Building a Cyber Resilient Future

Aug 14, 2021·
Jacob Larsen
Image credit: AFCEA The Cyber Edge

Authored by Jacob Larsen, Margarita Sallinen and Michael Daw.

The value of cyber security education at the individual level to develop cyber resilience for the protection of future generations.

The Paradox

Technological advancements in the age of information are increasing rapidly. The traditional battlefield is changing and now includes the use of drones, Unmanned Aerial Vehicles (UAVs), and directed-energy laser weapons. Similar developments are occurring in the cyber security sector. Emerging technologies like Artificial Intelligence (AI), blockchain and 5G present additional cyber risks which could influence how future wars are conducted, and they indicate that nations will increasingly rely on cyberspace in future war fighting.

Cyber security is already a key national issue on many countries’ political agendas. Governments all over the world rely substantially on the expertise of professionals within the field of cyber security to analyse the problems and implications attributable to cyber warfare. However, while technological advancements are influencing the nature of war, the knowledge gap between cyber security professionals and the general population is similarly expanding.

An important question arises from this: if the focus rests upon creating resilient technology as a solution to meet the challenges of future cyber warfare, then should we not turn our attention to creating a cyber resilient population instead? How can a resilient network prove effective if the general population is incapable of protecting itself while using such technologies? The knowledge gap in cyber security contributes to this present paradox – how can we build a cyber resilient future in a civil society illiterate of cyber risk?

Background

State-sponsored cyber attacks challenge the very concept of war itself, and any attempt to predict the future of cyber war fighting is therefore met with great uncertainty. For example, many states will predictably continue to operate in the “grey zone” – an area where no borders exist and which fails to meet the threshold of war, thus enabling a nation to avoid triggering a declaration of war against another. In addition, grey zone operations are generally conducted covertly, which adds to the attribution problem since it is seldom known which state is responsible.

State-sponsored cyber attacks have far-reaching implications for governments, militaries, the private sector and civil society too, as is made evident by the Cyber Operations Tracker database. Most cyber attacks involve information control, espionage and sabotage, which RAND explains in its report “The Future of Warfare in 2030: Project Overview and Conclusions”. In this report, RAND also emphasises how information will become weaponised in the future.

These predictions demonstrate potentially hazardous scenarios where ‘cyber terrorists’ could acquire such technologies for diabolical purposes including attacks on digital and critical infrastructure. Yet, they also showcase the brilliant minds in our society. However, few cyber security experts exist at present and the immaturity of emerging technologies further suggests that there are security implications not yet understood. Consequently, the knowledge gap within the field of cyber security is prone to expand.

Evidence

To understand what the future of cyber war may hold, past reflection is necessary to identify the weakest link in cyber security. The following examples provide insight regarding how future cyber war fighting might be conducted.

First, in March 2016, Microsoft created a Twitter chat bot called Tay.ai using AI. The bot was designed to mimic the language patterns of a 19-year-old American girl and to learn from interacting with human users of Twitter. However, leaving Tay.ai unsupervised led to some unsavoury events such as pledging Nazi allegiance, causing the bot to be taken down. Users on Twitter acted as an adversary and were able to reprogram the chat bot into adopting extremist views. This example is consistent with the key cyber security attack trend of information control and gives insight into how AI is vulnerable and can be manipulated in cyber warfare.

Second, in December 2020, an Advanced Persistent Threat (APT) group sponsored by a foreign nation was able to compromise the internal networks of various United States government agencies through a sophisticated supply chain attack on a software vendor called SolarWinds. The APT actors infiltrated SolarWinds through a suspected spear phishing email targeting humans. It allowed the foreign nation state to compromise their internal networks and extract confidential information. The SolarWinds cyber intrusion exemplifies cyber espionage and how cyber war fighting is changing. This event further suggests that more complex and unpredictable intrusions will likely occur in the “grey zone” in future.

Last, in September 2020, a German hospital experienced a cyber attack when ransomware disabled critical infrastructure which caused the death of an urgent care patient. Thirty servers in the hospital became encrypted which paralysed essential systems used for emergency procedures. Consequently, a seriously ill patient was diverted to a nearby hospital by ambulance but passed away during transit – this was the first recorded incident of a cyber attack resulting in human death. This event demonstrates how cyber sabotage and future cyber war fighting may cause physical damage and harm to humans.

