When evaluating our effectiveness in dealing with cyber defense, we have two layers of uncertainty and risk: how effectively are we protecting critical information, and what are the adversaries actually getting and how might they use it against us?
In today’s interconnected world, we regularly deal with systems of overwhelming complexity and largely unmeasured risk, and that is before they become potential targets of explicit attack. Multiple risks, including software errors and network management failures, are compounded by the certainty that adversaries seek to cut through our defences, and the resulting uncertainty as to how much of our critical information has been compromised or exactly how such a breach could affect our organization’s future success or failure.
The fate of nations is not decided by wars alone, but by disease, technology, economics—and information, among other salient factors. Increasingly, information underlies and facilitates these other domains as never before. The modern military is largely dependent on huge information flows for all phases of its activities—net-centric warfare is the model of the day. The treatment of disease and public health is now built on prodigious amounts of information, not just for the understanding and treatment of the disease itself, but for all the issues concerning patient status and tracking, insurance and liabilities, etc. Technology and economics, our ability to innovate, create, market and profit, are impossible today without detailed—and protected—information.
What is not so often appreciated is that much of this information is effective only as long as we control it and manage its use. The fact that we have this information and can act on it, while our competitors and adversaries must wait until we have chosen to act, is a decisive advantage in all these domains. The time advantage resulting from knowing something uniquely and first can result in a leadership position in many domains. The continued bleeding of critical information through cyber attack may not convey the impression of catastrophe that we see in physical incidents such as last year’s Deepwater Horizon rig disaster, but rather, it can have a profound cumulative effect on our way of life and leadership position in the respective industry.
I would argue that there is a growing awareness in some quarters, but not broadly enough in either government or the private sector – that critical information is now more at risk of intrusion and theft than ever before, and that this matters. If an organization holds any significant amount of information that is critical to the success of that enterprise and which, if stolen, could confer an immediate advantage on a competitor or adversary, those competitors and adversaries will approach this as a fundamental strategic issue, making them persistent and implacable foes. This growing awareness that adversaries will seek to obtain protected information is leading to efforts to respond more effectively, and to find ways to measure the risk.
The loss of unique control over critical information should be regarded as an unacceptable outcome at the highest levels of any organization, and the enterprises that understand this are devoting significant resources to cyber risk management and response.