I’m a superhero nerd. I’m not ashamed to admit it. There’s a good reason for it too. If it wasn’t for the comic book, “Avengers 103: The Sentinels Strike!,” I may never have learned to love reading.
I was in 7th grade in the South Dakota fall of 1972. I’m pretty sure that at that point in my educational journey, I had never read a complete book; unless you count Dr Seuss’ “One Fish, Two Fish, Red Fish, Blue Fish.” And then, a high school senior who lived on my street (Mike Terwilliger) decided to give away his box of comics and I was the lucky recipient. “Avengers 103” was on top of the pile and I was hooked. I’ve been a superhero fan ever since.
Spoilers!
So, of course I’m a “Peacemaker” fan from the James Gunn “The Suicide Squad” movie and the HBO TV series. Season Two is about to come out so I’ve been re-watching Season One to catch up. The plot is pretty simple: aliens (the Butterflies) invade earth and a new version of the Suicide Squad has to stop them.
While I was watching, it occurred to me that the Butterflies’ Chief Risk Officer (let’s call him Bob) picked the wrong survival strategy. He picked prevention over resilience and it cost the Butterflies everything.
Prevention vs Survival
And I can hear you all saying, what is Rick going on and on about? What does a tier 3 superhero, like Peacemaker, have to do with cybersecurity? I’m glad that you asked. I recently wrote a book to help the infosec community rethink its approach to cybersecurity strategy. It’s called “Cybersecurity First Principles: A Reboot of Strategy and Tactics.”
In it, I make the case for the absolute cybersecurity first principle; the goal that all of us, regardless of vertical or size, should be pursuing in all our infosec programs.
Reduce the probability of material impact due to a cyber event over the next business cycle.
To achieve that ultimate goal, I present several strategies to consider:
Primary: Zero Trust, Intrusion Kill Chain Prevention, and Resilience
Supporting: Automation, Risk Forecasting, Workforce Development, and Compliance
This is not a checklist or a framework. The idea is that security leaders should choose the one or more strategies that will give them the biggest bang for the buck: the ones that most reduce the probability of material impact with the resources that they have on hand.
Of the three primary strategies, two are about prevention (Zero Trust and Intrusion Kill Chain Prevention) and one is about survival (Resilience). Zero Trust is a close-all-the-windows-and-doors strategy that only allows access to “things” based on need to know. Intrusion Kill Chain Prevention is a fight-the-bad-guy-in-the-trenches strategy that develops and deploys prevention and detection controls for known adversary behavior. Resilience is completely different. It’s about survival. It’s a forget-all-that-prevention-stuff-and-just-ensure-that-the-business-keeps-running-no-matter-what strategy.
For most of my career, I’ve pursued the very-expensive-to-do prevention strategies. The truth is though, I really never had enough resources to get everything done. I had holes in the program; gaps that a determined adversary could eventually find and exploit.
Now that I’m here at the twilight of my career, I’m convinced that survival is a better goal; that Resilience is the better strategy. It’s cheaper for one thing, by a lot. And it’s easier to do. It’s basically making backup and restore operations, encryption of material data, and crisis management the most important things that you do. The goal is to restore a compromised set of systems and data so fast that your customers don’t even notice the change.
So what does that have to do with Peacemaker?
The Butterflies’ Chief Risk Officer’s Decision
In the TV series, the invading aliens (the Butterflies) need the earth to survive because their home planet is dying. The downside is that they can’t eat any of the food that grows organically on earth; not vegetation, not meat (not even humans). They had to bring their own food source with them. The Butterflies called it their “cow” and it resembled a massive, two-story-tall insect similar to a grub. The Butterflies milked their “cow” for an amber, honey-like liquid that sustains them. Without it, they would all die.
Spoilers!
I refer to the “cow” in the past tense because the Peacemaker Suicide Squad blew it up in the series finale. The team slipped by all of the preventative zero trust and intrusion kill chain prevention tactics that the Butterflies deployed to prevent such a thing.
Bob, the Butterflies’ Chief Risk Officer (whom we never meet in the TV show), decided that the best way to protect his entire race was to bring one, count ‘em, one, cow to the new planet and hope that the gaps in his protection scheme would not prove disastrous. That sounds like a lot of CISOs I know.
I hope you see where I’m going with this.
If they had just brought two cows and located them at opposite ends of the earth, their probability of a material loss would have been much lower.
Bob should have pursued a Resilience strategy.
Take Away - Resilience is the Way
I love it when I can find nerd references to make my point about cybersecurity issues. My other favorite is when Doctor Strange, in the 2018 “Avengers: Infinity War” movie, uses a mystic Monte Carlo simulation to predict the Avengers’ success against Thanos. But that’s another story altogether.
In the TV series, “Peacemaker,” the director/writer (James Gunn) demonstrates persuasively that, at least in the Butterflies’ case, Resilience would have been a better strategy. In the infosec community, I think the Resilience strategy will give most infosec programs the biggest bang for their buck in terms of reducing material cyber risk.
References
Anthony Russo, Joe Russo, Benedict Cumberbatch, 2018. Avengers: Infinity War [Movie]. IMDb. URL https://www.imdb.com/title/tt4154756/
James Gunn (Writer / Director), John Cena (Actor), 2022. Peacemaker [TV Series]. IMDb. URL https://www.imdb.com/title/tt13146488/
James Gunn (Writer/Director), Margot Robbie (Actor), Idris Elba (Actor), John Cena (Actor), 2021. The Suicide Squad [Movie]. IMDb. URL https://www.imdb.com/title/tt6334354/
Rick Howard, 2023. Cybersecurity First Principles: A Reboot of Strategy and Tactics [Book]. Amazon. URL https://www.amazon.com/Cybersecurity-First-Principles-Strategy-Tactics-ebook/dp/B0C35HQFC3/ref=sr_1_1