Two teams take the field. On offense, huge adults who are professional athletes. An NFL team. On defense, eleven small, skinny children, barely standing above the belts of their opponents. Both sides square off as the play is set in motion and the NFL team executes its masterful offense. Very strong, athletic men use all of their force to run over and through the helpless children. The field is littered with the small, broken bodies of the defense as the offense easily takes control.
Imagining this scenario is painful and a bit twisted. Unfortunately, this is the scenario that we currently face in the United States as we contemplate allegations of foreign interference in our election.
“Invincibility lies in the defense; the possibility of victory in the attack.” – Sun Tzu
Warfighters and chess players are among those who understand that a battle cannot be won with a strong offense alone. Currently, the US offensive capability in cyber is one of the best in the world, but our defenses are sorely lacking due to a misunderstanding of what true cybersecurity is. We have been building cyber weapons but have essentially ignored cyber defense outside of the military. What many are now realizing is that the Internet and cybersecurity have direct analogues to the real world. Our defense must be as strong as, if not stronger than, our offense. And our undefended private sector puts us at great risk. There has been a flood of intellectual property theft from our defense contractors and companies. The government has not had a coherent approach to protecting its systems, hence the NSA leaks and OPM breach. This has happened because organizations have made the mistake of assuming they could live in obscurity on a globally connected network of billions of devices. Looking back, it’s ludicrous. Having lived through it as a cybersecurity professional has been frustrating, to say the least. But it’s clear that the ostrich approach is not just bad for business; it is also dangerous to our national security.
The way forward
Given our lack of defensive preparation in the private and public sectors, we currently cannot afford to wage a cyber war. The latest NIST cybersecurity report, however, outlines six major imperatives for ensuring a strong defense and therefore a strong cyber future for our country:
- Protect, defend, and secure today’s information infrastructure and digital networks.
- Innovate and accelerate investment for the security and growth of digital networks and the digital economy.
- Prepare consumers to thrive in a digital age.
- Build cybersecurity workforce capabilities.
- Better equip government to function effectively and securely in the digital age.
- Ensure an open, fair, competitive, and secure global digital economy.
To these six I would add:
- Provide a standard and reasonable set of metrics which can be used to determine and drive the basic defensive posture for all organizations.
- Think outside the box when it comes to finding cybersecurity talent. Passion outweighs certifications or degrees.
- Provide incentives to small-to-medium-sized companies to improve their cyber defenses.
- Ensure companies of all sizes are held accountable for taking specific steps to secure their environment and data (i.e. SecurityScorecard).
Implementation will rely on the incoming administration as well as those at the helm of organizations large and small. We are all responsible for cybersecurity in this connected future and we need to defend ourselves properly, lest we find ourselves in the current situation: facing a limited response strategy in the face of attack.