Cyber Warfare Is The Last Competitive Advantage No One Sees & Why SolarWinds Is The Wakeup Call No One Heard. – Forbes

Posted: July 7, 2021 at 2:51 pm

SolarWinds Orion Platform, a scalable infrastructure monitoring and management platform designed to simplify IT administration, recently fell victim to Russian hackers. STAR MAX File Photo: A SolarWinds logo shot off an iPhone. Photo by: STRF/STAR MAX/IPx 2020 12/24/20

Afghanistan was not the US's longest war. Not even close. We've been at cyberwar for half a century and we're losing. Globally, the US is losing, and the homeland is far from safe. Hell, why not just hack a municipality for a few hundred k? It's easy. There's no cybersecurity strategy good enough to win a cyberwar. Sure, everyone talks a good game, but the very structure of American businesses (and others around the globe) makes it nearly impossible to, for example, deliberately and significantly reduce EBITDA to prepare for cyber warfare.

It's Sometimes Horrible to Be Right

I predicted this:

The number and severity of cyberattacks will explode in 2020. Cyberwarfare has now leveled the playing field in industry, in government, and in national defense: why spend ten or fifteen billion dollars on an aircraft carrier when you can disable it digitally? Why spend billions on new product R&D when you can hack into your competition's strategic plans? Why not just phish around municipalities for a quick $100K? Cyberwarfare is a cost-effective solution to all sorts of problems and opportunities: cyberwarfare is a revenue stream, a new business model, digital transformation with its own unique flavor, but regardless of inexplicably unheeded warnings, (it's) much worse than it's ever been. Why? Simply because it's the cheapest, easiest, fastest and most effective form of warfare we've ever seen, and because cyberwarfare defenses are more vulnerable than they've ever been.

Tom Steinkopf, writing here, offered more predictions:

Hello, Is Anyone There?

So why do long lists of valid threats go unheeded and under-funded? As I've reported here frequently, years ago, I assessed a huge enterprise's vulnerability to cyberattacks. When my team finished its assessment, the results were downright scary. When I took the results to the CFO (to whom technology weirdly reported), his only question was, "what's all this going to cost me?", which of course was the wrong question.

Cyberwarfare is also inevitable because governments are reluctant to police themselves. Listen to what Andy Greenberg, writing in Wired Magazine in 2019, said about why governments have been unwilling to deal with cyberthreats:

More fundamentally, governments haven't been willing to sign on to cyberwar limitation agreements because they don't want to limit their own freedom to launch cyberattacks at their enemies. America may be vulnerable to crippling cyberattacks carried out by its foes, but US leaders are still hesitant to hamstring America's own NSA and Cyber Command, who are likely the most talented and well-resourced hackers in the world.

As usual, the US is the best, but in this case, it isn't. First, as Nicole Perlroth suggests, there's the hubris:

The hubris of American exceptionalism, a myth of global superiority laid bare in America's pandemic death toll, is what got us here. We thought we could outsmart our enemies. More hacking, more offense, not better defense, was our answer to an increasingly virtual world order, even as we made ourselves more vulnerable, hooking up water treatment facilities, railways, thermostats and insulin pumps to the web, at a rate of 127 new devices per second.

But way back in 2016, Paul D. Shinkman suggested that America Is Losing the Cyber War:

Russia, China, Iran and North Korea routinely launch cyberattacks on civilian areas, hacking private companies or undermining foreign militaries, using online tools to manipulate information or digital propaganda to shape others' opinions, and employing digital mercenaries to do the work.

The Chinese military stole U.S. plans to the technically sophisticated F-35 Joint Strike Fighter, allowing Beijing to create the copycat J-31. Hackers with connections to the Iranian government were charged earlier this year for attacks on U.S. banks and a dam in New York. North Korean operatives released a trove of damaging emails from Sony as the entertainment company planned to release a comedy with an unflattering portrayal of the country's leader. And Russia is widely suspected in a hack of the Democratic National Committee that could amount to a bid to undermine the integrity of the upcoming U.S. election ... the U.S., as of right now, is not fully prepared to match incidents like these.

John Donnelly and Gopal Ratnam, reporting for CQ-Roll Call, believe the US is Woefully Unprepared for Cyber-Warfare:

This inadequate attention is manifest in how infrequently U.S. leaders talk about cyber issues. On congressional defense committees, cyber is essentially an afterthought compared to weapons hardware and military pay and benefits. In the Senate Armed Services press release in May on its fiscal 2020 authorization bill, cyber was barely mentioned at the end.

Likewise, Bayer and his team found a dearth of cyber references in Navy leaders' speeches and a scarcity of cyber-related events on their calendars.

"You wouldn't even know that cyber is a Top 20 problem," he says.

Measured in dollars, cyber also does not stack up. Unclassified cyber spending across the federal government in fiscal 2020 budget request totals just over $17 billion, considerably more than it was a few short years ago, but that is only a bit more than 2% of the roughly $750 billion annual national defense budget.

Is Cyber Warfare the Last Competitive Advantage & Risk?

