If you run a small ecommerce firm, it might not seem you have much to learn from the US military. In some ways, that's true. It's likely that your budget for cybersecurity is smaller than that of the Defense Department. But, when it comes to effective cybersecurity, that's less important than you might think. Even the most secure systems in the world will eventually be breached; what's important is your approach to that fact.
In this regard, the private sector still has a lot to learn from the military. While many firms have already taken on board some of the technical lessons provided by the DoD – including those related to the way the military uses datacenters – when it comes to the "philosophy" of cybersecurity, we've got a long way to go to catch up.
In this article, we'll take a look at this approach, and explain what the private sector can learn from it.
The Military Mindset
Though the military – and particularly the US military – has an enormous amount of technical resources at its disposal, arguably their biggest asset is their approach to security. This is one based on the assumption that they will be attacked, and that at least some of these attacks will succeed. This is an approach that can be seen as developing directly from the more "traditional" activities of the military: namely, operating in combat zones, where it is equally certain that one will be attacked.
For those outside the DoD, the outcomes of this approach can most easily be seen in the military's response to data breaches. The US military, for instance, has suffered some high-profile breaches recently, but did not overreact to them. Instead of launching a total overhaul of their defenses, they remained tight-lipped about their cybersecurity strategies, and tacitly acknowledged that this kind of attack would succeed from time to time.
Resilience vs. Security
Because of this approach, the way that the military envisions cyberdefense is also strikingly different from the majority of actors in the private sector. Instead of trying to avoid attack altogether, the military focuses on "resilience" – the ability to limit the damage from successful attacks, and to recover quickly afterward.
Resilience is a term that is only infrequently used when it comes to corporate cybersecurity, but it runs through the research and frameworks developed by the military. Perhaps the most detailed explanation of the concept is contained in the 2013 Resilient Military Systems and the Advanced Cyber Threat, which bluntly states that “there is no single silver bullet to solve the threat posed by cyber-attack or [cyber] warfare … the cyber risk elements cannot be reduced to zero. While the problem cannot be eliminated, resilience capabilities can and must be determinedly managed."
The same document gives some details on what this means for the US military, at least at the broadest level. One of the most interesting ideas here – and, again, one that can be seen as a cyber analog of traditional warfare – is the idea of digital "tactical retreats." It appears – reading between the lines – that the military doesn't opt immediately for a traditional step-by-step technical strategy, as many a private IT cybersecurity department might do, say, in the event of a virus-infected computer. Instead, they will just wipe and reboot the machine, having taken steps to ensure that any data it contained has been backed up.
Theory vs. Practice
This idea – of junking a machine that has a virus – might sound a little expensive for the average private sector firm. However, the core principles of the "resilience" model followed by militaries around the world are fairly easy to put into practice, even for small firms. Here's how:
First, recognize that, no matter how good your cybersecurity is, you are going to be hacked at some point. Data breaches are not a sign of failure; over-reacting to them is.
Second, put in place technical measures to ensure the ongoing viability of your systems, even in the event of a successful cyberattack. This should include multiple, distributed backups of all data and systems, but also a modular network design that allows parts of your systems to fail without causing catastrophic damage to your operational capabilities.
Third, try to create a resilient culture in your firm. This includes employing a CISO to take charge and responsibility for your security; simultaneously sharing responsibility for cybersecurity across the C-suite; formalizing your risk management strategies; and making sure that your security team is in-post long enough to build up the necessary expertise.
Finally, take a deep look at your incident response plans. One of the key lessons to be drawn from the military response to successful cyber attacks is that poor responses to successful attacks can sometimes make them worse. US-Cert provides detailed guidance on how to build incident response plans that will safeguard your systems and data while allowing you to retain operational capacity.
The Bottom Line
Ultimately, if civilian government agencies and the private sector cling to security and neglect the importance of resilience in their cyber defense strategy, they will continue to lag the military when it comes to cybersecurity. Despite a reputation for being slow to react to emerging technologies, the military community was highly receptive to learning the hard lesson that security, though necessary, is bound to fail and therefore insufficient.
For private companies, learning a similar lesson means re-focusing on resilience, and not just at a technical level. There is, in short, a need to go beyond redundancy at a hardware level, and to build genuinely resilient systems at a managerial level.