What does a ‘typical’ cyber job in defence involve?
People who want to work in cyber often think it’s sitting in front of a keyboard hacking the Russians – but that’s not the reality! Unless you’re a deep specialist, a cyber job is similar to any other planning ops-facing role: you’re engaging with partners, you’re working in teams, you’ve got a problem set to solve and need to find the best solution. What defence does and requires from its cyber specialists is very different from other areas of government, but you’re also looking at costs and risks, and the mitigations you can put in place.
Why is cyber important to defence?
Cyber is about exploring the art of the possible, and it’s becoming more important across every role. After joining the Army around ten years ago, I went to uni to do a bachelor’s in hacking and computer security. At the time, people asked why I would want to study that subject. But when I came back into the military after graduating, cyber was ‘in vogue’. My degree was seen as really useful and nowadays I’m having to lean on my vocational qualification more and more. As well as looking for opportunities, it’s important to understand the limitations, and it’s easy to get frustrated with the pace of change in defence. But you have to accept: it’s incremental gains. Cyber is a very powerful tool when used in the right way, but it’s a difficult capability with a long lead-in time.
Yes, Offensive Cyber (OC) isn’t something that can be applied retrospectively once the rest of the plan is formed. Cyber needs to be nimble and agile, which requires enormous investment to develop capabilities against specific targets and maintain them at a sensible level of readiness.
Mastering the cyber domain supports defence to become agile and responsive, and the multi-domain integration training here at the Defence Academy is equipping our people with the knowledge and skills to gain that strategic advantage. What are the other challenges facing defence?
The pace of the passage of information makes the dissemination of fake news, propaganda and leaked material readily available to hostile actors. Cyber options to combat Advanced Persistent Threats are key to countering misinformation: much of our capability is defensive, but we also need active measures. A cross-government and international approach can help limit the freedom that malign actors possess to broadcast propaganda, and to rapidly produce and disseminate counter messaging. And engagement with academia, industry and the intelligence agencies is needed to assure the protection of sensitive information and projects.
The more digitised we become, the more risk and opportunity we present to our adversaries. And that goes both ways. What we’re going to be able to do in the next five to ten years is really going to change business: as we rely more on technology, cultural and behavioural change is needed to keep pace with evolving threats.
In my view, analysis and understanding of how to apply capabilities to operational problems is where we are currently experiencing the key pinch point. There is a lack of continuity in OC-related roles. The time preparing for and learning the ecosystem is eaten up very quickly in a two-year posting. We need a mix of skills.
What are those specific skills? Does it help to have a particular personality type to be a cyber specialist?
A lot of my uni friends could sit and focus for long periods of time on writing programs and finding vulnerabilities, and that’s a unique skill – but it’s not typical of an Army officer in the field. I think recruiting a more neurodiverse workforce could help.
Our adversaries are developing similar technology at pace: we must match them – and match industry in attracting and retaining the right talent. Many solutions for cyber problems in my regiment have been developed by innovative soldiers. Command must enable them to do this work and empower those who are interested to pursue education in science and technology.
It’s going in the right direction, with MOD working to understand where the experts are, nurture them and get them into the right position to make positive changes to policy and solutions. We need people with good, deep technical knowledge to add value to the planning process and support the non-specialists and chain of command. It’s not an insurmountable challenge and I think it will get better as we recruit the younger generation who are more tech savvy.
And for those of us who may not be tech savvy… What are your top tips for staying safe online?
Minimise your military signature, and if your role requires you to be on social media, have separate devices for work and personal use. Ensure that your anti-virus software and firewalls are up to date, and minimise the amount of information you share on personal devices – never use them to discuss anything above OFFICIAL.
Unless you cut yourself off from technology completely, you’re never going to be 100% secure, 100% of the time. But practising good ‘cyber hygiene’ will minimise the risk. Don’t allow your phone to make lots of automated connections and don’t put stuff out there that could compromise you. Technology can make our lives easier, so just understand the limitations and make use of it in a safe way. A classic example is social media: everyone is very good at locking down their Instagram and Facebook, but they put their Developed Vetting (DV) clearance on LinkedIn. You wouldn’t walk around a tube station with your security pass on.
Read and implement the excellent guidance that has been disseminated across defence – and ask if you’re not sure. We all benefit from learning outcomes when people ask questions.
This October is Cyber Awareness Month, an international initiative that aims to promote strong cyber security behaviours. Across defence, personnel are encouraged to engage with a variety of activities and resources linked to three themes:
- Them – the individuals and organisations behind cyber attacks
- You – the role we all play in the ‘human layer’ of cyber defence
- Us – why this is crucial to defence as an organisation