US Cyber Risk & Patton’s Vision: Critical Crossroads in the Sands of Time

Our country sits in the dangerous digital crossroads of national security, economics, and geo-politics. This year, 2016, the year of the data breach, sits as the blinking caution light in this dark intersection. Cyber is the very nexus of US national power. The current approach to secure networks and reduce cyber risks is failing. Nation-state peer competitors have crowdsourced a global digital insurgency that attacks all facets of our country from our families, to our jobs, to finances, to our government. Despite consumer-driven indicators to the contrary, we do not live in digital civil society. Rather subtlety, the hundreds of millions of drivers traveling down the information superhighway from 8 to 81 years old are closer to driving on Route Irish then Route 66. In order to reduce US cyber risk, industry and governmental leaders need a new approach to deny, disrupt, defend, and pursue. Leadership matters most. The urgency is not driven by fear or aggression; it’s gravity.

Our critical need to reduce US cyber risk by denying, disrupting, defending, and pursuing cyber threats isn’t driven by fear or aggression, but by gravity.

In 2002, while walking down Chicken Street in Kabul, Afghanistan, I had a powerful sense that I was walking through the sands of time. From shop to shop, I saw an array of items from Russian forces, to pristine 1860’s British Enfield rifles, to the short sword I purchased with the royal stamp of both a Persian king and Arabic inscriptions… With each item, I felt a looming humility and connection with the other soldiers who walked down this same street across thousands of years of history.

Though President-Elect Trump’s choices of retired general officers for top posts may be concerning for some, former senior military leaders offer unique perspectives not shared by most career politicians. Our military education and professional experience, especially during the last 16 years of war, teaches that the human consequences of leadership echo across time. Empires can fall. Freedom, democracy, and capitalism can become dusty artifacts in a forgotten past. Properly framing cyber risk is crucial in asserting our national interests and addressing our digital insecurity.

General George S. Patton is a man of legend. Perhaps it is time for some Patton-esque attributes in our cyber leaders. If we peel away the deep flaws, General Patton’s love for his country and sense of certainty gave him uncanny insight and boldness of action. These were compelling forces pushing him through risk and the fog of war. As he drove across the battlefields of his time, he envisioned past battles fought, won, and lost before him. Perhaps this provided him a deep sense of soulful humility, relentless energy, and also the fuel for victory. Soulful humility isn’t often attributed to Patton, but it is a very humbling experience to be driven by bold purpose and know that nations like men stand at fateful crossroads. Choices define destinies, armies fight battles, and the fallen are covered by the sands of time.

Digital insecurity is the greatest threat to US national power in the history of our nation. We face a ubiquitous digital threat and endure ubiquitous digital vulnerability undermining our national security, bleeding our economy, and jeopardizing our leadership in a global geo-political chess match. Restoring US digital integrity and mobilizing a sustainable cyber defense will take a coherent assessment across all the elements of our national power. It is cyber governance and cyber organizational risk management on a massive scale, spanning across private, public, industry, government, and military needs, concerns, risks, capabilities, legalities, and potentially overwhelming challenges. US cyber risk reduction requires leading without the authority to do it all…but getting it done anyway.

Reducing US cyber risk requires leading without the authority to do it all… but getting it done anyway.

As we stand on the sands of time, perhaps the moment has arrived for us to embrace soulful humility, decisiveness, uncanny insight, and boldly turn towards the enormous challenges cyber risks and vulnerabilities threatening America. Brilliant, but not without controversy, General Patton envisioned his life in seven epochs across time. Let’s use our imagination and those epochs as useful vignettes for engaging the complexity, enormity, ubiquity, and necessity of the cyber challenges before our country.

Cyber risk is far more than information technology. Internet facing technology and data function as the nervous system, backbone, and the muscle of the US economy. The year 2016 may be known as the year of the data breach. Our lives and our businesses have been virtually exposed in a hostile world filled with nation-state competitors, criminals, malcontents, idealists, guardians, corporate giants, family businesses, all employees, all customers, and all patients. The global economy looms. The darkweb grows. Our global competitors enrich themselves as American businesses and the American people are stripped of trillions in terms of real dollars and intellectual property. All this is hidden behind a dark digital curtain. No one really knows how much has been stolen, usurped, and transferred. Think about that for a moment as we stand hungry on a frozen landscape, armed with a spear, before a giant angry beast. It’s dinner or our death, and we have to make a choice.

