Due to heavy-handed Mainland Chinese censorship and cover-up, #iTHiNKLabs, like others, missed the COVID-19 (Novel Coronavirus) threat when the original Guide (see above) was drafted, — in, arguably, “the worst intelligence failure” and greatest strategic surprise since Pearl Harbor and 9/11.
The U.S. Navy — currently the hardest-hit military service — will be temporarily weakened and distracted by aircraft carrier Coronavirus outbreak, which will spread to other armed forces and probably peak by summer, even as COVID-19 ill-equipped law enforcement officers also suffer casualties.All of this (click/tap above) underscore arguments — ignored by smug cybersecurity pros lacking (cyber) risk maturity — made in the strategic international perspective (Strategic Deception/Mitigation) series. A superpower's ability to survive strategic surprises, make necessary adjustments in the face of threats and thrive through strategic execution depends on highly competent leadership and priority management (not just time management) stewardship.
Needless to say, the Trump Administration's transfer to China of tons of quality protective medical gear while trivializing the COVID-19 threat, screams endemic lack of strategic foresight. One increasingly evident in various sectors in the West. Cybersecurity included.
In a wired and globally interdependent world, whatever is happening in other countries, including the high seas concerns you. Especially, if you're in the security profession. Especially, if you're a superpower. Certainly, if you hold any kind of leadership position. Indeed, you don't get to pass the buck even if you're primarily a business person — as you'll see further below (around #6) — nor should you, as a cybersecurity professional, lecture others about 'security hygiene' when your security tolerance/IQ is limited to: InfoSec or “computer security is about computer security.”
The Russians, post-Soviet states and Mainland Chinese know better. And indulgent or inefficient Western democracies and poorer nations that have hitherto tolerated dysfunction and/or corruption probably — sad to say — needed this pandemic to get serious, and, to whatever extent, catch up.Not Wearing Masks To Protect Against COVID-19 Is A ‘Big Mistake’ and the face-mask free bravado in the West in particular won't end well for thousands. The likelihood of a sizable number of Western leaders testing positive or even dying from infection due to their blasé attitude to the deadly virus is real. Hence, my publication below hours prior to this one, having survived over 3 months lockdown in China. Shun face mask-free press conferences and gatherings. Be smarter:It goes without saying: If you can't completely self-isolate for (60 to 90 days), wear protective gear and face masks. And by all means, study the above (click/tap) to learn how others have survived.
But the World Health Organization said...?
Precisely why images above and below are hyperlinked with life-saving, time-sensitive, well-sourced data, including personal, first-hand account (below) of how some of us survived China's own lockdown.The quasi-political WHO was purposely late to declare COVID-19 a pandemic even while the likes of Bill Gates were calling a spade a spade can afford to stand “by [their] recommendation to not wear masks if you are not sick or not caring for someone who is sick”. The poor and destitute can't afford to take a chance.
Indeed, as mentioned further below, even in China, the epidemic is far from over. And leaders and most of the public alike, are still visibly cautious, even afraid, when they venture out.
However, with the CCP’s propaganda machine now weakened by the outbreak, despite efforts to rewrite the narrative, and with the U.S. now the epicenter, Guide 2 is here to offer a final, albeit belated and frenetic assessment for serious planners:
COVID-19 Will Dominate & Expose Security (Under Performers) For The Rest of 2020Except for business continuity and disaster recovery/crisis response readiness, and other strategic investment, public health and market watch that requires up-to-the-minute update, the click-intensive resource above is enough for a robust and proactive coronavirus risk mitigation.
Sadly, the great equalizer here is that InfoSec snobs treated (my) COVID-19 (early warning tweets and blogs) as non-computer security related until they, their customers and cliques had to work from home. This reflects a lack of risk maturity, also a (Western) C-suite deficiency I've often warned against.
IT Security that didn't factor in remote work challenges early on when #iTHiNKLabs started covering the Coronavirus outbreak because they assumed it was non-tech, just another — eye roll — political issue, rather than a health security issue with far-reaching cybersecurity implications, effectively losing time just like political leaders who squandered critical time. From Wuhan, to Beijing, Washington, Rome, Madrid, etc.
