Cyber-defenders urged to use counterinsurgency playbook
Large enterprises should model their cybersecurity strategy on counterinsurgency, including by ensuring they have a sufficient ratio of cyber-defenders to the “local population,” a new academic paper argues.
In a master’s paper for the prestigious SANS Technology Institute, Sebastien Godin, a captain in the Canadian Army, provides a framework mapping the concepts and players in cyber-defense onto their equivalents in counterinsurgency theory.
He argues that 6 percent of a large company’s employees ought to be dedicated to securing the enterprise’s IT networks.
“My paper concerns itself with the enterprise. So, the enterprise becomes the sovereign state which has to defend itself against a global insurgency [the hackers],” Godin told CyberScoop in an interview.
“The way an enterprise has to operate and defend itself within its own network [against hackers] is the same way a state has to defend itself against a global insurgency, but acting within its own borders,” he said.
In this conception, a nation-state’s government stands for the company’s executives and senior management, and the insurgents are the hackers.
“It’s the same kind of limitations and difficulties the same kind of requirements for success and the same center of gravity,” he said of the two kinds of conflicts.
Counterinsurgency theorists typically refer to the local population as the center of gravity in the conflict. In Godin’s framework, the local population is represented by the company’s IT infrastructure and its users.
“The criteria for success is to protect the local population,” said Godin. And key to that is a sufficiently large force of defenders.
Counterinsurgency doctrine typically requires a ratio of counterinsurgency forces to local population of 20-25 per 1,000, Godin explained.
In a 10,000-person company, the “local population” — devices on the IT network and their users — might be 10,000 people and 15,000 devices. A population of 25,000 would generally require a counterinsurgency force of of 625 or so, Godin said.
“I include defending not just the personnel but the infrastructure,” he said.
That counterinsurgency force of 625 includes not just the company’s cybersecurity team, but all IT personnel — system administrators, helpdesk operators, engineers and so on, said Godin.
“That might seem like a lot … but if you look at everything that needs to be protected and the daily upkeep and … split that number between helpdesk people and admins and cybersecurity people it gets really small really quick,” he said.
He noted that a constant complaint of security operations center personnel was that they didn’t have time to do proactive or preventive security, because they were always responding to alerts or incidents.
“I think six percent of your employees being cyber-related … will give you enough to both establish and secure your perimeter and do your maintenance and updates and testing while being able to respond to threats or incidents or investigate intrusions.”
Even with sufficient numbers, winning over the local population and creating the preconditions for victory, requires a “strong governance model.”
“The local population need to see that the c-suite, that senior management are on board with the cybersecurity plan. If the employees see that those guys don’t care, they’re not gonna care,” he said.
Another precondition for victory in counterinsurgency doctrine is good intelligence. “People need to get over the shame of being hacked,” Godin said.
“Company to company information sharing is key,” he said, noting that “Once they start sharing and they share faster and faster, they reduce the attack surface.”
Godin deprecates the use of the phrase “hearts and minds.”
“We used to hate that,” he said of his service with Canadian NATO counterinsurgency forces in Afghanistan.
But what ever you call it, winning over the local population is key to victory in counterinsurgency, and, Godin argues, in cyber defense.
“You need a strong training program … so employees know, this is who I need to call, this is what I need to report,” he said.
“There needs to some kind of reward or recognition program … people liked being recognized … If people do the right thing, they should be recognized.”
“So everybody participates and everybody starts recognizing a phishing email or a social engineering call … then everybody’s supporting each other.”