Star Wars and Cyber Defence
Dave McMahon · Clairvoyance Cyber Corp. · Posted: January 25, 2021
While binge-watching Star Wars over the holidays, I could not help seeing similar tropes in my chosen field of cyber defence:
Stormtroopers, despite training their whole life for combat, really suck at it! They can't hit anything they aim at. It all falls apart in a real engagement.
Conventional cyber security training does not prepare people to conduct active cyber defence operations against a sophisticated adversary within a contested environment.
A great deal of time is spent monologuing, instead of acting in the movies.
Endless meetings, hours in an office or budgets spent are a poor measurement of performance. We can’t talk, work or spend our way into a better security posture or mission assurance. Organizations often suffer from red tape, process and paralysis by analysis. Mission performance in cyber defence is to stop attacks. Period!
Rather than nuking the adversary from space, someone has the bright idea of fighting hand-to-hand on the ground.
Detecting and reacting to a breach, and trying to mitigate compromises inside your perimeter, is practising disaster continuity. A strategic defence would deploy upstream security and intelligence services to stop attacks at scale from ever reaching the organization, ideally as far forward as possible.
Death Stars and multi-trillion dollar weapons systems are all built with catastrophic single points of failure, which can be destroyed by a few people with minimal resources.
Cyber defences are often overlooked in high-value platforms and facilities. A hacker in their pyjamas operating out of their parents’ basement should not be able to break into a major corporation, nuclear power plant, research facility or warship, or take the government off-line.
Death Stars keep getting blown up in much the same way. Apparently the after action report was never read.
Not only do organizations fail to patch known vulnerabilities, but they get compromised by the same actors in the same way over and over again. We can’t just recover from an incident and then set up as before. Defences have to be improved and we need to prosecute the actors. And read the after action reports instead of suppressing them.
Characters penetrated with a laser-blast or sword can be easily fixed up by cleansing the wound with alcohol and applying a bandage.
Bandages are applied after a breach, but often the compromise goes deep and metastasizes. The solution may require a specialist, surgery and organizational chemotherapy.
Speak in jargon so no one understands. But it sounds impressive.
Cyber security practitioners need to speak a language that resonates with decision makers and employees alike. The fear, uncertainty and doubt pitch needs to be replaced with one where security is used to enhance performance and profitability.
There are always more bad guys than you anticipated. The same henchmen appear to be resurrected and return in the next scene.
Defining the problem as teenage hackers is naïve. Competition and conflict in cyberspace are planet-wide and practised by a multifarious set of actors with mixed agendas. Just wait for Artificial Intelligence Agents.
Protagonists blindly follow anachronistic doctrine and code even when it is demonstrably ineffective.
Doctrine, policy, standards and law are hopelessly outmatched by the speed of cyber and the ingenuity of the threat. Canon needs to be redefined by technology and tactics, rather than forcing cyber defence solutions to be redesigned to match antiquated requirements, doctrine, standards or regulations. Any standards we do write cannot be so technologically prescriptive that they are not future-proof.
Speaking truth to power never ends well, nor does being a messenger of bad news.
Many times I have witnessed CSO/CISOs dismissed for providing accurate and timely security advice to the C-suite, only to have the organization suffer catastrophic losses after the fact. This culture needs to change.
The insider threat can bypass well-designed static safeguards.
Sometimes the simplest people and methods can cause immense harm to an enterprise. Look no further than Edward Snowden.
Blaster fire to the access mechanism for a secure door will always cause it to fail open.
So many systems behave poorly and grant access when an unexpected state is triggered (e.g. a buffer overflow). We need to design software and systems that fail closed. Similarly, when I upgrade my software (browser, iOS or apps) I would prefer that my security and privacy settings not be reset to open by default.
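The fail-open door and the upgrade that resets privacy settings, written out as an added example (not the author's code; the badge IDs, settings keys and the BadgeEvent type are hypothetical). The fail-open controller refuses only the one case its author anticipated; the fail-closed one unlocks only on a fully verified path, and the settings merge never turns a privacy toggle back on.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample data for a hypothetical door controller.
AUTHORIZED_BADGES = {"B-1001", "B-2002"}


@dataclass
class BadgeEvent:
    badge_id: Optional[str]   # None when the reader could not read a badge
    reader_status: str        # "ok", "degraded", "fault", or anything unexpected


def release_lock_fail_open(event: BadgeEvent) -> bool:
    """Fail-open: refuses only the one case the author thought of, so a damaged
    reader (unexpected status, no badge) falls through to 'unlock'."""
    if event.reader_status == "ok" and event.badge_id not in AUTHORIZED_BADGES:
        return False
    return True


def release_lock_fail_closed(event: BadgeEvent) -> bool:
    """Fail-closed: unlock only on the single fully verified path; every
    unexpected state, including a faulty reader, leaves the door locked."""
    if event.reader_status != "ok":
        return False
    if not isinstance(event.badge_id, str):
        return False
    return event.badge_id in AUTHORIZED_BADGES


# Hypothetical privacy toggles where True means data leaves the device.
PRIVACY_KEYS = {"telemetry", "third_party_cookies", "location_sharing"}


def upgrade_settings(old: dict, new_defaults: dict) -> dict:
    """Merge a new release's defaults with the user's existing settings so an
    upgrade never silently switches a privacy toggle back to open."""
    merged = dict(new_defaults)
    merged.update(old)                           # existing choices win over new defaults
    for key in PRIVACY_KEYS:
        merged[key] = bool(old.get(key, False))  # new toggles start closed, not open
    return merged
```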
The adversary drives innovation while we are driving machines designed in the 1970s.
Too many security solutions are built to comply with standards or align to standing offers or RFP requirements rather than stop a real adversary.
All the Empire’s advanced weapons are conceived of and built by industry. Even the clone army is manufactured. They also use mercenaries and bounty hunters to carry out the hardest operations. The rebel alliance itself is a volunteer force.
Cyberspace is owned and operated by the private sector. Industry designs and builds the cyber technology. Having a sovereign cyber defence industrial base at your disposal is a powerful thing – not just as a vendor but as an equitable partner in the contest to control and defend cyberspace.
The divisive politics of the Republic lose to the singular purpose of the Empire.
The government, industry, society and crime organizations of our adversaries collaborate with intent along one mission.
A small rebel force takes on the Empire.
The asymmetric nature of cyberspace means that a dozen talented individuals with access to the cloud can generate nation-state capabilities overnight.
Imperial star cruisers and bases have insecure USB ports everywhere that any droid can port into and steal the most sensitive data or control vital systems.
The Internet-of-Everything will drive hyper-connectivity and ubiquitous access to information, people and things.
In the end, most things in life can be solved with a light-sabre.
An active defence is often more effective than a reactive one. Defending forward through threat hunting, adversarial pursuit, attribution, targeting, fire and effects contributes to successful threat reduction. Cyber power can be used to both protect and project.
This is the way.
Disclaimer: The views and opinions expressed in this blog post are those of the authors and do not necessarily reflect the official position of the Professional Development Institute of the University of Ottawa.
Dave McMahon has an honours degree in computer engineering from the Royal Military College of Canada and 35 years’ experience in defence, security and intelligence. Dave was a CSO and COO to defence, telecommunications and intelligence organizations, co-chair of the Interdepartmental Committee on Information Warfare, expert witness to the Senate and special advisor to the Privacy Commissioner of Canada, and intelligence oversight and review. Dave is currently the Chair of the CADSI cyber council, and the CEO of Clairvoyance Cyber Corp.