Search Results

The question “How do I assess our cyber risk?” addresses how to identify and characterize cyber risk unique to an organization’s critical systems, networks, and data. The chapter begins with a case study about a cyberattack on Ukraine’s electric grid. It details risk assessment for three types of critical systems: mission-critical systems, business-critical systems, and safety-critical systems. It explains the three types of networks critical to many organizations: business and administrative networks, operational and service delivery networks, and communication networks. In outlining the “CIA triad,” it shows how cyber risk can be characterized as a confidentiality, integrity, or availability issue relating to digital assets. Further, it describes how to assess the importance of different digital assets and how to prioritize them using a business impact analysis (BIA). The chapter concludes with real-world Embedded Endurance strategy lessons Rosenbach gained in Saudi Arabia in the wake of one of the world’s most destructive cyberattacks.

The question “Why is cyber risk an issue?” pinpoints the leadership challenge that cyber risk poses. The chapter begins with a WannaCry case study that demonstrates how cyberattacks can impact every aspect of organizations given the pervasive nature of digital systems. The chapter describes how leadership must address cyber risk by analyzing the organization’s unique threats, its vulnerabilities, and the impact an attack can have on the organization. It describes how mitigation measures minimize cyber vulnerabilities and maximize an organization’s ability to respond to cyberattacks. It emphasizes that leadership must strategically manage cyber risk through carefully selected mitigations. This chapter introduces how an Embedded Endurance cyber risk strategy offers a systems-level approach to mitigating cyber risk by addressing interdependent components of the organization’s risk and preparing for the inevitability of cyber threats over the long term, and details real-world Embedded Endurance cyber risk strategy experiences.

The question “Who is attacking us?” explains cyber threat actors and their motivations for attacking organizations. The chapter begins with a Colonial Pipeline case study that describes the ransomware attack against the U.S. fuel pipeline, a cyberattack on critical U.S. infrastructure. The chapter explains different types of cyberattacks, including social engineering, denial of service, advance persistent threats, brute force attacks, and artificial intelligence attacks. Further, the chapter details the suite of threat actors who launch cyberattacks, including lone hackers, hacktivists, petty criminals, organized criminals, professional criminals, and nation-states. Finally, the chapter describes the importance of sectoral threat intelligence, including Information Sharing and Analysis Centers (ISACs), and types of threats to specific sectors, including finance, healthcare, manufacturing, education, power and utilities, and retail. The chapter concludes with Embedded Endurance strategy lessons from Falco’s experience addressing these issues at NASA’s Jet Propulsion Laboratory.

Advances in undersea technology have made the seabed more accessible to human activity, both civilian and military. All states may emplace military installations and structures on the seabed beyond the territorial sea of other nations for purposes other than exploitation of economic resources. The placement of nuclear weapons and other weapons of mass destruction on the seabed is prohibited by the Seabed Nuclear Arms, although it does not prohibit the use of nuclear weapons in the water column provided they are not affixed to the seabed. Also, the emplacement of sensors and conventional weapons on the ocean floor, like the U.S. Hydra Distributed Undersea Network and Upward Falling Payloads, is not prohibited. The importance of the undersea cable network for both civilian and military communications cannot be overemphasized, but this network remains vulnerable. In peacetime, submarine cables are protected by several international treaties. But in times of armed conflict, belligerents can degrade, damage, or sever submarine cables, or use them to launch cyberattacks. However, attacks on the network could have third-order effects beyond belligerents, affecting neutral states.

The United States has one of the world’s strongest and most sophisticated capabilities to launch cyberattacks against adversaries. How does the US Constitution allocate power to use that capability? And what does that allocation tell us about appropriate executive-legislative branch arrangements for setting and implementing cyber strategy? This chapter offers a way to think about the constitutional distribution of powers between the president and Congress governing the use of US cyberattack capabilities. It argues that as a conceptual and doctrinal matter, cyberattacks alone are rarely exercises of war powers—and they might never be. They are often instead best understood as exercises of other, non-war military powers, foreign affairs powers, intelligence powers, and foreign commerce powers, among other constitutional powers not yet articulated. Additionally, it argues that a rush to treat cyberattacks as implicating war powers misguides criticisms about the role Congress is or is not playing in regulating cyberattacks.

When a state suffers an internationally wrongful act at the hands of another state, international law allows the injured state to respond in a variety of ways. Depending on the nature, scope, and severity of the initial wrongful act, lawful responses can range from a demand for reparations in response to a low-level violation to a forcible act of self-defense in response to an armed attack. Countermeasures offer an additional way for a state to respond to an internationally wrongful act. Countermeasures are acts that would in general be considered internationally wrongful but are justified to address the wrongdoing state’s original international law violation. As states increasingly employ cyber tools to commit hostile acts against their adversaries, countermeasures are poised to play a growing role in interstate relations. This chapter explores the role that countermeasures can play in the US cyber strategy known as Defend Forward.