
The OODA Loop Guide to How To Manage Cyber Risk as a Board Director

While cybersecurity has been a focus of many highly functioning corporate boardrooms, the growing cyber threat and systemic risks facing corporations today are making it an even more critical topic. Any director seeking to add value to corporate stakeholders should have an appreciation for this growing risk. And with the US Securities and Exchange Commission (SEC) about to publish new regulations requiring publicly traded corporations to document their risk mitigation measures and name who on the board is a cybersecurity lead, we expect all boards will be revisiting the optimal ways to manage cyber risk.

Corporate Directors should not wait for final rules from the SEC to start gap analysis on how the corporation is managing cyber risk. Some steps that can be taken right away:

  • Boards should be talking with management now to make sure there is clarity on current corporate processes and procedures for incident response and for cyber risk mitigation governance. A gap assessment should be conducted to assess the difference between best practices and current corporate practices.
  • All directors should seek to understand and mitigate cyber risk by leveraging expert advice from experienced risk management professionals. External advisors can rapidly evaluate board expertise relevant to the cybersecurity qualifications (including those about to be required by the SEC) and can recommend additional training for the full board or the board designated cyber expert.
  • Every business is different. The threat to your business needs to be contextualized to be mitigated. Although we provide tips on how to do that based on business size here, new threats mean a fresh contemplation of what they mean for your business is required. For most large, complex organizations this will probably mean convening a strategy session with key leaders from across the organization where the new nature of the threat can be discussed, which leads to the next key recommendation: this needs to be treated as a business issue, not just a security issue.
  • Ensure planning involves business leadership, not just IT and Security. Cyber attacks against the nation’s infrastructure and against infrastructures of other nations where your business or suppliers operate are issues for all leaders, not just cybersecurity and technology leaders. Leaders should examine topics of business resiliency and disaster response with an attitude towards long term business survival vice short term operations and should strongly support actions that will enable improved overall business resilience.
  • Many boards will decide to form cybersecurity committees so a few designated board members can work issues with management outside of board meetings.
  • Monitor execution, especially on actions requiring people to think differently. The cyber threat is so different it may be cause for actions many organizations never planned for. For example, organizations may need to rapidly learn to use new “out of band” secure communication systems for executive communications and for communications with staff and all employees. Organizations may need to learn to revert to manual paper copy interactions with suppliers, banks and other stakeholders. Boards may need to meet and exercise governance without access to online data of any sort. All of these are ways that businesses used to operate, but many skills in good governance without technology may have atrophied. Now may be the time to exercise them.
  • We most strongly recommend that corporate directors take action to keep informed of emerging cybersecurity, geopolitical and technological developments that contribute to systemic risks. A foundational way to track these key topics is by leveraging the analysis of OODA by signing up for the OODA Daily Pulse and by applying to join the OODA Network.
  • Directors seeking a deeper understanding of the nature of cyber risk and best practices in corporate governance can leverage OODA Board Cyber Advisory Services. Our advisory team is comprised of only senior executives who have deep domain expertise combined with executive management functions such as serving on Boards of Directors or managing cyber risk as CEOs, CTOs, and CISOs. We help bridge the gap between Boards and their internal security management teams.
  • Additionally, directors seeking insights into the nature of cyber risk and best practices for executives in mitigating risk can leverage the extensive research and reporting of the OODA Loop (reviewing the research reports below can help familiarize you with content before it is needed).

OODA References For Corporate Security and Risk Mitigation

Following is a reference for corporate directors and other executives seeking to explore the impact of cyber risk on the value creation and fiduciary responsibilities of a board of directors.  The reference is organized into the following sections:

  • Decision Intelligence and Leadership
  • Governmental Cyber Policy and Regulations
  • Red Teaming
  • Executive Protection
  • Scenario Planning/Foresight Strategy
  • Cyber Incident Advisories and Mitigation Efforts
  • The Future of Cyber Risk
  • The Human Factor
  • Cybersecurity Innovation and the Emergence of Exponential Technologies
    • Zero Trust Architecture and Strategy
    • Artificial Intelligence and Machine Learning
    • Quantum Science and Quantum Security
    • The Future of Space

Decision Intelligence and Leadership

The evolving responsibilities of board members to cybersecurity and cyber risk were highlighted as a theme in the OODA Almanac 2023. The OODA Almanac series is intended to be a thought-provoking forecasting of themes the OODA Network thinks will be emergent each year. You can review our 2022 Almanac and 2021 Almanac  – both of which have held up well.  The theme for last year was exponential disruption, which was carried through into our annual OODAcon event. This year’s theme is “jagged transitions”  – which is meant to invoke the challenges inherent in the adoption of disruptive technologies while still entrenched in low-entropy old systems and in the face of systemic global community threats and the risks of personal displacement.

Seeking Security Alpha:  In cybersecurity, it has long been assumed that the attacker has the advantage and that defenders must deploy a disproportionate amount of resources (time, money, etc.) to even try and maintain some parity.  In the financial industry, there is a term called “seeking alpha” for those investment managers looking to exceed standard performance on a risk-adjusted basis. Recent work by the New York Cyber Task Force implies that CISOs can seek security alpha as well – that is spend a dollar on defense that causes an attacker to spend a disproportionate amount on offense.  In seeking security alpha you should be deploying strategies and solutions that increase the cost to the attacker and provide you with maximum security return on investment for the threats and risks your organization faces.