Engaging the challenges of digital insecurity is a matter of economic survival. Some experts estimate that 95% of all cyber risk is based on human and organizational behavior. Leadership is required to assess, mitigate, and reduce organizational (cyber) risks far beyond IT departments. An over reliance on technology to compensate has and will fail. An organizational approach to cyber risk views the network as the backbone of defense and vulnerability stretching across the entire organization.

Cyber risk is substantially influenced by culture, policies, procedures, compliance, technology, and people. Recognizing the powerful interdependence is paramount to substantially reducing US cyber risk. Recognizing the vast distinct differences in reducing organizational cyber risk and nation-state cyber risk…a successful hunt always begins with the fundamentals. Understand our risks and opportunities, develop a plan, mobilize resources, choose agile and decisive leaders, who embrace accountability, and begin.

Cyber risk is substantially driven by culture, policies, procedures, compliance, technology, and people. Recognizing the powerful interdependence is paramount to significantly reducing US cyber risk.

Start with forming a Coalition of the Willing and developing a coherent strategy built on a common NIST cyber security framework and integrating the necessary principles of unity of effort and unity action. All industry, private, public, and government networks endure persistent and ubiquitous cyber risk. The challenge does not get bigger than that. Separated and disjointed, cyber risk escalates at the logarithmic rate of growth of the network. When unified efforts look at cyber risk comprehensively, risks are manageable, culture is transformed, procedures are aligned, security policies reinforce strong culture, and networks are defendable. They stand capable of affecting a formidable defense.

The Greeks fought with tremendous ferocity to defend their country from the overwhelming Persian armies. They were free men strengthened by their love of country and love of family, unified by desperation against an invading army. Their fighting formation was the phalanx. The phalanx unifies purpose, strategy, shield, sword, and spear against the enemy. We need to consider these useful methods as metaphors to reduce our cyber risk, harden our digital defenses, and mobilize effective downside risk to attackers and criminals. Nature teaches there is strength in numbers and in a common defense. We recognize and embrace that freedom is the fuel of democracy. Balancing the risks to freedom, as we defend it, is an absolute imperative to protecting our democracy as we defend it.

The headlines demonstrate and millions of breached accounts have proven an over-reliance on technology will fail. Alexander the Great lay siege on the city of Tyre whom was protected on an island in the middle of channel with high walls and formidable defenses. As Alexander stood on the shore, he ordered his forces to sail across the channel, land and attack. The obvious choice, and the obvious choice was well-defended. Alexander the Great took the path of least resistance and failed. Eventually Alexander decided to innovate and drive the hard solution…build a bridge across the channel to the island, combine tactics with tall infantry siege towers, and include a ship assault. Tyre fell.

In this same manner, cyber risk management must take a system of systems approach to cyber risk reduction. Comprehensive organizational risk management needs a sustainable path forward, which transforms the organization’s cultural and those changes are reflected in people, procedures, policies, choices, and actions. Industry and government partnerships can build alliances to integrate purpose, people, processes, technologies, and procedures. Through NIST, we can provide a coherent strategy for commercial products to integrate into a sustainable defense. It is in the best commercial interests of all. Without significant improvements in cyber risk reduction, the cyber security industry will commoditize itself through failure. Chain link fences have limited value.

True Defense in Depth is beyond IT. It must be led across the organization, driven beyond an aspirational goal into reality by results. This is articulated and achieved not through the voice of technology, but by power of leadership. Thinking in terms of National Cyber Risk Governance, a common strategy must be complimented by security policy, compliance, regulation, which hardens defenses and improves attacker attribution. It must be more difficult for attackers to be successful, and attacks must substantially increase the personal risk of the attackers. These integrated actions will increase the resilience of the defenders. Sometimes you build a bridge, and then sail a boat… but we must effectively use the sword and shield in both.

