rear admiral peter quinn csc - department of defence - the military defensive cyber security...
TRANSCRIPT
Australian Defence Force
Joint Capability Coordination
RADM Peter Quinn, CSC, RAN
Head Joint Capability Coordination
VICE CHIEF OF DEFENCE FORCE GROUP
R22371339
The military defensive cyber security challenge:
What are our requirements of both military forces and
contractors providing operationally critical services?
16 June 2015
Introduction
Presentation Scope:
• The modern ADF
• The threat environment
• Challenges for the ADF
• Building the capability
• Requirements of the ADF and partners:
– Defence’s approach: Responsibility, Resilience and Risk
The Modern ADF - Context
• Highly networked operations
• A tri-service and multi-agency federation
• Well integrated through cyberspace
• Logistics support
– Reliant on military partners
– Reliant on commercial partners
– Reliant on partners' security
  • trust vs audit?
The Threat Environment
• Novice to Level 3 actors
• Nation state vs non-state
• Insider and external threats
• Asymmetrical threat
– The great equaliser
• Hard targets (platform mission systems) vs soft targets (supply chain)
Threat Actor – Level 1
• Inexperience
• Limited funding
• Opportunistic
• Target known vulnerabilities
• Thrills, bragging
• Easily detected
Threat Actor – Level 2
• Higher order skills
• Well financed
• Targeted activity
• Target known vulnerabilities
• Target & exploit valuable data
• Detectable, but hard to attribute
Threat Actor – Level 3
• Very sophisticated tradecraft
• Foreign intel agencies
• Very well financed
• Target tech and info
• Use unknown vulnerabilities
• Persistent
• Very hard to detect & attribute
Reference: U.S. Department of Homeland Security
Challenges for the ADF
• Normalising cyber defence
– Inherent part of operations
– Identify important vs vital cyber ground
• Integrating a coherent, ubiquitous cyberspace defence strategy in Defence including partners
– Addressing soft and hard targets
– Implementing a comprehensive Information Assurance strategy
[Diagram labels: Policy and Compliance; Intrusion Detection and Prevention; Surveillance and Pattern Matching; Vulnerability Assessment and Penetration Testing; Disaster Recovery]
Building the Capability
• Building a new ADF capability within a fiscally constrained environment
• Building a sustainable workforce
– Recruitment, training, retention
– Working with industry – flexible work arrangements
Defence’s Approach
• Taking responsibility
– Build a coherent ADF plan
– Build a defensive cyber capability
– Build strong, transparent & agile partnerships
– New generation contracts
  • Service with security, partnering in cyber security
  • Assisting support and operational partners best practice
  • Assuring supply chain
– Cyber security as inherent part of operations
  • Commanders to take the reins (not just a J6 problem)
  • U.S. “Cybersafe” program
  • RAN baseline
  • Program managers responsible for ensuring acquisition aligns with standards
• Building Resilience
– “Cybersafe”
  • Set standards
  • Baseline cyber status; monitoring and auditing. Strict adherence to baseline
– Investing in building a defendable architecture (CIOG and Services)
– Up-skilling current network operators
  • Network security specialists
– Investing in up-skilled partners
  • Prioritisation of security requirements
• Managing Risk
– The cyber threat will always get through
– Build a layered, multi-faceted cyber security defence
– Accreditation and certification
  • Cybersafe: Certification authority makes final decisions and assumes risk & accountability
  • Beyond just Defence (partnerships)
Summary
• Normalise cyberspace operations
• Commanders must appreciate the threat
– Accept responsibility
• Build transparency through the “logistics” supply chain
– No soft targets
– Work together (your threat is our threat)
• Identify and classify vital vs important networks
– Scalable and defendable
• Build an agile, integrated and defendable capability