Every Director of Every Corporate Board Should Read What Larry Fink Writes:  Odds are very high that any publicly traded company has institutional investors. That is just the way the world works these days. Among America’s largest companies, 72% of their ownership is by institutional investors (the big ones being BlackRock, Vanguard, UBS Group, Fidelity, State Street, and Morgan Stanley). These and many other institutional investors also invest in smaller publicly traded companies. Since by law and court precedent Boards work for their shareholders, every director in every publicly traded firm should care about what these big institutional investors think. The biggest and most influential of all is BlackRock with $9.5 trillion under management.  So when BlackRock CEO Larry Fink takes time to put his views into writing, we should all pay attention.

Cybersecurity Whack-a-Mole In the Boardroom:  Rod Hackman is an experienced business leader whose early career included managing US Navy shipboard nuclear reactors, a position which required him to interview with and work under the famous Admiral Rickover. We found Rod’s views on how the board of directors should approach cybersecurity to be insightful and in some ways reminiscent of leadership lessons from Admiral Rickover, who long taught that responsibility for critical issues can never truly be delegated.

Four Urgent Actions For The C-Suite To Prepare For High-End Cyberattacks:   We recommend leaders consider the following four strategic actions:

  • Understand what is new about the threat
  • Contextualize the threat to your business
  • Ensure planning involves business leadership, not just IT and Security
  • Monitor execution, especially on actions requiring people to think differently

C-Suite Guide: Improving Cybersecurity Posture Before Russia Invades Ukraine: Gourley writes that “One thing a career in the intelligence community taught me is no model for predicting the future is foolproof. Every model and method has flaws. But when an adversary tells you what they will do you have to take that into account. And at this point, all indications from Putin are that Russia intends on invading Ukraine. This post is about what this means for organizational cybersecurity posture.”

First Federal CISO Greg Touhill on Advanced Cybersecurity by Design:  Touhill is currently the director of the Carnegie Mellon University Software Engineering Institute’s CERT Division. In this capacity, he leads one of the most highly regarded organizations in the cybersecurity community. The CERT is a diverse group of researchers, software engineers, security analysts, and digital intelligence specialists who work together to research vulnerabilities, contribute to long-term changes, and develop cutting-edge information and training to improve the practice of cybersecurity.

11 Habits of Highly Effective CISOs:  Over the past 25 years, I’ve consulted for hundreds of executives on cybersecurity issues including direct support to dozens of CISOs working to effectively manage cyber risk in a wide variety of organizations.  With this post, I’ve attempted to capture some of the best practices from the most effective CISOs I know. In future articles, we’ll look at each of the 10 habits in greater detail, including direct input from the CISO community.

A Global CISO’s Ten Rules for Success:  Neal Pollard is an OODA Network member and is the Global CISO at UBS.  He recently posted his 10 rules for being a successful CISO on LinkedIn and gave us permission to share them here.  It is one of the best top 10 lists we’ve seen.

OODA Network Interview: Neal Pollard:  This post is based on an interview with  Neal Pollard. It is part of our series of interviews of OODA Network members. Our objective with these interviews is to provide actionable information of interest to the community, including insights that can help with your own career progression. We also really like highlighting some of the great people that make our continued research and reporting possible.

Cybersecurity, Enterprise Intelligence, and Leading Change:  In October 2020, OODA CTO Bob Gourley had a conversation with Paul Kurtz – an internationally recognized expert on cybersecurity and the Co-Founder and Chairman of TruSTAR.  Paul began working on cybersecurity at the White House in the late 1990s. He served in senior positions relating to critical infrastructure and counterterrorism on the White House’s National Security and Homeland Security Councils under Presidents Clinton and Bush. In the same month, Bob spoke with Mark Weatherford.  Mark is an icon in the cybersecurity field. He is widely known as a mission-focused leader who builds teams and gets hard things done. His career included success in the US Navy as a cryptologist, leadership, and management in a major defense integrator, CISO for two states (Colorado and California), CISO of the nation’s regulatory organization for our power grid (the NERC), head of security efforts for the newly formed DHS, and operational CISO roles and advisory board positions for several US corporations.

Mark Weatherford on the relationship between CISOs and corporate leadership:  Mark Weatherford is an icon in the cybersecurity field. He is widely known as a mission-focused leader who builds teams and gets hard things done. His career included success in the US Navy as a cryptologist, leadership, and management in a major defense integrator, CISO for two states (Colorado and California), CISO of the nation’s regulatory organization for our power grid (the NERC), head of security efforts for the newly formed DHS, and operational CISO roles and advisory board positions for several US corporations.

Will a New Cyber Director Plus a New Cyber Strategy Equal a New Result?:  Recent reporting revealed the departure of Chris Inglis as President Biden’s National Cyber Director, the first individual to occupy the position.  Inglis assumed the position 17 months ago, boasting a 28-year career at the National Security Agency in a variety of the agency’s mission areas before ending up as its top deputy.  The President created the position and selected Inglis shortly after the Colonial Pipeline attack that crippled an important critical infrastructure.  Since then, the position has been focused on cyber policy issues and integrating the role into the “existing cyber oversight structure.”  Based on his brief tenure in the role, Inglis’ major contribution, besides providing legitimacy to the position, was his instrumental involvement in formulating the National Cybersecurity Strategy.

100 Episodes of OODAcast: Providing actionable insights for future risks and opportunities:  In 2020, we launched the OODAcast video and podcast series designed to provide insightful analysis and actionable intelligence to decision-makers. In this 100th episode, co-hosts Matt Devost and Bob Gourley review some of the key insights from the series. Matt and Bob also discuss OODA’s recent assessment of risks and opportunities given the geopolitical and technological environment, leading to a discussion of recommended actions for C-suite leaders.

