
Cybersecurity in the age of asymmetric warfare | An interview with Tim McCreight, chief security officer at The City of Calgary

Co-Written by Robert Brennan Hart and Edward Wilson-Smythe

War is never easy; but, historically speaking, it used to be at least reasonably predictable.

Sovereign forces arrayed against each other played out foreseeable scenarios, and when nations squared off against unorganized opponents, force almost always prevailed. However, when sovereign nations play by the rules of insurgency, or when insurgents amass power and force equivalent to sovereign nations, the world becomes more dangerous and more unpredictable, as we have seen play out in the American and Irish Wars of Independence, the War of 1967, the Vietnam War, the Iranian Hostage Crisis and the wars against Al Qaeda and ISIS.

With the new frontier of warfare moving to the realm of technology, we are faced with a hyper-accelerated variant of these same dynamics, where large state agents act with anarchist zeal to achieve sovereign objectives, and small bands of insurgents have the power to cripple companies and economies with no consideration for size or scale.

This new asymmetric warfare requires new strategies, new rules of engagement, and new tactics for success. Without these in place, companies and economies will face an ever more perilous future where our prosperity and security are subject to the vagaries of enemies both large and small, none of which play by the rules we are used to.

In anticipation of the third chapter of Politik’s Interzone digital gathering in early December, we sat down with one of Canada’s most recognized names in cybersecurity – and Interzone roundtable speaker – Tim McCreight, Acting Chief Security Officer at The City of Calgary and former Chief Information Security Officer at The Government of Alberta.

What practical measures can businesses implement to address the new era of asymmetric cyber warfare?

We live in unprecedented times from a security perspective. Attackers now have so many vectors thanks in no small way to the increase in attack surfaces related to technological innovation. As we embrace digital transformation and find more efficient ways to serve our clients, users, and citizens, we must ensure security risk management is part of our culture.

Along with culture change, let’s recognize that security professionals cannot completely remove the risk of events impacting our organizations. If our organization is targeted as part of an asymmetric cyber campaign, we can’t guarantee we will not be impacted or affected by the attack. Instead, we need to work with our organizations to identify key/critical assets, determine what risks these assets face, and devise risk remediation strategies to reduce the impacts that something like an asymmetric attack can bring to an organization.

Measures we can take today include: maintaining a comprehensive list of information assets, including the supporting infrastructure; documenting who is responsible for these assets from a business perspective; assessing risks facing these assets; and creating resilience plans to address any impacts.

We can also look to layered technical defenses to detect, respond to, and minimize these types of attacks. Ensuring we have encryption for our data at rest and in transit is a good first step. Enforcing multi-factor authentication to resources adds to the access protocols surrounding our IT ecosystem. Leveraging technologies like blockchain to enforce controls over supply chain or integrity checking for machine learning training data are other ways we can continue to reduce risks.

I’m also a big fan of ongoing, relevant, security training. Folks don’t want to endure an hour-long course to simply “check the box.” What if we looked at awareness as our first and most important control surrounding a user’s behavior? How can we grab their attention and drive home the message that we need their help? Can we look at using micro-training courses – two-minute videos on one topic – to reinforce positive behaviors?

Finally, we need to make sure we have response plans in place and focus on resilience. No one wants to be the victim of a motivated adversary, but we need to be realistic. There are so many reasons why we can become the focus of an attacker’s attention. A perceived slight in a social media post. A bad customer service experience. Workforce reductions in the industry vertical the organization operates within. When we become the focus of an attack, we need to have plans already in place to respond.
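One of the measures mentioned above is integrity checking for training data. As an added example that is not part of the interview and not tooling from The City of Calgary, the Python below implements that check with a keyed manifest: a SHA-256 digest per file detects modification, and an HMAC over the digest list (with a key held by the data owner, not stored beside the data) means that someone who can edit the files cannot simply regenerate a matching manifest. The dataset contents, file names and key are constructed for the demo.

```python
import hashlib
import hmac

# Constructed sample "training data": path -> file contents.
# Stands in for a real data directory; nothing here is a real dataset.
SAMPLE_DATASET = {
    "train/labels.csv": b"id,label\n1,cat\n2,dog\n",
    "train/img_0001.bin": bytes(range(256)),
    "train/img_0002.bin": b"\x00" * 64,
}


def _manifest_tag(entries, key):
    """HMAC-SHA256 over a canonical (sorted, tab-separated) rendering of the digest list."""
    canonical = "\n".join(f"{path}\t{digest}" for path, digest in sorted(entries.items()))
    return hmac.new(key, canonical.encode(), hashlib.sha256).hexdigest()


def build_manifest(files, key):
    """Return {"entries": {path: sha256hex}, "tag": hmac_hex} for a dataset snapshot.

    files: dict of path -> bytes; key: secret held by the data owner (constructed in the demo).
    """
    entries = {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}
    return {"entries": entries, "tag": _manifest_tag(entries, key)}


def verify_dataset(files, manifest, key):
    """Compare a dataset against a manifest; return a list of human-readable issues.

    An empty list means the manifest authenticated and every file matched.
    """
    issues = []
    entries = manifest["entries"]
    # Authenticate the manifest first: if the tag fails, the per-file digests cannot be trusted.
    if not hmac.compare_digest(_manifest_tag(entries, key), manifest["tag"]):
        issues.append("manifest: authentication tag mismatch (manifest altered or wrong key)")
        return issues
    for path, expected in sorted(entries.items()):
        if path not in files:
            issues.append(f"{path}: missing")
        elif hashlib.sha256(files[path]).hexdigest() != expected:
            issues.append(f"{path}: content changed")
    for path in sorted(files):
        if path not in entries:
            issues.append(f"{path}: not in manifest (unexpected file)")
    return issues


def demo():
    """Walk through a clean check, a tampered label file, and a forged manifest."""
    key = b"constructed-demo-key-do-not-reuse"
    manifest = build_manifest(SAMPLE_DATASET, key)
    clean = verify_dataset(SAMPLE_DATASET, manifest, key)

    # Poison one label: "cat" becomes "dog". The digest for that file no longer matches.
    tampered = dict(SAMPLE_DATASET)
    tampered["train/labels.csv"] = b"id,label\n1,dog\n2,dog\n"
    poisoned = verify_dataset(tampered, manifest, key)

    # Someone who can write the data but lacks the key rebuilds the manifest with a guess;
    # the verifier rejects it before looking at any file digests.
    forged = build_manifest(tampered, b"guessed-key")
    forged_result = verify_dataset(tampered, forged, key)
    return clean, poisoned, forged_result


if __name__ == "__main__":
    for label, result in zip(("clean", "poisoned", "forged"), demo()):
        print(f"{label}: {result or 'OK'}")
```

The design point is the order of checks: the manifest is authenticated before any file is compared, so a rewritten manifest is reported as such rather than quietly "passing" the poisoned files it describes. In practice the key (or a signing key, if an asymmetric signature replaces the HMAC) lives with the data owner or a CI secret store, and verification runs before each training job reads the data.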

What regulations should governments look at implementing to ensure democracies are more resilient to these kinds of campaigns? Are there pragmatic and meaningful ways to legislate on this issue?

Legislation is always great to have, but not very practical to enforce. We’ve seen how long it takes for most levels of government to develop, implement, and enforce legislation regarding security. There are examples of legislation that hasn’t been updated in a few years, making it difficult to enforce because technology has moved forward at such a rapid pace.

Requiring organizations to be more resilient is a better idea! I’m a fan of making companies, governments, and agencies accountable to their stakeholders and that includes being able to recover from cyber incidents. Developing legislation that requires citizen-facing services to recover from events within a short, pre-defined timeframe is a start.

Requiring organizations to attest to their recovery plans would be another option. One example is how many cloud service providers present third-party attestation of their controls to potential clients. I think there’s a way to create a similar requirement for other organizations to demonstrate their commitment to their stakeholders. If we’re collecting information from our users, it should be our responsibility to protect that data and, if required, demonstrate how we can recover from an incident.

As we navigate through one of the most divisive and polarizing periods in human history, how can people protect themselves against digitally weaponized psychology?

Such a great question! We’ve always faced a diversity of opinions – that’s part of being human. But during these past few years, we’ve seen a change in the language, a hardening of the rhetoric. Watching the recent US election demonstrates this point better than I can articulate.

I have some personal tricks I like to use when faced with conflicting and diametrically opposed viewpoints. I always try to gather information from different sources – online, in person, and through academic research. Taking a degree program later in life really forced me to be objective in my perspective. I had to learn (all over again) the fundamentals of critical reasoning. In the midst of all the noise and bluster from either viewpoint, there is truth. The trick is finding it on your own, not through some media feeding tube.

As citizens, consumers, and employees, we must be objective. We can’t just accept what one social media feed provides – we must seek out other viewpoints. We need to assert the data we’re seeing is coming from a credible source and not just one personal opinion.

This means we have to do our homework! Check out the links you’re receiving and figure out where the data comes from. Is this one person’s perspective, an obscure online blog, or a national news agency? How are the facts being attributed to sources? Is this an opinion or a summary of scientific data? Is it fraud, a spoof, or misinformation? How outrageous are the claims? Is it completely aligned with your own viewpoints? Does that concern you?

We need to recognize we are all targets for misinformation campaigns. Others who want to sway our opinion are assessing our online viewpoints and perspectives. Algorithms and artificial intelligence engines are assessing our online habits and then targeting us with ads, articles, or videos. It’s amazing to see how technology can do this, but also very frightening.

We need to be mindful of this as we express our thoughts and perspectives. Free speech and thought are rights that must be defended by governments, but also by us. We must be active participants, aware of what technology can influence, and apply our own critical reasoning to the data we’re inundated with every day.

###

Tim will be joining Rohit Ghai, CEO of RSA Security and fellow security luminaries Sophie Alcorn, Founder of the Community for Global Innovation; Michelle Dennedy, Former Chief Privacy Officer at Cisco and Intel; Brent Homan, Deputy Commissioner of the Office of the Privacy Commissioner of Canada and Caroline Wong, Chief Strategy Officer at Cobalt on December 2 for the third chapter of Interzone. Register now.