What Cybersecurity Can Teach Us About Defending Democracy

No government has stood the test of time in a single form. Democracy in ancient Greece crumbled. Rome’s republic burned. Monarchs and emperors alike have seen rises and collapse for ages. Whether it’s the sun setting on the British Empire or American democratic safeguards torn down, being on guard to defend and maintain a society whose system of values has made it rather unique throughout history is a charge that all who recognize its importance and value need to embrace as their own.

In that vein, defending a nation that stands for freedom of expression can be difficult. The loudest voices can oftentimes control the national megaphones, even when they decry said values or even wish to curtail our liberties under the guise of saving them.

In the last chapter of his book, Ship of Fools, Fox News’ biggest pundit Tucker Carlson wrote:

“There are two ways to end this cycle. The quickest is to suspend democracy. There are justifications for this. If your voters can’t reach responsible conclusions, you can’t let them vote. You don’t give suffrage to irrational populations, for the same reason you wouldn’t give firearms to toddlers: they’re not ready for the responsibility.”

His other option was to take care of the people of the nation, however, his views on what “care” actually stands for are more ambiguous and debatable than the clarity of his first option.

With millions of viewers tuning into his nightly, and now daily shows, there is widespread support among his followers for the words in his bestselling book. The suspension of what the core of a society is means to inevitably alter it for good.

As a recent example, the military in Myanmar decided they didn’t like the results of their country’s democratic vote and chose to take over the nation via a coup to “protect it” until another election could be had (with ideally a more favorable results for them, no doubt). To date, their military hasn’t left power and it’s not looking like they’ll be handing over the reins to the government to civilians any time soon. If a military can suspend democracy temporarily, it can suspend it permanently.  The faith that their citizens had in the democratic process has been shaken to the core and time will tell if that trust can ever be rebuilt.

Thus, defending ourselves against the suspension of rights (or worse) is something that needs to be understood by the general population so we can start taking action as needed. For that, there is no better place to look than how we approach cybersecurity. A holistic cyber defense strategy teaches us many critical lessons for protecting society and with that in mind, here are some of the core lessons Cybersecurity can teach us so we can hopefully avoid the end of democracy as we know it.

Without An Understanding Of Risk, We Cannot Properly Defend Society 

I like to say that cybersecurity is simply the quantification of risk and then the implementation of risk mitigation. If an organization cannot understand the financial and reputational damage caused by something like a hacking event, in hard and soft dollars, then how do they know their current defenses are proper and capable of withstanding an assault? Maybe production can only be down for six hours before it’s so economically unviable for the organization. Maybe marketing can be down for a week and no one cares! If this type of quantification doesn’t occur, then learning the hard way is usually the name of the game.

Society is no different. How do we quantify the risk for a country the size of the United States? The same way we look at everything else. Identify the threats, quantify the damage they can do, and then put a plan of action in place to mitigate them. This is why the riot on January 6, 2021, was horrific to much of the country. The illusion of security and a thoroughly peaceful political process for the nation was shattered. The government had not anticipated the mob that day despite all the warnings online, and the defenses were caught totally off guard and understaffed.  As Congress and the Department of Justice continue to sort through the events and actions preceding that day, it’s important to fully identify the warning signs and risks associated with those that were involved to try and fully mitigate another potential attack.

Proactive Vigilance Is Absolutely Required

 If you have ever experienced data corruption in your life then you understand that corruption continues to get worse until it is identified and fixed. In the age of the hacker, we in cybersecurity have developed tools and platforms that help actively monitor for anomalies and events so we can get ahead of developing attacks, spreading infections, and more. Those organizations that fail to implement proactive strategies for this level of vigilance are the ones that make the news. SolarWinds, Colonial Pipeline, Marriott, and on and on are all unfortunate examples of what I’m talking about in their own way.

Vigilance for threats that undermine society as a whole must be addressed before they spread like cancerous corruption. When the leadership of a government does not adhere to the guiding principles of the country then judicial action under the framework of the society is warranted. South Korea recently tried and convicted their former President under this premise. The United States has seen its share of congressional members tried and convicted in the past for various crimes. No one, not even a president, can be above the law. Historians have debated that when President Ford pardoned President Nixon after his resignation, it set a precedent that the president is above the scrutiny of the law. In a legal framework like the United States, that should not be the case. Everyone gets their day in court and a president, or former president, should not receive exemptions.

This vigilance is required for all branches of the government. Any civil servant that is caught attempting to undermine The Constitution needs to be investigated and removed from service with any clearances revoked if they are found guilty in a court of law.

