The illustrious op-ed page of the Wall Street Journal featured talk of cyberwar again this week with “How to Fight and Win the Cyberwar.” The piece, written by Mortimer Zuckerman, rehashes some important facts: U.S. critical infrastructure, including the parts of it owned by major enterprises, is under constant attack from cyber criminals, nation-states, and terrorists.
While the piece is perhaps informative to some, it fails to deliver on the promise of its headline. Rather than detailing “how to fight and win cyber war,” it leaves U.S. enterprises with a hollow and demeaning call to action:
“This means we need a federal agency dedicated to defending our various networks. You cannot expect the private sector to know how—or to have the money—to defend against a nation-state attack in a cyberwar.” (Emphasis added.)
Beyond the unrealistic and counterproductive call for yet another federal agency, this appeal grossly underestimates the capability and responsibility of corporations to take action to protect themselves against nation-state cyber attacks.
What Companies Should Be Doing on the Cyber Front
I understand fully that many companies are not taking the necessary steps to protect their IT infrastructures from enemy attack or internal sabotage. According to Ernst & Young’s research, less than a third of global businesses have any IT risk management program in place to deal with these growing threats. But does the complexity and scope of the threat absolve them from the need to take the necessary action? Should private enterprises be immune to responsible security practices? When they inevitably sustain catastrophic damage, will it be left to the U.S. government to bail out the casualties?
Yes, there is an urgent need for government information sharing, assistance, and perhaps some government-mandated motivation. However, Mr. Zuckerman misses the point that we already have the know-how and money needed to thwart even the most sophisticated attacks.
The painful lessons learned by the victims of this week’s Wikileaks hactivist attacks suggest that more of the Fortune 500 should take a cue from BreakingPoint’s largest customers. Take, for example, the Fortune 100 bank that already understands exactly how its infrastructure would fare in the face of these attacks — because they’ve already attacked themselves. This bank and other forward-thinking companies have instituted rigorous programs for assaulting their networks with massive distributed denial of service (DDoS) attacks, botnets, and thousands of other attack permutations.
By simulating the latest attacks in the context of their own precise network and data center conditions, these customers have advance insight into whether their defenses will detect and block threats. They also understand exactly how their network and application infrastructures will perform when under attack, and have peace of mind that their data loss prevention (DLP) measures will detect any unauthorized access to sensitive information. They’ve also taken the first step toward transforming their IT staff into cyber warriors.
“Warriors”? That’s right. Much like U.S. military networks, private-sector networks are under constant attack. As such, enterprises must defend themselves aggressively by thinking and acting like the U.S. military. That includes training IT professionals in the science of cyber defense — even if their business cards will never say “Cyber Warrior.” The good news is that companies can do that today in a cost-effective and straightforward manner.
What the Private Sector Must Learn from the Military
As we’ve discussed before, a cyber range is the equivalent of a physical firing range or proving ground, where infantry, artillery, and tank troops hone their skills in weapons and battlefield tactics. The military’s cyber warriors use cyber ranges to simulate both benign application traffic and real-world cyber attacks so that they can harden their defenses and ingrain the skills they need when confronting the threats that endanger the country’s interests.
The importance of such cyber exercises cannot be overstated: without them, it is impossible for even the most dedicated IT professionals — military or civilian — to internalize the knowledge and the skills needed for rapid decision making to thwart the attacks of evildoers. Cyber strategists and commanders in the U.S. Department of Defense (DoD) and the individual military branches have become much more aggressive about cyber simulation in recent months, using BreakingPoint to develop their own cyber ranges for hardening defenses and training warfighters.
Since the same knowledge and skills pertain in the corporate world, it only makes sense that enterprises need cyber ranges to train their own warriors, harden defenses, and develop rapid responses to evolving threats. An enterprise cyber range has the power and sophistication to enable practically unlimited simulation of the scenarios that companies are facing and could face in the real world, but in a controlled environment. Just as military war games sharpen troops’ combat skills and knowledge of weapons, the scenarios created by cyber ranges enable corporate cyber warriors to hone their instincts, expand situational awareness, accelerate threat response, and develop sophisticated defenses to block attackers and protect sensitive data.
Cyber ranges also make it straightforward for enterprises to assess the risks of new technologies before they are deployed and continuously thereafter as configuration changes and new threats introduce new risks. This ongoing process of assessment gives IT buyers the ability to hold vendors accountable for the claims they make about the performance, security, and stability — the resiliency — of their network and security products. By subjecting new products and applications to the same treacherous conditions seen in the real world, enterprises can make more informed IT investments, design more resilient defenses, and risk-proof their deployment of new systems and patch updates. These best practices allow companies to build in resiliency throughout the life cycle of network and data center infrastructures.
Another critical aspect of protecting the enterprise is the prevention of costly and embarrassing data leaks such as those making media headlines right now. Enterprises have deployed sophisticated, high-speed DLP systems to spot malicious communications and transfers of private data — the virtual “needles” in the digital “haystack.” By leveraging the massively scalable scenarios and enormous quantities of unstructured data produced by a cyber range, enterprises are putting DLP systems to the ultimate test to ensure that they perform accurately and consistently, so that no sensitive data escapes the borders of the business to create a damaging breach.
A Cyber Range for Every Enterprise
Given the complex interdependencies between public and private network infrastructures, large U.S. enterprises that fail to use cyber ranges not only expose themselves to dangerous business risks, but also remain weak links in our nation’s cyber defense. Since military-grade cyber range functionality is within the reach of enterprises today, there is no reason they shouldn’t be expected to defend themselves against hackers or nation-state sponsored attacks. Companies that persist in ignoring this functionality will continue to make themselves part of the problem rather than part of the solution — and they shouldn’t expect a government bailout when they are ultimately attacked.
With this said, there is an urgent need for public-private information sharing to improve situational awareness, cyber warrior training, and defenses. Survey data shows that an overwhelming majority of critical industry enterprises are asking for government involvement. I’m sure these targets would like to have the same access to National Security Agency (NSA) assistance as Google was given when they became the target of Chinese hackers.
As the Department of Homeland Security (DHS) and the NSA work on the logistics of this task, new legislative initiatives are being considered to mandate the sharing of current threat information by these organizations. These changes allow DHS to distribute consistently updated cyber threat scenarios to businesses, which in turn must take responsibility to use these scenarios as intended: to carry out cyber simulations that build the skills their in-house cyber defenders need to repel real-world attacks. Working together with DHS will provide enterprises with a powerful ally on the cyber war front, but it doesn’t mean that they shouldn’t start harnessing the power of enterprise cyber ranges today. It’s time to take the necessary steps to harden their infrastructures — as a regular part of their business best practices, and without breaking the bank.
So, here’s a memo to Mr. Zuckerman: U.S. companies can defend against major cyber attacks, and indeed they must. In fact, the smartest ones already are. They’re not counting on a government bailout after a cyber catastrophe; they’re actively preventing the catastrophe in the first place. All that’s left now is to get more companies to follow their lead.
Des Wilson is the CEO of BreakingPoint Systems.