1 00:00:00,300 --> 00:00:08,580 Let me introduce very briefly I'll speak to Graham. In fact, I'm sure everyone is saying to you that he is a former member of the British Army. 2 00:00:09,240 --> 00:00:16,020 He did a lot of work on what I consider to be some rock decent, hard aspects of soldiering. 3 00:00:16,410 --> 00:00:23,190 But he's reinvented himself. And I'm pleased to say that as he nears the completion of his doctorate here at Oxford, 4 00:00:24,600 --> 00:00:30,839 he has transformed from the military mindset, if you like, in some of these, 5 00:00:30,840 --> 00:00:39,450 I think quite deeply about carefully about some issues which are controversial in the very least on not just cyber security, 6 00:00:39,450 --> 00:00:43,260 that quite semantic phrase that seems to sanitise the problem. 7 00:00:43,590 --> 00:00:51,059 It's looking at things like offensive cyber, which is a much more worrying kind of issue for us to sort of contend with. 8 00:00:51,060 --> 00:00:59,100 And Graham, soldiering on has taken this on full forward holds, if you like, say I'm going to tackle this head on, is nearing completion. 9 00:00:59,430 --> 00:01:06,780 And he will explain to you, I'm sure, what he wishes to derive from the session, because this is a two way process, not a lecture, it's a seminar. 10 00:01:06,780 --> 00:01:11,640 We have an option to have things input into the final completed stages of his doctrines conducting. 11 00:01:11,910 --> 00:01:16,590 Graham very much do and I quite I had to follow that whether that sort of means that 12 00:01:16,590 --> 00:01:19,900 my army career was pretty inconsequential as opposed to what I'm doing my life. 
13 00:01:19,910 --> 00:01:26,880 I know what I want to talk about today really is one of the central parts of my defence 14 00:01:28,650 --> 00:01:34,350 or my day for really what I wanted to look at was how the states operationalise 15 00:01:34,350 --> 00:01:38,190 their national cybersecurity strategies and what does that mean for the way that 16 00:01:38,190 --> 00:01:42,900 states that act in cyberspace and the diplomatic and at the strategic level, 17 00:01:45,120 --> 00:01:49,319 I think and within that is really one of the other drivers. 18 00:01:49,320 --> 00:01:57,000 Was the emergence over the last five years or so of offensive cyber as a policy toward a state so increasingly 19 00:01:57,000 --> 00:02:03,510 willing or stating that they are willing to use in order to achieve not only that aims in cyberspace, 20 00:02:03,510 --> 00:02:07,680 but their wider national security agendas and intense. 21 00:02:10,260 --> 00:02:15,330 So what am I going to do? And really it also comes from the existing literature in this space, 22 00:02:15,960 --> 00:02:20,910 and that was the good body of cybersecurity literature sort of move from a 23 00:02:20,910 --> 00:02:25,670 bookshelf in black clothes and small bookshelves acquired for almost monthly. 24 00:02:26,280 --> 00:02:31,200 A lot of it are looks very much at strategic theoretical thinking or down in the 25 00:02:31,200 --> 00:02:35,760 tactical weeds of doing what I wanted to try and look at was that space in the middle 26 00:02:36,330 --> 00:02:42,959 of how policy that is stated and put forward by governments and states is actually 27 00:02:42,960 --> 00:02:49,340 turned into effects on the ground of which there isn't very much out there. 
28 00:02:49,350 --> 00:02:57,720 There is some work from OECD, there's some work NATO has done, there is some Global Forum on Cyber Expertise is doing in this area, 29 00:02:58,080 --> 00:03:05,700 but most of that is actually wrapped up in the context of capacity building as opposed to putting policy into action. 30 00:03:06,510 --> 00:03:08,040 The other thing I wanted to do really, 31 00:03:08,040 --> 00:03:16,829 and why the UK's approach is unashamedly I don't mind Black Book that I do call it is the use military to conduct a set of 32 00:03:16,830 --> 00:03:28,200 interviews across the UK cyber security domain and to look at how the UK's approach has changed over the years and how, 33 00:03:28,200 --> 00:03:36,990 as you see I suggest that it is fundamentally different was when they released 2015 strategy for what other states were doing enough the introduction. 34 00:03:37,380 --> 00:03:41,880 What am I going to talk about? I'm going to give you a short little bit on the framework. 35 00:03:42,360 --> 00:03:49,230 I think this is important to place into perspective and context the model that we will discuss later. 36 00:03:50,190 --> 00:04:01,560 My assumptions, how I see the strategic cyber ecosystem, UK cyber strategy, some models, some case studies and I'll talk to case studies in particular, 37 00:04:01,950 --> 00:04:07,590 and then some conclusions from you as the audience, what was said sort of sort of what the involvement. 38 00:04:08,310 --> 00:04:16,440 I know many of you will, but I'm very much looking to critique and flaws in what I'm presenting as opposed to saying it's a perfect piece of work. 39 00:04:16,440 --> 00:04:25,590 And here's what DPhil, which is the analytical framework I think I take as my starting position conflict really. 
