The Humble CISO, 2022

Dr. Sybe Izaak Rispens
Dec 30, 2022

Last year, on December 31, I sat down and thought about the past year in cybersecurity. Looking at the devastating supply chain attacks of 2021, I realized that the people working to keep organizations safe could work as hard as they want and even do everything right, and still a supply chain attack may hit them on the head.
To me, diving into the technical details of the Sunburst attack was like gazing into the starry sky on a cold, crisp, clear winter evening: galaxies of cyber attacks and vulnerabilities as far as the eye can see.
That was a profoundly humbling experience.

This year, the war in Ukraine has come on top of this. With nation-state actors entering the cybersecurity domain, the lines between civilian and military targets become more blurred. As a result, our critical IT systems are much more fragile than most people are willing to admit in public.

Once the intention flips from good to evil, the level of sophistication needed for wreaking havoc in cyberspace is frighteningly low… © Maximilian Werner, wernerwerke

In my career, I have had the opportunity to see some of these systems up close in different sectors: in the financial industry, in critical infrastructures, and in clinical healthcare. In none of these sectors would attackers need an outlandish level of sophistication to wreak havoc¹.
Russia has shown that it can cause immense damage to physical critical infrastructures with Iranian-built attack drones called “Shahed.” Shahed drones are one-way guided munitions that know how to do one task with high precision: land on a pre-programmed spot. They are relatively cheap (their manufacturing cost is around 7000 USD) and dumb devices that the Ukrainians derogatorily nicknamed “mopeds” for the monotonous buzzing sound of their engines. Yet so far, they have done the job. Half of the physical components of the Ukrainian electricity and water grid have been destroyed.

With innovative crime-as-a-service players, the world in 2023 will witness adversaries that use tools ranging from unsophisticated scripts to AI-powered attack frameworks; the next version of ChatGPT will most likely be a considerable cyber threat. © Maximilian Werner, wernerwerke

The humbling aspect of all of this is that the sophistication of the drones is low, their individual success rate is low, and still their impact is devastating. Millions of people are left without electricity, water, and heat.
Unlike in the physical world, where the explosion of one drone can do only so much damage, things are different in the highly interconnected world of information technology. One successful attack on one organization can lead to devastating compounding and cascading effects. Two years ago, the European Systemic Risk Board published a report that spelled out one of the eeriest scenarios I know of for the financial sector:

“The prolonged disruption of a significant part of a country’s payment system combined with uncertainty and fake news spreading through social media could trigger large-scale financial instability. In this hypothetical scenario, it is possible to imagine a number of further aggravating circumstances and failing business continuity plans [at Bank X]. A key point to consider is that a loss of confidence in one financial institution may quickly spread to become a general loss of confidence in similar institutions or the financial sector at large. The hypothetical example illustrates how a perceived cyber incident that initially leads to the unavailability of deposits and account information could spiral into liquidity problems for other banks that were initially not affected by the cyber incident but are suffering from the loss of confidence in the financial sector.” ²

Note that in this scenario, the assumption has been that the incident at Bank X was not malicious. But today, a deliberate attack on a bank or a central data center has become much less hypothetical. The likelihood of intentional damage to our digital infrastructures has increased substantially due to the war. And the level of sophistication needed to create large-scale and long-lasting operational disruptions through compounding and cascading events on critical infrastructures is low enough for any nation-state actor.

A profoundly humbling conclusion drawn in a recent study from the National Academies of Sciences, Engineering, and Medicine is that we don’t know how to model such impacts, not even in theory. There is a fundamental lack of understanding and modelling of the interconnectedness of various systems and of the impacts of multiple events on different system components. It is often unclear who has access to data about how systems and infrastructure are connected in the first place. Even if we were able to change this, we would still be light years away from knowing how such models can be incorporated into the engineering and design of critical systems so that our infrastructures become more resilient.³
In light of such facts, I don’t see how anyone in our domain could be overly optimistic, self-confident, arrogant or egotistical. The cyber domain’s complexity, novelty, and unpredictability increase massively every year.
The Shaheds of information security are here.

The digital equivalent of paper airplanes can already pose serious threats to our critical infrastructures. “Resilience engineering” is what organisations need to focus on in 2023 ⁴. © Maximilian Werner, wernerwerke

References

(1) Rispens, Sybe Izaak. “Why we need a normalized scale for attacker sophistication.” Medium, 2021.
(2) European Systemic Risk Board. “Systemic cyber risk.” February 2020, p. 32.
(3) National Academies of Sciences, Engineering, and Medicine. Resilience for Compounding and Cascading Events. Washington, DC: The National Academies Press, 2022.
(4) Hollnagel, Erik; Pariès, Jean; Woods, David D.; Wreathall, John. Resilience Engineering in Practice: A Guidebook (Ashgate Studies in Resilience Engineering). Ashgate Publishing Ltd., 2011.

Dr. Sybe Izaak Rispens

PhD on the foundations of AI, ISO27001 certified IT-Security expert. Information Security Officer at Trade Republic Bank GmbH, Berlin. Views are my own.