Is the novel coronavirus a cyber problem?
Since 2000 the nation has experienced four significant virus outbreaks (Severe Acute Respiratory Syndrome, H1N1 influenza, Ebola, and now the novel coronavirus). With this latest iteration, social distancing has dispersed the workforce and exposed all our teammates to the potential of sickness. With human populations spreading into previously uninhabited areas and ever-expanding transportation links, the spread of virulent sicknesses is likely to increase in the years to come. So, what does this have to do with cybersecurity?
Well, the three central pillars of cybersecurity and resilience are maintaining the confidentiality, integrity, and availability of key systems and data. While threat actors often keep us focused on confidentiality, availability can receive short shrift. This is because headlines and threat intelligence can keep us focused on protecting sensitive information, such as controlled unclassified information, from prying eyes. However, if systems and data are not available, especially to a dispersed workforce, the organization can lack the ability to achieve its mission for an unacceptable period of time.
Recently, Lunarline built a simple simulation (called a Monte Carlo simulation) using the seven days of data ending March 21, 2020 for the District of Columbia. Now let us say you are an organization of 500 IT professionals working in DC. At the assessed rate of increase of confirmed DC coronavirus cases, your organization could be certain to have at least one to two confirmed cases of coronavirus among your IT professionals by early August, perhaps as early as the end of April.
This number sounds small. However, in many IT organizations, individuals specialize and may be the single holder of key knowledge or access to support a critical system. For your IT-service organization, this means that one or two people may become unable to work for one to two weeks, perhaps taking that key knowledge and those skills with them. If the one person who knows how to manage a critical system or approve an action is unavailable, then your organization will be unable to respond to contingencies with that system. How will your chief information officer explain that out of 500 IT professionals, the IT organization was unable to answer the front office’s need for another one to two weeks?
A best practice for cybersecurity professionals is to maintain a risk register to track, assess, and manage mitigations of IT risks to the organization. According to NIST SP 800-39, Managing Information Security Risk, “Risk assessment identifies, prioritizes, and estimates risk to organizational operations (i.e., mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation, resulting from the operation and use of information systems.” A risk register ensures the organization maintains visibility of the existing and residual risks facing the organization. The availability of key personnel is one of those risks.
To assess that risk, start by creating an inventory of critical functions that must take place and cannot wait for a person to return to work from a prolonged absence. We are not assessing people at this point, but rather the asset that must be managed or the service that must be performed. Next, prioritize these functions according to the impact to the organization if not performed. While doing this, consider other functions that rely on that asset or service. A single unavailable capability could cascade throughout the rest of the IT organization’s services.
Next, identify personnel who must be available to manage the asset or perform the service. Assume the worst. For instance, what if two people can perform the function, but one is sick and the other is on vacation? The Army uses the acronym PACE (primary, alternate, contingency, emergency) to ensure support is available, even if degraded, to perform a function. If someone is identified to back up a capability, make sure he or she knows it and the expectations the organization will have for him or her.
Also, look for personnel who, if they are not available, make an excessive number of functions exceedingly difficult or even impossible. Each organization has that workhorse who is the strong, ever-dependable performer and to whom a lot of tasks stick. At this point, do not rule out assigning people to a capability who are not yet able to perform the function but may be quickly cross-trained to do so.
Now, look for current shortcomings. Often, if one person has primarily performed the function for a long time, institutional knowledge can be overly concentrated in that person. That person performs the function by instinct, so cross-training may have been neglected, or documentation like job books may be out of date or non-existent.
Where there are shortcomings, there are risks. Document them on the register. Identify mitigations for those risks in the form of cross training, documentation, and perhaps even outside training through sources like vendor sites or providers like Lunarline’s School of Cybersecurity (shameless plug). Much of our training and even that of some of our competitors is available online.
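The assessment steps above (inventory, dependencies, PACE roster, worst-case absences, register entries) can be run over an inventory in code. This is an added example, not from the original article or from Lunarline; the inventory, the names, the 1-5 impact scale and the sum-of-impacts score are all assumptions.

```python
from collections import Counter
from itertools import combinations

# Constructed sample inventory; every name is hypothetical. "impact" is 1-5,
# "needs" lists functions this one relies on (assumed acyclic), and "pace" is
# the roster in primary, alternate, contingency, emergency order.
FUNCTIONS = {
    "directory-services": {"impact": 5, "needs": [], "pace": ["avery", "blake"]},
    "vpn-gateway": {"impact": 4, "needs": ["directory-services"], "pace": ["avery"]},
    "backup-restore": {"impact": 3, "needs": [], "pace": ["casey", "drew", "avery"]},
    "change-approval": {"impact": 2, "needs": [], "pace": ["blake", "casey"]},
}

def covered(name, absent, functions):
    """True if someone on the roster is present and every dependency is covered."""
    fn = functions[name]
    staffed = any(person not in absent for person in fn["pace"])
    return staffed and all(covered(dep, absent, functions) for dep in fn["needs"])

def lost_functions(absent, functions):
    """Functions that cannot be performed, including cascades, given who is out."""
    return {name for name in functions if not covered(name, absent, functions)}

def roster_load(functions):
    """How many rosters each person appears on; the top entry is the 'workhorse'."""
    return Counter(p for fn in functions.values() for p in fn["pace"]).most_common()

def risk_register(functions, max_absent=2):
    """Assume the worst: test every combination of up to max_absent people out."""
    people = sorted({p for fn in functions.values() for p in fn["pace"]})
    lost_by, rows = {}, []
    for k in range(1, max_absent + 1):
        for absent in combinations(people, k):
            lost = lost_by[absent] = lost_functions(set(absent), functions)
            # Skip combinations that lose nothing beyond a smaller absence.
            smaller = set().union(*(lost_by[s] for s in combinations(absent, k - 1) if s))
            if lost - smaller:
                score = sum(functions[name]["impact"] for name in lost)
                rows.append({"absent": absent, "lost": sorted(lost), "score": score})
    return sorted(rows, key=lambda row: -row["score"])

if __name__ == "__main__":
    for row in risk_register(FUNCTIONS):
        print(row["score"], "+".join(row["absent"]), "->", ", ".join(row["lost"]))
    print("roster load:", roster_load(FUNCTIONS))
```

Each row is a candidate register entry; the mitigation is to add a cross-trained alternate to the rosters named in `lost` and re-run until the high-score rows disappear.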
Now let us say that your IT organization supports a larger DC-based organization of 10,000 people. By the results of our simulation, your overall organization will likely have between 21 and 34 confirmed coronavirus cases by the end of August, and perhaps others who become ill without being confirmed cases. While this number seems low, what if it included key individuals your IT organization depended on like contracting, budgeting, or HR? What will you do if the one person who knows how to execute the contract action your IT organization needs right now is unavailable to work for one to two weeks? Project schedules could slip, resulting in unnecessary costs and a loss of, you guessed it, availability.
In the same way you identified the functions, incumbents, and risks for internal resources, you should also identify the external providers on whom your IT organization depends. Because, as a cybersecurity professional, you deal in risk as a core of your profession, you may be the first person in your organization to have thought about a threat actor like the novel coronavirus as a risk source for your IT functions. For a few extra steps, you could save your organization from unforeseen availability risks and enable everyone to sleep better while we all wait out the viral storm.
Looking at the risk profile of your IT functions from all three components of the CIA triad (confidentiality, integrity, and availability) can ensure your organization will continue to receive the IT services on which it depends. There is nothing ghoulish or pessimistic about looking risk in the eye and being prepared.
We at Lunarline stand ready to help your agency in building a sustainable and effective cybersecurity program that meets your agency’s needs and available resources. To learn more about us, visit us online or contact one of our experts today.