In my last post, “Calling All CEOs”, I reviewed the nature of the cyber threat, which is an organized, often well-funded, effort to systematically damage our economy or our nation directly by exploiting information imbalances to create an asymmetric threat that, according to Defense Secretary Panetta, will cause “panic, destruction, and even loss of life.”
In order to understand the solution to the problem, it is important first to focus on the root cause of the threat: the information imbalance that lets organized actors seeking to do us harm understand and exploit our weaknesses, i.e. create an asymmetric threat. Notice what I did not say—I did not say that this is a technology problem, or one where we simply need to spend more, or buy better technology. If the problem is information, the solution is information.
And to those of you who do not believe this, I will point you to 9/11, where the private sector spent a significant amount on technology for security in airports, and the “technology” the enemy used was utility knives (or perhaps even box cutters), coupled with extensive information about our system of air travel. Al Qaeda was able to gain an information advantage, which they turned into an asymmetric threat, with very rudimentary “technology”. That is the nature of the threat we face, even in the cyber domain, because the technology that is used to attack us is often rudimentary and very available (the utility knives of the cyber world), and the private sector must address, in the cyber domain, the same root cause that 9/11 exposed, or risk facing the same consequences.
While the threats are different, the challenges for the public and private sector are the same—reduce information imbalances that can lead to disruptive or asymmetric threats. So if the solution is information, what does that really mean? It means that the private sector needs to realize that it is facing an information-based problem, created by a well-organized foe, and it must organize to combat it. The way to do that is to implement information governance solutions that reduce the information imbalances that exist, and also increase information sharing.
Information Superiority
The reason this problem is really a governance problem is that the senior executives in private companies typically have no idea what information or systems their company has that are truly sensitive or important, and there are inherent barriers to information sharing in any organization. Information is typically kept in stove-piped verticals that often do not talk to each other, and information imbalances inherently result. This is what helps to create the environment in which organized actors can exploit the cyber domain, but, as will be discussed in future posts, it also creates business issues for the private sector.
The good news for the private sector is that the public sector has already had to try to address these issues post-9/11. While there isn’t a “plug-and-play” solution from the public sector, the private sector can learn from, and adapt, some of the doctrines and governance methodologies that the public sector has created to help deny our enemies an information advantage, and break down information verticals that create risk. The first doctrine the private sector must try to utilize is Information Superiority.
The Department of Defense defines Information Superiority as “A relative state achieved when a competitive advantage is derived from the ability to exploit an ‘Information Advantage’”, and as “The ability to develop and use information while denying an adversary the same capability.” Under DoD doctrine, an “Information Advantage” is achieved when one competitor outperforms its competitors in the information domain. In order to implement Information Superiority, according to the DoD, technical and behavioral modifications to how data is collected and processed were required, so that information could drive value for the DoD. It is important to note that technology was viewed as enabling Information Superiority, but it was not the center of the doctrine, which illustrates that Information Superiority is focused on the governance of information, not on the technology that enables its use.
The private sector must implement Information Superiority by making superior use of information: getting the right information, to the right executives, at the right time. Doing so will help companies achieve a variety of goals, including:
- Avoiding the next 9/11;
- Increasing profit for businesses;
- Reducing costs;
- Optimizing risks;
- Reducing the industrial espionage threat; and
- Reducing brand damage.
The focus of these posts to date has been on the first point, but as noted above, implementing Information Superiority will also help companies achieve a variety of other goals that are core to business. There are four key steps that the private sector must take in order to implement Information Superiority.
The first step companies must take to implement Information Superiority, and reduce the chances of an exploitable information imbalance, is to understand what information they have. Most companies do not completely understand what information they have, including what information is critical to their business. By creating an information inventory, particularly of systems holding critical information, private companies can begin to understand what information they have, and where it resides.