40 00:04:26,130 --> 00:04:33,630 And the idea of we are in some sort of revolution in scientific thinking, that we now live in a time we sort of still see that our old models, 41 00:04:33,630 --> 00:04:43,620 our security models that the state has employed over centuries is no longer fit for purpose and security model based very much physical actions, 42 00:04:44,070 --> 00:04:50,790 physical threats and actors who are only empowered to do damage to states at a state level. 43 00:04:51,540 --> 00:04:55,200 I'm suggesting that we live in a world of new threats, new actors. 44 00:04:55,830 --> 00:04:59,940 They have new bases of powers through technology which allows them to move around from way. 45 00:05:00,670 --> 00:05:04,959 And actually the model that we have of national security only answers some of the questions 46 00:05:04,960 --> 00:05:10,890 and some of the challenges in terms of building my model and how to operationalise it, 47 00:05:10,900 --> 00:05:15,940 I believe I borrow from ecological theory and use the analogy to operationalise it 48 00:05:16,600 --> 00:05:22,059 and really three main things zones and I'll explain these in more detail shortly. 49 00:05:22,060 --> 00:05:28,570 Flows and feedback loops and emergent principles in terms of my data, asset evolutions, 50 00:05:28,570 --> 00:05:34,060 views and then document analysis and really in terms of trying to tie them together. 51 00:05:34,270 --> 00:05:38,860 I very much apply a fact based thinking. My focus is on outputs. 52 00:05:39,310 --> 00:05:44,040 It's not the inputs, it's not the technology. And that's even the policy that drives it. 53 00:05:44,110 --> 00:05:47,110 It's what is the effect on the output that is created. 54 00:05:48,460 --> 00:05:56,230 I'm one of these very busy slides, really sort have been to sort of just got four posts and put too many words on it. 
55 00:05:56,890 --> 00:06:03,940 Cybersecurity for me is simply a competition for advantage between agents that occurs in cyberspace, 56 00:06:05,320 --> 00:06:11,770 and it's important to strategic level because it destabilises a state's national security balance. 57 00:06:12,070 --> 00:06:15,280 And it's important to see this in the context of national security. 58 00:06:15,760 --> 00:06:23,020 It is not something separate or unique. Massive cyber security strategies seek to redress that balance. 59 00:06:25,750 --> 00:06:33,820 And they do that. And by the sort of phrase in the UK strategy in terms of achieving security and stability in cyberspace. 60 00:06:36,140 --> 00:06:41,300 One of the things I suggest involves for from ecological theory, though, is that security and stability is not a point. 61 00:06:42,020 --> 00:06:45,200 It's not a definitive value or definitive position. 62 00:06:45,290 --> 00:06:49,940 It's a zone that I call zones of cyber security. 63 00:06:50,330 --> 00:06:58,880 And really, you can look at it from a counterfactual point and say that these zones are not necessary areas of security or stability. 64 00:06:59,120 --> 00:07:08,389 They are acceptable spaces of insecurity. They are that space in which the state itself and its population will accept level 65 00:07:08,390 --> 00:07:13,660 of risk of these things achieved and maintained from positive feedback negatively. 66 00:07:14,450 --> 00:07:20,959 Of Diagrammatic we explain that cyber security agents act as if you like. 67 00:07:20,960 --> 00:07:29,930 I use the word agents because that's what this new ecological theory that I operate in cyber domains of influence. 68 00:07:30,710 --> 00:07:38,270 What I'm trying to get across here is that all the time they are operating within the side of the main. 69 00:07:38,720 --> 00:07:47,930 They are doing so with a frame of mind and a frame of reference that is based upon their card intent and the context in which they operate. 
