A couple of people have asked me to clarify what I mean by Sieges (and parasites) in terms of the first Siege post and the subsequent strategy/problem space framework post. Here’s a quick email I wrote that might help:
Sieges and Parasites:
From a collective non-aggressor entity perspective, cybersecurity “conflict” is functionally a siege of the collective environment: Non-combatants trying to maintain a minimum level of survivability while they’re surrounded, being drained of resources, and lack sufficient environmental influence/position to make effective risk decisions.
Compare/contrast Siege and Parasitic Environment as conflict types to: crime, espionage, battlefield warfare, natural events. The latter tend to be incident/event driven, whereas the risk and responses to a siege are more environmental over time, with incidents to individuals happening but being largely irrelevant except as they contribute to the overall lack of stability/freedom to operate.
This thought process got kicked off for me while reading about the siege of Sarajevo in particular. Imagine – you (a private org standing in as a citizen for this narrative) are in a city surrounded by artillery and snipers and you have to decide how best to keep getting water, which involves crossing several streets through town. Some streets are vaguely safer than others, usually, but not necessarily. You occasionally can see or have insight into the people on the hills, but not usually. There are dedicated defenders around, but they're not well positioned and lack the capacity to defend everyone all the time. Your resources are limited and your freedom to operate is constrained further over time as resources diminish. You can be hit at any time once you move from a standstill from your base/home (and even then, without change, you are at some risk). You sort of make up criteria for decisions that help you feel safer (has anyone crossed that street recently? Were they shot at?) but they aren't really indicative of actual risk.
In this case, trying to decide how and when to get water as a risk based decision is almost a nonsensical proposition: You don’t control your environment, you have a lot of exposure, and you lack relevant information that would change your situation significantly (this isn’t the same as lacking data, just helpful data).
This scenario is substantially different from how we look at cybersecurity and infosec today: Individual defenders, with sufficient skill and competency, access to resources indefinitely and as needed, on a relatively level playing field, trying to prevent, manage, or mitigate individual events on their own.
Ultimately, right now, we're asking a bunch of non-combatants (you know, most businesses) to have the capacity to effectively and sustainably participate in what is becoming a low level global conflict (inclusive of state to state, criminal, hacktivist, etc. activity) while under siege.
This is a broken model and will never, ever get us where we want to be (for more reasons than I’ll lay out here). We have to break the siege (thoughts on that being out of scope for the moment), which involves a level of strategic cooperation and unity that present culture, politics, business realities, and law do not allow.
(The Parasitic environment analogy is more specific to single-organizations, as it allows for specific targeting: https://sintixerr.files.wordpress.com/2015/01/hackervaluechain2.jpg )
Aside: Interestingly, though, from an aggressor standpoint, it might or *might not* look like either a siege or a parasitic environment – ie, aggressors acting individually and *without* coordination are contributing to creating a separate conflict type for defenders (Siege).
Pulled from a posting I made to SCADASEC:
Hard to believe that only 54 percent of those surveyed knew who to call in the event of a cyber incident or attack.
Why is this hard to believe? I think it's not only hard to believe but also somewhat astounding that we live in a world where we legitimately expect a substantial percentage of our control systems operators to have to know this information. Think about it. We're not asking them to be prepared for a hurricane, we're asking them – businesses – to have the knowledge and capability to participate (even if, in some cases, minimally) in what is becoming global conflict (the delineation between crime, war, espionage, vandalism, etc. is really immaterial to that statement). This isn't a series of potential incidents, it's an effective siege environment. Sieges drain resources, drain morale, and need a serious strategy to break, or those inside get overwhelmed eventually. Even with or without actual (public) incidents, the effect is the same here.
"Fifty-three percent of respondents have experienced at least one malicious cyber attack on their control system networks and/or cyber assets — **that they were aware of** — within the past 24 months." – WOW!
I can't emphasize enough how... irrelevant... "incident" and "attack" incidences are when taken individually, or even as concepts that can be individualized and counted. The long term damage will be in environmental predictability, resource allocation, trust, and increasing cost of doing business. Maybe something really bad might happen as an event, but whether it does or not, the foundational environment can't sustain this level of conflict and risk indefinitely without cascading consequences.
Instead of concentrating on managing incidents, responding to incidents, etc., we should be taking a serious look at what environmental (technical, legal, social, political) changes we can make to break the overall siege. Anything focused on incident management directly is a two-edged sword: It keeps us feeling like we're treading water at the cost of resources dedicated to fixing the long term problems (and incident management capability for individual organizations is *not* solving a long term problem).
All In My Late Night Humble Opinion. Take it as you will.