The Five Modes of HACKthink:   HACKthink is the name I use to describe applying a hacker’s mindset to solving complex problems or finding innovative solutions.  It is derived from the original endearing definition of a hacker, which implies someone who likes to tinker and take things apart to figure out how they work and to make them better.  As a white hat hacker for over 25 years, I’ve applied HACKthink to a great many information security and technology problems, but have also used the same approach to thinking to solve hard problems in other domains.  In addition to HACKthink being used as an overall methodology for decision-making, risk reduction, and opportunity development – there are five unique sub-modes that can provide value as stand-alone elements. After all, problems are just opportunities with different risk profiles.

Mental Models For Leadership In The Modern Age:    This is part of a series providing insights aimed at corporate strategists seeking competitive advantage through better and more accurate decision-making. The full series is available in our special section on Decision Intelligence.  Members are also invited to discuss this topic at the OODA Member Forum.  This post reviews the mental models we recommend all business and government decision-makers master, focused on those models which can help improve your ability to make decisions and drive optimal business outcomes.

Governmental Cyber Policy and Regulations

What Corporate Directors Need To Know About Coming SEC Cybersecurity Rules:  For over a decade the Security and Exchange Commission (SEC) has been working with corporations and their many stakeholders to seek ways to appropriately influence corporate governance around cybersecurity. The SEC is now on the verge of issuing binding regulations for all publicly traded corporations. Our assessment of these regulations is that they hold the potential of transforming corporate governance in ways not seen since the passing of the 2002 Sarbanes Oxley legislation.

What Executives Need To Know About The Annual Threat Assessment from the U.S. Intelligence Community:  The Annual Threat Assessment of the U.S. Intelligence Community is an unclassified report released each year concurrent with Congressional testimony by the Director of National Intelligence. The report focuses on what the ODNI believes are the most direct, serious threats to the U.S. during the next year.   OODA leverages the details of this report in our research and reporting; every year we use it as a foundation for updates on our threat assessments and our C-Suite report. We read the report looking for surprises or changes to assessments that need to be immediately highlighted to business leaders. This year we found several interesting nuances to bring to your attention.

The OODA Network on the 2023 National Cybersecurity Strategy: In March 2023, the White House released the highly anticipated 2023 National Cybersecurity Strategy (OODA CTO Bob Gourley was invited by leaders in the Office of the National Cyber Director (ONCD) to receive a preview of the strategy and to contribute feedback and insights, which better prepared us as we contemplated the strengths and weaknesses of this strategy). Overall, Bob has commented that “the 2023 National Cybersecurity Strategy is the best the government has ever produced.  It is really amazing work and the best of all the strategy documents produced over the decades – and a job well done by the leaders at the White House Office of National Cyber Director.”

The Missing Piece of the National Cybersecurity Strategy: A good strategy has three major components: a description of the goals you are trying to achieve, an explanation of how you are going to achieve those goals, and what things look like when your strategy is working, or a definition of “success.”  As fine a piece of work as the new National Cybersecurity Strategy is, and it is a substantial and well-produced piece of work, its hand-wavy definitions of success are a shortcoming that threatens to render all this good work moot.

CISA JCDC Sets 2023 Planning Agenda:  The Joint Cyber Defense Collaborative (JCDC) is proud to announce its 2023 Planning Agenda—a major milestone in the collaborative’s continued evolution and maturation. Economic prosperity, national defense, and public health and safety depend on interconnected digital technologies. Widespread security flaws and configuration missteps in these technologies create opportunities for malicious actors to steal information, destroy valuable data, and cut off access to critical goods and services. JCDC’s planning agenda addresses these important and complex security challenges.

Strategic Plan for 2023-2025 Announced at 4th Meeting of the CISA Cybersecurity Advisory Committee:  The inaugural meeting of the CISA Cybersecurity Advisory Committee (CSAC) was held in December 2021.  For highlights and our analysis of the meeting, see A Call to Action from CISA’s Jen Easterly and Def Con’s Jeff Moss at Inaugural CISA Advisory Committee Mtg.  The second meeting of the committee was held in March 2022.  For highlights from the 2nd meeting, see Takeaways from the Second Meeting of the CISA Cybersecurity Advisory Committee.  The third meeting of the committee was held in June 2022 in Austin, TX. For highlights from the 3rd meeting, see Takeaways from the Third Meeting of the CISA Cybersecurity Advisory Committee.  The fourth meeting of the committee was held in September 2022.

The CISA Shields Up! Initiative:  Evolving intelligence indicates that the Russian Government is exploring options for potential cyberattacks. Every organization—large and small—must be prepared to respond to disruptive cyber incidents. As the nation’s cyber defense agency, CISA stands ready to help organizations prepare for, respond to, and mitigate the impact of cyberattacks. When cyber incidents are reported quickly, we can use this information to render assistance and as a warning to prevent other organizations and entities from falling victim to a similar attack.

A Guide For Business: Final checks for reducing risks in the face of nation-state cyber attacks based on White House advisory:  The President has announced he has indications that the Russians are targeting our national infrastructure for a possible cyberattack, saying all companies should prepare and raise defenses asap.  This is an important announcement that should be taken seriously by all companies in every sector of the economy and by individuals as well. It is also the first time in history that a President has announced specific indications of a potential cyber attack from an adversary nation. This is absolutely worth paying attention to and worth thinking through your actions in response.

