Tag: Cyber Strategy

The goal is for ISIS not to know the difference between a cyber attack and just needing to reset their router. ISIS has been successful at recruiting supporters in large part because of its well-oiled social media machine, which cranks out PR-type content that encourages militants to attack non-believers. So what's the best way to throw a wrench in it? If you're an average citizen, you might participate in Troll ISIS Day on social media.

But if you're the U.S. military, you launch sophisticated cyber attacks that target the heart of the clandestine organization's networks. At a briefing this week, top military brass revealed that the U.S. Cyber Command is hard at work disrupting ISIS's communications networks.
It's an emerging war strategy in the Middle East, and it comes from a relatively new agency—Cyber Command was established in 2009. The goal, according to Secretary of Defense Ash Carter, is to overload ISIS's network so that it can't function effectively. "This is something that's new in this war," he said. "It's not something you would've seen back in the Gulf War, but it's an important new capability and it is an important use of our Cyber Command and the reason that Cyber Command was established in the first place." He was tight-lipped on the specifics of the cyber attacks, except to say that the military wants to "overload [ISIS's] network so that they can't function." But he explained that the cyber strategy essentially shadowed the military's conventional operations, which are designed to isolate various ISIS cells in Syria and Iraq to make it difficult for them to coordinate attacks. There is one key difference between conventional and cyber attacks, though: the element of surprise.

Chairman of the Joint Chiefs of Staff General Joseph Dunford, who was also at the briefing, said the most critical part of hacking ISIS networks is that the source of the attacks is untraceable. "Most importantly, we don't want the enemy to know when, where, and how we're conducting cyber operations," he said. "They're going to experience some friction that's associated with us and some friction that's just associated with the normal course of events in dealing in the information age. And frankly, we don't want them to know the difference."

Cyber attacks constitute a group-level risk that is managed as part of BP’s standard set of risk management processes, according to Bob Dudley, group chief executive of BP. “We recognise cyber threats as a major risk and the need to have a system to manage that risk and minimise the impact of attacks,” he told the Global Cyber Security Innovation Summit in London. Risk management forms part of the governance component of BP’s cyber defence strategy. “Uncertainty is a fact of life, but we can be organised in our approach to managing risks by having a clear set of risk management processes in place,” he said. One key process is aimed at identifying and prioritising each threat based on a risk assessment. However, Dudley said as a member of the highly-targeted energy sector, BP has a multitude of risks to manage and is constantly looking to innovations in cyber security to improve its defence capabilities. “It is important to have a policy that sets out executive accountability and responsibilities of each member of staff, but rules are not effective without real defence capability,” he said. BP regularly reviews its cyber risk policies as well as its cyber defence capabilities to achieve continual improvement. Dudley said BP is constantly targeted by attackers seeking commercial business plans, seeking to disrupt operations and seeking to commit large-scale fraud. “Thousands of pieces of malware try to get through our firewalls every day, and our employees are constantly targeted to steal their user credentials,” he said. In an effort to educate staff to enable them to become frontline defenders, BP conducts regular awareness campaigns around issues such as keeping passwords safe and using unknown USB sticks. “We produce regular videos to demonstrate the risks to staff,” said Dudley.
Phishing is also a significant threat, and BP conducts regular simulated phishing attempts with follow-up education sessions on identifying phishing for all those employees who click on risky links. “We see phone phishing as an equal threat, and in the face of thousands of fake emails and calls, employees need to learn to recognise them,” said Dudley. BP has introduced a “report phishing” button into its email application, which Dudley said indicates phishing awareness has risen from 75% to 86% across the group. Awareness campaigns are backed up with regular cyber attack drills to ensure every employee knows what to do in the event of a cyber attack. “Security controls are not enough – employees need to know they have a role to play and how they should respond to the worst-case scenarios,” said Dudley. But threats to business are often threats to government and vice-versa, he said, which is why BP works closely on cyber security issues with the governments in the UK and the US. “We welcome CERT-UK’s involvement of business and international partners, and welcome the opportunity of helping to shoulder the burden of cyber defence,” said Dudley. “Unlike physical attacks, government may not control key assets in cyber attacks, and we are willing to do our share,” he said. Dudley said energy sector firms could do more to help raise public awareness of cyber security issues, and that BP plans to expand its current public outreach programmes. Energy firms could also share practical advice on how to improve cyber security with governments as well as the general public, he said.

The International Information Systems Security Certification Consortium (ISC2) panel debated the merit of taking an offensive approach to IT security. When it comes to modern enterprise IT security, the best def...