Op-Ed: Cyber security for military systems – mission context is critical

Ticking a box for compliance and security isn’t enough when it comes to mission-critical systems.

When I started my career in cyber security, I worked in a building that had bars on the windows. We jokingly said it was to keep the cyber people locked in, but realistically, we knew it was to keep unsavoury people out.

We had to have the bars because there was a security checklist. There are clear parallels between the way we treated physical security then and how we are treating cyber security today.

Times have changed for security, and particularly when it comes to cyber security for military systems. Putting bars on the windows just isn’t enough. As missions are increasingly executed across interconnected and multi-domain environments, and conflicts are more digitised with more varied threats, the era of a single secure perimeter is over.

Delivering cyber-secure military systems needs to move beyond traditional paradigms, cyber models, and standards and take an adaptive, mission-focused approach. We need to shift our thinking from cyber security being a back-office function to it being required holistically across an enterprise, including being a frontline priority.

Command-and-control (C2) hubs, unmanned aerial systems, war-fighter planning systems, logistics chains, headquarters task management, and enterprise IT – every digital node is a potential vector for attack. Cyber supply chains are complex, and vulnerabilities can be introduced at the production stage of a system, before traditional cyber security processes are engaged.

Military cyber attacks can halt a convoy, blind a drone, or disable a command centre and threaten mission assurance. Preventing these requires a well-thought-out approach. The mission context must be at the core of any cyber defence strategy. Designed in isolation, untailored cyber defences are likely to fall short when it matters most – on the battlefield.

A cyber actor isn’t going to distinguish between business systems and critical infrastructure. They will exploit vulnerabilities in business networks to gain access to critical military systems. In this case, understanding your connectivity and posture within the IT environment is critical to enable security controls, but more importantly, we need to balance those controls and be pragmatic by understanding what’s needed on the ground for mission success.

When we understand the mission context, the user experience, and their needs in a real-world scenario, then we can effectively map cyber defence solutions that work in the field. In a military context, the challenge for securing military systems is that we need top security without laborious controls. It’s about understanding the mission and what the system will be used for because we need to enable our military to do their job.

Certainly, the Australian Cyber Security Centre’s Essential Eight (E8) provides a solid foundation for baseline controls. However, in the case of government and military, even the E8 must be implemented with an understanding of context, rather than just implemented carte blanche. True cyber security is not achieved via a checklist. For example, implementing multifactor authentication to a critical military system in the field could result in an inability to complete the mission should a multifactor token be lost. This can have real-world consequences, including loss of life.

Securing military cyber systems requires mapping real-world mission workflows and environments to effectively design a cyber security strategy that doesn’t hamper operational effectiveness. The interdependencies of modern military systems make for an additional layer of consideration. From satellite communications to cloud platforms to mobile units and IoT-enabled gear, data is shared constantly. The belief that a system is safe because it is “air-gapped” and not connected to the internet is a fallacy. In reality, it will almost certainly still connect in some way, for example, via system upgrades.

Cyber security for military systems, therefore, calls for a tailored approach, including the importance of testing systems for resilience in contested, degraded, and disconnected settings.

Thinking about cyber security this way means moving beyond compliance and moving towards providing mission assurance. It means tailoring for the very specific needs of the systems being protected. It also ensures that cyber security measures are layered, intelligently positioned, and mission-specific.

How do we achieve all of this in practice? This comes down to the integration of cyber security within the engineering life cycles, for hardware and software, rather than bolting it on at the end. Ensuring that cyber security is considered for supply chain integrations, software libraries, communications bearers, all of it. At Leidos, we achieve this primarily through our use of the DevSecOps approach, which, while being traditionally tailored towards software engineering, we apply to all manner of platform-based projects.

As part of this, it’s also important not to forget the people and process elements. Taking this integrated viewpoint means understanding how your processes interact with your people, as well as the tech that is being delivered. Sometimes, it’s a business process that an actor will exploit, not a piece of code. Continuously reviewing and improving these processes and training your team is essential to security confidence and mission readiness.

While I don’t work in that building with bars on the windows anymore, it’s becoming more and more critical for my – and our teams’ – work to ensure that we are delivering reasonable and effective controls, rather than just ticking boxes.