70 00:07:48,650 --> 00:07:53,390 And this is fluid and it changes to a CDI. 71 00:07:53,630 --> 00:08:01,280 A cyber domain of influence to the United States in terms of its relationships with Russia is very different 72 00:08:01,730 --> 00:08:06,940 in terms of the actors have lacked in its power to seek to achieve effect than it is with the law. 73 00:08:08,750 --> 00:08:10,520 And you can take that down to any level. 74 00:08:11,750 --> 00:08:20,210 And then the final point really I'm also following from because the theory I draw out of the model, my findings, 75 00:08:21,350 --> 00:08:26,959 what are known as emergent principles and emergent principles really are effects 76 00:08:26,960 --> 00:08:32,000 that are created by the interactions of agents within the model with not obvious. 77 00:08:32,000 --> 00:08:36,210 When you just look at how the agents say all of that and I throughout the day. 78 00:08:40,760 --> 00:08:48,320 Two diagrams on top. One really is how I see the stop the cyber ecosystem at the strategic level. 79 00:08:48,980 --> 00:08:54,290 What we are familiar with in a lot of the literature is we just see the diagram on the left and 80 00:08:54,290 --> 00:08:59,370 you will see people say this is a criminal ecosystem which will talk about the actors within it. 81 00:08:59,390 --> 00:09:06,590 It will be and it's a descriptive tool. What I'm suggesting is that actually there's two elements to this ecosystem. 82 00:09:07,220 --> 00:09:14,780 There is the state, the national cybersecurity system in my work, and there is the malicious actor's cyber domain of interest. 83 00:09:15,560 --> 00:09:24,350 And actually, these two are in a state of constant independence between them, and they are in a state of constant competition. 84 00:09:25,490 --> 00:09:36,050 Effects come from the state in the form of security and stability, and they come from this domain of interest in terms of threat and opportunity. 
85 00:09:36,080 --> 00:09:41,930 Of course, the malicious actor in this case actually doesn't need to be a malicious actors to make. 86 00:09:41,930 --> 00:09:49,040 It could be any domain that has a cyber purpose or function, offers both threat and opportunity, 87 00:09:49,280 --> 00:09:52,880 and it is as important to recognise opportunities as anything else. 88 00:09:55,190 --> 00:10:04,790 Just to shorten on the zones of security. This is a very traditional view of how what balance looks like in ecosystems and ecology. 89 00:10:06,140 --> 00:10:15,049 And really the idea is that balance or the balance that is enough to keep the system stable and secure exists in 90 00:10:15,050 --> 00:10:24,260 this space here and events we're in it move up or down on the external events as well as depicted by the allies. 91 00:10:24,470 --> 00:10:31,700 And effectively what happens is you affect the movement here, move it back to, to that state of balance. 92 00:10:32,270 --> 00:10:43,190 And if the external effects of is an internal effect that is generated, is a significant power effect on a catastrophic a cyber Pearl Harbour, 93 00:10:43,190 --> 00:10:52,280 perhaps it may even change totally where the point of balance is by moving it up to a new state of equilibrium. 94 00:10:53,840 --> 00:11:00,470 Really, that is that is how I conceptualise the model and how it sets in, how I make it work within that framework. 95 00:11:04,990 --> 00:11:14,559 I'll let you read the proposition. What's interesting, I think, is you look at the dates of these this is not new. Offensive 96 00:11:14,560 --> 00:11:32,570 cyber was being talked about in 2011. In fact, its first use that I can find in terms of policy material was before then was in 1992. 
97 00:11:33,490 --> 00:11:42,309 And interestingly enough, there is also a paper that was written in 1970 or Hansard document in 1970 that refers to the fight of computers 98 00:11:42,310 --> 00:11:50,770 and data protection and talks about the CIA's activities in terms of manipulating data and manipulating machines. 99 00:11:51,310 --> 00:11:55,540 It describes them as feeding data into what was nothing more than a kitchen blender. 100 00:11:56,200 --> 00:11:59,920 It's interesting to see how it was viewed at that time in 1971. 101 00:12:00,490 --> 00:12:03,670 And actually the problems are discussed in that work. 102 00:12:03,730 --> 00:12:09,760 Are they still valid? But what I've tried to show by these quotes is a progression. 103 00:12:10,090 --> 00:12:21,100 2011, 2013, Osborne made a sort of very famous speech at GCHQ in 2015 and bringing this up to date. 104 00:12:21,730 --> 00:12:30,320 And he tries to do. So let me put some context in trying to prove my proposition. 105 00:12:33,860 --> 00:12:39,650 Traditionally, the UK's approach to looking at a cyber security issue has not been from a national security perspective. 106 00:12:40,460 --> 00:12:44,360 It was driven from the economic prosperity debate, 107 00:12:44,360 --> 00:12:51,589 and this rise came out of Britain's initiatives to deal with the digital economy and 108 00:12:51,590 --> 00:12:57,470 trying to make the UK the leading state in terms of exploiting new technology. 109 00:12:58,740 --> 00:13:08,360 And really it was only in the early 2000s. 
