The Cyber Maginot Line
cyberscoop.com


To understand the Cyber Maginot Line, you must first understand the French Maginot Line. The Maginot Line is important to military strategists because it represents one of the most damaging blunders in military history. To be fair and objective, the French are not the only ones guilty of this great strategic sin. It is a lesson often repeated in military history. The core of this problem rests in a timeless principle: the strategy must match the technology.

Bullets and compression bows made armored mounted knights obsolete. Trench warfare marked the end of straight-line military formations. You can walk carefully through any case study of the French Maginot Line to get a better understanding of the topic.

This brings the discussion to the French Maginot Line. After World War 1, the French government had many motivations to take strong military measures but was unsure of what to do. The big debate narrowed down to two camps. One side wanted to modernize the French forces, and the other wanted to build an advanced fortified wall.

The French chose to build a fortified wall the likes of which the world had never seen. This decision, though greatly flawed, was based on lessons learned from past battles. The objective was to give them time to build up French forces, but almost 10 years later it turned into something else. This is a summary, as this is an advanced topic that many military scholars have written about and debated. However, most scholars agree this was a serious mistake due to its outcome. The result was a project that took up most of the French military budget and time and did not yield the expected results.

In fact, it would be almost comical if it weren’t so sad. It’s not that the Maginot Line did not work. If you attacked it directly with any army of that time, that army would have been destroyed. The problem is that the line did not accomplish its objective.

The primary objective was to protect France from military incursion. If the objective was to destroy an army attacking the French border head on, the line would have accomplished its goals. The Germans knew this, so they used advancements in military technology to do the opposite of just that. To make matters even worse, the French knew of almost all the technology the Germans used. The French military leaders just failed to understand the impact these advancements would have on warfare if used differently. The Germans took the same technology discovered at the end of World War 1 and developed a new strategy for employing it. The strategy of the French did not match the technological advancements of the time. France was decimated and almost destroyed by the siloed thinking of uncreative military and political leaders. Warfare is not siloed or static. War is free flowing and dynamic. Leaders in charge of warfare must be of similar mentalities.

Siloed thinking and training do have their place, but at the early stages. When we are first developing and training, we segment things down to study them and understand their functionality. Eventually we must begin to integrate all the moving parts to master any subject. In the information super age, at what could be its climax, with emerging uses of AI and quantum computing, we sit at a paradigm shift that, if overlooked, could be one of the greatest strategic military mistakes in history. At the core of this shift are many schisms that leave blind spots in the cyber environments of many organizations and nations. While many may think that lack of information security and technical talent is what drives this problem, this is not the root but an effect.

The actual root cause I have found in my research and experience is somewhat binary. The lack of strategic knowledge and how to apply this knowledge tactically among technical professionals is the root of the schism. Information security has become information warfare, and many leaders still address the issue as only a technical problem. An example we can use was given today as I write this article. Chinese state-sponsored hackers attacked the U.S. infrastructure. This attack was not limited to military targets, and this happens more often every year. Few of our leaders, be they information security or political, see the handwriting on the wall.

A cyber-attack against the U.S. or one of our key allies’ infrastructures could have effects as devastating as an enemy bombing raid. These effects could have many implications on morality, politics and even the stability of the nation. I don’t have to explain for too long how technology controls everything from our drinking water and food supply to our advanced weaponry. I don’t even have to explain how many nation states combine cyber and conventional attacks. Iran does this often and Russia is doing this in the Ukraine as we speak.

I have been beating this drum for years only for it to fall on deaf ears. It often amazes me, in the face of the Ukraine war with cyber and conventional war being carried out on both sides, how little attention this is getting from information security leaders. I have been in technology since the late 90’s and have been working with senior leaders in technology for nearly a decade now. If I had a dollar for every security leader I have consulted who had no alignment of their technical work with their organization’s strategic vision. In fact, a good portion of these leaders outright rejected even the notion of the conversation.

Most of the leaders only wanted to discuss how to use technology to meet compliance and check boxes on forms to please business leaders. Many information security leaders do not recognize the fact we have entered a new era. Nation states have many ways to destabilize a nation. The proliferation of technical advancements is and has always been one of them.

A well-known example of this is Pakistan’s A.Q. Khan helping North Korea become a nuclear power. A situation like this with information technology could lead to a doomsday scenario. Let me work out a logical flow to drive this point home.

If your organization:

• Has a service that people pay money for; they do it for a reason.
• This service is important to everyday life.
• If the lack of this service would greatly decrease the quality of life.
• If this service is not easily replaceable.
• If this service is adjacent to the support of critical services, i.e. the company makes plastic that is used to make heart valves or car parts.
• If your service is critical to get any of these mentioned services from point A to point B.

If your organization falls in any of these categories, you are part of the critical U.S. infrastructure. The next point to cover is if you are an information security leader and you:

• Have no idea of your organization’s critical assets.
• Have no knowledge of the adjacent assets to the critical assets that could critically degrade them, or render said assets useless.
• Have no knowledge of your organization’s strategic goals and objectives.
• Have no idea of how your security work is directly tied into the company’s strategic goals and objectives.
• Have no idea of proactive security.
• You hear of strategic concepts like Zero Trust and Cloud Maturity Models but have no roadmap to implementation.
• If you do not believe in the importance of strategy in cyber security.


I will not sugar coat it. I will give it to you straight. If you fall into this category, you are part of a serious problem. You are failing as a security leader, but you may be succeeding as a technical leader. This puts you in the category of one of the leaders from the French government prior to the start of World War 2, and that is not a good thing. Many scholars believe real security work happens outside of compliance. This is where the concept of proactive security originated. If you are just reacting to security alerts trying to resolve vulnerabilities, you are reactive in your functionality.

Remember, we are in cyber war, not just cyber security. No nation or people have ever won a war with only defensive capabilities. This gap exists on the government side as well. We have leaders who only think in terms of military assets and fail to see the urgency of aligning our civilian and government cyber security, capabilities, and responses.

This project could be our biggest effort since the Manhattan Project. It may be a daunting task, but it is one we must take on nonetheless. This lack of strategic alignment represents our Cyber Maginot Line. Our public and private sectors can both learn from each other. I know talent shortage is a big issue and many agencies like Gartner have pointed this out. This is a symptom of our problem. I have been on numerous high level advisory boards and listened to a lot of data being debated. Two key things are universally agreed on, however.

Technology moves too fast for most universities to keep up with in their current format. The other is American students lack enough technical background to be competitive. Many of these students have no real exposure to technology despite living on cell phones and social media.

By exposure to technology, we mean foundational skills needed to learn applicable technical skills, in a competitive time frame.

If our nation and civilian sector aligned, we could:

• Have guild type organizations that mentor and train youth into technical proficiency from grade school to university paths.
• These students could then be segmented into specialties in technology and/or innovative groups under the careful guidance of high-level practitioners (instead of only university studies).
• Organize and train these students at a certain point on proactive security, military strategies, and intelligence studies.
• Have these students network with their business counterparts to produce a new age of innovation and security.
• Have programs to integrate these students into needed roles.

These things, of course, like all sciences, are just concepts and not written in stone. These concepts can be adjusted as needed and are designed to be a blueprint for what is needed. If we can avoid the tragic mistakes of the past, we could save countless lives or even human civilization. We as humans have a habit of being caught up in bias and lateral thinking. We often fail to see the madman on the horizon or in the room. Others are afraid to tell the emperor he has no clothes.

We may estimate the reaction of a nation state and count on mutually assured destruction as a deterrent. However, what if we face a madman or religious zealot, determined and well financed? If this person is determined to bring on the apocalypse by purchasing a series of zero-day vulnerabilities, mixed with superior strategic knowledge, this could be the end of civilization as we know it. This is not so inconceivable, as it has almost happened many times in human history.

Bio:

Andre Joseph is a senior multi-cloud security leader with a specialty in Amazon Web Services (AWS) and Azure. He works as a senior cyber security subject matter expert at Microsoft. He specializes in multi cloud-based / hybrid / security modernization with CASB, CSPM and SIEM / SOAR tools. Andre serves as an advisor to CISOs and senior technical leaders of various global organizations in FINTECH. With strategic road mapping and cloud maturity modeling, his work facilitates innovation. This work helps clients to use their existing tools more efficiently. Part of this functionality is to bridge the gap between business and technical stakeholders through modern security practices.
