Daniel Lohrmann - Cyber Mayday and the Day After


Cyber Mayday and the Day After: summary, description and annotation


Successfully lead your company through the worst crises with this first-hand look at emergency leadership

Cyber security failures made for splashy headlines in recent years, giving us some of the most spectacular stories of the year. From the SolarWinds hack to the Colonial Pipeline ransomware event, these incidents highlighted the centrality of competent crisis leadership.

From former FBI agents to Chief Information Security Officers, these leaders led their companies and agencies through the worst of times and share their hands-on wisdom. In this book, you'll find out:

- What leaders wish they'd known before an emergency and how they've created a crisis game plan for future situations
- How executive-level media responses can maintain – or shatter – consumer and public trust in your firm
- How to use communication, coordination, teamwork, and partnerships with vendors and law enforcement to implement your crisis response

Cyber Mayday and the Day After is a must-read experience that offers managers, executives, and other current or aspiring leaders a first-hand look at how to lead others through rapidly evolving crises.

Cyber Mayday and the Day After: read the excerpt online


In a time where radicalization was little understood, particularly by young vulnerable people, Roshonara Choudhry, a final-year student at King's College, London, and from a good Bangladeshi family, brought two knives to Beckton Globe Library, where MP Stephen Timms was conducting his constituency clinic. Choudhry stabbed Timms twice in his abdomen.

“She missed his life organs by two millimeters. He nearly died.” John further explained that Timms was the most popular MP in the country at that time, and he represented a community with a large population of Muslim residents. Yet Choudhry targeted him because he voted for the Iraq war. Despite Timms's work in the community, Choudhry had been radicalized online.

John continued, “This case was initially dealt with by the local homicide squad. It took us over 24 hours to realize that this was in fact a terrorist attack, being that it clearly fit the long accepted definition – the unlawful use of violence and intimidation for political or ideological aims.

“It was actually the first successful terrorist attack in London since the July bombings in 2005. So at the time, the case was taken over by the counterterrorism command and Choudhry was convicted and sentenced to life imprisonment.

“But we stopped there. For two years, we didn't really do anything, and then suddenly the whole problem of people being radicalized began to play out in developed countries, particularly in the Western world. ISIS emerged and the online community became an effective vector to radicalize people.

“What happened in 2010 was a significant event. What we failed to do was to identify the broader implications – that Al Qaeda and, later, ISIS were using social media and other online means to target vulnerable people – and pose the question, could this happen again and what should we be doing about it now?

“One of the duties of leaders is to take any extraordinary or unusual events and reflect on the underlying issues, to consider what the themes are that need to be addressed. Is there something that we need to be doing here in the education environment? Is there something that we should consider about the public warnings?

“We didn't do any of that for a number of years and then we got way behind in terms of our ability to understand the motivations of these people and to understand the impact it was having, particularly on young people.

“And then you fast-forward seven years, you've got a 14-year-old child in the Northwest of England being convicted of terrorism for trying to radicalize young people in Australia to carry out an attack in Melbourne on Mother's Day.

“All those factors were there in 2010; Choudhry was the first manifestation, and with serious consequences, in the developed world. We didn't open our eyes to the broader issues back then. We just dealt with it as a very serious attempted murder, and put it back in the box. We did not sit back, reflect, debrief, and consider the implications more broadly. It's something we should have done at that time, and it was most regrettable that we did not.”

John's lessons are even more applicable in today's modern digital world. There is merit in studying the past and present incidents, considering the context of each, trying to gain a macro perspective and thinking about the bigger picture of what it could evolve into in the future.

When an event is looked at in isolation, it will always project a narrow view, which limits one's ability to preempt and prepare the best defensive response.

Likewise, a cyberattack cannot be examined in isolation. Effort and care should be taken in studying the source: Is it just a random phishing attack? Where is this coming from? Are there other breaches instigated by an insider threat? Is it a competitor trying to undermine your shareholder value? Or did you happen to fall prey as a pawn in the grand scheme of geopolitical affairs?

When we look at the advancement and sophistication of these cyberattacks over recent years, we need to retain a holistic view of what these changing implications might mean for the overall organizational and individual risk.

Military leaders point out that capabilities take a long time to develop, but intentions can change overnight. In other words, the cyberattack impacts and response will not only center on current technology solutions, but also on what scenarios could happen in the future.

LEARNING FROM OUR PAST TO LEAD OUR FUTURE

While there are numerous management actions competing for attention, one clear priority that cuts across the public and private sectors is ensuring the leadership skills and capabilities of your team – especially the CISO or equivalent leadership role. To achieve any measure of success at dealing with cyber incidents, a CISO with the required background, accountability, training, real-life experiences, relationships, and tools to do the job is a must.

One such CISO is Mark Weatherford, currently the chief strategy officer at the National Cybersecurity Center and CISO at AlertEnterprise. Mark served previously as the deputy undersecretary for cybersecurity in the U.S. Department of Homeland Security (DHS) and vice president and CSO for the North American Electric Reliability Corporation (NERC), in addition to other senior leadership roles in cybersecurity.

While Mark was the CISO for the State of California in the mid-2000s, he experienced what organizations should not be doing when hiring for this vital role.

Because Mark was the first CISO in the state, it was important to him to put a face to the name of cabinet secretaries and agency heads. As such, he made the rounds to visit each of them and also to tell them about the governor's vision of Mark's statewide role and what he hoped to accomplish across state government. Mark also offered his assistance in everything from procurement to policy development to technology infrastructure to staffing. His proactive outreach seemed to be well-received and generally met with enthusiastic support.

At the same time, Mark also met the security leaders and their teams at all of the agencies. During the mid-2000s, almost none had a formally appointed CISO, but most had someone they could point to and call their security leader.

One exception was a large agency with significant citizen privacy responsibilities. Chief privacy officers were even more rare than CISOs at the time, so privacy issues were typically part of the CISO's portfolio of responsibilities. When Mark met with the leadership of this particular agency, he encouraged them to fill the CISO/security leader role as soon as possible since they were accepting a significant amount of risk by failing to have a single point of contact to guide the security and privacy efforts of the agency.

Mark recounts what happened next:

“A few months after the conversation with this agency head, I received a call from someone who said they had just taken the CISO role at this agency and would be very interested in meeting with me to understand how they could quickly integrate into the statewide security leadership group. I remember thinking how odd it was that, even though I had no real authority within this agency and they were under no formal obligation to ask my opinion, they had hired a CISO without consulting with me about writing the job description or even being part of the interview process. Red flag number one.

“When I met the new CISO for the first time I was impressed by their attitude and enthusiasm to pitch in and help me, as we were educating the legislature, crafting statewide security policies, and realigning statewide procurement of security products and services. Once again, however, I remember having a strange feeling that this person didn't seem to really have the kind of experience you would expect for someone taking over the security and privacy responsibilities of a fairly large organization. Red flag number two.
