When discussing cybersecurity strategy with an organization or individual, I frequently encounter a misunderstanding regarding Goal and Strategy. In many instances, there is a belief that they are synonyms. Goal is defined as the result that an individual or company plans to accomplish while a strategy is defined as the method by which the goal is achieved.
Goals can either be short-term or long-term. In both instances, the cybersecurity action plan will be a necessary component in achieving those goals. These goals can be any of:
- Consumer goal – concerned with supplying the demand of consumers for a certain product
- Product goal – concerned with producing products of high quality
- Operational goal – concerned with proper management of resources for the continuous and efficient operation of the business
- Secondary goal – concerned with all other goals of the company that are not considered as priorities.
Cybersecurity will, most likely, be involved with the organization’s operational goals and secondary goals. With respect to operational goals, the cybersecurity objective is to both protect critical digital assets and maintain the continuous operation of the business. With respect to secondary goals, the processes to achieve these lower priority goals may involve the use of critical digital assets and therefore require a similar security strategy as that used to protect that data’s use in achieving higher priority goals.
The goal of a cybersecurity action plan is the protection of critical digital assets through the mitigation of risk associated with operating environment vulnerabilities subject to compromise, or attack, by an adversary. The term “war” is defined in the Lectric Law library as, “contention by force; or the art of paralyzing the forces of an opponent”. The latter part of that definition is exactly the strategy a cyber adversary is often attempting to execute in order to achieve their goal. In that context, the adversary becomes an enemy much like the enemy in a conventional war.
Sun Tzu said, “To conquer the enemy without resorting to war is most desirable. The highest form of generalship is to conquer the enemy by strategy.” Strategy is the art of distributing and applying military means to fulfill the ends (Goals) of policy. In the case of cyberwarfare, strategy is concerned with the placement and movement, in order to adapt to the changing threat environment, of security controls.
When the application of security controls engages with an actual cyberattack, the disposition of, control of, and their direct action to achieve the desired effect, is termed tactics. Strategy and tactics can never be truly divided into separate compartments because each not only influences but, merges into the other. Again, as Sun Tzu says, “All men can see the tactics whereby I conquer, but what none can see is the strategy out of which victory is evolved.” This is especially true in cyberwarfare as the tactics being used are security controls available to and used by all organizations as well as the adversary. It is the art of the strategy developed that will determine the winner of the conflict.
All forms of war are based on deception. The merging of strategy and tactics enables the organization to deceive the adversary with respect to their response and surprise him with the actual response.
The strategy exploits the elements of movement and surprise. The aim of strategy in any type of conflict must be to bring about this conflict under the most advantageous circumstances. The strategist must seek a strategic situation so advantageous that if it does not of itself produce the decision, its continuation by battle is sure to achieve the aim. In the case of cyber warfare, the organization’s aim is to cause the threat actor to lose his will and abandon the attack.
The strategy must provide the organization with the flexibility to adapt to an adversary’s counter-move. This requires a strategy to have several branches, to a response, that have been well thought out and practiced in the preparation phase of the cybersecurity action plan. An organization’s cybersecurity action plan must take into account the adversary’s power to frustrate it.
Cyberwarfare most closely mirrors a psychological sphere of conflict and leads to the chief incalculable in such a conflict, human will. Human will must be accounted for in the organization’s preparation and training of the strategy as well as in the response to an attack. In the case of preparation and training, humans will most often lead to resistance in performing the training and conducting the due diligence required of the day-to-day security effort. An actual security event often arouses the human factors of fear, and anger and leads to mental fatigue and poor decision-making. These same human will factors, if the organization’s strategy is complete, can be experienced by the adversary and negatively impact his effort to infiltrate the organization. Consequently, the strategy must include tactics of distraction which will result in dislocation with respect to the adversary’s attack plan.
Stonewall Jackson referred to this joint strategy as “Mystify, Mislead, and Surprise”. Mystifying and mislead constitutes distraction and surprise is the essential cause of distraction.
It is through the distraction of the adversary’s mind that the distraction of his planned approach to infiltration follows. The effect of this distraction on the adversary results in his loss of freedom of action to respond to your dislocation effort and will lead to him committing mistakes as he now responds to your actions.
This exploitation, through strategy, of the psychological element in cyberwarfare is critical. It is based on making the adversary do something wrong. By compelling the adversary to make mistakes, the scales are most often turned in your favor. However, you must always be aware that this same element can be used against your plan if you have failed to plan, prepare to the plan, and continuously train for the preparation.
In summary, a GOAL is what you want to achieve. A Strategy is how you will achieve it. A good strategy is:
- A set of principles that when communicated and adopted in the organization generates a desired pattern of behavior.
- Is about how people throughout the organization should make decisions regarding the allocation of resources to achieve key objectives leading up to achieving the goal.
- Each objective must have its own strategy governed by the principles of the enterprise cybersecurity strategy.
Goals and strategies are hard to achieve and execute without planning. As we have learned through modern warfare, the details of a plan that was designed years in advance are often incorrect, but the planning process demands a thorough exploration of options and contingencies.
The knowledge gained during this probing is crucial to the selection of appropriate actions as future events unfold.
True in kinetic warfare and true in Cybersecurity defense.