The terms “Military Specification” or “MIL-SPEC” may sound like government bureaucracy. This requirement, however, that every piece of equipment used by the military — down to its components, such as screws, electronics, and plastic — needs to meet certain standards was arguably why the United States was able to win the Cold War.
While the US military focused on quality, the Soviet Union focused on quantity, driven by its own doctrine that quantity was a key part of quality. The regime believed that endless numbers of tanks and planes would allow them to win any conflict; that turned out to be faulty thinking.
For the US military, quality — and the details it takes to get there — remains critical. I know this firsthand from the seven years I spent working on F-16 fighter jets during my service in the US Air Force. Everything that was installed in that plane had to have a MIL-SPEC rating, or it wasn’t good enough. MIL-SPEC means that the material or component that was used to build a circuit board, for example, had to be tested in a way that pushed the component to the point of failure, which was far beyond the operational requirement for what it was designed for. This includes but isn’t limited to exposure to freezing, thawing, heating, vibrating, dropping, pressurizing, depressurizing, and electromagnetic pulses (EMPs). It was this focus on quality that allowed the US to put a man on the moon, have stealth fighters that rule the skies, and submarines that “make like a hole in the water.”
A focus on quality should also be the guiding principle for enterprise cybersecurity, especially when budgets are limited. It’s increasingly clear that quantity isn’t working; spending on cybersecurity tools and services is growing more than 12% a year, yet data breaches are multiplying and their damage will likely amount to more than $10 trillion annually by 2025, according to a McKinsey report. Amid this challenge, it’s crucial to embrace quality at every step of the way, from building a team to testing products to planning for an attack.
Build a Team With Military Experience
As the threat from state-backed attacks grows, companies can benefit greatly if their cyber team, whether internal or through an outside provider, contains people with experience in the government or military sectors. Businesses realize that state-backed attacks from places like Russia and China are a growing threat; 42% of surveyed companies say they feel at risk from a state-backed attack, and half said they had already been targeted in one. But few have the resources to prevent and mitigate these types of sophisticated attacks, the survey found.
Professionals with a background in military or government work are especially valuable when it comes to finding and evaluating threats from state-backed hacking groups. In addition to being more familiar with the technical hallmarks of such threats, those coming from the military or government also bring valuable insight into the changing geopolitical landscape, which must be considered when evaluating potential threats from state-backed hackers. A military or government background also prepares these professionals to understand the importance of processes and communications. These are two elements that can determine the quality of a company’s cybersecurity stature.
Test, Test, and Test Again
Just as every element I used in F-16s needed to stand up to the most extreme scenarios, so should a company’s cybersecurity safeguards. Engaging a professional red team, or ethical hackers that try to infiltrate and gain control of a company’s IT system, is one of the best ways to check the quality of defensive tools and strategies. Real-life testing is the only way to determine which tools and policies are working and which need to be changed or improved.
Similar to the joint exercises and Operational Readiness Inspections the US Air Force performs, such testing should be carried out on a regular basis. Critical events such as a when significant new threat is introduced, or infiltration, should also trigger extensive testing. A key part of engaging a red team is making sure communications are good and that the hiring company receives a full report of what was done, what the results were, and suggestions on mitigating the findings. These technical aspects then need to be translated into language and concepts that nontechnical corporate leaders can understand, including what effect cyber vulnerabilities have on a business’s bottom line, potential for growth, and overall risk stature. That way, these decision-makers will understand what is most at risk and where they need to invest to improve the real-life quality of their cyber posture.
Don’t Underestimate Tabletop Exercises
Holding drills as if attacks have happened can test the quality of a company’s response and mitigation abilities far beyond the technical level. This is increasingly important, as a cyberattack is no longer simply a technical event; attacks and data breaches cause significant business interruptions, as well as legal and public relations challenges.
The truth is that even with quality defenses, most organizations will at some point fall victim to some type of attack or data breach. But the damage can be reduced or eliminated if all parties inside a company understand response procedures, know their roles, and communicate well. Organizations need to understand how to handle the inevitable in the best manner possible.
When companies take these steps, they stand a better chance against hackers. Cybercriminals often have an unlimited amount of time and many tools — sort of like the Soviet Union. Companies must counter this by making sure their tools and processes are of the highest quality and can prove themselves in battle.
