Cybersecurity: Leadership Challenges in the Cyber Threat Era
Computers represent one of those rare creations in history whose unforeseen effects cascade throughout society, leaving lasting change. Emergent technology, such as the printing press or gunpowder, can challenge the status quo by creating new paradigms for how nations conduct war and diplomacy. Meanwhile, individuals charged with securing critical components of functional society—electrical grids, power plants, transportation networks—face unprecedented threats as well.
Non-state actors (like Anonymous) and cyber protagonists (men like Edward Snowden) can infiltrate networks and threaten protected data with just a smartphone, and businesses are unprepared to defend against this new and dangerous threat. Deloitte’s cyber advisor, Ed Powers, noted recently in the Wall Street Journal that among companies with more than $1 billion annual revenue, “Nearly 25 percent… are insufficiently prepared for such [cyber] crises, and just 10 percent say they are well-prepared.”
Given that any employee with a smartphone or laptop can make a company vulnerable, and given the increased rates of cyber attacks, businesses should continuously reassess their cybersecurity programs to defend their high-value assets. Cybersecurity exposes leadership challenges in the cyber threat era.
The US government is hastily catching up. Although it has a National Security Strategy, the United States acknowledges the direct challenge of defending cyberspace. Military services, like their civilian counterparts, run operations and lines of communication on a backbone of crisscrossed wires and networks. In turn they are susceptible and vulnerable across the spectrum of threats, from wannabe malicious intruders to foreign state-sanctioned cyber militias.
Although no one can predict the future with 100 percent certainty, we can take advantage of historical lessons learned by examining how emergent technology altered war and warfare. Cyber may be a new domain, but war itself is older than human recorded history—thus we are provided with centuries of information that assist in evaluating how emergent technology and rising threats have altered the face of defense and security.
One hundred years ago, European leaders sought every benefit of new technology along the battlefields of World War I. Planners used the full extent of railroads, airplanes, and radio technology for strategic, operational, and tactical advantage. Consequently, Europe was nearly bled to death because leadership failed to think differently about “how to fight.” They continued the same failed tactics over and over again and contributed to wholesale slaughter—37 million people were killed, wounded, or missing. Both sides stood frozen in a stalemate where wins and losses were quantified in yards and inches.
Information has always been a commodity: a tangible object sought by the curious, the ambitious, and the devious. Information in the twenty-first century continues to be a valued commodity, existing in the cloud and delivered through networked machines that give us access to markets on an unprecedented scale. Barriers to information are being reduced and scores of individuals are empowering themselves in this self-help era. Cheap technology has enabled millions of people around the world to be their own information broker at a sliver of the cost. But more information does not equal better information.
The constant creation of new malware means that today’s firewall advantage could be tomorrow’s disadvantage. Cyber technology has facilitated the growth of lone-wolf hackers who represent the myriad of malicious, criminal behavior coinciding with evolving technology. For example, equipment blueprints, energy infrastructure, and financial records are all accessed through a networked computer, which can become tempting low-hanging fruit for would-be intruders. Thus, it is reasonable to consider that a cyber attack on any national critical infrastructure is really the opening volley of conventional, armed conflict. Otherwise, a cyber attack on any critical component or function of society, which is not followed by conventional arms, could spoil a capability. If the juice isn’t worth the squeeze then a precious source code is wasted.
However, the steady speed of new and better technology may just outpace an organization’s ability to adapt to new technology, which begs the question: how can we prepare leaders to manage pervasive risk when the nature of the threat changes on a near daily basis? The answer is: We can’t! The current environment requires strategies that plan for attack and set objectives that contain cyber activity and then follow through with planned responses. By performing risk analysis and identifying likely targets and access points, companies can evaluate which assets need extra insulation from attack and which assets can sustain loss.
Military deterrence, as a concept, loosely parallels civilian IT redundancy as a means of guaranteeing business continuity. The Department of Defense Information Network connects the military establishment in a single backbone network. If jeopardized, military units and operators could be fragmented and vulnerable to more conventional forms of warfare. Fortunately, the military would still exist as a tangible force with plausible counter-strike capabilities, such as rifles, trucks, and other small arms. Therefore, to deter an invading force, credible counterstrike capabilities must first be known by enemy forces. Deterrence only works if everyone knows your capabilities and believes that you will use them if necessary.
Military leaders are instructed, coached, and persuaded to take appropriate action in the absence of orders, which also assumes prudent risk and disciplined initiative: concepts outlined in military doctrine and field manuals. However, the military has been operating in a networked world since Operation Desert Storm in 1991 and our military culture, like civilian culture, has grown accustomed to a digital lifestyle—becoming almost dependent. This prompts the question of whether our military could adapt to a sudden, radical shift in warfighting methodology. How would we react if our networked bubble suddenly burst? Severed from our virtual chains-of-command, our mettle would be tested to be sure, but does that equate to a defeated force?
What would be the full measure of our military capabilities in a zero-day (+1) attack? It is impossible to predict. But, defense functionality would slightly resemble the joint forces that spearheaded the invasion of Panama in 1989. Known as Operation Just Cause, the effort to remove Manuel Noriega from power provides a glimpse of US military capabilities prior to the emergence of networked computers. Nevertheless, the joint force that invaded Panama was effectively trained, motivated, and led.
It’s impossible to replicate past environments. Events in the past were shaped and formed from the experiences unique to the circumstances of the time and by the individuals making decisions in the heat of battle. The use of wireless radio made headway in World War I, but trench warfare brought soldiers together in close proximity and enabled each side to eavesdrop, thus making wireless a risky method of communication. So soldiers laid miles and miles of wire to connect various headquarters.
Realizing that constant artillery was severing wire and cutting off communications, signal officers again relied on previous methodologies and that timeless means of communication: the runner. It is likely that we will fight the next fight with the latest and greatest technology, but we should also consider war’s reality—that humans can foil technology. Despite our best efforts, we must accept that certain conditions could exist that compel us to fall back to timeless means of warfare. One of our founding fathers, Benjamin Franklin, understood this concept and suggested American soldiers use bow and arrow when faced with depleted ammunition stockpiles.
Although history helps put emergent technology into context, we really don’t know where cyber technology will go or whether or not there’s a cyber “finish line.” Despite our best planning efforts, cybersecurity comes down to a quasi-guessing game. That’s why the US Army conducts deliberate planning. We draft war plans and disaster responses during peacetime to reduce friction during conflict. We level the playing field by anticipating chaos and the fog of war and then train in it. We will continue to operate in a hybrid cyberspace ecosystem where collaborative technologies converge among fixed, mobile, and cloud platforms, where the only guarantee is that humans and technology will co-exist in a dynamic relationship.
Christopher Brill is a Lieutenant in the Alaska Army National Guard where he serves as a staff Signal Officer for the 1-207th Black Hawk Aviation Battalion. His previous assignments include Platoon Leader in a Long Range Surveillance Company and Executive Officer for a Network Signal Company. Brill is completing his MA from American Military University and conducting research in the fields of strategy, leadership, warfare theory and practice, military history, and cyber warfare. Brill’s work has been accepted at top international conferences, such as the International Conference on Cyber Warfare and Security and the European Conference on Cyber Warfare. His paper, Fight the Last War to Win the Next, was recently awarded Best Masters Colloquium in the UK. Brill’s new concept paper, The Diffusion of Information Technology: How Cyber will Reinforce the Global Balance of Power, has been accepted for presentation at Boston University in March 2016.
This article first appeared in the November 2015 print edition of Alaska Business Monthly.