Here's what I’m reading this week:
Security, Not Just Deterrence: While we don’t exactly need another object lesson in why deterrence by itself is an insufficient strategy for reducing network conflict, #NotPetya certainly offered us one last week and this week. Massive attention was paid to the ransomware epidemic, and there was widespread speculation (with a striking degree of circumstantial evidence to back it up) that it was in fact the work of Russian operatives.
But there has been essentially no indication of any type of pressure or consequences being imposed in response. We’ve said for years that deterrence is hard because attribution is hard, but that misses the point in a critical way. Deterrence is hard on the network for many reasons, but one of them is that certainty on the network is hard, and if you can’t be certain who acted or certain what effect your response will have, you most often end up paralyzed.
This is why we need to be focusing as much on operating proactively – making breaches themselves more difficult – as we do on operating reactively.
Ukraine’s Place in Expanding Global Cyber Conflict: Over the past few weeks, many people have focused on Ukraine as the newest flashpoint in the expanding networked conflict between Russia and the West. This position on the border is of course nothing new for Ukraine – its geography has placed it squarely between these two worlds for centuries. But it’s also being used as a testing ground for new networked threats – targeting the power grid; weaponizing software updates. This makes it essential that we understand that even though it feels far away from New York, Chicago, or San Francisco, the tools tested there can be deployed across the Atlantic in a matter of days or minutes. It may feel far away, but increasingly it isn’t.
The speakers at last month’s Global Cybersecurity Summit in Kiev experienced firsthand a tiny microcosm of the active targeting the entire country is experiencing (more here). But if you weren’t there, today’s Lawfare post by members of the Army Cyber Institute describing their recent time on the ground in Ukraine might be the next best thing. It discusses recent targeting of Ukraine and how the country is responding to these latest challenges, and offers some insight into what may be to come.
- Wired weighs in on the threat of weaponized software updates, one of the most troubling – although still under-reported – aspects of #NotPetya.
- Getting the board to care about cybersecurity is an ongoing challenge for CISOs everywhere. CFR had a helpful reflection on why this is so hard and what you can do about it.