It was a rich week at RSA Conference 2019, the nerd prom of the cybersecurity world. Thousands descended on San Francisco’s Moscone Center from all over the world. They came, they saw, they cyber-conquered. On my side, I joined Dr. Chase Cunningham for a discussion at Illumio’s customer dinner; attended the U.S.-Australia track 1.5 dialogue with representatives from the two countries’ governments and industry; listened to General Paul Nakasone (U.S. Army), the Commander of U.S. Cyber Command and the Director of the NSA, address the masses at RSAC; and met with colleagues from the national security community I’d not seen since leaving D.C. in 2015. It was a great week.
Here are a few of my takeaways:
- There were more cybersecurity vendors than ever. It’s a bit of a circus, but it’s a circus of goodness and innovation.
- Alliances are progressing not just in terms of government-to-government partnerships, but in the maturity of the discourse; alliance connective tissue is getting stronger.
- U.S. Cyber Command has matured in leaps and bounds since its founding in 2010, proving that smart strategic investments can become a down payment to drive down risk.
It's the last point that I'd like to dwell on.
We now have a real-world example of cybersecurity investments panning out in U.S. Cyber Command. How so? And what is the lesson for companies and organizations?
Two weeks ago, it was disclosed that U.S. Cyber Command took the first publicly declared “counter-offense” operation to defend the United States against a cyberattack of significant consequence by shutting off internet access for Russia’s Internet Research Agency. The intelligence community had indications and warning that Russia was going to try to do something like what it did during the 2016 U.S. presidential election, undercutting trust in democracy. If Russia had succeeded again in disrupting the electoral systems, the result would have been disastrous and led to a further reduction in trust.
Hearing General Nakasone speak about Cyber Command last week reminded me of all the effort that went into building the organization. It didn’t just spring magically out of the ground. It took effort over the last nine years to ensure that it was appropriately manned, trained, and equipped. The Cyber Mission Force (CMF) of 6,200 elite operators achieved “full operational capacity” in 2018, but when the Pentagon leadership decided to invest in the CMF back in 2012, it came with a great degree of pain. The 6,200 were taken “out of hide,” reassigned to the Cyber Mission Force without being replaced in each service. It was a hard call in a budget-constrained environment, but Defense Department leadership recognized the threat. So in 2012, the military made a big down payment on America’s cybersecurity.
Leaders need to make smart investments for unforeseen contingencies.
In addition to U.S. Cyber Command’s tactical defense of democracy, there’s another reason why this operation matters: it proves the value of strategic foresight. Leaders need to invest in futures thinking to make smart investments for unforeseen contingencies. That means thinking about trends.
At RSAC this past week, my colleagues at UC Berkeley released a new set of scenarios about the future of cybersecurity – Cybersecurity 2025 – Berkeley’s second global scenario assessment of cybersecurity trends and futures. For a short dive into the scenarios, check out the video series, introduced by Walter Parkes, a Hollywood writer and producer who wrote War Games and Sneakers and produced Minority Report. He shares my views that cybersecurity remains abstract until an organization gets breached, and that stories can help us understand how to safeguard society.
So, what are some key findings from the Berkeley study? One that jumped out: the world’s hopes of connectivity now risk being overwhelmed by the darker aspects of cyberspace. “Some of the most profound upside expectations about what digital technology could do to improve the human experience risk becoming buried in the emerging landscape,” the authors write. “The first generations of digital technology came with (possibly outsized) idealism—for wealth creation, safety, efficiency, peace, happiness and more. It was inevitable that those expectations would be adjusted over time. But if the pendulum swings too fast and too far towards the pole of risk and threat—as now appears possible—societies risk losing sight of the massive good these technologies can do if properly managed and secured.”
That’s a strong point. For the last three years the world has grappled with a loss of public trust in both our digital world and the democratic process. Russia continued to take hostile action – including by penetrating the electric grid through 2018 – and to a degree the problem felt unhandled. With U.S. Cyber Command’s operation, however, the U.S. took a wise action. It may not stop Putin forever. But it sends a message for deterrence: interfering in another country’s election process is unacceptable and comes with costs. For years Russia escalated in cyberspace and the United States responded only with sanctions. This operation pushes back.
The operation happened because of the strategic effort that leaders made with U.S. Cyber Command over a decade. One of the primary functions of leaders, as the Harvard psychologist Howard Gardner explained in his landmark work Leading Minds, is to tell stories to guide organizations and societies forward. Stories and leadership matter now more than ever. “Nobody believes any more that this problem is going to be solved and we’re not going to be facing an accelerated game,” said Steve Weber, one of the authors of the Berkeley study. “We’re going to be fighting this battle for the foreseeable future and beyond.”
Strategic and scenario thinking can help us make smart decisions for the future. That’s what the Pentagon leadership did in 2012 with the Cyber Mission Force. That’s what security professionals need to do within their companies today. You won’t always be right about what the future holds.