For all its controversy and divisiveness, the 2016 U.S. presidential election provided a powerful lesson for securing the future of our critical infrastructures. And while the same threat actors who succeeded in 2016 would relish an opportunity to school us again on their malicious cyber activity and information influence campaigns, it\u2019s both prudent and necessary for us to avoid the refresher course. Especially with one likely being planned for the upcoming midterm elections.When a crime is committed, there is a natural inclination to determine who did it. But effective cybersecurity is not fundamentally always about who is attacking you\u2014it\u2019s about making strategic decisions to protect key assets. Understanding the threat and attribution of cyberattacks is always helpful, but it is rarely timely or certain enough in an operational sense.I was personally involved with Intelligence and White House deliberations in 2016 about attributing and reacting to the calculated and highly coordinated state-sponsored attempts to influence our national election. That election illustrates a larger and more important point about the changing nature of critical infrastructure: we need to consider certain repositories of data as being among our most important national assets\u2014as important as physical infrastructures like power plans and water systems\u2014whose compromise or loss of integrity can cause grave harm to a government, country or organization.Until very recently, securing a nation\u2019s critical infrastructures was primarily seen as protecting\u00a0physical things\u2014dams, bridges, power plants and the like.\u00a0Now, critical infrastructures include important\u00a0virtual things\u00a0that must be protected\u2014the data that underpins the integrity of important government functions and public and private information systems.Especially with voting technology\u2014a diverse collection of devices and data that couldn\u2019t be more central to representative democracy\u2014the ability to cast doubt on a nationally sacred process, either through the election systems themselves or the information influence campaigns directed at voters, is disturbingly easy. There are more than 50 different election systems (i.e., each state, DC, etc.), with many more operated at the local level, that feed into a national result. To be successful, hackers don\u2019t have to change vote counts or voter rolls. To some degree, all they have to do is create enough confusion, and leave enough evidence of tampering, that election officials can\u2019t be sure of the results.\u00a0That is a precarious position for the country to be in for one of its most sacred institutions, and why many smart people are working hard to minimize that risk in 2018. But the assault on the election system is not a lesson solely for governments; it reveals the importance of our digital infrastructure and the critical necessity of consequence-based engineering.Thankfully, cybersecurity fundamentals offer an effective path forward.Whether you are the CISO of an enterprise-size company or an individual subject matter expert, the principle of Consequence-Based Engineering (CBE) should be at the heart of all your cybersecurity planning. With CBE, you identify, up front, the bad consequences you want to avoid. These should be specific and appropriate for your organization\u2014whether it is to prevent employees from accessing HR information, vendors from comparing each other\u2019s terms, or hostile foreign governments from sowing mistrust with acts of disinformation.Once determined, CISOs and their teams can then apply the appropriate measures to minimize the overall risk they find by mitigating the vulnerability, the threat or the bad consequence itself. There is a wide range of tactics to achieve this, but central to all good security is the practice of segmentation.The strategy behind segmentation is based on a very simple truth: the network boundary is dead. Up until about five years ago, it was common to place defenses along the border of a network. But with the advent of wireless, mobility and the cloud, a boundary-based approach simply doesn\u2019t work. And, even when it did, it created tremendous risk by making most access decisions binary: Should access be granted or denied? Moreover, when a hacker was able to scale that wall, they were able to achieve total access, with catastrophic results.Rather than placing one security wall around everything, segmentation allows separate but aligned micro-segments throughout the network. It separates sensitive data (e.g., proprietary, financial, privacy, marketing, operational) and other critical data so that even if an organization\u2019s first lines of defense are breached, the scope of that breach can be contained. It is a far more effective security strategy, one that attempts to prevent compromises yet assumes that inevitably, an attack will succeed and minimizes the compromise\u2019s scope.The strategic and technical implementation of agile segmentation, done at both the macro and micro levels, allows security teams to make much more nimble and effective decisions about which groups of data to protect\u2014as well as who gets access and for how long. Further, there are a host of business benefits to this that align with the principle that cybersecurity should enable business and not hinder it. But even as a security measure alone, it is incredibly valuable.And there\u2019s even more good news about the adoption of this strategy: It\u2019s well within the reach of both the smallest and largest of organizations, sometimes efficiently enabled by companies that seek to minimize the complexity of implementing it.The process of CBE that leads to a strong segmentation architecture begins with doing an inventory of your organization\u2019s major data groups, such as: company financial data; communications with the press; contract data; enterprise IT configurations; executive deliberations; IP (e.g., design, code repositories); legal; marketing; personnel; research; and security services data (e.g., information on customer networks).\u00a0Next, you assess how or if your network\u2019s design keeps them separate from each other\u2014this is where macro and micro segmentation come in\u2014and if so, how easy it is for users to move freely between them (if users can easily jump from one to the other, so can hackers). If there is security in place to prevent that, how strong is it, and how have you determined that strength? Are there regular audits to detect breaches between data sets or snooping? What measures have been taken to identify and prevent a breach as it occurs?Regardless of where one falls on the political spectrum, we all care about democracy.\u00a0 And we have all become painfully aware at how the integrity and availability of data is essential to free and fair elections. Now we need to achieve that same national attention and urgency to protecting our companies\u2019 and organizations\u2019 data sets via consequence-based engineering techniques.A hundred years ago we understood that there was no local security without the protection of oil fields. Fifty years ago we understood that there was no national security without safeguards for nuclear weapons. And today we now understand that, in our hyperconnected world, there is no global security without protecting our most valuable assets with modern segmentation techniques.Cybercriminals and adversaries are relentless. Once they find a weakness, they exploit it with an almost compulsive intensity. They certainly don\u2019t pat themselves on the back and call it a day after they are successful.So, the question is not whether another attack will happen. It will. Instead, we must ask if we have acted appropriately to ensure that when it happens, our most critical assets\u2014which are not just physical things, but data as well\u2014the underpinnings of our data economy, are protected.