Opinion Stress-testing security is the only way to be sure it works. Until then, the worst security looks much the same as the best. As events in Ukraine show, leaving the stress-testing of assumptions until a threat is actually attacking is expensively useless.
Yet if an untested solution is no solution at all, the problem becomes how you define an adequate test. In security, that means how far do your responsibilities go?
There has been no shortage of attacks on Ukrainian IT over the past few weeks, with new and nasty malware and DDoS ramping up. Any more widespread aggression will follow the same model.
We may be about to find out together. As of the time of writing, the horrific aggression against Ukraine hadn’t spilled out as cyber-attacks beyond the territory.
It would be folly to bet on that continuing, especially as sanctions start to hurt and isolation freezes around Russia: commercial interests, personal data and national infrastructures around the world will all be legitimate targets.
That much is clear from the newly decloaked Putin. By way of justifying the invasion, he made a speech saying that Ukraine is not a country, that the West is an evil empire and that Russia’s security concerns are paramount. This thinking lets him give himself licence to pursue attacks on anyone and anything online.
A man prepared to commit two-thirds of his armed forces to invade a democratic neighbour in the face of universal revulsion is not going to have qualms about lashing out at anything within reach on the internet.
What defence is available? Red-team testing your cyber-resilience is one thing. Dealing with the successor to the Red Army is quite another. There has been no shortage of attacks on Ukrainian IT over the past few weeks, with new and nasty malware and DDoS ramping up. Any more widespread aggression will follow the same model. On that assumption, the Western intelligence agencies have started issuing warnings that the attacks are likely to extend worldwide.
Take the Canadian government’s Centre for Cyber Security, which issued a post-invasion update for national infrastructure operators that is typical of the coordinated advice coming from intelligence agencies: Be prepared to isolate mission-critical systems from networks. Patch. Monitor. Make sure all staff are focused on detecting threats. And monitor alerts from CISA.
Expect a lot more of that sort of advice over the days to come, including much aimed at all sectors of business and private citizens. It will seem tiresomely familiar to security professionals, but that doesn’t make it wrong, especially in the face of a new aggressor with nation-state capabilities and not much to lose. Complacency is not in fashion.
If that’s not enough to shake up your thinking, put yourself in the shoes of Ukrainian data techs and security ops. Beyond the unthinkable realities of surviving war, they have the extra responsibilities of how to safeguard systems and information so that they can’t be used by the invader. Dictators love data, it gives them control over economies and people. That’s a reasonable concern if you’re looking at a future where you and those around you have ceased being citizens and become suspects.
Unthinkable, yes, except it’s happening in a modern European democracy right now. While it’s still unlikely that data centres in Swindon or San Francisco are going to be staffed by Spetsnaz any time soon, if the data is safe from physical compromise then it’s doubly so from virtual. There are some laws even the lawless can’t ignore – those of the mathematics behind encryption – and they’ll protect your data in flight and at rest, if you let them. Key management. Audited policies. You know the drill.
There should be posters on office walls: Best Practice Saves Lives. If you’re not behaving as if your livelihood, even your life, depends on this, you’re not stressing enough.
As to where responsibilities end, that’s trickier. History, that academically sanctified hindsight, will decide on the details, but Putin’s Ukrainian adventure will be seen as a failure of politics to protect security. This is decades of small decisions, each of which felt wrong to many but none of which was big enough to provoke a corrective reaction.
We can do better in that part of security entrusted to technology, because for many that’s the daily job. Not only can we de-hype the rhetoric and test it against reality, we have to.
Time and again, the politicians attack data security that works, such as strong encryption, but even when as most recently that’s wrapped up in distraction – such as age verification to protect minors – the alarm bells ring. That’s an important part of security professionalism, to raise your voice when something is wrong, no matter what the arena.
It doesn’t take a Ukraine for those who understand data security to make the connection between deliberately weakening safety and increasing danger for individuals and organisations. Yet the bitter reality of Europe at war should drive the point home: we cannot afford to abandon any protection, to take as granted any assumption. The stress-test will come whether we like it or not, and our responsibility to be as prepared as possible is absolute. ®