Become Hannibal to defeat Hannibal. At the time, Rome sat in the greatest seat of power in the western world. No greater standing army or navy in the world could match them. The Roman army and navy dared any challenges to face them by land and sea. Yet in arrogance, they sat waiting on their challengers from every direction, but north, through an impenetrable wall of mountains. They believed the Alps would provide their defense from a northern invasion. Hannibal had the audacity to turn their belief into a great weakness. Like the Alps for Rome, if the United States believes technology and global interdependence to be its greatest defense, then for certain attackers are using this belief to create the attack path for our defeat. We live this reality in real-time…with every keystroke, in every home, in every office, and now every dishwashing machine that is connected to the Internet. Hannibal lives today with the ability to attack any computer, on any network, in any location in the United States from anywhere in the world. We must recognize this reality and become Hannibal to find Hannibal, before he finds us.

To be a Legionnaire is to be a part of something greater than yourself. Anonymous and other hacker communities stand united in a common cause. There is no tougher job, than defending a network from the locusts of threats and threat actors. CIO’s, CISO’s, and their network admins endure a daily siege, responsible for the defense of our infrastructure, enforcement of inconsistent policies, managing runaway technologies, manning labor intensive defenses, blinded by false negatives, and deafened by false positives. CIO’s and CISO’s voice their concerns, fatigued by failing technologies, overwhelmed by Frankenstein networks built with the urgency of the surge, but without the strategic considerations necessary to support an effective defense. In some cases, the architecture of yesterday, is the frustrating challenge of tomorrow.

Where is our cyber Julius Caesar who calls us to stand and fight? Remind us of the greatness that is Rome, and the common cause, which inspires us beyond compensation. We are not legion, the demons that haunt us in the matrix, but Legionnaires, those who choose to stand against the barbarian horde and defend all that is Rome, an every day struggle. As Julius Caesar so famously rallied his troops, so are hundreds of thousands of network admins tired of fighting alone in the trenches. It is Julius Caesar who reminds me to sharpen my sword, as he reminds my Captain to lead me from the front and by example.

Julius Caesar said once, “It is easier to find men who will volunteer to die, than to find those who are willing to endure pain with patience.” Yet our security policies tie the hands of the defender and often aid the advantage of the attacker. When will someone see cyber risk management as what is…the heat of the battle, yet also the long war against an agile and relentless attacker? How then can we rally our troops to fight and defend with the same heart as they would defend their families, their friends, their communities, and the Nation? The only difference, is all the difference… As our global adversaries have crowdsourced our plunderers, so can cyber leadership rally and crowdsource our defenders. It’s happening already. Inspire their vigilance. Inspire their commitment. Inspire the defense of a Nation, and for the precious things in their lives worth defending.

French and English forces gathered on the freshly plowed fields that would soon turn into a bloody, muddy mess. At the Battle of Agincourt, though historians disagree on the specific numbers, the French far outnumbered the English. The English should have been slaughtered, yet the English soundly defeated the French. The English long bow prevailed over far superior numbers of French cavalry and infantry. It is this decisive engagement that named artillery the king of battle. At the intersection of US national power, the digital long bow of our adversaries will prevail if unanswered and poorly defended. Reducing US cyber risk requires we embrace this truth and begin to answer the threat with a new approach.

Michael Ney, a Marshal of Napoleon was described by Napoleon himself as, “the bravest of the brave.” Love of France was the fuel, which inspired both men to greatness. Ney would be caught in the turmoil of the French rip tide between monarchs and Napoleon as General, and Napoleon as Emperor. Ney’s service to country would push him into the higher conflict between loyalty to men, and the necessity to limit their power. In the end, Ney’s dedication and years of service in the crucible of battle were thankless, and he would face a firing squad made up of his own men. With a lion’s courage, he ordered his men to fire, standing before them eye to eye without a blindfold.

Embracing the call to reduce US cyber risk won’t end so dramatically, but the lesson reveals the tremendous challenges ahead to make an impact. All the effort will likely be thankless. From the digital trenches to the highest leaders, reducing US cyber risk means embracing the long hours, the difficult path, the Gordian knots, Herculean tasks, and the relentless accumulation of a thousand small win/wins to make a difference. The reality of enormous task at hand, is it isn’t likely to be appreciated by many, but that doesn’t mean it’s not worth doing. On the contrary, George Patton and Marshall Ney would likely agree, the people who answer the call not from fear, or aggression, but gravity, are the most likely to succeed. 

This article was originally published in the Huffington Post