Cyber-security is typically a hush-hush topic; militaries and governments do not want their enemies (or sometimes even their friends) to have knowledge which might create a vulnerability. There’s no better example than the Cyber Education session at ITEC 2016 at London’s ExCel: the name of the session moderator, a British military officer in a sensitive post, was deliberately left off the printed conference programme.
“Humans are both a vulnerability, exploitable, and a potential threat,” for digital information systems, according to Yilmaz Cankaya, Chief Researcher, for Tübitak Bilgem. “The weakest link, the human, should be trained when possible with real-life incidents and in real-life environments,” he said. “Most cyber-attacks today are multi-resolution attacks with multiple stages. It is not possible to set up physical systems to simulate all kinds of possible attack or defense scenarios acting on a complex system. With a simulation environment possessing a wide spectrum of offensive and defensive scenarios with multi-resolution scenarios, systems resiliency boundaries can be easily tested.”
Despite the acknowledgement that humans in the cyber loop can often be a weakness, the Dutch Armed Forces are pressing forward with a scheme to provide everyone in their ranks with at least a basic understanding of cyber-security issues. “The cyber domain is recognized as the 5th domain for the MoD. And it affects all other domains,” noted Lieutenant-Colonel Paul R. Hoen, commander of the joint Defence Cyber Expertise Centre in the Cyber Command. “About 40-50% of the task list is generic tasks we could see all over the organisation.”
In February, the Dutch Cyber Defence Strategy was updated, and among the top priorities are attracting, retaining, and developing cyber professionals, as well as widening and deepening knowledge of the digital domain within the MoD. “Cyber education is a monumental task,” Hoen stated. “Our goal is to get every rank and function ‘cyber-up-and-running’ and to do so as quick as possible.”
The majority of personnel are expected to achieve either awareness-level (70/75%) or a basic-level (25/20%) of understanding …”including the Minister of Defence.” The 1-2% who would be trained to expert-level understanding will also have expertise in a specific cyber topic, e.g. Obfuscation, Encryption, Malware detection/analysis, and so forth.
Andreas Haggman, a doctoral candidate researcher in cyber-security at Royal Holloway University of London, said: “Cyber ‘space’ doesn’t really exist. How many dimensions does it have?”
He explained that although militaries have been quick to latch on to cyber as an operational concept, “details of what cyber is and how it can be used remain notoriously vague. Part of the problem lies with the difficulties in defining cyber and cyberspace, and how traditional strategic and tactical doctrines can be translated to this new domain.”
Unlike conventional military equipment, Haggman said, “cyber cannot be easily quantified or qualified, so the capabilities of in-game actors are largely the result of educated guesswork. If these are grossly incorrect, the consequences can be that the players learn the wrong lessons from the wargame.”
“Humans are both a vulnerability, exploitable, and a potential threat,” for digital information systems, according to Yilmaz Cankaya, Chief Researcher, for Tübitak Bilgem. “The weakest link, the human, should be trained when possible with real-life incidents and in real-life environments,” he said. “Most cyber-attacks today are multi-resolution attacks with multiple stages. It is not possible to set up physical systems to simulate all kinds of possible attack or defense scenarios acting on a complex system. With a simulation environment possessing a wide spectrum of offensive and defensive scenarios with multi-resolution scenarios, systems resiliency boundaries can be easily tested.”
Despite the acknowledgement that humans in the cyber loop can often be a weakness, the Dutch Armed Forces are pressing forward with a scheme to provide everyone in their ranks with at least a basic understanding of cyber-security issues. “The cyber domain is recognized as the 5th domain for the MoD. And it affects all other domains,” noted Lieutenant-Colonel Paul R. Hoen, commander of the joint Defence Cyber Expertise Centre in the Cyber Command. “About 40-50% of the task list is generic tasks we could see all over the organisation.”
In February, the Dutch Cyber Defence Strategy was updated, and among the top priorities are attracting, retaining, and developing cyber professionals, as well as widening and deepening knowledge of the digital domain within the MoD. “Cyber education is a monumental task,” Hoen stated. “Our goal is to get every rank and function ‘cyber-up-and-running’ and to do so as quick as possible.”
The majority of personnel are expected to achieve either awareness-level (70/75%) or a basic-level (25/20%) of understanding …”including the Minister of Defence.” The 1-2% who would be trained to expert-level understanding will also have expertise in a specific cyber topic, e.g. Obfuscation, Encryption, Malware detection/analysis, and so forth.
Andreas Haggman, a doctoral candidate researcher in cyber-security at Royal Holloway University of London, said: “Cyber ‘space’ doesn’t really exist. How many dimensions does it have?”
He explained that although militaries have been quick to latch on to cyber as an operational concept, “details of what cyber is and how it can be used remain notoriously vague. Part of the problem lies with the difficulties in defining cyber and cyberspace, and how traditional strategic and tactical doctrines can be translated to this new domain.”
Unlike conventional military equipment, Haggman said, “cyber cannot be easily quantified or qualified, so the capabilities of in-game actors are largely the result of educated guesswork. If these are grossly incorrect, the consequences can be that the players learn the wrong lessons from the wargame.”
Rick Adams