Preparing for Cyber Attacks: The CISA Online Resource Hub:  The Cybersecurity and Infrastructure Security Agency (CISA) launched a new hub that organizations can use to discover free public and private sector resources to strengthen their cybersecurity. “Many organizations, both public and private, are target-rich and resource-poor. The resources on this list will help such organizations improve their security posture, which is particularly critical in the current heightened threat environment.  This initial catalog will grow and mature as we include additional free tools from other partners,”  CISA Director Jen Easterly said in a statement.

CISA Releases Voluntary Cross-Sector Cybersecurity Performance Goals:  These voluntary cross-sector Cybersecurity Performance Goals (CPGs) are intended to help establish a common set of fundamental cybersecurity practices for critical infrastructure, and especially help small- and medium-sized organizations kickstart their cybersecurity efforts.  The CPGs are a prioritized subset of IT and operational technology (OT) cybersecurity practices that critical infrastructure owners and operators can implement to meaningfully reduce the likelihood and impact of known risks and adversary techniques. The goals were informed by existing cybersecurity frameworks and guidance, as well as the real-world threats and adversary tactics, techniques, and procedures (TTPs) observed by CISA and its government and industry partners. By implementing these goals, owners, and operators will not only reduce risks to critical infrastructure operations but also to the American people.

CISA Granted Subpoena Power as Cyber Incident Reporting Bill Signed into Law:  On March 2nd, overshadowed by the State of the Union that evening, the Senate unanimously passed the Strengthening American Cybersecurity Act, which was actually various bills made into one piece of legislation.  A vital piece of the consolidated legislation was a cyber incident reporting bill, mandating critical infrastructure owners notify the Homeland Security Department within 72 hours of a hack and 24 hours if the organization made a ransomware payment.

FTC Expectations For Corporate Board-Level Oversight of Cybersecurity:  The Federal Trade Commission (FTC) has published expectations for corporate board level oversight of cybersecurity. They advise every member of every board: “Don’t underestimate your role in data security oversight.”

Can We Rethink Critical Infrastructure Cybersecurity?  The United States has developed several strategies and roadmaps during different presidential administrations to address critical infrastructure security including but not limited to: Executive Order 14028 on Improving the Nation’s Cybersecurity, a National Security Memorandum on Improving Cybersecurity for Critical Infrastructure Control Systems, the National Infrastructure Protection Plan, Presidential Policy Directive 21, and NIST’s Framework for Improving Critical Infrastructure Cybersecurity. The most current effort to safeguard these infrastructures is in Congress, where a bill seeks to amend the annual defense policy legislation to incorporate cybersecurity for the nation’s “most vital infrastructure.”  It is clear that the highest levels of government acknowledge the need to ensure that these vital sectors do not suffer a catastrophic or debilitating cyber attack.

Log4Shell Update from CISA Director Easterly and DHS CISA JCDC Company Updates:  Following is a ‘big picture’ update of CISA press releases, global incidents, and impacts to assess more of the strategic challenge ahead with the Log4Shell vulnerability and the potential for executables within your systems.

Red Teaming

CISA Releases Red Team Assessment on Critical Infrastructure:  In 2022, the Cybersecurity and Infrastructure Security Agency (CISA) conducted a red team assessment (RTA) at the request of a large critical infrastructure organization with multiple geographically separated sites. The team gained persistent access to the organization’s network, moved laterally across the organization’s multiple geographically separated sites, and eventually gained access to systems adjacent to the organization’s sensitive business systems (SBSs). Multifactor authentication (MFA) prompts prevented the team from achieving access to one SBS, and the team was unable to complete its viable plan to compromise a second SBS within the assessment period.

10 Red Teaming Lessons Learned Over 20 Years:  I’ve been a red teamer for twenty years now, perhaps even longer, but I didn’t know what to call it until 1995 when I started working with the Department of Defense. I’ve also been fortunate to participate in or lead hundreds of red teams within many divergent disciplines ranging from strategic and tactical cyber to physical security threats like infectious diseases or nuclear power plant targeting to more abstract items like Joint Operating Concepts.  I often get asked what lessons I’ve learned over the past twenty years, so I started putting together this list of 10 lessons learned over 20 years of red teaming a few years ago. Given that I’ve officially hit the twenty-year mark, I figured it was time to hit the publish button. While many of these feel like concepts, vice lessons learned, I hope the reader finds them thought-provoking as they formulate and execute red teams of their own. As always, feedback and comments are welcome.

Executive Protection

OODA Releases a Traveling Executive’s Guide to Cybersecurity: One of the most frequent questions we are asked by global executives and their security teams is how to protect their information and technology systems while traveling abroad.  With this in mind, we built this reference with an eye toward serving the OODA members who travel abroad for business, especially those who will operate in a nation that is not a Western-style liberal democracy.  Of course, these tips also apply to individuals traveling abroad for non-business purposes or who just want to improve their overall individual security posture.

For Executive Protection, Physical and Cyber Security Have Fully Converged:  Corporate and private security teams have well-established procedures and practices for protecting the safety and security of their executives and clients, which can include high net-worth families and celebrities.  This can include tried and true measures like bodyguards, physical security measures around facilities and homes, secured vehicles with trained drivers, and a whole suite of protective monitoring technologies such as cameras, sensors, alarm systems, and panic buttons.  In the cyber domain, security teams are less practiced in personnel protection and often focus their efforts on protecting work systems and credentials.  In today’s hyper-connected world, physical and cyber security have fully converged and must be looked at as one unified security effort.  Consider the following ways in which cybersecurity can impact the physical security of an at-risk executive.

