You have likely read or heard by now that the Musée du Louvre was robbed Sunday morning in a few minutes. Online, someone wrote “check the British Museum.” – cheeky indeed.
Seriously, the wing was closed for construction, the perpetrators used a lift, cut around a window, broke two high-security glass cases, and stole jewellery previously worn by queens and empresses. Two of the items have been found: the now-damaged crown of Empress Eugénie, and a second that is yet to be identified but is likely damaged too.
The window was not reinforced. A previous security audit had advised reinforcing, updating, or changing a variety of security matters, but the work was not performed, yet the entertainment budget had been increased.

When we look at this, we see insider threat actor involvement. There is a group of people who knew construction was underway, a group of people who knew when the wing was closed, a group of people who knew the security patrol for the closed wing, a group of people who could organize a lift, a group of people who knew of the security issues and the window, a group of people who knew the type of security glass on the cases and its shatter capacity, a group of people who knew precisely what to take… put those circles and more together and you have a sliver of an overlap, a Venn diagram of circles of contacts and connections.
That being said, delaying security updates is fairly common in government and the private sector. Couple that with the majority of funding going to IT security or cyber (ITSEC, COMSEC), and you have an entire set of non-technical security domains forgotten or ignored (PHYSEC, OPSEC, and PERSEC). EMSEC is almost completely overshadowed by cyber.
It is much like the 40s, when, we read, advisors to the US were suggesting that future wars would be primarily in the air (nuclear + air-to-air) and that ground troops would have significantly less importance. After a decade of focussing on air superiority, with US strategy and policy shifting to “flexible response,” less attention went to the Army and more to the Air Force. A few years later, the Vietnam War begins, and the US is poorly prepared for a ground force invasion.
International law of armed conflict calls for proportionality, among many other things, so you can’t just go in with nuclear weapons.
What we are trying to say: don’t just focus on one security domain. You need to focus on all. That’s the premise of the Centre.
Now-retired General Hyten said it best: “there is no such thing as war in cyberspace, there is just war.”
In 2017 he went on to say, “we have to figure out how to defeat our adversaries, not to defeat the domains where they operate.”
Focus on threats and risks and defend all domains of security, not just the one that was breached last. Sure, cyber is sexy, it gets all the funding, and there’s some really scary stuff written out there about what others can do through it. But traditional methods of crime, espionage, and sabotage still prevail, and cyber is just a different medium to do that.
