
Cyber: The Art Of War

Foreign bad actors are conducting a covert cyber war. The pace, frequency, and intensity of cyberattacks are now greater than ever. As the physical realm inevitably merges with the cyber one, forming a new kind of infrastructure, cyberattacks on this infrastructure can have a catastrophic impact on our energy, waste, water, transportation, and telecommunications facilities. Examples include potential attacks on infrastructure such as distributed control systems (DCS) and supervisory control and data acquisition (SCADA) systems, which monitor and control processes and plants with many control loops. Additionally, exploitation of supply chain vulnerabilities can substantially disrupt the way we live, work, and play.

In most cases, we are woefully under-prepared to protect our country against attacks. Hundreds of millions of records are exposed by over a thousand reported data breaches every year in the United States alone. Each security incident costs enterprises roughly $18 million on average. Experts predict that the aggregate cost of cybercrime will exceed $5 trillion over the next five years.

Compounding these issues is the novel COVID-19 pandemic. It is rapidly moving Americans’ lives further online. Governments and businesses alike are forced to operate with a decentralized, virtual workforce. Our ever-increasing dependency on technology is making Americans increasingly vulnerable to new threat vectors. Imagine the devastation that could occur if a foreign enemy released a malicious computer worm, a cyber-pandemic able to self-propagate undetected through our virtual infrastructure. To combat this risk, cybersecurity must be interwoven into every aspect of our business, infrastructure, and even our physical health in the form of health security, if we are to continue to enjoy the freedoms and privileges that we now have.

This new war will be online and, to win it, business and technology leaders must adopt and embed military-style strategies that align with their organization’s mission. This war will be unconventional, covert, and sophisticated. Although centuries old, the Art of War, an ancient Chinese military treatise, together with the principles of war, can provide insight into what will be required to prosper in this new era.

MILITARY STRATEGY 1: KNOW YOURSELF, KNOW THE ENEMY

“If you know your enemies and know yourself, you will not be imperiled in a hundred battles.”

Leaders must intimately know themselves, their organizations, and the enemy to effectively apply a strategic and proactive approach to win the cyber war. They must understand the maturity of their organizations’ cybersecurity postures including the processes, people, and technologies driving the mission. Chief Security Officers (CSOs) are largely responsible for security posture and many are only beginning to adopt emerging technologies to gain essential security insights and intelligence to combat an increasingly sophisticated and evasive enemy.

For example, the Federal Government is extremely complex, decentralized, and fragmented. With ambiguous governance, overlapping business functions, and fragmented architectures, CSOs must navigate an intricate mesh of bureaucracy, shadow IT, and outdated technologies to understand vulnerabilities and instill cybersecurity rigor and excellence. Securing the hybrid federal enterprise of both on-premises and cloud assets presents even more challenges. This hybrid model consists of fragmented technologies with little standardization, making it difficult to enforce security compliance. Lastly, CSOs must also consider how the organization’s culture impacts security. Continuously measuring the workforce’s knowledge, perceptions, assumptions, values, and attitudes towards cybersecurity allows CSOs to assess their cultural capability to implement security best practices.

CSOs must also continuously study adversaries to understand the threat they pose. Adversaries are using advanced tactics and technologies. For example, hackers are leveraging artificial intelligence to probe, conceal, and monitor the interactions between users and systems to expose vulnerabilities. They thrive on social engineering practices that target users, the greatest threat to security posture. Furthermore, they use AI to develop polymorphic malware (such as worms, viruses, bots, and key loggers) that outmaneuvers and bypasses antiquated security controls and detection methods.

Security compliance is the central nervous system of an organization’s cyber posture. It disseminates intelligence and coordinates offensive and defensive measures to protect the organization from foreign intrusion. CSOs cannot enforce security compliance without the assistance of the same suite of emerging technologies used against them. Using artificial intelligence, security professionals can peel away the complex layers of government and shed light on the underlying infrastructure and its vulnerabilities. Deep learning and neural networks can expose threat patterns and detect anomalies 24/7. Through these augmented intelligences, CSOs can anticipate and better prepare for attacks.

MILITARY STRATEGY 2: SPEED, FLEXIBILITY AND ADAPTABILITY

“What is of the greatest importance in war is extraordinary speed: one cannot afford to neglect opportunity.”

Cyber warfare takes place at a speed physical warfare is simply incapable of. It is fast, sudden, and uninhibited by the size of forces, complexity of the terrain, location, or the unity of alliances. Rather than relying on a human force, bad actors use automated minions to wreak havoc. Since cyber warfare is characteristically influenced by speed, intelligence, and agility, we must free ourselves from the shackles of the all-too-prevalent, highly manual, paper-intensive, convoluted security processes that are typical of today’s security postures. We are still making data calls for patches, inventory, and vulnerability scans!

The Federal Government is notoriously slow and riddled with outdated processes. Over 95% of security governance, risk, and compliance (GRC) processes are paper based. Even continuous diagnostics and mitigation (CDM) processes are highly manual. This can be seen in the 6- to 12-month Assessment & Authorization (A&A) process required to launch a new system. Integrating AI and blockchain can drastically shorten the A&A process to less than a month while simultaneously re-engineering it to be continuous, thus avoiding the need to reauthorize every 3 years. Responding to security breaches can still take days. Discovering whether a security breach occurred can take even longer, as the agency must rely on this antiquated system to conduct scans of the network and systems. Since cyber-attacks are fast and furious, the current delays are unacceptable in modern cyber warfare.

The speed at which we detect, analyze, and respond to security incidents will affect who wins this war. Blockchain and AI can be used to accelerate the security process. The blockchain’s shared distributed ledger can be used for storing security events and incidents to provide an immutable source of truth. AI can analyze that data to predict threats based on patterns and anomalies. It can cluster security data to predict risk and foster a zero-trust security model. Robots can continuously scan firewalls, routers, gateways, networks, systems, applications, and databases for vulnerabilities. Humans may be smarter but robots are faster. If supervised correctly, robots can evolve and execute tasks with less bias, fewer mistakes, and reduced downtime.
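As an added illustration (not code from the original article), the Python below shows the core property behind the "immutable source of truth" the paragraph describes: security events are hash-chained so that any later edit to a stored event breaks the chain and is caught on verification. The event records are constructed samples, and the ledger is a local in-memory chain, not a particular blockchain product.

```python
import hashlib
import json
from typing import Any, Dict, List, Optional


def hash_entry(prev_hash: str, event: Dict[str, Any]) -> str:
    """Bind an event to its predecessor: SHA-256 over the previous hash plus a
    canonical (sorted-key, whitespace-free) JSON serialization of the event."""
    payload = prev_hash + json.dumps(event, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


class EventLedger:
    """Append-only, hash-chained log of security events."""

    GENESIS = "0" * 64  # link value for the first entry

    def __init__(self) -> None:
        self.entries: List[Dict[str, Any]] = []

    def append(self, event: Dict[str, Any]) -> str:
        prev_hash = self.entries[-1]["hash"] if self.entries else self.GENESIS
        entry = {"event": event, "prev_hash": prev_hash, "hash": hash_entry(prev_hash, event)}
        self.entries.append(entry)
        return entry["hash"]

    def verify(self) -> Optional[int]:
        """Return the index of the first entry whose link or content hash does
        not check out, or None if the whole chain is intact."""
        prev_hash = self.GENESIS
        for i, entry in enumerate(self.entries):
            if entry["prev_hash"] != prev_hash or entry["hash"] != hash_entry(prev_hash, entry["event"]):
                return i
            prev_hash = entry["hash"]
        return None


# Constructed sample incident records (not real data).
SAMPLE_EVENTS = [
    {"ts": "2020-06-01T08:00:00Z", "source": "fw-edge-1", "type": "blocked_scan", "severity": "low"},
    {"ts": "2020-06-01T08:05:12Z", "source": "vpn-gw", "type": "auth_failure_burst", "severity": "high"},
    {"ts": "2020-06-01T08:07:40Z", "source": "siem", "type": "incident_opened", "severity": "high"},
]


def demo_tamper_detection() -> Optional[int]:
    """Build a chain from the samples, then downgrade the severity of entry 1
    after the fact; verify() reports index 1 as the first broken link."""
    ledger = EventLedger()
    for ev in SAMPLE_EVENTS:
        ledger.append(ev)
    assert ledger.verify() is None  # untouched chain verifies
    ledger.entries[1]["event"]["severity"] = "low"  # after-the-fact edit
    return ledger.verify()
```

A chain alone is tamper-evident, not tamper-proof: an insider who can rewrite every later hash hides the change, which is why the head hash must be replicated to independent parties, the part a shared distributed ledger adds.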

By gaining full visibility, accountability, and transparency of security events and incidents, security professionals can analyze threat patterns like their adversaries’ tactics, models, and tendencies. This would allow organizations to set, and manage, threat intelligence and cyber hunting efforts. Security professionals could then profile threats in a manner similar to how the Federal Bureau of Investigation profiles criminals. With better security intelligence, security professionals can pivot from being reactive to proactive.

MILITARY STRATEGY 3: SIMPLICITY

“Prepare clear, uncomplicated plans and concise orders to ensure thorough understanding. Everything in war is very simple, but the simple thing is difficult. To the uninitiated, military operations are not difficult. Simplicity contributes to successful operations. Simple plans and clear, concise orders minimize misunderstanding and confusion.”

In war, there is no place for unclear instructions. Keep it simple and clear.

The greatest security threats to an organization are the people who operate it. If security is too complex, people will either avoid or circumvent the process. Although NIST, FedRAMP, and FISMA are leading security frameworks, few people within federal agencies and commercial enterprises understand them well enough to reap their benefits. Due to their complexity, people within organizations regularly delegate security only to cybersecurity experts. Rather than institutionalizing security, complex frameworks make it impossible for people to adopt them.

Education is key to promoting organizational cybersecurity hygiene. As generals do in war, organizations must build a culture of awareness to ready the workforce to respond to any crisis. The organization must constantly measure, assess, and improve its cybersecurity maturity model. This can be achieved by using AI to analyze the workforce and make strategic, targeted investments to elevate the workforce’s understanding of security. For example, AI can be used to identify clusters of people who follow security policies as well as those who take shortcuts. Training resources can then be used in a more efficient, targeted manner.

CONCLUSION

Protecting our critical infrastructure from hackers is the most serious challenge facing our nation today. We must take the same approach to cybersecurity as we do to war; we must deeply understand ourselves, our organizations, and our adversaries to win. We must implement precise, unified, simple, and well-balanced plans and execution strategies. These will be necessary to achieve our security objectives and protect American freedoms, civil liberties, and privacy rights as guaranteed by our laws. CSOs must take the appropriate measures and prepare the troops for a sophisticated, covert cyber war. They must educate, train, and then trust the workforce. They must embrace the same bleeding-edge technologies that our adversaries are using against us if we expect to beat them, starting with blockchain and AI. Blockchain ensures trust by maintaining an immutable source of truth. AI uncovers vital security intelligence that is essential to executing both offensive and defensive strategies.

Oki Mek

Oki Mek is a veteran of the United States Army National Guard. He is a guest lecturer on cybersecurity and innovation at the University of Maryland. He is also serving as the Senior Advisor to the HHS CIO at the U.S. Department of Health and Human Services. He received his Bachelor of Arts from Virginia Tech University and his Master of Liberal Arts in Information Management Systems from Harvard University, Extension School.