Introduction: Setting the Global Stage for Cyber Resilience

We worried for decades about WMDs – weapons of mass destruction. Now it is time to worry about a new kind of WMDs – weapons of mass disruption.

–John Mariotti

Tuesday, May 1, 2035

Something was not right.

As Julie stood by the front door of her parents' home in Park Ridge, Illinois, her A-ride (slang for autonomous transportation) was nowhere in sight. She was going to be late for work. “My new boss is going to be furious,” she inwardly panicked.

This was the one day a month that she actually was required to be downtown for a team meeting, and her 7:15 a.m. FastUber pickup (with nonstop express service to the Chicago Loop) was nowhere to be found. And FastUbers are never late.

“Miranda – where is my ride? What's going on? Where are all the cars?”

Strange, no response from her automated assistant, which usually answered her questions before she even finished her sentences. Julie momentarily thought about her grandmother as she peered angrily at the small speaker over her glasses. She briefly smiled when she thought about how she nicknamed her personal assistant Miranda, in memory of her grandmother.

“Now I'm pissed! I even paid extra for express today.” As Julie noticed that both the children across the street and Mr. Stevens next door were also waiting for their rides, she realized something else must be happening. A new emotion overcame her – fear.

Julie went back in the house and shouted at the wall. “NEWS!”

A holographic image of CNN lit up the room, showing two reporters standing under a chyron reading: “BREAKING NEWS.” An artificial intelligence voice announced: “Widespread impact is simultaneously hitting global airports, Wall Street firms, international banks, the London Underground, Australian ports, and thousands of educational learning centers.”

Julie posed her question to the hologram: “Do you believe this may be a nation-state attack?”

A reporter standing in front of New York's One World Trade Center responded: “That's certainly a likely possibility. Mass transit has stopped, banks are down, some cities are experiencing power outages, hospitals are on emergency generators, school technology is down, universities have canceled classes, and, most shocking of all – trading floors from London to New York to Chicago are now closed.

“Hold on a moment, please, we are receiving word that the president of the United States has just declared a Nationwide Cyber Emergency, under the authority of the Cyber Disruption Act of 2028.”

A NEW SENSE OF CYBER URGENCY

While this 2035 Mayday scenario is just fiction, the bombardment of daily security incidents is beyond eye-opening in real life. With the ongoing digital transformation, which accelerated even faster in diverse areas of society and every corner of the globe during the COVID-19 pandemic, the impact of cyber emergency incidents has been felt from hospitals to high schools, from elections to electric grids, from main street retailers to Wall Street bankers, and from small-town PTA meetings to United Nations Security Council meetings.

The following quotes are very real, coming after an unprecedented barrage of cyberattacks hit global governments and businesses in 2020 and 2021:

  • President Joe Biden: “We've elevated the status of cyber issues within our government,” President Biden said in a national security speech at the State Department. “We are launching an urgent initiative to improve our capability, readiness, and resilience in cyberspace.”1
  • U.S. Federal Reserve Chairman Jerome Powell, asked by host Scott Pelley in a 60 Minutes interview, “When we talk about cyber risk, what kind of scenarios are we looking at?” responded: “All different kinds. I mean, there are scenarios in which a large payment utility, for example, breaks down and the payment system can't work. Payments can't be completed. There are scenarios in which a large financial institution would lose the ability to track the payments that it's making and things like that. Things like that where you would have a part of the financial system come to a halt, or perhaps even a broad part.”

    Powell continued: “And so we spend so much time and energy and money guarding against these things. There are cyber attacks every day on all major institutions now. And the government is working hard on that. So are all the private sector companies. There's a lot of effort going in to deal with those threats. That's a big part of the threat picture in today's world.”

    Pelley: “How have we gotten away with not having a disaster like that?”

    Powell: “You know, I don't want to jinx us. I would just say we've worked very hard at it. A lot of us have worked very hard at this and invested a lot of time and money and thought. And worked collaboratively [sic] with our allies and with other government agencies. But there's never a feeling at any time that you've done enough or that you feel safe.”2

  • FireEye CEO Kevin Mandia during U.S. Senate testimony on the Solarwinds breach: “Early in our investigation, we uncovered some tell-tale signs that the attackers were likely working for and trained by a foreign intelligence service. We were able to discover and identify these signs in reliance upon our catalog of the trace evidence of thousands of computer intrusion investigations conducted over the last 17 years. We record the digital fingerprints of every investigation we have undertaken with great rigor and discipline, and we are often able to use this catalog of evidence in order to attribute the threat actors in many of the incidents we respond to.