Finally, the assumption that institutional safeguards are both fully in place and will prevent corruption is a false sense of security. This is also why good cyber defense strategies are continuously checked and tested. Recently, Julie Ioffe of Puck said that “Institutions… are just buildings with people in them and it very much depends what kind of people you shove into those buildings.” Meaning, that the character and ethics of those people are what hold the line against coups and takeovers. France recently saw this in action as two opposing political parties formed a coalition to keep a more extreme party from assuming power. Though, these parties agree on basically nothing, both understood that all is lost when extremists can permanently remove them and
change the nation for good.

Education Is The Difference Between Life And Death 

 I like to tell my clients that I can build them a Ferrari of a cyber defense strategy, but if I’m turning the keys to said Ferrari over to a chimpanzee then how far are we going to get? We have to learn how to drive. Knowledge of how your government operates is no different.

Recent polling of the American public shows that a shocking number of Americans are failing civics in general. An unhealthy percentage cannot name all three branches of the government, which means they do not understand concepts like “separation of powers” or the “checks and balances” methodology that ensures no one branch can assume too much power. It is this lack of knowledge that leads another unhealthy percentage of Americans to think that the president (leader of the Executive Branch) should be able to remove a sitting judge (member of the Judicial Branch) that they disagree with. That is acceptable in autocratic and authoritarian countries where judges are used to confirm the will of the leader only, but not in a healthy democracy.

Artist Francisco Goya said, and painted; “The Sleep of Reason Produces Monsters.” I wish he was wrong.

Resiliency With Some Rigidity Must Be Baked Into Everything 

The ability to quickly recover and adapt to a disaster is key in a cyber event. Having a contingency plan that works as a playbook during any type of crisis is key to survival. Whether it’s a ransomware event or tornado, an organization has to quickly assess the situation, communicate with key stakeholders, execute coordinated recovery operations, perform an impact analysis and try and plan for improvements once the dust has settled. The rigidity in this situation is adhering to the policies, procedures, and principles everyone has agreed to. In this manner, everyone does their job during a crisis and improvement will come upon review in the aftermath. Nations can be no different. Disasters can strike but the institutions must hold the line if the country is to survive.

Living in a democracy is adhering to the principles and laws of the land. When improvement is needed, it is vocalized, debated in good faith, and voted upon. However, most importantly it’s voted on peacefully. Change may come slowly but it does come and usually for the greater good when all parties adhere to the system. If the past few years have taught us anything, it’s that this societal resiliency is being tested and stretched. In the book “How Democracies Die” authors Steven Levitsky and Daniel Ziblatt offer multiple examples of how the resiliency of unwritten rules that guide the American government has been tested or even broken.

“Mutual Toleration” is the concept that both political parties and their followers understand and respect the other side. Both sides accept that they have an equal shot at winning elections and shaping the future of the nation. However, without the rigidity of this unwritten rule, trust breaks down and so does the resiliency the people have enjoyed knowing everyone has the same chance at success.

Polls show that, once again, an unhealthy percentage of people see the other side more as deeply immoral than simply wrong. That assumption that we are all in this together and working for the greater good (even when we disagree on what that is) is sadly becoming a thing of the past. Without restoring this trust, the United States can never recover and come back together as a nation.

Complacency Will Doom Us All 

 Complacency is one of the biggest challenges security professionals faces. New and innovative technology, designs, strategies, and approaches are constantly being developed and adopted by those organizations that recognize they need to keep up with defense if they’re going to be successful in protecting their intellectual property, revenue, people, and more. These are the organizations that are much less susceptible to events like ransomware. The organizations that keep doing the same thing over and over, whether it’s renewing that antiquated firewall under the assumption it’s just as good as new solutions or not understanding the ever-changing threat landscape and adjusting defenses accordingly are the ones we see on the news when all of our credit cards and passwords were compromised and put for sale on the dark web.

If the rise in the last decade or so of domestic violent extremism around the world should have taught all governments anything, it’s that those that threaten stable society take their time to assess; the flaws in the law that can be exploited, the gaps in traditional security that allow things like bombings, and the ability to leverage new technologies to try and gain popular support for their antithetical ideologies. The rise of social media and the free and open communication platforms that connect billions of people has been a disaster for the stability of nations around the globe. Every conspiracy theory from flat earth to JFK Jr. is alive and well, is running rampant across the Facebooks and Youtubes of the world with little to no checks. Artificial Intelligence isn’t the same as a human reviewing a controversial post for nuance and with billions of posts happening daily it’s almost impossible to police. Facebook tried, failed, and appears to have given up as CEO Mark Zuckerberg is now focused on depressing us in virtual reality. Face
book is spinning down vital research tools the world was using to track disinformation and extremism, which puts stable countries in an even more precarious position.

If the fascists of the 1920s and 1930’s taught us anything, it’s that a motivated and violent few can topple governments and the general population isn’t educated or motivated enough to stop it from happening. If the current stable democracies are to survive this current onslaught, the lessons here need to be at the forefront of the public consciousness. If we are asleep at the wheel, the monsters really will be legion. It’s time to get moving.