COMMENTARY
Virtually on Our Own
Digital integrity simply means, keeping our data, ours. Sustaining the digital integrity of our nation’s private and government systems in governance, finance, industry, defense, healthcare, goods and services is essential to our national security. In a digital age, US national security is dependent on cyber security technologies’ ability to protect, deny, and defend our private and government networks from attack, intrusion, corruption, and theft. In a nation of ubiquitous cyber risk and unimpeded attackers, we are all ‘virtually’ on our own.
“Vaastav Men”
The word for ‘truth’ in Hindi can be translated as “Vaastav Men” or the “the truth as we find it”. Consider your fill-in-the-blank answer to the National Security Quiz in the box above. Then answer the question with a ‘Yes or No’. In a digital age, there is no national security without digital integrity, and no digital integrity without effective cyber security technologies and policies. My prior article made the case, that Russia and China are successfully crowdsourcing the fall of America’s sovereignty. Our nation endures ubiquitous cyber vulnerabilities with very little threat of consequence to a determined foreign attacker. An attacker who has the time, attention, and hubris to target ANY network, in ANY institution, ANYWHERE has very little downside risk. The takeaway of the article is simple. The United States of America without an ability to enforce digital governance and defend the digital integrity of our government and private enterprises has no enduring sovereignty. In a digital age, this harsh reality is as unacceptable, as it is undeniable, and should sting a bit. “Vaastav Men”.
Digital Crimes Without Consequence, Digital Victims Without Effective Defense
The convergence of digital and physical world co-dependencies at every level of our lives seems to substantiate three dueling cyber security critical needs effectiveness, simplification, and consequence. These critical needs compete in an extremely predatory digital world of complexity and vulnerability, floundering within a broken US cyber policy paradigm. At its core, cyber security is control of the network through various means and methods of network governance, enforcement, and integrity. Network governance is an analog to law and order in our neighborhoods, as is enforcement is to civil and criminal consequence for attackers. In reflection of the first two concepts, digital security simply means the data that is OURS is uncorrupted and beyond the access of unauthorized persons, and remains within the governed use of authorized persons. Forbes reports the global spend on cyber security is expected to rise to over $170 Billion by 2020 and the global costs of cyber attacks to risk over $2 Trillion. Many estimates double and triple those costs. The take away is simple math. Cyber crime really does pay, and we cannot spend our way out of the problem. The only path forward toward effective cyber security are significant changes in policy, consequence, and a new approach to defense.
Certainly, cyber security is far more than “just” securing data and networks. The US critical state of persistent cyber insecurity is an outcome from America’s over-reliance on cyber security technologies to “fix” the problems. Leadership matters most to drive towards ‘”fixing’” our broken systemic and management weaknesses. A sustainable network defense must integrate people, process, AND technology, so must an effective national defense. Cyber security technologies only play a roll in addressing the inherent weakness in traditional approaches to securing data and networks....in securing a nation. Yes, it is a hard problem. As a nation, we are confronted with an unstable world and emboldened cyber adversaries, it is a national security imperative.
Effective Digital Defense is a Supply and Demand Problem
Cyber insecurity is a supply and demand problem. There are too many poorly defended victim networks with too little risk of consequence to adversaries, and too high a pay-off for attackers. US private and government networks rely on the effective defense by a precious few experienced security analysts. They are constrained by time and attention. They fight against too great a supply of automated attack vectors. Those automated attack vectors are unconstrained by time or attention. It’s human network engineers vs. machine attackers. In cyber security, the house always seems to lose.... to the tune of trillions of dollars burglarized out of the US economy. That means jobs, bank accounts, and growth are being looted like a teenage flash mob at a mall. These losses strengthen and enrich our enemies. Digital thieves operate as modern day pirates with impudence under the protection of nation-state adversaries or corrupt foreign governments. Unimpeded, the numbers of attackers will only grow.
