Big surprise: as a cybersecurity professional with deep roots in information technology, I am a huge sci-fi fan, particularly of Star Wars and Star Trek. As one can imagine, when the Cybersecurity and Infrastructure Security Agency (CISA) launched its Shields Up initiative, it had my attention. The information CISA provided was well organized and directed at the right audience. The initiative was launched to make the public aware of the potential for cyber attacks by hostile nation-state actors. It was clearly intended as a public service, and it was on point. To be very brief, Shields Up was, and is, a call to arms for organizations large and small to bolster their defenses. It was meant to ensure that we, the American public, were doing the things we ought to be doing anyway: enforcing Multi-Factor Authentication (MFA) for remote access and for privileged accounts, patching vulnerable systems, and checking firewall rules to make sure non-essential network ports are blocked. Ultimately, Shields Up was not just a call to arms; it was a spotlight on cybersecurity, showing that it is a matter of national security and therefore an issue of public safety.

We are paying more attention than ever before to cyber threats. More money is being spent on staffing and technologies, yet the threat continues to grow. Imagine if we spent on any other public safety issue the way we spend on security and got the same outcomes. Does anything recent come to mind, perhaps a pandemic? We spent money and expended resources to combat the COVID-19 pandemic, resulting in a highly vaccinated population and, for most people in America, a return to a somewhat normal daily life. This has not been so in cybersecurity, even though we have thrown a great deal of money and resources at the problem. Why? First, we tend to think of cybersecurity as a technology problem, something the CIO and IT will solve, but it is not. The underlying reason outcomes have not improved despite our spending is how we look at the problem. Cybersecurity programs do not fail for lack of money or because of technical constraints; they fail because we do not mount a proper defense, and that failure is the result of a philosophy of expediency.

Expediency is a problem because we tend to want to apply technologies or hire people to get immediate defensive results. For example, an MFA solution was purchased to eliminate account takeovers; why, then, was an account takeover the root cause of a breach of the corporate systems? Usually because the product was deployed without the harder work of confirming that it actually covered every login path, such as legacy protocols, VPN portals and service accounts. What if we changed the philosophy of expediency and adopted a more holistic view? We would start from the view that cybersecurity is not a technology problem to be solved; it is a public safety issue to which our operations must conform. If we accept this view, cybersecurity transcends something that can land on the CIO's desk with a directive that says "fix it." It is an issue, not a problem, and by calling it an issue we accept that cybersecurity failures are pervasive and are rooted in broader societal concerns such as crime, personal privacy and national defense. Taking the issue approach thus raises the question: what does it mean to be cyber-secure?

To be cyber-secure means that we look at how personal computers, corporate information systems, critical infrastructure, IoT devices, mobile devices, and so on all interact, not just through the technological space of the Internet and local networks, but through the humans who interact with those technologies, and at how these complex interactions can produce both positive and negative outcomes. Accepting this definition, we ask: how do we get positive outcomes?

We can answer this question by comparing cyber incidents to other emergencies that would impede information systems, such as fire, earthquake, enemy attack or similar disasters. Disaster response relies on the actions of first responders. So, for cyber, who are the first responders? The answer is that, much like the pioneers who went west across the nation in the early days of America, we are responsible for our own defense. In accepting this concept, we can model our mindset on that of other first responders.

Much of public safety applies a paramilitary approach. For example, police and fire departments use a hierarchical structure with respect to chain of command. In emergency response this structure works because it provides clear communication for directing resources to a given situation. Now apply this logic to cybersecurity. Incidents are then handled with a clear command-and-control structure, and when we are being proactive, outside the usual IT constraints, we can take the paramilitary approach in a second sense: not the hierarchical chain of command, but battlefield management.

If we managed cybersecurity as a set of defensive problems applied to the organization's digital landscape, the way a field commander maneuvers resources around a physical battlefield to protect a position, then the organization's staff and technology resources could be applied to cybersecurity objectives more collaboratively and efficiently. To put this into perspective, imagine a commander on a battlefield defending a position as dictated by the unit's mission. The commander talks to their staff and determines what assets are available, determines what the enemy is likely to do, discusses how the enemy's potential actions affect the mission and what their own capabilities to respond are, and then examines each avenue an enemy could use to approach and compromise the unit's position. Understanding this information allows the commander to determine where defensive capabilities will be placed and how they will be used in response to specific and general scenarios, with the intention of deterring and/or thwarting the adversary's attack efforts.

In applying this concept to our cyber defenses, we communicate with the business and IT to understand our digital position, intertwining our cyber defense efforts with the business's mission requirements and with the response capabilities of our technology and staff. To understand the interactions of our systems and users is to understand how we will engineer to deter and respond to cyberattacks.

The paramilitary approach may seem simplistic, and that is because it is. Although simplistic, it is comprehensive and goes to fundamentals such as an inventory of users and assets, the determination of zero trust access policies, incident response planning and testing, and technology refinement and procurement. It is a methodical way to analyze the organization's defenses one element at a time. Accepting that cybersecurity can be thought of as paramilitary means that we accept a common view, which could lead to more common practices. The result could be a set of universally applied controls and common-practice defenses that disincentivize cybercrime and may also leave organizations better prepared to recover from attacks carried out by advanced cyber threat actors.