Deterrence in Cyberspace (Part 3)

John Davis

Vice President, Federal Chief Security Officer at Palo Alto Networks

Deterrence in Cyberspace (Part 3)

Introduction and background

This essay series focuses on the role of the private sector and how industry can contribute to governmental efforts in deterring cyberthreats. My first essay of the series discussed the growing role of the private sector in cyberthreat intelligence and information sharing. The second essay discussed the role of industry in the development of norms of responsible behavior in cyberspace. This final essay of the series will describe how industry can shape the future of cybersecurity by using an innovative new approach to provide technological options for deterring malicious cyber activities. This approach is about changing the current attacker advantage in the cyberspace environment and giving the defender opportunities to better prevent many, if not most, successful cyberattacks.

Component elements of an effective cyber deterrence policy – A refresher from my first essay of the series

As a reminder, my first essay of this series described the basic components of an effective cyber deterrence policy as incorporating these components:

  • A description of what types of activities the policy seeks to deter
  • Deterrence by denial
  • Deterrence by cost imposition
  • Activities that support deterrence

It’s within the last component, “activities that support deterrence,” that I’m focusing my effort to describe why I believe industry can become a more effective partner for governments in contributing to deterrence in cyberspace.

The problem that industry innovation must fix

First, allow me to describe a growing problem before sharing some thoughts about how industry innovation can help solve that problem, and how this contributes to deterrence of malicious cyber activities and prevention of successful cyberattacks.

Here’s the problem: The world of technology and the world of the security designed to protect technology are moving in opposite directions, and this is providing the attackers a distinct advantage over the defenders in the cyberspace environment.

There are six trends in the world of information technology (IT), operational technology (OT) and, as these two technology communities are increasingly connected to one another, the internet of things (IoT):

1. Things are becoming simpler to understand and easier to use.

2. Because of the above, things are more convenient.

3. As a result of these first two trends, it takes fewer people to do more things.

4. Everything is increasingly connected, designed from the start to work together and not something people have to figure out how to make work together – things are natively integrated. This trend enables the three trends above.

5. The primary reason for all the above is because everything in the IT, OT and IoT world is increasingly automated.

6. The final trend is that things in this increasingly connected technology world are designed to solve problems proactively.

These six trends are reflected in the technology industry’s movement to mobile, virtual and cloud environments, as well as the uber-connected IoT environment in general. Innovation in the technology industry is being driven by the requirements associated with these trends. As a result, the user and operator experience is increasingly fused, smooth and pleasant!

Now, let’s contrast these technology world trends to those in the world of cybersecurity:

1. Instead of becoming simpler to understand and easier to use, things are becoming more difficult to understand and use.

2. Instead of becoming more convenient, things are more complicated. One must look no further than examples like password complexity requirements and network security orchestration difficulties to see evidence of this trend.

3. Instead of requiring fewer people to do more things, the cybersecurity world is requiring more people to do more things. I don’t know of any organization that has a sufficient cybersecurity workforce to keep up with the challenges, and there are estimates that this gap is not only widening but getting out of control.

4. Instead of things being designed to work together natively, the cybersecurity industry is rife with a growing number of point solutions that work in isolation and don’t communicate with each other. This contributes to each of the three reverse trend observations listed above.

5. Instead of increasingly taking advantage of automation to reduce complexity and resource requirements, the cybersecurity world is still largely reliant on manual action based on human decision-making.

6. Finally, instead of being designed to solve problems proactively, the common design framework in the cybersecurity industry is about responding to problems after they have occurred. The functions of detection, response, recovery and resilience are all necessary parts of a comprehensive cybersecurity framework, but if you don’t focus on a prevention-first mindset and supporting architectural posture, you are missing an opportunity to wipe away most of the “noise from the signal” so that you can focus your limited resources (capabilities, funding and people) on your most important problems.

As a result of these opposing trends, the cybersecurity industry is greatly challenged with the mobile, virtual and cloud environments toward which the technology industry is moving.  Worse, the cybersecurity industry has its head in the sand regarding IoT. Innovation in the cybersecurity industry is magnifying the problem in many cases, causing these two worlds to move further apart. The experience for the user and operator from a cybersecurity perspective is piecemeal, filled with friction, downright overwhelming and even painful!

A proposed industry innovation solution – it’s all about integration

The cybersecurity industry must make a U-turn and better align with the direction in which the technology industry it is supposed to protect is moving. The challenge is how to do this, and innovation in the cybersecurity industry can help reverse the current direction to better align with the same trends in the technology industry. This can deter malicious cyber activities through four levels of integration:

The first level of integration is about applying defender visibility and threat prevention controls across the attack lifecycle. This lifecycle describes the steps that any cyber actor needs to accomplish in order to conduct a successful attack regardless of whether it is for criminal, military, espionage, terrorism or activism purposes.

