The NATO CCDCOE recently released Cyber War in Perspective: Russian Aggression against Ukraine. I found chapter eighteen, written by Richard Bejtlich, particularly compelling. It is entitled Strategic Defence In CyberSpace: Beyond Tools & Tactics.
Without commenting on the political issues, I think it is a well-articulated chapter urging the Information Technology community to move off of its continued fascination with Tools, and onto a more realistic mindset of where those tools fit into the (digital) security landscape. A key quote:
“An analysis of time intervals is key to understanding the interaction between attackers and defenders, but in general the security community does not sufficiently understand or appreciate the nature and consequences of this relationship. A technology-centric worldview obsesses about a static, one-time exchange between attacker and defender. This is not an accurate description of the real world, which is populated, not with mindless code, but with rational and irrational human beings who are both intelligent and adaptive adversaries and who observe their targets, allocate resources, and make dynamic decisions in order to accomplish their goals.” [Emphasis mine]
I have seen this technology-centric worldview go hand-in-hand with a vulnerability-centric mindset – where the focus is on dealing with vulnerabilities, at the expense of an intellligence-driven, threat-centric mindset. When an organization views digital security in this way, it can have the unfortunate side effect of siloing digital security resources outside of the established security apparatus of the organization. This reinforces IT’s continued tech/vulnerability-centric mindset, as they do not see targeted digital security incidents as they really are – coordinated campaigns that must be dealt with at a strategic level.
“The problem with the focus on tools and tactics, and related topics of risk and ROI is that higher-level management and boards do not feel connected to the true defensive posture of their organisation. Because leaders have not been valued parts of the security program development process, they think security is mainly an issue to be solved by technical professionals. Their experience with the IT and security worlds has led them to approach security as an issue of approving budgets to purchase ever-more-costly security software…” [Emphasis mine]
Organizations stuck in this way of thinking must first change their understanding of security to be based on the recognition that all security threats are ultimately created by human threat actors, and that human threat actors will use whatever resources they have available to them, whether physical or digital. This understanding will ultimately break down the silos, and unify the digital security resources with the rest of the organizational security apparatus. Secondly, as Richard states, organizational leadership must take ownership and deal with these issues at a strategic level. Only then will the organization have the ability to start tracking actual campaigns targeting them rather than just hand-waving and stating that they are seeing “millions / billions” of “computer attacks” every year.
“…Tech is not the path to security. Security comes from the way that you live your life, not the tools. The tools are simply enablers…” @thegrugq