Simple, Low-Cost Measures Can Put Militaries on Road to Cyber Security
An employee, spending one of countless days in front of a computer screen, opened an email and clicked on a link. That began the invasion.
The worker, a computer technician at Saudi Aramco, a major Saudi Arabian oil company, presumably was well-schooled in the ways of careful computer use. But not, apparently, on August 15, 2012, during the holy month of Ramadan. The clicked link was all that hackers — calling themselves the “Cutting Sword of Justice” — needed to infiltrate one of the richest companies in the world.
In just a few hours, 35,000 company computers had been destroyed or partially wiped, according to a CNN report. Screens began to flicker. Computers shut down. Files disappeared. Company employees all over the world yanked cables out of servers and disconnected from the internet, hoping to halt the virus’ destructive march.
Saudi Aramco’s 9.5 million-barrel-per-day production continued, as did drilling and pumping. But the attack hurled administrative functions, such as supply management, shipping and contractual issues, into the technological stone age of paper and typewriters.
There was no internet, no corporate email service. Even the telephones went quiet. If a contract needed to be signed, workers faxed it — one page at a time. The company even had to turn away tanker trucks seeking refills. After more than two weeks of paralysis, Saudi Aramco was giving away oil to maintain domestic flows.
In the immediate aftermath of the attack, the company bought 50,000 new computer hard drives at once, paying above-market prices to get priority access. The purchase strangled global hard drive supplies.
“Everyone who bought a computer or hard drive from September 2012 to January 2013 had to pay a slightly higher price,” Chris Kubecka, a former security advisor to Saudi Aramco, told CNN.
One email. One link. One click. That’s all it takes to lose a battle in cyberspace. No country is immune. No military can prepare too much.
China, North Korea and Russia already have shown a willingness and ability to attack other nations in the cyber realm, setting their sights on elections and infrastructure, to name two targets. Although many African nations may not seem to be high-profile targets, they cannot be complacent, said Dr. Jabu Mtsweni, research group leader for cyber warfare at South Africa’s Council on Scientific and Industrial Research.
“The threats are vast,” Mtsweni said, “and I think we are not immune to any of them.”
SOLUTION STARTS WITH TRAINING
Establishing solid training and teaching best practices is the best way to ensure that Africa’s militaries are prepared for cyber threats. Experts agree that everyone can take steps to lessen the potential for a wide range of cyber threats, even if expert personnel and high-tech equipment are unavailable. Nations can deliver this training to Soldiers and officers through professional military education institutions.
Such military training academies exist across the continent, and many focus on an array of subjects, notably peacekeeping and war strategies. Cyber security has not yet achieved the status of other, more traditional, military instruction. That is largely due to a lack of awareness, Mtsweni said, and a lack of personnel with training, experience and interest in cyber security matters. Most African militaries, he said, have kept their focus on traditional, kinetic warfare tactics and strategies. Altering that mindset will require changes — and time.
“I think your first stage should start mostly at the recruitment stage,” Mtsweni told ADF. “In other words, when the military recruits, they need to start looking at recruiting for a digital age.”
This is easier said than done. People with cyber security skills are in short supply everywhere. Some degree of interest and proficiency is essential, because not everyone is inclined toward or talented in technology. Even setting up and delivering the training is not enough. There must be an opportunity to use and develop new skills. Cyber-trained officers and Soldiers will become discouraged if they do not have an outlet for using their training. Mtsweni said those who are trained will need to be able to implement what they have learned.
FINDING A CHAMPION
Dr. Greg Conti, security strategist for IronNet Cybersecurity in the United States, directed the Cyber Research Center at the U.S. Military Academy at West Point and its Army Cyber Institute. He told ADF that the best way to start effective cyber security training is “with a senior leader champion.” The alternative is to wait for change to come from the grass roots. That will be slower and less likely in a military hierarchy.
