We need more than big walls and offensive capabilities to win in the cybersecurity contest. A good friend used the concept in this piece’s title – castles and cavalry – and I thought I’d borrow it to illustrate a point.
Many people (too many of them in decision-making positions) see cybersecurity as simply a matter of building a better castle. If we only have higher and thicker walls, maybe a dandy moat, we'll be safe. Perhaps, once the bad guys figure out how to circumvent those things, we can change the shape of the walls to make them more effective. Remember the innovative star-shaped forts that gave the good guys inside more effective fields of fire on the attackers? Yup, they eventually got around that too.
OK, let’s add cavalry to the good guy mix. Let’s send the elegant horsemen out of the gate to attack the enemy, preferably as far away from us as possible. This is a great idea, and for a while it is a game changer. Unfortunately, it doesn’t last. It helps but is still not enough. We need a better system to tell where to send them and when to do it. We also need reaction forces inside the walls.
You see, the bad guys are always going to get through, and the "inside" of our networks is actually a huge area. (You cannot think in terms of physical space here, folks; even a small network is an enormous area in the strange world of cyber.)
So, it does not matter much whether your cavalry is going after the other guy's capabilities preemptively, just in case he might attack, or reactively, because he has given some indication he is about to attack. (Yes, it matters a great deal from a legal and policy standpoint, but not from an operational one.) Either way, you still need the sensors and the decision-making protocols to get the right action at the right time.
Do we need different "colors" of cavalry? Do we need self-healing "walls"? How about "walls" that not only heal but learn from the attack, so they can never again be breached in the same manner? Now let's consider sensors that detect the attempted penetration, analyze it, and morph the "wall" before the attack lands so as to guarantee the bad guys fail.
These are some of the capabilities that we are working on. We are getting closer every day, but we might not have the time it will take to develop these innovations. As I said above, many decision makers still think we can simply buy a new firewall, add another required security class (which they will refuse to take, by the way), and we'll be fine. They think the only threat we face is still a couple of script kiddies and an occasional 39-year-old in his mother's basement. Those leaders will have to wake up and demand that their IT and security folks (who need to be one organization now, in my opinion) start innovating to protect the networks on which their organizations depend. It will cost money, but it will cost a heck of a lot less than it will when that serious breach occurs.
Oh, and friend, keep waiting to invest in real security (and training and leadership), and I can guarantee that breach will come.