Of late, I've heard a lot from military-minded people about running "cyber security and cyber operations" (whatever that means) like you would run a physical world military operation. In other words, I hear a lot of discussion about running a cyber operation like you would run an operation to take a hill (land), drop a bomb (air), or secure a strait (sea). This seems to be a foregone conclusion that is not up for debate. Unfortunately, I don't see how it's possible to run cyber security and cyber operations in this manner. In other words, the enemy in cyber is one that I can't see, can't react as fast as, and am not as smart as. I can't outspend this enemy, and the enemy has just as much "history" and "experience" as I do. The enemy does not have to follow bureaucratic processes and/or laws, and the enemy is free to recruit the cream of the crop without needing them to adhere to arcane standards that are irrelevant to the cyber landscape. So, all in all, how is a large, hulking bureaucracy designed for and experienced in other purposes supposed to fight this enemy?
They're not. Perhaps that's why I've seen a lot of discussion to date, but little progress. Everyone seems to be a cyber expert of late (experts follow the money I suppose), but most of these so-called experts have never worked in the space, even for a short while. If cyber security is indeed to be treated like a battle, the enemy has already infiltrated us and is living within us. Talk is cheap. Action is rare, sorely needed, and often winds up stalled in the headstrong trade winds that often dominate bureaucracies. I would urge those skilled in the physical world's battle strategies (these are often the people in leadership positions these days) to keep an open mind and choose progress and success over tradition and procedure. It may necessitate listening to people who have little or no military experience and may look or act differently than you would expect. It may also necessitate being open to the fact that we, as a society, may not know how to approach the cyber landscape, and that approaching it as a military operation may be entirely misguided. Otherwise, I fear we may end up in a bad place.
I've had experience consulting in both the public sector and the private sector. What's amazing to me is that although private sector organizations often start out with their capabilities behind those of similarly sized public sector organizations, they are soon able to catch up and surpass their public sector peers. It isn't voodoo or magic that is responsible for this transformation -- it's openness, discipline, competency, and most importantly, the choice of progress over politics, pomp, and circumstance.