Who Is

watching out for you?

In today's world you need to understand a few more things...

Who Is

knocking on your virtual front door?

It could be someone down the block or from the Bloc

Bureaucracy is choking our security

image of Curtis Levinson - Security advisor to NATO

27-Sep-2014 - Mitigating attacker’s intent as well as effect

As the USA Cyber Security Advisor to NATO – a volunteer position – Curtis Levinson is tasked with considering the various methods cyber attackers might choose, as well as the locations.  

He’s advancing a new philosophy about business continuity and cyber security. Here’s what he told Securebuzz…


Most organization function are solely separate… they report to separate points and are not coordinated. I believe that to be an extreme error, because of today’s complex world of cyber-attack. While we can manipulate the odds of attack, and we can manipulate the vulnerabilities, the threats are always going to move faster than we can remediate.

In part we’re choked by our own bureaucracy. The bad guys don’t have bureaucracy and can attack at will.

We have budget cycles and discussions and contracts and federal programs that cost billions of dollars. They have none of that and don’t care. They’re already moving and attacking, so we will never ever catch up.

Therefore, if the collective we in North America are willing to be big kids, and admit that no matter what we do at some point cyber-attack is inevitable, it can be avoided. It cannot be prevented.

If we’re willing to admit that, then continuity comes into play. Being able to recover an organization or part of an organization quickly does two things…
1.    It mitigates the effect of the attack
2.    It mitigates the intent of the attacker.

For example, I come up on the street and punch you out, and I expect you to be down on the ground for 10 minutes. If you get up in three, my plans have just changed considerably.

By recovering quickly not only do you mitigate the effect; you also mitigate the intent of the attackers. To do that we need to be able to change the paradigm of continuity and recovery… link them with cyber security… and create a 360-degree defense and response capability.

Right now all we’re doing is defending. Disaster Recovery is the science of smoking hole in the ground.

At the World Conference in Disaster Management we discussed topics that included passive airplanes, HAZMAT, and if we’re building on seismic zones. Yet there are precious few smoking holes in the ground. Which is good.

There needs to be a paradigmal shift in how continuity and cyber defense relate to each other as a discipline. They should be grouped together… not as different parts of the organization.

We – collectively our governments and industries – are going to get hit. We are going to get knocked down, and recovery has to be built into cyber defense and system hardening.

Particularly in this age of cloud based technology. There’s the unanswered question of what cloud really is. And there is no such thing as THE Cloud. There’s your cloud, my cloud, his cloud, her cloud, SaaS, PaaS, and XaaS, which means “pick your own as a service”.

Cloud computing is outsourcing. You rent a portion of somebody else’s. Are you outsourcing responsibility for the risk?

It’s part of the contract organizations need to decide – who’s on the hook for that cloud-based environment? And it’s something we collectively don’t think about.