The 3-Body Problem of Cybersecurity

Motivation

Recently I was watching the new series 3 Body Problem in Netflix, it was intriguing, challenging and quite captivating, but while watching my thoughts kept coming back to the challenges in my own professional world which my CISO colleagues, cyber professional and I face on a daily basis, and they seem to be totally out of control, but may be there is some way this can be explained through the laws of physics.

?Now, before watching this series, I was not particularly aware of the 3 Body problem except, probably for some remote memories from my physics classes during my undergrad from a book I picked up, and swiftly put away, not thinking it would be relevant to my work then. So, let’s start with a quick refresher for what it is, and spare you, readers another google search.

The 3-Body Problem in Physics

The universe is full of mysteries, and one of the most intriguing among them is the 3-body problem. In classical mechanics, the 3-body problem refers to the challenge of predicting the motion of three celestial bodies, such as stars or planets, based on their mutual gravitational interactions. Unlike the simpler 2-body problem, which can be solved with precise equations describing the elliptical orbits of the bodies, the 3-body problem eludes such straightforward solutions.

This problem first came to prominence with the work of Sir Isaac Newton, who, while laying the foundations of gravitational theory, realized the complexity involved in predicting the interactions among three or more bodies. Later, Henri Poincaré proved that there is no general solution to the 3-body problem, highlighting its inherent unpredictability and chaotic nature. This means that even slight changes in initial conditions can lead to vastly different outcomes, making long-term predictions practically impossible.

The 3-body problem is more than a theoretical puzzle; it has real-world implications in fields such as astronomy, space exploration, and even weather forecasting. It illustrates the intricate balance and dynamic interplay between multiple forces, which can result in highly complex and unpredictable behavior.

How does this apply to Cyber?

There are many forces akin to the celestial ones that keep forcing cybersecurity not only us across multiple directions, but also in multiple dimensions. I think, understanding the 3-body problem gives us insight into the broader challenges of managing complex systems, whether they are celestial bodies or the multifaceted demands of modern cybersecurity. Just as in the physical world, where predicting the motion of three interacting bodies is a daunting task, cybersecurity professionals face their own set of challenges in balancing business needs, regulatory compliance, and the ever-changing landscape of cyber threats.

Just as the 3-body problem in physics presents complex challenges, cybersecurity leaders face their own 3-body problem: balancing business needs, regulatory compliance, and a dynamic cyber threat environment.

The Three Main Challenges in Cybersecurity

In no particular order we deal with three major problems, among many others. These are forces that decide the course of action we follow while strategizing, implementing and operating cybersecurity programs for our respective organizations. Albeit, this is only one interpretation, I submit that my colleagues will come up with their own representation of the three strong forces they have to deal with. Nonetheless, here it is.?

1st Set of Forces: Business Needs (and Challenges)

We have to remember that first we are defenders of business, and the needs of the business is what drives the defenses that are required for it to operate in a digitally connected world of commerce and society.

Importance of aligning cybersecurity with business objectives,

o?? Supporting end customers

o?? Supporting internal stakeholders

o?? Managing supplier/third and nth party risk

Need for cybersecurity to support innovation and growth at the pace of business and market demand, more often than not, business moves at its own pace of using technology and processes that are not vetted out and due diligence not adequately performed.

Balancing security with usability and performance, especially in large environments where there is a huge mix of old and new, and it is hard to have an integrated modern security approach from end to end.

Most importantly for cyber programs and operations, align to business revenue, finance and budget cycles while cybersecurity threats do not usually follow these cycles. Business may go up and down, and with it budgets for defending the business, but you cannot increase the cyber risk during economic downturns (when cybercrime also increases). ?Resource allocation and budget constraints.

2nd Set of Forces: Regulatory Compliance?

Business of any significant size has to manage compliance and risks associated with key regulations (e.g., GDPR, HIPAA, CCPA). The importance of maintaining compliance to avoid penalties and build trust with regulators, shareholders, stakeholders is one of the most important aspects of a business. Whether privately or publicly held, stakeholders have regulatory expectation, and at many times compliance expectations, which cyber programs for productive business operations have to follow.

