An Cosantóir

www.military.ie the defence forces magazine | 19 curity is vital for defending the security of Ireland and the entire EU. Cybersecurity includes preventing nefarious use of the internet. Almost every crime has a cyber dimension, often using freely available messaging apps encrypted to a military level of security. The 9/11 attacks were possibly the first terrorist atrocities where the internet was used in planning. Today the internet is the key tool for indoctrination, recruitment, financing, planning and execution of terrorism. Cybersecurity has developed a further dynamic that will play a key role in the future of defence. The 'internet-of-things' (IoT) is becoming central to our everyday lives (including our cars, home appliances, even children's toys), our critical infrastruc- ture, as well as our defence. The IoT con- sists of interconnected devices ('things'), receiving and transmitting data. These contain automated sensors and actuators performing critical functions. They are, in effect, small computers running software and firmware (a computer program stored within the hardware). The IoT will be used in maritime, land, air, and space environments. It will integrate intelligence, surveillance, and reconnais- sance to accurately identify threats. It will facilitate more autonomous defence sys- tems and vehicles. The IoT will enable huge advancements in EU Permanent Structured Cooperation (PESCO) capabilities. To put this development in some con- text, maritime vessels will soon comprise multiple IoT connected to control systems via the internet. The power management, loading and stability systems, alarms, bridge control console, electronic chart display and information system, auto- matic identification system, navigation decision support, voyage data recorders, computerised automatic steering, global maritime distress and safety system, and GPS - to name just a few - will all become IoT devices. However, the IoT creates vulnerabilities that are an often-overlooked part of cyber- security. Dr Stefan Lüders, Head of Com- puter Security at CERN says that around a third of CERN's newly purchased IoT devices fail the most basic cybersecurity tests his team throws at them. Dr Lüders told me that he thinks IoT cybersecurity "is getting worse". IoT cybersecurity is now one of the main priorities of the US Dept of Defense. Future Defence Forces missions may well depend on the security of cyberspace and the internet-of-things. Contrary to popular belief there is no separate internet for critical infrastructure or for the military environment; it's the same internet used by everyone. The Defence Forces possess a great advantage in progressing cybersecurity because of the expertise and central role of the CIS Corps. The heart of their work is providing efficient and effective com- munications and information systems. As Cpl Audrey Doyle said in November's An Cosantóir, the expertise within CIS ensures the maintenance and updating of the systems, switches, and routers that are the backbone of the Defence Forces' comput- ing network. CIS develops the sophisti- cated and secure systems that the Defence Forces depend on for their global commu- nications. This world-leading knowledge within CIS is crucial for the cybersecurity of the Defence Forces as the technology becomes ever more interconnected. In addition to this first class technologi- cal advantage, two other aspects are vital. At the governmental level coordination is increasingly occurring with the National Cyber Security Centre (NCSC) Ireland, An Garda Síochána National Cyber Crime Bureau, Dept of Justice and Equality, DC- CAE, Dept of Defence, and all government departments working closely together to address cybersecurity challenges. At the EU level cybersecurity coordina- tion is equally critical. There are at least 188 national intelligence services across the EU and countless numbers of regional and police agencies. It is crucial that the EU acts as an intelligence fusion centre for all these agencies to address cybersecurity challenges. It is not only technical informa- tion that needs to be shared but intelli- gence cooperation also needs to create an ongoing visualisation of the cybersecurity threat landscape facing Europe; this is the wider picture that helps to show how nefarious actors are using the internet to undermine EU security. Europol EC3 Euro- pean Cybercrime Centre, and ENISA, which deals with critical infrastructure and the IoT, are central to this. Cyber coordination across the entire EU is needed, especially with EU military staff. Nefarious actors have no problem collaborating and sharing information and they'll always be one step ahead unless we do likewise. Finally, the human factor of cybersecu- rity is rarely discussed, but it is an essential element. Ensuring effective cybersecurity is about the early identification of prob- lems - recognising them when they are mi- nor, before they become major - and then dealing with challenges in a resilient way. We should follow the specific guidance of Europol EC3, An Garda Síochána, NCSC Ire- land, and other government departments. It is also about management, people and process. Cybersecurity requires information sharing; organisations need to work holisti- cally, empowering each and every person with a shared responsibility to identify problems. Not a single employee or contrac- tor has a role that can now be considered separate from cybersecurity. All civilian and military personnel should be able to identify cybersecurity concerns as early as possible in a no-blame environment. In Defence Forces Review 2017 Comdt Frank Byrne writes about the 'Just Safety Culture' in aviation where the reporting of errors is encouraged and honest mistakes are not punished, thereby allowing ev- eryone to learn. This approach is precisely what is needed in this new interconnected environment. Moreover, the Just Safety Culture has to be continually maintained according to Comdt Byrne, with constant effort and engagement to demonstrate and promote it; this should be no differ- ent for cybersecurity. As Comdt Jonathan Marley, Head of the Command, Leadership and Management Programme at the Com- mand and Staff School says: "It is vital that we place cybersecurity awareness at the forefront of professional military educa- tion; embedding the appropriate mindset in our organisational culture. The initiatives being introduced by the Command and Staff School in 2018 and 2019 will represent positive steps in that direction." Indeed, awareness is the key. While we will never achieve 100% security we can make it as difficult as possible for nefarious actors. We need to be continually learning from cybersecurity challenges, however they are caused, and identifying problems at the very earliest opportunity, whether as individuals, across business and govern- ment, or within the Defence Forces. about the author: Dinos Anthony Kerigan-Kyrou is responsible for cybersecurity training within the Senior Command & Staff Course. He is a co-author of the Partnership for Peace Consortium/NATO Cybersecurity Generic Reference Curriculum.

• Cover