Competition Strategy Amongst Nations in Sports and Cyberspace
The principles of a cyber defence strategy can be illustrated through high-performance sports. This three-part series will discuss the parallels between sports, big businesses, and cybersecurity using real-world examples.
Sport, big business, and military power have a common thread – competition.
The principles of competition and conflict are, after all, a human construct. First, we must appreciate that, for most countries, elite sport is not just a leisure activity; it is principally administered under the military and linked by extension to state power.
Similarly, industry competes for everyday survival in a globalized economy while being a proxy target in power struggles between nation-states. Sports analogies and military tactics are used all the time in big business. Cyber is defining today’s competitive landscape for everyone.
Over a 30-year career, I have participated in many forms of competition and conflict. I have applied lessons learned from sports competition to big business, cyber defence, and security. Let me share a few observations:
Having a winning strategy is critical, whether training for the Olympics, running a business, or fighting a war. A strategy is not just a statement-of-intent like “I want to win,” “we will spend $ on cybersecurity,” or “let’s schedule a round table meeting.” It is a comprehensive plan that includes discrete implementation steps and actionable outcomes. A plan starts with a well-defined goal, a mission, and SMART (Specific, Measurable, Attainable, Relevant, Time-Bound) objectives.
Meaningful objectives are outcome-based and supported by key performance measurements. In sports, this means establishing personal records or winning the game; in business, it translates to sales and profitability. For cyber defence, this may equate to measuring effective threat reduction, or limiting or deterring attacks. Many organizations invest substantially in security programs without defining what success should be.
To draw from The Art of War, you must first understand yourself, understand the terrain, and finally understand your adversary. We need a real starting point and a practical destination to build a plan. However, the first lie is the one we tell ourselves; this is why it is crucial to start with an objective gap analysis.
In sport, we would undergo extensive lab testing to establish hard physiological markers. Together with field-testing through training, time trials and races would provide both relative and absolute performance measurements. These indicators can be compared against milestones and the plan. Everything would be meticulously logged and reviewed by independent coaches and scientists. Competition is the biggest lie detector test one can take. Not only is competition a learning moment and an opportunity for self-reflection, but it is also the best way to study your adversary. Over a career, this amounts to several thousand competitions - thousands of performance polygraphs. Rigour in planning requires undergoing objective performance testing to provide both situational awareness and performance resiliency.
Analogously, cyber defence requires comprehensive attack surface analysis, vulnerability and penetration testing, capability gap analysis, development of a cyber common operating picture, and understanding the adversary through global cyber threat intelligence.
As an athlete, I want to know where the sport is going, watch what my competitors are doing, deconstruct their training, analyze physiological data, note race times, tactics, technological innovation in equipment or technique, and detect cheating with performance-enhancing drugs. Using sports platforms like STRAVA, I can track 42 million users worldwide and compare performances based upon 3 billion activity uploads.
Similarly, Cyber Threat Intelligence is critical for an effective defence. You will want to know everything you can about the adversary: their capabilities, intentions, tactics, techniques, and procedures. Your defences must match offensive tradecraft and likely attack vectors.
Canada’s food guide and exercise prescription may be satisfactory for essential health and fitness but are woefully inadequate for international sports competition. You need a far more sophisticated plan and commitment to the craft.
Similarly, conventional security standards, regulations, and systems may provide rudimentary protection (network health) but are ineffective against Advanced Persistent Threats (APT) and quickly get overrun in any conflict against a sophisticated adversary. Your firewall will do as much for you in a cyberwar as a Participation program will prepare you for an Olympic final.
PERFECT IS THE ENEMY OF GOOD
The mission in the sport of biathlon is to ski faster and drop the target as quickly as possible. There are no extra points if you waste minutes on the range just to hit the dead centre of the target.
Comparably, many organizations suffer from ‘paralysis by analysis’: the unrelenting development of doctrine, policy, internal reviews, closed process loops, and synthetic constructs against make-believe perceived threats. It is problematic when policy frameworks become more important than reality, or when the cyber defence does not match the adversary’s offensive tactics. Conventional cybersecurity is a lot like traditional martial arts. They are closed systems bounded by artificial rules (compliance with standards or policies written decades ago) that are ineffective on the street or in no-rules competitions.
Even the perfect plan is useless if delivered late. And these days, we are operating at the speed-of-cyber.
So, plans need to be elegant yet simple, evidence-based, timely, and just good-enough but better than standard.
Gameplay needs to be proactive, if not pre-emptive. Reacting only after your competitor scores on your net and then taking 120 days to find the digital puck is not an effective defence strategy. But this is what conventional cybersecurity teaches: Protect, Detect, Respond, Recover.
A proactive strategy would include predict and prevent functions that close down attacks. An active cyber defence strategy thus requires forechecking the adversary. Just like in sport, the offence is sometimes the best defence. Active defence takes the puck out of your zone and allows the offensive line to take shots on your opponent’s net. If your adversary is busy defending their attack infrastructure, they can’t launch attacks on you.
TECHNOLOGY FORECASTING AND EARLY ADOPTION
Most significant breakthroughs in human performance and warfare have occurred through disruptive technology. I have seen sports careers end overnight when coaches and athletes could not adapt to a new technique between seasons, or a fighter get KO’d in the ring because they never saw it coming.
I witnessed how organizations ignored the Internet, mobile communications, and cloud computing until it was too late. DVDs killed VHS, and online streaming turned the entertainment business on its head. Telecoms providers and media giants struggled to accommodate the power of the iPhone.
“Once a new technology rolls over you, if you’re not part of the steamroller, you’re part of the road.” 
In just the last few months, triggered by a global pandemic, we have moved to a cashless society, telecommuting, cloud adoption, online collaboration tools, and a ubiquitous requirement for security and cyber defence.
We saw this coming a long way off. Predictive strategies include investing in cyber foresight initiatives, which explore future trends, technologies, and tactics.
Competition drives innovation on the sports field and the battlefield. There is always something new every sports season. One needs to continually try new things, borrowing insight from other disciplines.
Cyber power is doubling every ten months; this means more challenging training courses, hyper-realistic test ranges, or applied research and development in the laboratory. The most advanced cyber defence strategies have an industry-led, academic-supported, and government-funded component to incubate next-generation, cyber-speed ideas.
In the second part of this three-part series, we will discuss the different aspects of sports and big businesses that parallel cybersecurity, such as speed, agility, adaptability and more.