In 1996, I managed the Borders.com team that launched the first ecommerce site that directly sold more than one type of media. We sold books, music and video, and when we launched, a little ecommerce company in Seattle that sold only books seemed to be paranoid about us (but as Andy Grove said, “only the paranoid survive”).

The minute we launched Borders.com, traffic from Amazon.com bombarded and pinged our site.

We had actually planned for this. Rick Vanzura, who was brought in to get our technology and back-end infrastructure house in order, asked an important question before we launched: “Can we handle a lot of traffic, especially if it is from a company trying to bring us down?” He trained the team to think about our technological contingency plans, something few of the experienced members of our team had even considered. He was convinced that Amazon and Barnes & Noble would visit our site to conduct a cyber-intelligence operation that centered on learning from our years of merchandising.

(At that time in 1996, we had some of IBM’s leading scientists work on our merchandise database and search technology, leveraging their previous experience in developing the Vatican Library, an extraordinary repository of rare books and manuscripts.)

Rick’s question enabled me to leverage some of my experience at The Johns Hopkins University’s School of Advanced International Studies, where I often participated in Crisis Simulation and Conflict Management / War Game exercises.

Today, most discussions related to crisis simulation and planning involve the military and the government, but companies need to start playing in this arena. It still amazes me how many sites do not even do load testing or hire hackers to try to ‘crack their code’ before launching a high-volume website. This will increasingly become a problem, especially as more companies place their assets in the cloud.

So if you manage a website, a mobile application or touch any interactive platform (e.g. the Electronic Power Grid), you need to ask yourself ‘are we ready’ and if so ‘what is our game plan.’ It seems that only the guys in IT Security and Risk Managers really stay awake at night asking themselves these questions. A recent McKinsey report (God, I love their research) stated that only 3% of companies have conducted cyberwar games to help ensure they are ready to defend against cyber-attack. In fact, many corporate cyberwar-gaming efforts have been directly inspired by national-defense-oriented cyberwar games.

I will be the first to admit that cyberattacks are different than a company trying to DNS Attack. (In computing, a denial-of-service attack (DoS attack) or distributed denial-of-service attack (DDoS attack) is an attempt to make a machine or network resource unavailable to its intended users. Although the means to carry out, motives for, and targets of a DoS attack may vary, it generally consists of the efforts of one or more people to temporarily or indefinitely interrupt or suspend services of a host connected to the Internet.)

Companies need to prepare for the worst. In fact, it is more important than figuring out and developing a social media plan or Big Data strategy, two areas that attract the most attention in the press.

Here are some simple suggestions:

  • Set aside 2-3 months to plan weeks, with a manageable impact on security, technology, and business managers’ time.
  • Constantly ask themselves what type of attack they could be susceptible to and what their game plan is
  • Initiate a constant review of the types of attacks others in the industry are suffering and update their own contingency plans
  • Include all functional areas (Legal, Marketing, Privacy, etc.) of the company in discussions (and scenario discussions) about potential threats
  • Identify desired outcomes when there’s an issue
  • Dedicate time each quarter to review plans and work through real scenarios
  • Play the Crisis Simulation Game which requires prioritizing potential threats and then doing scenarios around the top ones (Start simple and focus on a few to start with)
  • Have representatives from different groups design this requires.
  • Document issues and work out different scenarios
  • (IMPORTANT): Assign owners 24*7 to different areas. Often companies have scenarios worked out and then don’t know who the owners are.

As McKinsey highlights, a cyberwar game tests for flaws in a company’s ability to react to an attack by answering key questions about the capabilities required for a successful response:

  • Will the security team identify and assess the breach quickly? One organization found that the processes its security team used to address a breach were entirely dependent on e-mail and instant messaging; the organization would have limited ability to respond to an attack that compromised those systems.
  • Will the team make effective decisions in containing the breach? One corporation discovered that it did not have functional guidelines for deciding when to shut down parts of its technology environment. It found that senior executives would have ordered the technology team to sever external connectivity unnecessarily, thereby preventing customers from accessing their accounts.
  • Will the team effectively communicate the breach to the full set of stakeholders? At one financial institution, a war game demonstrated that guidelines had not been differentiated for communicating with customers whose data had been breached. As a result, high-net-worth customers would have received an impersonal e-mail.
  • Can the company adjust business strategies and tactics in the wake of a breach? At one manufacturer, a war game revealed that business managers had never thought through what they would do if competitors or counterparties gained access to sensitive information, and so would be unable to change negotiation strategies quickly after the disclosure of proprietary information about their cost structure.

Similar to the wargames I played at SAIS, scenario playing and crisis simulation can highlight some key gaps that need to be addressed, and how to address these outages.

Sometimes, it is too difficult to predict the type of attacks your site might suffer. In these cases, it’s good to look outside the company. No, I am not talking about consultants. I am talking about hiring or rewarding hackers to ‘crack the code.’ That’s what companies like Facebook, Microsoft and Google do, where they reward people for hacking into their sites.

Stay tuned for more Digital Risk thoughts.

Scott Wilder