Three things I’m reading this week:
Would a Cyberattack By Any Other Name Be as Binary? The AP Stylebook recently limited the definition of “cyberattack” to intrusions that cause “physical damage or significant and wide-ranging disruption.” Reining in the use of the term may already be a lost cause, but it would be a very good idea. Under international law, nation-states are permitted to respond to “attacks” with physical force, so calling every intrusion an attack carries a real risk of escalation. Limiting what we call cyberattacks limits that risk.
It also helps to clarify that a criminal theft of credit card numbers, the theft of employee background information for espionage, and the destruction of uranium-enriching centrifuges are not all the same. In fact, they are radically different and demand different types of responses and defenses.
But if “cyberattack” isn’t the right term for espionage, criminal theft, and the raft of intrusions we see today, what should we call them? Simply limiting the meaning of cyberattack may not be enough – the term is used so broadly because there is little agreement on how to categorize the different types of intrusions we face.
Without a common grammar, everyone will tend toward the most exciting and compelling term, and the more we try to limit the use of cyberattack, the more people will gravitate to it. So if we’re going to try to bring some discipline to the way we talk about cyber threats, limiting the use of the term cyberattack is a good start. But what we really need is consistent terminology for all the intrusions we face that don’t rise to the level of attacks. Here’s hoping this comes next.
I'm reading: "What makes a cyberattack? Experts lobby to restrict the term."
This 90/10 Rule Is Not the Rule You’re Looking For: Earlier this week, Rick Ledgett made a surprising statement: he acknowledged that the federal government spends 90 percent of its cybersecurity budget on cyber-enabled offense, and only 10 percent on cyber-enabled defense. He also noted that this lopsided distribution was a problem and should be remedied.
Cyber-enabled offense is an important part of the federal government’s deterrence strategy, but deterrence alone is not a shortcut to security. Pundits and technology experts often claim that security is a lost cause, and that we should focus on deterrence so that even if we can’t keep intruders out, we can at least increase the cost on them if they get caught.
The problem with this line of logic is that it presumes that we have done everything we can to make our systems secure, and that greater investment in security would be unlikely to yield results. But if we’re only investing 10 percent of our resources in defense, we clearly haven’t done everything we can. In fact, we’ve basically done the bare minimum of what we can.
Investing 10 percent of your resources in defense, and then claiming that defense doesn’t work, is sort of like skipping locks because they’re too expensive, putting a latch on the outside of your gate, and then complaining that people keep coming through your gate by opening the latch. We need to invest in cyber-enabled offense, but it’s past time that we got serious about defense as well.
Some of this investment should just be used to improve our security with enhancements we know work today. But it’s just as important that we invest more seriously in cybersecurity innovation: in building the systems, frameworks, and platforms we will need to improve our security going forward. There are already a few examples of this work happening – DARPA’s Cyber Grand Challenge is a great example. We need more of this.
Simply put, defense is a much harder problem than offense right now. That logic suggests that we should be investing in defense to get ourselves back to parity, not underinvesting and then using the poor results as an excuse to underinvest even further.
I'm reading: "A scramble at Cisco exposes uncomfortable truths about U.S. cyber defense."
Building a Cybersecurity Portfolio: Focus on Needs, Not on Tools: Investing in cybersecurity solutions as a CISO isn’t just daunting – it’s exhausting. With thousands of tools claiming to be the perfect solution for whatever problem you’re facing, everyone needs a strategy to run that gauntlet. This week Dan Woods published part two of an excellent multipart effort to help CISOs think through how to navigate these tricky waters.
It’s a very thoughtful and useful piece, and it gets just about everything right. He emphasizes the need to balance prevention and detection, to compare against your peers, and to think seriously about the specific threats facing your organization. He also highlights a few key investments worth prioritizing, such as shortening your time to detect and increasing your ability to isolate key parts of your environment to minimize the damage intruders can cause before they’re caught.
When building your security strategy, don’t concentrate your investment entirely on prevention, detection, and response. Those are essential capabilities, but the foundation of any security program is understanding and controlling your environment.
As Dan points out, knowing your network is the most important starting point, and from there actually controlling it is essential. If the network is wide open, intruders have many options for what to target and how to move laterally through your environment; you’re left always playing catch-up, and detection and response suffer without good understanding and control. In an environment with strong identity management, limited privileges, and effective segmentation, on the other hand, detection and response are faster, easier, and cheaper – and the intruder’s life is much harder.
I'm reading: "How To Design Your Cybersecurity Portfolio."