Stress-Testing Our Security Assumptions in a World of New & Novel Risks

COMMENTARY

First of two parts.

The most devastating security failures often are the ones that we can't imagine — until they happen.

Prior to 9/11, national security and law enforcement planners assumed airline hijackers would land the planes in search of a negotiated settlement — until they didn't. Before Stuxnet, control systems engineers assumed air-gapped systems could operate unmolested — until a virus was planted. Prior to the SolarWinds breach discovery in 2020, IT managers assumed that verified updates to a trusted network management platform were legitimate and safe — until the platform itself became the vector of a devastating supply chain attack. 

The extent of injury from these incidents is often a function of the extent to which new and novel risks were unforeseen, or assumed not to be risks in the first place. In other words, the more basic the assumption, the more devastating the compromise.

The imperative of security is to be right not only now, but also in the future, to anticipate and mitigate risks that will arise at some later time and place through effective planning and preparation. And the assumptions we make about that future environment serve as the foundation for that work. Assumptions are necessary for any security plan to be cohesive. But they come with a shelf life. 

Our assumptions today are unlikely to hold in the future. We know that increasing interdependencies will make security challenges inherently cross-domain and interdisciplinary. We know that the pace of change, driven by the rate of technological development, will make the endless cycles of discover and patch, identify and neutralize, and sense and respond even harder to sustain than they are today. We know that who and what provides security is changing as well.

The current approach to security goes something like this: First, we review recent incidents, while gathering information on the threats we know about. Next, we develop a consensus (based on incident data and expert insights) on how to neutralize those threats and mitigate associated risks. Finally, we develop programs and tools to implement these mitigations at scale. The better and faster we do this, the more secure we are.

Embracing a Future-Resilience Approach

Recognizing the changing landscape, we have attempted to accelerate this process through broader data collection and sharing, deeper insight from more powerful analytics, earlier detection of threat actors and their actions, and faster response to attacks underway. 

But we are falling further behind. By the time we understand a threat actor, their intentions, and their attack methods, or detect their movements, it's too late. The fundamental challenge is to prepare for a future with an unknowable risk profile. 

To become more resilient in a world of "unseen until it's too late" threats we must strengthen our plans by stress-testing our assumptions. The future of security will be about resilience in the face of emerging risks that cannot be specifically identified today. Monitoring trends and anticipating threats is not enough. We must also question the very assumptions that undergird our sense of security today. 

A new, future-resilient approach will need to include a deliberate process of challenging existing assumptions, while they remain valid, to model a future in which those very assumptions are compromised. Then, based on this new future "reality," we can develop ways to survive. In other words, we shift our approach from assessing the current environment, making assumptions about the future, identifying threats, then mitigating those risks, to explicitly identifying our assumptions, "making up" threats to compromise those assumptions, and building resilience to survive that future.

In practice, this involves stress-testing the assumptions we make about the world in which we operate and the environments in which we strive to achieve security. These assumptions can be broad or narrow, across multiple dimensions. A rigorous approach will need to consider these four categories:

This process of categorizing and stress-testing fundamental assumptions is a necessary exercise for any leader who is interested in ensuring long-term security and resilience in the face of an uncertain future.

In the next installment of this two-part piece, I'll examine some of the basic assumptions in the most common security frameworks, and the technologies we assume to be central to cybersecurity. I also will highlight a few key beliefs we apparently hold and ask the uncomfortable questions we need to ask in order to build future resilience.