Cyber(war) what is it good for?

AusCERT 2016 Speaker

Edward Farrell runs penetration testing firm Mercury Information Security Services. But he also is a member of the Army Reserve and he’s seeing an increasing overlap between his civilian and military lives.

“We’re applying too many military characteristics,” says Farrell when looking at the problems facing the commercial world.

One of the challenges, he says, a divergence in understanding what “cyber” really is.

Farrell says the term cyber has its foundations in science fiction but it evolved to be used mainly in security. It’s a vague term that lacks a basis in fact resulting in miscommunication, particularly as it’s applied in many different fields.

Farrell looked at some statements made by political figures. For example, UK Chancellor has said “Islamic State militants will aim to kill via cyberattacks”. However, the reality is IS is using the internet as a sphere of influence. And this is leading people to make incorrect assumptions about what “cyber” can do.

Back to basics

Farrell says it might be better to actually stop using the term “cyber”. For example, rather than say “cyber defence” we should use “computer network defence”. Similarly, application penetration testing and digital forensics are more useful that cyber pen testing and cyber-forensics respectively. By being clearer about what we are doing, it’s more likely for people to be engaged with a better understanding.

Another challenge, says Farrell, is today’s leaders fight conflicts today based on how they fought past conflicts. However, this “top down” leadership approach based on seniority may be flawed.

Strategy will always trump technology

"There’s a perception technology will solve all our problems. But we’re not seeing that,” says Farrell.

For example, the US dependence on drones is trumpeted but there have been some significant issues as drones cross national borders.

Modern conflicts are often conducted in urbanised, over-populated areas where there has been environmental degradation and there are failed governments. That means conducting an effective response requires a different strategy than in past conflicts.

Today’s army networks are more complex than ever before which can hamper the ability to adapt to changing field requirements. However, military leaders don’t think about strategy in these terms all the time.

Much military thinking is largely focussed on higher-level conflicts (such as national survival wars) whereas today’s conflicts are often more localised and remote (such as overseas peacekeeping).

The new world

The breakdown of government is more likely to be the reason the military will be engaged rather than the more traditional reasons for military engagement, such as protection of national borders.

Typically, the military domain wants to use technology to damage the interests of enemies. But Farrell suggested using technology to stabilise the enemy environment might be a more suitable approach although he believes there’s a view that would not be “sexy enough”.

Overly technical or leadership dependent strategies are doomed to fail, he says. How those are balanced is a challenge for the next three to five years.

"There are innovative paths out there, let’s hack around a bit,” he says.

Tags cyber attacksgovernment securitycyber warfareMercury ITAusCERT conferenceEdward FarrellAusCERT2016cyber military

Show Comments