Stanley McChrystal: Cybersecurity is a unique challenge today because one, we are so utterly dependent upon our digital communications and our digital control of things and so it's going to become ever more essential that we have the ability to provide security that we're confident in. The challenge is if we were against Doctor No or Mr. Big in a cave somewhere and they got a bunch of people working, you could understand the threat and you could sort of limit the threat and the threat would have a predictable limitation in what they could do. They'd have to pick an avenue of approach and they'd have to go at that avenue of approach because they can't do all things at all times.
The problem with the cybersecurity; that's not the threat. There are some entities like that. There are some state-sponsored entities that are focused on certain things, but the barrier to entry into the cyberworld is very low. You can get in your basement in your boxers shorts and you can have a computer and you can get into the game. And it's sort of the idea of 10,000 monkeys typing on 10,000 keyboards; somebody is going to create a cybersecurity challenge. And it's constantly morphing and adapting, whereas the cyber security requirement is to protect things so you essentially have to protect everything that you value all the time. The people who want to attack that can attack at their choosing wherever they want and constantly change their attacks. Constantly just like water goes against a dam, it just goes until it finds the weakest point. At some point, something happens — technology changes, human error, technological glitch or whatever. There's a good likelihood that they'll get in.
And so, if you think about the cybersecurity problem the first thing I don't think will work is the Maginot Line. The Maginot Line was created by the French in the 1930s to prevent the Germans from doing a repeat of the first World War and invading France from Germany. People think of it now as the stupidest thing ever built, but it's not really correct because the Maginot Line actually worked. The Germans did not invade across the German/French border. Now, the fact is they went through Belgium. They still got into France and conquered France in the summer of 1940.
So I think the lesson to be learned is there has to be defensive things set up as best we can for cybersecurity, but it's going to have to be this constantly adapting, constantly morphing, defense in depth, with some offense too, with going out and figuring out where the threats are arising. And that defense in depth means that you can't have one line. The government can't put a big wall up and everybody hides behind it, nor do we want each organization, each commercial firm or government organization to be an island onto themselves just hoping that they're not the weakest wildebeest in the herd and that the lions will get somebody else.
What we really need is all those entities to be linked so that they constantly learn from one another. If one suffers a breach, everyone has to learn from it. Right now the challenge is people are loath to share that information. One, because commercially they might be hurt by reputation; also they're afraid the more you share the more you have the possibility of your little island is not completely separated. Your moat around it has got linkages across it and you can be opened up more. But we're going to have to get a network to defense where every time something happens, and we learn from it, the entire network learns immediately. We're going to have to have that kind of speed because there will be breaches. There will be mistakes. But the organisms have got to learn. It's going to have to be a lot like the human immune system. The human immune system is extraordinary because about 10,000 times a day it gets attacked by something that could hurt the human body. But as it responds and it sends out antibodies to it, it does it and it learns from that. And so if it has a breach one time, it actually builds up antibodies against that challenge and has them at the ready for the next time. That's how we build up immunity to things. And I think the human immune system is the way our cyberdefense is going to have to be, which means it has to be integrated.