For movie lovers, Phil Alden Robinson’s 2002 adaptation of Tom Clancy’s 1991 novel, The Sum of All Fears, remains a must-see. Starring Ben Affleck as Clancy’s “mythic” CIA analyst Jack Ryan, who manages at the last minute to avert a Third World War between the USA and Russia, it shows well how insider threats, lack of trust, mistakes, inappropriate decisions, obsolete strategies and wrong intel can lead to the worst disaster when a major crisis strikes the system.
We recalled the crisis imagined by Clancy because we personally lived through two historical events which could have been catastrophically managed. The first one was the second Russian putsch attempt, in 1993. While we stayed home on October 2nd and 3rd, when gunfights around the parliament and the TV tower made up to 2,000 casualties, on the very day of the assault on the Parliament, October 4th, we were able to take the subway and go to work at the Historical Museum, located on Red Square! Our father being then deputy Ambassador of Switzerland, our flat was located in one of the enormous buildings built by the Soviet Union to host Western diplomats, right next to one of the most strategic points of Moscow: the “Three Stations” square, where you find both the three most crowded railway stations (Yaroslavsky, Kazansky and Leningradsky) and the most crowded subway station, “Komsomolskaya”. In a period when daily security and political power were at their worst, the impressive security system and its perfectly oiled organization left us absolutely speechless. Besides snipers on the stations’ roofs, and tanks and armored vehicles belonging respectively to the Kantemirovskaya and Tamanskaya elite divisions, the square and the accesses to the subway had multiple checkpoints run by ordinary militsiya officers (policemen), guns in their holsters, under the strict orders of elite units of the Alpha group and other Spetsnaz special forces. Checkpoints were fluid, the self-control of the elite troops helping greatly to calm down the visible nervousness of the policemen, and trains ran, as usual, every 50 seconds. At no time would Tom Clancy’s scenario have been possible, as it had been during the first putsch (1991), the vertical of power of all military and intelligence forces being secured and loyal to both Presidents despite their extreme unpopularity within the whole military and “deep state”.
The second historical moment we lived through was in Amman, when the Al Qaeda bombs exploded right during an archaeological congress we co-directed, on November 9th, 2005. After a day of curfew, we drove to visit several places outside the capital. Not a single sign of nervousness at any of the military checkpoints we crossed every five kilometers. Only one soldier, in the background, had his finger on the trigger; the commanders and the other soldiers did not.
Those two events show well that if the core of the security system (here, the State’s) is humanly prepared to face the worst, i.e. an insider enemy, as in Russia, or an outsider enemy, as in Jordan, there is no place for panic or nervousness, and hence no chance for chaos.
This long “non-cyber” parenthesis was necessary because our digital world is vulnerable mainly through its weakest link, the human, and through the consequences of wrong management and of decisions taken by boards as well as CEOs. In this sense, in many European countries, mostly the “Latin” ones (Italy, France, Romania, Spain, Portugal), 2018 is the worst year for the strengthening of cyber-resilience in decades. Sadly, it is a consequence of a poorly explained and poorly understood adaptation of businesses to the new EU regulation on personal data protection (GDPR). This rule obliged companies to invest massively, their boards being terrified by the prospect of being found guilty of a leak and fined up to 4 % of their yearly turnover.
The consequences of taking data protection out of a complete global resilience and security strategy, due to a total lack of security culture at all levels of business decision-making, are tragic. We witnessed it in the most concrete way possible when we recently visited the headquarters of the Romanian branch of one of the world’s major telco companies. There, we read with no astonishment the list of departments by floor posted beside the elevator. 28 out of 30 floors had offices allocated according to the usual “pyramid of power” so typical of our liberal world: the open-office zones with all the lower-paid employees occupied the lower floors, then each floor gathered the more ‘important’ departments of the company, and the whole culminated on the 28th floor with the “office of the CEO“. Up to that point, everything normal. Yet what was, and now is in all companies, above the CEO, like a sword of Damocles? The almighty “compliance department“, settled on the two top floors, the 29th and 30th, with a beautiful view over all of Bucharest.
