Cyber Security: Defending against modern society’s deadliest menace
In July 2016, NATO officially recognised cyber security as a domain of war, and as such, recognised that international law applies to cyberspace. An ever more sophisticated generation of cyber criminal, ranging from the lone wolf to the state actor, is threatening the very fabric on which our digitised society is founded. It is not too far-fetched to imagine that the modern-day cyber menace is becoming as much of a danger to the civilised world as standing armies.
In this interview, we speak to Phil Davies of Defence Intelligence & Cyber at Atkins, an expert in the intelligence and cyber arena. He discusses the nature of the cyber threat, how to mitigate it and what is next for the defence industry in the expanding battlespace of cyber warfare…
Defence IQ: Phil, what challenges have been created as a result of the increasing digitisation of society, and the growing cyber threat?
Phil Davies: Well, firstly, we all live in this increasingly digital world. A world where we see, almost daily, an increasing threat coming from different actors. And secondly, we're not just talking about what we were, say, five or maybe ten years ago, when we talked about internet security, where we were referring to just communications networks, and information and communications technology.
Today security is about wider technology and systems being used across society that are increasingly digital, and that are all operated in a very competitive and increasingly connected world.
DIQ: So how does that evolving cyber threat impact on defence, in particular?
PD: Today defence forces operate in the same environment as the rest of the world. In the past, they would operate in bounded operational environments, away from civilian populations. They'd fight in a traditional way against known adversaries, often traditionally organised armed forces.
But now it's very different. There are a range of factors impacting on defence operations.
First, cyber-attacks against defence operations now originate from a range of potential threat actors from hacktivists to hostile intelligence services. They're operating in what we would, conventionally, call peacetime, rather than just wartime. In fact the boundaries between peace and war are increasingly blurred.
Secondly, defence has dramatically increased its use of commercial off-the-shelf, or COTS, technology. You can see the appeal, because it offers lower cost solutions and it's able to be brought into service much faster than long military procurement programmes, and often at lower cost. So, COTS systems are increasingly used on the battlefield in the whole operational area, by defence forces.
And that leads to the third area, where we're operating in the same interconnected world, as I mentioned earlier. So defence is in contact with its civilian infrastructure on a daily basis often using global transport and supply networks. That technology was designed from the outset to be interconnected, and so Defence is interconnected into a civilian infrastructure whether it planned it or not.
Finally, defence has many platforms that have been operated for a long period. So at any one time, in modern defence forces, you will have systems that are still in development, where you could make them secure by design at an early stage. But you've also got systems, which are already in service. And they were designed in a time when the cyber threat wasn't as great as it is today. And those systems remain in service for long periods, across complex platforms such as ships, armoured vehicles, and aeroplanes. Those present an interesting challenge for modern defence forces trying to mitigate the cyber threat.
DIQ: Phil, you’ve delineated the threats that the defence business, in particular, is dealing with. How do you think that those challenges should be mitigated?
PD: This is a complex environment, and you need to be very careful and considered in the way you do this. There's an immediate reaction to dive in and fix the first issue. So my approach would be to, first of all, take a strategic view. You need to understand the vulnerabilities and threats. You need to understand the dependencies, for example, on civilian infrastructure.
And once you understand that, you need to develop a coherent policy and strategy. So people talk about cyber in defence and people talk about electronic warfare. Well, actually, there's a combined cyber and an electro-magnetic activities approach by some nations, known as CEMA, which links the two very closely together. So policy and strategy need to be developed coherently with other capability areas.
Then there needs to be a very rapid scan of cyber vulnerabilities. And we're talking here, again, not just about information and communications technology, but we're talking about the systems that defence uses, the platforms from aircraft, to ships, to boats, to land platforms. Look at those vulnerabilities, and gain sufficient situational awareness that allows you to take decisive action.
And that cyber vulnerability approach, which looks at a very simple model; you collect information, you model the system, you understand its vulnerabilities, and you validate it. That sort of approach will allow you to make balanced judgements on whether you treat one of these risks, or you tolerate it. Because some of these platforms will be in service for a long time to come. They can't just be left alone, in the hope that they'll be replaced by something more secure later.
Finally, defence needs to draw on expertise from a variety of sources. And that much of the equipment we're using in defence, as I mentioned earlier, is off the shelf equipment. Some of it is using the same sensors, the same systems that are used in other industries. So defence needs to draw on the experience of industry, particularly those that are working in other sectors. And it needs to draw on the national agencies, and the experience of allies.
