Irish Defence Forces: An Cosantóir - Defining Our Approach to Cybersecurity . Kerigan-Kyrou D.A.

Article Transcript:
In January the media announced there may be critical vulnerabilities on computing devices across the world. Despite this bleak news there is, actually, much we can do to be proactive and lessen threats. Before addressing this, let’s look at the background to this rapidly changing problem.Cybersecurity is an issue that blurs the boundary between what is considered ‘military’ and ‘non-military’. This is a real test for NATO and its Partnership for Peace (PfP), of which Ireland is a key member. NATO has traditionally referred to cyber defence rather than cybersecurity. It was not until the PfP Consortium/NATO Cyber-security Curriculum in November 2016 that NATO began referring to cybersecurity as a concept that moves beyond the exclusively military environment toward the holistic security of NATO partner nations. In Ireland, the 2015 White Paper on Defence correctly points to emerging security challenges that are more diverse and less predictable. They comprise a broader concept of national se-curity involving state and non-state actors. These include climate change, transnational organised crime, terrorism, energy security, forced migration, and challenges to cybersecurity, technology and cyberspace - the environment in which communication within computer networks occur. Computer networks increasingly not only include traditional computers with keyboards and monitors but also nearly every aspect of civilian and military life.Cybersecurity is the protection of our personal, organisational, and govern-mental information from unauthorised access and control. At a personal level it’s about protecting our own information, for example email or financial records, from theft or ransom. Cybersecurity is essential for keeping intellectual property safe from espionage, which is of critical national importance to Ireland as we have many companies investing in the very latest R&D. Cybersecurity is key to securing our connected critical national infrastructure: telecommunications, energy, water, and transport. The National Cyber Security Strategy states that cyber is central to government, the economy, critical national infrastructure, and every citizen. Cybersecurity is vital for defending the security of Ireland and the entire EU.Cybersecurity includes preventing nefarious use of the internet. Almost every crime has a cyber dimension, often using freely available messaging apps encrypted to a military level of security. The 9/11 attacks were possibly the first terrorist atrocities where the internet was used in planning. Today the internet is the key tool for indoctrination, recruitment, financing, planning and execution of terrorism.Cybersecurity has developed a further dynamic that will play a key role in the future of defence. The ‘internet-of-things’ (IoT) is becoming central to our everyday lives (including our cars, home appliances, even children’s toys), our critical infrastruc-ture, as well as our defence. The IoT con-sists of interconnected devices (‘things’), receiving and transmitting data. These contain automated sensors and actuators performing critical functions. They are, in effect, small computers running software and firmware (a computer program stored within the hardware). The IoT will be used in maritime, land, air, and space environments. It will integrate intelligence, surveillance, and reconnais-sance to accurately identify threats. It will facilitate more autonomous defence sys-tems and vehicles. The IoT will enable huge advancements in EU Permanent Structured Cooperation (PESCO) capabilities.To put this development in some con-text, maritime vessels will soon comprise multiple IoT connected to control systems via the internet. The power management, loading and stability systems, alarms, bridge control console, electronic chart display and information system, auto-matic identification system, navigation decision support, voyage data recorders, computerised automatic steering, global maritime distress and safety system, and GPS - to name just a few - will all become IoT devices. However, the IoT creates vulnerabilities that are an often-overlooked part of cyber-security. Dr Stefan Lüders, Head of Computer Security at CERN says that around a third of CERN’s newly purchased IoT devices fail the most basic cybersecurity tests his team throws at them. Dr Lüders told me that he thinks IoT cybersecurity “is getting worse”. IoT cybersecurity is now one of the main priorities of the US Dept of Defense.Future Defence Forces missions may well depend on the security of cyberspace and the internet-of-things. Contrary to popular belief there is no separate internet for critical infrastructure or for the military environment; it’s the same internet used by everyone.The Defence Forces possess a great advantage in progressing cybersecurity because of the expertise and central role of the CIS Corps. The heart of their work is providing efficient and effective com-munications and information systems. As Cpl Audrey Doyle said in November’s An Cosantóir, the expertise within CIS ensures the maintenance and updating of the systems, switches, and routers that are the backbone of the Defence Forces’ comput-ing network. CIS develops the sophisti-cated and secure systems that the Defence Forces depend on for their global commu-nications. This world-leading knowledge within CIS is crucial for the cybersecurity of the Defence Forces as the technology becomes ever more interconnected.In addition to this first class technologi-cal advantage, two other aspects are vital. At the governmental level coordination is increasingly occurring with the National Cyber Security Centre (NCSC) Ireland, An Garda Síochána National Cyber Crime Bureau, Dept of Justice and Equality, Dept of Defence, Department of Foreign Affairs, and all government departments working closely together to address cybersecurity challenges.At the EU level cybersecurity coordina-tion is equally critical. There are at least 188 national intelligence services across the EU and countless numbers of regional and police agencies. It is crucial that the EU acts as an intelligence fusion centre for all these agencies to address cybersecurity challenges. It is not only technical informa-tion that needs to be shared but intelli-gence cooperation also needs to create an ongoing visualisation of the cybersecurity threat landscape facing Europe; this is the wider picture that helps to show how nefarious actors are using the internet to undermine EU security. Europol EC3 European Cybercrime Centre, and ENISA, which deals with critical infrastructure and the IoT, are central to this. Cyber coordination across the entire EU is needed, especially with EU military staff. Nefarious actors have no problem collaborating and sharing information and they’ll always be one step ahead unless we do likewise. Finally, the human factor of cybersecurity is rarely discussed, but it is an essential element. Ensuring effective cybersecurity is about the early identification of problems - recognising them when they are mi-nor, before they become major - and then dealing with challenges in a resilient way. We should follow the specific guidance of Europol EC3, An Garda Síochána, NCSC Ireland, and other government departments. It is also about management, people and process. Cybersecurity requires information sharing; organisations need to work holisti-cally, empowering each and every person with a shared responsibility to identify problems. Not a single employee or contrac-tor has a role that can now be considered separate from cybersecurity. All civilian and military personnel should be able to identify cybersecurity concerns as early as possible in a no-blame environment. In Defence Forces Review 2017 Comdt Frank Byrne writes about the ‘Just Safety Culture’ in aviation where the reporting of errors is encouraged and honest mistakes are not punished, thereby allowing everyone to learn. This approach is precisely what is needed in this new interconnected environment. Moreover, the Just Safety Culture has to be continually maintained according to Comdt Byrne, with constant effort and engagement to demonstrate and promote it; this should be no differ-ent for cybersecurity. As Comdt Jonathan Marley, Head of the Command, Leadership and Management Programme at the Com-mand and Staff School says: “It is vital that we place cybersecurity awareness at the forefront of professional military educa-tion; embedding the appropriate mindset in our organisational culture. The initiatives being introduced by the Command and Staff School in 2018 and 2019 will represent positive steps in that direction.”Indeed, awareness is the key. While we will never achieve 100% security we can make it as difficult as possible for nefarious actors. We need to be continually learning from cybersecurity challenges, however they are caused, and identifying problems at the very earliest opportunity, whether as individuals, across business and govern-ment, or within the Defence Forces.
Dinos Anthony Kerigan-Kyrou is responsible for cybersecurity training within the Senior Command & Staff Course. He is a co-author of the Partnership for Peace Consortium/NATO Cybersecurity Generic Reference Curriculum.