There is no single solution to cybersecurity concerns. Technology is advancing, but nothing can replace solid planning and training. All three pillars are necessary to balance cyberthreats. If too much emphasis is placed on one pillar, the vulnerability gap will expand. Ensuring the constant growth and evolution of this trilogy is currently the best way to thwart threats that are ever evolving.
Americans habitually look for a technological fix (a “silver bullet”) that will solve whatever problem arises, which includes cybersecurity concerns. Although cybersecurity is the ultimate in high-tech issues, a perfect technological solution does not currently exist. So, technology cannot simply replace good planning and training.
If technology is not a panacea, then something else needs to be done to provide adequate cybersecurity for organizations, families, and individuals. It is fundamentally necessary to provide training and invest time and energy in emergency or crisis management planning in order to mitigate current risks. Neither aspect is terribly expensive, but finding the time and resources to plan and train can be inconvenient. Without training, all the technological investments in the world will not provide adequate protection, and systems will be vulnerable.
Future Solutions & Current Training This is not to say that there will never be a viable solution. The government and particularly the private sector are currently investing huge amounts of research capital in efforts to find that silver bullet. For example, in the past 10 years, IBM Corporation has spent almost $2 billion on research and development related to security. If the silver bullet – whatever that may turn out to be – can be “attached” to a network, or run on machines, it would allow operations in the cyber domain to be free from hacking, cyberattacks, and data theft (be itentities or intellectual property).
The value of such a discovery would be astronomical, but it has not yet been found; and it is not likely to be found in the short term. In the absence of perfect protection, a proactive approach to emergency or crisis management is necessary and involves three critical parts: (a) train personnel; (b) plan well to achieve a level of resilience that allows organizational functions to go forward despite an attack; and (c) maximize the best, less-than-perfect technology solutions available, updating with great regularity and sufficient frequency.
Looking at the seminal Mandiant Intelligence Center Report (“APT1: Exposing One of China’s Cyber Espionage Units”) on Chinese government hacking, it is clear that, although the Chinese are very sophisticated, their most consistent entry point to hacked networks has been old-school social engineering. A well-constructed spear-phishing attack has been China’s primary method. To thwart such attacks, personnel must be trained beyond the infantile, compliance-driven, online drivel that passes for annual training in many cases.
Training must be rigorous, dynamic, and relevant to job responsibilities. Without that and without the management staff participating, the message is clear: security training is not important. A highly trained workforce will not stop all cyberintrusions, but it will stop a lot more than an untrained workforce could prevent. This is the foundation.
Vital Questions & Viable Solutions Next, the highest levels in the organization must realistically plan, asking vital questions, which include:
How will we react when (and not if) we are attacked?
Do we have backups?
How will we shift duties to fix the problem and continue executing our missions?
Who is in charge should a breach occur?
These questions and more should not be decided upon after an information technology infrastructure has been attacked. Investments in planning before an attack result in much better decisions and actions when needed, which greatly increases the overall resilience of the organization.
Once the “human” factors of training and planning are addressed, it is time to invest in the best technological protection that fits the company’s organizational model and budget. Again, this may not prevent an attack, but it will stop many who wish to do harm. There is a greater return on security investments when equipped with a trained workforce and a good remediation plan than with only protective devices and software on the network as a defense strategy. With solid research and good counsel, investments in technology would reflect a continual process that facilitates the evolution of protective assets as the threat environment changes.
The bottom line is simple. Investments in technology alone do not sufficiently protect networks and remove the need for good training and dynamic, insightful planning. In today’s highly competitive cyber arena, a myriad of potential enemies are targeting security gaps. Without all three pillars – planning, training, and technology – an organization is extremely vulnerable. This vulnerability is unnecessary and unacceptable.
Steven P. Bucci, Ph.D., former Green Beret, is director of the Allison Center for Foreign Policy Studies at The Heritage Foundation. He also is an adjunct professor of leadership at George Mason University and an associate professor of terrorism studies and cyber security policy at Long Island University. He serves on the advisory board of the MIT Geospatial Data Center and is an advisor to the Prince of Wales/Prince Edward Fellowship program at MIT and Harvard. He previously served as a lead consultant to IBM on cyber security policy and as a special forces commander in the U.S. Army, where he assumed the duties of military assistant to Defense Secretary Donald H. Rumsfeld. After retiring from the Army in 2005, he served as deputy assistant secretary of defense for homeland defense and defense support to civil authorities at the Pentagon, and was the primary civilian overseer of U.S. Northern Command.