Cybersecurity must start with mission assurance
Cybersecurity cannot be understood, much less addressed, without consideration of the larger mission
- By Keith Rhodes
- Jan 15, 2010
Government and industry might usefully consider that the current economic downturn in general places us in a risky cyber position because a recession creates conditions favorable to an attacker.
Companies and agencies tend to hold on to their systems longer, extend their refresh cycles and cut back on acquiring, developing or introducing patches and other defenses. The attackers, on the other hand, have the advantage of being able to work against familiar systems with increasingly familiar vulnerabilities; they have an increasing opportunity to get inside our decision cycle.
It is no secret that government has been talking about approaching cybersecurity holistically. The president’s report on the subject says, “Government needs to integrate competing interests to derive a holistic vision and plan to address the cybersecurity-related issues confronting the United States.” This is worth some consideration.
I would argue that cybersecurity cannot be understood, much less addressed, except as part of a larger mission assurance whole. You want cybersecurity because you want to be able to use information to get something done. And you want to protect that information because you want to prevent others from damaging your ability to get things done. So the point is really mission assurance; that’s the holistic context in which cybersecurity makes sense.
Businesses and government agencies do not differ significantly in their mission assurance needs: They all need an information environment that’s reliable, available, survivable and secure enough to get the job done. They don’t need absolute perfection in any of these areas -- that is an unattainable fantasy induced by our natural tendency to think in terms of perimeter defenses -- intrusion detection, blocking and tackling.
In reality, the perimeter is always penetrable, and striving for the perfect set of firewalls is to cybersecurity what Patton said fixed fortifications were to warfare: a monument to the stupidity of man. Instead, we should be thinking about mission assurance. We want to be able to continue to operate, to do what it is we need to do. We needn’t aspire to seal off our networks completely, or to lock away all our information perfectly.
Cybersecurity begins with disciplined, methodical risk analysis. Each business or agency needs a clear mission profile. Its decision-makers need a comprehensive analysis of their assets that includes an understanding of vulnerabilities and dependencies. First-hand, experiential mission knowledge helps ensure analytical accuracy. Since the people with first-hand mission knowledge often are the first to adapt to changes in the mission’s operational environment, their input provides vital reality testing.
Once you understand your vulnerabilities and dependencies, you need to look into the Web -- in current parlance, “to go into the wild.” You see what’s out there and what’s developing. Observation is no longer enough. You should collect information globally from open sources, figure out what attack structures are developing and build your defenses on the basis of an informed, credible forecast. You do global threat prediction for local enterprise protection. If you’re concerned about mission assurance, it’s no longer good enough to observe cyberspace and record what goes on there. You’ve got to observe the Internet, predict the threats before they hit and take steps locally to assure your ability to accomplish your mission.
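The two steps above (map assets and dependencies, then fold in a threat forecast to decide where to defend first) can be made concrete. The following is an added illustration, not code from the article or its author: mission functions, assets, dependency edges, mission weights and the threat-forecast likelihoods are all constructed sample values, chosen only to show the method. It walks the dependency graph in reverse to find every mission a compromised asset would disrupt, flags assets that more than one mission silently relies on, and ranks assets by mission impact weighted by forecast likelihood.

```python
"""Mission-dependency risk ranking (added example with constructed data)."""
from collections import defaultdict

# Constructed sample: which assets each mission function needs directly.
MISSIONS = {
    "process_claims": ["claims_app"],
    "pay_vendors": ["erp"],
    "field_comms": ["vpn_gw"],
}
# Constructed sample: asset -> assets it depends on (transitive deps are discovered).
DEPENDS_ON = {
    "claims_app": ["db_primary", "auth"],
    "erp": ["db_primary", "auth"],
    "vpn_gw": ["auth"],
    "db_primary": ["san"],
    "auth": [],
    "san": [],
}
# Constructed mission weights: how much each function matters to the enterprise.
MISSION_WEIGHT = {"process_claims": 5, "pay_vendors": 3, "field_comms": 4}
# Constructed forecast: likelihood that each asset class is targeted next period,
# standing in for what an open-source threat-trend review would produce.
ASSET_CLASS = {
    "claims_app": "web_app", "erp": "web_app", "vpn_gw": "remote_access",
    "db_primary": "database", "auth": "identity", "san": "storage",
}
THREAT_FORECAST = {
    "web_app": 0.6, "remote_access": 0.8, "database": 0.3,
    "identity": 0.7, "storage": 0.1,
}


def build_dependents(depends_on):
    """Reverse the dependency graph: asset -> assets that depend on it."""
    rev = defaultdict(set)
    for asset, deps in depends_on.items():
        for dep in deps:
            rev[dep].add(asset)
    return rev


def missions_affected(asset, missions=MISSIONS, depends_on=DEPENDS_ON):
    """Return every mission that transitively depends on `asset`."""
    rev = build_dependents(depends_on)
    seen, stack = set(), [asset]
    while stack:                      # depth-first walk up the dependents
        current = stack.pop()
        if current in seen:
            continue
        seen.add(current)
        stack.extend(rev[current])
    return {m for m, needs in missions.items() if seen & set(needs)}


def mission_impact(asset):
    """Sum of the weights of all missions disrupted if `asset` fails."""
    return sum(MISSION_WEIGHT[m] for m in missions_affected(asset))


def shared_dependencies():
    """Assets that more than one mission relies on: hidden single points of failure."""
    return sorted(a for a in DEPENDS_ON if len(missions_affected(a)) > 1)


def prioritize():
    """Rank assets by impact x forecast likelihood, highest risk first."""
    rows = []
    for asset in DEPENDS_ON:
        impact = mission_impact(asset)
        likelihood = THREAT_FORECAST[ASSET_CLASS[asset]]
        rows.append((asset, impact, likelihood, round(impact * likelihood, 2)))
    return sorted(rows, key=lambda r: r[3], reverse=True)


if __name__ == "__main__":
    print("shared dependencies:", shared_dependencies())
    for asset, impact, likelihood, risk in prioritize():
        print(f"{asset:12s} impact={impact:2d} likelihood={likelihood:.1f} risk={risk}")
```

With the constructed data the identity service ranks first, even though no mission lists it directly: every mission reaches it through a dependency edge, which is exactly the kind of finding the author says first-hand mission knowledge and dependency analysis are meant to surface. Replacing the forecast table with figures derived from your own review of current attack trends is what turns the ranking into the "global threat prediction for local enterprise protection" the text describes.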
Both industry and government have a role to play. Government aligns, harmonizes and synchronizes. It enables the establishment of standards by which people and organizations can operate. It can serve as a vital early adopter, even an angel investor. Industry gives you the rapid innovation you need in a dynamic, distributed marketplace.
We might be tempted to put off dealing with cybersecurity. But that would be a serious mistake. Cyber speeds access to information, speeds dissemination of information and lowers barriers to entry for bandits, terrorists and hostile states just as much as it does for entrepreneurs. However, a proper understanding of cybersecurity’s place in the mission assurance whole can lead to sensible, affordable and effective measures for continuing the mission and recovering from cyber attack.
Keith Rhodes is the chief technology officer at QinetiQ North America’s Services and Solutions Group, and was the Government Accountability Office’s first chief technologist. He can be reached at Keith.Rhodes@qinetiq-na.com.