Author: admin

The Challenge of Staying Fit

This time last year the excesses of the festive season had taken their toll. I was overweight and I had done no significant physical exercise for weeks. With my New Year’s glass of Champagne in hand I made a commitment that the same wouldn’t happen next year. Of course I’ve made resolutions before, but they’ve always been too vague. Promising to ‘get fitter’ is destined to fail as it isn’t definable or measurable. So this year I decided to focus on 5 very specific goals, chosen rather arbitrarily as you might expect when under the influence of Champagne:

  • Complete the Coast to Coast in a Day Cycle event (150 miles) – Completed on 24th June. A great experience cycling across the country from Seascale to Whitby through 3 beautiful National Parks and including the hardest climb in the UK.
  • Cycle 1000 miles in 2017 – Completed in June. Lots of early morning training for the Coast to Coast added up to just over 1000 miles.
  • Achieve a Personal Best in a Half Marathon – Completed on 1st October in the Great Scottish Run in Glasgow. I managed a time of 1:45 improving my PB by 7 minutes. This is the first time I actually trained for a running event and (unsurprisingly) it makes a big difference!
  • Run 500 miles in 2017 – Completed in December. I thought this would be easily achieved by training for the half marathon, but in reality I had to keep regular running going through the year to hit the target.
  • Run at least 3 miles every day in December – Completed on 31st December. This was the challenge that was specifically intended to curb the festive excess, and it worked, although there were a few days when the 3 miles was a bit of a slog!

By doing these things I re-learned two valuable lessons. Firstly, having clear goals is invaluable. It focused me on what I wanted to achieve and gave me a real sense of satisfaction when I was able to tick each one of the list. Secondly, maintaining a consistently high level of fitness throughout the year makes a huge and positive difference to mental and physical health. I have been happier, more motivated and more productive as a result of my five challenges.

So this Hogmanay I will again take a glass of Champagne in hand and look forward to 2018 by setting a fresh set of challenges that will keep me active all year. One thing is for certain though, after running 3 miles every day in December there is no way that any of my 2018 challenges will involve running on New Year’s Day!

Information Assurance and Defensive Cyber Operations – An Important Distinction

During a recent planning meeting I found myself explaining my views on the difference between Information Assurance (IA) and Defensive Cyber Operations (DCO). This is something I do a lot, but it is worth doing because it is an important distinction. Knowing which you are pursuing ultimately determines what you do, the mindset and methodology you adopt and who in your organisation is accountable.

IA has been established and understood for some time and, until recently, it sufficed as an approach to achieving protection in cyberspace. IA is focused entirely on protecting information systems at an accredited baseline level. This extends to technical measures, both hardware and software but also extends to the physical security wrap around a system. Routinely these measures are built into procurement so that a base level is achieved at the beginning of a system’s lifecycle. This is then maintained through life with periodic reviews and frequent updates and patching. Both in analogy and literally it is making sure the door is locked and the intrusion alarm is on.

Until fairly recently IA was considered sufficient; if the accreditors ticked all the boxes on their inspection sheet then information was ‘safe’. There are benign occasions when this might be true, but in the majority of cases, and especially on deployed military operations, a completely different approach is required to raise the standard well above base level protection.

This delta is met by Defensive Cyber Operations. These are fundamentally different from IA in that they focus on mitigating operational risk by delivering Cyber Mission Assurance. This is not the domain of the accreditor, rather ownership sits squarely with leadership and their operations team.

DCO are proactive and draw on an offensive spirit; they are the antithesis of sitting in a locked house not knowing what threat lies outside. They are rooted in understanding and therefore begin with detailed and aggressive threat analysis so that the intent and capability of the adversary is understood. This should include actively hunting for adversary activity. Additional measures can then be taken to counter that threat. DCO are less worried about protecting individual systems and more concerned with operational resilience, so business continuity and rapid response and recovery become essential. Perhaps most importantly, DCO are not limited to protecting information on command and control systems. Their scope is much wider, essentially anything that could impact the mission must be considered. This includes platforms, Industrial Control Systems, supply chain systems and welfare communications irrespective of who owns them. Finally, under certain definitions, and with the correct authorities in place, DCO can include the ability to strike back at an adversary to stop, or even prevent, an attack.

