Former Navy Secretary: Effective Cybersecurity Requires Persistent Presence
In nearly eight years as Secretary of the Navy, I faced a steep challenge on how to manage cyber threats at the pace of 8 million attempted intrusions a day in an organization of 900,000 people, Ray Mabus writes.
As Secretary of the Navy, I spent a lot of time focusing on presence—having the Navy and Marine Corps not just in the right place at the right time, but in the right place all the time. United States sailors and Marines are stationed around the globe around the clock as the nation’s first line of defense: flexible, adaptable and ready for any challenge on the horizon, and a firm, steady deterrent against those bad actors who might consider bad actions. It was my job to make sure that they had the policies and resources needed to play this important role in our nation’s—and global—security.
Nowhere is that need for presence—persistent, continuous presence—stronger than in cyberspace. Increasingly, we are seeing a world where the weapon of choice is a cyberattack, and breached data can be as consequential as a breached border. In fact, these types of warfare are closely linked. In Crimea and in Georgia, for example, Russian cyberattacks preceded Russian troops. In the raid that killed Osama bin Laden, Seal Team Six brought out hard drives found in the compound—because that data could give us a huge advantage in fighting al-Qaeda. Breaches at private companies pepper the headlines, and more than 40 municipalities have been the victim of ransomware attacks this year alone. Nation-states and criminals—and sometimes a combination of the two—are stepping up sophisticated cyberattacks daily.
If you lead an organization of any size in the United States today, you sit atop a powerful technology stack. Your communications, calendar and finances coordinate instantly, globally—as long as the networks keep working, and you have access to that data. Disrupting those networks creates chaos.
In nearly eight years as Secretary of the Navy, I faced a steep challenge on how to manage cyber threats at the pace of 8 million attempted intrusions a day in an organization of 900,000 people. Here’s how we maintained presence in the cyber domain—and you can too:
Acquire expertise and communicate. Your CEO doesn’t need to be a cybersecurity expert; I was an English major. What you do need is clear, jargon-free continuous communication between leadership and cybersecurity experts to understand risks and priorities. Failure in cybersecurity poses a risk to every part of your enterprise. Breaches bleed customer trust, expose intellectual property and can stop your business completely.
Drive cyber investments toward specific outcomes. When I was in the Pentagon, the Defense Department grew its cyber budget from $3 billion to $5 billion to $7 billion in successive years—effectively buying cybersecurity by the pound—without fully understanding of the specific outcomes of those investments. It’s about more than spending. Today, more than ever, chief information security officers and chief information officers must be able to speak to the C-suite and board and state clear priorities and outcomes, and the C-suite and board must hold CISOs and CIOs accountable. The organizational structure must be such that CISOs and CIOs can get their message to the very top immediately.
Share intelligence. As Secretary of the Navy, ambassador, and CEO, I’ve consistently relied on and benefited from diversity of perspective. Whether it is a variety of information, background, experience or philosophies, it is one of the greatest enrichers of an environment. Shared threat intelligence leads to better analysis and prevention which leads to a more secure cyber environment for everyone. Cyber defense—from services to resources to lessons learned—should be a cooperative, not competitive, approach.
Deter the adversary. Somewhere under the ocean right now there is the powerful deterrence of nuclear submarines that will complete their cruises completely unseen and without taking any actions. That constant presence dramatically changes the way adversaries think about attacking our country. Cybersecurity is like that: You hope you don’t need it. When it works, you may see nothing. When it doesn’t, consequences ramp up quickly.
Remain flexible and adaptable, and learn. Whenever a carrier group came back from deployment, there would be a debrief. Across all the deployments during my time in the Pentagon there was only one constant: Every single time, our people faced something they had not trained for. To meet that challenge, we had to train our people to think on their feet, not fall back on rote actions. The same is true for cyber. If you don’t plan for change and can’t adapt, you will fail.
The cyber arena continues to escalate, with nation-states and criminal enterprises continuing to develop and deploy new modes of attack. The stakes are high, reaching every part of our modern way of life. As we maintain persistent presence in this uncertain environment we would do well to operate with the mantra the Marines apply to their many missions in uncertain environments: Improvise. Adapt. Overcome.
Ray Mabus is the chief executive officer of the Mabus Group, former governor of Mississippi, former ambassador to Saudi Arabia and former secretary of the U.S. Navy.