Imagining a Reverse Soviet Collapse for the West

With the indictments by Special Counsel Mueller against 13 Russians and 3 companies for criminal interference in the United States, it is timely to point to something I wrote in 2012:

Is a Communist or Totalitarian System Preferable in the Internet Age?

Back then, I was questioning whether anyone in government – and society writ large – was seeing how the openness and connectivity of the Internet were becoming a strategic vulnerability to democracy, and how hackers with ties to Russia and the former Eastern Bloc were destabilizing the international equilibrium. Seeing the assertive action of the US Department of Justice in bringing these indictments on Friday, I am happy to answer my own question back then with this answer today:

The Democratic institutions of America have joined the fight!

Yet, it is not enough to applaud the awakening of government institutions to the asymmetric and pernicious threats coming from the forces engaged in hijacking the goodness of the Internet. These bad actors can continue to leverage asymmetric tactics, and by being nimble, our adversaries can maintain their strategic advantage. This was my very point in 2012: our adversaries have learned that the Internet naturally favors those who crowdsource!

A Straight Line: A. Avoiding a Reverse Soviet Collapse —> B. Community Cyber

What was observed back in 2012 bears repeating: “We all need exquisite security in the modern Internet Era, but few can afford it.” Another 2012 piece offered: “The approach the Nation takes in response to this critical threat landscape must start with internal resilience. Situational awareness must be improved at local levels so that the cyber-hygiene level rises …”

Enter Community Cyber!

The counter-strategy to fight our adversaries must center on combating what they are weaponizing: Internet asymmetry and openness. The method for achieving a new strategy must include crowdsourcing. The fight against cyber threats, in the Internet Age, is no longer government’s alone. We’re all in this together. Therefore, the role of government in this is to help mobilize society into the formation of cyber resilience centers.

Improving cyber resilience also cannot be left solely to government-funded centers. That was the other point in the 2012 article: that the Soviets couldn’t compete with market forces. Today, criminal elements are aggressively monetizing their illegal efforts through black markets, money laundering, and other fraudulent – though profitable! – enterprises. Fighting a profit center with a cost center is destined to fail. Hence, a new strategy must also bring market forces into the fight.

To achieve this strategy, the citizenry must first come to understand their presence on the front lines. Second, the citizenry must further understand that they have a role in the fight. To develop appreciation of this paradigm shift, a movement is needed. Public service announcements must take up the message, and the media – including modern media like social media platforms – must also help change the national consciousness. And the soundbite for this effort, one which captures the notion that localities must take responsibility for improving their community’s resilience, is “Community Cyber”.

The Awakening that’s Afoot

There is more good news beyond just the indictments. All “Five Eyes” countries, in the last few days, have now attributed to Russia the aggressive NotPetya malware attack of last year. This joint effort appears to signal resolve to confront Russia for its destabilizing attacks through cyberspace.

These are government efforts. At state levels in the US, information sharing mechanisms and institutions are also being established. Information sharing is also occurring at private levels, including through information sharing communities formed as information sharing and analysis organizations (ISAOs). The ISAO effort follows on the well-established, government-promoted sector model: information sharing and analysis centers (ISACs). Thus, efforts and organizations already exist, and government help in further institutionalizing them as crowdsourcing components of national strategy looks like an attainable and necessary objective.

Good Start, But What’s Next?

For the national security establishment, The What and The Why about the risks posed by Internet-based threats have been acknowledged. A new approach by government appears to be underway. However, it is not yet evident that government appreciates the need to incorporate crowdsourcing in the fight, so The How in this new approach is not yet apparent. And, The When is pivotal for all of us: when does the national security establishment recognize that funding a resilience build in every community is not affordable, and that a market-based, locality-centric model is the only way we can win this fight?

Most importantly, The Who must be solved. It is We! The government must involve the private sector in this counter-threat strategy, and the citizenry must be active in Community Cyber.

Top-down, and bottom-up must come together in a public-private mash-up.

By: Doug DePeppe, Founder
Cyber Resilience Institute
On:  February 17, 2018

Why Market-Making is Needed for Cyber

What must be realized at all levels, public and private sectors, is that in cyber: national and economic security imperatives must be coupled with market forces.

As Co-Leads on a government-funded project for about the past year, my colleagues and I engaged in a research and design effort to address cyber market failures, specifically focused on the lack of appetite down-market. Our departure point, outlined in the original proposal to the US Department of Homeland Security (DHS), was to view business disregard for calamitous cyber risk as a market failure. After studying the demand-side malaise for cyber offerings, even confusion and exhaustion in certain market segments, the team arrived at a solution for this failure in the market: “making the market” for cyber.

