BLUF – Whilst cyber catastrophes make headlines, the parallels to natural disasters or acts of war are missing vital pieces necessary for response options to become available. Examining the absent portions provides a view of where we stand at present and how far we have to go.
Christopher Wray made headlines this week comparing the Bureau’s efforts in ransomware to post-9/11 efforts, turning conversations to whether we are in a post-9/11-ish world for cyber. The effects of SolarWinds, Colonial Pipeline and JBS impacted our day-to-day, but we still have a ways to go before the comparison holds water for anyone other than the Bureau.
It’s horrible. So why do we not feel it?
As mentioned in a previous post, there is a tidal quality to the cyber threat landscape. Ask coastal communities about the effects of global warming raising sea levels – creating a bigger tide with greater destructive power. However, it’s still the tide, with ebb and flow regularity. It requires adaptation for those affected, but rarely do you see more than a new technological addition to the existing practices, an attempt to counter increases in destructive capacity. Cyber is similar in how we bend the existing tools and processes rather than letting it break.
Tsunamis depart from tides both in premise and impact. Instead of a stronger tide, there is a marked seismic event driving it. Two challenges arise: first is the regional crisis focus. This gives a strong impact perception for those directly affected or knowing those who were. The perception lessens with connective distance – except when there is an indirect effect on daily life. Even then it’s a passing moment of reflection regarding minor suffering caused by others’ significant loss. Cyber may have a bit of similarity in being a local/regional crisis, but still on a limited basis. Many simply won’t feel the effects.
Second is the pause before the tsunami swells to fullness. The calm before is stillness well beyond the scale of low tide. The difference is water retreating not a few meters, but a few klicks. In cyber we gauge stillness differently, as the noise threshold is so much higher. Botnet automation is such that we only see the stillness when the connection drops – when TA505 just sold access to another party, for example – which isn’t enough for many to notice.
The comparison of tsunamis to 9/11 is uneven, I’ll admit. Former a force of nature, latter an act of war. Former is easily forgotten by everyone without direct loss, latter holds on for not just years, but generations. Both are catastrophic, but scale differently – in impact and over time. Despite NATO’s rallying cry to invoke Article 5 for cyber, the question remains: to do what?
Say what we will about ransomware – cyber effects aren’t felt enough and currently we haven’t enough momentum to change parameters or response options. The closest we have had was WannaCry/NotPetya from an event standpoint, but those weren’t enough. There has not been a singular, sufficient rally point with non-recoverable damage or significant loss of life. The criminal/enemy debate still sides on criminal. Without a momentum concept small children can have ingrained from an early age, there isn’t enough to culturally pivot.
Call it what you will. We aren’t fighting, we are defending. We aren’t moved to act, we poke fun through memes.
Please don’t draw parallels to war or acts thereof. We’ve yet to understand what that means in cyber.