OODA Loop – Four urgent C-suite actions to prepare for high-end cyberattacks
What should leaders do when operating in an environment like today's, where serious threats from Russian cyberattacks against US infrastructure make a very high-end attack a very real possibility? We recommend leaders consider the following four strategic actions:
- Understand what’s new in the threat
- Contextualize the threat to your business
- Make sure planning involves business leadership, not just IT and security
- Monitor execution, especially on actions that require people to think differently
More on each of these follows:
Understand what’s new in the threat
Over the past 25 years, the cyber threat to the United States has been primarily espionage and cybercrime. Destructive cyber threats have long been a concern and careful defenses have been sought. But the most threatening actors (like Russia and China) were expected to be deterred, because no rational actor would want to attack a nation that is also its market or attack a nation that reserves the right to respond militarily. For years there have been reports of Russian, Chinese and even Iranian high-end actors targeting US power, transportation and water infrastructure, but defenses have always been tightened and expectations were that attacks would not happen.
With new tensions, notably the Russian invasion of Ukraine, these perceptions have proven to be totally wrong and inadequate (we recognized this early on and provided a first glimpse of what to do about the threat here).
Not only did the theoretical possibility of a Russian attack increase from the start of the invasion, but actual attacks were detected. High-end Russian actors attacked Viasat, an American company, in an attempt to prevent Ukrainian defenders from using the system. Many more attacks followed, including a major global operation where Russian government attackers placed malicious code on systems across the free world (this was learned through FBI action to mitigate the threat, which some considered too extensive; they were clearly desperate).
Other attacks were underway in the infrastructure of the United States. The attacks resulted in unprecedented sessions coordinated by the National Security Council where more than 100 CEOs were brought to White House meetings, then later special actions and awareness campaigns by CISA, then later a first-ever statement from a president on the dangers of an ongoing cyber attack. Awareness campaigns continue to this day in an attempt to make it harder for adversaries and reduce risk to our infrastructure.
Contextualize the threat to your business
Every business is different. The threat to your business must be contextualized to be mitigated. While we provide guidance here on how to do this based on company size, the new threat means new thinking about what it means for your business. For most large, complex organizations, this will likely mean convening a strategy session with key leaders from across the organization where the new nature of the threat can be discussed. This leads to the next key recommendation: this needs to be treated as a business issue and not just a security issue.
Make sure planning involves business leadership, not just IT and security
Cyberattacks against the country’s infrastructure and against the infrastructure of other countries where your company or suppliers operate are problems for all leaders, not just cybersecurity and technology leaders. Leaders must look at the topics of business resilience and disaster response with an attitude toward long-term business survival versus short-term operations and must strongly support actions that will improve overall business resilience.
Monitor execution, especially on actions that require people to think differently
This threat is so different that it can cause actions that many organizations never anticipated. For example, organizations may need to quickly learn how to use new secure “out-of-band” communications systems for communications with management and for communications with staff and all employees. Organizations may need to learn to revert to manual, paper-based interactions with suppliers, banks, and other stakeholders. Boards of directors may need to meet and exercise governance without access to online data of any kind. All of these methods were used by companies to operate, but many good governance skills without technology may have atrophied. Now might be the time to exercise them.
Although we mentioned above that much more than just the security and technology team needs to be involved in the solutions here, there are most likely many new actions that should be put in place by security and IT which could lead to a significant reduction in risk but which could have a commercial impact in the short term. For example, what if the IT team could replace a major infrastructure component, perhaps email, with a newer, more secure version, but that resulted in an outage of 2 days for the entire organization? It might be a good decision right now. Another example of a difficult decision could be a decision to act quickly to reduce the number of cloud services, including SaaS applications used by the organization, or to require stricter logging to access the network.
This is an extremely important time for leaders to verify that systems have basic security controls in place by engaging outside experts (OODA operates in this space, so contact us; if we can’t help, we’ll find someone who will).
These are just some of the types of decisions organizations may need to make in the face of these new threats. Decisions that require many to do things differently can be difficult to execute, which brings us to the important point here. The execution of security enhancements to mitigate this threat should be monitored by the C-Suite. This is the only way to ensure they get done.