But we 2003 and from the literature in Hansard and also from several of my interviewees, 110 00:13:08,780 --> 00:13:18,800 what really sparked the UK into moving into how the security perspective, the national security perspective was Titan Rain, Titan Rain, 111 00:13:19,400 --> 00:13:23,750 which was an attack that's accredited to the Chinese elements of play, 112 00:13:24,530 --> 00:13:34,460 which is believed to be an espionage attack that certainly was going on in 2003 and widely reported in 2005. 113 00:13:34,790 --> 00:13:41,300 And there were some indications that some of the methods and tools we use then are still actually being used now. 114 00:13:41,840 --> 00:13:45,290 But Titan Rain was a factor for the UK to change its approach. 115 00:13:46,100 --> 00:13:49,730 And the second one really looks at how it framed it. 116 00:13:50,540 --> 00:13:52,820 Early days, it was all about information security. 117 00:13:53,000 --> 00:14:01,700 It's about framing the machine machine in simple terms, then to threat information assurance, really protecting data. 118 00:14:02,690 --> 00:14:10,610 And then cyber security. And then it's interesting when you look at looks can go back to look at what was being protected because it was focusing. 119 00:14:11,030 --> 00:14:21,770 The government looked at this very widely. Actually, the early years it was about government and about key critical national infrastructure. 120 00:14:22,250 --> 00:14:32,150 Really, that was military intelligence and power in this period have moved really to CNI much more broadly. 121 00:14:32,160 --> 00:14:35,480 And there were another number of initiatives with that. 122 00:14:36,500 --> 00:14:42,739 Until now we get to stage a position where to go on. It's all that government, CNI and society, it's about us. 
123 00:14:42,740 --> 00:14:48,740 As much as it's about the national infrastructure governance approach to early days, 124 00:14:48,740 --> 00:14:58,460 the government will support that by giving advice and guidance if needed to act, and it would support that need to act. 125 00:15:00,600 --> 00:15:05,210 Didn't do very much in the 2009 cyber security strategy, the one that's always forgotten. 126 00:15:05,960 --> 00:15:11,540 Whenever people talk about the UK, the number of strategies it's had was all of that time forget. 127 00:15:11,540 --> 00:15:15,380 Prepare the ground for the need to act and recognise that something needs to be done. 128 00:15:17,060 --> 00:15:24,020 The 2011 strategy, really the decision was taken in the 911 period that actually the best way to achieve 129 00:15:24,020 --> 00:15:29,579 this was threatening to delay or taking another view that was expressed to me. 130 00:15:29,580 --> 00:15:33,350 It was because there was no money to do anything else apart from the industry. 131 00:15:34,760 --> 00:15:43,010 So the market led and I think probably many of you who read the material now will know that that was not seen as a successful way of doing business. 132 00:15:43,610 --> 00:15:49,040 And the 2015 strategy talks about it in many things in a number of places, 133 00:15:49,370 --> 00:15:54,080 but actually recognises that government has to intervene and it has to intervene in a hallway. 134 00:15:55,070 --> 00:15:56,180 So that's the context for it. 135 00:15:56,190 --> 00:16:05,300 And I think that's important to try to understand how we got to where we are today and how is cybersecurity done across those charts? 136 00:16:05,390 --> 00:16:13,700 Really, this starts to introduce one model which doesn't seem to have survived contact with moving from Mac to Windows. 137 00:16:15,860 --> 00:16:23,840 These are two iterations of one model. No one model really talks about is how I'd find these as effects spaces. 
