Is Cyber Defense Simple, Complicated or Complex?
Cynefin is a sense making framework that divides problem response into simple, complicated and complex. The goal is choose the right response paradigm so that when a problem occurs the organization can respond and doesn’t fall into chaos. Cynefin is a decision framework well suited to cyber (they also both have funky English spellings – but for different reasons :).
In the “good” old days cyber defense consisted of anti-virus, firewall and VPN. It wasn’t perfect but was considered good-enough (and in many cases actually was) since there was a clear perimeter to protect. It assumed cyber defense is a “simple” problem; i.e. a problem where the domain is in “steady state” and the relationship between cause and effect is clear - for every problem there is one right answer. Simple problems are best addressed by a sense, categorize and respond paradigm - given the right sensors and policies the problem is easily solved. This works extremely well if the problem is actually simple, but a misclassified problem can quickly spiral into chaos (see the loss-of-control cliff from simple to chaos in the sketch above). It is easy to see why so many cyber incidents become chaotic – the attacked organization mistook a complicated problem and treated it as simple.
Many cyber defense issues are still simple, but nowadays more of the issues are complicated. Complicated problems require analysis or expertise to find the relationship between cause and effect – i.e. there is a range of right answers. Like Donald Rumsfeld and Iraq – these are problems with “known unknowns”. These types of problems are best addressed by a collect, analyze and respond paradigm based on knowledge and expertise
In a small minority of cases cyber defense needs to address a complex problem. A complex problem where there are no immediate right answers, or to quote Donald Rumsfeld again there are “unknown unknowns”. The only way to address them is to probe, sense and respond – hoping to quickly find a solution that mitigates the problem without deep understanding of the issue. The key is to make sure things don’t deteriorate into chaos and to have a laser like focus on getting business back to normal. Techniques like segmentation, micro-segmentation, DevOps and disaster recovery can help. The good news that true complex cyber issues are quite rare and are usually in the domain of nation states – not companies. The bad news is that since many companies view cyber defense as a simple problem they have only two modes – simple and chaos.
Finally, there is chaos – the state that should be avoided at all cost. If a problem response deteriorates into chaos, the best thing to do is act, sense and respond – where act is anything that seems sensible at the time.
Modern cyber defense is a mixture of recognizing and responding to simple, complicated and complex problems in the cyber domain. This insight helps defined the basics of a good proactive cyber defense platform –
- wide range of inside-out and outside-in sensors;
- holistic integrated expert and automated analytics;
- holistic, integrated dynamic policies;
- nuanced and layered controls