Cybersecurity is not about the (late) conversation. It's about the proactive, holistic mitigation. Computer security is NOT just about tech. The Mainland Chinese get it. Smug Westerners just don't. There's a reason the Chinese say: “Talk doesn't cook rice.” The PRC doesn't have bisons. But having survived China's Coronavirus Lockdown, I'd say, foreign InfoSec needs a Bison mindset upgrade.Currently, millions of orders are being canceled in China and around the world. The Coronavirus pandemic will kill businesses, cost the world economy trillions of dollars,shift the global order, induce a global recession, already in progress — depression likely — and derail tech careers.
Nevertheless, the net positive is that simultaneously, the pandemic will advance VPN Security (consumer AND enterprise), Zero Trust and Cloud Security generally as Microsoft Teams and Azure suffer over-capacity issues. Improved WiFi Security and the freeing up enterprise IT/cybersecurity budget are also likely positive consequences.
Moreover, from a business survival standpoint, startups and small businesses are most at risk, although now is a good opportunity to stress test remote work feasibility across the board.China was already in hibernation when I first started working on this update/Guide from within the country.
Over 70 days later, it's still struggling to return to normalcy, with many businesses still either understaffed or closed. So, your Risk/Crisis Team should make accommodation for individual employees with weak immune systems. Those who frequently fall ill. Teleworking or not.
This is a risk management, supply chain/security, HR, business, public health security, global security, cyber security, strategic security, national security and executive issue. The first hyperlinked image (above) is business-focused. The more popular one directly above, personal health security. Ransomware Attack Tradecraft Graduates To: Your Data, More Than Your Money
Last year by now, InfoSec prognosticators were, as the industry tends to do yearly, way ahead of themselves with fantastical new threats and technologies. But focused on the low-hanging fruit that is ransomware, I watched its steady evolution. Which is why I warned: Don't Buy Any 'Don't Panic' Bluekeep Assurances. Ransomware Attacks Have Only Spiked. See item #5 here, and click/tap (image) above for in-depth #iTHiNKLabs ransomware (solutions) coverage.
Originally, I predicted: Whatever the variants — be they disguised as wiper viruses or not — ransomware will dominate cybercrime, state, national security, and, God forbid, election security in 2020. With COVID-19 changing the equation and BYOD out the window, focus on #1, file integrity, maintaining remote workforce data security and social media security fundamentals.Worst-case scenario, 2020 will prove to be the test run I suspect 2019 was. And what happens when you throw high-impact, high intensity ransomware at a divided superpower's general election?
A cauldron of anarchy.
You suddenly get a national security emergency that at least for anarchists and nihilists, must be fun to watch. After all wouldn't they love to show how ill-prepared America the great is. Ну, дава́й! Nu, daváj! Alright then. Or, come on! As Russians like to say in their language.High-impact Ransomware Attacks Among Chaos Ops (As New Election Interference Weapon)
As the new election interference weapon of choice complementing rather than supplanting social media disinformation campaigns, we will see ingenious albeit depraved attempts not just t disrupt but sabotage elections as well as other democratic institutions. And for sure, businesses will get the special treatment too.
That is what the many Ransomware incidents of 2019 including the ones that caused business, school, and medical facility closures, as well as ransomware-related hospital fatalities proved. Which is why if you haven't bolstered your recovery contingency plans, you have failed.With Donald Trump having survived Impeachment en route to Election 2020, expect 'Chaos Ops' from within and outside the U.S. likely leveraging Ransomware (as cover) to sow deep division in the U.S. electorate, with most targeting Joe Biden now that he's in the driver's seat.
Of course, we know what happened with the Trump Impeachment farce trial.
But more than 'clog the lines' operations that successfully and deliberately disrupted the disastrous Iowa caucuses, and its hotline for reporting results, the COVID-19 Election is here.#iTHiNKLabs Predicts: 90% Domestic 2020 Election Security Threat + Mail-In Voting
Once again, COVID-19 is here to change the equation by forcing political event cancellations, postponements, and — despite the risks of infection and fraud — majority voting by mail. Details below:In Putin's Game of Death II: Dezinformacija & 2020 Election Security, I address the challenges of simultaneously fighting fake news and COVID-19 in 2020.
Most Western so-called cybersecurity pros including CISOs can't enumerate the 7 tenets of fake news let alone connect the dots, if their lives depended on it. Nor are they interested. Indeed their media illiteracy is often as bad as the diehard Trump voter who shamelessly claims to get her news from the proven pathological liar, all of which plays into the hands of sophisticated cyber state actors like Russia.
