Your Previous Experience Does Not Prepare You For The Cyber-War You Are In Right Now



When you as a cyber-professional think of planning for war, you probably have in mind some order of battle map such as the one above. It shows the front lines, terrain, forces in opposition, troop movements, etc. 

Your thought process is wrong.

And, when you as a cyber-professional think of war you probably think of engaging with the enemy and taking and holding territory, or bombing, or drones and missiles.

Well, that thought process is wrong too.

But you're in a war anyway. How is it going for you?

War is serious business and cyber-warfare is not like other wars, especially when you're almost always on defense at all times.

All of us have models, scripts, or even memories based on experience and education for endeavors such as wars. These models and scripts come from family lore, movies, books, military service, and so on. They are all valid as far as that goes. Problem is, you're in a cyber-war and you don't have a model or script, probably not even personal experience, to draw on for that.

We were in a conversation the other day where we were asked/told that, well, you see, past behavior predicts future behavior. And that is right, but only to the extent that future conditions are comparable to past conditions.

Going to college after high school? Similar. Moving from local directory file structure to cloud architecture? Comparable enough, plus or minus. Transitioning from system security to having your servers cyber-attacked hundreds of times an hour, leading to the loss of 12 petaflops of data? Sorry, you do not have a repository of experience for that.

Another thing that's different is that you're used to being attacked for ransom or for theft. This current war is about destroying your operations. And you're being attacked by state actors, not (exclusively) by gangs who might have state affiliations. Oh and they're attacking you too.

Your past cyber-defender behavior might not be what you need for current or future cyber warfare.

Instead, you must get serious about assessing your vulnerabilities before serious adversaries assess your vulnerabilities.

Here's what you can do about that.

First, as they say, when you're in a hole, stop digging. You are in a hole right now -- not of your making but a hole regardless. The hole is, you're relying on your outdated cybersecurity script to defend against sophisticated state actors.

Solution: are you able to identify any and all vulnerabilities both in your logistics chain and within your organization?

Second, you're expected to stay ahead of the trend. Being on the "leading, bleeding edge" means you're leading by bleeding. 

Solution: if you were an attacker, what would you say makes you a target and what are you (not) doing to make an attacker's life easier?

Third, you need friends -- peers, federal agency partners (law enforcement and intelligence and cyber), even academic institutions with computer science departments.

Solution: when was the last time you had a call with your peers? How about the local FBI field office in your nearest big city, because after all they have an office of public/private partnerships and you knew that and you can name that liaison...can't you? When was the last time you had a call about cyber-defense with universities that specialize in adversarial AI?

Fourth, you probably are not going to launch a 'red-team' attack externally but have you launched one internally to test your 'blue-team' capabilities?

Solution: well, have you?

Ask us how you can learn to adapt rather than repeat.

(image credit: Major John M. Rentz USMCR, Public domain, via Wikimedia Commons)
