A couple of people have asked me to clarify what I mean by Sieges (and parasites) in terms of the first Siege post and the subsequent strategy/problem space framework post. Here’s a quick email I wrote that might help:
Sieges and Parasites:
From a collective non-aggressor entity perspective, cybersecurity “conflict” is functionally a siege of the collective environment: Non-combatants trying to maintain a minimum level of survivability while they’re surrounded, being drained of resources, and lack sufficient environmental influence/position to make effective risk decisions.
Compare/Contrast Siege and Parasitic Environment as conflict types to: crime, espionage, battlefield warfare, natural events. These latter tend to be incident/event driven, where the risk and responses to a siege are more environmental over time, with incidents to individuals happening but being largely irrelevant except as they contribute to the overall lack of stability/freedom to operate.
This though process got kicked off for me while reading about the siege of Sarajevo in particular. Imagine – you (a private org standing in as a citizen for this narrative) are in a city surrounded by artillery and snipers and you have to decide how best to keep getting water, which involves cross several streets through town. Some streets are vaguely safer than others, usually, but not necessarily. You occasionally can see or have insight into the people on the hills, but not usually. There are dedicated defenders around, but theyre not well positioned and lack the capacity to defend everyone all the time. Your resources are limited and your freedom to operate is constrained further over time as resources diminish. You can be hit at any time once you move from a standstill from your base/home (and even then, without change, you are at some risk). You sort of make up criteria for decisions that help you feel safer (has anyone crossed that street recently? Were they shot at?) but aren’t really indicative of actual risk.
In this case, trying to decide how and when to get water as a risk based decision is almost a nonsensical proposition: You don’t control your environment, you have a lot of exposure, and you lack relevant information that would change your situation significantly (this isn’t the same as lacking data, just helpful data).
This scenario is substantially different from how we look at cybersecurity and infosec today: Individual defenders, with sufficient skill and competency, access to resources indefinitely and as needed, on a relatively level playing field, trying to prevent, manage, or mitigate individual events on their own.
Ultimately, right now, we’re asking a bunch of non-combatants (you know, most businesses) to have the capacity to effectively and sustainable participate in what is becoming a low level global conflict (inclusive of state to state, criminal, hacktivist, etc activity) while under siege.
This is a broken model and will never, ever get us where we want to be (for more reasons than I’ll lay out here). We have to break the siege (thoughts on that being out of scope for the moment), which involves a level of strategic cooperation and unity that present culture, politics, business realities, and law do not allow.
(The Parasitic environment analogy is more specific to single-organizations, as it allows for specific targeting: https://sintixerr.files.wordpress.com/2015/01/hackervaluechain2.jpg )
Aside: Interestingly, though, from an aggressor standpoint, it might or *might not* look like either a siege or a parasitic environment – ie, aggressors acting individually and *without* coordination are contributing to creating a separate conflict type for defenders (Siege).