You don’t need a weatherman to know which way the wind blows

Why aren't we more focused on better protecting our assets than we are on what threatens them?


Over the past month, we have all watched with dismay as the islands of the Caribbean and coasts of Texas and Florida were hit with devastating rains and high-speed winds. In the days leading up to the storms’ landfalls, some of the most talented scientific minds deployed astounding levels of technology to assess and communicate the severity of the approaching threats—despite the fact that severe weather is notoriously unpredictable, with inherent uncertainty that makes truly accurate assessment of the threat nearly impossible.

In the physical world—where threats collide against civic infrastructures, highway engineering, uneven home construction—understanding and fleeing impending destruction is often the best we can do in moments of crisis. We may not know exactly where the storms will hit, so we work to avoid that damage because mitigating it seems impossible.

As I watched the storm predictions, I couldn’t help but see their similarities to cybersecurity threat prognosticators. But I also was plagued with a question I contemplate often: Why then are we not more focused on better protecting our assets than we are on what threatens them?

The answer that came to me was disappointing, though difficult to refute.

As an industry, we have become mesmerized by threat assessments, just like we’re mesmerized by the swirling colors of storm radars threatening our shores. Threat insights—though a critical component of any cybersecurity strategy—are more dramatic, more enticing, more exciting and more captivating than the dry, complex and sometimes grueling work of effective cyber protection. Threat expertise alone is not enough to deliver true security; we need to do something about it.

As a sector dedicated to securing strategic assets and enabling the economic prosperity of millions, too many of us in the cybersecurity business have become cyber-threat weathermen, breathlessly describing the threat. Without doubt, there is real value in raising awareness and better informing people about gathering storms and potential threats—a decade ago, it was my old organization that added the term “advanced persistent threat” to our industry terminology as a way to differentiate threat from hackers. However, while threat assessment has grown, our overall risk posture remains deeply insufficient, with few meaningful leaps forward in countering the other dimensions of risk: consequences and vulnerabilities.

And not only are we deeply insufficient in terms of mitigating the cyber risks that are often as unpredictable as hurricanes at sea—but we also wildly, unknowingly minimize the potential severity and devastation that will occur when they hit. As much as some like to focus on threats, the fact is that most have little idea how significant the threats are—let alone, when and where they will be realized. Even within the inherent limitations of threat analysis, we are missing the true scope and bigger picture alike.

The strategic intentions of cyber adversaries out there—ideologically independent and state-sponsored alike—cannot and will not be relieved by commercial companies and individuals. Only governments with wizard-like technical resources, militaries and globally influential diplomatic and economic policies can change the behavior of whole countries. And sometimes, they still don’t succeed.

Unless you have covert penetration of the adversary’s networks, or worldwide real-time operational sensors to characterize attacks in progress, most organizations’ threat-oriented work should be focused on leveraging expertly developed signatures and behavior-based analysis to mitigate threats. Where we need to bring more internal focus is on the aspects and practices of cybersecurity that we can all do something about based on the knowledge we have of our own networks. Companies would be better served spending much more time, effort and resources leveraging and intensifying techniques for mitigating our vulnerabilities before a threat targets us. And even better—eliminating potential negative consequences even and especially when the threat directly targets our vulnerabilities.

So—without minimizing the essential role of signature and information sharing, nor threat analysis’ importance in the overall risk equation of Vulnerability-times-Threat-times-Consequence—I hope to utilize this column to engage in the kind of cybersecurity dialogue and debate that will, hopefully, inspire all of us to move beyond the idea that the government will be able to provide accurate, precise, and well-timed warning to each of our networks; they have never promised that and it’s not practical. Because like a community bracing for a hurricane, what matters most is not the general knowledge we have about the storm approaching. Instead, it is the knowledge we have of our own internal infrastructures, plans and preparations—and how we have committed ourselves to bolstering our abilities to withstand the storms that will inevitably, increasingly and ever-more-destructively make landfall.

Copyright © 2017 IDG Communications, Inc.
