Gentry Lane is the CEO and founder of ANOVA Intelligence, a national security software company, consultant and cyber power strategy expert.
The term “cyber warfare” instantly conjures the clicking of keyboards in a windowless room of military hackers, all eyes glued to giant screens to see whether the precision, high-risk cyber attack evades detection and reaches its remote target. But that’s just the problem. This is not what cyber warfare looks like. This image persists not because it is accurate, but because it is provocative and easy to understand, triggers an emotionally charged reaction, and seems credible because the tense war room trope is already so familiar.
This mismatch between reality and expectations creates a serious problem: If this is what we expect cyber warfare to be like, how will we recognize it when it is actually here?
Contrary to popular belief, cyber warfare will not begin with the proverbial Cyber Pearl Harbor. Not because it can’t, but because all militaries understand that kinetic effects are easier, more precise, and generally have a greater damaging impact than cyberattacks. For example, a high-altitude electromagnetic pulse would damage every electronic component, from networks and cell towers to toasters and everything else within a radius of more than 400 miles. Achieving the same result with cyber effects would be impossibly complicated to synchronize and unattainable on the same scale.
So what will cyber warfare look like?
Cyber warfare will not plunge the entire country into darkness. But I believe it will feel like every aspect of life as we know it is gradually deteriorating, and then suddenly stagnating as access to essential goods and services declines. At its most extreme, it will throw the economy and social order into chaos, forcing the entire country into a survival mode for which no one is prepared. Or, less extreme, the conveniences of Western life will be frustratingly unstable.
We’ve seen cyberattacks that have caused panic buying, closures of K-12 schools, and shutdowns of airport websites. The effects are temporary but extremely inconvenient. Cyber warfare will be similar to these types of events, happening more frequently in more places.
Worse still, service irregularities will likely be misattributed to corporate incompetence or greed because incremental, unrelated disruptions are not what cyber warfare “should” look like. It’s an understandably large cognitive leap from “Why doesn’t my phone ever get good reception anymore?” to “My phone reception is terrible because persistent state-sponsored cyber aggression is destroying critical infrastructure.”
Adjust and move on
Companies with contingency plans for a catastrophic cyber event are preparing for the wrong kind of battle. To avoid being the one with the knife in a gunfight, here are some ways to align your company’s cyber posture with the actual threat at hand.
1. Make friends with the FBI. The most important thing to do right away is to contact your local FBI office, ask the receptionist to connect you to the cyber expert, and set up a meeting to start building a relationship now. You want this connection to be established before a crisis happens. The FBI has the expertise and resources to help with remediation, loss recovery, and resilience. When it comes to cyber warfare, the G-men are your best friends.
2. Know your ABCs. If your company is a telecommunications service provider, infrastructure operator or critical infrastructure entity, DHS, CISA and JCDC shouldn’t just be a random string of acronyms. The Department of Homeland Security (DHS), the Cybersecurity and Infrastructure Security Agency (CISA), and the Joint Cyber Defense Collaborative (JCDC) are essential resources for cyber risk information, planning, defense, and response.
3. Measure the frequency. When performing security assessments, add frequency as a metric to assess your cyber posture. Recording and understanding the frequency of cybersecurity events is as important as quantifying the severity. Incremental death-by-a-thousand-paper-cuts tactics are hard to notice, and that’s exactly what makes them so effective and detrimental to your business.
4. Understand your value. Know your value as a target and understand where you fit in critical supply chains. Even if your company is just a small supplier, proximity to critical infrastructure can increase your value as a target. Throwing sand into the gears of a well-oiled machine can be as harmful as blowing it up. For example, pharmaceutical manufacturers are clearly a high-value target. This means that companies that provide pharmaceutical packaging, refrigeration, storage spaces and shipping logistics software are also high-value targets, as it is impossible to ship essential medicines without boxes and bottles, storage, refrigerated trucks and the software to track it all. Security events that disrupt business continuity at more discrete points in a critical supply chain are less likely to be investigated or attributed.
5. Make sure you have a plan B and C. Add or adjust contingency plans for small and persistent business disruptions. All good companies have disaster plans, but few are prepared for second-order inconveniences caused by repeated, temporary, or relatively minor security events.
6. Prepare for a public relations crisis. When critical services fail, it incites outrage and distrust in the systems that are meant to serve us. The fruits of American prosperity – abundant energy, internet, water and phone service – are so reliable that when they don’t work, it can feel personal to your customers. Budget for compensatory measures to maintain the faith and loyalty of your customer base when the going gets tough.
Cyber warfare is not an abstract threat that emerges in the distant future; it is an unfortunate certainty. It’s here today, but by taking these first steps, you can be better prepared than your competitors to face the real battle.
The Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives.