
The Fifth Domain: Published 2019

As we persistently encounter security breaches and learn of Chinese infiltrators camping out in our Federal and CI networks for years, I for one am continually inspired by Richard Clarke’s insightful book “The Fifth Domain.”

I know that many consider Clarke a kook and a conspiracy theorist, but I think he may be the most level-headed and security-conscious watchdog we have.

The Electric Power Grid

Clarke proposes a comprehensive strategy for fortifying the U.S. electric power grid against vulnerabilities, a framework that could equally serve as a blueprint for enhancing cybersecurity in the private sector.

Instead of the conventional approach emphasizing prevention, detection, and response, led by a Chief Information Security Officer (CISO) with limited authority, we should consider adopting a strategy akin to what’s advocated at a national level for safeguarding against nation-state attacks on critical infrastructure. Here are five recommendations inspired by Clarke’s approach to securing the power grid:

  1. Empower a Leader with Genuine Authority: Nationally, this might involve a high-ranking official from Homeland Security. In the private sector, this calls for ending the practice of nominally appointing CISOs who lack real power over budgets, structure, and policy. Real authority means having the clout to enforce mandates across all business functions without hindrance, including significant investment in technology and personnel to counteract the threat landscape.
  2. Engage Specialist Firms for Threat Elimination: Just as Clarke advocates for a major initiative to rid the national power grid of foreign intrusions and vulnerabilities, companies should consistently employ top-tier penetration testers and cybersecurity experts to rigorously and regularly cleanse their IT environments without restrictions.
  3. Adopt Cutting-Edge Security Practices: Implementing advanced security measures and engaging professional teams for continuous oversight ensures defense against cyber threats. This includes employing technologies and protocols proven to be effective, such as threat hunting, continuous monitoring, Zero Trust, ITDR and stringent access controls, among others.
  4. Develop a Contingency Plan (Plan B): Similar to national emergency response plans, businesses must have an alternative strategy ready to activate in the event of a breach, focusing on cyber risk management over traditional security measures. This pivot involves prioritizing the protection of vital business data and intellectual property and accepting or mitigating risks for less critical assets.
  5. Consider Retaliation Through Deception: On a national scale, the threat of retaliation might deter adversaries, but in the current climate, we have created a strong sense of empowerment across our adversarial community – self-esteem is not a problem for these folks.

In the private sector, deception technology can serve a similar purpose, deterring attackers by confusing and trapping them, thus preventing future attacks without resorting to direct counter-strikes. But even that ship may have sailed.

Clarke’s book underscores the inadequacy of current cybersecurity measures, both nationally and in the private sector.

By drawing lessons from the strategic overhaul suggested for the power grid, we can better address vulnerabilities in corporate cybersecurity, moving beyond the insufficient “prevent, detect, and respond” paradigm towards a more proactive and authoritative approach.

One which adheres to Zero Trust principles and moves away from network-centric, report-after-the-event detection technologies on our endpoints.

Author

Steve King

Managing Director, CyberEd

King, an experienced cybersecurity professional, has served in senior leadership roles in technology development for the past 20 years. He began his career as a software engineer at IBM, served Memorex and Health Application Systems as CIO and became the West Coast managing partner of MarchFIRST, Inc. overseeing significant client projects. He subsequently founded Endymion Systems, a digital agency and network infrastructure company and took them to $50m in revenue before being acquired by Soluziona SA. Throughout his career, Steve has held leadership positions in startups, such as VIT, SeeCommerce and Netswitch Technology Management, contributing to their growth and success in roles ranging from CMO and CRO to CTO and CEO.