Market-Making is not a term exclusive to securities trading and financial exchanges. Rather, it is increasingly used to describe the functions and environment needed to create a market. Increasingly, the Internet has come to be known as a Market-Making platform, with new industries being made through its unique ability and efficiency of coupling supply and demand. The social media industry, and the explosion of Facebook and Twitter, would not exist but for the Internet!

And yet in the cyber market, no calamitous event has changed behavior, even though cyberattacks occur through the Internet. Not the statistically high percentage of small businesses that go under after experiencing a data breach. Not the state actor attack on Sony. Not massive data breaches. Not even attacks on elections and Western democracies. There remains very little appetite down-market to incur costs to address cyber risks. We are not alone in observing the need to “Fix Cyber”.

In an important, concise piece, former Director of National Intelligence, Michael McConnell and co-author Patrick Gorman outlined several practical steps for improving the approach to cyber. In it, they pointed to creating market incentives, and to reducing the costs and inefficiencies associated with compliance systems.

Warren Buffett called the cyber predicament a bigger threat to humanity than nuclear weapons! The former CEO of Yahoo!, in testimony before Congress, seemed to imply that it is the role of government to help companies when it comes to sophisticated state-actor cyberattacks, a view expressed by others. Conversely, the private sector seems to widely believe that it is the private sector which should be leading, not the government; and even that government should be supporting the private sector’s leading efforts.

All this dialogue about HOW to fix cyber is good – perhaps it reflects the recognition necessary to institute change. Resistance to institutional change is a dynamic explored by Thomas Kuhn in The Structure of Scientific Revolutions. And change we must! Kuhn’s observations could be a revelation today for addressing cyber. Our team certainly adopted parts of his thinking. For us, the lack of a market reaction to calamitous risk caused our project to consider the impediments to a properly functioning market. And we arrived at a model that would deliver structural change, as well as promote market forces. The structural change part is definitely Kuhnian.

Our research revealed that to make the market in cyber, there are several elements or dynamics:

1. Market-Making is best achieved at community levels (“Community Cyber”). This would promote information sharing among trusted local stakeholders, and we view information sharing as an imperative for starting cyber markets. The other major advantage of localized Market-Making in cyber is that it would spur innovation and invention; and, a by-product of an institutionalization of Community Cyber Market-Making would be a return of wealth generation to Main Street through that localized innovation and invention. This dynamic also has an attractive populist advantage.

2. Market-Making entails active market formation. That is, if markets were functioning properly, assistive measures would not be needed.

3. Start where demand exists and grow it. Community Cyber needs quick wins to grow traction and awareness. Our efforts include the introduction of quick win value propositions and programs.

4. Community support, stakeholder engagement, and political advocacy are needed for Community Cyber. This requirement reflects structural and normative changes. That is, adopters of Community Cyber must understand and advance an approach to reducing risk that entails collective measures. This approach, a pooled delivery of services, runs contrary to the usual practice of one-to-one vendor-customer relationships.

5. The cost of achieving satisfactory cyber hygiene must be driven down! Increasingly sophisticated, one-to-one vendor-customer engagements are driving costs higher. Moreover, governments at all levels have generally retained these service providers rather than promoting ISAOs which would push for universal adoption of information sharing and drive costs down. In other words, governments should be supporting the ecosystem rather than solely addressing their needs.

6. Community Cyber necessitates a sustainable business model for partners to have a business incentive to pursue Market-Making in cyber. Whereas enterprise vendors profit from their services, our model drives opportunities down-market through mutually beneficial business arrangements. Our team expressly took on the tough business model question community partners ask: “How do we make money doing this?” And, we answered it.

7. Markets create incentives for entry and increase efficiencies, whereas compliance regimes drive costs higher.

8. The pooled services model creates cost-sharing incentives, which again drive costs lower.

Presently, the net effect of current business practices in cyber indicates No Change. That means that the market remains dysfunctional in cyber at down-market levels. Companies have no Community Cyber option yet, which is why our project will soon start to roll out c-Market. Until that rollout begins, the costs to achieve cyber hygiene will rise, causing more down-market companies to exit. At a macro level, this dynamic makes the country less competitive and less secure. And concomitantly, it also makes up-market security-conscious companies less secure via their supply chain to those down-market.

