Crisis management is something most businesses understand. However, these same businesses find that their crisis-management procedures fall short when a major “cyber incident” occurs. For example, albeit extreme, a colleague mentions the company he works for — at the time of their “incident” — had nothing in place to prepare for a congressional inquiry.
With 2014 being a banner year for cyber incidents, and expectations for 2015 being more of the same, my colleague suggests, if it’s been a while, those responsible for managing crises may want to look at the company’s crisis-management procedures as today’s circumstances are different.
Michel Herzog, security researcher at ETH Zurich’s Center for Security Studies, has given this subject much thought, presenting his findings last month at the Swiss Cyber Storm security conference. The title of his talk was Incident and Crisis Management in the Context of Cyber Risk. Herzog acknowledges in the talk’s introduction that cybersecurity strategies are becoming common, a good thing. However, there’s a catch. “They’re (strategies) proving difficult to implement and enforce, writes Herzog. “In this respect, some of the most pressing concerns are associated with key cybersecurity aspects like terminology, attribution and perspective.”
Regarding terminology, Herzog acknowledges three business-operating states: normal, emergency, and crisis. Normal operation is self-explanatory — hopefully. Herzog differentiates between an emergency and a crisis:
● Emergencies are situations that can be handled via business-continuity procedures in the private domain or in the case of the state and public sector, the emergency and security services.
● Crises result from unfolding dilemmas and events. Insufficient capabilities often mean extraordinary measures are required to deal with uncertainties and unstable conditions.
If an emergency escalates into a crisis — something Herzog warns about — one reason for the escalation revolves around information. “A lack of quality and reliable information complicates a decision-maker’s ability to respond to events in an appropriate and timely manner, writes Herzog. “Slower response times risk increased financial costs and a loss of public trust; and mounting pressure from the media, civil society, and other stakeholders. In severe cases, this can cause profound reputational damage.”
As to attribution, Herzog lists the following groups as potential sources:
● States: Organizations with substantial capabilities and a wide range of interests
● Hacktivists/cyber fighters: Heterogeneous group with motivation, goals, and ideological support
● Cybercriminals: Engaging in criminal activities in cyberspace with the goal of gaining profit
● Corporations: Significant cyber capabilities and clandestine activities to further their agenda
● Cyber terrorists: Potentially harming national security and society
● Internal actors/employees: Diverse activities, with main issue being whether intent is malicious or not
While discussing this subject with Herzog via email, he suggests. “It is often impossible to attribute a cyber incident to a specific actor (at least, in an acceptable time frame); this can lead to a cyber incident getting out of control and becoming a full-blown crisis for a company (or government).”
Herzog then cautions, “If a state engages in cyber espionage, it will be very difficult to point out who was behind the operation. The same goes for companies spying on other companies. However, hacktivists will likely claim responsibility for their action.”
Crisis and a cyber crisis, the difference
Lastly, Herzog takes on perspective. He feels it is common for business management to view a “cyber crisis” as a regular crisis with a “cyber component.” An error my colleague’s company made. That presumption, according to Herzog, leads those managing the situation to use “process-oriented” (prioritize how things are done) solutions instead of “scenario-driven” (focus on greatest uncertainty) fixes, which aggravate the problem instead of resolving it. Herzog offers the following reasons. Process-oriented solutions:
● Fail to address the need for increased stakeholder coordination and cooperation between the public and private sphere in the cyber domain, and the centrality of information systems in modern society
● Overlook that stakeholders might not share the same goals and priorities when dealing with a “cyber crisis”
● Miss that confidentiality and integrity are compromised as well as information availability.
● Do not take into consideration that a cyber crisis is more dynamic than a conventional crisis
● Do not account for a cyber-incident’s lack of attribution
Solutions strategies, according to Herzog, should include:
● Establishment of collaboration networks as a way to share what works and what doesn’t when handling a cyber crisis.
● Creation of a common terminology: otherwise misperception and confusion will give the attackers a serious advantage.
● Assurances that the crisis-management procedures used reflect the cyber crisis.
● All departments, including public relations and legal support.
Herzog said, “Cyber incidents are a bit like a bar brawl – you might have a pretty good idea who started it, but you will never be absolutely sure.” This adds emphasis to what can be perceived as the most important element of a solution strategy — that of enhancing an organization’s intelligence and investigative capabilities.