Cybersecurity – the foundation for success

Most people’s introduction to cybersecurity begins with a dramatic video displaying a balaclava-clad criminal hacking their way into a business and wreaking havoc from a dark room with no windows. Unfortunately, this image tends to create a fear-driven mindset that promotes counter-productive behaviours.

Whilst it’s completely true that threats from cyberspace pose significant risks to business operations, combatting threats is not the key value proposition that cybersecurity offers; and hence should not be the primary driver behind cybersecurity investment.

Let’s change our perspective

We’ve all had enough of hearing about massive hacks and reputation-crushing information leaks. Everyone knows this is the reality of living in a modern, inter-connected, and digitised world. So why is it that we can still walk into so many organisations just to find out that cybersecurity is under-resourced and under-valued? Why is it that the security function is almost always considered a sub-function of ICT?

The answer is that cybersecurity is seen as a necessary evil. It is merely a ‘nuisance’ that hinders an organisation’s ability to get stuff done. It’s expensive, it’s complex, and it takes more effort. Security is perceived as an operational cost that provides no direct value to the business, other than an insurance of sorts.

This view of the world creates a failure-avoidance mindset towards cybersecurity, which drives behaviours such as tick-and-flick compliance, corner cutting, and cover-ups. Inevitably, such an apathetic, or sometimes even negative, attitude doesn’t actually do much to protect anything.

Accelerating growth through security

Let’s consider two competing businesses – Alpha and Bravo – who are both investing heavily in their innovation teams with a view to rapidly growing and expanding their business operations. Business Alpha sees cybersecurity as an ‘IT problem’ and a hindrance to their ability to rapidly develop their new solution. They therefore decide to do the bare minimum required to meet whichever regulations are imposed on them. Business Bravo, on the other hand, sees cybersecurity as a business-enabler that enhances stability, giving them a secure platform to then focus on innovating confidently and without interruption. Accordingly, Bravo sets up an executive-represented security function that is integrated into the innovation and business processes.

Both solutions hit the market and perform exceedingly well, with Alpha breaking even slightly earlier than Bravo due to the cheaper cost of insecure development. With more and more publicity, inevitably both businesses are targeted by cyber criminals. Alpha is hit hard and confidential documents regarding the new solution are published, leading to mass reputation damage. Their team are suddenly thrust into damage control and profitability is heavily impacted. Bravo is also targeted, but they are able to quickly respond and minimise losses due to their well-resourced security function.

Post-attack, Bravo continues innovation and their business grows even more rapidly due to the increased market-confidence compared to their competition. Alpha, however, have found themselves preoccupied with fighting fires and are unable to devote their full attention to regaining their market position and developing new opportunities for growth.

A motivation to avoid failure led Alpha to perceive security as a roadblock in their mission to expand. In contrast, a motivation to succeed drove Bravo to perceive security as an integral component of innovation and a vital prerequisite to success. In the end, it was business stability that Bravo invested in through their attitude towards cybersecurity. And it was this business stability that allowed them to win.

We need to shift our mindset away from seeing cybersecurity as an insurance against failure and start seeing it as a foundation for success. To paraphrase an old parable; a house built on a rock will withstand floods, winds, and rain, whereas a house built on sand will crumble.

Australian Peacekeeper Magazine

Communication and Information Systems (CIS) are ubiquitous in modern operations, from daily administration, logistics and operational planning, through to aircraft maintenance support and mission systems. All of these systems are viewed by opposing forces as valid targets for exploitation of information, denial of service, or outright attack. “It’s our role to ensure Air Force can conduct missions safely and securely, with limited impact from the cyberspace domain,” Flying Officer Plotnek said…

DART-A delivers cyberspace security

A HISTORIC Air Force Squadron is now at the leading edge of defending deployed units against cyberspace attacks. Originally formed in 1942 as a bomber unit, No. 462 Squadron (462SQN) now forms part of the Air Warfare Centre’s Directorate of Information Warfare. It has now returned to operations, this time sending Deployable Assessment & Remediation Teams (DARTs) to the Middle East Region…

Moral Philosophy of Autonomous Vehicles

Self-driving cars are quickly becoming a reality. Everyone from Volvo to Google is jumping on the bandwagon to design and build autonomous vehicles for the commercial market. California is even already in the process of creating legislation to allow driverless vehicles on the road without a licensed driver.

Taking the human out of the loop is almost always a good engineering decision when it comes to reducing error. The move to autonomous vehicles will undoubtedly make our roads safer and significantly reduce the number of road accidents. However, as we have already seen with Tesla in Germany, accidents are still bound to occur for one reason or another. The question is, when accidents do happen how are they going to be managed?


Naturally there are the legal questions, such as: Who is financially responsible for a collision, the car owner or the car manufacturer? Who is allowed to operate an autonomous vehicle? Will we be allowed to drink and drive now?

But the far more interesting questions (in my opinion) arise from the ethical decisions inherently programmed into the vehicles themselves. The good thing about having humans in the loop is that we are conscious beings capable of making moral judgements based on a given set of information. When it comes to autonomous vehicles however, these kinds of decisions will have to be left to the machine. Of course the machine can only do what it is programmed to do (at least at this point in time), so most of these philosophical questions need to be foreseen and decided on in advance by the car manufacturers.

