While binge-watching Star Wars over the holidays, I could not help see similar tropes in my chosen field of cyber defence:
Stormtroopers, despite training their whole life for combat, really suck at it! They can't hit anything they aim at. It all falls apart in a real engagement. Conventionally cyber security training does not prepare folks to conduct active cyber defence operations against a sophisticated adversary within contested environment.
A great deal of time is spent monologuing, instead of acting in the movies. Endless meetings or hours in an office or spending budgets are a poor measurement of performance. We can’t talk, work or spend our way into better security posture or mission assurance. Organizations often suffer from red tape, processes and paralysis by analysis. Mission performance in cyber defence is to stop attacks. Period!
Rather than nuking the adversary from space, someone has the bright idea of fighting hand-to-hand on the ground. Detecting, reacting to a breach and trying to mitigate compromises inside your perimeter is to practice disaster continuity. A strategic defence would deploy upstream security and intelligence services to stop attacks at scale from ever reaching the organization. Ideally as far forward as possible.
Deaths stars and multi-trillion dollar weapons systems are all built with catastrophic single-points of failures, which can be destroyed by a few people and minimal resources. Cyber defences are often under-looked in high-value platforms and facilities. A hacker in their pyjamas operating out their parent’s basement should not be able to break into major corporation, nuclear power plant, research facility and warship, or take the government off-line.
Death Stars keep getting blown up in much the same way. Apparently the after action report was never read. Not only do organizations fail to patch known vulnerabilities, but they get compromised by the same actors in the same way over and over again. We can’t just recover from an incident and then set up as before. Defences have to be improved and we need to prosecute the actors. And read the after action reports instead of suppressing them.
Characters penetrated with a laser-blast or sword, can be easily fixed up by cleansing the wound with alcohol and applying a bandage. Bandages are applied after a breach, but often the compromise goes deep and metastasizes. The solution may require a specialist, surgery and organizational chemotherapy.
Speak in jargon so no one understands. But it sounds impressive. Cyber security practitioners need to speak a language that resonates with decision makers and employees alike. The fear, uncertainty and doubt pitch needs to be replaced with one where security is used to enhance performance and profitability.
There are always more bad guys than you anticipated. The same henchmen appear to be resurrected and return in the next scene. Defining the problem at teenage hackers is naïve. Competition and conflict in cyberspace is planet wide and practiced by a multifarious set of actors and mixed agendas. Just wait for Artificial Intelligence Agents.
Protagonists blindly follow anachronistic doctrine and code even when it is demonstrably ineffective. Doctrine, policy, standards and law are hopelessly outmatched by the speed of cyber and the ingenuity of the threat. Canon needs to be redefined by technology and tactics. Rather than forcing cyber defence solutions to be redesigned to match antiquated requirements, doctrine, standards or regulations. Any standards we do write, cannot be so technologically prescriptive that that are not future-proof.
Speaking truth to power never ends well, nor does being a messenger of bad news. Many times I have witnessed CSO/CISOs dismissed for providing accurate and timely security advice to the C-suite, only to have the organization suffer catastrophic losses after the fact. This culture need to change.
The insider threat can bypass well-designed static safeguards. Sometimes the simplest people and methods can cause immense harm to an enterprise. Look no further than Edward Snowden.
Blaster fire to the access mechanism for a secure door will always cause it to fail open. So many systems behave poorly and give access when an unexpected state is triggered (eg: Buffer overflow). We need to design software and systems that fail closed. Similarly, when I upgrade my software (browser, IOS or apps) I prefer if all my security and privacy settings are not reset to open by default.
Adversary drives innovation while we are driving machines designed in the 1970s. To many security solutions of built to comply with standards or align to standing offers or RFP requirements rather than stop a real adversary.
All the Empires’ advanced weapons are conceived of and built by industry. Even the clone army is manufactured. They also use mercenaries and bounty hunters to perform the hardest operations. The rebel alliance itself is a volunteer force. Cyber space is owned and operated by the private sector. Industry designs and builds the cyber technology. Having a sovereign cyber defence industrial base at your disposal is a powerful thing – not just as a vendor but an equitable partner in the contest to control and defence cyberspace.
Divisive politics of republic loses to singular purpose of the Empire. The government, industry, society and crime organizations of our adversaries collaborate with intent along one mission.
A small rebel force takes on the Empire Asymmetric nature of cyber space means that a dozen talented individuals with access to the cloud can generate nation-state capabilities overnight.
Imperial star cruisers and bases have insecure USB ports everywhere that any droid can port into and steal the most sensitive data or control vital systems. The Internet-of-Everything will drive hyper-connectivity and ubiquitous access to information, people and things.
In the end, most things in life can be solved with a light-sabre. An active defence is often more effective than a reactive one. Defending forward through threat hunting, adversarial pursuit, attribution, targeting, fire and effects contributes to successful threat reduction. Cyber power can be used to both protect and project. This is the way.