The time has come to cast away the traditional defense-in-depth battlefield mindset that has over many years infected and metastasized across our US commercial and public policy-making information-security defense and counter-offense posture.
The corporate defense-in-depth security model is past its prime and usefulness. To be fair, this universally accepted system worked well as a formidable protective wall for many commercial and government organizations for many years. But, as with most things that remain static, cracks in this virtual wall have developed over time. System administrators (CIOs, CTOs and CSOs . . . and some corporate boards) know this. Many are disguising these holes as hard surfaces and hoping for the best . . . or at least going to bed each night praying that the other guy gets hit instead of their own organization. With the proliferation of ‘professional’ hackers, it was only a matter of time before the bad guys devised workarounds (in the form of phishing and other means) to break through and wreak mischief (at first) and increasingly havoc. Indeed, for some time now a loosely affiliated, albeit largely uncoordinated, multi-front insurgency has been waged against our porous US national and commercial electronic lines of defense.
Insurgency? Really? By their very nature, whether they realize it or not, cyber hackers are insurgents. The bad guys have signed on for the long quiet fight; slowly and meticulously, they are picking off their intended targets layer by cyber layer. Intent on upending commercial and/or governing structures, be it for profit or misguided higher principle or nation-state intrigue, they slip in undetected, often under cover of friendly forces (e.g. piggybacking on the access lines of trusted vendors), lay their ambush, exfiltrate unmarked and often without a shot fired . . . and then quietly sit back and wait for their chosen moment of exploitation. As history has shown, the only way to resist, fight, and in the end vanquish an insurgency is by engaging in a committed and coordinated counterinsurgency campaign.
Techno-security groupthink, clinging to outdated technologies and electronic counter-tactics, must be discarded. Bolting a new technology patch onto a legacy system is not the way forward. That system ceases being effective the moment the hacker(s) gain access to the inner perimeter . . . which we all now know they are doing with relative ease day in, day out.
To combat this quiet menace, cyber leaders must emerge to rally and win the hearts and minds of our fellow corporate and policy-making citizens. A new dynamic way of thinking about our cyber enemies – be they rogue, corporate or nation-state (sponsored) – must be embraced and pursued with newfound energy and resources, and a fundamentally new mindset. The weapons of choice in this campaign are intelligence, innovation, coordination, creativity, communication, patience . . . and leadership.
To be sure, cyber thought leaders are emerging out of the fog . . . cyber warriors such as Theresa Payton, founder and president of Fortalice Solutions; veteran CISO John Kirkwood of Albertsons-Safeway; cyber crime-fighter (see USSS’s Operation Firewall) and operational wizard George Rettas, chief of staff for Citi’s cyber unit; and Dr. Phyllis Schneck, who heads the cybersecurity division of DHS. These acknowledged and acclaimed leaders among their respective cyber communities are maneuvering asymmetrically against the bad guys. They are combating the old way of doing cybersecurity business and in its place prudently creating and enabling new lines and methods of resistance and counterattack. Others must follow their lead: people like cyber guru Manoj Srivastava, co-founder and CEO of Graphus, and cyber investor Bill Ryckman, managing principal of Three Kings Capital.
The stakes here are high. A catastrophic breach of a strategic infrastructure asset, one that causes prolonged disruption of essential resources to a large region of America, is not at all unimaginable. We as a nation cannot, must not, simply sit back and wait until after the calamity to (finally) be inspired to rally in unified fashion.
To be clear, this author is neither alarmist nor cynic. Indeed, my expectations are that . . .
The Cybersecurity Information Sharing Act (CISA) will ultimately be passed by Congress, despite that esteemed body’s recent dithering around this important piece of legislation.
We as a nation will increasingly look to Israel, long ground zero for cyber-terrorism and in turn the crucible of integrated cyber counter-offensive measures, as the benchmark for building a dynamic public-private cyber partnership. Establishing the National Council of ISACs was an important and meaningful first step. More can be done.
A stand-alone US Cyber Command will be established as a unified cyber warfighting command, similar in functional model – with all its streamlined dynamic capability – to US Special Operations Command (SOCOM).
Corporate boards in the aggregate will (soon!) come around to understanding that cybersecurity, for their purposes, is really just another form of risk management and cost mitigation, longstanding fiduciary practices of corporate boards. And in that context, boards will look to their CISOs as essentially ‘chief information risk officers’; demanding direct lines of communication on all matters of corporate electronic security; and when necessary enlisting cyber-advisors to gain an informed view and essential understanding of the important questions around information security, which they must continually be asking of their CEOs/CFOs/CIOs/CISOs.
Corporate CIO/CISO teams will increasingly unshackle from their legacy technology platforms to seek out and engage new forms of cyber defense and counter-offense technologies and techniques; and in doing so, will work hand-in-glove with cybersecurity product and service vendors on refining what works well and pushing to discard what doesn’t.
The essence of good counterinsurgency resides in a state of mind; so it is here . . . We must collectively embrace and unleash a coordinated, synergistic and committed counterinsurgent cyber-culture on a broad national front. A generation ago, a brave and brilliant few threw away the playbook on generally accepted business engineering practices and, under the impetus of great national urgency, designed and built heretofore unimaginable and radically effective new technologies in record-setting time. Taking a page from the ‘failure is not an option’ mission-oriented Skunkworks model . . . We can do this!
Stephen Spagnuolo leads the CyberSecurity Practice for ZRG Partners, a global executive search and leadership advisory firm. He brings over fifteen years of experience recruiting senior and next generation corporate leaders on behalf of a wide-ranging client base, from leading global investment banks to pre-funded emerging growth companies. A graduate of the US Naval Academy, he formerly deployed to multiple overseas contingencies as a Marine Corps infantry officer.