    “Based on the knowledge gained through our years of experience responding to cyber incidents, we concluded that we were witnessing an attack by a nation with top-tier offensive capabilities. This attack was different from the multitude of incidents to which we have responded throughout the years. The attackers tailored their capabilities specifically to target and attack our company (and their other victims). They operated clandestinely, using methods that counter security tools and forensic examination. They also operated with both constraint and focus, targeting specific information and specific people, as if following collection requirements. They did not perform actions that were indiscriminate, and they did not appear to go on ‘fishing expeditions.’

    “Such focused targeting, combined with the novel combination of techniques not witnessed by us or our partners in the past, contributed to our conclusion that this was a foreign intelligence actor. Therefore, on December 8, 2020, we publicly disclosed that we were attacked by a highly sophisticated threat actor – one whose discipline, operational security, and techniques led us to believe it was a state-sponsored attack utilizing novel techniques… .”3

  • Microsoft president Brad Smith: “The Russians did not just want to get inside the houses of the victims. They wanted to find the most interesting valuables, which to them meant reading, examining, and in some cases taking data and information. Just as they used many ways to initially attack their victims and open a back door, they also used a variety of ways to compromise identity.

    “It is important to understand this aspect of the attack: Unlike some attacks that take advantage of vulnerabilities in software, this attack was based on finding and stealing the privileges, certificates, tokens or other keys within on-premises networks (which together is referred to as ‘identity’) that would provide access to information in the same way the owner would access it. This approach was made much easier in networks where basic cybersecurity hygiene was not being observed – that is, where the keys to the safe and the car were left out in the open.”4

  • SolarWinds CEO Sudhakar Ramakrishna: “We believe that the entire software industry should be concerned about the nation state attack as the methodologies and approaches that the threat actor(s) used can be replicated to impact software and hardware products from any company, and these are not SolarWinds-specific vulnerabilities.

    “To this end, we are sharing our findings with the broader community of vendors, partners, and users so that together, we ensure the safety of our environments.”5

  • Federal chief information security officer Christopher J. DeRusha: “We are at a crossroads for the nation's cybersecurity. The SolarWinds incident exposed gaps in our cybersecurity capabilities and risk management programs, not just in the federal government, but in some of the most mature and well-resourced companies in the world. This event should serve as both a wakeup call and a galvanizing opportunity for the federal government and industry to come together and tackle these threats with renewed resolve. This collaboration is critical, as private-sector entities have primary responsibility for the defense and security of their networks. The government must communicate threat assessments to inform private-sector security operations and ensure common situational awareness.

    “This incident comes amid a series of aggressive and high-profile attacks on federal systems, attempted theft of the data used to develop the COVID-19 vaccines, ransomware attacks on U.S. hospitals, and new technology and security challenges that arose with the rapid shift to remote work. These myriad challenges underscore the importance and urgency of modernizing federal IT and strengthening U.S. cybersecurity capabilities.”6

  • U.S. Senator Ben Sasse (R-Neb.) after a critical U.S. fuel pipeline system was shut down by a cyberattack in early May 2021: “There's obviously much still to learn about how this attack happened, but we can be sure of two things: This is a play that will be run again, and we're not adequately prepared. If Congress is serious about an infrastructure package, at front and center should be the hardening of these critical sectors.”
  • Australian prime minister Scott Morrison: “Based on advice provided to me by our cyber experts, Australian organizations are currently being targeted by a sophisticated state-based cyber actor.

    “This activity is targeting Australian organizations across a range of sectors, including all levels of government, industry, political organizations, education, health, central service providers, and operators of other critical infrastructure.”7

A PEEK BEHIND THE CURTAINS, AND THE MAKING OF CYBER MAYDAY AND THE DAY AFTER

So why did we write this book?

First, we are passionate about cybersecurity. We love to share true stories and cybersecurity challenges and solutions in numerous ways, including our books, blogs, magazine articles, social media, global speeches, podcasts, and more.

Second, we believe that our unique backgrounds, experiences, and cultures offer a powerful combination of award-winning cybersecurity leadership experiences, partnerships, and stories. This book is intended for a global audience; in addition to a rich resource of insights brought in from around the world, Dan brings a U.S. perspective, while Shamane lives in Australia and works extensively throughout the Asia-Pacific region.