1. This first level of integration is a conceptual level, and is about applying the key functions of “see and stop” across each of the steps that cyberthreats must accomplish in order to successfully achieve their goal.-  The cyberthreat lifecycle steps include probing, exploitation of a vulnerability, delivery of malicious code, establishment of a control channel, escalation of privilege and lateral movement within a network, and then the final attack step – exfiltration of information, disruption, destruction, deception, encryption, for ransom, etc. The last step defines a “successful” attack.-  Since these steps occur in different locations within an organization’s network environment, you must consistently apply “see and stop” capabilities across the applicable portions of the environment. This includes the categories of fixed, mobile, physical, virtual, on-prem, cloud (public, private, hybrid and SAAS), enterprise edge, data centers and endpoints.- Innovation in the cybersecurity industry that enables this kind of integration fundamentally changes the the attacker’s current advantage. Instead of the attacker only having to be right once and the defender having to be right everywhere – and all the time – now the attacker must be right at each step of the lifecycle and the defender only has to “see and stop” a threat during one step along the path to a successful attack.

  • By applying threat prevention controls across each of the steps in an attacker’s playbook (playbooks are specific techniques and tools used by a specific actor or organization across the lifecycle steps), defenders can now impose greater costs on cyber adversaries. This is because adversaries can’t simply change the one feature that was detected and reuse all of the rest of the features in their playbooks (which is what happens today with polymorphic malicious software). Innovation like this drives up the adversary’s cost of doing business and drives down the number of successful cyberattacks.
  • This level of integration is also about reversing the cybersecurity trend of responding to problems after the fact and better aligning to the technology trend of solving as many problems proactively as possible.

2. The second level of integration is at a technical level, and the key to success is innovative partnerships. In my opinion, there is no single entity in the public or private sectors that can do this kind of innovation described above in isolation. Integration at this level in industry requires deep technical partnerships between companies who are best-of-breed at what they do within the different portions of the network enterprise environment where the various cyberthreat lifecycle steps occur.

  • This level is focused on changing the cybersecurity trend of an increasing number of point solutions that don’t communicate with each other and are “bolted on” as an afterthought, and aligning to the technology industry’s move toward being better connected,  natively designed to work together, and “baked in” from the start.
  •  Innovation at this level may require some cultural adjustments in the business community as well. Effective competition in the market place has traditionally demanded that a company delivers the best individual product for the best price. To take advantage of this level of integration companies must now demonstrate a new key performance parameter. They must show their solution is an integrated component of a broader platform approach, and it’s engineered to do so natively in order to make things easier to understand and use, as well as more convenient. They must also show that it requires fewer people to do more things, further aligning to technology world trends.

3.  The third level of integration is at a technical level, but has process implications as well. It also has excellent potential to set the stage for driving future innovation across the cybersecurity industry in ways that we cannot yet imagine. This level is about expanding the scope and flexibility of open application program interface (API) capabilities.

  • Let’s face it, not every cybersecurity capability that an organization thinks it needs to secure and defend its unique network environment can be deeply integrated at a technical level as described above. We should also acknowledge that one of the reasons the cyberspace environment is so unique is that things change very quickly and dramatically.
  • To provide the flexibility required to adapt capabilities to the scale and speed of changes in both the technology environment and the adversary underworld that threatens it, the cybersecurity industry must inspire and enable innovation by making it easy and inexpensive (maybe even free) to integrate quickly.
  • This takes “plug and play” innovation to a new level by providing incentives for emerging capabilities, including from startups, to integrate on a cadence that matches the need of the customer base.

4.  The fourth and final level of integration is a combination of people, processes and technology innovation. The three innovation integration levels described above are still not sufficient to the challenge, in my view. The other levels must be wrapped in an overall ecosystem of cyberthreat intelligence and information integration. This requires innovative information sharing partnerships.

  • As described in level two, no single organization has the visibility required to be effective across the entire threat landscape. Organizations that partner in effective cyberthreat intelligence and information sharing benefit from a dynamic described in Part 1 of this essay series. Whatever is seen by one organization can quickly immunize all the other organizations in the partnership, drive the costs up for cyber adversaries, and contribute to the deterrence of malicious cyber activities.
  • Innovation from a leadership, cultural and even business model perspective is required in order to fully mature the concept that responsibly sharing and integrating cyberthreat intelligence as a greater public good instead of a commercial commodity is a better model. Industry should not compete over what they know about cyberthreats: they should compete over what they can do with that information.
  • However, as a reminder from Part 1 of this essay series, innovation in the standardized and automated integration of this intelligence and information is required.  This kind of innovation can make this fourth level of integration effective as a complement to each of the other three integration levels in deterring modern cyberthreats.


This essay series provides at least three ways that the private sector can assume greater responsibility in supporting governmental efforts at deterring cyberthreats. Part 1 of the series discussed the increasingly effective capabilities that industry is building in cyberthreat intelligence and information sharing. Part 2 explained how industry can contribute more effectively to government-dominated efforts to establish and enforce norms of responsible behavior in cyberspace. Part 3 proposed an innovative new approach for industry to provide technological options to rebalance the current advantage that attackers have over defenders in the cyberspace environment. Each of the essays provides examples of industry activities that can support the deterrence of modern cyberthreats. An effective public-private partnership focused on each of these proposed activities that support deterrence can add value and magnify the other governmental aspects of deterrence by denial and by cost imposition, and can help make a difference in cyberthreat deterrence in the digital age.

Join the growing community of risk management, cybersecurity experts and thought leaders.

Subscribe to our monthly newsletter

please enter a valid email address