What does the corporate world bring to cyber warfare? I asked this question in a conference setting surrounded by military types and, to my stunned amazement, listened to twenty minutes on how the corporate world has no place in cyber warfare. War is an inherent government task, and corporations have no part in this ultimate act of governance. This despite the fact that contractors outnumber government employees in all the halls of government, and that there are supposedly as many (or more) contractors on the ground as there are soldiers in two different wars. Why the scathing reply? One reason would be the preponderance of intelligence types who glaringly protect their turf from others. The other reason is that government types don’t understand corporate types, and that gulf is vast. When senior government types move into the private sector they move into special preserves of think tanks or corporate gigs that rarely reflect the reasoned world of corporate profit and loss statements. Cyber warfare is important to a few constituencies in the corporate world.
Beyond the common realm of cyber crime, and entering the path of conflict between nations and non-state actors, the corporate interest in some cases supersedes that of the government. It was and has been common practice in the use of kinetic weapons to bomb the factories and transportation hubs of countries even where those targets are owned by private entities. Disrupting and degrading the capability of a nation is inherently integrated with the destruction of private property. Corporations during the last two world wars rarely took up arms, but in the last few decades they have expanded their intelligence gathering networks and their ability to protect themselves. If on the one hand the cyber warfare meme is one of low intensity conflict, and on the other hand erosion of the nation state is actually occurring, then it is not without support that a corporate multi-national might take an active stance against attack.
We’re going to pass on an in-depth discussion of United States law and the concepts of corporate personhood (assumption of civil rights) and the inherent right to protect yourself, balanced against the laws forbidding the use of computers in nefarious ways. It is simply outside the scope of this discussion: it is a larger topic, and more importantly we are in this case talking about multi-national corporations. We know that corporations exist as private military contractors, and that they have corporate clients for personnel and infrastructure protection. The question then becomes: could we ever (if we haven’t already) end up with corporate cyber warfare?
There are suggestions that corporate espionage does occur. There have been a few reported cases of companies gaining secrets from each other and then suing or bringing patent claims over that kind of espionage. In a shrinking market could we find corporations using this kind of attack more often? If this does occur, what kind of risks do the corporations end up taking? Securing systems against attack is the primary mitigation strategy. The use, though, of internal trusted entities who use systems exactly as they are expected to be used is very hard to protect against. Watermarking and other forms of traitor tracing can assist in capturing or identifying individuals, but their utility is primarily in the investigation after the exploit. There are tools that can protect against exploits, and there are strategies that will help (like only hiring perfect people).
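The traitor-tracing idea mentioned above is easiest to see in code. The following is an added example, not code from the original essay: each recipient of an internal document gets a copy carrying an invisible per-recipient mark (a recipient index plus a truncated HMAC tag under an issuer-held key), and when a copy turns up where it should not, the mark is read back and matched against the recipient registry. The issuer key, the sample document, the recipient names and the zero-width-space carrier are all constructed for the example; a production scheme would use a sturdier carrier than whitespace, which copy-and-paste and reformatting can strip.

```python
import hashlib
import hmac
from typing import Dict, List, Optional

ZWSP = "\u200b"      # carrier for a 1 bit: an invisible zero-width space after a normal space
INDEX_BITS = 4       # recipient index, up to 16 copies (toy scale)
TAG_BITS = 12        # truncated HMAC over the index, bound to the issuer's secret key
CODE_BITS = INDEX_BITS + TAG_BITS

# Constructed values: a hypothetical issuer key and a hypothetical internal document.
ISSUER_KEY = b"constructed-example-key-not-for-reuse"
SAMPLE_DOC = ("Q3 pricing draft for the new supplier contract is attached and "
              "must not leave the negotiating team before the board approves it")

# Hypothetical recipient registry. Indices are chosen so every pair differs in at least
# two index bits, which keeps a single damaged carrier from pointing at the wrong person.
RECIPIENTS: Dict[int, str] = {0: "alice", 3: "bob", 5: "carol", 6: "dave"}


def codeword(index: int, key: bytes) -> List[int]:
    """Bits (MSB first) of index || HMAC-SHA256(key, index) truncated to TAG_BITS."""
    if not 0 <= index < 2 ** INDEX_BITS:
        raise ValueError("recipient index out of range")
    mac = hmac.new(key, bytes([index]), hashlib.sha256).digest()
    tag = int.from_bytes(mac[:2], "big") >> (16 - TAG_BITS)
    value = (index << TAG_BITS) | tag
    return [(value >> (CODE_BITS - 1 - i)) & 1 for i in range(CODE_BITS)]


def embed(doc: str, index: int, key: bytes) -> str:
    """Produce the recipient's copy: word gap i carries bit i of the codeword."""
    words = doc.replace(ZWSP, "").split(" ")
    if len(words) - 1 < CODE_BITS:
        raise ValueError("document has too few word gaps to carry the code")
    for i, bit in enumerate(codeword(index, key)):
        if bit:
            words[i + 1] = ZWSP + words[i + 1]
    return " ".join(words)


def extract(doc: str) -> List[int]:
    """Read the carrier bits back out of a (possibly leaked) copy."""
    words = doc.split(" ")
    if len(words) - 1 < CODE_BITS:
        raise ValueError("document has too few word gaps to hold a code")
    return [1 if words[i + 1].startswith(ZWSP) else 0 for i in range(CODE_BITS)]


def identify(leaked: str, registry: Dict[int, str], key: bytes,
             max_damage: int = 2) -> Optional[str]:
    """Name the recipient whose codeword is nearest to the observed bits.

    Returns None when no registered copy is within max_damage bit flips (an
    unmarked, forged or badly damaged copy) or when two recipients tie.
    """
    observed = extract(leaked)
    scored = sorted(
        (sum(a != b for a, b in zip(observed, codeword(index, key))), name)
        for index, name in registry.items()
    )
    if not scored or scored[0][0] > max_damage:
        return None
    if len(scored) > 1 and scored[1][0] == scored[0][0]:
        return None
    return scored[0][1]


def flip_carrier(marked: str, gap: int) -> str:
    """Simulate damage in transit by toggling the carrier at one word gap."""
    words = marked.split(" ")
    tok = words[gap + 1]
    words[gap + 1] = tok[len(ZWSP):] if tok.startswith(ZWSP) else ZWSP + tok
    return " ".join(words)


if __name__ == "__main__":
    copies = {name: embed(SAMPLE_DOC, idx, ISSUER_KEY) for idx, name in RECIPIENTS.items()}
    leaked = flip_carrier(copies["bob"], CODE_BITS - 1)   # one carrier lost on the way out
    print("leaked copy traced to:", identify(leaked, RECIPIENTS, ISSUER_KEY))
```

The keyed tag is what turns a mark into evidence rather than a hint: without the issuer key an insider cannot re-mark a copy so that it points at a colleague, because the forged tag will be far from every registered codeword and `identify` returns None. As the essay says, none of this stops the leak; it only tells the investigation afterwards which copy walked out.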
Corporate entities are subject through cyber means to all the same tools, tactics, and issues that military communities are subject to. Prohibitions on corporations’ actions are not necessarily prohibitions on nation states or non-state actors. Corporate communities have attempted to protect against physical transgressions by controlling entry points, and in this same thread of thought most corporate security reflects a hardened exterior with a gooey center. The rare corporation (usually a defense contractor) utilizes substantive defenses against multiple vectors of attack. The incentive structure for corporations is the primary reason why expenditures are not more aligned with risks. The incentive is to accept risk rather than mitigate it, due to the low percentage chance of attack and the real costs versus the perceived costs of a loss. As such a lot of security is frosting rather than substance. With minimal regulation, loss of customer data or even corporate intellectual property may not show up as actual impacts on profit and loss sheets.
The corporate community’s risks, though, do not begin or end at the headquarters or main office. Supply chain hacking, up-market forces, delays, and actions from adversarial entities anywhere in the corporate inventory system can have larger than expected effects. This has been well documented in the case of labor unions, damaged factories, and the risks of tightly coupled systems. A freight strike on the west coast dramatically affected supply chains across North America. This is of special concern when regarding cyber risks. Though a major corporation may be substantially protected, does that same protection extend to all of the smaller companies in the supply chain? If you think of the entity relationship matrix of a major corporation as a hierarchical pyramid with many suppliers below, supported by even more suppliers and so on, then the risk of disruption grows.
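The supplier pyramid described above can be put to numbers. The model below is an added example, not from the original essay: each supplier has a probability of being disrupted on its own (compromised, struck, burned down), every required input is lost only when all of its alternative sources are lost, and a company is disrupted if it fails itself or loses any input. The probability at the top is computed recursively, and a criticality ranking shows how much the corporation's own exposure rises if a given supplier is certain to fail. The supplier names and probabilities are constructed, and the model assumes a tree (no supplier shared by two customers), which it checks for, since shared suppliers are exactly the tight coupling that breaks the independence assumption.

```python
from dataclasses import dataclass, field, replace
from typing import Dict, List, Tuple


@dataclass
class Supplier:
    """One node of the supply pyramid (hypothetical model, not a real vendor)."""
    name: str
    p_own: float                                  # probability the supplier itself is disrupted
    inputs: List[List[str]] = field(default_factory=list)
    # each entry is one required input; the names in it are interchangeable sources,
    # so the input is lost only if every one of them is disrupted


Chain = Dict[str, Supplier]


def check_tree(chain: Chain, root: str) -> None:
    """Reject shared suppliers: the independence assumption below needs a tree."""
    seen: Dict[str, int] = {}
    for node in chain.values():
        for alternatives in node.inputs:
            for name in alternatives:
                if name not in chain:
                    raise ValueError(f"unknown supplier {name}")
                seen[name] = seen.get(name, 0) + 1
    shared = [n for n, c in seen.items() if c > 1]
    if shared or root in seen:
        raise ValueError(f"shared suppliers break the tree model: {shared or [root]}")


def p_disrupted(chain: Chain, name: str) -> float:
    """Probability that `name` is disrupted, including cascades from its inputs."""
    node = chain[name]
    p_ok = 1.0 - node.p_own
    for alternatives in node.inputs:
        p_input_lost = 1.0
        for alt in alternatives:
            p_input_lost *= p_disrupted(chain, alt)   # all sources must fail together
        p_ok *= 1.0 - p_input_lost
    return 1.0 - p_ok


def criticality(chain: Chain, root: str) -> List[Tuple[str, float]]:
    """Rise in the root's disruption probability if each supplier is certain to fail."""
    check_tree(chain, root)
    base = p_disrupted(chain, root)
    ranking = []
    for name in chain:
        if name == root:
            continue
        forced = dict(chain)
        forced[name] = replace(chain[name], p_own=1.0)
        ranking.append((name, p_disrupted(forced, root) - base))
    ranking.sort(key=lambda item: item[1], reverse=True)
    return ranking


# Constructed pyramid: a well-defended corporation, one single-sourced input (Alpha)
# resting on a weakly defended tier-2 supplier, and one dual-sourced input (Beta/Gamma).
SAMPLE_CHAIN: Chain = {s.name: s for s in [
    Supplier("MegaCorp", 0.01, [["Alpha"], ["Beta", "Gamma"]]),
    Supplier("Alpha", 0.05, [["AlphaSub"]]),
    Supplier("AlphaSub", 0.20),
    Supplier("Beta", 0.10, [["BetaSub"]]),
    Supplier("BetaSub", 0.30),
    Supplier("Gamma", 0.10),
]}


if __name__ == "__main__":
    print(f"P(MegaCorp disrupted) = {p_disrupted(SAMPLE_CHAIN, 'MegaCorp'):.4f}")
    for name, delta in criticality(SAMPLE_CHAIN, "MegaCorp"):
        print(f"  {name:10s} +{delta:.4f}")
```

With these constructed numbers the corporation's own 1% exposure becomes roughly 28% once the pyramid is counted, and the ranking puts the tier-2 single-source supplier at the top: its failure takes the corporation down with certainty, while the dual-sourced branch contributes far less. That is the essay's point in a spreadsheet-sized model: protection that stops at the headquarters firewall does not extend down the pyramid, and the cheapest improvement is often a second source or a security requirement two tiers down rather than more spending at the top.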
Not all organizations (or corporations) have this issue. There are corporations that have considered the myriad problems they face in security. The bias of corporations, though, is to consider this in terms of how they make money. In publicly held corporations the shareholder dynamic can lead to the adoption of less than stellar security models. However, in larger organizations this is, contrary to common understanding, not for failure to consider the risks. Corporations as collective entities usually have knowledge of the high volume of risks against them. Taking action on every risk against a corporation (person, nation state, building, etc.) simply is not possible. Unfortunately, corporations are run by business professionals who all take the same classes and learn the same static risk formulations. This form of educational bias infects many professional career paths. In the case of corporations it leads to fairly standard responses that can be predicted with confidence. If the risk analysis model is known, then an external adversary can exploit it. Not all manipulation will have a specific harmful result, but it may allow for probing by an adversary.
Close coupling of corporate business processes can also be created by regulation and governmental oversight. Specific regulations (from taxes through licensure) can require that specific technologies or processes be in place to support the external requirements. These processes are usually known elements. Without getting into deep detail, all of these exploit paths can be laid out in a matrix/graph and analyzed without exposing the attacker. Points of contact can then be found between exploitable paths and, in a worst-case scenario for the corporation, be used for a cascading catastrophic attack. Most of these techniques are simply those that are taught to penetration testers in security programs, expanded outside the information technology channel.
Unfortunately the same biases that keep corporations from considering the security issues in information technology also extend into other areas of the organization. As a community the corporate world has had a hard time understanding the breadth of these issues, and silos within the organizations keep them from perceiving the different avenues to exploitation.