People, Process and Technology: Learn from traditional warfare strategies to fight cyberwarfare

Poster used by British Army in First World War

By Nisa Vithana

An ancient Chinese military general Sun Tzu, in his book ‘The art of War’ recites that, “The supreme art of war is to subdue the enemy without fighting”. This recital couldn’t have more relevance in today’s cyberworld. In almost every ancient war involved, a general commanded his troops through a signalling process. Alexander the Great was famous in riding on his horse around the battle field instructing officers to change tactics, whereas the Romans directed battles from a nearby place and used trumpets and flags to signal simple commands. African tribes used ‘talking drums’ and Native Americans used smoke signals. During the French revolutionary wars, Napoleon Bonaparte had a sophisticated flag signalling system, called Semaphore.

However, the primary communication method used by almost all of them were ‘Runners’, a young fast-moving human courier who had a good memory and the lay of the land. Runners would be dispatched secretly with a verbal or written message to be delivered to the troops in the field. As the runners were sometimes captured by the enemy and tortured for the message, later Europeans moved to using flying courier animals such as pigeons with coded messages tied to them. 

 

The Great War was all about people and process

Historical warfare is all about people, trust and processes. When the war came in 1914, Britain used a direct and personal appeal to the recruitment process. Men felt proud at the prospect of fighting for their country and queued to join the army. Posters, personal letters, meetings and speeches were delivered by military spokesmen to encourage and empower more people to volunteer. Having trust in your troops increased commitment, communication and productivity. This helped Britain to win the First World War in 1918.

 

What is cyberwarfare

Today’s security threats have become more complex and treacherous. The internet has many benefits. It is as convenient, exciting, and lucrative as it is dangerous and dark. As the technology progresses, so too are cyber criminals with an intention to create destruction and exploit for self-profit. The extensive development in technology is affecting every industry, challenging owners of legacy systems to determine if the impacts are positive or negative to the organisation’s environment. Cyberwarfare is becoming increasingly common, as hackers using computer code and viruses can conduct a digital attack on the enemy’s infrastructure from anywhere in the world. 

Technology doesn’t operate independently. People use and manage technology according to a pre-defined process. Technology used by an organisation’s employees or cybercriminals are all man made. So, why it is hard to foresee? And how do you begin to build trust?

 

You can be the next victim

Although you may not realise it, every day we wake up to a battlespace with the context of computers, online control systems and networks operated and managed by people. Cyberattacks hit businesses every day and while some companies know that they’ve been hacked, the vast majority are blissfully unaware they are headed for ruin. According to a Cisco Annual report, the volume of hacking events between January 2016 and Oct 2017 has seen a fourfold increase. Just like normal warfare, the impact of cyberattacks can also vary by target and severity. Some attackers can gain access to computer systems and take control over a country’s critical infrastructure. 

Imagine they get control over power grids, airport control systems, stock markets or banking systems to name a few, and create massive destruction to a country’s peace and harmony. Hackers armed with computer malware and other tools to break in to systems are just as dangerous as armed troops with guns and missiles. However, unlike traditional military manoeuvres, cyberwar can be waged from anywhere, anytime and be extremely hard to trace back, making retribution difficult and not without its own risks as well.

 

The Information Technology Service Management Framework needs a facelift

There are many military strategies and time-tested techniques which can be applied to today’s cyberwarfare. The holistic business intelligence triangle, People, Process and Technology is often used as a framework in Information Technology Service Management. 

Imagine you install a state-of-the art fire alarm system in your company. This new system will automatically connect with the local fire department, hospital and police allowing them to dispatch emergency services without delay. You have the process documented and retrofit to match the technology. Then you inform your staff to follow the process you’ve already defined. As per the process, in case of a fire in the building they must immediately escape via emergency exits linked to stairways. Suddenly one of your staff members points out that you do not have emergency stair ways in the building. What would you do? This sounds familiar in countless technology companies. In modern technology society we try to solve problems in backward fashion. We pick the technology, define the process and then try get people on board to work on it. This is one major reason that many technologies fail to deliver business value. 

In today’s context, the above people, process and technology framework needs to be modernised. It is not a cycle anymore, but a power game. The framework can be defined as follows depending on the importance of each element. A better order would be; ‘People-process-technology’.

