Modern cybersecurity begins with Odysseus. After all, it is not coincidence that “Trojan” malware derives its name from the Trojan Horse that Odysseus invented. But the lesson doesn’t end with interesting names. The real lesson of Odysseus was that even the tallest, strongest walls could be breached. Maybe not directly through brute force, but there is always a way in when enough motivated builders and warriors come together. Especially when people are involved, there is always a way to exploit human weakness—whether for Greek gifts 3,000 years ago or Nigerian princes today.
The lesson for cybersecurity is that remaining purely defensive is impossible. Defenses will always be breached. Therefore, to limit the frequency and scope of cyberattacks, governments need to pair defensive and resilience efforts with a focus on adversary decision-making. By coordinating major levers of national power to influence adversary decisions, governments can help reduce the number and size of attacks that their defenses must cope with.
However, this approach is not without its challenges. Coordinating efforts across government and industry at the speed and scale required in today’s cyber landscape risks stretching many government organizations to the breaking point. To prevail against today’s cyber threats, government should take another page from Odysseus and consider how innovation can help them succeed. In this case, innovation is not a hollow wooden horse, but the processes and tools that can enable coordination of a huge array of stakeholders in hours or even minutes. These may be significant organizational shifts for government; but if done correctly, they can achieve today what might otherwise seem impossible: insulate government networks from massive cyberattacks.
DRIVERS OF CYBER INSECURITY
The cyber landscape is being pulled by two seemingly opposing forces: connection and splintering. On one hand, advances in technology are enabling greater connectivity than ever before. On the other, national interests such as technology independence are increasingly splintering that connectivity into balkanized zones. For example, isolated by their Sovereign Internet Law and Great Firewall respectively, Russia and China have developed very different technical ecosystems. This balkanization can make cyberattacks appear more attractive, as nations can attack technologies that they do not rely on.
The shifting technological landscape has fundamentally altered when and how adversaries decide to attack. The perceived advantages in limited consequences and difficulty in attribution have increasingly made cyberattacks an option for nation states and criminal gangs alike. One natural response may be to try and better predict when and where attackers will strike. But this is largely impossible, given the size and complexity of cyber. Rather, to effectively counter today’s threats, governments should seek to shift the decision calculus of attackers and keep them below the threshold of deciding to attack in the first place.
CYBERSECURITY NEEDS AN ADVERSARY FOCUS
Before the bytes fly downrange, attackers need to decide that attacking is in their best interest. There are many ways to categorize what goes into that decision—capability and intent, need, legitimacy, confidence, and so on; but if government understands that decision-making process, it can bring to bear tools from across government to push adversaries toward seeing an attack as not in their best interest. For example, information operations by intelligence agencies can influence perceptions of legitimacy, while clear military signaling can deter confidence that the adversary will get away unscathed by counterattacks. Even law enforcement actions that take down key capabilities such as malware marketplaces can reduce an attacker’s ability to successfully execute an attack.
In an effective adversary-focused strategy, these diverse government actions should be calibrated to push a specific adversary’s decision calculus below the threshold of action. All this needs to happen at speed and while respecting the laws and liberties of each area where agencies operate. That level of coordination may be difficult for some government organizations and achieving it at the speed and scale of cyberspace in the current system may be even harder.
THE BARRIER: COORDINATION AT SPEED AND SCALE
Traditionally, the scale of government coordination has been limited by the complexity of coordinating schedules, so that all relevant stakeholders can get together in a conference room. This sets up a trade-off: coordination could be quick with few participants or slow with many participants, but not quick and at-scale.
Breaking this trade-off means introducing innovative tools and processes that can allow large numbers of participants within government and even industry to coordinate and share ideas in near real-time. Such innovations could include:
- A shared cyber operating picture common to government and private industry
- Human-AI teaming to route and make sense of huge volumes of shared information contained in that shared operating picture
- Visibility into the interdependencies inherent within software and hardware supply chains to illuminate where shared risk exists
But more than any specific technical innovation or tool, what can help government to coordinate at speed and scale is a change in how government leaders think. Organizational changes such as shared rotations and joint offices could potentially encourage a common culture across government cyber organizations. By seeing other agencies and the private sector in a common light, agencies would be more likely to share information, act on others’ tips, and coordinate actions to have the desired impact on our nation’s adversaries.
These recommendations are just the start. To read more about an adversary-focused approach to cyber and how government can overcome the tyranny of complexity, read our recent research report from the Deloitte Center for Government Insights. Cyber is hard, but so is breaking down city walls. If Odysseus could do it with just some wood and an idea, surely government can help make our world more secure today.
Jesse Goldhammer is a managing director with Deloitte & Touche LLP. Joe Mariani is a senior manager with Deloitte Services LP’s Center for Government Insights. If you would like to learn more about Deloitte’s Government & Public Services (GPS) practice, please visit our career opportunities page.