As such — going back to #1 above — that too is an added Election Security and National Security risk, with many Western social media giants acting as vectors and "useful idiots" with an InfoSec industry that increasingly specializes in playing catch up while it waits for Booz Allen Hamilton, major news outlet, some social media “influencer” or even InfoSec buddy from the clique to do the thinking for them. And sadly, it's really all a smokescreen. Because an InfoSec pro who avoids politics, geopolitics, and the million nebulous 'cousins' of cyber security such as strategic deception or the role of human nature all in the name of let's “stick to” computer security, will never appreciate the blind spot between say, social engineering and strategic execution of the type that indirectly annexes and weakens a superpower like the United States.
For example, although the CCP dislikes Nancy Pelosi, Joe Biden is China's choice for President (not that I support the National Review). But as one of President Obama's own former strategists will tell you, Joe Biden has (exploitable) problems. A forward-thinking CISO or security expert would want to know WHY, plus its far-reaching cybersecurity implications, long before the 2020 Election.
Yet, with Coronavirus (cyber security) personal branding in vogue, everybody who ignored #iTHiNKLabs' early COVID-19 blogs and tweets is currently opining about remote work cybersecurity when in fact I started warning about COVID-19 while connecting the dots long before all current go-to hashtags and social media themes became popular. Just as my pre-2016 Election Obama-era Cyber Deterrence/Putin's Russian Threat alerts warnings fell on deaf ears.CISOs and InfoSec pros needn't be begged to take politics and geopolitics seriously — which is actually good security hygiene if you want to be as media literate as Ukrainians and Baltic States are — any more than U.S. or Western physicians, leaders and so-called 'experts' need to be reminded to wear face masks in a pandemic being taken more seriously in East Asia.
I happen to hold a BSc. in Political Science & History that I earned while working full-time in tech. I was also the same nobody studying boring Huawei-U.S. IP theft cases by the late 1990s to the point of the latter influencing my law postgrad decisions. Why? Because “security is a mindset, not a series of courses or a test you passed.” I was connecting the very dots that had Huawei 5G security and geopolitics in the news especially prior to COVID-19 by the early noughties. Yet dysfunctional HR is as much a problem as lazy thinking is, for giving us inept, smug, naïve corporate leadership —whether we're talking offshoring and COVID-19 shortages or tech giants being duped in China, say — and political leadership. Hence, bottom-line driven InfoSec pros who pass the geopolitics buck, are actually part of the cybersecurity and election security problems Americans can expect this year. Media literacy elevates risk maturity, bolstering decision-making effectiveness.
Yet as it is, content with an architecture of chaos whose henchmen, much like their boss (Trump), are known to flout basic security hygiene and national security best practices while blocking attempts (detailed above) to legally secure the 2020 Election, plus known agents of chaos such as Putin's Russia and other adversaries are ready to throw in a powder keg of both high impact and subtle attacks in a COVID-19 Election that is likely to see active Iranian, North Korean and Chinese interference. Not just Russian.
Nevertheless, while Wired believes “Covid-19 will mark the end of affluence politics...reveal our inability to make and distribute the things people need—just in time for a presidential election” I tend to side with George Carlin. “Never underestimate the power of stupid people in large groups” intent on keeping America great again. Because many of those 'stupid people' work in tech.
Will a $2 Coronavirus Trillion Stimulus Package with "strong bipartisan vote" secure or buy the 2020 Election? We'll see. And, for whom. But for cybersecurity pros, your job is to exclude your users from the next victims list. 2020 Will Be More Of The Same Or Worse For The Retail Industry
With VoIP app flaws (WhatsApp, in particular) and sophisticated surveillanceware often leading the way, with the Coronavirus outbreak, heads previously buried in the sand will now be forced to take note. Because as retailers close their doors, hackers are open for business.
#iTHiNKLabs tracked several reminders throughout 2019 of mobile apps and other device and firmware flaws rendering “the best” and “most secure” or expensive smartphones along with much vaunted E2EE messaging solutions useless and vulnerable to hackers. And that trend is likely to continue in 2020.
Yes, cash is king. Yes, I'm known to advocate cash only transactions as much as possible. Yes, cash IS a COVID-19 vector. But, precisely THAT is why tech-only solutions exposes users. After all (as above), I've already clocked over 70 days in Chinese COVID-19 lockdown. Which means, at some point, as part of my preparations, I stepped out to get self-isolation/social distancing supplies. With cash. Because I treat my data like cash.