Mtsweni agrees that finding a champion is key. “Everything rises or falls on leadership, so if there’s a leader who is a champion for cyber security, you will find that it is easier for the ground forces to follow through,” Mtsweni said. “And in the African context, you have less of that, because most of the colonels and generals, they are more of an old school where they grew up. In South Africa we say, ‘They were born before technology.’ They call them ‘BTs,’ so they were born before technology in the sense that it is very difficult for them to relate when you speak of cyber security, because that’s not their training when they were training in the military. They were never really introduced to cyber security.”
If a senior leader turns attention to cyber security, those in the lower ranks will follow. The leader doesn’t even have to have technical proficiency or deep knowledge of the subject, just a realization of its importance and a commitment to addressing it with money, resources, space and continued attention. This, Conti said, will help others see the importance of cyber security and buy into it. The senior leader’s priority will trickle down to others in the command structure.
From there, the leader needs to identify people with relevant talent and abilities, retain them and promote them. If a force can identify and empower a cyber security specialist and help them grow, the results will be “game changing,” Conti said.
Once personnel are identified, there are training options that can achieve valuable results without requiring huge expenditures. For example, there is a wealth of free cyber security information online. Or personnel could work from books that cost about $30 each.
If more money is available, Conti said, a military force could send someone for training who then returns to brief colleagues and share materials. Such a person could become the “local expert” on cyber security at a one-time cost of several thousand dollars for travel and tuition.
EFFECTIVE, LOW-COST TRAINING
Cyber security knowledge and safe habits can be effective without costing a fortune. Training can be tailored to Soldiers and officers, depending on their experience and responsibilities. The key, Conti said, is delivering the right amount of cyber security training to the right people at the right point of their careers. What a private needs likely will differ from what a noncommissioned officer or commissioned officer needs.
Training can be targeted to the many, the some and the few, he said. The most important training for the largest number of people would focus on “cyber hygiene.” This entails all the fundamental steps everyone must take in cyberspace. Without them, everything else fails.
Some examples are keeping passwords private, changing passwords frequently, and not clicking on links or opening attachments in unsolicited or suspicious emails. Even taking a selfie with a cellphone during an operation and posting it on social media sites can endanger a sensitive mission.
It’s also important to make sure that military computers are running clean versions of popular software. Conti told of how bazaars in Iraq sold Microsoft Office for $1 to $3. There is no doubt, he said, that such software is loaded with viruses, malware and other malicious code.
The next training would be for what Conti calls the “some” group. This includes enablers who work in the cyber realm occasionally, such as lawyers and policymakers, military planners and those who build and operate computer networks. Training in the Center for Internet Security’s (CIS) top 20 basic controls would be helpful to this group, Conti said. The list includes inventory and control of hardware and software assets, email and web browser protections, malware defenses, wireless access control, account monitoring, and incident response and penetration testing, among other things.
The CIS list represents the industry’s “canonical set of best practices for securing your IT infrastructure,” Conti said, adding that the list probably can protect against 80 percent of low- and medium-level threats. People in the “some” group also could pursue additional certifications such as the Certified Information Systems Security Professional.
The “few” category includes what Conti calls “true cyber security specialists,” such as hands-on-keyboard operatives who handle offensive and defensive cyber capabilities. Their training would be highly specialized and would likely include expertise in signals intelligence and how to leverage it in cyber warfare operations, cyber policy and law, intelligence analysis, computer network exploitation, and how to integrate cyber into kinetic operations and vice versa.
Mtsweni said several African countries are beginning to show an increasing awareness of the importance of cyber security. He said nations such as Ghana, Kenya, Mauritius, Rwanda, Senegal and South Africa are showing a commitment to cyber security. Militaries typically take their cues from governments, so as governments continue to prioritize cyber security, national militaries are likely to follow.
However, it will take time to build national cyber security capabilities — perhaps five years or more, Mtsweni said.
Conti said the same is true regarding the training of military personnel. Attention to cyber security cannot be fleeting. “It needs to be part of a long-term vision.”