Cyber war and Russian view

Keir Giles’ wrote a good paper that you really should read on the Russian view of the information warfare/operations (cyber warfare) legality. This is a fairly neglected aspect of information warfare studies and is completely ignored by cyber warfare experts in the West, who consider the Western view to be the sole view. It is because they are largely WEIRD. The West is largely in introspection around diversity, where diversity now means that everyone has the same values, shares same culture and is working towards the same goals in the similar fashion.

Not everyone is WEIRD

If you are told that you are WEIRD don’t take it as an offence. It likely means that you belong to about 12% of the global population that is Western, Educated, Industrialised, Rich, and Democratic *. Good as it may sound, it also puts you in the disadvantage when dealing with people from different cultural backgrounds. Problem reliance on studies that were done solely with WEIRD participants is that it skews the results and, worst of all, assumes certain cultural background in the decision makers:

Cyber and the art of conversation

Spurred by Justine Aitel’s talk at SOURCE Boston where she supposedly (not being there is a bit hard to confirm that) said that IT risk and/or security industry need to use the term “cyber” in order to reach the business audience more effectively. "Who hates the word cyber? You're all wrong! ;) It's an opportunity to talk to the outside world." - @justineaitel #srcbos — Joshua Corman (@joshcorman) April 8, 2014 Yes, security has a problem communicating. No, it is not what you think it is.

Cyber espionage - the Chinese way

We reviewed the Chinese intelligence community structure, the way they collect data and, as a result of the first two, also tackled the monolith myth of China in order to explain why most things you hear about Chinese cyber activities do not make sense nor survive any closer analysis. Now it is time we have a look at Chinese cyber capabilities and their use. This is Part 4 of the four part series: Chinese intelligence structures The Chinese way of collecting data [China: the monolith myth]((http://playgod.

China: The monolith myth

Diversity that is China China is always seen by the West as a big, monolithic country. That nothing could be further from the truth does not shake that popular wisdom, which is typical of cultural biases and heuristics. After all, our brain is mostly wired to deal with small communities of similar people - it is nigh impossible to consider the country with the population size of China. This is Part 2 of the four part series: Chinese intelligence structures The Chinese way of collecting data This post Cyber espionage - the Chinese way China has

Urbicide, cybercide and living memory

Is revision of history, so thorough that it is impossible to prove it, possible? The short answer, of course, is yes. In the past such revisions would take generations and coercion. In the future, as the bigger and bigger part of our lives relies on digitally stored information such revisions could be done in stealth and take less than a year. Reality is that we rely on our digital extensions for long-term memory. We are constantly bombarded with new data and in order to cope with the data flood we need to use digital extension of our memory.

The Chinese way of collecting data

Just like the Russian intelligence services make a great deal of using traditional tradecraft and Western agencies prefer clear-cut approach which leaves no doubt in the asset’s mind who they are working for so the Chinese approach has a typical modus operandi… This is Part 2 of the four part series: Chinese intelligence structures This post China: The Monolith Myth Cyber espionage - the Chinese way The Chinese agents cultivate their assets for a long period of time, building friendly relations and discussing mutual benefits.

Cyber: what does it even mean?

Cyber is hot property nowadays. There’s not a “thought leader”, an organisation, a think tank, an industry body, government body, and the list goes on and on and on. There’s only one slight problem: no one agrees what ‘cyber’ actually means and what is and isn’t cyber. Every time I do risk related work I try to make sure everyone uses the same terms to mean the same thing, to reduce the risk of misunderstanding. It is such a simple and obvious step that most people forget about it.

Smart CISOs know when not to pay attention to the "wisdom of the crowds"

If Apple followed the ‘wisdom of the crowds’ in 2006-2007 they’d never made an iPhone. If smart CISOs paid too much attention to the article in the Information Risk Leadership Council’s latest article they’d be in as much trouble as they purportedly are right now. There is a lot wrong with CISOs that put all their hope and budget in prevention, but the word itself is definitely not the problem. Nor is the solution that CEB IRLC (Executive Board’s Information Risk Leadership Council) advocated - although they just followed the lead by NIST.

Cybersecurity frameworks - Zimmer frames for organisations

Jack Whitsitt’s great new #NISTCSF B-side looks much better than the NIST effort, but it also has, at least in my view, one glaring issue. It places risk management in the wrong section and thus it propagates the notion that risk management is a reactive function and delegated to tactical area of the organisation. What I like about the framework: it includes the business objectives as the driver and the framing of the work it puts external environment where it sits: atop most other things it shows that security, whilst important, isn’t the guiding force but just another sub-component it is simple yet powerful What I don’t like about the framework: