Information Assurance and Defensive Cyber Operations – An Important Distinction

During a recent planning meeting I found myself explaining my views on the difference between Information Assurance (IA) and Defensive Cyber Operations (DCO). This is something I do a lot, but it is worth doing because it is an important distinction. Knowing which you are pursuing ultimately determines what you do, the mindset and methodology you adopt and who in your organisation is accountable.

IA has been established and understood for some time and, until recently, it sufficed as an approach to achieving protection in cyberspace. IA is focused entirely on protecting information systems at an accredited baseline level. This covers technical measures, both hardware and software, but also extends to the physical security wrap around a system. Routinely these measures are built into procurement so that a base level is achieved at the beginning of a system’s lifecycle. This is then maintained through life with periodic reviews and frequent updates and patching. Both figuratively and literally, it is making sure the door is locked and the intrusion alarm is on.

Until fairly recently IA was considered sufficient; if the accreditors ticked all the boxes on their inspection sheet, then information was ‘safe’. There are benign occasions when this might be true, but in the majority of cases, and especially on deployed military operations, a completely different approach is required to raise the standard well above base level protection.

This delta is met by Defensive Cyber Operations. These are fundamentally different from IA in that they focus on mitigating operational risk by delivering Cyber Mission Assurance. This is not the domain of the accreditor, rather ownership sits squarely with leadership and their operations team.

DCO are proactive and draw on an offensive spirit; they are the antithesis of sitting in a locked house not knowing what threat lies outside. They are rooted in understanding and therefore begin with detailed and aggressive threat analysis so that the intent and capability of the adversary are understood. This should include actively hunting for adversary activity. Additional measures can then be taken to counter that threat. DCO are less worried about protecting individual systems and more concerned with operational resilience, so business continuity and rapid response and recovery become essential. Perhaps most importantly, DCO are not limited to protecting information on command and control systems. Their scope is much wider: essentially anything that could impact the mission must be considered. This includes platforms, Industrial Control Systems, supply chain systems and welfare communications, irrespective of who owns them. Finally, under certain definitions, and with the correct authorities in place, DCO can include the ability to strike back at an adversary to stop, or even prevent, an attack.

Fundamentally, protecting our businesses in cyberspace is about mindset. To do it well we must think more in terms of operational assurance and less about simple compliance.