The problem, as far as GDPR is concerned, is that all the over-paid paper-pushers generated by this rule are, in the companies’ books, filed under the chapter “security”. Meaning, for a manager, that security is now a very expensive chapter of the business plan and, without an understanding of the broader threat context, new investments in this field are, as we heard from the mouths of not a few European CEOs, “out of the question this year and in the next ones“.
The conclusion drawn by several specialists in Italy and France is that not a few companies, victims of unscrupulous consultants, have just built a very expensive “data vault” in the desert, in the heart of an obsolete cyber-security system unable to face constantly mutating threats and the astonishing, daily-growing skills and capacities (human and technological) of cyber-criminals.
In countries with a more consolidated security background, like Luxembourg, the U.K. or Germany, not to mention Switzerland, cyber-security investments are a little lower than in previous years, but they are constant and have as a clear target to beef up the business’s resilience at a regular pace. In those countries, nobody forgot that, last year, some companies lost much more than 4 % as a consequence of the global attacks nicknamed “WannaCry” and “GoldenEye“.
For this reason, while designing the concept of the 6th UN-endorsed “Cybersecurity-Romania” macro-regional congress, which will take place in Sibiu on September 13th and 14th, we decided to offer decision-makers of any kind of business the opportunity to understand and interact with some of the main actors of two resilient-by-design sectors: transport and energy critical infrastructures.
As a matter of fact, these are domains of activity where a breach can have tragic if not deadly consequences. Yet, while facing exactly the same problems and threats as any other business, their constant focus on security meant that GDPR, for instance, was not an issue. For most of them, data protection, no matter which data we are speaking about, is an obligation within a much broader perimeter of defense.
The air transport sector will be of particular interest to decision-makers, as airlines are now responsible for collecting all of a passenger’s data, from personal data to financial data and, for a few years now, passport data. Was it a problem? No. Their organization model has always been built on well-defined “silos” which interact only when needed and only with the third party concerned.
Companies in charge of the production or transit of energy, without direct contact with the end-user, faced challenges in protecting the personal data of their own staff, and in what is one of the core problems of today’s security: the necessary convergence of all kinds of security (physical, digital and logical), so as to ensure that new IoT devices will not endanger the ecosystem or, for instance, to prohibit the use of 4G technologies in critical departments.
In brief, in these two sectors defense is the core of the business, everybody knowing well the famous 2012 quote of former FBI director Robert Mueller: “There are only two types of companies: those that have been hacked, and those that will be“, cynically reformulated at WEF Davos 2015 by Cisco’s CEO, John Chambers: “There are two types of companies: those who have been hacked, and those who don’t yet know they have been hacked“.
To be hacked, GDPR or not, is not a shame if a company did everything possible to build a state-of-the-art resilience and security defense. It turns into a major problem, with huge losses of credibility and hence long-term business losses, if the first crisis is caused by a known attack type bypassing an obsolete security system and is then dealt with amateurishly.
The specially designed war-games made by BeST for both sectors will be performed at Sibiu in real time under the guidance of their creator, Dotan Sagi. In an impressive speech he delivered recently, as a specialist in this field, he pointed out that the most catastrophic part of the war-games he has led, up to the level of the Israeli government, was not the communication between different actors. It is… the total lack of trust between CEOs, departments and employees within a single company. When immersed in such a realistic situation and obliged to answer to third parties, the human antagonisms at the very heart of the company can even overcome any sense of duty and rationality, turning a “simple” crisis into a major one, the “sum of all fears“.
Examining in detail the whole security system of a company, analyzing every strong and weak point and taking the necessary cultural, human and technical measures should be a compulsory yearly task for a board and a CEO. But for that, they first need to know what the threat landscape is made of, and then, being able to make the right choices, to create a culture of security in their company. Full-stack security is not an expense; it is the only investment that can ensure business continuity and prosperity.
By Laurent Chrzanovski