138 00:16:25,500 --> 00:16:29,810 Those spaces are defined by the nature of the effects that take place within them 139 00:16:31,700 --> 00:16:39,139 and on the right hand model to use three effect spaces: passive cyber defence, 140 00:16:39,140 --> 00:16:40,910 active cyber defence and offensive cyber. 141 00:16:41,900 --> 00:16:49,100 And I define these in terms of the nature of the effect, whether that's a hard effect or a soft power effect being very deliberate, 142 00:16:49,100 --> 00:16:56,240 very focussed, usually very short term, a soft effect kind of fun tends to be continuous and widespread. 143 00:16:56,660 --> 00:17:02,540 And then really in terms of is indirect or direct in terms of the adversary, if it's direct, 144 00:17:02,540 --> 00:17:08,480 it's probably hitting the adversary very hard in a physical sense, taking out of their systems, maybe destroying one of their systems. 145 00:17:08,720 --> 00:17:15,260 If it's indirect, they may be educating all of us to recognise that actually some of these paths steal our passwords. 146 00:17:17,780 --> 00:17:24,499 And the two lines really that the one that we just read to you how I define these terms. 147 00:17:24,500 --> 00:17:29,329 First all probably. So I define, first of all, passive, 148 00:17:29,330 --> 00:17:44,870 cyber passive cyber defence as being lawful and critically non-cyber effects that are delivered within the state actor's cyber domain of influence. 149 00:17:45,530 --> 00:17:50,870 So he's delivering that effect with effects of those effects within his own cyber space. 150 00:17:51,230 --> 00:17:58,610 And they range really from educational talks about standardisation regulation to collaboration, 151 00:17:58,610 --> 00:18:05,200 setting up networks of working and international allies in that active cyber defence. 
152 00:18:05,210 --> 00:18:09,470 And I am defining this in a UK sense, not in the American sense, 153 00:18:10,550 --> 00:18:21,470 relates to lawful cyber threats that are delivered within an actor's own CDI through to get direct engagement with the adversary. 154 00:18:22,160 --> 00:18:30,650 What I'm talking about here is technical, primarily technical activities that engage with the actions of the adversary. 155 00:18:31,610 --> 00:18:34,000 Once again, within the state's cyber domain. 156 00:18:34,370 --> 00:18:42,860 So DNS blocking, the blocking of websites, for example, the blocking of email traffic into your own cyber domain. 157 00:18:43,550 --> 00:18:52,820 I would caution that an effectively in terms of the Pentagon offensive cyber is I 158 00:18:52,910 --> 00:18:59,300 defined as lawful cyber effects delivered within an adversary's cyber domain of interest. 159 00:19:00,350 --> 00:19:08,570 So I am defining this as much upon the geography in terms of whose domain of interest they occur and as the effects itself. 160 00:19:09,140 --> 00:19:18,680 What I'm suggesting is that until probably 2015, the model that comes out is looking at national cyber security strategies and literature is this one. 161 00:19:19,280 --> 00:19:27,440 And I've read out when I actually did my research into this, there were 81 different national cybersecurity strategies issued, 162 00:19:28,520 --> 00:19:32,720 and I got 75 of the ones that were in English or had English equivalents. 163 00:19:32,750 --> 00:19:34,130 And my getting through them, 164 00:19:35,120 --> 00:19:44,760 that is effectively a model and that is that the key to this is the technical engagement answer to moving from nothing to cyber to do cyber. 165 00:19:44,780 --> 00:19:53,149 And this is the domain. 
What you also discover there when you look back and you go back beyond cyber 166 00:19:53,150 --> 00:19:58,130 security strategies and develop really from an idea from the 1990s onwards, 167 00:19:59,000 --> 00:20:02,959 there was a parallel system and somebody is in the room. This will be familiar. 168 00:20:02,960 --> 00:20:11,450 And this was going on not in the open space, which is where this model sits, but in the private spaces, secret space. 169 00:20:11,780 --> 00:20:20,030 This is what intelligence agencies and national security agencies know with the large letters of the founder that had been there and they 170 00:20:20,030 --> 00:20:27,200 had been conducting operations in cyberspace through these three effect spaces: computer network defence, defending their own systems, 171 00:20:28,100 --> 00:20:32,450 computer network attack, getting rid of the adversary's systems, putting it crudely, 172 00:20:33,680 --> 00:20:37,910 and computer network exploitation, exploiting what is on the adversary's systems. 173 00:20:40,600 --> 00:20:47,770 And I think really until probably 2015, that is what that is. 174 00:20:48,010 --> 00:20:52,420 That is the state of play in terms of how you can model national cyber security strategies. 175 00:20:53,950 --> 00:21:00,730 What I'm saying is when the Brits, when the UK released its 2015 strategy, it actually from next year. 176 00:21:00,790 --> 00:21:05,740 I have not seen this stated as such publicly stated by two or three people I interviewed. 177 00:21:06,130 --> 00:21:13,360 This is the model they created. They interjected in that model a fourth effect space, counter cyber. 178 00:21:14,740 --> 00:21:22,120 And really what this allows them to do is to cooperate and conduct all those great activities that we see 179 00:21:22,120 --> 00:21:31,089 associated in offensive in an offensive cyber domain outside of conflict and what they want to see. 
