By Richard Bejtlich, Director of Incident Response, General Electric
Last month, I posted a story called “Reaction to Cyber Shockwave” on my TaoSecurity Blog. Cyber Shockwave was a real-time simulation of a U.S. National Security Council meeting, where former government, military and national security officials acted as the NSC principals (National Security Advisor, Director of National Intelligence, Attorney General, and so on). The participants dealt with a malware outbreak that disrupted telecommunications and critical infrastructure. CNN recorded and then broadcast the event. Overall my reaction was positive, yet online commentary was mixed at best. What was the disconnect? The answer, strangely enough, involves the title of this BT Blog — “Secure Thinking.”
Please forgive me as I share some professional history. I am a former U.S. Air Force military intelligence officer. One of the programs that prepared me for that role involved a graduate degree at the Harvard Kennedy School, then known as the Kennedy School of Government. As a candidate in the Master of Public Policy (MPP) program, I interacted with students, faculty and guests who were former, current or aspiring public servants. These included other military officers, members of Congress and their staffs, lobbyists, non-government organizations (NGOs), and others involved with developing and delivering public policy. All of them brought unique points of view to the national security and domestic policy debates at HKS.
What does this have to do with secure thinking and Cyber Shockwave? The reason I found the event fascinating had nothing to do with the realism of the scenario or the accuracy of the technical details. I found Cyber Shockwave intriguing because it taught me how high-level officials think. I consider knowing how a person thinks to be one of the most important factors in any professional relationship. When you know how a person thinks, you can tailor your message to make an impact.
As I watched Cyber Shockwave, the participants revealed how they think about digital incidents. For example, the simulated Secretary of Defense assured the simulated National Security Advisor that the nation’s nuclear weapons and command-and-control were secure. That is so very important, but if he hadn’t made that statement, I would never have considered it in the context of this scenario.
One of the President’s simulated advisors advocated deploying the National Guard in order to maintain the peace and assure citizens that the government was still in charge of the country. Again, I would not have imagined that recommendation during a digital incident. Some simulated advisors advocated taking action despite lack of Presidential or Constitutional authority, while the simulated Attorney General said she would not be bullied into “signing an order” because her name had to appear on it. All of these vignettes revealed very important aspects of policy-making at the national level.
For me, the lesson of Cyber Shockwave is to first determine how your leaders think, then recommend policy actions. In the realm of digital security, this requires identifying what priorities your management places on digital security. With a better understanding of their thought process, you can tailor your message to match their strengths, weaknesses, hopes, fears, and biases. Please note this does not mean “learning to speak the language of the business.” Trying to shoehorn digital security problems into “return on investment” or “value at risk” formulas is a recipe for disaster. Rather, determine how your listener is likely to receive your message, and make sure that he or she hears what you want to convey.
Richard Bejtlich is Director of Incident Response for General Electric, and serves as Principal Technologist for GE’s Global Infrastructure Services division. Richard is a graduate of Harvard University and the United States Air Force Academy. He wrote “The Tao of Network Security Monitoring” and “Extrusion Detection,” and co-authored “Real Digital Forensics.” He also writes for his blog (taosecurity.blogspot.com) and TechTarget.com, and teaches for Black Hat.