To say our country is at war with cyber criminals is an understatement.
The onslaught of attacks is relentless, and the numbers are staggering. Last year, 800,944 cybercrime-related complaints – or nearly 2,200 per day – were reported to the FBI’s Internet Crime Complaint Center. While the number of complaints dipped by five percent, the dollar value of potential losses skyrocketed 48 percent to $10.2 billion.
It seems that each day we hear or read about a new breach at some of our country’s most venerable private and public sector institutions. In mid-June, for example, Russia-linked criminals breached several federal agencies. Among those agencies was the Department of Energy, which oversees our country’s nuclear weapons - and whose cyber defenses were breached two years earlier.
Recognizing that our country is in an unending war, lawmakers have proposed more funding for cybersecurity for fiscal year 2024, earmarking $13.5 billion for the Pentagon and another $12.7 billion for other agencies. The recommended funding package includes $3.1 billion for the Cybersecurity and Infrastructure Security Agency, which would represent a modest $145 million bump in the agency’s current budget.
That is a positive step forward, but here is the problem: Our federal government has a long history of being obsessed with compliance-related rules and regulations. That mindset thwarts progress for a couple of reasons.
- First, our adversaries do not have compliance standards to meet. They only care about winning each battle and causing maximum harm.
- Second, a compliance mindset is reactive rather than proactive. With each successful breach, policymakers seek to “fix” the problem through improved compliance. It is a slow and ineffective approach because by the time new standards are approved and implemented, threat actors have found other ways to bypass the new safeguards. There is a long and growing list of organizations that met compliance standards, yet fell prey to criminals.
- Compliance is the lowest rung on the cybersecurity ladder that also includes maturity and, at the top, effectiveness. The obsession with compliance has another negative consequence. The cost, in time and money, can be so burdensome that businesses decide not to participate in federal contracting opportunities. It is a barrier that prevents some of our country’s skilled cybersecurity talent from working on improving our national defense.
The federal government needs to work closely with defense contractors so our country can move beyond compliance and maturity and achieve effectiveness. Here is how you do it:
1. Know what assets need protection and the capabilities of your cyber defense resources. Many cybersecurity strategies begin by creating a list of what technology and compliance standards are required to prevent breaches. There is a better approach. Instead of creating a checklist of every conceivable weakness in your cybersecurity defenses, focus on identifying the assets (data, intellectual property, trade secrets) you want to protect and the resources you have in place (software, servers, networked devices, cloud storage). This information will be instrumental in building a comprehensive plan to safeguard those assets.
2. Establish a design basis threat. A design basis threat (DBT) is an assessment that identifies specific threat profiles that your cybersecurity initiatives will be designed to defend. Collect all relevant intelligence, including a review of past cyber assaults and responses, and analyze the characteristics of potential threat actors. This legwork facilitates establishing a detailed plan to protect assets and respond to attacks. It will also help you filter out noise and reduce time spent reacting to false alarms.
3. Determine your performance baseline to measure progress. It can be difficult to achieve high-level organizational goals in a timely manner if you are unable to measure progress. Establishing a performance measurement baseline helps everyone on the team know if the organization is moving forward or falling behind. The baseline provides managers and leaders with a clear-eyed assessment of success in building a resilient cyber defense.
No organization can achieve 100 percent protection from a cyberattack. The tools do not exist. With each passing day, the pace of technology accelerates, and our adversaries improve their capabilities to evade our defense, steal our confidential data and hold companies hostage.
The only way to fortify our defenses and maintain our cyber resilience is through a focused, deliberate strategy that places more importance on effectiveness and less on compliance. When that happens, our assets and resources will be better aligned, integrated and protected from our enemies.
Jeffrey Engle serves as the standing President and Chairman at Conquest Cyber. He received his certification in cyber risk management from Harvard, CISM, CRISC, CDPSE and is one of the youngest members of the most elite Special Missions Unit, with 2 Bronze Star Medals, Purple Heart, Army Commendation for Valor, and 12 Deployments.