180 00:21:31,090 --> 00:21:40,450 And here it does really is it separates offensive cyber that is done in peacetime from offensive cyber that is done in wartime. 181 00:21:41,110 --> 00:21:46,180 What that means is it's done under a totally different set of rules, regulations and legislation. 182 00:21:47,110 --> 00:21:57,250 Activities in this area here now governed by the law of armed conflict, Geneva Convention, and other policies related to the fighting wars. 183 00:21:58,030 --> 00:22:05,050 This is all about legislation that is to do with law enforcement and crime, anti-crime and protecting the state. 184 00:22:07,290 --> 00:22:17,320 Now the two effect spaces stay the same. They have, of course developed, but that I think is the model that the UK put forward in 2015. 185 00:22:17,680 --> 00:22:23,860 It is very much the model Australians have just released in their latest national cyber security strategy. 186 00:22:24,280 --> 00:22:32,800 It is the model that I think New Zealanders will put out and I also believe it's a model that the Americans will develop and take forward. 187 00:22:34,540 --> 00:22:41,110 And I'm I'm close to where we are with the US cyber security strategy in terms of whether it's been agreed or whatever. 188 00:22:41,710 --> 00:22:49,810 And it also reflects the French model and to some extent the German model as well as developing it. 189 00:22:52,480 --> 00:22:55,540 So how do I operationalise it and I'll make a few points here, really. 190 00:22:57,520 --> 00:23:02,730 When states undertake their cybersecurity strategies and avoid issuing some framework, 191 00:23:02,740 --> 00:23:11,980 which is how they put it in some discussions we had on this, it's through campaigns at the strategic level. 192 00:23:12,040 --> 00:23:19,600 States achieve their intent in cyberspace through a series of effects, not just one effect. 
193 00:23:20,410 --> 00:23:24,610 These campaigns are constructed through the delivery of cyber security effects themselves. 194 00:23:26,800 --> 00:23:30,490 But like cyber domains of interest, these campaigns are unique. 195 00:23:30,490 --> 00:23:34,050 Every one is different, and they themselves are driven, 196 00:23:34,060 --> 00:23:39,370 driven by the intent in the context of the state and the domain in which they're being played into, 197 00:23:40,660 --> 00:23:43,930 and the effects flow between the states and adversaries. 198 00:23:44,800 --> 00:23:48,220 So the main of interest continuously, as we said. 199 00:23:51,690 --> 00:24:00,090 I was talking to Rob before. Before we came in, I sort of had a hope when lacerated last week and the doctrine trying to pull this together. 200 00:24:00,360 --> 00:24:07,350 And it's it's these effects this taxonomy comes from national cyber security strategies. 201 00:24:07,440 --> 00:24:15,750 It comes from policy documents, primarily in English and almost exclusively as in English. 202 00:24:15,890 --> 00:24:25,830 I think maybe I could read the Spanish, but apart from that, and it also comes from reporting on actual cyber events. 203 00:24:26,520 --> 00:24:32,129 So what I've tried to do is analyse all these three, three sources and say, okay, 204 00:24:32,130 --> 00:24:38,520 when you boil it down in each of my four effect spaces, what do they actually seem to achieve? 205 00:24:39,090 --> 00:24:46,590 And in some of them and many of them, you'll see I end up with second order effects that are duplicated. 206 00:24:47,220 --> 00:24:52,890 The point I want to make, though, is that what's duplicated in terms of the effect that they achieve, 207 00:24:52,920 --> 00:25:02,999 the means and the methods to do it are very different. 