Organizations in todays world have to keep up with changing regulations. They have to work on integrating compliance into existing security frameworks to ensure there are synergies in controls and enforcement of those controls than having duplicate the efforts.

Especially in today’s business environment with technology disruption and fluid regulatory environment around AI and data privacy regulations, it is become even more important to keep the business up to date with the changes.

3rd Set of Forces: Dynamic Cyber Threat Environment

Threat landscape is constantly evolving. Types of cyber threats, malware, phishing, ransomware are growing every day. Staying ahead of sophisticated attacks and rapidly adapting to new threats and vulnerabilities is a daily struggle for cybersecurity professionals.

Cybersecurity solutions are not like ERP platforms for business, where there are predictable core and non-core cross functional processes that is understood by the whole of business functions. The frameworks and standards for cybersecurity keep evolving as they try to keep pace with different cyber risks. Meanwhile, the patchwork of cybersecurity tools and technologies (and sometimes widgets and gadgets) create even more holes than they tend to fix for organizations to consider themselves more secure.?

With the frequency of ransomware attacks, businesses are choosing to pay what is a small cost for getting back to business and cyber criminals keep getting richer by another few hundred million to fund their dark business. and then go back to target another one.

You don’t even have to do a cyber investigation to find out it was one of the cyber hygiene elements like MFA that was missing or not fully deployed. Most of the times, it is not the absence of the simplest of cybersecurity controls or its enterprise-wide adoption, assisted by standalone exceptions of these simple elements of cyber hygiene is what are exploited as vulnerabilities by cyber criminals.

The Cybersecurity 3-Body Problem?

Interconnectedness of the Challenges of business needs, regulatory compliance, and the dynamic threat environment needs to be understood, and strategies need to be formulated at the highest level of enterprise risk management. Scenarios for business continuity and resilience need to be planned and practiced on a regular basis.

A starting point of balancing the three forces include:

• Integrated Enterprise Risk Management by adopting a holistic approach to manage risk across all three areas.
• Continuous Monitoring and Adaptation, considering the importance of real-time monitoring and threat intelligence, and following adaptive strategies to stay compliant and secure.
• Encouraging Cross-Functional Collaboration by facilitating dialogue and active partnership between cybersecurity, legal, and business teams.

Maintaining equilibrium in cybersecurity involves a delicate balancing act. Here are some strategies:

1. Risk Assessment and Prioritization: Regularly assess risks associated with business needs, regulatory requirements, and cyber threats. Prioritize actions based on the impact and likelihood of risks.
2. Security Policies and Controls: Develop robust security policies aligned with business goals and regulatory standards. Implement controls (such as access controls, encryption, and monitoring) to mitigate threats.
3. Continuous Monitoring and Adaptation: Monitor the threat landscape and adjust security measures accordingly. Stay informed about emerging threats and vulnerabilities.
4. Collaboration and Communication: Foster collaboration between business units, IT, and security teams. Communicate the importance of security to all stakeholders.
5. Incident Response Planning and Cyber Resilience Prepare for security incidents by having a well-defined response plan.

It is not practical to expect all these to work overnight, and it is important to realize some of these practices will take time to implement, adopt and perfect, ironically by the time the three forces would have aligned in a different way, and we can only get to the next stage of maturity and evolution in the cybersecurity program to achieve a state of momentary equilibrium.

That is when we need to realize cybersecurity 3 body problem is real and have to addressed continuous as a business risk and the management of this risk of moving targets is where leadership and stewardship of cybersecurity professionals is required as the defenders of the business.

While physicists are still grappling with the perfect equation to solve for the three body problem, we have the opportunity to apply the art of managing business problems, and the science of cyber risk quantification and management of risks. Through this we will be able to move from one state of equilibrium to the next state without losing our momentum and improving the state of cyber.

This will be a work in progress for me as a cyber professional and expect that I will have support from my colleagues in the cyber profession as well as business stakeholders who we partner with. Please leave your comments on this and feedback on how we can advance our profession despite the forces that try to deter us.

Sources:

1. Wikipedia (multiple articles on 3-body problem)
2. ChatGPT, Gemini and Perplexity for outline of content and validation of thesis
3. Credit to 3 Body Problem on Netflix for motivation on this topic