I’ve realised that, over the last couple of years in cyber, the threats that get deeper, quicker and hide longer inside companies’ IT infrastructures are the ones we don’t know about. That doesn’t worry cybersecurity experts all that much, as the very fact of ‘knowing that you don’t know’ about a new virus or malware is actually half the battle. But what if you don’t know what you don’t know?
Tell someone that your work involves cybersecurity and it’s amazing how quickly they open up about their own experiences.
This is exactly what happened during a recent train journey where I got talking with the guy sitting opposite me. He wasn’t a technologist at all, but turned out to be a board-level management executive at a major international business.
We got chatting about some examples of the latest clever cyber threats I’d heard about, when he suddenly started telling me this story about the mysterious theft of $250,000 from his business.
One Friday the previous month, a colleague at his London headquarters was asked to authorise a transaction by one of the smaller offices in the Caribbean. His company bids for lots of major projects all over the world and it isn’t unusual to submit a bid bond as part of the tendering/RFP process.
A bid bond is a useful way for organisations to ensure that only serious bids are submitted for their projects, and any business tendering for work sees them as routine and low-risk.
Anyway, the sum required for this bid bond was $250,000, but the email requesting the money said it had to be lodged by 5:30pm Eastern Standard Time, before the office closed for the weekend and the tender deadline passed.
The amount was transferred at around 11:00am EST and the local office was notified. It was the last time the money was ever seen!
I explained that this sounded like a spear-phishing attack carried out by an intelligent and patient cybercriminal using a combination of inside knowledge and social engineering to deliver the right message to the right person at the right time.
Here’s what he said in response:
“Yes, we know that now. We know a lot more and are vigilant against this kind of trick happening again. Our problem is not having enough known knowns. We would like to know more about threats that we’re supposed to know about, as well as unknown threats we can never predict. We have few known unknowns – and even fewer unknown unknowns.”
This phrase about ‘known knowns’ was introduced by US Secretary of Defense Donald Rumsfeld during a 2002 Pentagon briefing about Iraqi weapons of mass destruction.
“…As we know, there are known knowns; there are things we know we know. We also know there are known unknowns; that is to say we know there are some things we do not know. But there are also unknown unknowns – the ones we don’t know we don’t know. And … it is the latter category that tend to be the difficult ones.”
At the time Donald Rumsfeld came in for a lot of criticism for his comments, because many people felt they didn’t make any sense and were an unnecessarily complex way of explaining the issues around security intelligence.
14 years on, and in the context of new cybersecurity threats that nobody could have predicted back then, the phrase makes perfect sense. Combating known threats is an essential part of a cybersecurity strategy. It goes alongside advanced capabilities to anticipate, capture and – ultimately – learn from unknown threats.
What struck me about the bid bond incident is how unlikely it is that the threat was also an ‘unknown unknown’ to other organisations. Certain kinds of emails from certain kinds of people asking for money for certain reasons flew around that organisation every day, so the threat went unnoticed. In another business, alarm bells would have started ringing straight away.
Everyone involved in cybersecurity must always keep in mind that customers have different weak spots and different processes, and they each manage risk in different ways.
There are exciting opportunities around those cybersecurity solutions that can take the fear factor out of unknown quantities and make them ‘known’. But there continue to be significant opportunities around those protection measures that apply the universe of known cyber threat knowledge to keep us safe every day.