Win the undeclared cyber war with a military approach

James Gerber, CFO of SimSpace, unpacks why organisations should take a ‘train-to-failure’ approach to prepare for their worst day in cyber, for our Cybersecurity Awareness Month coverage.

We are in an undeclared cyber war. Recent geopolitical unease has ushered in the first hybrid war, incorporating espionage, cyberattacks, and online disinformation alongside the more traditional military onslaught. The Ukraine ministry says it has faced constant attacks against its government and private infrastructure networks. However, the cybersphere has no borders. Without proactive defensive tactics, retrospective cybersecurity remediation is failing: in the GCC area, it has led to a mean time of 349 days to contain a cyberattack.

Cyberattacks are often the weapon of choice for nation-state actors, occurring in a ‘grey zone’ of conflict between peace and outright war. In this atmosphere, protecting Middle Eastern infrastructure and networks is as critical as protecting our airspace and our shores. Ex-NATO general Ben Hodges recently suggested that cybersecurity has become just as important as missile defences.

A cyberattack on critical functions like oil and gas (O&G), energy or finance risks the way of life that we take for granted. The 2021 attack on the US-based Colonial Pipeline resulted in fuel shortages and stockpiling, a canary-in-the-coalmine warning of the potential dangers sown by a ransomware attack. Cybercriminals from nation-state actors and ransomware-as-a-service gangs alike are always probing for vulnerabilities that would allow them to cause chaos and extort money from businesses and government organisations.

Security teams need to develop a military mind-set

Security teams tasked with protecting government and business networks need to see beyond the illusion that the Middle East is immune to the threats often targeting eastern European infrastructure. If there are any weaknesses in their defences, they will be discovered and exploited by the cybercriminals probing day and night for a chink in their armour. Security teams at businesses and critical national infrastructure organisations should be training like the military. That is, they should train as they fight and train to failure, because they are on the front line of an undeclared cyber war which is now transcending geographical boundaries.

The Bin Laden raid back in 2011 was successful because the Navy SEAL operatives rehearsed the mission exhaustively in advance, using like-for-like replicas of Bin Laden’s compound. Operational success can only be achieved when you rehearse in realistic environments and focus not only on the primary plan but also on the backup plan.

Conversely, while the IT community’s focus revolved around uptime and functionality, the defence of these IT operating systems now mirrors urban warfare. Security teams are doing the equivalent of building-to-building street fighting in a city full of people, vehicles, hospitals and other vulnerable infrastructure which they must avoid damaging. There needs to be a mind-set shift to a military-like proactivity, whereby IT security teams are transformed into combat-ready cyber defenders who are trained to withstand even the most sophisticated attacks.

For this reason, more and more governments and organisations are mission-rehearsing for combat with cyberattackers in cyber ranges – high-fidelity replicas of a company’s network, able to be hit with three years’ worth of attacks in just 24 hours. A cyber range is a simulated environment used for cybersecurity training, testing, and research. It is designed to replicate real-world networks and systems, allowing professionals to practise and hone their skills in a safe and controlled environment so they are prepared for the real thing.

A proactive approach to training and preparation

Currently, we are performing inadequately when protecting our critical national infrastructure and our way of life. Despite years of investment, the people, processes and technologies tasked with keeping hackers at bay are unprepared to meet the necessities of modern cyber warfare. Any one of an organisation’s people, processes and technology may not be up to the task, or perhaps the three are not working well in unison. Only by stress testing security systems with combat-like cyber warfare simulations can businesses, such as oil and gas conglomerates, gain visibility into what they are doing well and where they are falling down.

Cyberattacks are forecast to cost the global economy AED38.5 trillion a year by 2025, with the GCC region suffering an average loss of AED25.3 million, as opposed to the global average of AED15.4 million. Most cyberattacks go undetected and those that are identified tend to remain publicly unreported, making accurate estimates of the true cost of cybercrime very difficult. Companies and critical national infrastructure organisations at risk of cyberattack now need to take best practices from the military’s approach to training and readiness and apply a mission rehearsal approach to protecting their critical assets. We have become adept at protecting ourselves on land, at sea and in the air. Now we need to take those approaches to protecting the infrastructure that underpins Middle Eastern prosperity.

Security teams should train as they fight. They should be pushed to train to failure because it is better to fail in training than to fail in a real attack and allow the next Colonial Pipeline attack to occur on their watch.

James Gerber, CFO of SimSpace