Commentary
Part 1 of a two-part series.
The most devastating security failures are often unimaginable until they happen.
Before 9/11, national security and law enforcement planners assumed that airline hijackers would seek a negotiated settlement and land the plane; this proved false. Before Stuxnet, control system engineers assumed that an air-gapped system would be safe, until malware got in. Before the SolarWinds breach was discovered in 2020, IT administrators assumed that verified updates to trusted network management platforms were legitimate and safe, until the platforms themselves became vectors for devastating supply chain attacks.
What made the damage from these incidents so severe was that the risk was new and novel: it was not anticipated, or was assumed not to be a risk in the first place. In other words, the more fundamental the assumption, the more devastating its compromise will be.
The imperative of security is to anticipate and mitigate risks that will occur at later times and places through effective planning and preparation, not just for the present but for the future. And the assumptions we make about the future environment are the foundation for that work. Assumptions are necessary for security planning to be consistent. But assumptions have a shelf life.
Our assumptions today will not hold true in the future. We know that increasing interdependence will make security challenges interdisciplinary and multidisciplinary in nature. We know that the pace of change brought about by the speed of technological development will make the never-ending cycle of discovering and patching, identifying and neutralizing, sensing and responding even more difficult than it is today. We also know that who and what provides security is changing.
Our current approach to security works as follows. First, we look at recent incidents and threat intelligence, and research the threats we already know about. Then, based on incident data and expert insight, we agree on ways to neutralize those threats and reduce the associated risks. Finally, we develop the programs and tools to implement these mitigations at scale. The better and faster we do this, the more secure we will be.
Adopting a resilience approach to the future
Recognizing the evolving landscape, we have worked to accelerate this process through more extensive data collection and sharing, deeper insights through more powerful analytics, earlier detection of threat actors and their behavior, and faster response to ongoing attacks.
But we are falling further behind: by the time we understand threat actors, their intentions, and attack methods, or even detect their movements, it is too late. The fundamental challenge is to prepare for a future with an unpredictable risk profile.
To become more resilient in a world of threats that we “don’t notice until it’s too late,” we need to stress test our assumptions and strengthen our plans. The future of security is about being resilient in the face of new risks that we cannot specifically identify today. It is not enough to simply monitor trends and predict threats; we also need to question the very assumptions that underpin our current security sensibilities.
A new, future-proof approach must include a deliberate process of modeling a future in which existing assumptions have been undermined, while those assumptions still hold today. You can then develop ways to survive in that new future “reality.” In other words, shift from an approach of assessing the current environment, making assumptions about the future, identifying threats, and mitigating those risks, to one of explicitly identifying your assumptions, “crafting” the threats that would undermine them, and building resilience to survive that future.
In practice, we need to stress test our assumptions about the world we operate in and the environment we aim to secure. These assumptions can be broad or narrow and span multiple dimensions. A rigorous approach should consider four categories:
Referent: What assumptions do we make about who (or what) is being protected, and why? What does it mean for that person or organization to be secure?
Effect: What assumptions do we make about defenders’ capabilities to protect themselves? What can attackers do to harm us? How much impact can they expect to have on the security landscape and ecosystem?
Interdependencies: What (or who) do we expect to be available without questioning its availability or intent? What are the system effects that we have not adequately anticipated?
Governance: Where do we think governments should, and do, exert their influence? What are our assumptions about the role of the state? Will the future world continue to function within a framework of sovereign states and international norms, as it does today?
This process of sorting through and stress-testing fundamental assumptions is a necessary exercise for all leaders interested in ensuring long-term security and resilience in the face of an uncertain future.
In the next installment of this two-part series, we will examine the basic assumptions of some of the most common security frameworks and the technologies assumed to be central to cybersecurity. We will also highlight some key beliefs we may hold and ask some uncomfortable questions we need to ask to build resilience for the future.