# Cyber Is What We Make of It
"It's not what happens to you, but how you react to it that matters." — Epictetus
Not long ago an Atlantic Council op-ed in CyberScoop outlined ten key reforms to close America's cybersecurity gaps. The recommendations are sensible: migrate to memory-safe languages, apply formal verification to critical systems, establish zero trust architectures, build data resilience, conduct proactive threat hunting. Laudable, uncontroversial, and comprehensive; missing only the most critical factor.
The problem is that although the piece mentions resilience repeatedly, it treats it entirely as a property of systems: resilient architectures, regional resilience districts, data resilience. But the thing is: resilience is a human quality.
## First Principles of Cyber
There are three principles of offensive cyber identified by Matt Monte in Network Attacks and Exploitation. Principles that transcend constantly shifting technology: access, humanity, and economy. [2]
Access is the principle that there is always someone with legitimate access. "Some entity within the cyber world has the authority, access, or ability to perform any action an attacker desires to perform. The attacker's goal is to assume the identity of that entity..." [1]
Humanity reminds us that although cybersecurity is highly technical, it is designed, built, used, and monitored by humans. As Clausewitz wrote on cyber conflict, theory "must also take the human factor into account, and find room for courage, boldness, and even foolhardiness."
Economy is the principle that ambitions always exceed available resources. There are more goals than people, expertise, time, money, or technology can support.
Rewriting the world's software in memory-safe languages, for example, is a generational project. So until those solutions for fixing cybersecurity sometime in the future are realised, the world must deal with the insecure reality. And that means building resilience into people, processes, and technology. Strategies that address only the last two are missing over two thirds of the solution.
## The Duality of Response
In February 2022, Russia's invasion of Ukraine was accompanied by an "unprecedented series of destructive cyber attacks". Despite losing access to their Viasat communications and the wiping of government servers, Ukraine kept operating. Under intense cyber assault and a full-scale invasion, the government organised resistance, coordinated evacuation of civilians, mobilised the army and defence forces, and maintained contact with allies.
Just a few months later, in July 2022, Iran launched a similar, though smaller, cyber assault on Albania. The Iranians, like the Russians, deployed ransomware and wipers that temporarily shut down government digital services. Unlike Ukraine, Albania almost collapsed. Prime Minister Rama warned that the attack "threatened to paralyze public services, erase digital systems and hack into state records, steal government intranet electronic communication and stir chaos and insecurity in the country." [3] The government considered invoking NATO's Article 5 collective defence clause and later charged five IT officials with negligence, facing up to seven years in prison for failing to update their antivirus software.
Two countries facing similar attacks, and one practically had a nervous breakdown while the other continued to function. Granted, only one attack was accompanied by a ground invasion, yet that was the better handled of the two. Albania was psychologically unprepared for the cyber onslaught while for Ukraine, the attacks were "a problem to be managed, not a catastrophe to be survived."
The good news is that Albania went from institutional meltdown to confident resilience in just a couple of years. By 2024, the country had successfully defended against 105 cyberattacks without significant damage. As one official put it: "Our crisis became an opportunity to make our digital infrastructure stronger." Of course they invested in better technology, but the deeper change was psychological. After getting punched in the face a few times, they learned to take a hit.
## Conclusion
The Atlantic Council's ten points are, let's say, ambitious, although they would, if implemented, improve America's cybersecurity posture. However, what they would not do is address the real issue: people, the cause of, and solution to, all of cybersecurity's problems.
## References
1. R. C. Parks and D. P. Duggan, "Principles of Cyberwarfare," IEEE Security & Privacy, vol. 9, no. 5, pp. 30-35, Sept.-Oct. 2011, doi: 10.1109/MSP.2011.138.
2. M. Monte, Network Attacks and Exploitation: A Framework, Wiley, 2015.
3. "NATO allies condemn malicious cyberattack on Albania," Al Arabiya English, September 8, 2022.