Scenario Planning/Foresight Strategy

Scenario Planning for Global Computer Chip Supply Chain Disruption: Results of an OODA Stratigame:  This report is the outcome of our first OODA wargame, which we have branded as a Stratigame (Strategic Game), focusing on the global computer chip supply chain issues.  Over 25 members of the OODA Network of Experts participated in this Stratigame where the OODA research team developed four scenarios and then led a structured discussion in which experts provided unique insights into potential impacts of these scenarios, adjacent risks, and opportunities, and recommended actions that would allow us to avoid the negative impacts of a particular scenario or nudge us into a more favorable scenario.

With the U.S. Delegation in Asia, We Revisit our OODA Stratigame Insights about Taiwan:  We thought the best version of OODA Loop ‘coverage’ of the recent trip by Pelosi et. al. to Taiwan is to return to our Fall 2021 Stratigame. The objective here is a “cheat sheet” of questions the OODA Loop readership should bring to bear in their analysis of the impact of the visit – a list of alternative, more sophisticated framing of the issues at hand.  Our analysis is neither prescriptive nor predictive but offers a framing of the issues which achieves better and more informed questions and insights about the impact of this geopolitical maelstrom.

“The Worst-Case Scenario is the Least Probable” and Other Cognitive Biases: Global Drought, Catastrophic Monsoons and Floods and “Zombie Ice”:  It is also our responsibility to position some negative metrics and trends as part of our overall sensemaking on behalf of the membership.  And we consider even our own aversion to bad news part of our research discipline as well, and we have mechanisms to break through it and achieve something resembling a stoic, balanced stance on most information we are handling at any given time. OODA Network Member Dr. Lisa Porter describes “a risk-based approach that recognizes I am always making a tradeoff.  And to do it with my eyes open.”  We think that captures what we are trying to provide here on a daily basis.  We also use scenario planning to tell the story of the future as we are seeing it – to influence risk strategies and decision-making processes for our member organizations.  So, with that:  Are you sitting down?  Because I have some bad news, along with a mental model through which to analyze its implications.

CISA Provides Scenario Planning/Strategy Foresight “Secure Tomorrow” Toolkit:  CISA’s National Risk Management Center released the first Secure Tomorrow Series Toolkit “to assist stakeholders across the critical infrastructure community to self-facilitate and conduct strategic foresight activities that will enable them to derive actionable insights about the future, identify emerging risks, and develop risk management strategies that, if taken today, could enhance long-term critical infrastructure security and resilience to implement now.”  Central to the Secure Tomorrow Series effort is the selection of topics likely to have a highly disruptive impact across multiple National Critical Functions. To this end, the National Risk Management Center worked with subject matter experts from academia, think tanks, the private sector, and the National Labs to help build and refine the knowledge base that underlies the Toolkit activities.  These free voluntary resources are available to stakeholders in every critical infrastructure sector. More specifically, the Toolkit will assist users in identifying and examining risk mitigation strategies, managing uncertainty, and encouraging strategic foresight methods in their long-term planning.

Cyber Incident Advisories and Mitigation Efforts

Log4Shell Activity:  Non-State Actors (Global):  [For coverage of the press conference by CISA Director Jen Easterly last week and a general summary of U.S.-based Apache Log4j alerts and mitigation efforts, see Log4Shell Update from CISA Director Easterly and DHS CISA JCDC Company Updates.  For incidents and mitigation activities of government agencies worldwide, see Log4Shell Incidents and Mitigation Activities To-date: Governmental Agencies (Global).]

CISA Apache Log4j Vulnerability Guidance Webpage Up and Running with Mitigation Guidance from JCDC Partners:  Relative to other cyber incidents, Log4j proved severely problematic.  Hands down, the most important resources available are the webpages CISA launched to provide Apache Log4j Vulnerability Guidance.  OODA CEO Matt Devost wants the OODA Loop membership to know that “this is a great page and we should highlight that it exists for OODA Loop members.  CISA has done a great job here.”

Full Log4Shell Attack Chain-Enabled Conti Ransomware Gang Supports Russia; Ukrainian Gang Member Retaliates:  CISA Update:  US-CERT NCAS Alert (AA21-265A – Conti Ransomware) – The US-CERT National Cyber Awareness System (NCAS) Alert AA21-265A, entitled “Conti Ransomware”, was first released on September 22, 2021.  The Alert was recently updated on February 28, 2022:  “Conti cyber threat actors remain active and reported Conti ransomware attacks against the U.S. and international organizations have risen to more than 1,000. Notable attack vectors include Trickbot and Cobalt Strike.”

CISA Insights Bulletin Urges U.S. Preparation for Data-Wiping Attacks:  Recent data-wiping attacks, targeting Ukrainian government agencies and businesses, prompted the release of a CISA Insights Bulletin urging U.S. organizations to strengthen their cybersecurity defenses.  In what felt like coordinated attacks last Friday, the data-wiping malware (masquerading as ransomware) hit Ukrainian government organizations and was quickly followed by an aggressive unattributed cyber attack on Ukrainian government sites.  To clarify:  This CISA Insights Bulletin is in addition to the Joint Cybersecurity Advisory (CSA) from CISA, FBI, and NSA: Russian State-Sponsored Cyber Threats to U.S. Critical Infrastructure, dated January 11, 2022.  These announcements are very much aligned with our risk awareness coverage of the current tensions in Ukraine and the role of cyber and information threat vectors in gray-zone conflicts.

Industroyer2 and Pipedream ICS/SCADA Malware: DOE, CISA, NSA, and the FBI Release Joint Cybersecurity Advisory:  Industrial control systems (ICS) and supervisory control and data acquisition (SCADA) device vulnerabilities are, arguably, the threat surfaces that are of the utmost concern to cyber and homeland security professionals.  If ICS/SCADA devices are mission-critical to your organization, the Joint Cybersecurity Advisory (CSA) released this week by multiple U.S. agencies is a must-read.

