Cybersecurity as chess match: A new approach for governments
The continued growth of cybersecurity threats means that government needs to adopt a more dynamic approach to security. Expert William Eggers explains.
Cyber threats are growing in volume, intensity, and sophistication, and they aren’t going away—ever. And recent failures call into question the effectiveness of the billions already sunk into cybersecurity.
How can government agencies reverse the growing gap between security investment and effectiveness? Traditionally, cybersecurity has focused on preventing intrusions, defending firewalls, monitoring ports, and the like. The evolving threat landscape, however, calls for a more dynamic approach.
Whether it’s an inside or external threat, organizations are finding that building firewalls is less effective than anticipating the nature of threats—studying malware in the wild, before it exploits a vulnerability.
The evolving nature of cyber threats calls for a collaborative, networked defense, which means sharing information about vulnerabilities, threats, and remedies among a community of governments, companies, and security vendors. Promoting this kind of exchange between the public and private sectors was a key aim of the US Cyber Security Act of 2012.
Australia has taken a significant lead in working across government and the private sector to shore up collective defenses. The Australian Cyber Security Centre (ACSC) plays many roles, raising awareness of cybersecurity, reporting on the nature and extent of cyber threats, encouraging reporting of incidents, analyzing and investigating specific threats, coordinating national security operations, and heading up the Australian government’s response to hacking incidents. At its core, it’s a hub for information exchange: Private companies, state and territorial governments, and international partners all share discoveries at the ACSC.
The Australian approach begins with good network hygiene: blocking unknown executable files, automatically installing software updates and security patches on all computers, and restricting administrative privileges.
The program then aims to assess adversaries, combining threat data from multiple entities to strengthen collective intelligence. The system uploads results of intrusion attempts to the cloud, giving analysts from multiple agencies a larger pool of attack data to scan for patterns.
Cybersecurity experts have long valued collective intelligence, perhaps first during the 2001 fight against the Li0n worm, which exploited a vulnerability in computer connections.[i] A few analysts noticed a spike in probes to port 53, which supports the Domain Name Service, the system for naming computers and network servers organized around domains. They warned international colleagues, who collaborated on a response. Soon, a system administrator in the Netherlands collected a sample of the worm, which allowed other experts to examine it in a protected testing environment, a “sandbox.” A global community of security practitioners then identified the worm’s mechanism and built a program to detect infections. Within 14 hours, they had publicized their findings widely enough to defend computers worldwide.
A third core security principle is to rethink network security. All too often, leaders think of it as a wall. But a Great Wall can be scaled—a Maginot Line can be avoided. Fixed obstacles are fixed targets, and that’s not optimal cyber defense. Think of cybersecurity like a chess match: Governments need to deploy their advantages and strengths against their opponents’ disadvantages and weaknesses.
Perpetual unpredictability is the best defense. Keep moving. Keep changing. No sitting; no stopping. Plant fake information. Deploy “honeypots” (decoy servers or systems). Move data around. If criminals get in, flood them with bad information
The goal is to modify the defenses so fast that hackers waste money and time probing systems that have already changed. Savvy cybersecurity pros understand this: The more you change the game, the more your opponents’ costs go up, and the more your costs go down. Maybe they’ll move on to an easier target.
“Most people want to build [a defense] and let it sit for two years,” says my Deloitte colleague Craig Astrich, but that doesn’t work: “This is a constant evolution.”
Agencies need to learn to love continuous change. As Astrich says, “I’m putting myself out of my job as fast as I can every day.” New problems will arise. There’ll always be work.
This challenge for governments resembles that facing military strategists as their primary roles shift from war against established nations to continual skirmishes against elusive, unpredictable non-state actors. Your government will inevitably lose some cybersecurity skirmishes, but that doesn’t mean it’s failed. It’s a given that not every encounter will end in victory.
The important test lies in how government officials anticipate and counter moves by an ever-shifting cast of criminal adversaries.
Digital governments will need speed, dexterity, and adaptability to succeed on this new battlefield.