What must be realized at all levels, public and private sectors, is that in cyber: national and economic security imperatives must be coupled with market forces. We cannot win with a government-funded model. Government-funded efforts cannot compete with the power of market forces. The two models offer different outcomes: one is zero-sum and the other is synergistic.

The golden nugget in a 2012 tongue-in-cheek article by this writer, which observed the advantage totalitarian regimes had over open democracies in the Internet Age, was that the West won the Cold War by leveraging market forces. We should revisit that lesson in our approach to the cyber challenge.

Get involved with Community Cyber!

By Doug DePeppe, Founder
Cyber Resilience Institute
First published:  January 8, 2018 on LinkedIn

Tactical Cyber: The Case for Community Cyber ISAOs

An army of bots, hackers and social media trolls has fundamentally altered and intensified the risks from cyberspace.

A prior piece here redirected the national debate about certifications for ISAOs onto a broader view: that ISAOs represented industry formation of cyber capacity and innovation centers at community levels. In that article, the concepts of Community Cyber and Market-Making were introduced. And, it was outlined how an innovative DHS contract vehicle had spawned the Cyber Market Development Project. The views expressed previously, informed by project research, showed how the question about certification was too narrowly scoped; and the piece described how this predicament of issue definition had come about from the genesis of information sharing and its early structures. It’s time to further explore how this project research can inform a deeper understanding of the ISAO movement.

What the White House got right in the Executive Order on Information Sharing, and which DHS further implemented in proper fashion through contractual establishment of the ISAO Standards Organization, was to establish information sharing as a national policy to further national security interests in resilience and cyber capacity building. Yet, in practical terms, what is resilience and cyber capacity building? And how are we to go about it? Are ISAOs supposed to suddenly spring up? What is their mission? What are the use cases?

Let’s look at why it was proper to cast ISAOs in the national security mission space. And how to introduce that mission at community levels.


What has been revealed in the past two years is that an army of bots, hackers and social media trolls has fundamentally altered and intensified the risks from cyberspace. No longer are we fighting JUST identity thieves, DDoS botnets, or black-market enterprises; we are now combating state actor networks and a complex, anonymous web of deceit and manipulation. The trustworthiness of news and information is being undermined.

When we look to define what’s needed to build resilience and cyber capacity, we have to factor in the changed game plan of the adversary. Deploying a better firewall and calling it a day won’t work. We have entered the era of cyber intelligence, where businesses need to be better equipped with information to fight the modern cyber battle.

We must also acknowledge that, with all the wizardry of the intelligence community, the requisite Need to Know criteria severely limit its utility outside the national security environment. Yet, businesses also need to know the nature, sophistication, motives and game plan of the attackers.


What is now universally needed is a private-public Order of Battle build. The term Order of Battle derives from military lexicon and practice, and it refers to profiling the adversary to identify command and control, malicious architecture and domains, TTP, campaign correlations, and even attribution to attacker networks and identities. Commercial vendors offer sophisticated intelligence, yet the tailored services they provide to enterprise customers need to come down-market. That’s the role of Community Cyber and public-private ISAOs.

An Order of Battle build is tactical intelligence. And ISAOs are the perfect structures to offer tactical intelligence across localities, tied to state Fusion Centers, and supporting member needs. Tactical intelligence is the province of bottom-up, organic generation, rather than of top-down structures. Hence, building local capacity to conduct tactical intelligence is well-suited for ISAOs.

With this in mind, the Cyber Market Development Project – which is commercially prototyped as the c-Market™ – developed the CrowdForce. The first university club is being formed with a partner university, and will grow across our other partner universities. This cadre of cyber threat analysts is formed with the dual purposes of workforce laboratory and tactical collection network.

With the benefit of this description and an identified manifested creation, consider the value of ISAOs, located in communities across the Nation’s footprint, for creating a tactical cyber intelligence capability for elevating cyber defenses from the ground up. This is resilience and cyber capacity building! This is a use case for ISAOs at community levels: to engage in tactical intelligence, Order of Battle building, and training the workforce in ISAO operations and cyber threat analytics.

ISAO Conceptualization: Expanding the Narrative

When there’s talk of ISAOs, and whether certifications are advisable, it is important to question the premise: with ISAOs, are we considering all their use cases?

Establishment of a network of cyber intelligence entities engaged in tactical intelligence in support of their communities seems a more substantive debate than the narrow question about certifications.

By:  Doug DePeppe, Founder
Cyber Resilience Institute
First Published:  January 4, 2018 on LinkedIn