The second step companies must take is to create a governance structure that includes key senior stakeholders from departments that are relevant to governing information. This can include IT, HR, Privacy, Audit, Legal, Treasury, Security, and others. This governance structure will enable companies to better understand the results of the information audit, and hopefully help each department understand what information exists, with the goal of having the key stakeholders better understand how information can be effectively utilized for executive decision-making, including to increase cyber security.
The third step companies must take is to create a framework that classifies the company’s information based upon sensitivity. Again, the public sector has some tools that can be instructive for the private sector. The intelligence community utilizes an information classification system that bases controls, security, and use of the information upon information sensitivity; the categories, with their general descriptions, are listed below.
- Top Secret: Information, the unauthorized disclosure of which reasonably could be expected to cause exceptionally grave damage to the national security that the original classification authority is able to identify or describe.
- Secret: Information, the unauthorized disclosure of which reasonably could be expected to cause serious damage to the national security that the original classification authority is able to identify or describe.
- Confidential: Information, the unauthorized disclosure of which reasonably could be expected to cause damage to the national security that the original classification authority is able to identify or describe.
- Unclassified.
While the descriptions the private sector should use are different, data classification is a key issue. The private sector should modify the terminology used and create a structure that focuses on sensitivity—both to the business and to consumers. I have previously written extensively on data classification, arguing that proportionality is central to privacy, and I created a modified version of the intelligence community’s data classification system called “Privacy 3.0—The Principle of Proportionality”, which used tiers labeled:
- highly sensitive;
- sensitive;
- slightly sensitive; and
- non-sensitive.
The private sector should utilize this structure for individuals’ data, to focus appropriate privacy protections, but it is even more applicable in the Information Superiority structure for business data, as it will help your company understand what information it has, and what systems are critical, so that focused effort can be made to reduce a potential information imbalance that can be exploited by an organized adversary. The Lares Institute has done ground-breaking research on consumer perceptions of data sensitivity, which can serve as a guide on the privacy issues, but this does not define sensitivity for business data, which can vary widely between companies. The governance structure can help guide your business in understanding how business information should be categorized, and this is a key early step in the information governance program.
The fourth step companies must take is to make systematic behavioral changes to how information is collected and processed, so that information is appropriately shared with key stakeholders, both internal and external. The Information Governance structure that I recommend companies put in place must play a key role in changing behavior and encouraging horizontal information sharing. Horizontal information sharing is the sharing of information across departments or organizations. It is customer service sharing complaints with the engineering department so that issues are resolved in products. It is the engineering department sharing solutions with customer service to improve customer satisfaction. It is also, for the public sector, different agencies sharing intelligence to prevent the next 9/11.
And that really illustrates a final key point—the public and private sector face the same issue, and need to work together to solve it. Whether it is the engineering and customer service divisions in a private company, or the CIA and FBI, information gathering and sharing are critical issues that must be addressed to deny our adversaries the information advantage they seek to gain. While much of this post has been about increasing information sharing in the private sector, the fact remains that we still face an organized, often state-sponsored, threat on the other side. As recognized by the Obama Administration when it issued Executive Order 13549:
The need to share actionable, timely, and relevant classified information among Federal, State, Local, Tribal, and Private Sector (SLTPS) partners in support of homeland security is self-evident.
The way to do that is for the public and private sector to create structures, and share doctrines, such as Information Superiority, that facilitate this sharing, and increase our homeland security by working to eliminate the information advantage our enemies seek to exploit. Solving this problem will not be easy, and it will take time and resources, but there are resources that can assist. By drawing on the experience of its Advisory Board, the Lares Institute fuses the experience of the public and private sector together to help create doctrines to facilitate information sharing, provide a forum to facilitate a public-private sector dialogue, and help the private sector implement structures and governance that will reduce information imbalances and promote business goals.
Through systematic and focused effort, coupled with the adoption of better information governance (Information Superiority) and sharing, we can address this threat, but to defeat an organized threat, we must organize our efforts, or we will fail to protect ourselves as we should.