A lot of factors can lay claim to being a “key” to cybersecurity. Advocates of information sharing, technology, work force training, public awareness, leadership – all can rightfully declare their subject is a key. I would like to offer another: agility. I am not speaking of “agile development,” but of agility in the sense of thinking, process and execution. It is a mind-set and an attitude, but it is also a chosen and determined way to do business.
Presently, agility is the best friend of the Bad Guys. They do not have to follow rules or regulations. They are only governed by what works. The only tyranny under which they labor is “what is effective, what makes money, what achieves our goals.” This has allowed the various adversaries we face in the cyber realm to stay at least one step (many would say multiple steps) ahead of those defending our networks.
Every day, adversaries devise numerous new pieces of malware and new techniques to penetrate different cyber targets, be they software, hardware or systems. On the defensive side, we labor under a great disadvantage. Development of defensive means is slow and reactive; we have to follow strict rules for commercial deployment of products, and beyond the technical procedures, we have huge hurdles on the legal, policy and regulatory sides. In short, the good guys are anything BUT agile.
How can we improve the agility of the defenders? How can we become more proactive and less reactive? How can we, in our democratic system, vault the barriers that honest debate and differences sometimes erect? It will only be by doing those things that we will have a chance to pull even, and possibly get ahead of the bad guys. The answers are not clear, not easily determined, let alone achieved, and may in fact be beyond our reach altogether.
I believe we can develop and deploy technological solutions in a much more agile and flexible way. We may never be as totally flexible as the bad guys, because we will always have some rules to follow beyond pure effectiveness. It is simply the nature of our organized society, and the fact that we do not have a unified view of either the true nature of the threats or of the best possible method to address them, but we can make improvements.
The biggest impediment to true agility, however, lies in the social and political structure of the US and Western cultures. Even when one factors out fringe political positions, there are still wide gulfs between what different groups along the political spectrum consider acceptable. The debate (in Congress, within the Executive Branch, in the news, and between companies and trade groups) is nearly intractable. Particularly in the Public Sector, which is affected much more by the political debate, it is nearly impossible to move quickly and nimbly, which is exactly what is so badly needed.
The conclusion is unsurprising. We MUST strive for more agility on all levels. We must think agilely, we must plan agilely, and we must TRY to execute agilely. We can do the first two, and every effort needs to be expended in that effort. In the last category, I do not know if we’ll ever get there, but we should never stop trying to improve there either. If we simply capitulate and throw up our hands, the bad guys will continue to ride roughshod over our systems. Agility must be our goal on all levels.