Risk Insider: Jack Hampton

Cybersecurity Doomsday: Bring in the Seals

By: | January 25, 2016

John (Jack) Hampton was a Professor of Business at St. Peter’s University, a core faculty member at the International School of Management (Paris), and a Risk Insider at Risk and Insurance magazine where he was named a 2018 All Star. He was Executive Director of the Risk and Insurance Management Society (RIMS), dean of the schools of business at Seton Hall and Connecticut State universities, and provost of the College of Insurance and SUNY Maritime College in New York City.

A cyber security doomsday scenario is possible and would cause total destruction of most of the computer and communications systems on earth.

It would be the final day of judgment for IBM, Amazon, Google, Netflix, and others. It is as unimaginable as the destruction of the global financial system and collapse of AIG, Lehman Brothers, and Merrill Lynch.

Or is it?

We may not be able to avoid doomsday for the world. We can try to avoid a cyber disaster for our own organization. Let’s start by taking a quick detour into the world of cryptography.

Rivest Cipher 4 (RC4) is a widely used cryptographic protocol. This is what it does to encrypt data: For as many iterations as are needed, the algorithm modifies the state and outputs in a byte of the keystream.

In each iteration, it increments i, looks up the ith element of S, S[i], and adds that to j, exchanges the values of S[i] and S[j], and then uses the sum S[i] + S[j] (modulo 256) as an index to fetch a third element of S, (the keystream value K) which is bitwise exclusive OR’ed. Each element of S is swapped with another element at least once every 256 iterations.

Still with us?

Use state-of-the-art encryption even if we don’t understand it.

We could read more of this Wikipedia description but that would not be helpful. Most of us do not understand cryptography even as our organizations rely on encryption for securing our computer systems.

Experts can explain it to us and our senior management and the board. It sounds impressive but will it really work? Security experts do not calm our fears.

One of them said, “We can no longer count on keeping the hackers out. Let’s work on ensuring we can catch them once they break in.”

Catching the bad guys and fixing the damage changes the game, particularly since we know that a number of state cryptologic agencies possess the capability to break any cryptographic system.

The danger of attack is augmented with 10,000 or so hackers possessing ultra-sophisticated computer software skills. Vulnerability is now the “normal” cyber security world. All hope is not lost.

We can take steps to reduce the harm from these parties:

  • Use state-of-the-art encryption even if we don’t understand it.
  • Abandon obsolete and unsecure legacy systems.
  • Build business applications on relatively secure, private and trustworthy enterprise cloud computing platforms.
  • Monitor all data and systems 24 hours a day.

These security practices help us, but we must do more to prepare for a cyber security doomsday attack.

    • Backup our data off the grid.
  • Store it securely on guarded systems far away from our people, computers, networks and mobile devices.
  • Isolate highly sensitive data on the system and severely restrict access to it.
  • Create and train a Cyber Security Seal Team Six.

The last recommendation may seem extreme but a serious cyber failure cannot be ruled out. The possibility demands a reaction force. Not actual U.S. Navy personnel. Rather, a cyber special operations force to be activated when needed to avoid our own organization’s cyber doomsday scenario.

The team needs to be composed of the most skilled and capable people, trained to do the job and available to be activated on a moment’s notice. This is the strategy to respond to a cyber security attack.

Bring in the Seals.

More from Risk & Insurance