Much fanfare has accompanied the formation of cyber security roles across the Australian Defence Force (ADF); however, I cannot help but foresee a number of emerging risks that show we have failed to learn from history, both from recent events and from several years ago. I wanted to explore several of these to better shape and inform the risk and the opportunity we have within the wider ADF, in lieu of the common 'sky is falling in' or 'cyber Pearl Harbor' rhetoric that provides no productive output. This didactic, whilst somewhat esoteric, hopefully communicates a rational path towards a few opportunities the ADF can leverage as we form our cyber security capability.
The Mr Robot Effect
Mr Robot is a fantastic TV series that explores, at the individual level, the complexities of cyber security, practical and realistic attacks, as well as their geopolitical implications. The series, alongside other dramas, has sparked an interest in cyber security; however, it can also produce the wrong sort of person and send the wrong message.
This issue is common within cyber security; the illusion is that hacking is cool and everyone wants to be a hacker. In the case of Defence, everyone deduces that this is what will replace our fighter planes and that, similar to our air force counterparts, we will win wars without physical confrontation. The attitude born from this effect, however, does not consider the difficulties faced in mastering the craft: the hours of engineering, patience and underlying knowledge. This issue is nothing new; pilots and Special Air Service (SAS) soldiers have both experienced the attitude of 'that job is cool and I want to pretend to be Chuck Norris and then write a memoir' from people who have done nothing but turn up.
The SAS, I assess, has addressed this through the hardship, demand for focus and revelation of character in its selection processes, something the cyber security elements of the ADF may wish to emulate: barriers to selection. I note that this has previously been attempted with theoretical exams. However, in my experience, theoretical exams are for exam takers and reveal numerical results rather than a more holistic view of our soldier.
The Snowden effect
For the uninitiated, Edward Snowden was a National Security Agency (NSA) contractor who disclosed the organisation's capabilities in 2013. Some may attribute his actions to the 125,000 deaths and 4 million people displaced in the Middle East between 2013 and 2016, and argue that these tragedies occurred as a direct result of someone who simply wanted to be important.
We are seeing in cyber security an attraction to two broad concepts: the first stemming from a belief that one can use 'cyber' to win wars (or, more likely, create an advantage), the second around saving the world from a 'cyberpunk dystopian future.' Both are inherently dangerous and lack any technical or functional foundation in cyber security. I argue that the beliefs on both sides are overhyped and are not qualified in the same manner as we would qualify ideas, assumptions and facts in normal military appreciation processes.
So what do I mean when I say 'the Snowden effect'? It is a person who has come in with a subjective belief of self-importance, as if they are here to save the world, and the conjured illusions of cyberspace are perfect for self-deceit. If nothing else, revelation of activities, gloating, overstating facts or other acts of self-gratification are a massive risk. In my experience, all too often, cyber security has a bad habit of attracting individuals who are interested in this space not for the challenge, but rather to let others know that they work in cyber security.
Once again, barrier testing would best screen for this quality.
Power tripping as a risk is related to Snowden, insofar as it is not a pre-condition but rather an outcome of working in cyber security; as one learns and develops skills, there is a danger of becoming overconfident to the point of exerting oneself in a chosen domain. I put power tripping into two categories: the operator and the manager.
At an operator level, the person on the tools can become consumed by their newfound capabilities or position without appreciating the outer impact of their power. I have seen this already in several cases, where inexperienced operators take pleasure in dominating another individual for failing to conduct a basic task (such as patching). I also recall seeing this amongst several personnel at Ruxcon in 2011, who were adamant that their newfound abilities made them superior. These individuals were put in their place by other attendees very quickly during a capture the flag (CTF) event.
At a manager level, empire builders, "thought leaders" or any other form of management that sees this as an opportunity for advancement, or that takes a Machiavellian approach, risk damaging the trade. Cyber security is starting to 'bubble' and encumber key operations in both the civilian and military domains. The environments we seek to defend must remain operational, and cyber space must be seen as an enabler. Leaders must find quick and efficient methods of enablement, which is harder than telling people they are wrong or imposing new processes.
Unless there is an immediate realisation that you are not all-knowing and all-powerful, and that you are here to motivate, inspire and support the plan, the power tripping and approach to domination that is all too often manifested through a number of inputs will only destroy the reputation of cyber security and fail to enable the mission.
Self-awareness, and promoting it early on, is key to preventing this risk. I currently have in my civilian practice a new salesperson who is enthused by what we do, but I have found myself educating him on Wheaton's law and the Bill and Ted approach of 'be excellent to each other.' This is ultimately an indoctrination that must be led.
Overqualified and underprepared
In my early days, when I helped out with recruiting officer cadets, I met an over-energetic youth who was confident that their platinum gym membership made them suitable for special forces selection, with no prior military experience or physical exertion outside of an air-conditioned facility. This individual did not last. In recent years, there has been a tendency within the technology industry to view industry qualifications as an indicator of competence. However, history has shown us otherwise. I recall, again in a civilian trade, a fully qualified Microsoft Certified Systems Engineer (MCSE) who had never actually installed Windows! Once again, that individual did not last. In the military domain, we do not have the luxury of "not lasting", and under-preparedness in an intellectual battle can be final.
