In medicine, hypertension (high blood pressure) is commonly referred to as a "silent killer," undetected until it is too late. Today our cyber defenders, more than 90% of whom sit in privately owned critical infrastructure, face a silent epidemic of their own, one embedded in our systems, codebases, and institutional culture. Many organizations keep data backups that check the compliance box but never verify that those backups can actually be restored after an attack. This silent killer has surfaced in countless cyberattacks that target the backups first. Once the backups have been destroyed, deleted, or degraded, the adversary goes after the production environment, leaving the victim with nothing to recover from.
The absence of cyber recovery is the silent killer of critical infrastructure systems. Organizations that meet legacy backup requirements concentrate their investment, compliance effort, and testing on attack detection and prevention. The same systems lack the cyber recovery capability needed to restore operations quickly after an attack such as ransomware or a wiper.
No tests, no symptoms, no alarm
The medical field has developed tools to identify and detect hypertension. Blood pressure cuffs, blood panels, scans, and trained specialists have fine-tuned the ability to identify and treat the condition early.
In cyber, "tests" for cyber health or resilience do not exist. There is no routine screening of cyber-resilient backups, no testing that gauges a backup's ability to recover, no security vital signs, and no check-ups to detect a problem before it metastasizes. Instead, companies compete for business, fine-tuning their sales pitches and rushing code to market with the lowest-cost, minimally compliant solutions. Compliance does not translate into the security or resiliency of a system. Organizations do not have the digital equivalent of a blood pressure monitor, let alone the nurses or technicians trained to use one. The typical defense contractor, like a nurse directed to treat an invisible illness they have never studied, is ill-equipped and under-incentivized to recognize the signs. Most personnel are not looking for problems outside the narrow scope of what the government is paying them to deliver. The expectation is that modernizing and sunsetting systems is the preferred way to deal with it. "Good enough" is the accepted standard until something goes horribly wrong.
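As an added illustration of what a routine "vital signs" check for backups could look like (this script is constructed for this page and is not code from the article or from any product it mentions), the check below verifies three things a restore drill depends on: that every backup object still matches a manifest whose HMAC key is kept off the backup host, that the newest backup is within a recovery point objective, and that at least one copy is recorded as immutable or offline. The manifest layout, the `immutable` flag, the 24-hour RPO, and the sample backup files are all assumptions made for the example.

```python
"""
Added example (not from the original article): a minimal "vital signs"
check for a backup set.

  1. integrity  - each backup object matches the SHA-256 in a manifest, and the
                  manifest carries an HMAC made with a key that is NOT stored
                  beside the backups, so an attacker who rewrites both the data
                  and the manifest still fails the check;
  2. freshness  - the newest backup falls within the recovery point objective;
  3. isolation  - at least one copy is flagged immutable/offline, so deleting
                  the online copy cannot take the recovery path with it.

Manifest format, the `immutable` flag and RPO are assumptions for this example.
"""
import hashlib
import hmac
import json
import os
import tempfile
from datetime import datetime, timedelta, timezone

RPO = timedelta(hours=24)  # assumed recovery point objective


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(entries: list[dict], key: bytes) -> dict:
    """entries: [{"path", "sha256", "taken_at" (ISO 8601), "immutable"}]"""
    body = json.dumps(entries, sort_keys=True).encode()
    return {"entries": entries,
            "hmac": hmac.new(key, body, hashlib.sha256).hexdigest()}


def check_backups(manifest: dict, key: bytes, now: datetime) -> list[str]:
    """Return findings; an empty list means the backup set passes."""
    findings = []
    body = json.dumps(manifest["entries"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest.get("hmac", "")):
        findings.append("manifest HMAC mismatch: manifest altered or key wrong")
        return findings  # nothing below can be trusted
    newest = None
    any_immutable = False
    for e in manifest["entries"]:
        if not os.path.exists(e["path"]):
            findings.append(f"missing: {e['path']}")
            continue
        if sha256_file(e["path"]) != e["sha256"]:
            findings.append(f"corrupt: {e['path']}")
        taken = datetime.fromisoformat(e["taken_at"])
        newest = taken if newest is None or taken > newest else newest
        any_immutable = any_immutable or bool(e.get("immutable"))
    if newest is None or now - newest > RPO:
        findings.append("stale: no backup within RPO")
    if not any_immutable:
        findings.append("no immutable/offline copy recorded")
    return findings


def demo() -> dict:
    """Constructed scenario: a healthy set, the same set with a tampered
    manifest, and the set after an adversary deletes one copy and rewrites
    the other. Returns the findings for each case."""
    key = os.urandom(32)  # in practice kept off the backup host
    now = datetime(2024, 1, 2, tzinfo=timezone.utc)
    d = tempfile.mkdtemp()
    paths = [os.path.join(d, n) for n in ("db-online.bak", "db-immutable.bak")]
    for p in paths:
        with open(p, "wb") as f:
            f.write(b"constructed backup payload\n")
    taken = (now - timedelta(hours=6)).isoformat()
    entries = [
        {"path": paths[0], "sha256": sha256_file(paths[0]),
         "taken_at": taken, "immutable": False},
        {"path": paths[1], "sha256": sha256_file(paths[1]),
         "taken_at": taken, "immutable": True},
    ]
    manifest = build_manifest(entries, key)
    results = {"healthy": check_backups(manifest, key, now)}
    # Attacker edits the manifest to hide a change; the off-host key catches it.
    tampered = {"entries": [dict(e, immutable=True) for e in entries],
                "hmac": manifest["hmac"]}
    results["manifest_tampered"] = check_backups(tampered, key, now)
    # Attacker deletes the online copy and silently overwrites the other.
    os.remove(paths[0])
    with open(paths[1], "wb") as f:
        f.write(b"garbage\n")
    results["attacked"] = check_backups(manifest, key, now)
    return results


if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, "->", findings or "OK")
```

The point of the HMAC is that the manifest is only as trustworthy as the key's isolation: if the key lives on the same host as the backups, an attacker who gains that host can rewrite both and the check passes. Schedule `check_backups` to run from a separate, restore-capable host, and treat any non-empty finding the way a clinician treats an abnormal reading: investigate before it is needed in an emergency.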
Contracting for stagnation
But the structural problems extend far deeper. In government, innovation continues to be impeded by bureaucracy. Contract vehicles are fixed years in advance. Money is spent on technology requirements that become obsolete before the ink on the page dries. Updating these contracts costs time and money: every change request needs its own approval process, and the work required to modify a $500,000 contract is the same as for one valued at $5 million. This pushes organizations to go big and programs to stay the course, because any change becomes too onerous. A process meant to enable agility and innovation instead produces further inertia.
Innovation is casualty #1
While the private sector innovates in such critical areas as artificial intelligence, machine learning, and autonomous vehicles, DOD continues to use legacy IT systems built around email and static information sharing. AI is interesting and attention-grabbing, often getting the lion's share of funding, but it is frequently bolted on top of fragile, insecure infrastructure. The result is a veneer of modernity that masks a brittle foundation just beneath the surface.
A security mirage
Security is not something you can simply "add on." It must be baked into the architecture, with continuous feedback loops, testing, and adaptation. Too much software developed today is deployed first and retrofitted with security afterward. That is like bolting a lock onto a door that has already fallen off its hinges. We are failing to build security in.
Software factories and the shift from government off-the-shelf (GOTS)
There is hope in software factories—like those supported by innovation-driven programs including AFWERX. These factories aim to replace cumbersome GOTS solutions with agile, modular, continuously deployable software built around user needs. DevSecOps, automated testing, and refined feedback loops are emphasized. But without a culture that prioritizes resilience and proactively invests in cyber hardening, even the best development pipeline produces insecure results.
The software factory model must be paired with rigorous exercises that test how systems behave under duress. Just as military units run combat simulations, our digital infrastructure should regularly undergo cyber wargames: red teaming, resilience testing, and simulated takedowns. We should already know what happens if email fails at a Combatant Command. That question is not theoretical; it is a scenario that demands rehearsal.
Building muscle memory through cyber exercises
We must embrace failure as a teacher. Organizations avoid stress-testing their systems because they do not want to face what they might find. But just as you would rather detect hypertension at a routine check-up than in the middle of a heart attack, it is far better to uncover a weakness during a drill than in the midst of an active breach.
We need institutionalized exercises in which networks are taken offline, dependencies are severed, and incident response plans are run under real-time pressure. These simulations should not be the exception; they should be routine, embedded into operations and building the muscle memory that cyber resilience requires.
Conclusion: Diagnosing the disease
The absence of cyber resilience is a silent killer because it thrives on invisibility, delay, and denial. Our systems operate in the background, untested and unchanged, until crisis strikes. Warning signs abound. But without resilience-focused requirements, adequate tools, training, testing, and the will to look, those weaknesses remain in place, waiting for a malicious actor to find and exploit them.
Developing the digital equivalents of diagnostic scans and wellness checks for critical infrastructure systems is long overdue. We must empower technical experts, overhaul outdated procurement models, and create space for innovation unimpeded by red tape. It is time to stop pretending that cybersecurity is something we can buy off the shelf and start treating it as a discipline we live and breathe every day.
We ignore a silent killer in our bodies at our own peril. We cannot afford to ignore it, or be caught off guard by it, in our critical infrastructure networks. Failing to act will have far-reaching consequences for the very systems people rely on to deliver essential services every day.