
Resilience: Is it time to reconsider Information Assurance thinking, given the pace of changes we are seeing in cyber and communications? 

In the second in our special features marking Cyber Awareness Week, James Gray, Managing Director - Cyber and Intelligence at Raytheon UK, takes a look at a number of different strategies that could be employed to strengthen the Ministry of Defence’s cyber security. 

The Ministry of Defence’s Cyber Vulnerability Investigation (CVI) Programme has been a welcome and sensible investment to help the MOD understand its cyber risk profile across platforms and systems. 

Whilst the programme’s focus continues to evolve more towards the understanding of cyber risk and its operational impact across the MOD’s enterprise, and potentially towards investment into mitigations, the emerging wider cyber defence strategy could also consider a number of other thought leadership aspects to enhance the MOD’s security posture. 

One of the accepted premises behind CVIs is that ‘the adversary hackers do not read the IA manual’; they think ‘out of the box’ in a way that IA professionals and security architects have been unable to, often because of prescriptive processes. There is now an increasing sense that traditional IA and pen-testing are not holistic enough and are based on antiquated processes and thinking; processes which are focused towards proprietary systems where the authority ‘owns’ a system end to end. Modern IoT or IP-enabled, or even Modular Open System Architecture-based, systems have different risks and benefits.

As an example, there is increasing awareness about how much information the West publishes online about their systems, capabilities, operations and personnel. Are we making it easy for adversaries to target individuals and to gain access to our Military IPR and systems? Because of the legal jurisdictions in the UK, our adversaries may exploit us more easily and rapidly than we can them. We could consider it time to review law such as the Computer Misuse Act, for instance. Is it time that List-X companies should be able to look for vulnerabilities for the greater good? 

Should we also consider that, in a rapidly evolving Modular Open System Architecture and Software Defined Agile environment, we are faced with IA practices that often take years to gain accreditation, which is often prohibitively expensive? IA is also challenged by the modular nature of modern systems. Often, by the time accreditation has been gained, the rest of the world’s technology has moved on and the MOD has to work out how to keep up with this pace of change. Conversely, the pace of change in itself may be a useful element of security. If the MOD’s IT and communications were at the cutting edge within Software Defined systems, it would take time for adversaries to develop exploits. By the time they do, systems could have evolved, and the exploits would no longer be relevant. These new Software Defined systems offer both new vulnerabilities and new security advantages.

Considering Secure by Design before new systems are devised is also an area which is under consideration. Could MOD’s capability and supply chain be enhanced by having access to information about the top ten risks which the CVI Programme has unearthed? Conventional wisdom suggests that these will closely mirror the NCSC’s top ten risks, but perhaps by baking in these lessons the MOD supply chain could help add cyber security earlier in due processes, reducing cost and cyber risk. Conversely, it is also worth considering the possibility that basic cyber hygiene factors such as knowing your baseline and patching, whilst often not seen as the cutting edge of cyber security, offer a greater return than investing in hot topics like Machine Learning.

We should perhaps also learn from the Enigma story from a different angle, in that failing to think ‘outside the box’ and to invest in more secure communications led to disaster for both sides during World War II. Whilst German communications were turned against them by the genius of Bletchley Park, a lack of investment in secure communications for the Royal Navy and merchant shipping left them vulnerable to German signals interception in the first place, with the wolf packs being vectored to Allied shipping.

Perhaps it is time we turn some of that still evident UK genius towards the resilience challenge, and to think ‘outside the box’ to gain information advantage in this rapidly changing field. 


Post written by: Matt Brown
