You cant seem to go anywhere these days without hearing the mantra, Cybersecurity is a team sport. M...
You can't seem to go anywhere these days without hearing the mantra, "Cybersecurity is a team sport." Maybe because I think the phrase a bit trite, I ask myself, "Which sport are they talking about?"
Yes, cyber is a "team sport" if you are making a sporting analogy to a chain where the weakest link defines the strength of the entire chain. But the practice of cyberdefense for any given organization or entity is far more analogous to writing one's Ph.D. dissertation—although you are informed by the work of others, the research and the writing is a long, lonely road. Indeed, despite the government's statements and best intentions about protecting its citizens from an active cyberattack, they do not—and they can't.
As we all know, cyberspace analogies to real space can help in understanding and explaining new concepts, but eventually they fall apart because real space is fundamentally different from cyberspace. If a foreign nation launches a missile at a target in the U.S., the American military would knock the missile out of the sky, reliably be able to identify the source, and respond forcibly against the attacker. None of this is possible in cyberspace. (Case in point—did the government predict, prevent, or detect the cyberattack on the Port of Houston in 2021; attribute a source; or launch any sort of response?)
The government can, presumably, help organizations build a cyberdefense. The Cybersecurity and Infrastructure Security Agency (CISA) tells us to keep our "Shields Up" and, indeed, we should. But what does this mean? For individuals, this means basic Cybersecurity 101—keep software up-to-date, use anti-malware and firewall software, use multi-factor authentication, be alert to social engineering, and other basic cyber protections. For an organization, it means (and I paraphrase from the CISA website): reduce the likelihood of an intrusion, be able to quickly detect an intrusion, have a response plan, and be resilient. And, to their credit, CISA provides all sorts of tools and other resources to help organizations do these things. But only the first of these steps includes pro-active actions to take before an incident has occurred; the others are reactive, taken during and after the fact.
But, what is resilience? Resilience is defined as being able to respond to, and survive, an attack. This is part of the gospel of any military action; Prussian Field Marshal Helmuth von Moltke the Elder generally gets credit for observing that "No battle plan survives first contact with the enemy." Mike Tyson put it more succinctly and, perhaps, pragmatically: "Everyone has a plan until they get punched in the mouth."
But as we're building resilient systems, we need to be cognizant of who the enemy is. Too many of our systems, from the Internet's Domain Name System (DNS) to Microsoft's Active Directory (AD) to the Global Positioning System (GPS) are designed to be resilient against nature. We understand the failure rate of a server, software, or satellite in stochastic terms; we can calculate mean-time-to-failure and mean-time-to-repair, and plan accordingly. What we don't plan is a resilient defense against an active, intelligent actor. Another case in point—we can easily handle the failure of a single GPS satellite, but what happens if all the satellites are attacked at one time (have you read about the specific threats to this effect by Vladimir Putin)? Ask Maersk what happens when all (but one) of an enterprise's AD servers fail.
Continuing down this sports theme, I recall Muhammad Ali often saying: "Float like a butterfly." (He also said, "Sting like a bee," but I'm going to pass on that analogy to information operations for now. Sports analogies aren't really my thing and I've already used more in this short article than in every other item I've written to date.)
What Ali was alluding to was agility. Resilience is reacting and surviving when somebody lands a punch. Agility is to be able to read and respond to the ever-changing vulnerability landscape, adjusting our defenses, and avoid getting hit in the first place (or minimizing the impact of the hit). Note that I talk here about vulnerabilities. No company that has been successfully attacked in cyberspace has ever said, "If only I had known that Threat Actor X was out there, I would have done things differently." What they're most assuredly going to say is, "If only I had known that that vulnerability existed and/or was present in my system, I would have taken care of it." Threat actors shouldn't cause us concern if we don't have vulnerabilities for them to exploit.
Now, of course we are going to have exploitable vulnerabilities that we don't know about, hence the need for resiliency. But we shouldn't be building and planning our defenses around resiliency but building first-line defenses to reduce our attack surface, which means rooting out vulnerabilities and exposures. In this way, we give threat actors less of a hand-hold with which to launch an attack.
The single best resource for helping the cyberdefender is the free and open exchange of ideas, information, knowledge, and intelligence, shared amongst the various user communities. Now that is a real team sport. Conferences, papers, articles, books, case studies, networking, and information sharing centers are all necessary. Hardware and software vulnerability databases maintained by CISA, MITRE, and the National Institute of Standards and Technology (NIST) are essential tools to track vulnerabilities in the systems that we use. With the plethora of zero-day exploit-based attacks, it is essential that information be shared in a timely fashion. As a cyberdefender, I don't necessarily need to know who was hacked, but I might need to know how someone was hacked. And I might even need to know about this vulnerability before it gets fixed because that gives me an opportunity to choose what to do about the problem. Better to let everyone know about a problem than try to keep it secret and hope that no Bad Guy stumbles upon it.
Maybe, in the final analysis (or final analogy), cybersecurity is like a team sport. I'd say baseball. Sometimes we play as part of a team, sometimes we're standing out there all by ourselves. Sometimes things are slow and sometimes things move so quickly that we can't keep up.
Gary C. Kessler, Ph.D., CISSP, is a retired professor of cybersecurity, principal consultant at Fathom5, and Non-Resident Senior Fellow at the Atlantic Council. This editorial includes excerpts from Maritime Cybersecurity: A Guide for Leaders and Managers, 2nd. ed., by Gary and Steven D. Shepard (2022). He can be reached at gck@garykessler.net.