Fundamentally protecting our businesses in cyberspace is about mindset. To do it well we must think more in terms of operational assurance and less about simple compliance.

The Bright Future of Military Offensive Cyber

This article was originally published at www.wavellroom.com in September 2017

It is unfortunate that, for many staff officers, the practicalities of ‘cyber operations’ consist of a brief and contrived power cut on the annual CPX for the sake of objective box-ticking. There are others who dare to imagine something more potent but who have become disillusioned because of the constant mantra from the non-kinetic effects community that real life isn’t like the movies; ‘there is no magic cyber button’. The truth is, cyber operations became a faddish focus of senior leadership long before we were ready to deliver on the promise and the inevitable result was a deep-rooted and perfectly understandable cynicism.

There is a gathering body of evidence that the situation is changing and is doing so at pace. The potency of a ‘cyber-attack’ is abundantly apparent in the media. It is easy to forget that even five years ago such stories were relatively rare and were far removed from the reality of daily life. Contrast the situation today when there is invariably an open source daily dose of reported cyber incidents that have a clear and understandable impact. Invariably the majority concern bulk personal data loss, often perpetrated by criminals. In such cases the effect is often negligible save for the reputational damage of the victim. Increasingly, however, cyber operations are becoming more sophisticated in their ambition and intent. Perpetrators are using Cyber operations to have a focussed effect on individuals, groups of individuals and even nation states. Sometimes this is simply through the manipulation of information, as was the case with Russian interference in the US 2016 election, but it can also be through the delivery of physical effects through cyberspace. Whether it is Ukrainian power outages or electronic destruction of Saudi government computer hardware it is not difficult to find examples where (usually) state actors have had a calculated effect on their adversary – be that as a standalone effort or blended with other instruments of soft and hard effects

There is evidence too that Western nations are embracing this new tool of influence. At the 2016 RUSI conference, the Secretary of State for Defence acknowledged that the UK is already integrating offensive cyber into its full range of military effects. Across the Atlantic, the US is so energised about the possibilities that cyber will bring that they are elevating US Cyber Command to Combatant Command status. Canada has, for the first time, acknowledged that they too are aggressively investing in offensive cyber. Amongst our close allies, cyber is transitioning from the theoretical to the practical.

So offensive cyber is a proven potent weapon and its possibilities are being enthusiastically embraced by Western Powers. The resultant challenge faced now is how to best leverage at scale what has hitherto been a niche and largely insignificant capability? This question is exercising minds across government; integrating a new domain of tools into the national arsenal is an exceedingly complex business. Although evidently not a complete solution, the following 3 points are critical to success:

Technical Credibility.  It is critical that credible and relevant offensive cyber options continue to be delivered in short order. This will not only ensure that meaningful effects are achievable, but it will also serve to build operational evidence to challenge the cynics. For this to work, cyber effects must be developed to support existing national contingency plans and their employment must be woven into to operational planning from the outset. Capabilities must not be delivered simply because they are technically interesting; there is no room in the modern world of professional cyber for the enthusiastic hobbyist.

Effects Focus.  Those involved in cyber operations tend to be drawn overwhelmingly from the intelligence and communications fields. This is entirely understandable – offensive cyber has evolved largely from signals intelligence because of shared access techniques, and communicators, especially in the military, are likely to have the baseline skill level required to build cyber expertise. These are not, however, those who typically have operations and targeting experience. This needs to change; those that once saw themselves pigeon holed in an exclusively combat support role are on point to deliver effects. This equally applies in defensive cyber operations, which have for too long been solely about protection rather than proactively setting the conditions for operational success. Mindsets and skills will need to change accordingly.

Partnerships.  Despite considerable recent investment across Defence, cyber is not exclusively a military effort. Indeed the real UK expertise and capability is invested in those with many years of relevant experience across government departments. Developing an autonomous military cyber capability would be hopelessly inefficient and would create an artificial and unhelpful divide between cyber used in pursuit of military and wider national objectives. The answer is a full and true partnership to create one single focus for UK Cyber operations.

There is no question that cyber is here to stay. Getting it right now is inevitably going to be difficult and expensive, but the price is worth paying to ensure we are postured to stand up to our adversaries and lead the way amongst our allies.