Australian Cyber Warfare Conference 2019

The proceedings from last year’s Australian Cyber Warfare Conference have been published. If you missed my presentation on the definition and taxonomy of Cyber Terrorism you can check out the discussion paper on Page 1 of the 2019 Australian CWAR Proceedings.

What is Cyber Terrorism: Discussion of Definition and Taxonomy

JJ Plotnek, J Slay (La Trobe University)

This paper reviews the use of the term ‘cyber terrorism’ and proposes a new universally-applicable taxonomy and definition. The proposed new definition is derived from detailed analyses of existing definitions in the publicly available literature, which includes all of the key commonalities identified in accordance with the newly proposed taxonomy and allows for more specific subsets of cyber terrorism to be defined in future research.

New Gallery Partnership in Prahran

I’m excited to announce that my artwork will now be available for viewing and purchase at Market Gallery in Prahran! Make sure you come down and have a look if you live in the Melbourne area!

How to achieve ‘Secure by Design’

Cybersecurity is an interesting beast. It is a relatively young discipline, which tends to get caught between its two older and more mature siblings, Security and Engineering. Cyber professionals tend to fall in one camp or the other when it comes to engineering security into the design of a system. Either they’re too preoccupied with standards, compliance, and over-engineered technical solutions, or they fall into the other camp, where they’re too focused on external factors, such as threat intelligence or the latest known exploits.

The issue with the technical mindset is that, unlike with safety engineering, security engineering can’t assume that people behave the way they’re expected to. So, even if the system is technically engineered to perfection, the whole thing falls down as soon as you add people to the mix. Blindly implementing best-practice controls, achieving accreditation, and having all the latest gadgets will not necessarily achieve the desired risk levels.

The security intelligence mindset brings about a different issue. The modern threat landscape is in a state of perpetual disruption – we have no idea what threats are going to look like in the next year, let alone over the life of a system. Threat models and threat intelligence are great, but at the end of the day they don’t actually give any useful information when it comes to designing a system security architecture.

The key is to find a balance between these two mindsets and achieve both technology and threat agnostic security. This can be done by focusing on the system’s inherent vulnerabilities and, taking an impact-focused approach, building in mitigations to lower the risk exposure to the desired level. Naturally, risk exists wherever humans are involved and fail-secure solutions need to be considered. Technology should never be included in a design simply to meet compliance expectations as this will only make the final solution more complex than it needs to be, which in turn raises the risk profile. Additionally, threat assessments should not be used as a key input into the design as threats and attack methods evolve far too quickly to be reliable – these tools are much more useful for operational security.

Drawing up a system scope and taking an inward vulnerability focus is the only way to secure a system by design. This ensures the most critical security consequences of system failure are covered, regardless of what happens outside the system boundary.

Cybersecurity – the foundation for success

Most people’s introduction to cybersecurity begins with a dramatic video displaying a balaclava-clad criminal hacking their way into a business and wreaking havoc from a dark room with no windows. Unfortunately, this image tends to create a fear-driven mindset that promotes counter-productive behaviours.

Whilst it’s completely true that threats from cyberspace pose significant risks to business operations, combatting threats is not the key value proposition that cybersecurity offers, and hence should not be the primary driver behind cybersecurity investment.

Let’s change our perspective

We’ve all had enough of hearing about massive hacks and reputation-crushing information leaks. Everyone knows this is the reality of living in a modern, inter-connected, and digitised world. So why is it that we can still walk into so many organisations just to find out that cybersecurity is under-resourced and under-valued? Why is it that the security function is almost always considered a sub-function of ICT?

The answer is that cybersecurity is seen as a necessary evil. It is merely a ‘nuisance’ that hinders an organisation’s ability to get stuff done. It’s expensive, it’s complex, and it takes more effort. Security is perceived as an operational cost that provides no direct value to the business, other than an insurance of sorts.

This view of the world creates a failure-avoidance mindset towards cybersecurity, which drives behaviours such as tick-and-flick compliance, corner cutting, and cover-ups. Inevitably, such an apathetic, or sometimes even negative, attitude doesn’t actually do much to protect anything.

Accelerating growth through security

Let’s consider two competing businesses – Alpha and Bravo – who are both investing heavily in their innovation teams with a view to rapidly grow and expand their business operations. Business Alpha sees cybersecurity as an ‘IT problem’ and a hindrance to their ability to rapidly develop their new solution. They therefore decide to do the bare minimum required to meet whichever regulations are imposed on them. Business Bravo, on the other hand, sees cybersecurity as a business-enabler that enhances stability, giving them a secure platform to then focus on innovating confidently and without interruption. Accordingly, Bravo sets up an executive-represented security function that is integrated into the innovation and business processes.

Both solutions hit the market and perform exceedingly well, with Alpha breaking even slightly earlier than Bravo due to the cheaper cost of insecure development. With more and more publicity, inevitably both businesses are targeted by cyber criminals. Alpha is hit hard and confidential documents regarding the new solution are published, leading to mass reputation damage. Their team are suddenly thrust into damage control and profitability is heavily impacted. Bravo is also targeted, but they are able to quickly respond and minimise losses due to their well-resourced security function.

Post-attack, Bravo continues innovation and their business grows even more rapidly due to the increased market confidence compared to their competition. Alpha, however, have found themselves preoccupied with fighting fires and are unable to devote their full attention to regaining their market position and developing new opportunities for growth.

A motivation to avoid failure led Alpha to perceive security as a roadblock in their mission to expand. In contrast, a motivation to succeed drove Bravo to perceive security as an integral component of innovation and a vital prerequisite to success. In the end, it was business stability that Bravo invested in through their attitude towards cybersecurity. And it was this business stability that allowed them to win.

We need to shift our mindset away from seeing cybersecurity as an insurance against failure and start seeing it as a foundation for success. To paraphrase an old parable: a house built on a rock will withstand floods, winds, and rain, whereas a house built on sand will crumble.