Thank you for taking the time to speak with Defence Online, Alex. Could you firstly tell our readers a little about your own professional history? How did you come to work at Thales?
I’ve worked in the aerospace and defence industries for pretty much my entire career. It’s taken me from the UK to the United States, the Middle East and now Africa, so I’ve certainly gotten about a bit!
I’ve always had an interest in cryptography, key management and the protection of defence and communication systems, and through this work I was nominated as a civil advisor on cyber security to NATO. NATO provides protection to and makes use of civilian infrastructure in the execution of its objectives, specifically in offering civil support in the event of an emergency. This requires expertise across a number of different areas, one of which was cyber security, and my background in defence and critical infrastructure proved useful to them.
In addition, I’ve found myself doing a little bit more military cyber security. As cyberspace becomes the fifth domain of warfare, the defence sector has very quickly realised that it must protect critical national infrastructure from cyber attacks. Here, defence integrators like Thales are well placed because a lot of them actually provide critical infrastructure alongside defence services. If we know how to make these systems then we also know how to break them and therefore how best to protect them.
Thales is a very large system integrator working in the critical infrastructure and defence domain but even we need specialist guidance every once in a while. As a result we operate a technical consultancy business which we use to support our body of work and the wider market. Our consultancy speciality is helping people make the best use of their technology, because that’s in essence what the larger Thales organisation does – we integrate technology in order to make other people’s lives easier. That’s great when the technology works, but when it doesn’t problems can occur.
Across our consultancy we have a number of different specialties around helping people to use their technology, be it systems engineering, cyber security, the human factor or business transformation and training. As CTO or Chief Cyber Consultant, I oversee the strategic direction of the business to ensure everybody has the right knowledge, that we are working on the right projects and spending our R&D budget wisely to ensure what we’re delivering is of value and relevant to the customer.
In light of last year’s WannaCry ransomware attack, is the defence of critical infrastructure being taken as seriously as it should be?
Absolutely. You’re probably well aware of GDPR or the General Data Protection Regulation that everyone is talking about. But the NIS Directive has gone under the radar. It will have a similar impact but while GDPR applies to companies working with personal data, the NIS Directive specifically addresses critical national infrastructure.
Through risk assessments we will be able to find out where our infrastructure is in danger of cyber attack. Are we doing enough from a proactive security culture and maturity perspective, do we need to monitor our systems to detect if they have been compromised, and are we able to take action in the event of an incident?
The NIS Directive lets each EU nation decide how it should be implemented – that’s why it’s not a regulation, it’s a directive. For instance, each country must establish a central point of contact for all critical infrastructure. That’s why the UK set up the National Cyber Security Centre (NCSC). All critical infrastructure in the UK can now call upon the NCSC for guidance.
If you do experience a cyber incident you must report it to your central point of contact, which in many cases are the regulatory authorities. Failure to do so could result in a fine, similar to GDPR.
That’s a very long-winded way of saying that governments are no longer taking industry’s word that it is doing a good job where critical infrastructure is concerned. We actually need a bit of enforcement to recognise and reward good behaviours and punish those who are burying their heads in the sand.
From a Thales perspective, I think Britain’s national infrastructure is at a tipping point. There’s a lot of recognition around the issues and a lot of work is being done to make things more secure. There’s been a realisation that the old legacy systems that are so difficult to upgrade and secure are difficult to attack as well. But it’s a tipping point because there’s big interest in the increased use of technology. In the electricity domain everybody is talking about the smart grid. But when they say smart what they really mean is more automation, collecting more data and automating actions in order to become more efficient.
You can be so efficient however that, without realising it, you become very fragile. Suddenly, you’re reliant on technology. And when it works, it works great. But when it doesn’t you don’t understand why and, because you may have downsized, you will have gotten rid of the people who can fix it. You’re very efficient, but also potentially very fragile.
Is this a topic you will be discussing in more detail at 3CDSE 2018?
Yes. One of the things I’ll be talking about is trust in the cyber age. On a human level businesses trust their customers, employees, suppliers and stakeholders. Without realising it, you end up trusting that certain things will happen – that you will be paid on time, for example. But from a technology perspective, do we operate with the same level of trust and, more importantly, should we? We have good HR practices in place to protect on a human level who we employ and how they perform, but we’re starting to swap out people for technology, integrating more and more without necessarily realising that the same rules do not apply.
Specific to the defence sector is a new procurement requirement – DEFCON 658. Essentially, the MOD has realised that anytime it procures a service it has to trust the supplier and give them a lot of its own personal data. If I’m trying to create a new radio product, the MOD would have to tell the contractor how far they’d like it to communicate, how many clients it should support, etc – exact specifications which, if they fell into enemy hands, would be quite sensitive.
Once that information is handed over to a prime contractor, traditionally the MOD has to implicitly trust that the contractor will not lose it. Thales has close to 6,000 subcontractors and 300 key suppliers. Even if we’re up to snuff on our cyber security, how about the supply chain that we rely on?
And here’s the interesting part of DEFCON 658. Not only does Thales have to meet a minimum set of requirements but if we want to engage any subcontractors on our behalf, it’s up to us to make sure that they meet the necessary level. Basically, it’s a way to push the requirements out through the supply chain without the MOD having to take the responsibility to assess everybody.
DEFCON 658 is aligned around information risk. If we as the prime contractor need to employ a subcontractor to bend a piece of metal, they’re not going to receive a lot of the more risky information that a printed circuit board manufacturer would, and so they won’t need to implement the same level of security controls. It’s all risk based. Who’s getting what information from the customer, and therefore how much security do they need to put in place to protect it?
Moving back to 3CDSE, what differentiates the expo from others in the defence and security calendar?
Providing an appropriate and innovative solution is not something one company can do alone. 3CDSE gets us out of the London bubble and the M4 corridor, and enables us to interact with those companies that manufacture and contribute in critical and potentially unseen ways to the success of the sector as a whole.
Is there anything in 3CDSE’s packed events programme that you’re especially excited for?
I’m looking forward to catching up with a few old colleagues! And meeting other people from outside the Greater London area. Sometimes at other shows you don’t get a lot of time to collaborate so that’s why I’m really looking forward to 3CDSE – to hear from other companies about the innovative and practical things they’re doing in their respective fields.
Any final thoughts for attendees of 3CDSE?
Thales and Thales Cyber Consulting are always open to potential partnerships and discussions. We’re happy to contribute to the success of the industry, and ready and willing to talk with anybody about solving their technology challenges. If attendees are interested in a discussion, be it intellectual or because they have a problem to be solved, we are interested in talking at 3CDSE.
To find out more about the Three Counties Defence and Security Expo (3CDSE) 2018, visit www.3cdse.co.uk or email info@3cdse.co.uk.