Updated on:
October 16, 2020

Competition Strategy Amongst Nations in Sports and Cyberspace

Lise Meloche, Olympian and World Cup Gold Medalist - Credit: O2 Films

The principles of a cyber defence strategy can be illustrated through high-performance sports. This three-part series will discuss the parallels between sports, big businesses, and cybersecurity using real-world examples.

Sport, big business, and military power have a common thread – competition.

The principles of competition and conflict are, after all, a human construct. First, we must appreciate that for most countries elite sport is not just a leisure activity; it is principally administered under the military and linked, by extension, to state power.

Similarly, industry competes for everyday survival in a globalized economy while being the proxy target in power struggles between nation-states. Sports analogies and military tactics are used all the time in big business. Cyber is defining today’s competitive landscape for everyone.

Over a 30-year career, I have participated in many forms of competition and conflict. I have applied lessons learned from sports competition to big business, cyber defence, and security. Let me share a few observations:

STRATEGY

Having a winning strategy is critical, whether training for the Olympics, running a business, or fighting a war. A strategy is not just a statement of intent like “I want to win,” “we will spend $ on cybersecurity,” or “let’s schedule a round table meeting.” It is a comprehensive plan that includes discrete implementation steps and actionable outcomes. A plan starts with a well-defined goal, a mission, and SMART (Specific, Measurable, Attainable, Relevant, Time-Bound) objectives.

Related: https://www.linkedin.com/pulse/olympic-goals-require-strategy-dave-mcmahon/

DEFINING SUCCESS

Meaningful objectives are outcome-based and supported by key performance measurements. In sports, this means setting personal records or winning the game; in business, it translates to sales and profitability. For cyber defence, this may equate to measuring effective threat reduction, or limiting or deterring attacks. Many organizations invest substantially in security programs without defining what success should be.

SITUATIONAL UNDERSTANDING

To draw from The Art of War, you must first understand yourself, understand the terrain, and finally understand your adversary. We need a real starting point and a practical destination to build a plan. However, the first lie is the one we tell ourselves; this is why it is crucial to start with an objective gap analysis.

In sport, we would undergo extensive lab testing to establish hard physiological markers. Together with field testing through training, time trials, and races, this would provide both relative and absolute performance measurements. These indicators can be compared against milestones and the plan. Everything would be meticulously logged and reviewed by independent coaches and scientists. Competition is the biggest lie detector test one can take. Not only is competition a learning moment and an opportunity for self-reflection, but it is also the best way to study your adversary. Over a career, this amounts to several thousand competitions - thousands of performance polygraphs. Rigour in planning requires undergoing objective performance testing to provide both situational awareness and performance resiliency.

Analogously, cyber defence requires comprehensive attack surface analysis, vulnerability and penetration testing, capability gap analysis, development of a cyber common operating picture, and understanding the adversary through global cyber threat intelligence.

INTELLIGENCE

As an athlete, I want to know where the sport is going, watch what my competitors are doing, deconstruct their training, analyze physiological data, note race times, tactics, and technological innovation in equipment or technique, and detect cheating with performance-enhancing drugs. Using sports platforms like STRAVA, I can track 42 million users worldwide and compare performances based upon 3 billion activity uploads.

Similarly, Cyber Threat Intelligence is critical for an effective defence. You will want to know everything you can about the adversary: their capabilities, intentions, tactics, techniques, and procedures. Your defences must match offensive tradecraft and likely attack vectors.

BEYOND STANDARDS

Canada’s food guide and exercise prescription may be satisfactory for essential health and fitness but are woefully inadequate for international sports competition. It would help if you had a far more sophisticated plan and commitment to the craft.

Similarly, conventional security standards, regulations, and systems may provide rudimentary protection (network health) but are ineffective against Advanced Persistent Threats (APT) and quickly get overrun in any conflict against a sophisticated adversary. Your firewall will do as much for you in a cyberwar as a Participation program will prepare you for an Olympic final.

Related: https://www.linkedin.com/pulse/fortress-strategies-walled-gardens-dave-mcmahon/

PERFECT IS THE ENEMY OF GOOD

The mission in the sport of biathlon is to ski faster and drop the target as quickly as possible. There are no extra points if you waste minutes on the range just to hit the dead centre of the target.

Comparably, many organizations suffer from ‘paralysis by analysis’: the unrelenting development of doctrine, policy, internal reviews, closed process loops, and synthetic constructs against make-believe perceived threats. It is problematic when policy frameworks become more important than reality, or when the cyber defence does not match the adversary’s offensive tactics. Conventional cybersecurity is a lot like traditional martial arts. Both are closed systems bounded by artificial rules (compliance with standards or policies written decades ago) that are ineffective on the street or in no-rules competitions.

Even the perfect plan is useless if delivered late. And these days, we are operating at the speed-of-cyber.

So, plans need to be elegant yet simple, evidence-based, timely, and just good-enough but better than standard.
