EPISODE II.5 – Modified Weinberger-Powell Doctrine
27 MAY 2016
Welcome to Episode II.5! As indicated in Episode II, I decided to apply a modified version of the Weinberger-Powell Doctrine (“WPD”) to cyber security. The key difference in application is simple: I am not using the Modified WPD to decide whether or not to commit offensive cyber security forces to a potential battle; rather, I am using the Modified WPD as a tool to evaluate your cyber security strategy/solution.
Modified Weinberger-Powell Doctrine
- Is a vital personal/organizational interest threatened?
- Do I/we have a clear attainable objective?
- Have the risks and costs been fully and frankly analyzed?
- Have all other non-technical means been fully exhausted?
- Is there a plausible strategy that avoids excessive cost?
- Have the consequences of our action been fully considered?
- Is this an action I/my organization will support?
- Will I be able to gain the support/assistance of those I rely on?
The Modified WPD works like this:
- If the first question is answered in the affirmative, you or your organization require a cyber security solution; and
- If any of the following seven questions are not answered in the affirmative, you have a gap in your cyber security solution.
In Episode II, I answered the first question: Is a vital personal/organizational interest threatened? I trust all would agree that, in today’s world, the answer is relatively obvious (so, yes, an interest is threatened).
Of course, each individual/organization will have different answers to the next seven questions, but I will answer them through the lens of industry trends and what is, more or less, currently being discussed. What I believe you will see is a great many gaps that need to be filled.
Question 2: Do I/we have a clear attainable objective?
Based on industry trends, namely that many of us still remain ignorant of the cyber security issue, I am fairly confident in saying that we do not have clear objectives. The Federal Cybersecurity Research and Development Strategic Plan is a document that sets forth near-, mid-, and long-term goals, but how many organizations actually do this?
And even the government initiatives are not comprehensive. As the Brookings Institution points out, apart from the US Department of Defense, most government agencies lack a clear cyber security plan.
While I agree the tipping point may be more executive-/board-level accountability – nothing motivates people like the threat of a lawsuit or jail time – like in any strategic or operational decision, if you do not have a clearly defined and attainable goal, chances are you will not succeed. This problem only compounds itself when those tasked with a significant amount of responsibility for the cyber security issue (like your CIOs or IT professionals) could be contributing to the problem.
We can also say the same about our personal behavior. Are we truly being careful and diligent with our digital information? In the interests of full disclosure, as I write this serial, I have to remind myself: “Am I alright with posting this online? What are the near-/mid-/long-term outcomes of doing this? Am I taking steps to protect my own intellectual property?” And so on.
They may seem like obvious questions with simple answers, but if you do not go through the process of asking them, you increase your risk exposure, something that will only accumulate over time.
Therefore, based on industry trends, I do not think we can answer Question 2 in the affirmative. Already our cyber security solution has a gap.
Question 3: Have the risks and costs been fully and frankly analyzed?
In the interests of brevity, can we all simply agree that the risks and costs have not been fully and frankly analyzed? To answer in the affirmative, we have to make the following two assumptions:
- We have a “pretty good” idea of what most of the risks are; and
- We have the means to accurately measure the costs.
I would simply suggest we are probably lacking on both these assumptions. I will refer you to PwC for two reports with great commentary and statistics: one on cyber security being a business priority and the 2016 Economic Crime Survey.
Note: Thanks to Paul O’Rourke for sharing this report. Some great statistics that will help give you a better understanding of the landscape.
So far, our cyber security solution is not looking too good. I guess we can put an “X” beside Question 3.
Question 4: Have all other non-technical means been fully exhausted?
This question probably animates me the most. Earlier this week I shared an article on the importance of the board being involved in the cyber security discussion. Here is another indicating that cyber security is becoming a commonly discussed issue at the C-Suite level.
Despite years of my commentary on this issue falling on deaf ears, often resulting in mind-numbing headaches, one thing that I am happy to see is that decision makers are finally accepting that the cyber security issue is no longer “an IT issue.” For examples, see here, here, here, here, here, and one even from 2013.
This problem compounds itself even as some still try to force cyber security as “an IT issue” because of the skills gap. Richard Starnes published a fantastic article on the cyber security recruitment process.
What I believe should be evident is that this question is far more complex to answer in this Episode because of overlapping issues, such as education, culture, personality, change management, and resource allocation, just to name a few. What I will likely do in a future Episode is focus more on the tension between different work groups and who wants to “control” the cyber security issue (never forget that everybody has different interests, and interests, even within organizations, do not necessarily align).
Therefore, I would suggest that this question cannot be truly answered in the affirmative until these cultural challenges within an organization are addressed.
The gap in your cyber security solution continues to grow!
Question 5: Is there a plausible strategy that avoids excessive cost?
Modifying this question from the original Weinberger-Powell Doctrine was probably the most difficult of all eight. The original is: Is there a plausible exit strategy to avoid endless entanglement?
The way I see cyber security (and this is clearly open for debate) is that these threats and risks are here to stay, much like insurance or taxes. The only thing that will change is their nature and how we are affected by them (and how much they cost us). In other words, endless entanglement is unavoidable, thus requiring a significant change to the original question.