Third, this is a vital topic for the world at this time. The earlier quotes make that abundantly clear.

Fourth, other materials on this cyber topic tend to cover cyber incident response, cybersecurity emergency planning, cyber exercises, and related people/process/technology materials from one of two approaches. Some take an academic approach and offer checklists and detailed frameworks, such as walking the reader through the implementation of the five-function NIST Cybersecurity Framework: identify, protect, detect, respond, and recover. Other materials offer ad hoc stories and fun facts about statistics and costs associated with data breaches, ransomware, and a long list of other security incidents.

While we reference many of these works at the end of the book and point readers to helpful resources throughout, our goals are to bring cyber incident response and the associated planning, response, and recovery to life with true stories that offer compelling lessons and provide practical, actionable advice from leading global technology and security leaders and business executives who have been through the storm. We want to provide CxOs, directors, managers, technology professionals, and frontline business people with the tools they need to prepare for inevitable security incidents.

Bottom line, we offer powerful stories that motivate, along with cyber plans and free resources with practical steps that can be taken from small businesses to large enterprises in the public and private sectors. The goal: cyber resilience that will prepare your team and get you through most cybersecurity challenges you will likely face.

THE THREE-PART BREAKDOWN

The book is presented in three parts: Part I: A Leader's Guide to Preparing for the Inevitable; Part II: Cyber Mayday: When the Alarm Goes Off; and Part III: The Day After: Recovering from Cyber Emergencies.

Part I presents the gift of a time machine, seeking hindsight from top industry leaders around the globe and things we can do differently before having to go through any cyber emergencies. We cover playbooks from cyber disruption to risk transfer options, and explore the power of “perfect practice.” We also unpack a handbook specifically for leaders at the top, and the keys of proactive leadership.

Part II is when Cyber Mayday hits! We walk through real-life cyber emergency incidents and what actually happens when the alarm goes off. In that split second when the virtual walls are crumbling down, what are the most important steps to take and where to go? Who are the players you should be working with in times of crisis and immense pressure? And, in the midst of your Mayday, what can go right?

The chapters in Part III address critical issues when you finally have some breathing space. This is the opportune time to be intentional and reflect on what went wrong, how to recover, and how to level up in your strategy.

This comprehensive exploration of tales, woes, and lessons of leaders is a gift of hindsight and insights, which will enable and position current and next-generation business leaders with the required foresight to continue leading at the frontline. We hope you gain lots of invaluable takeaways from your time spent with us; enjoy.

NOTES

  1. President Joe Biden speech, quoted in Maggie Miller, “Biden: US Taking ‘Urgent’ Steps to Improve Cybersecurity,” The Hill, February 4, 2021, https://thehill.com/policy/cybersecurity/537436-biden-says-administration-launching-urgent-initiative-to-improve-nations.
  2. “Jerome Powell: Full 2021 60 Minutes Interview Transcript,” 60 Minutes, April 11, 2021, https://www.cbsnews.com/news/jerome-powell-full-2021-60-minutes-interview-transcript/.
  3. “Prepared Statement of Kevin Mandia, CEO of FireEye, Inc. before the United States Senate Select Committee on Intelligence,” February 23, 2021, https://www.intelligence.senate.gov/sites/default/files/documents/os-kmandia-022321.pdf.
  4. “Testimony of Microsoft President Brad Smith before the United States Senate Select Committee on Intelligence,” February 23, 2021, https://www.intelligence.senate.gov/sites/default/files/documents/os-bsmith-022321.pdf.
  5. “Written Testimony of Sudhakar Ramakrishna, Chief Executive Office, SolarWinds Inc. before the United States Senate Select Committee on Intelligence,” February 23, 2021, https://www.intelligence.senate.gov/sites/default/files/documents/os-sramakrishna-022321.pdf.
  6. “Testimony of the Federal Chief Information Security Officer Christopher J. DeRusha, United States Senate Homeland Security and Governmental Affairs,” March 18, 2021, https://www.hsgac.senate.gov/imo/media/doc/Testimony-DeRusha-2021-03-18.pdf.
  7. Gloria Gonzalez, Ben Lefebvre, and Eric Geller, “‘Jugular’ of the U.S. Fuel Pipeline System Shuts Down after Cyberattack,” Politico, May 8, 2021, https://www.politico.com/news/2021/05/08/colonial-pipeline-cyber-attack-485984.