The current US presidential administration is taking action following a wave of ransomware attacks that have targeted US critical infrastructure and organizations such as Colonial Pipeline, Nocona General Hospital and Wiregrass Electric Cooperative. Their actions have included issuing executive orders; building on engagements with the National Institute of Standards and Technology (NIST) in addition to industry partners such as Microsoft, Google and IBM; and appointing senior leaders throughout various government agencies responsible for cybersecurity. However, as the dynamics in a rapidly evolving world shift, so should the mindset of security professionals, risk managers, C-suite executives and technology practitioners when it comes to defending the systems they are tasked to protect.
Not our problem?
In my undergraduate criminal justice courses, I was introduced to the concept of “not in my backyard (NIMBY).” Essentially, practitioners tend to feel safest when bad actors are “over there.” I have found that, often, if a cyberthreat attacks another country or industry sector, leadership is content to say, “not our problem.” This was until recently when cyberattacks began to threaten critical infrastructure and the government became awakened to the reality of the threat of poor cyberpractices to the country.
A cyber Pearl Harbor
In some ways, the Colonial Pipeline attack felt like an attack on the United States because of the consequences it caused across the country. But these types of attacks are not just happening in the United States. Cyberspace is global, and the attack in Estonia in 2007 should have been our wake-up call—then maybe the pipeline attack could have been prevented. However, we cannot live in a world of what-ifs, and the positive is that American leadership is addressing the cyberdomain and its security issues. Working to invest in the safety and security of US critical infrastructure will be a massive step forward.
Breaking your opponent
In a tennis match, breaking an opponent's serve when down 5 to 4 can swing the momentum of the match and ultimately decide whether there is a chance to play another game or lose the set. Unfortunately, in cyberspace, not every vulnerability that comes across the scanners can be prevented. However, we can deter the opponent from targeting critical systems through persistent engagement, being proactive rather than reactive and staying in the game when it matters.
Defending forward
As highlighted, organizations should set an objective of defending forward rather than waiting until they are engaged in a digital confrontation with an actor or adversary. More time and effort should be dedicated to disrupting an attacker’s game plan. If that happens, the opponent will be forced to call audibles, remediate vulnerabilities and spend less time running offensive operations. This requires a well-balanced approach between prioritizing the security of systems while simultaneously disrupting the playbook of the opposition.
Editor’s note: For further insights on this topic, read Roncs Etame-Ese, Daniel Odei, Sean Manning, Eric Mavakala, Andrew Hall’s recent Journal article, “US Policy on the Use of Force in Cyberspace,” ISACA Journal, volume 5, 2021.
ISACA Journal Turns 50 This Year! Celebrate with us—and don’t forget you can still receive the print copy by visiting your preference center and opting in!