This type of warfare should be on the minds of experts and policy makers alike when contemplating national strategies, and it highlights how intelligence gathering will be on the frontline of future warfare. With the above examples in mind, it is possible to identify and fortify the weakest link in cyber security – humans. Despite new technological control improvements in cyber security systems, future cyber warfare will likely prey upon the innate human tendency to trust implicitly. It is evident that society must become more informed about cyber security for its own protection and that of the nation too.

Herein lies the problem: only a small minority of the population are cyber risk literate. There is a concerning knowledge and skills gap regarding cyber security, which is predicted to increase. This was recently highlighted in Jon Oltsik’s research report for ISSA, “The Life and Times of Cybersecurity Professionals 2020”. Thus, what good will come from only a handful of citizens being cognisant of cyber security? Especially seeing that it is the general population who are most vulnerable to cyber attacks and who also produce the ammunition, i.e., the information, that our adversaries will use against us?

Solution

A non-technical, bottom-up and soft power approach should be considered as a long-term solution for understanding future cyber war fighting. While commonly discussed solutions focus on technical control implementation, a broadened and holistic perspective is required. That is, an investment in quality cyber security education. Since humans are the weakest link in cyber security, education can help build a cyber resilient future.

A society that is cyber risk aware is necessary to effectively manage cyber risk. Hence, cyber security education should be implemented within school curriculums and taught at every level of education. Children, for instance, are currently using technology such as iPads from as early as two years old. Cyber security education should therefore begin from pre-school. It is arguable that being knowledgeable of cyber risk will be as vital as being literate in English and mathematics in the future. Education from an early age will help ensure future generations become more vigilant of their digital footprint, which may contribute to their society’s overall resilience.

Reforming education to incorporate cyber security awareness and training enables citizens to contribute towards a cyber resilient future. Education can strengthen situational awareness around cyber security incidents and helps prevent individuals falling victim to spear phishing attacks like the SolarWinds breach. A reformed curriculum will provide current and future generations with essential knowledge and skills to navigate and resolve looming conflicts. Education provides vital teachings surrounding cyber security and technology, including international relations, ethics and the need for appropriate cyber legislation. Such endeavours can improve national security long into the future.

Additionally, incorporating cyber security education into schools will entice more individuals to pursue careers in this subject area professionally. Having a plethora of academics in this area will produce new perspectives and contribute towards a healthier balanced debate on this topic. This may assist countries to develop new technologies and implement modern cyber security policies regarding future cyber warfare.

This approach is already demonstrable in countries like Sweden and Singapore, whose ethos surrounding participation in future wars is not solely reliant on their armed forces. Instead, these nations strive to educate their citizens while opting for a so-called “total defence”. Following this path is argued to strengthen an individual’s sense of responsibility and therefore to contribute towards domestic stability by creating a stronger nation with all citizens in tow. The approach suggested is complementary and does not relegate traditional hard power approaches like military technological developments.

In summary, education contributes to resilience via awareness, which contributes to a sense of collective responsibility for the future defence of a nation – all citizens have a role to play. An individual need not become a soldier to develop the necessary resilience for future cyber warfare – an educated citizen will be just as proficient in contributing to national security overall.

Conclusion

A nation can remain robust and adequately prepared for future warfare by adopting a soft power approach. Building a cyber resilient future requires civilians to be cyber risk aware and is achievable via education. That is, prioritising the education of current and future generations on cyber security through implementation into school curriculums. Education can provide citizens the fundamental skills necessary to prevail in future conflicts and may entice more individuals to seek careers in this area too. This will arguably mitigate skills gaps in professionals and increase the overall knowledge on cyber warfare. After all, the coming generations will be responsible for protecting their nations. With sufficient education, preparation for future cyber warfare can be met with confidence.

Noli cedere cognoscere – do not cease to learn.

Authors
Jacob Larsen
Offensive Security Team Lead
I have a deep interest in threat research, and work as an offensive security team lead. I have a diverse background in strategic cyber advisory roles.