Preventing cyber attacks requires focusing on adversaries rather than the technology used to stop those adversaries, the retired deputy director of the National Security Agency (NSA) said Wednesday at MeriTalk’s Fourth Annual Cyber Security Brainstorm.
“It’s about more than technology,” said Chris Inglis, who retired from the NSA last year and now teaches at the U.S. Naval Academy. “This is really an issue of people, plus technology, plus process.” The increase in successful cyberattacks “is not because the adversary is that much smarter. It’s not because we have not been trying hard to get the technology right. It’s because they’re still outwitting, they’re out-maneuvering, they’re more audacious, they have the initiative, and we don’t. It’s a people thing.”
But, Inglis said, too many organizations:
- Defend the wrong thing;
- Defend things at the wrong time;
- Hold the wrong people accountable;
- And have the wrong goal.
Organizations must focus on their data, he said.
“What really matters in cyberspace? More often than not it’s the data,” Inglis said.
Instead, organizations focus on the technology tools and perimeter protection, he said. “But what do we defend? We defend what we can. We defend perimeters. We defend links. We defend operating systems, abstractions of the data, not knowing for sure whether, in fact, that’s keeping the data safe.”
Building a secure network is incredibly difficult, Inglis said, and that underscores the shortsightedness of focusing on technology rather than data.
“It turns out [building a secure network is] impossible. You cannot secure these systems,” he said. “The best you can do is to make them defensible, and then defend them.”
After organizations suffer an attack, IT staffers typically are the people held accountable, Inglis said, but users – employees – often are the ones responsible for a data breach. To improve an organization’s defenses and reduce the potential for an attack, all users must improve their understanding of cybersecurity and of the strategies used to steal data, he said, so they don’t fall victim to phishing scams or other attacks.
Organizations too often are reactive in efforts to stop cyber attacks, Inglis said, establishing strategies following a breach. Working harder to understand the behavior of their adversaries would help organizations prevent an attack, he said.