Simply Cyber (vol 46) – Business Continuity Planning: Adversity, Diversity, Opportunity
Life changes fast.
Life changes in the instant
The ordinary instant.
You sit down to dinner and life as you know it ends.
—Joan Didion, “The Year of Magical Thinking”[i]
Russia’s current invasion[ii] of Ukraine was threatened and predicted. Sabers and doorknobs have been rattling for years. The stacking up of military forces—the sabers—along Ukraine’s sovereign state boundary demonstrated Russia’s intentions to pursue the geopolitical objectives displayed in its March 2014 annexation of the Crimean Peninsula from Ukraine. Contingency plans for a conventional war scenario were made.
Crisis Scenarios
Military history can inform present scenario development and contingency planning directions. There is a certain economy of resources that are known: troop levels, armaments, resupply lines, exposed targets, and so forth. These resources are characterized by physical constraints. Developing scenarios in anticipation of probable cyberattacks—the digital doorknob rattling piece—is more challenging. Adversarial nations like Russia have been field testing their cyber weapons for years, for example: the 2007 attack against Estonia’s media and financial infrastructure, the 2015 attack against Ukraine’s power grid (and 2022 attack against its government agencies), and the 2020 SolarWinds attack against US government agencies and private corporations.[iii] Add to the list the suspected (but not officially confirmed) nation-state involvement in the 2021 cyberattacks against Colonial Pipeline, the December 2021 cyberattack on global logistics firm Hellmann,[iv] and the 20 February 2022 cyberattack against Seattle-based logistics and supply firm Expeditors.
Business Continuity Through Crisis Planning
On its website landing page, Expeditors’ banner today reads “Expeditors is currently managing a global systems downtime due to a targeted cyberattack.”[v] The company also repeatedly references its global business continuity plan, which has been activated. It is instructive that the company had gone through a business continuity/contingency planning exercise and was prepared for a multidimensional disruption to normal business operations that included communication to stakeholders and the general public.
Business Continuity Through Diversification (DoD)
DoD business continuity planning through diversification has intensified with respect to its supply chain and the need for greater diversity—and less consolidation among a few big players. As an example, the FTC has sued to challenge Lockheed Martin Corporation’s acquisition of Aerojet Rocketdyne.[vi] This aligns with advice contained in a DoD report released 15 February 2022[vii] that states:
DoD should take steps to ensure resilience in the supply chain for five priority sectors: casting and forgings, missiles and munitions, energy storage and batteries, strategic and critical materials, and microelectronics.
The report further acknowledges that the current procurement process at DoD does not necessarily favor small businesses. Resources like the US Air Force’s Blue Cyber program,[viii] which was initially geared to SBIR/STTR candidates, are invaluable. Process changes are also underway to address supplier qualification programs like CMMC and reduce associated financial and administrative burdens (as well as confusion surrounding what constitutes controlled unclassified information, CUI). Clearly, there is the desire to expand the DoD playbook by including more players.
Business Continuity: Opportunity
The NIST MEP business resiliency model shows cybersecurity as just one dimension that manufacturers should consider. Other dimensions include personnel security, product safety, and business continuity/disaster recovery planning. Manufacturer’s Edge—and the entire MEP network—are here to help with tools, techniques, and guidance. Opportunities for learning abound, but that learning does not have to be painful (or fatal).
Time is the school in which we learn.
—Joan Didion, “The Year of Magical Thinking”
[i] The trigger event for her reflection was her husband’s death at the dinner table of a massive cardiac event. They were married for 39 years and worked from home together 24/7 throughout that time with a few exceptions.
[ii] 23 February 2022.
[iii] https://www.npr.org/2020/12/15/946776718/u-s-scrambles-to-understand-major-computer-hack-but-says-little
[iv] https://www.zdnet.com/article/billion-dollar-logistics-giant-expeditors-struggling-to-recover-from-cyberattack/
[v] https://www.expeditors.com/
[vi] https://www.ftc.gov/news-events/press-releases/2022/01/ftc-sues-block-lockheed-martin-corporations-44-billion-vertical
[vii] https://www.defense.gov/News/News-Stories/Article/Article/2937898/dod-report-consolidation-of-defense-industrial-base-poses-risks-to-national-sec/
[viii] https://www.afsbirsttr.af.mil/About/Cybersecurity-and-the-Blue-Cyber-Education-Series/