Five Eyes Release Joint Cybersecurity Advisory: Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure:  Overall, as OODA CTO Bob Gourley recently pointed out:  “We are so pleased with the quality of work and the professionalism in recent reporting from our government agencies on the nature of the cyber threat.  In particular, the Joint Cybersecurity Advisory (CSA) released yesterday is one of the best.”  The Joint CSA to which Bob refers was released by eight cybersecurity organizations from within the Five Eyes nations’ intelligence agencies – which, to date, is unprecedented.  The Five Eyes intelligence organizations have released joint advisories in the past, but never has a joint CSA been “coauthored by U.S., Australian, Canadian, New Zealand, and UK cyber authorities with contributions from industry members of the CISA Joint Cyber Defense Collaborative (JCDC).”

A Joint Cybersecurity Advisory from CISA, FBI and NSA: Russian State-Sponsored Cyber Threats to U.S. Critical Infrastructure:  As we have mentioned a few times here at OODA Loop, we are very discerning in our amplification of US-CERT e-mail notifications.  Emergency Directives and Joint Cybersecurity Advisories (CSAs) are the exceptions.   The Joint CSA released today by CISA, the FBI, and the NSA is very much aligned with our coverage of the current tension in Ukraine and the role of cyber and information threat vectors in gray-zone conflicts.

Joint Cybersecurity Advisory Released by CISA, FBI, AUS CSC and UK NCSC Regarding Iranian Government-Sponsored APT:  CISA reports that an advanced persistent threat (APT) group has, since March 2021, been exploiting Fortinet vulnerabilities and, since October 2021, a Microsoft Exchange ProxyShell vulnerability “to gain initial access to systems in advance of follow-on operations, which include deploying ransomware.”  Both the Fortinet and Exchange vulnerabilities may have existed before March and October 2021, respectively.

The FBI and CISA on Information Manipulation Tactics for 2022 Midterm Elections:  The Federal Bureau of Investigation (FBI) and CISA have published a joint public service announcement that describes methods that foreign actors use to spread and amplify false information—including reports of alleged malicious cyber activity—in attempts to undermine trust in election infrastructure, and confirms “the FBI and CISA have no information suggesting any cyber activity against U.S. election infrastructure has impacted the accuracy of voter registration information, prevented a registered voter from casting a ballot, or compromised the integrity of any ballots cast.”

The Future of Cyber Risk

Matt Devost on Hacking Entrepreneurship and Identifying Threats and Opportunities:  In this OODAcast, the tables are turned as OODA Network Expert Jen Hoar interviews CEO Matt Devost.  They discuss how Matt consistently identified new threats and opportunities by blending eccentric interests into a career as a serial entrepreneur and became an established expert on cybersecurity, counterterrorism, and technology issues.  Having been educated in a one-room schoolhouse in the rural Northeast Kingdom of Vermont, Matt identified a way to blend his interests in emerging national security threats and computer science into a bespoke career path and took persistent risks to realize non-obvious opportunities.

Breakthroughs and Beyond: Technology advances in 2022 that will shape 2023:  We live in an incredibly exciting time where technology is enabling new business models and new ways of making life better. This report captures some of the advances in 2022. We focused on topics that seem to hold great potential for improving business and government operations in the near term.

2022 Year-end Review: Cybersecurity:  Not unlike 2021 (and actually quantifiably worse), 2022 was marked by security professionals reacting to threats, incidents, and vulnerabilities of a constant, unrelenting frequency, volume, and scale.  At the end of 2021, in a series of posts entitled The New Normal, we provided case studies of a few of the major cyber incidents which, cumulatively by the end of last year, made it abundantly clear that we were on terra incognita in a way which would clearly carry over into 2022.  Also included in our analysis at the time were new threat vectors that were met by new corporate, governmental, and legal mechanisms for response to cyber incidents of all kinds (cyber fraud, crypto theft, data breach, ransomware, etc.) – a trend in this ecosystem which has continued over the course of 2022 as well.

OODA Loop – What’s 2023 Cybersecurity Look Like? Trust:  Cyber malfeasance comes in a variety of forms and is conducted by an almost equally diverse threat actor ecosphere.  The news is rife with examples of big and small cyber theft of money or data; disruptive attacks directed against public and private sector organizations; increasing threat activity against critical infrastructures; severe vulnerabilities that continue to emerge and need patching; and mundane and innovative attack types and methodologies that are forever knocking on the cyber perimeter.  It has reached the point where the benefits of increasingly advanced and connected technologies are almost on par with the dangers associated with them, in the fashion of a true double-edged digital sword.  A quote by the French cultural theorist Paul Virilio captures this sentiment perfectly: “The invention of the ship was also the invention of the shipwreck.”  Such is the dichotomy of cyberspace, where hostile actors race to keep pace with the rate of its innovation.

Secure Global and Domestic IT Supply Chains and the Future of Emerging Technology Innovation:  Last year, we launched the Opportunities for Advantage Series (which will continue in 2023) to explore how exponential disruption and innovation require organizations to focus efforts to gain advantage, including the crucial opportunity for advantage realized by securing global and domestic IT supply chains for the future of emerging technology innovation.