How will this work? Will each car model have a different moral code embedded into its software? Will the consumer have any choice in whether they purchase the altruistic or egocentric model; one which sacrifices their own life for the greater good versus one which saves them every time? Can we finally enforce philosophical ideals in the real world? How much information can the car’s sensors gather in order to allow them to make the best decision possible?

MIT have developed a very interesting exercise to get the general public thinking about these sorts of questions. I encourage you to have a play on their Moral Machine website and see how tricky some of these problems can get. The bonus of playing around on their site is that data will be gathered about your choices which may be used to influence some of these decisions being made by the manufacturers.

Hacking and Securing Smart Cities

In the below video Cesar Cerrudo, the CTO of IOActive Labs and Board Member of Securing Smart Cities, presents his perspective of what a Smart City is before delving into some of his experiences with the security of smart technologies and describing some rather frightening attack vectors and potential scenarios. Finally, he concludes with some recommendations to Smart City vendors and governments to better secure these technologies and protect their citizens. Although I highly recommend watching the full video, for those of you who would rather read an ‘executive summary’ I have summarised the speech and slide package in my own words below the video.

A Smart City is “a city that uses technology to automate and improve city services, making citizens’ lives better”. Such technology can be employed in areas such as: traffic control, parking, street lighting, public transportation, energy management, water management, waste management, city management, security, M2M, sensors (weather, pollution, seismic, flood, smell, sound, etc), open data, and mobile applications.

A large number of vulnerabilities are present in Smart Cities around the world due mainly to new technologies being deployed without any security testing occurring beforehand. These problems are compounded by the facts that almost everything is wireless (i.e. able to be attacked without requiring physical access) and there is a wide lack of city CERTs (Computer Emergency Response Teams), resulting in a lack of coordination and communication about security incidents. Other problems plaguing technology-dependent cities are: huge and unknown attack surfaces, patch deployment and system update difficulties, vulnerable legacy systems being interconnected with new systems, government bureaucracy and shortage of skilled people, no city cyberattack response plans, and difficulty for security researchers to obtain systems and devices for testing. There are already many cases where even simple bugs have caused significant city-wide disruptions and, in some cases, even loss of life.

In consideration of the aforementioned vulnerabilities, there are many potential and proven malicious attacks that could occur on city systems. Hundreds of thousands of traffic control systems across the world have already been proven to be vulnerable to attack. Wireless encryption problems leave street lighting vulnerable to the extent that entire cities and islands could be left in the dark. The integrity of city management system information is vulnerable and could lead to events such as the 2010 confusion of Texan construction workers with respect to the location and status of a buried gas pipeline; resulting in an explosion with several casualties and one death. With real-time access to open data available to the public, attacks can even be freely orchestrated to determine the best timing for maximum impact.

So, it has been established that Smart Cities are vulnerable and that there are a variety of ways that these vulnerabilities can be maliciously exploited to cause havoc. The remaining variable in this equation is intent, or, threat likelihood. Cities are a valuable and interesting target when it comes to consideration of war scenarios such as cyberwar or cyber terrorism. It is publicly known that nation states have the knowledge and skills to easily attack cities and cause significant damage. Cybercriminals also exist and have proven to be well organised and have a large amount of resources at their disposal. Finally, let’s not forget about Hacktivist groups who have become known for launching coordinated cyber attack campaigns against various targets of their choice.

Despite the above seemingly alarmist information, there are a number of recommendations that Cerrudo believes will help mitigate against a lot of the highlighted problem areas. In order to highlight these solutions, I have provided them in dot-point format below:

  • Do not implement systems and devices without security testing and auditing
  • Ask vendors to provide all security documentation and timely incident response
  • Fix security issues as soon as they are discovered
  • Create a City CERT that can handle the various security aspects of the Smart City
  • Regularly run penetration testing on all city systems and networks
  • Implement fail-safe and manual overrides on all city systems
  • Implement and make known secondary services/procedures in case of cyber attack
  • Restrict access to public data
  • Threat model everything and prepare for the worst


Rwanda – The next African tech-hub?

Unfortunately, what often first comes to mind at the mention of Rwanda is the terrible genocide of 1994 that brutally wiped out 20% of Rwanda’s population. President Paul Kagame, previously the commander of the rebel force that ended the genocide, has since been working hard to change the country’s position and reputation. The now completed eRwanda project was successful in utilising ICT to strengthen and improve the government and its internal processes. The next step? A Smart Rwanda.

Almost a year ago the Republic of Rwanda entered an official agreement with Ericsson to provide ICT infrastructure for the transformation of Rwanda’s villages to thriving Smart Cities. The focus of the Smart Rwanda project is on governance, education, health, agriculture, and infrastructure and is scheduled to be completed by 2018.

From an outsider’s perspective the project appears to be going well, with a Smart Africa secretariat due to open in Rwanda’s Capital Kigali sometime this week. There are however some concerns being raised about Rwanda’s democratic future after President Kagame recently changed the constitution to retain power for a third term; a move which violates Rwanda’s original constitution.

