S4x23 Review Part 1: What’s New in OT Security

In this blog, I will introduce discussions from S4 over several posts. The first installment will cover two topics from the academic interviews.


Interview with Michael Fischerkeller

Author of Cyber Persistence Theory

Fischerkeller is a senior researcher in the Institute for Defense Analyses and has been involved in shaping US government security policy for over 25 years. Based on this experience, he published “Cyber Persistence Theory” with two co-authors, aiming to bridge the gap between cyber security theory and policy. Dale interviewed him based on this work.

Upon reading his book entitled “Cyber Persistence Theory” and attending the talk, I found that:


  • Cyberspace is a completely different third strategic environment from traditional strategic environments.

  • Adversaries are constantly in contact with each other due to interconnectivity.

  • Countries exploit their adversaries’ vulnerabilities for their own benefit.

  • The cumulative effect can exceed the benefits of traditional warfare.

As a symbolic term to explain the characteristics of cyberspace, Fischerkeller mentioned the difference between “exploitation” and “coercion”.

Coercion and exploitation are two different concepts in the context of national security. Coercion is a strategy that involves the use of threats or force to compel another state to change its behavior or comply with certain demands. For example, a state might threaten military action or economic sanctions in order to coerce another state into stopping its nuclear program or withdrawing from a disputed territory. Coercion is often used as a means of deterrence, to prevent an adversary from taking a certain action.

Exploitation, on the other hand, involves taking advantage of vulnerabilities or weaknesses in another state’s national security or economy. This can involve activities such as cyber-espionage, theft of intellectual property, or infiltration of key government or military organizations. The goal of exploitation is often to gain strategic or economic advantages over another state.

While coercion and exploitation can both be used to achieve national security objectives, they are different in their approach and methods. Coercion relies on the use of threats or force, while exploitation relies on taking advantage of vulnerabilities.

He also stated that promoting the logic of “exploitation” is an initiative and that asset owners gathered at the venue should prioritize driving their own business to increase national power.


Interview with Eugene H. Spafford, Professor at Purdue University

This interview with Spafford, a legend in the security community, pointed out misconceptions in cybersecurity and inspired the audience based on his over 40 years of experience.

Spafford claims that the top priority of cybersecurity should not be security itself. Cybersecurity should protect users and their activities from attackers and losses, in order to support users in achieving their original goals.

Security professionals tend to focus on maximizing security capabilities, but they should aim for appropriate security after understanding users and their context well.

He also said that the understanding that defense always falls to offence is a major misconception. It is not always true that offence is easier than defense. For example, the cost of attacking critical infrastructure may not be lower than the cost of defending it. The defense side seems to spend too many resources learning attack methods. The cost of defense depends on the value of what needs to be protected, and it is a challenge that can be considered before thinking about how and by whom attacks will come.

In addition, he said that a common problem is the pile-up of security tools. This is due to the misconception that the more tools there are, the more secure it will be. Too many tools increase complexity, cause fatigue, burnout, and errors in the security team, and can actually increase risk. New tools are meant to help security teams, not to cause overwork.

Recently, Spafford compiled over 175 cybersecurity misconceptions into one book. Each chapter is accompanied by humorous hand-drawn illustrations, making it an ideal introductory book on cybersecurity.

In the next article, I will focus on cybersecurity in the energy industry, which was one of the topics highlighted at S4x23.

Reference:

Cyber Persistence Theory: Redefining National Security in Cyberspace (Bridging the Gap)

Cybersecurity Myths and Misconceptions: Avoiding the Hazards and Pitfalls that Derail Us