The market is huge for cyber security vendors, with $75 billion USD spent in 2015 and expenditures expected to reach $170 billion by 2020. The key is where to spend though, because let us be honest, not all of us can afford some of the technical solutions being offered.
Spending a few million dollars to set up a cyber intelligence center and then housing it with some of the most technically savvy people available may sound flashy, but spending a couple of hundred thousand dollars to train your everyday staff may yield much better results. In a later Episode, this issue gets addressed directly.
After years of treating cyber security as “an IT issue,” I believe it is fair to say we are entangled in a loop of excessive cost. How do we break it and remould it into something much more manageable?
A quote from Shimon Peres comes to mind: “If a problem has no solution, it may not be a problem, but a fact – not to be solved, but to be coped with over time.” I believe we have reached that phase in cyber security.
I guess it would be ambitious to state we can answer this question in the affirmative. Add one more gap to your cyber security solution.
Question 6: Have the consequences of our action been fully considered?
Much like Question 3, in the interests of brevity, can we simply agree that we have not considered the consequences of our action(s)?
Melissa Hathaway, along with Chris Demchak, Jason Kerben, Jennifer McArdle, and Francesca Spidalieri, produced the Cyber Readiness Index “CRI” for the Potomac Institute for Policy Studies. Version 2.0 was released in the fall of 2015 and you can watch the launch and discussion session here (Part I) and here (Part II).
I reference the CRI for this question because I believe it is difficult to consider the consequences of our action(s) if we are still grappling with some of the most basic issues surrounding cyber security, many of which are addressed in the CRI.
Similarly, given that we have only begun to truly accept that cyber security is not “an IT issue” I believe it is safe to say that few of us understand the consequences of our action(s).
Are we up to five gaps so far?
Question 7: Is this an action I/my organization will support?
Imagine this scenario: You are the CISO of your organization and you walk into your CEO’s office. You tell your CEO that, given the increased risks affecting mobile devices, the organization will have to scrap the BYOD policy in place (thus, requiring most staff to carry a business and personal device) and that the business devices will have limited access to services and many popular apps.
Let us assume your CEO has little understanding of the cyber security issue, apart from the fact that it is costing the organization a lot of money. How do you think that conversation will go?
How this question gets answered I believe will be influenced greatly by the messenger. If the messenger cannot articulate the action in a way that the organization will support, no matter how sound the action is, the message may fall on deaf ears.
Keeping in line with the above scenario, imagine you are a board member that also has limited understanding of cyber security. You, as CISO, have been asked to put forth a presentation regarding the state of affairs. The first words that come out of your mouth are:
“Last quarter we saw an increase in attempted SQL injection attacks, but do not know for certain if any were successful. The investigation of our logs is ongoing. There were two attempted DDoS attacks, one of which slowed down our operations for two days, quite significantly. We also identified a new vulnerability with one of our vendors. They did not have a security certificate on their main website portal, so we need to ask them to transition to HTTPS in order to ensure their servers are verified by a third-party, because we believe we may have suffered a man-in-the-middle attack.”
If you are the board member, and have no idea about anything that was just said, this is where you wish your coffee had some more kick to it.
So, is this question answered in the affirmative or negative? Unknown. But why break a streak? Let us just say you cannot answer this one in the affirmative either; the gaps just keep adding up.
Question 8: Will I be able to gain the support/assistance of those I rely on?
This is the wildcard question. When you are using a third-party service, do you have access to their cyber security policies? If you ask them, will they divulge the methods and techniques? Cyber incidents attributed to business partners are on the rise, surpassing 22%.
But ask this question closer to home as well. What about your staff? Will they buy into your cyber security solution, especially when they are responsible for the majority of your cyber incidents? Pick any IBM Cyber Security Intelligence Index to see how staggering the numbers are.
Much like Question 7, the answer to this question is unknown, but until you ask the right questions, of the right people, it will be a difficult task to answer this question in the affirmative as well.
Summary
I mentioned in Question 6 the Cyber Readiness Index by Melissa Hathaway et al. Here is a brief summary of the report. What I believe is most valuable is how the cyber security issue is reframed: cyber insecurity is causing economic erosion. I believe this is a fantastic way to frame the issue, and hopefully this approach will pull the cyber security issue further away from the “an IT issue” framing that has been so prevalent.
In closing, I believe the Modified WPD offers some tremendous upside if used to evaluate your cyber security solution for the following reasons:
- It is scalable. You can use it at the personal, departmental, or enterprise level.
- Next, it helps identify gaps in a simple yes/no manner. This is important because it serves as a template to communicate the message to decision makers, but also provides a roadmap to some glaring issues for your technically savvy problem solvers.
- Finally, I believe the Modified WPD helps you develop a business case by shifting the cyber security issue away from being an “IT issue” to being a “business” issue, applicable to any type of organization and at any level.
I hope you enjoyed this Episode! Next week I will examine the considerations behind making the business case for cyber security solutions.
To all those in the United States, a very Happy Memorial Day long weekend!
And of course, thank you to all helping to spread the word of this serial!