Throughout history, one of government’s primary duties has been to provide for the common defense of citizens. Our armed forces have protected our geographic boundaries exceptionally well for over 200 years. In stark contrast, the cyber domain introduces a new reality in the human experience.
Thieves and adversaries can reach beyond our traditional geographic boundaries to steal or harm, making geographic delineations irrelevant. Because cyber risk transcends the four traditional domains of conflict, the old rules simply don’t apply to this new domain. Civilian leaders—like corporate directors—must lead the way to define new rules for defending civilian assets given the reality of a cyber blind spot: the gap between government and civilian defenses.
“The cavalry ain’t coming.”
So said General Michael Hayden, former director of the National Security Agency (NSA) and the Central Intelligence Agency (CIA), about cybersecurity at a conference in 2017. Not only is there no governmental “cavalry” coming to the defense of civilian cyber assets, it is not even clear that such defenses exist in any cohesive form. This isn’t intended as a criticism. Rather, it’s simply a reflection of reality resulting from limits in constitutional authority, capability, capacity, and ambiguous charters.
Government defense of assets in the physical domain is routinely accomplished within the bounds of the Constitution. But defense of cyber assets—information contained within computers—is fundamentally different. By definition, the defense of information requires in-depth access to and an understanding of the information and the computers on which it resides. If, for instance, a company voluntarily chose to allow such government surveillance, and the data revealed that laws were being violated, could the government use this information against the firm or the people trusting that firm with their privacy?
With the current murkiness around privacy protections in this non-physical space, would this be a violation of Fourth or Fifth Amendment protections for the corporation and its customers? Would it matter if the discovered violation were willful or inadvertent? The requirements of defending companies and their customers from cyber risks may not fit the realities of constitutional law.
The government at large is tasked with widely varying roles in defending against cyberattacks. Capabilities range from ultra-sophisticated cyber actors in the CIA and NSA to traditional law enforcement agencies with little technical expertise. Meanwhile, sophisticated cyber capabilities are as rare in government as they are in the private sector, and those limited assets are consumed with defense of the government itself or with providing intelligence. There is very limited capacity to help business or non-critical government capabilities.
As in the private sector, there are plenty of federal government examples of failing in the fight: the loss of sensitive data on 22 million individuals by the Office of Personnel Management, the hacking of the Chief of Staff to the President, and the loss of highly sensitive cyber defense tools by the NSA are but a handful of examples. Bottom line? If the government struggles to defend itself, it can’t be expected to defend businesses.
It’s not yet entirely clear which agency should be doing what tasks to secure cyberspace, despite frequent coordination attempts and exercises. The Department of Homeland Security is responsible for defending the homeland, but the Department of Defense is responsible for defending the nation. Who defends cyberspace? Both? Neither? After a cybercrime has occurred, the Federal Bureau of Investigation is responsible for the investigation, but if the criminal is outside the U.S., do they have jurisdiction? If so, do they have credible recourse?
It isn’t clear who should help and what the nature of the help could be—even according to Keith B. Alexander, founding commander of United States Cyber Command. “The truth is that today, our government agencies appear to be confused by the different terms of protection, incident response, and national defense,” Alexander said in an address to the US House Committee on Homeland Security in 2017. “More needs to be done in defining these roles within the key departments, and we must practice how the government is going to collectively execute their responsibilities.”
Furthermore, what are the rules of engagement? The government deserves credit for providing expertise and guidance to the civilian sector, such as the NIST Cybersecurity Framework, threat sharing networks, and so on. But there is no mandatory compliance required except in narrowly defined areas of critical infrastructure.
Without realizing it, most business and civilian leaders assume that a faceless “they” are defending us in cyberspace like “they” are defending us in the traditional geographic sense. While not an unreasonable assumption, we all know what happens when we assume.
The Assumed Cocoon
We exist within a relatively secure geographic and physical “cocoon” consisting of layers of defense provided by governments against catastrophic attack by foreign powers. This cocoon allows business to focus attention and investments on innovation, shareholder value, and employee satisfaction. Businesses therefore expend only the most basic effort in physical defense, burying security into generic administrative organizations and outsourcing staff to minimize cost.
Without realizing it, many organizations have tacitly adopted a nearly identical model for cybersecurity. Examples include burying cybersecurity responsibility under the chief information officer, outsourcing security operations to save money, and generally treating security as a necessary evil. Meanwhile, organizations are both physically and existentially vulnerable to security risks, enjoying the softness of the assumed cocoon.
Going to a Gunfight With a Golf Club
Most corporate executives and directors are skilled in increasing shareholder value. But the essence of cyber defense is human-to-human conflict. Whether we think of this as war fighting or crime fighting, we argue that it is indeed fighting. We posit that success here requires thinking in terms of battle: weaknesses, attacks, defenses, and contingencies. The fluidity and chaos of human conflict require a specific set of skills and experiences that most of those groomed in the civilian sector simply don’t have, or have let lie long dormant, because they never needed them in business practice—until now.
You are the first generation of executives and corporate directors to deal with the business reality of self-defense, and that’s daunting. It would be easy to adopt an ostrich strategy to avoid it altogether. Or, nearly as bad, to diminish the urgency of decisive action by resting on the comfort of conventional wisdom.
If you find yourself saying any of these things to provide a sense of self-assurance, you’re likely whistling past the graveyard—not giving the problem the serious intellectual engagement it deserves.
- We’re using the NIST Framework.
- We spend a lot more than we used to on our defenses.
- We just bought this new fill-in-the-blank.
- One of our folks used to work for the FBI.
- We haven’t had any trouble so far.
- Our audits are ok.
Leading in the Age of the Cyber Blind Spot
We aim to illuminate a reality that deserves additional examination and thought, not to criticize the actions of government or civilian leaders. Government can’t sufficiently defend civilian assets in the cyber domain and civilian capabilities aren’t well-suited for human-to-human conflict. Taken together, this cyber blind spot introduces significant challenges to corporate directors and officers.
Some key questions for board members to ask include:
- How does the cybersecurity team inculcate a strategic and tactical military mindset and experiences into its cyber-defense strategy?
- In what ways does the company’s cybersecurity strategy and investment mirror its physical counterpart?
- What are the key assumptions in the cyber strategy, and what are the risks associated with those assumptions?
- How frequently and how aggressively are our cyber defenses “red teamed” or probed by external “hired guns”?
- How powerful and relevant are the measures of cyber defense provided to the board by cybersecurity executives? What other questions should be asked to explore the gaps in our cyber defense?
Businesses are exposed to dramatic new risks in the cyber domain and “the cavalry ain’t coming.” We must lead accordingly.
Editor’s Note: Manner and Walker will provide more in-depth advice for leading in the age of the cyber blind spot in an upcoming issue of NACD Directorship magazine. All thoughts expressed here are their own.