So the means in the methods effect to detect in an offensive cyber posture, hacking in, 208 00:25:03,000 --> 00:25:12,389 hard hacking in and detecting in a passive cyber defence situation where it may 209 00:25:12,390 --> 00:25:17,640 well be when you in a user to recognise something is wrong are very different. 210 00:25:17,790 --> 00:25:23,010 But the overall effect, the final effect, the final output and seeking to achieve is the same. 211 00:25:27,890 --> 00:25:36,200 So this is how it tried to graphically. Operationalise my model and share the flow. 212 00:25:38,780 --> 00:25:45,210 I also use this diagram to explain the model and also just to talk about timeframes, because I think that's also something as well. 213 00:25:45,890 --> 00:25:51,960 So you have a cybersecurity strategy here which moves into a cyber domain of interest for the state. 214 00:25:51,980 --> 00:26:00,940 As I say, let's take for this example some malicious laptop. What the state is trying to do, its full effect spaces. 215 00:26:02,010 --> 00:26:05,210 So on change, what is happening in that cyber domain of interest. 216 00:26:05,570 --> 00:26:08,780 So once again achieves its own security. 217 00:26:09,050 --> 00:26:16,160 It's stable and secure. And of course, that then feeds back to a feedback loop into its cybersecurity strategy and subsequent policy. 218 00:26:16,980 --> 00:26:19,580 Really what I'm saying is that for parts of cyber defence, 219 00:26:19,850 --> 00:26:25,970 it's continuous and it's delivered at scale, educating people about the threats and the challenges. 220 00:26:26,540 --> 00:26:36,229 It's something that is ongoing and it's wide in many ways, although in a technical space as opposed to to the non cyber space, 221 00:26:36,230 --> 00:26:43,670 active cyber defence in terms of the UK's active cyber defence program meets that requirement as well. 
222 00:26:45,680 --> 00:26:53,060 Whereas both of these on the offensive side, so operating and when you're operating in the adversaries domain of interest, 223 00:26:53,430 --> 00:26:59,090 either short term and focussed, they are undertaken to deliver a specific effect. 224 00:27:03,440 --> 00:27:14,090 But what asylum signs show with this model is that it has all these effects operating in a domain that lead to the re-establishment of security. 225 00:27:16,100 --> 00:27:24,079 So I take two examples. I take this cyber campaign primarily because it's interesting that it covers the 226 00:27:24,080 --> 00:27:29,270 full spectrum from passive cyber defence all the way through to offensive cyber. 227 00:27:33,830 --> 00:27:37,430 Don't worry too much about whether that is complete in terms of all the actors. 228 00:27:37,430 --> 00:27:38,600 Agents should be in that. 229 00:27:39,050 --> 00:27:50,050 But what I'm trying to show with that, that it is not just one part, it's not just government agents, but involve in terms of the UK, state CBI. 230 00:27:50,060 --> 00:27:57,110 And this is how the UK Government see the cyber domain in which they are operating in that conflict with banks. 231 00:27:58,430 --> 00:28:01,280 And this is a nation's cyber domain of interest, 232 00:28:01,820 --> 00:28:08,930 and that's how they see the cyber domain that they are operating in, in terms of trying to cause an effect here. 233 00:28:09,950 --> 00:28:14,690 I think that sums up and starts to illustrate how these are different perspectives. 234 00:28:18,590 --> 00:28:31,310 In terms of the model and how it's put together with this in terms of context, really in terms of effects, 235 00:28:31,940 --> 00:28:38,010 the operational effects, the offensive side effects, you can look at it from the next slide. 236 00:28:38,030 --> 00:28:43,700 So putting this into the next slide, I'm really looking at the material that's available. 
237 00:28:44,840 --> 00:28:57,380 You can see these effects being played out so in the offensive space and perhaps typified most of all by the take down of the UK National in 2015. 238 00:28:57,860 --> 00:29:09,170 Janine, who sound known by threat by American by American munitions in Iraq, really typifies where you can go in this space. 239 00:29:09,440 --> 00:29:17,960 And in order to do that, the information would suggest that there was a lot of detection carried out on bases, networks. 240 00:29:19,910 --> 00:29:20,330 They were the. 241 00:29:20,990 --> 00:29:31,670 There was collection of data undertaken on stations, networks set up was contributing to when you take them out at the other end of the scale, 242 00:29:31,670 --> 00:29:37,010 you have the work done by the counter extremist organisations within the UK. 243 00:29:37,490 --> 00:29:47,870 And in many ways this passive cyber defence piece which will relax mitigating is influence operations. 244 00:29:48,390 --> 00:29:50,560 That was about first of all, regulating it, 245 00:29:50,840 --> 00:29:58,950 putting some laws to Parliament in terms of what is meant by what was meant at the time, what propaganda and how that could be met. 246 00:29:59,150 --> 00:30:05,840 Educating, educating schools, educating them that to get people to recognise that you do something about it, 247 00:30:07,190 --> 00:30:13,990 collaborating with the public and private sector influence in the international domain to do something about it and, 248 00:30:14,720 --> 00:30:24,020 and an act and partnership with, with international allies in terms of delivering an outcome. 249 00:30:26,190 --> 00:30:27,089 In this space. 
