Are institutions and businesses prepared for an attack by a potentially unknown and likely unseen enemy?
Well, if the trifecta of events that occurred on July 8, 2015 can be used as a guide, then the answer to that question may be an emphatic NO (NYSE, Wall Street Journal and United Airlines)!
And that NO is not only in the area of adequate system defenses, but also in the way that the crisis was handled in the eyes of the public.
Guest Post By Cedric Leighton, Chairman Cedric Leighton International Strategies
I am honored to be able to present the thoughts of Cedric Leighton whose background includes stints as Deputy Training Director, National Security Agency (NSA), Deputy Director, Warfighter Support & Integration and Air Force Senior Service Advisor, Joint Staff, Deputy Division Chief, Current Capabilities, Joint Staff and much more.
Cedric also appears as a guest on Fox Business News among others.
These are his thoughts in the area of Crisis Management in the Cyber-Age…
The almost simultaneous technical “glitches” affecting the NY Stock Exchange, United Airlines and The Wall Street Journal this past July 8 should serve as a wake-up call to business and government leaders that our IT infrastructure is far from resilient. Although the headlines have faded already, it’s worth noting that the day began with the crash of United’s website, with customers unable to access the airline’s app and ticket agents unable to print passengers’ tickets. Flights were grounded nationwide as the airline dealt with the problem. Then, it was the NY Stock Exchange’s turn. A “technical anomaly” made it impossible to process buy and sell orders, resulting in one of the most renowned stock exchanges in the world being shut down for three hours and 38 minutes. That was followed by the Wall Street Journal’s website being forced offline. The press tried valiantly to make sense of it all, but none of the organizations involved were able to provide the public with credible and reassuring answers. In an era of 24/7 news coverage that is a serious failing and casts a long shadow over crisis management efforts in the Cyber Age.
Today, the public is still no closer to receiving a credible explanation of what actually happened than we were when these events first happened. Although all the companies involved, as well as the White House and the Department of Homeland Security told us these events were not linked and did not “appear” to be a cyber attack, I, as well as many other cybersecurity professionals, have my doubts about the accuracy of those statements. While IT networks are notorious for crashing when you can least afford a service interruption, there are too many coincidences involved in each of these events for anyone to jump to the conclusion that nothing nefarious happened. There is also ample evidence in the recent past that cyber attacks have happened to each of these organizations.
Take the case of United Airlines. It was not the only airline to fall victim to an IT issue within the past month. On June 21, the Polish airline LOT reported that it had been hacked and, as a result, it could not send flight plans to its departing pilots. The attack resulted in the cancellation of ten flights, delayed 12 others and temporarily grounded approximately 1400 passengers. A month prior to the LOT incident, United Airlines itself experienced a similar issue with its flight plan dissemination system. Some reports indicate that these incidents may have been caused by a weak – or nonexistent – authentication system. That would mean that there’s an open invitation for hackers and saboteurs to provide false flight plans to unsuspecting pilots. The prospective damage such a hack could cause to the global civil aviation industry runs in the billions.
When a key national newspaper like The Wall Street Journal is silenced by its website going down, security professionals can’t help but think sinister thoughts. Between previous hacks to The Wall Street Journal itself and those that have affected The New York Times, it doesn’t take much to realize how vulnerable our news organizations are to deliberate hacks as well as to IT glitches. Then, there’s the crazy event back in April 2013 at the AP wire service, where the Syrian Electronic Army planted a false tweet purporting to come from the AP. That tweet said the President had been injured in an explosion at the White House. When traders first heard the story the S&P 500 lost 1% – wiping out about $136 Billion in stock market value before the situation was rectified.
So it’s no wonder that when the NYSE shut down its operations on July 8 there was a great deal of concern that a cyber attack was to blame for the outage. Although NYSE officials later said the outage was due to problems with a software release, that information did not flow to investors and traders quickly…and there’s reason to believe that that may not be the whole story.
As events unfolded at the NYSE, the exchange’s leadership apparently did convene its crisis management team. Unfortunately, that team seemed to be more focused on internal issues than on external ones. That type of response may have worked in the pre-cyber era, but it proved to be woefully inadequate to assuage the concerns of today’s investors. People like former SEC Chairman Harvey Pitt, former New York City Mayor Rudy Giuliani, and myself, just to name a few, were highly critical of the NYSE’s approach to crisis management. To all of us it seemed as if the NYSE leadership had not prepared for such an event. What makes this event even more disconcerting is the fact that such an outage – no matter what its cause is – was, and is, completely foreseeable.
In fact, it is the failure to foresee such events that can be at least as troubling as the inadequacy of our cyber infrastructure. Both are huge problems that need to be solved, but business leaders need to engage their staffs in what the military calls contingency planning exercises to fix their responses to such issues. These exercises allow organizations to practice their responses to everything from the worst imaginable disasters to the most likely events that could affect the business. It’s all about preparation, anticipation and prediction.
Lessons learned from these exercises can lead to revisions in organizational structures, as well as a better understanding of individual roles within those organizations. It is the organization that rigorously practices for foreseeable as well as one-off, “Black Swan”-style events that will come out on top. Judging by what happened earlier this month, most of us have a long way to go before we achieve that goal.
____________________________________
Article author Michael Haltman is the President of Hallmark Abstract Service in New York.
HAS is a provider of title insurance in New York State for residential and commercial real estate transactions.
Google+