Cybersecurity Investment, Due Diligence, Innovation, and Growth:  In May of 2020, OODA CTO Bob Gourley had a conversation with Boston Meridian’s co-founder and partner JC Raby.  Boston Meridian is an innovative investment banking firm focused on providing strategic M&A advisory and capital raising services to fast-growing private and small-cap public growth companies.  Since its founding in 2004, they have closed more than $6 billion in transaction value.  In July 2020, Bob spoke with Andrew (Andy) Lustig, a partner at the high-tech law firm Cooley, where he focuses on private equity investments, mergers, and acquisitions, and the general corporate representation of high-growth technology companies in both the commercial and government marketplace.

The Human Factor

Masha Sedova, Co-Founder Elevate Security on Human Risk Management:  Masha Sedova is an award-winning people-security expert, speaker, and entrepreneur focused on helping companies transform employees from a risk into a key element of defense.

People, Culture, Organizations, Cybersecurity, and Technology:  In December 2020, OODA CEO Matt Devost had a conversation with Masha Sedova.  She is the co-founder of Elevate Security, which delivers an employee-risk management platform that provides visibility into employee risk while motivating employees to make better security decisions.  In addition, Masha has been a member of the Board of Directors for the National Cyber Security Alliance and a regular presenter at conferences such as Black Hat, RSA, ISSA, Enigma, OWASP, and SANS.  In May 2021, OODA CTO Bob Gourley had a conversation with Bryson Bort, the Founder of SCYTHE, a start-up building a next-generation attack emulation platform, and GRIMM, a boutique cybersecurity consultancy.  He is widely known in the cybersecurity community for helping advance concepts of defense across multiple critical domains.

Deception Needs to be an Essential Element of Your Cyber Defense Strategy:  In the cyber defense community, we talk about a wide range of risk-mitigating technologies, strategies, and activities.  We talk about attacker deterrence and increasing costs for the attacker.  We invest in endpoint agents, threat intelligence, DLM, and other mitigating technologies on a daily basis.  One of the most compelling emerging use cases for increasing attacker costs is the use of deception.  Because the term “deception” has negative connotations, it has rarely been mentioned amongst executive teams and boards, but that is rapidly changing as it is demonstrated to be a viable, cost-effective, and valuable component of any cyber defense approach.

About the OODA Loop Talent Superpower Strategy (The Human Factor) Series:  Amidst our research on exponential innovation and national cognitive infrastructure protection, it is easy to take a purely technology-based perspective and neglect the human factor:  the role of trained talent and future innovators in building the technology and platforms to solve the most pressing problems and address future risks, opportunities, and threats.  The OODA Loop Talent Superpower Strategy (The Human Factor) Series of posts over the course of this year is designed to track, research, and synthesize these vital strategic issues:   Emerging Tech Talent, Human Targeting, Cyber Workforce Development, STEM Stay Rates, and National Security.

Is Your Insider Threat Risk Management Program Ripe for Innovation? Part 1:  There are two questions you should be asking yourself about your organization’s insider threat program:  What is the probability that your organization will experience an insider threat?  What will be the impact if your organization experiences an insider threat incident or damage linked to insider activity?  A robust insider threat program that protects government resources, employees, and contractors can deliver significant value and reduce associated risks.

Cybersecurity Innovation and the Emergence of Exponential Technologies

Zero Trust Architecture and Strategy

The New Enterprise Architecture Is Zero Trust:  Enterprise technologists use the term “Zero Trust” to describe an evolving set of cybersecurity approaches that move defenses from static attempts to block adversaries to more comprehensive measures that improve enterprise performance while improving security. When the approaches of Zero Trust are applied to enterprise infrastructure and workflows, the cost of security can be better managed and the delivery of functionality to end users increased. Security resources are matched to risk. Functionality, security, and productivity all go up.

OODA Network Member Junaid Islam on Zero Trust Architecture:  In this OODAcast, we provide insights into Zero Trust architectures from an experienced practitioner, Junaid Islam.  Junaid is a senior partner at OODA. He has over 30 years of experience in secure communications and the design and operations of highly functional enterprise architectures. He founded Bivio Networks, maker of the first gigabyte speed general-purpose networking device in history, and Vidder, a pioneer in the concept of Software Defined Networking. Vidder was acquired by Verizon to provide Zero Trust capability for their 5G network.

Zero Trust Will Yield Zero Results Without A Risk Analysis:  One of the common mistakes we see enterprise IT leaders and many cybersecurity experts make is to think of Zero Trust as a product.  It is not.  Zero Trust is a concept where an organization has Zero Trust in a specific individual, supplier, or technology that is the source of their cyber risk.  One needs to have Zero Trust in something and then act to neutralize that risk.  Thus, buying a Zero Trust product makes no sense unless it is deployed as a countermeasure to a specific cyber risk.  Buying products should be the last step taken, not the first.  To help enterprises benefit from Zero Trust concepts, here is a modified OODA loop-type process to guide your strategy development and execution:

Future Cybersecurity Architectures: DoD’s Zero Trust Pilot Program and Native Zero Trust Design:  In response to the SolarWinds Orion and Hafnium Microsoft Exchange breaches in the late Winter of 2020/early Spring of this year, the U.S. Senate Committee on Armed Services, Subcommittee on Cyber, held a hearing on April 14th entitled “Future Cybersecurity Architectures”.  The specific breaches were actually only the context for a larger conversation about (and a general update on) DoD implementation of the recently approved DoD Zero Trust Architecture Framework.

Artificial Intelligence and Machine Learning

The Past, Present, and Future of ChatGPT, GPT-3, OpenAI, NLMs, and NLP:  As the TikTok security threat, Elon Musk’s Twitter debacle, and ChatGPT all vied for the top spot as the final big story in the technology-obsessed zeitgeist for 2022, we focused on ChatGPT in the context of OODA Loop research and analysis over the course of the year on AI, machine learning, GPT-3, large language models (LLMs), neural language models (NLMs), and natural language processing (NLP).