You bet it is. There's not a government or company on the planet that can ignore cyberwarfare and cybersecurity. Everyone must develop both offensive and defensive cyber capabilities. Competitiveness depends upon digital security on every level. Without security, governments and companies cannot operate. Public companies are especially vulnerable because they have shareholders and (sometimes) responsible Boards of Directors looking after the shareholders. Not to mention the entire US infrastructure: whenever a break occurs, it's treated like a Black Swan event, not a pattern or a predictor of things to come. No, just an isolated event to which a response is uniquely crafted.

Even 60 Minutes thinks SolarWinds was a big deal. On Sunday, July 4, 2021, 60 Minutes examined the SolarWinds breach of government systems. The segment felt like a voice crying in the wilderness. As a professional in the field of business technology, I was stunned to hear descriptions of how the attack occurred and how trusted systems management software was used to breach and infect thousands of computers and the networks on which they run. But what stunned me the most was when one of the experts said the only way to guarantee that the virus is completely gone is to replace all of the computers it touched. I was immediately reminded of the CFO's question: "what's this all going to cost me?" But then I remembered another axiom: "pay me now or pay me later." Common sense? Obviously. Commonly shared sense? Not even close. If the SolarWinds breach is not enough to see massive increases in cybersecurity spending and fundamental changes in preparation and response protocols, there's nothing that will move CFOs to open their wallets or C-Suiters to about-face in spite of how many times they assure their shareholders and customers that everything is under control (when it's clearly not).

What's It Going to Take?

Cyber warfare and cybersecurity are human challenges. Not in the traditional definition of human, but in the human inability to proactively deal with most anything. Individuals abuse their health even though they know they will pay later. Companies underinvest in infrastructure even though they know eventually they will have to pay later. How many times do floods occur in exactly the same place? Or why public transportation isn't there? Or why hospital beds, ventilators, masks and toilet paper can't be found when we need them most? Or why crisis management is an oxymoron? I wrote about that too:

How many companies prepare for cyberbreaches, infrastructure failures, terrorist events, environment problems, sexual harassment lawsuits, product safety recalls, social media attacks, regulatory surprises and talent shortages, among lots of other events that everyone knows will occur? Yes, this costs money, but it's cheaper to prepare than react in a state of chaos. Everyone knows that, right? Then why do so few companies invest in the inevitable? Companies should work from anticipatory playbooks, not reactionary debates over Zoom, Webex, Skype and Teams. But do they? Hardly any.

Way back in 2003, Mitroff and Alpaslan described a 20-year study about crisis preparedness:

For most of the two decades, crisis-prepared companies were in a small minority: between 5% and 25% of the Fortune 500 companies at most. In other words, at best, 75% of companies are not equipped to manage an unfamiliar crisis. At worst, 95% are unprepared, which, of course, is extremely worrying.

Much more recently, Butler, Menkes and Michel suggest:

Whether the original crisis is self-inflicted or caused by external events, lack of preparation almost always makes the outcome much worse. And only one in 10 companies is prepared ... only one in five companies had ever simulated what a crisis might look like, four in 10 had no plan at all, and 53 percent of companies struck by crisis did not regain their previous share price.

Worse:

Many executives at even well-managed companies secretly believe that they can work their way out of a crisis when the time comes without having a plan beforehand.As a result, they treat crisis preparation as a less-than-useful scenario-planning exercise that, if it must, can be conducted sporadically.

All this suggests there's no cybersecurity strategy good enough to win a cyberwar. Sure, everyone talks a good game, but the very structure of American businesses (and others around the globe) makes it nearly impossible to, for example, deliberately and significantly reduce EBITDA to prepare for cyber warfare. Only Congress can spend money, trillions of dollars, to prepare for wars the country will never fight. That's because the government has no shareholders or Boards of Directors, just lobbyists. Companies simply cannot, even if they actually have the money, invest heavily preparing for crises whose occurrence is uncertain and infrequent, even if the crises are crippling. Once crises occur, of course, there's always money to fight the competition, the government and hackers, Russian and otherwise. CEOs love to talk about how effectively they're managing the crisis at hand, while shockingly no one ever asks why they didn't avoid the crisis in the first place or prepare adequately for the crisis before it arrived.

Another reason why 60 Minutes stories like SolarWinds are only interesting is that individual leaders almost always seek immediate tactical gratification, seldom long-term strategic success. That's because corporate leaders too often optimize personal gratification over long-term corporate health, since in all likelihood the leader will be gone in the long term. It's the same reason why newly public company C-Suiters dump stock shortly after their IPO lockups expire. Personal rewards within the control of corporate leaders are usually maximized over long-term corporate rewards (which may have something to do with Gordon Gekko's famous "greed is good" advice).

If, on the other hand, corporate boards and shareholders insist that management invest in cybersecurity and cyber warfare, regardless of the impact on profitability or prices, things could change, but only if the insistence is both positively and negatively incentivized: boards would have to pay C-Suiters to do the right thing or remove them if they failed to do what they ask. That's the wakeup call they would take. Until then, we can expect more devastating cyberwars, more denials about who's to blame and more grandstanding about how well the wars are being managed. All that is also all too predictable.
