NEW YORK -- During a crisis, collaboration may have to give way to command: one key takeaway from a cyber incident response "war gaming" simulation staged here today by Deloitte Cyber Risk Services.
Deloitte leads client organizations in war game exercises like these to "stress test" their incident response plans, and identify the strengths and weaknesses of their communications, protocols, and cyber disaster preparedness.
War Game Scenario
For the purposes of today's exercise, Deloitte cast six real corporate executives in the roles of a fictional incident response team: the CISO, CIO, CEO, CFO, COO, CMO, and General Counsel of YouLiving (YLV), a fictional publicly traded, global retail company planning further global expansion.
According to the simulation: an attacker obtained a 12-month purchase history for millions of US consumers, including names, addresses, and what they bought. This morning at 6 a.m., an unknown entity in another country created a searchable website with all of that data.
By noon, the site had gone viral and news reports were saying that a breach at YLV, and/or at its application developer Mobile Analytics Solutions (MAS), was to blame.
The execs were given a data breach scenario, and were periodically hit with new situations and information -- news reports, public statements by competitors, responses from the public via social media, messages from law enforcement investigators and forensics investigators, requests from the chairman of the board, etc.
The pace was quick. The information was insufficient and difficult to verify. At first it appeared the breach was at MAS. Then MAS flatly denied it in the media. Then it looked like a zero-day attack on a variety of companies. Then they discovered that YLV admin credentials were used to steal data from MAS systems.
Later, a report surfaced that the YLV computer systems may have contained data from a competing company, prompting the competitor to publicly insinuate corporate espionage.
Ultimately, a cyber terror group accepted responsibility for the attack, saying it was in protest of one of YLV's planned acquisitions.
Designate a Crisis Officer
In the war game simulation, the CEO ended up taking the role of de facto "crisis officer," directing the response decisions. While those involved in today's exercise agreed that someone has to fill that role, they did not necessarily think the CEO is the right one for the job.
At Deloitte, there is a full-time Crisis Officer designated to this exclusive purpose. Chuck Saia, Chief Risk, Reputation and Regulatory Officer -- who also played the CMO role in the war game simlulation -- said they call the Crisis Officer "the cicada," because he shows up once in a while, makes a lot of noise, and then disappears again.
This crisis officer, who reports into the risk office, is vested with all the authority necessary to "run the crisis," and thereby avoids much of the usual corporate politics.
Of course, not all companies can afford to have someone on staff for that exclusive purpose. In other situations, the appointed crisis leader may vary from company to company, or from incident to incident. But whoever they are, they have to be given the authority, and it has to be clear.
After the war game, Deloitte & Touche LLP director and retired Navy Captain John Gelinne explained the value of "clear, concise, unambiguous control" in military conflict situations; Gelinne retired from the Navy in June as Chief of Staff for Vice Adm. Mike Rogers, who is now director of the National Security Agency.
"How do you adjudicate friction?" said Gelinne, in an interview. "That was not a problem in the Navy. Everyone knows the plan."
He explained that the in the Navy, they create task forces -- usually the most senior official who is closest to the conflict is declared the "supported commander," with everyone else providing supporting roles. However, Gelinne also provides the example of when a Navy Marine Corps Intranet was breached in 2013, and Admiral Rogers was made "supported commander" of the incident, with four-star admirals who technically outranked him providing supporting roles.
A CEO may not be the right person to "run the crisis," so to speak, because they someone needs to run the business. The CEO might appoint someone to run the crisis, and make sure everyone follows their instructions -- even if those instructions are "stay out of it."
Mary Galligan, director of Deloitte & Touche LLP Cyber Risk Services, explained how the collaborative, innovative culture that's so productive in day-to-day operations is the instinct that organizations must fight against in a crisis.
"It's human nature for someone to want to get involved," says Galligan. She says that in most situations people will be "like 5-year-olds playing soccer" -- you might try to give them their own specific position to play, but they'll all just chase the ball anyway. The war game exercise, she says, "gives them an appreciation of why they have to be disciplined."
Without that discipline, there might be no business to return to once the crisis has passed.
Be Skeptical About The Information You're Receiving
During the simulation, the information and intelligence the team had to base their decisions upon changed constantly -- putting them always on the defensive.
If they had come out too strongly against their app provider, before learning that their own user credentials had been stolen, it certainly would have made them look bad. The CIO in the simulation expressed that the report that a competing company's data was found on YLV's system might have been a fabrication.
Throughout the simulation, questions arose: was the breach at a partner company or at theirs? Did the attacker come from them or just through them? Could it be a nation-state? A competitor? A disgruntled insider?
"[The private sector doesn't] have the exquisite intelligence," the military enjoys, says Gelinne. The benefit of that intel is "it allows you to minimize the fog of war."
Complicating matters, said Christopher Novak, managing principal of Verizon Global Investigative Reponse in a panel discussion after the war game, is that "a lot of times we find people within the organization will leak information," to the media or elsewhere. And that information is not always accurate.
"There needs to be more skepticism about the information you're getting," says Galligan.
Resist Finger Pointing In Any Direction
Overall, the people in this war game simulation were very careful to not point fingers -- not at one another or at anyone outside the organization. A real-life incident might not be quite as fair-minded and cordial.
However, there were some moments when the blame impulses kicked in.
The CISO's first impulse was to state that the breach was at the app developer. But the CEO noted that the relationship with the vendor was important -- not just the relationship with the customers -- and pointing the finger at them early in the process might not be the right move. He recommended they "rather approach it with them in partnership, as opposed to adversarial."
However, the CEO was less gracious later. When a competitor essentially accused them of corporate espionage, the CEO wanted to respond, saying "if he can allege it, why can't we deny it."
The other members of the team cautioned against a vocal denial, particularly because they couldn't be sure that the attack did not derive from within YLV. The CMO warned that denying responsibility, then later having to retract that denial, could cause even worse reputational damage. The CISO concurred, saying that it's impossible to provide attribution with 100 percent certainty, even in the best circumstances.
The CEO also cautioned the CIO and CISO against finger pointing, saying that their teams are particularly prone to it, and asking them to "please set the right example."
Novak says that, if it is a fair assessment, it could be because CIOs and CISOs are feeling defensive, worried about losing their jobs. He also says that cyber incident response has historically been a lot like a Ouija board -- everybody puts their hands on and just waits to see where it lands.
Those were the big takeaways, but there are a few other lessons from the war gaming experience:
You'll never have enough time. Galligan says that even top executives with lots of experience with managing emergencies aren't always equipped to handle cyber incidents. "It's not that they can't handle crisis," she says. "They've just never seen anything at this pace with such little information."
Bring in help. The CFO and CMO wanted to hire a crisis communications specialist. The CISO wanted to hire a forensics expert and invest in new network monitoring and behavioral analytics tools. The CEO said to ignore the usual procurement procedures to obtain whatever they needed in the crisis circumstance.
Don't forget about your employees. While the media, the regulators, and the customers are usually top of mind, many companies tend to forget about how they need to communicate about a security incident to their own employees. In the simulation, the chief operating officer was the one who brought it up first.
Don't just do this once. Staff come and go, plans change, practice makes perfect.