amount of time your competitors control your side of the board, or convince your opponents to invest fewer resources in the cyber game
  • All past, present, and future APT1 activity is a single move by a single player
  • And this chess game connects to all of the non-cyber games as well

Example:

China: “My move is to use my military to employ semi-autonomous actors in an ambiguous way that will look like they’re just going for the 3rd row of the board, but I hope you won’t notice that it’s really to tie up your pawns (security capabilities) and misdirect/abuse your named pieces (business capabilities) in a way that will allow my other pieces to reach your side of the board in 2 moves so that I can influence your business’s behavior in a way that will create LONG TERM economic instability in an area important to the other geopolitical chess games I’m playing.”

APT1 is a tactic – a means to a larger end. Whether China breaks into a given piece of infrastructure on a given day in a given way is irrelevant. Similarly, “regularly and consistently apply patches” is a tactic – a move – with a pawn (the security capability) that may have to move differently later (revamp patching) to counter oppositional moves. This is as independent of a given system/vulnerability combo set as is the Chinese-Ops-Capability when they decide to engage in APT1 activities over time (a single move) to create space for Chinese-Secret-Capability to make a “utilize sabotage activities” move if it needs to. A good question to ask here is: what are your named pieces doing? (Your CEO? Your COO? Your CFO? Your sales teams? Your marketing teams?) Are they proactively being used to strategically minimize access to your side of the board, or are you relying on the limited tactical strength of your pawns (security capabilities) to do all the work?

It’s worth noting that the competition isn’t trying to break into your infrastructure; it’s trying to strategically create value for itself from your business using your infrastructure over time. Individual attacks (past or potential), attack mechanisms, and even technical vulnerability classes are not meaningful in terms of the kind of risk management required to inform strategy at this level. Here, under these rules, the things we do, both technically and from a risk management perspective, become very different. Instead of saying “Ok, we need to protect against… APT… and we need to protect against… the possibility of a DDoS attack…”, we should instead be asking “how do we optimize decision making in a way that will minimize the ability of others to manipulate our business in the most sustainable, cost-effective way?”

And that leads to…that thing everyone says we need but can’t articulate in concrete terms: sustained strategic resilience :)

So…ask yourself:

How well is your organization playing? Does it even know these are the rules?