To win the cyber arms race, give hackers fewer incentives

Where the rubber meets the road in the battle with hackers is in raising the aggravation levels for the enemy while also lowering incentives.

Cybersecurity has transformed into a cyber arms race – and the government needs your help.

What’s complicating matters is the growing parity between cyber adversaries and defenders. Hackers have become as smart as defenders, and bots are looking more and more human – they “behave” like humans, have browser histories, live on residential machines and seem to have real identities.

Most dangerously, hackers have become highly incentivized to win, whether that means selling stolen information or simply basking in the notoriety that comes from a successful attack.

These days, senior government leaders are grudgingly but openly admitting that the name of the game is mitigation and not prevention. It’s not a matter of whether a security breach will happen – it most certainly will. The only question is how severe the aftermath will be.

How can the government tilt the arms race in its favor? Certainly, arrests and indictments can go a long way, but where the rubber meets the road is in raising the aggravation levels for the enemy while also lowering incentives.

That’s where industry plays a role.

The winning strategy: Close the OODA loop

Winning the cyber arms race depends on closing the distance between threat detection and response. The military refers to that as an “OODA” loop (Observation, Orientation, Decision and Action). As applied to cybersecurity, it simply means that the one who moves fastest through the OODA loop wins.

In the cyber defense world, government agencies need networks and systems that challenge cyber attackers and deny them real-time success feedback. That means changing the attack surface in less time than it takes for adversaries to observe whether each step they take to penetrate a network has been effective.

By being agile enough to move to Round 2 before the hackers can tell whether they won Round 1, agencies can prevent adversaries from benefiting from their actions without interrupting those actions. Among other tactics, that requires ensuring that detection capabilities include a “silent alarm,” so that hackers are not alerted that their unauthorized actions have been identified.

When adversaries are denied any immediate feedback on the success or failure of their attempts, agencies add uncertainty and complexity to the attacker’s efforts. It’s like adding harder locks to thwart a lockpicker; it immediately changes their risk/reward calculation. Playing this game disincentivizes the enemy. Not only is it unrewarding, it lowers their likely financial benefit.

You’ll find a receptive audience in government if you can find ways to frustrate the enemy by closing the gap between detection and response. These days, cybersecurity is not a partisan issue. Politicians stand to gain political capital by demonstrating that they are taking tangible actions to combat cyber threats. And congressional committees are fighting to own pieces of the cyber pie.

Current and future cyber issues

As far as the cyber pie is concerned, there are a number of cybersecurity priorities across government, including:

  • Election security: The federal government (the Department of Homeland Security in particular) and the states have significant roles to play in ensuring fair elections free from outside interference. Vendors that can disincentivize bad actors here will be in high demand.
  • Supply chain security: Each agency faces its own unique supply chain challenges, largely shaped by its respective mission. It is important, therefore, for vendors to maintain ongoing conversations and relationships with agency program managers. This ensures that their service offerings properly address the individual mission requirements of their current or prospective clients.
  • Internet of Things (IoT) security: Agencies are increasingly recognizing the rapidly expanding attack surface created by IoT. Cyber threats against industrial control systems are on the rise. IoT security encompasses all of the interconnected downstream effects and, just as with supply chain security, is agency specific. Therefore, conversations with agency program managers to understand their IoT-related mission needs and their effect on the threat landscape are essential.
  • Offensive security: Both the executive and legislative branches are taking a hard look at offensive security. This requires simulations to proactively test security measures before attacks take place, as a way to gain confidence in risk mitigation strategies.

Security leaders in the government need to know what the emerging threats are and how the attack surface will evolve. By helping agencies brace for the inevitable impact of breaches and disincentivizing adversaries from inflicting maximum damage, vendors can help government win the cyber arms race.