Protecting Data Requires Investing in Imagination
The hardest punch is the one you don’t see coming.
Jack Finney’s science fiction classic Invasion of the Body Snatchers offered a frightening premise. In the novel, aliens in seed vessels descend to Earth, landing in a small California farming community. As the townsfolk sleep, these seeds replicate the earthlings and, by morning, replace them. The only discernible difference between the clones and their host bodies is that the clones lack emotion. In essence, the aliens have stolen the earthlings’ DNA, and the humans never saw it coming.
The idea of this happening is unimaginable—in the case of human bodies at least. However, one company replacing another company’s DNA then killing off the original entity is happening now in the invisible world of cyber.
Data is the DNA within an organization’s “bones,” which means it is possible for a competitor to clone that DNA and use that it in ways never imagined. One key factor in a business’s ability to survive and remain competitive is its leaders’ understanding of data’s true value and the steps they take or do not take to protect this digital DNA.
Organizations need a strategy to defend against the unimaginable by evaluating the assumptions that drive how their data security risk is assigned and valued. By ignoring certain types of risk, companies leave themselves vulnerable to attacks that can wipe them out almost overnight.
While many factors affect the ability to protect against and fend off these types of invasions, one key element is recognizing that the theft of a company’s data has multiple consequences with different levels of danger. Data has more than one value.
Managing cyber risk requires new thinking because it does not follow the same guidelines as traditional risk-management tools that reference past experiences to predict the cost of future incidents. Technology changes faster than an organization’s dynamics and defenses; in cyber, past incidents often bear no connection to new ones that could wipe out a business tomorrow. As a result, an organization’s ability to imagine the unimaginable provides a more realistic risk-assessment model than traditional budgeting for protecting physical property such as a computer or intellectual property such as software design.
Caterpillar Incorporated’s experience serves as an example for potential cyber attacks with unforeseen consequences. The company is a global heavy equipment and construction manufacturer that worked closely with the Chinese government to bring its world-class machines to that market.
While Caterpillar was committed to the business venture, another actor was actively—and quietly—acquiring the company’s intellectual property through reverse engineering and data theft. The offender’s intent was to set up a mirror business: a doppelgänger of the original. The goal was to subvert control over the market by creating a heavy manufacturing business out of thin air, completely displacing Caterpillar by tapping into nation-state level support.
Caterpillar did not imagine that its business could be replaced by a previously unknown threat. However, in this case, the inconceivable was actually quite conceivable.
Unfortunately, what happened at Caterpillar is not an isolated case. A CNBC report indicates some experts believe China continues to steal intellectual property from U.S. defense companies. Years of hacking is one reason China has been able to “narrow the gap” in advanced missiles, drone technology and stealth aircraft, the report notes. Experts also believe industrial espionage helped the Chinese build the J-20 stealth fighter jet, which bears a strong resemblance to the Lockheed Martin F-22. Furthermore, China’s FC-31 Gyrfalcon, a smaller stealth fighter under development, looks a lot like Lockheed’s F-35.
Some cases even demonstrate that a business’s DNA can be cloned and a replica installed in its place not by a foreign invader but by one or more of its own employees. In 2009, Starwood Hotels accused its rival Hilton of stealing thousands of electronic files of luxury hotel plans and luring a team of senior executives to help bring the plans to life.
Organizations need to expand their thinking about how they value information and how that data can be used. These examples lay bare how data is often misvalued and how a capable adversary can steal digital DNA, wreaking havoc on a company.
Much of the thinking about information’s value pertaining to business operations is considered in its present condition, known as present value (PV). However, because data has worth, perhaps the time value of money formula, used in accounting and investing circles, is a better way to look at it. The formula incorporates a present value of the currency, a finite period to be considered for the investment horizon, and a reasonable expectation of return or interest. This creates a future value of the money.
If we accept the idea that data is currency, then we should consider that it will increase in value when combined with the acquisition of new knowledge. Though the time value of money is a good first step in assessing value, cybersecurity demands an even more expansive model that calls for stretching the imagination—something Caterpillar and other organizations did not consider soon enough.
Not integrating imagination into cybersecurity risk formulas is an example of how data is often undervalued. A physical property, such as a product, has an assigned value that can go up or down with demand. But in cybersecurity, you are dealing with issues of space and time, as well as data with multiple values. A different calculation is required when investing in cybersecurity to protect data used for operations as compared to data that can be weaponized by a competitor to assume control of the original company’s share of a market. The people conducting these cyber attacks are not limiting their imagination. Their imagination is their strongest weapon.
Imagination also can be stretched in many ways to predict and play out a number of what might be considered unimaginable situations. Brainstorming sessions, creativity workshops and input from cyber experts who challenge thinking are just a few methods.
Regardless of the approach, the road begins by acknowledging that within every decision lies an assumption—information or an idea we take for granted and treat as true. It is different than a belief or an opinion. Assumptions are neither good nor bad, are part of everyday decision-making and are often subconscious. The more we acknowledge them, the greater the likelihood we can turn them into opportunities that work in our favor.
For example, on a cybersecurity agenda for a board of directors meeting, one starting point of discussion was “Are we doing enough?” But in cybersecurity, “doing enough” assumes the same quantifiable parameters as “Did we budget enough for salaries to compete for the best talent?” or “Have we spent enough time analyzing the information to make the right decisions?” These are good questions, but focusing on “enough” assumes there are finite numbers when dealing with cybersecurity. It is the difference between looking at the universe that has a beginning and an end versus considering the universe as infinite and then reconciling what that means. The latter viewpoint allows for a shift in perspective.
The true value of data requires rethinking how it is utilized in ways not easily imagined. To accomplish this, organizations must acknowledge the assumptions around who is most qualified to identify potential attacks. A great place to start is by rejecting the notion that cyber experts are the go-to people in identifying potential cyber attacks.
For example, a common assumption is that the chief security officer and chief information officer are the sole accountable parties for bringing cybersecurity issues to the attention of the organization. Although these leaders and experts are important, they are only part of the overall equation for a strong cyber defense.
Each employee is a source of ideas. Each knows the day-to-day details and responsibilities the job entails. The operations team will look at the problem from the viewpoint of processes and distribution. The human resources department might consider moral issues or the repercussions of releasing personal data. Even the mailroom will have a viewpoint that the CEO and board of directors would never imagine.
Given permission to imagine the worst, employees will provide diverse scenarios that lead to a more comprehensive evaluation of their company’s data. Gathering these insights can be accomplished by asking them a series of questions, including “What is the worst possible thing that could happen to your business unit?”
Organizations must provide guidelines and processes in this exercise to make the analysis of these black-swan scenarios more manageable; otherwise, too many ideas can create organizational paralysis. There are many innovative ways to do this. One example includes forming an independent panel that represents the divisional diversity of the organization and having this panel review the collective scenarios and make recommendations.
All of us are in the cyberspace ring whether we like it or not. In cybersecurity, we must admit that traditional ways of thinking do not always apply, especially around valuing data that affects an overall cyber budget. And, when it comes to thinking differently, talent, IQ and cyber experience need to be balanced with an imagination that allows one to see the punch before it hits, not after.
Andy Cohen is a thought leader in cybersecurity, an author at The New York Times, a contributor to The Cyber Defense Review, and a TEDx and Google Talk speaker. Maj. James Twist, USA, is a published academic author and research scientist at the Army Cyber Institute. His focuses are cyber threat intelligence, offensive cyberspace operations, and critical infrastructure. The views expressed are those of the authors and do not represent the official position of the U.S. Military Academy, the U.S. Army, nor the Department of Defense.