Let’s hope this move towards a smarter Rwanda will help further enable the transparency of the Rwandan government and enforce the democratic values the country has worked so hard to instil over the past two decades.

Australia Creates Minister for Cities

With the recent Australian Government cabinet reshuffle, Prime Minister Malcolm Turnbull has announced a Minister for Cities with the aim of creating more liveable, vibrant, and future-embracing cities in Australia. It would appear that Mr Turnbull’s wife, Lucy Turnbull, is one key driving factor behind this decision. Lucy is currently heading a project with Arup that examines how to build a more female-friendly city.

Having two such influential and future-minded people can only mean well for Australia and the 66% of Australians that live in its cities. However, the lack of modern digital infrastructure needs to be addressed before any kind of smart city technology can be fully appreciated or implemented in Australia. This highlights the need for an increase in funding to the STEM (Science, Technology, Engineering, and Mathematics) industries, which, with the amount of money lost in paying for bureaucratic waste, may unfortunately be difficult to find.

Regardless, it is refreshing to finally see a move by the Australian Government that shows they are thinking beyond their three-year term of office and getting themselves re-elected.

The Rise of Urban Technocracy

Technocratic governance is a form of governing whereby subject matter experts are put in charge of policy and decision-making (i.e. engineers in charge of government). This is not necessarily a bad thing, however it does present some issues – particularly for smart cities.

As cities become smarter they will inherently become more reliant on technology. Depending on the rate of technological evolution, this reliance may reach a point where today’s politicians no longer have enough expertise to fully understand how the city functions, and therefore how to run it and maintain the systems it relies on. The governance of such a city could then fall into the hands of the engineers that created them, as the management of cities becomes more technical rather than political.


So why might this cause problems? Engineers and technologists tend to have a very analytical and system-focused mentality. With all the data being produced by smart systems, it would be very likely that the management of the city would become very technical. Issues that arise may be looked at from a purely mathematical or technological perspective and solutions might be overly functional in nature. Effects on qualitative aspects of life, such as culture, politics, and humanity may either be neglected or treated as a secondary priority.

The main concern here is that technology rarely solves deep-rooted issues. It can only generally solve the problems that arise from deeper complications, not the complications themselves.

As modern urbanism delves deeper into the technological sphere, we must always remain vigilant that we keep one eye on the bigger picture so that we are able to recognise when technology is actually helping to solve issues, and when it is simply masking systemic issues that need to be addressed at a different level.

Are Smart Cities Invading Our Privacy?

Privacy has been a hot topic of debate in recent times. In light of controversial events such as the ‘leaking’ of celebrity nudes and Edward Snowden’s NSA revelations, a lot of people have become much more aware of the implications technology presents to the security of their personal information. Hence it is quite understandable that some people are legitimately scared of this prospect of having everything and everyone connected to the internet.

The way we interact with our environment tells us a lot about ourselves. The metadata produced by a city of sensors could actually prove to be a greater intrusion of privacy than if we were each simply being filmed 24/7. If the petabytes of confidential data thrown into the ether by networked sensors recording every detail of our environment and our movements are not secure, then the privacy of all city-dwellers may be open to compromise.

By taking a step back and putting smart cities aside for a moment, we are able to have a much clearer view of what the root fear here actually is. Firstly, looking at the mobile phone industry, the number of active mobile phone services almost outnumbers that of the entire human population on earth. So what? Well, if you break a modern-day phone down into its individual components this statistic actually reveals quite a lot. A smartphone is literally an internet connected, voice recording, GPS tracking device that we use to store a bunch of our sensitive data such as calendars, contacts, passwords, photos, and communication logs. Not only has all of this been proven vulnerable to exploitation, but we have literally been given proof that it is already being actively and consistently exploited. And yet, the widespread use of smartphones is actually GROWING! Even further to this, wearable technology is a new massively growing trend. People are actually buying and wearing watches and accessories that physically connect them to the internet!

So what does this tell us about our so-called fear of privacy? It tells us that most humans are more than willing to sacrifice their privacy in exchange for convenience and efficiency – even if some do enjoy grumbling about it in the process (usually on the internet, ironically). With this in mind, are smart cities really going to generate that much more personally identifiable information than we are already freely giving out? The answer is no. The data produced by smart cities are, in general, designed to give information about the population as a whole as opposed to individuals.

There is, however, one key difference between smartphones and smart cities. No one is really forced to buy a smartphone. With smart cities on the other hand, the average citizen may not get quite as much of a personal say in what data is or isn’t collected about them. This is where the focus needs to be placed. According to the chief globalisation officer at Cisco, Wim Elfink, “we have to first give the citizens the right to opt-in or opt-out [of the use of their data]”. I whole-heartedly agree with this sentiment.

Citizens need to first be reassured that the smart technologies being introduced into their cities are about making the government more transparent and making their lives better. Not the other way around. Cities are for people, and we need to ensure we keep this in mind when rolling out any new technology. If the people don’t feel safe or comfortable, then nothing should be done until they do. After all, if a product you know nothing about is forced upon you, could you trust it?