 

Why ‘people’ are the most important element in managing security

Tactics mean nothing without an organised, motivated, creative and responsive army. Learning from the ancient military leaders, people are the key to win any battle. You need to identify the issue before you implement any technology advancement. Your organisation’s information security management is not just the IT department’s responsibility anymore. It is a business issue and everyone has a role to play. You need a collective mission to accomplish a common goal. Give people enough power to make their own decisions. 

The ability to move and make decisions faster could save you from extensive damage. Ensure your employees are properly trained on the key information security risks. You must invest in a sustainable security culture. Educate them and ensure they stay up-to date with the current industry best practices. Food for thought: Diverse teams could bring more creativity and innovation to your organisation.

If you segment your employees in to independent groups, they can be more creative and efficient. Keep motivating them, understand their personal interests and link them towards a worthy cause that everyone will want to fight for. This is where communication matters. People need to understand the process clearly and concisely, as they will be operating and managing technology.

On the other hand, hackers are also a segment of people who are usually motivated by personal gain. They can launch a cyberwar at the least expected time. They will find gaps in your defences and attack you. 

According to warfare strategy you can weaken your opponent’s support base by making them appear evil and visible. So next time when you come under an attack, identify your best line of defence and make a formation to fight. At the end, reward and recognise those people who do the right thing for security.

 

Effective implementation of your security strategies are based on processes

As technology evolves, the risks become more complicated and rapid. Therefore, you need processes to adapt for transformed cyber threats. Processes describe how things are done and hinge on clear articulation of cyberattack visualisation. It can mitigate the risks to security management systems. It could define the organisation’s activities, roles, policies and documentation. A process includes four major mission commands; Planning, preparing, executing and evaluating. It needs periodical reviews and audits to make sure it’s working effectively and aligns with the common business goal.

For an example; most companies collect and process large amounts of customer information on a regular basis. If you do not have an information system management process, your employees may not know where to record, how to process and why it is important to secure all the data they associate with on a day to day basis. They might unintentionally transfer sensitive information to a third party without your consent, as they do not know the value of the information they hold. This is where you need a clearly define records management process.

However, processes aren’t anything without the right people to manage. It’s everyone’s responsibility to follow the correct process as it’s defined.

 

Technology can reduce the impact of a cyberattack

When you’re equipped with the right people and right processes, it makes it a lot easier to find the right technology. Technology is crucial when it comes to cyberwarfare. There are number of suppliers with sophisticated cybersecurity tools. Most importantly you need to remember that your attackers might have access to similar technological capabilities in this fast-paced world.

Today’s internet of things (IoT) have more data points tracked and more points to enter in to systems. Hackers can develop technology to gain full control of your system in seconds without notifying you in advance. To address some of these issues, computer scientists have developed Artificial Intelligence (AI) to detect and analyse high risk incidents and deploy real time solutions instantly according to your developed processes.

 

Make your ‘first line of defence’ is the ‘best line of defence’.

In conventional warfare, when you don’t have people with the right mindset on the battlefield, there’s no use in having the best weapons and best tactics. When the war advanced, the battlefield expanded from land to the sea and air. As technology developed, the battles started engaging in cyberspace between hackers and cybersecurity professionals.  

The Information Technology officer in your organisation must have adopted the best tools and technology to keep your computer system safe from attackers. They may have installed firewalls, anti-virus protection, encryption algorithms, security policies and might be doing regular inspections to identify potential threats. However, a gifted social engineer can break through all the above and gain access to your system and steal your valuable assets. Cybersecurity is far broader and a more challenging issue. A hacker will exploit your weakest link, not through firewalls, not by hacking in to your encryption or coding system but, people, your employees. 

Uninformed people are the weakest security link, not technology. Your technology and processes aren’t effective if you encourage stupidity and gullibility in your organisation. This is where you need a professional cybersecurity consultant to asses and identify risk areas in your organisation’s infrastructure. When your primary business isn’t security, you need professionals to take care of these most important areas, the same way you consult the best-known health care professional to deal with your health issues.

(The writeris the Regional Head of South East Asia and serves in the board of directors for Met Defence Labs a cybersecurity service provider in the UK and Sri Lanka. She also volunteers as the Programme Director for SHe CISO Exec., global training platform for Cybersecurity | Leadership & Women Empowerment. She is a passionate individual with diverse experience and skills and keen on innovation and technology that matters and committed to protect data and privacy of all concerned. She is a lover of exploring and learning new skills.Connect with Nisa on LinkedIn: https://www.linkedin.com/in/nisavithana.)