OODA Loop – [Legal and Business Risk] + AI:  Partners and Counsel from the law firm WilmerHale consider [Legal and Business Risk] + AI: early learnings from the explosive popularity of generative AI, applied to develop guardrails that protect against its worst behavior and use cases before this technology pervades all facets of commerce.  To that end, businesses should be aware of the following top 10 risks and how to address them.

Reducing the Risk of the Exponential Growth of Automated Influence Operations:  Of the research outlets we have discovered since the launch of OODALoop.com, the Center for Security and Emerging Technology (CSET), OpenAI, and the Stanford Internet Observatory are best-in-class sources on topics of vital interest.  A new report – “Generative Language Models and Automated Influence Operations: Emerging Threats and Potential Mitigations” – is the result of a partnership between these three organizations “to explore how language models could be misused for influence operations in the future and provide a framework for assessing potential mitigation strategies.”

OODA Network Member Junaid Islam on Security Automation and Automated Continuous Threat Testing:  In a series of posts entitled Autonomous Everything, we are exploring automation in all its technological forms, including legacy working assumptions about the term itself.  Autonomy is not just for the future of the automobile and personal mobility but includes a broad autonomous future in areas such as Security Automation, Automation and the Workforce, Automation – or Augmentation – of the workforce, and Automation of AI/Machine Learning Training Models and Industry Standardization.  We checked in with Junaid Islam, a well-known cybersecurity expert, about security automation and what is known as “Automated Continuous Threat Testing”.

Quantum Science and Quantum Security

Lawrence Gasman on Assessing the Business Impact of Quantum Technologies:  Lawrence Gasman has researched and reported on quantum technologies from the beginning of the discipline of quantum computing. He is now the President of Inside Quantum Technology (IQT), which provides in-depth business intelligence for the quantum technology industry. IQT also runs several major quantum technology conferences as well as a quantum industry news service.  On this OODAcast we ask Lawrence to provide us with frameworks for understanding the state of quantum computing, quantum sensing, quantum security, and the business around each of these major fields.

OODA Loop – “The Greatest Cryptographic Migration in History”: The Quantum Cybersecurity Preparedness Act to be Signed into Law:  The Quantum Cybersecurity Preparedness Act passed the Senate last week (on Friday, December 16th) and is ready for the President’s signature.  The bill is an outgrowth of National Security Memorandum 8 (NSM8):  “Improving the Cybersecurity of National Security, Department of Defense and Intelligence Community Systems”.  NSM8 appeared to have been inspired by Project Warp Speed – specifically, the elimination of layers of reportage and bureaucracy when trying to innovate with unprecedented speed and scale.  With NSM8 and National Security Systems (NSS), the goal was not so much the acceleration of innovation, but the ability to “defend forward” at speed and scale – with a tight OODA Loop between the White House and the NSA.

NSA sets 2035 post-quantum cryptography deadline; Joint Advisories with CISA and FBI:  A compilation of developments over at the NSA which will impact current cyber security conditions and the future of national security.

The 3rd Annual Report of The National Quantum Initiative:  “The National Quantum Initiative (NQI) Act became Public Law 115-368 in December 2018 to accelerate American leadership in quantum information science and technology. This is the third Annual Report on the NQI Program, as required by the NQI Act.  The United States has invested in fundamental QIS R&D, with core efforts underway in over a dozen agencies. This report recognizes annual highlights of the entire Federal QIS R&D ecosystem.”

In 2022, the Federal Ecosystem for Accelerating (at Scale) Quantum Computational Power and Quantum Networks Emerged:  The U.S. Government’s (USG) strategic alignment on all things quantum security has been encouraging over the course of 2022, culminating with the passage of the Quantum Cybersecurity Preparedness Act in the Senate on Friday, December 16th.  The bill is an outgrowth of National Security Memorandum 8 (NSM8):  “Improving the Cybersecurity of National Security, Department of Defense and Intelligence Community Systems”.   With NSM8 strategic directives made into law, the goal is not so much the acceleration of innovation, but the ability to “defend forward” at speed and scale.  Dedicated new physical infrastructure and collaborative operational structures (designed as platforms and ecosystems to induce network effects) are also in place to support the computational power requirements, physical access, and enhanced security concerns unique to quantum innovation.  Our coverage of these efforts can be found below.

The Future of Space

Space and the Future of National Security and Cybersecurity:  The future of space is of keen strategic interest here at OODA Loop. The following is a compilation of our research, analysis, risk awareness, pattern recognition, and sensemaking efforts over the course of 2022 related to the future of space and its impact on cybersecurity and national security, and the future of American competitiveness.

The Future of Commercial Space:  The future of space (especially as it relates to commercialization, exponential technologies, national security, cybersecurity, and the future of American competitiveness) is of keen interest here at OODA Loop.  The following is a compilation of our research, analysis, risk awareness, pattern recognition, and sensemaking efforts related to the future of the commercial space industry over the course of 2022.

OODA has specific expertise in Board Cybersecurity including supporting the nexus between technical cybersecurity and corporate governance risk management and looks forward to supporting a wide range of companies by either placing a cybersecurity expert directly on the board or working as a consultant to the board to help guide their strategic initiatives and ensure they are exercising due care in managing cyber risks.

About the Author

Daniel Pereira

Daniel Pereira is research director at OODA. He is a foresight strategist, creative technologist, and an information communication technology (ICT) and digital media researcher with 20+ years of experience directing public/private partnerships and strategic innovation initiatives.