Speaking of which, Chinese hackers have weaponized coronavirus data for new cyber attack(s). We know Cyber criminals are exploiting coronavirus disruptions. And #iTHiNKLabs has covered various COVID-19 themed malware lures and scams. So the question is: Will you knowingly encourage your users to be overly dependent on mobile apps? Will 2020 be the year consumers and so-called security “experts” in the States go the pragmatic European and European Union way and be more open to being minimalist in their electronic payment enthusiasm, in the interest of cyber security?Consumers love their smartphones and generally don't care about the latest WhatsApp flaw or a million other attack vectors putting their data, privacy, or personal security at risk. Nor are they fazed by some rich crypto-investor they don't know who lost millions.
Like the Retail industry and its constantly breached customer data, from the NSO Group to data privacy-Killing, Russian-made advanced mobile multi-use surveillanceware, consumers and in particular, North American so-called security experts alike have a choice. Like the Germans who are known to carry cash in their pockets or 'dumb phones', they can adopt data stinginess to protect their digital life, privacy and security. Or, they can go all-in with every new technology, oblivious of threats.
With COVID-19 still playing out, 2020 may end with, so-called cybersecurity “experts” lacking elevated strategic thinking and in-depth security expertise (i.e., true risk maturity) and typically too emotionally attached to mobile devices — just like some CxOs who lack true risk intelligence AND maturity — beginning to acknowledge the seriousness of mobile as an attack surface too large to continue to ignore, whatever its benefits to enterprise. And with that reality check as data breaches pile on, reconsidering more secure alternatives discussed (in links) above.Remote Workforce & Small Businesses Now Hackers' Prime Targets; Just Don't Count On CxOs
As above (click or tap image), CxOs may tell journalists “...at least 50% of their employees are now remote... [and] that cybersecurity risks have increased as a majority of their employees work from home.” Except we know from the 2019 Marsh/Microsoft Study in 2019 that in many cases, “busy board members and senior executives...responsible for their organization’s cyber risk management” actually spend less than one day on cyber risk.
In fact, securing the home business computer of a couple who were previously hacked and frequently receive spam texts and countless phishing and spook and fake site attacks in the States at the end of 2019, one can only imagine how smug CxO are about to add to the problem.
Despite previously being victims, the family invoicing and business computer remained password-less until I secured it. Basic security hygiene or Cyber Security 101 (freely available on the web), would have taught them that for starters, the Windows Admin account needed a strong password, with regular activities left to Standard User account. Instead, the husband, a smug executive addicted to bluetooth pairing and disinterested in being threat smart — despite frequent call-drops and all — with mobile security apathy and disdain for both Faraday bags and cyber security experts in general (called me “paranoid schizophrenic”) was already exposing his family to jaw-dropping data leaks and threats the wife could only privately complain to me about.So while hacked small business entrepreneurs, owners, or executives with bad cybersecurity sometimes learn and change bad habits if not fired or blown out of business, only leaders and entrepreneurs already actively seeking robust radical solutions many InfoSec pros overlook — typically at the personal/home office/remote work level, and — with a clear head, will dodge pending 2020 cyber attacks.
Coronavirus-related remote workforce cyber security tips abound and keep proliferating. But like the pathogen, hackers can choose to play the silent data exit game with low-hanging fruit. And neither the clueless user nor security team can do much about lost data. Put differently, good luck if you're one of those hoping to use this inopportune period to attempt to get cyber risk management right. COVID-19 Recruitment vs. Applicant Tracking System (ATS) Data Goldmine
With recruiters and organizations making a big deal about all hiring and interviewing being conducted online, hackers may soon turn their attention to another target-rich attack surface: Data-greedy ATSs I've been warning about for years (click/tap above).
Applicant Tracking Systems ARE a security risk. And except for CHROs, leaders and organizations that haven't been tone deaf, or most European employers who keep both application and data collection lean and often reduced to half a page, recruitment industry particularly in North America, may be in for some rude awakening if depraved hackers decide to exploit the new COVID-19 remote workforce reality to make things messy.
Even in China, the pandemic is far from over. Whatever your Disaster Recovery and Business Continuity Plan entails — and yes, I worked for DRP/BCP/BIA leader in the past — better think beyond the below.
Breakthrough Ideas for March 2020