What Does Successful Cyber Warfare Look Like?

Solutions Review’s Contributed Content Series is a collection of contributed articles written by thought leaders in enterprise software categories. Mike Starr of trackd charges into battle to redefine what success in cyber warfare looks like in the modern age.

Conventional shooting or “kinetic” wars used to end with a clear winner and clear loser, and the closure was palpable in ticker-tape parades, terms-of-surrender signings, and mass discharges of returning soldiers. That, clearly, is no longer the case, exemplified by the seemingly endless analyses during our wars in Afghanistan and Iraq that asked a common question:  what does victory look like?

A similar question might be asked about other, less-conventional “wars”, for example, the war on drugs, the war on terror, or the war on poverty, all now decades old, and some more than a half-century. It seems we start to ask the “what does victory look like?” question only after a war becomes protracted, and frankly, when it feels very much like we’re losing it.

So it may be time to ask that question – or a version of it – about InfoSec:  what does successful cyber warfare look like? Cybersecurity professionals have been battling threat actors since at least the inception of the public internet, so we’re starting our 4th decade in this war against the bad guys, and I don’t think anyone in the cybersecurity community would say with any degree of seriousness that we’re winning, or even moving in the direction of a conventional victory.

What Does Successful Cyber Warfare Look Like?

In the Trenches…

It feels more like trench warfare in World War I than the march to Berlin a couple of decades later, and the cybersecurity community has been coming to terms with the reality that the goal of stopping cyber-attacks is giving way to a more pragmatic “management of cyber risk.” That might sound a bit like surrender, but we do live our lives managing risk every day. If we wanted our risk of personal injury to approach zero, we’d never get in a car, an airplane, or leave the house for that matter, but that would certainly limit our prospects for employment, not to mention our enjoyment of life. But, we do our best to minimize that risk with seatbelts, car safety features, etc. Returning to the topic at hand, the equivalent of never driving or venturing outside in cybersecurity would be removing all connections to the public internet (although even that wouldn’t stop insider threats and social engineering attacks 100 percent).

A business can’t function in 2023 if disconnected from the internet, and humans can’t live fulfilling lives in a protective bubble, so, we accept and manage risk every day. Where the cybersecurity challenge differs, however, is that the probability of occurrence is staggeringly high compared with, say, the probability of having your car stolen (0.3 percent) or being audited by the IRS (0.45 percent). Unlike those sub-1 percent odds, there’s an 80 percent chance of being the corporate victim of a cyber breach, or at least that’s what those charged with defending their organizations against cyber-attacks believe.

“When”… Not “If”

Over the past several years, the cybersecurity community has operated under the mantra of “when, not if” when it comes to network compromises, which is a tacit recognition that the war against cyber-criminals will not end with a surrender ceremony. Now, the community needs to take that tacit acceptance and make it explicit. “Winning” is no longer defined as avoiding a breach, but rather minimizing the likelihood of a breach while maintaining robust corporate operations…and preparing for an inevitable compromise. A breach should no longer be met with shock and panic but should be planned for, practiced for, and calmly addressed. All things much easier said than done. And this is where senior leadership comes in. Giving lip service to cybersecurity as a risk to the business and then using the CISO and other infosec management as scapegoats when the inevitable happens is unhelpful.

Encouragingly, the concept of “cyber resiliency” is gaining traction among infosec professionals, and its holistic approach to minimizing cyber risk is not only refreshing, but at its core, explicitly acknowledges that network compromises are an unavoidable element of IT and security operations. An exhaustive treatment of cyber resiliency theory is beyond the scope of this piece, as well as the author’s expertise, but it includes five areas of cyber risk management:  prepare/identify, protect, detect, respond, and recover. The last three of those openly recognize that the first two will not be fool-proof, and that crossing fingers is no substitute for comprehensive cyber security operations.

Changing the Criteria/Final Thoughts on Cyber Warfare

If a compromise is a foregone conclusion, then the cyber security operation must be judged by a different standard than “anything less than going undefeated is a failure.” Rather, the criteria should be:

• Is the CISO and their team doing everything necessary to reasonably minimize the risk of compromise? (Note: this has nothing to do with adherence to compliance.)
• Does the organization have the technology and incident response plans in place and executable when the time comes?

If senior leadership can answer these questions in the affirmative, then that’s accountability in this “new” world of cybersecurity reality. Doctors will tell us that we should exercise, eat our fruits and vegetables, avoid booze, red meat, fried foods, and generally anything fun. But, even if we do all these things and more, no doctor will guarantee we won’t contract cancer, experience a stroke or heart attack, or generally be 100 percent immune from anything. They can only offer that our probability of experiencing these bad outcomes will decrease. Similarly, if every employee in the organization obeyed every edict around security, the cybersecurity team was armed to the teeth with all the resources and tools it needed, and all security processes and procedures were executed flawlessly, it would not guarantee immunity to a successful attack. Doctors can’t promise 100 percent health, and CISOs can’t stop 100 percent of attacks.

We don’t cast aspersions on the medical profession when marathon runners have heart attacks, and we need to start recognizing “successful cybersecurity” when we see it.