We Do Not Live in a Digital Civil Society
Most businesses address cyber security with commodity technologies and services. This approach is sometimes based on a convenient notion of digital civil society. A digital civil society enjoys the luxury of law and order, enforcement, and consequence. Like your safe city in rural America, they are presented with the occasional cantankerous and mischievous digital misfits, who vandalize, steal, and disrupt digital lives and digital commerce in their free-time. Cyber crime has evolved into a very sophisticated criminal enterprise, augmented by crowdsourced criminal opportunists acting like a massive plague of locusts, overwhelming cyber security defenses, and feeding on victim networks. At the other end of the spectrum, poor performing hyper-vigilance and overly complex approaches to cyber security are not helpful or sustainable either. In the real world, most company network teams are struggling to keep up, and constant fire alarms for malicious threats are shut off, false or not. Most companies do not have a budget to hire or retain highly skilled security analysts. Cyber security is often resourced on the fanciful movie mashable of Pirates of the Caribbean, Pleasantville, and Office Space, yet, nothing could be further from the truth.
Driving Route Irish in an Ice Cream Truck
As homeowners should not have to buy tanks to keep themselves safe while driving through their neighborhood, neither should private companies endure the rapidly escalating costs of defending their networks against nation-state actors. Cyber insecurity is a critical national security interest and the responsibility far beyond individual and corporate resources. As a nation, we have approached the problem of defending a network within the false technological weltanschauung of a digital civil society. Not only is the approach failing, but it squanders precious resources and exacerbates the vulnerabilities. Those failures are feeding the monster and making it stronger, and fueling growth in cyber criminal enterprises.
Within a digital civil society, an owner of a network or data can enforce their will through reasonable means in order to prevent the intrusion, access, vandalism, exploitation, and theft of their data. We live in the digital equivalent to Baghdad in 2005, when the world’s greatest military power was being chopped down to its knees by a nation-state sponsored insurgency. Though we mount a cyber defense as if in a pollyanna digital world, most professionals, companies, and even government organizations quietly feel like they are driving down the most dangerous road in the world, Route Irish, in an ice cream truck. Continuing with this mismatch in resources vs. threat, failures are fueling an internalized sense of futility or learned helplessness, many are calling cyber security fatigue.
Cyber Security Fatigue- “What difference does it make.”
Devastating revelations in recent years of seemingly unrestrained US cyber intelligence collection activities combined with a constant high-volume of headline grabbing breaches reinforce a sense of digital helplessness that implies, “Nothing can be protected, so why even try.” At the same time, government network security compliance and enforcement seeks to drives out complacency through harsh penalties to individuals, corporations, and organizations within their reach. With great irony, private networks try to keep their data secure, yet when they fail to do so, face speedy consequences as cyber thieves and threat actors pursue their insidious exploits with little risk.
Stuck Between a Server and a Hard Place
Cyber criminal enterprises and threat actors are integrated into a larger geo-political chess match as viral virtual proxies whose purpose is to drain the life out of the US economy and destabilize our country. The Cold War was fought through proxy conflicts and surrogates on foreign lands and jungles. Today’s front line for a cyberwar is our retirement funds, corporate boardrooms, university research labs, hospital operating rooms, and our checking accounts….EVERYWHERE and ANYWHERE, we are attacked and vulnerable, yet our means and methods of accountability, justice, or even retribution are vacant. We stand at the edge of a great precipice, where cyber security is national security, and there is no national security without cyber security. Our cyber security weakness is radioactive....globally.
A Call to Action
Cyber security as an industry in the context of a digital civil society is a broken paradigm. A new approach is required. Digital integrity must be an enforceable reality. The strategy, technologies, means, and methods for protecting, and presenting consequences in the defense of our private and public networks must adapt to face this reality. Leadership is required to rally those with the knowledge, skills, and abilities to develop the strategy, technologies, means, and methods to defend the digital integrity our private and government networks, as they also defend the sovereignty of our nation. Cyber security professionals and network administrators have found themselves at the cutting edge of battle of the most ubiquitous threats and vulnerabilities our country has ever faced. In response, we should tackle the hardest parts of this critical situation in policy, vulnerability, and consequence, first. If Russia and China, can try to crowdsource our fall, then so can America crowdsource our fight back. Cyber security’s first line of the defense is…you and me. Data integrity and network security are national security imperatives. We just have to have the will to fight and the will to lead.
Can we sustain our nation without digital integrity? No.