There have been numerous media reports in recent times about the cyber-attack capabilities of nation states hostile to Western political and business interests. That of course raises the debate about our cyber-defence capabilities and what they should be in this emerging threat landscape. In particular some commentators have raised the issue of the purpose and motive on the part of the attackers – what do they want to achieve? What are their goals?
The more insightful commentators have pointed out that in the Western world we seem to be stuck in a relatively immature state of mind, believing that it’s all about theft of information, fraudulent money transactions, denial of service associated with ransom demands and the like – all very tactical and short term. Yet it’s clear that there are many hostile operators with much more strategic goals. It has been suggested, and there seems to be much evidence (although not necessarily in the public domain) that there is intent to disrupt and indeed destabilise entire Western societies and nation states. The suggestion that there has been interference in the democratic electoral processes associated with the US presidency and the Brexit referendum are examples of such long-term hostile strategies. There have also been suggestions that disruption of world banking systems is a potential goal – undermining confidence in the economic capabilities of Western nations. Is this credible? The Attributer thinks that it is.
If there is immaturity of thought in Western society, it is because we are hooked on technical capabilities rather than the ‘business’ capabilities that technology delivers. Maybe it’s because we collectively invented the Internet and WWW technology that we are still looking proudly at those achievements instead of looking at what value-creation capabilities they enable, whether economic or political.
SABSA says differently, but the traction of this thinking is somewhat limited as yet. The SABSA Business Stack model makes it clear that technological capabilities are merely the means to achieve value-creation capabilities (see Figure 1). Every enterprise (on a scale from a personal level up to huge commercial or government enterprise level) has a set of value propositions that drive its efforts going forward. It has a value chain, whereby value is developed and increased for the benefit of the enterprise. The value chain is supported at the next layer of the stack by capabilities to create, protect and sustain value. The technical capabilities appear much lower down in the stack layers and should not be confused with those at the higher level.
Let’s take a simple analogous example to illustrate this concept. Some years ago, Bosch, the European power tool manufacturer, realised that marketing power drills as tools was not the best way to sell them. They were really selling the capability to make holes of various sizes in various materials. Smart thinking, but still not all the way there. The Attributer is the proud owner of a hi-tech combi-drill/driver power tool (as it happens from a different manufacturer). It has many features such as: cordless; two-speed drill setting, hammer setting, 17 different torque settings for driving, forward and reverse, keyless self-tightening chuck, two interchangeable batteries for continuous working… impressive eh?
The Attributer, being a married man, is keen to impress The Attributer’s Wife, by bringing added value into her life. Do you think that showing her the combi-drill does that? She might feign interest and smile indulgently, but what will really impress her are The Attributer’s capabilities to fix things in the house and garden. Does the technology alone do that? Of course not. It requires someone to plan what is needed to further the household enterprise strategy, to plan some projects, to design some solutions, to do the implementation work and to monitor the success and maintain the state of repair over the future. Does that remind you of the SABSA Lifecycle? (See Figure 2).
What this simple domestic example demonstrates is that technology alone is nowhere near enough to achieve value creation. What is needed is a complex combination of people, process and technology. The technology itself is important but not significant in creating valuable capabilities unless used by skilful, competent people following robust processes.
So it is the same with cyber technology, and it seems that maybe those who are the ‘settlers’ rather than the ‘pioneers’ of this technology are more likely to see the true potential capabilities that it enables. If we remain stuck with the purely technical view we run the risk of being incapable of analysing the way in which we may be attacked, because we are missing the analysis of what motivates our potential enemies, what their goals are and the strategies they are developing to further those goals.
SABSA thinking will help us to comprehend more fully the future of the digital world based on the Internet of Everything. We need always to think in terms of the value chains (both our own and those of our opponents) and the capabilities that enable them. We need to be fully capable at the highest level of enterprise extraction.