A persistent view prevails amongst the IT sector leadership and information network monitors of enterprises responsible for providing related U.S. government and commercial services. This view is grounded in the principle of a “defense en masse.” Such a doctrine often requires a sizeable expenditure for building a “cyber army,” ostensibly for the defensive purposes of mitigating threats that arise via the innumerable avenues of approach malicious cyber actors can exercise to achieve objectives against targeted networks (*note: the offensive aspects of leveraging a cyber army will NOT be addressed in this missive).[i] [ii] [iii] It can be very difficult to argue against this popular view, potentially inviting a cacophony from stalwart officials and security professionals who must remain vigilant and informed when it comes to cybersecurity and the defense of the telecommunications infrastructure for the sake of the nation’s serenity.
However, an epiphany I had some time ago showed me another view of cybersecurity, one that would compel me, at least initially, to limit the furtherance of “building” any (defensive) cyber army for any enterprise to which I was a counselor. That epiphany was: information network operations are not where shortcomings tend to occur; they are where shortcomings are discovered! The observed lapses in security had actually occurred earlier in the chain of responsibility for the creation and maintenance of the victimized information networks. To provide anecdotal support for this argument, I will ask the reader to take a short (and hopefully fun) quiz: what do the following highly publicized computer network compromises (and many others) all have in common? (Hint: a ‘zero-day’ is an exploit for a vulnerability that is not yet known to defenders until it is used against a network):
- Equifax (2017)[iv]
- U.S. Securities and Exchange Commission (2016/2017)[v]
- U.S. Office of Personnel Management (OPM) (2014/2015)[vi]
- WannaCry Ransomware (2017)[vii]
- Heartbleed (2014)[viii]
The answer: not one of these events used a zero-day exploit. All of these compromises were the result of exploits already known to exist in publicly accessible network security circles long before each respective catastrophic event captured the public’s attention.
In my estimation, failures such as these undoubtedly occurred in the network planning, acquisitions and purchasing, component manufacturing and warehousing, or technology deployment stages of information network maintenance. Often, I have observed that personnel involved with these and associated aspects of network creation and upkeep are not provided with the intelligence they need to make the best decisions for the enterprise’s information integrity, but instead with just enough information to make the quickest decision germane to the particular step for which they are responsible. Consequently, purchasing decisions, for example, made with a focus on using the current fiscal year’s dollars before they are withdrawn (for NOT being spent) are likely to result in a relative increase in risk to information security. This is especially likely when the affected acquisitions officer did not know whether a preferred vendor sold components already known to others to have unmitigated vulnerabilities. Carrying this example forward, the negative effects are then potentially amplified when a technician deploys those components onto the enterprise’s network without configuring them for utmost security. It is only later that the negative outcomes of these compartmented oversights are abruptly discovered in totality. Outcomes from this mishandling of information network stewardship result in mistrust of the networks being used or, worse yet, an unfounded trust that all shortcomings have been addressed and therefore there is no reason to worry until proven otherwise.
Based on my aforementioned experiences, it is my belief that for an enterprise (whether military, governmental, or commercial) to “build” (read: BUY) a cyber army that can handle more than just the most egregious threats is patently impossible, given financial constraints in the face of all possible ways networks may be compromised. Does this mean I believe the concept of having a cyber army is flawed? Absolutely not! On the contrary, what I have been shown is that all enterprises already have their respective “armies.” Recognizing that these armies lie dormant within the confines of each enterprise’s cubicle farms is the key takeaway from this missive. The telecommunications planner, purchasing officer, logistics manager, warehouse manager, tech support, clerks, executive assistants, and personnel from partnered enterprises – to name a few stakeholders – can all be leveraged to carry out security vetting which, collectively, can limit the frequency and impact of information network compromises that always seem to be discovered at the worst times. In my view, the choice to “build” a cyber army for incident warning and resolution is likely indicative of prior choices made by enterprise management to exempt all relevant stakeholders from the responsibility of addressing shortcomings before they became impactful, operational issues.
It goes without saying that the leadership of affected enterprises must make proper resourcing decisions to ensure efficiency in operations, whether for purposes of effectiveness or profitability. Yet what is regretful – and often seen – is when valuable resources are expended on goods and services which, through good internal management and reallocation, could have been realized at much less cost and with less binding contractual obligations tied to the affected enterprise. What is MOST regretful is when expending those valuable resources does NOT result in any desired effect (i.e., mitigating compromises of enterprise networks) regardless of the amount spent, especially when a manager later finds that training personnel and arming them with the right knowledge could have done a much better job for relatively much less. Heed these words: for the sake of optimal resource management and cost/benefit-centered decision making, before trying to buy/build your cyber army, try providing the “gatekeepers” along key stages of information network upkeep in your enterprise with the right information and intelligence to awaken the army you already have!