Two teams take the field. On offense, huge adults who are professional athletes. An NFL team. On defense, eleven small, skinny children, barely standing above the belts of their opponents. Both sides square off as the play is set in motion and the NFL team executes its masterful offense. Very strong, athletic men use all of their force to run over and through the helpless children. The field is littered with the small, broken bodies of the defense as the offense easily takes control.
Imagining this scenario is painful and a bit twisted. Unfortunately this is the scenario that we currently face in the United States as we contemplate allegations of foreign interference in our election.
Warfighters and chess players are among those that understand that a battle cannot be won with a strong offense alone. Currently, the US offensive capability in cyber is one of the best in the world, but our defenses are sorely lacking due to a misunderstanding of what true cybersecurity is. We have been building cyber weapons but have essentially ignored cyber defense outside of the military. What many are now realizing is that the Internet and cybersecurity have direct analogues to the real world. Our defense must be as strong, if not stronger, than our offense. And our undefended private sector puts us at great risk. There has been a flood of intellectual property theftfrom our defense contractors and companies. The government has not had a coherent approach to protecting its systems, hence the NSA leaks and OPM breach. This has happened because organizations have made the mistake of assuming they could live in obscurity on a globally connected network of billions of devices. Looking back, it’s ludicrous. Having lived through it as a cybersecurity professional has been frustrating to say the least. But it’s clear that the ostrich approach is not just bad for business, it is also dangerous to our national security.
We currently cannot afford to wage a cyber war based on our lack of defensive preparation in the private and public sectors. The latest NIST cybersecurity report, however, outlines six major imperatives for ensuring a strong defense and therefore strong cyber future for our country:
To these six I would add:
Implementation will rely on the incoming administration as well as those at the helm of organizations large and small. We are all responsible for cybersecurity in this connected future and we need to defend ourselves properly, lest we find ourselves in the current situation: facing a limited response strategy in the face of attack.