We are becoming dependent on specific qualifications or complex metrics to measure our cyber talent, whether as a means of measuring the size of the organisation, or in a Robert McNamara-esque over-application of quantitative measurements (technological equivalents to body counts) as an indicator of success. We are forgetting the one fundamental necessity of cyber trades: the capacity to solve problems. In my experience, some of our mechanics and RAEME personnel are better prepared for this activity than our IT systems operators because, if nothing else, they bring a tactile approach to troubleshooting, repair and working constantly in their respective trade.
Unless qualifications can be used as an effective measure of problem-solving skills, rather than of regurgitating facts or, worse yet, a capacity to answer multiple choice questions, the training conducted will not provide capability. Any trade-based training must be consolidated with regular problem-solving exercises.
The 'walking heart attack in cams'
Much has been said about putting personnel off the street into uniform as cyber security professionals, regardless of mental health, ability to deal with stress or the hardships of service. I anticipate that, with cyber security as a flash point in the next ten years, unprepared or unconditioned personnel in forward areas (whether these be cramped aircraft, tropical environments with no air conditioning or decent food, or even out at sea) will prove to be a greater liability than an asset. The reality is that these personnel are best suited to working within or alongside Defence as civilians. Not only is this option cheaper, but it lowers the risk to those personnel, who would be better suited to developing capability that we can 'push forward' to physically and mentally ready soldiers who may not have the same depth of experience, but who could at least employ the toolsets developed by these geniuses.
The approach of 'genius back-end, functional front-end' has worked well in the United States. An analysis of the leaks from Vault 7 suggests that the tooling developed by the NSA is intuitive and does not need absolute genius to operate, but certainly demands that the operators at least have some smarts.
Forgetting about the other trades
This, I think, is one of my greatest concerns: in the midst of pursuing cyber security, we neglect what are, in effect, mutually supporting capabilities. These include:
- Simpler systems and processes enabled by technology: I cannot tell you how much it frustrates me that we rely on unmanaged spreadsheet forms and Excel spreadsheets that see the ADF waste time and effort on user-managed version control and user errors (how many Chief Clerks have had to return AE360s and undermine the signing process?). The organisation could save hundreds of thousands of dollars in data storage and software licensing if we binned file-based management and administration.
- Data analytics: I have been spruiking the value of open source technologies such as R, Elasticsearch, MISP and half a dozen others that can already be used in security, operations and intelligence, and I question why we don't see these more actively employed.
- DevOps for enabling and creating: A root cause of many of our cyber security issues is that we do not have a secure environment to begin with, and worrying about 'hackers' over a functioning environment that accelerates the warfighter is a concern. Let's find ways for our geeks (and other trades) to create content and move faster.
Bureaucratizing the trade
A discussion during ANZAC Day in 2019 with some of the older diggers highlighted to me that several individuals from the 90s, who had contributed to developing the geek trade, left the second it became overly structured to the point where they could no longer innovate. We run the risk of focusing so heavily on systems and processes in the Army that they encumber the force. We have already seen this in the Information Systems Technician trade (ECN 661) within the reserves, where brilliant individuals are left behind because they lack paperwork. I dare say the cumulative effect of this has resulted in our current challenges with cyber security, which could have been more readily adapted to had we not constrained ourselves so heavily.
Any future trade development must focus on the outcome over the process.
Creating a large, unwieldy and unnecessary force
In 2010, 11 individuals from LulzSec conducted multiple lines of operation against the United States and North American corporations. Between 2014 and 2016, four individuals formed the core of the Cyber Caliphate and had six major cyber security events attributed to them (of note, their leader, Husain Junaid, was allocated number 3 on the kill list). In 2018, a team of four individuals from the 8th Signal Regiment came second out of roughly 30 much larger teams in the joint cyber skills challenge. Size does not count and, in my own assessment, is counter-productive to effective cyber security activities.
We have regrettably inherited the 'steroid capitalism' approach to growth often seen in San Francisco's startups: forcibly growing organisations to unwieldy sizes with no explicit purpose other than growth itself. This is in stark contrast to other effective organisations throughout history, such as Room 40 during World War 1, FRUMEL during World War 2 and 547 Signal Troop, whose size during the Vietnam conflict never exceeded 45.
There does need to be a rationalisation of size relative to necessity; we do not need a big team, just an effective one.
Encumbering our personnel with technology or tools
Warren Buffett once said 'Beware of geeks bearing formulas', and I extend the same risk to over-engineering our solutions. We saw this occur during the world wars, where inventors would come up with ideas that lacked utility or presented a greater risk (I always recommend Peter Brickhill's book The Dam Busters to introduce people to wartime engineering). I already foresee risks such as debt from sustaining technologies we do not need, such as analytics software with excessive licensing, software platforms that cannot adapt to change without substantial redevelopment (and cost to the Commonwealth), or service contracts that overpromise and under-deliver because a private firm has decided to overconfidently sell its software.
Radical simplicity will be the key to overcoming complexity and this needs to come from the intellectual edge the Australian warfighter has always had. I would also encourage greater use of open source technologies, within reason.
A matter of culture
If nothing else can be taken away from this didactic, it is that cultural attributes, barriers to entry, the attitude of the individual and mutually sustaining activities will deliver us an effective capability that gives us the advantage we require. However, as cyber is an enabler, it is important to note that this is only an advantage in support of our other activities, whether they be physical or social.