How to create a military mindset and ‘chain of command’ for cybersecurity
Sticking to a strict chain of command with accountability at each stage is critical for reducing errors and security lapses: IT professionals can apply the same thinking to strengthen cybersecurity.
Considering the mission of cybersecurity – to defend against, identify, mitigate and defeat threats to IT infrastructure – it’s no surprise that strategies are often based on military models.
The idea of the IT security ‘kill chain’, for example, was inspired by military protocols for fighting an attack: 1) find the attacker, 2) fix the attacker’s location, 3) track the attacker’s movements, 4) target the right weapons against the attacker, 5) engage the attacker by launching those weapons and 6) assess the damage caused by the attacker and gather intelligence about the attack.
Strong cybersecurity also requires preparedness and accountability at every level of the organisation – concepts with clear parallels in the military’s chain-of-command structure. As every military strategist throughout history has known, a well-disciplined and well-trained chain of command reduces the risks of weak links. And weak links are the bane of strong defences.
So what lessons can security-minded businesses take from the military to improve their chains of command and prevent weak links? And which strategies are most effective for fighting today’s ever-evolving threats, including advanced persistent threats from well-trained and well-resourced bad actors who use social engineering and other tactics to break through an enterprise’s defences?
Security is everyone’s responsibility, around the clock
As the US Army’s Cyber Command notes: “You are the first line of defence. Securing cyberspace is a 24/7 responsibility.” That means every person in an organisation – IT specialist or not – needs to be aware of what potential cyberthreats look like and how they can slip past defences. And, once a threat is spotted, everyone should be clear about how to report it, and to whom.
In other words, every organisation needs a clear plan for responding to threats and should make sure its employees understand how to use it.
“Incident response plans are a critical yet underutilised component of emergency preparedness and resilience,” according to a 2015 guide to basic cybersecurity measures prepared for the water industry with the help of the US Department of Homeland Security, the Cyber Emergency Response Team, the FBI and the Information Technology Information Sharing and Analysis Center.
“This task is not complete once the plan has been developed; it needs to be operationalised as well,” the report adds. “It is critical that plans be routinely reviewed and updated to ensure they remain relevant and useable for when they are actually needed. Furthermore, to truly understand their cybersecurity incident response plan, organisations must practice them through regular exercises. “This will ensure that all stakeholders understand the procedures that would be implemented in the event of a significant cyber disruption or breach, enabling a more effective and efficient response.”
In other words, if the cyberthreat landscape is a battlefield, you need to play regular ‘war games’ to be prepared for the real thing.
Skilled defenders must handle threats as ‘missions’
While military organisations have a clear hierarchy, tacticians also recognise some situations require special teams that might not fall within the normal chains of command. As Lt. Gen. Edward Cardon, former head of the US Army Cyber Command, said at a conference during his tenure, some threats – whether they’re in the physical world or the digital one – demand a response by 'fusion cells', that is, cross-sector teams of people recruited for their specific, specialised skills and knowledge.
Another military-inspired strategy for IT security involves using different teams that approach the same threats from dramatically different angles. For example, a red team that looks at IT from the perspective of a would-be hacker and a blue team whose responsibility is to consider every possible means of defending a system.
“It is this 360-degree view of threats, attack vectors, vulnerabilities, defensive tactics and human education and training that constitutes the military-style approach to cybersecurity,” according to Network World.
One word: Resilience
“Military agencies practice security but overwhelmingly rely on resilience,” an article in the national security-focused news site Defense One recently noted. “To depend on security is to assume that you have a silver bullet when all you really have is a 50-foot wall waiting to be scaled by someone who has a 51-foot ladder.”
Whatever territory and resources they’re defending, military leaders understand there are always equally determined people on the other side continually looking for new ways to break through those defences. They also recognise the reality that any military encounter, even the most ‘minor’ skirmish, carries the risk of casualties. There’s no perfect, 100-per cent-certain way to prevent such losses, so battle plans must always include strategies for carrying on and prevailing despite these.
In cybersecurity, the publication Government Technology said this means an organisation needs to be ready to assess its “ability to deliver operational excellence in the face of disruptive cyber adversaries, and use ‘design for resilience’ techniques to limit the impact of an attack.”
From a strategy perspective, designing for cyber resiliency requires the following, according to not-for-profit government research organisation MITRE:
- Focus on common critical assets
- Support agility and architect for adaptability
- Reduce attack surfaces
- Assume compromised resources
- Expect adversaries to evolve
“Cyber resiliency is the ability to anticipate, withstand, recover from, and adapt to adverse conditions, stresses, attacks, or compromises on cyber resources,” MITRE noted in a 2017 report on cyber resiliency design principles.
“As concern increases for cyber resiliency (or system resiliency, when malicious cyber activities are explicitly considered as a form of adversity), so does the need to include cyber resiliency design principles in a programme’s or a system’s set of design principles, and to reflect cyber resiliency in the corresponding Program Protection Plan or Security Plan.”