Defending cyberspace: more than resilience

When discussing cyberspace, we stumble upon some concepts that often get confused or intermingled, such as cybersecurity and cyber defense, or the cognitive and the information environment. These are separate concepts, even though they are interconnected and interdependent. Ultimately, it is the target and goal of our actions which allows us to determine which of these concepts we are deploying. For cyber defense, this means our goal is countering the actions of an adversary, which ultimately target digital systems. Cyber defense is a fight against a living and thinking enemy, not against an abstract risk.

 

When defending cyberspace, the challenge is exacerbated by the covert nature of this enemy and our lack of resolve to act without a degree of certainty and justification that is hard to achieve, when not impossible. The adversary enjoys a high degree of impunity. Attacking the sense of security that comes with it is the crucial element of deterrence, an aspect of cyber defense in which modern nations have been less than successful.

 

An effective deterrence requires three components, which must all be present for it to be effective. Attribution is needed to determine the origin and intention of an attack, while Resilience is needed to preserve the nation’s capacity to respond. Last, but definitely not least, the capacity and the will to carry out retribution is an essential element without which the attacker will continue to feel validated and enjoy a position of impunity. This retribution does not need to be a military action, nor carried out in cyberspace. It is often a political decision, carried out at the diplomatic and economic level, and it is at this level where the will and capacity to enact retribution must be ensured.

 

Defense is a constant effort, and can never afford to be passive. All the latest trends in cyber defense emphasize this proactive attitude, seeking to reach and study the adversary before they strike, probing and testing our defenses before they are put to the test by an enemy, and assuming this enemy is already inside, forcing us to take active and widespread measures to mitigate the impact of a successful intrusion even before it is detected.

Resilience itself is only one component of an effective defense, like it was only one component of a successful deterrence. Nevertheless, it is the first fundamental component, which preserves the ability of the nation to function. As such, it must be built on the premise that it will be needed and employed. The attack will come, crucial systems will fail, and it is in this chaotic environment where response must be enacted. Resilience comes, first and foremost, from a mindset. A mindset that expects the attack and prepares for it in advance. A mindset that goes beyond prevention, and thinks of survival, recovery and adaptation. A resilient nation does not sit back and hope the attack will not come. It assumes the attack will come, and is ready to face it and remain standing.

 

In the connected world of cyberspace, this effort involves everyone. Awareness at the citizen level is extremely effective in building a resilient society. Awareness at the state level ensures the continuity of the administration and services through a crisis. Cooperation beyond the national level is indispensable to face a threat that recognizes no borders and exploits the gaps wherever it can find them. If there is one principle to defending cyberspace it is that, even though the battle may be fought using machines, it is the people behind those machines who are the key to victory. Victory comes from leaders who are ready and willing to respond to an aggression, and from citizens who are informed and ready for an enemy who never rests. In cyberspace, the key actors are still the people.

Lieutenant Colonel Ignacio Pizarro