DIQ: What do you think can be learnt from parallel industries?
PD: I think, first of all, that you need to take the view that future operations will not just be conducted in small, isolated parts of the world.
If you look at recent experience on a global position, where nations have been in conflict with other nations, they’ve attacked their critical national infrastructure, rather than undertaken the traditional hard attack that you've seen in the past. Given this, I would argue that these other industries, particularly those operating critical national infrastructure, have already recognised that they must improve their cyber resilience, rather than just thinking it was a military or defence problem.
So for example, in our experience in the civil nuclear business, this cyber risk is seen as a risk to the business and its operations, not just a risk to the IT. So a range of industrial control systems have now cyber security built-in by design. Many of our power stations have been running for 20 or 30 years, so even as those legacy systems are maintained, the new cyber threat presents new vulnerabilities. So work has to be done to examine those threats, to see where they're coming from, the threat vectors, how they're being attacked, and then to deal with the threat accordingly.
At the other end of the scale, in cutting edge technological developments, the other area that we're seeing a big focus on cyber security is in intelligent mobility. So we're talking about smart cities and self-driving cars.
These advances are coming on quickly, and that creates increased and new vulnerabilities, which again, new actors in this area can threaten, if they wish. So we need to be building in secure by design from the outset. Recognising that these systems will all be interconnected and a threat actor is always looking for the weakest link in a secure chain.
DIQ: One of the things that's going to be discussed at this event, is the fact that the Bundeswehr is actually instating a cyber defence unit as its fourth branch of the armed forces. Can you see that happening across state militaries?
PD: Well, I look forward, at the Conference, to hearing the latest developments in the UK Ministry of Defence, which has already acknowledged a need for what is termed ‘Information Manoeuvre’, and potential organisational changes that might be needed to prosecute future military operations in this area.
Announcements have not been made, other than those made by ministers in November, so the detail is yet to come out. But it certainly appears, from looking at other nations, that all of us are considering a similar response to the threat: by looking at creating cyber protection teams that can actually examine real threats deployed on operations, as well as conducting vulnerability assessments of our existing systems and platforms.
The US Army policy for cyber and electromagnetic activities has already been endorsed and it will be interesting to hear how the UK and other nations are addressing similar issues.
But I think it’s also important to increasingly use industry to provide qualified Systems Engineers and Systems-of-Systems Engineers, those with cyber expertise, to take a top-level view, and examine holistic cyber vulnerabilities in a very different way than you would have done, if you just examined them at a single system level.
So, I think other nations are doing the same thing, and I’m interested in hearing how the Bundeswehr and other Armies are approaching the problem.
DIQ: In a report that we did recently with regards to cyber security in energy, one of the analysts we spoke with related our defensive cyber security capacity to antibiotics: the better we are at dealing with threats, the more resistant threats become, creating a kind of super threat. Do you identify with the same pattern in the defence business? Are we making the malefactors up their game?
PD: I think there's a danger of that, though if you look at the National Cyber Security Strategy 2016-2021 in the UK, and the changes they announced last month, you’ll see we now have a National Cyber Security Centre that is sharing threat intelligence across sectors. Given attacks in one area are likely to be replicated in others, it’s key that intelligence is shared.
And this is an area, a dynamic area, where just because a particular measure's been developed, does not mean you can rest assured and sleep well at night. What you really need is this continual link into the national technical agencies, in the cyber security areas for our critical national infrastructure, to share information on those emerging threats, share responses, and to develop counter measures on a very rapid basis.
This is not a conventional, old-style military operation, where it takes a long time to develop counter-measures and threats. This is a much more agile, dynamic environment, which is cross-sector and multi-agency.
DIQ: You'll be at CDANS 2017 (January 24-26) event particularly relevant for you?
PD: For me, this event is a great opportunity. There have been rapid developments in the UK, and in other nations, over the last 12-18 months, in response to the cyber threat. And this event provides the opportunity for those from the UK Ministry of Defence, for allies in other nations, for those working in other government departments, to come together with industry.
Together we can share and discuss these threats, understand the responses, learn best practice, and develop an informal network of people, who will help with these broader counter measures we need to develop on a daily basis to counter the cyber threat for the long-term. And I think the relationships built at this conference can only be positive, in terms of developing that multi-agency, multinational response.
Interested in attending? More information can be found at: cdans.iqpc.co.uk.