Organizing for Cyber Resilience: Rethinking the Balance Between Prevention and Response
Cybersecurity is once again in the headlines. A new White House cyber strategy released in September promises a more offensive response to cyber threats and cyber attacks, whether from criminals or nation states. However, Valentine notes that debates on cyber defense and security, which are often dominated by turf battles between agencies over responsibilities and proposed response options, often “address the wrong choices.” Valentine, a former F-16 pilot, commander, and staff officer who now works with the Microsoft Corporation’s efforts to support the US Army, notes that this outcome is a result of incorrectly identifying the true nature of the cyber environment. Referencing the ideas of management theorist David Snowden, Valentine notes that attempts to centralize cyber authorities and responsibilities in federal agencies such as the Department of Homeland Security and the Department of Defense fail to recognize the cyber environment as a “complex system,” one that government cannot completely secure regardless of resources. Centralization and static security efforts also negate an important lesson from nature about complex systems, as articulated by the ecologist and scientist Rafe Sagarin, which suggests that employing decentralized tools and agents leads to improved adaptability and resilience. Specifically, the DHS, the DOD, and the US government “should expand its efforts to integrate private sector capabilities into the cyber operational environment,” he adds. The US government should also seek to engage private sector cyber volunteers, who could aid in cyber defense by responding to challenges rather than directives, freeing up limited public resources elsewhere.