250 00:30:27,090 --> 00:30:38,850 It was all about disrupting the flow of propaganda and messaging to sympathisers in the UK, doing it by blocking by legal removing of websites, 251 00:30:38,850 --> 00:30:47,040 for example, going down, going to a website supplier, hosting supplier and saying this website is hosting propaganda. 252 00:30:47,040 --> 00:30:56,400 Please take it down, influencing again and in all of these was sort of influencing the international community's influence. 253 00:30:56,610 --> 00:30:59,940 Actually influencing is also being played back to Daesh. 254 00:31:00,600 --> 00:31:05,729 It's showing Daesh that actually operating within the UK sort of of interest is 255 00:31:05,730 --> 00:31:09,840 difficult and challenging and perhaps you might want to go do it somewhere else. 256 00:31:11,520 --> 00:31:19,460 On a of cynically that ties in with comments that and this has been in the press in the last weeks. 257 00:31:19,560 --> 00:31:24,900 You say that you made the comment that actually one of the fundamental pillars of UK 258 00:31:24,900 --> 00:31:30,000 strategy is to make the UK a hard target outside of the main routes are still operating. 259 00:31:30,300 --> 00:31:34,740 So we have to take this somewhere else and that's in place that's planning for in fact, 260 00:31:36,540 --> 00:31:43,529 my second example really is now getting totally out of that sort of military space, 261 00:31:43,530 --> 00:31:48,180 getting out of that conflict space and getting out of the threat space in terms of physical threat. 262 00:31:48,450 --> 00:31:56,130 And really this is about how the UK is looking at protecting its brand, which brings a unique set of challenges to it. 263 00:31:57,120 --> 00:32:02,550 In some ways the same actors, but they play different roles and they have different importance within that. 264 00:32:04,540 --> 00:32:09,000 I've used cyber crime just to tie it down to a particular subject matter of interest.
265 00:32:09,270 --> 00:32:11,070 You could move it. Why in that? 266 00:32:11,340 --> 00:32:19,740 And this one though, of course, I'd put the international judicial system in that because actually cybercriminal less so concerned about it. 267 00:32:20,130 --> 00:32:26,550 And we've put his operations in areas where perhaps there is not the judicial oversight and control, 268 00:32:27,390 --> 00:32:33,210 but fundamentally, once again, it's all about delivering effect from here to here to mitigate that. 269 00:32:37,740 --> 00:32:42,980 These ones these are the effects that I have identified by looking at how it's done from the material. 270 00:32:42,990 --> 00:32:47,940 At least you will notice nothing in here. 271 00:32:48,930 --> 00:32:53,910 I would suggest in this situation that we are not in a state of war with any cyber criminal group, 272 00:32:55,560 --> 00:32:59,940 even some of the AP teams that are often noted as operating in this space. 273 00:33:01,110 --> 00:33:04,260 But effectively it's all of our hands of cyber. 274 00:33:04,470 --> 00:33:14,400 So one of the other case studies that I narrowed down is the takedown in 2015 of the Avalanche Criminal Network, 275 00:33:15,120 --> 00:33:24,510 which was responsible for the distribution, I think of 17 very profitable streams of malware on a global basis. 276 00:33:26,070 --> 00:33:37,710 And that was that within the counter cyber space that was taken down by a group of 30 different nations operating through Europol and coordinated. 277 00:33:38,180 --> 00:33:43,259 And that quite clearly involved a lot of operating on the Avalanche networks, 278 00:33:43,260 --> 00:33:50,130 own networks within their own cyber domain for intelligence purposes to degrade their capabilities. 279 00:33:51,600 --> 00:33:58,680 I think in one of the US court hearings that that actually as well I got a lot of my information from the Avalanche.
280 00:33:59,520 --> 00:34:06,750 They signed off on literally destroying some of their servers and because they that was more effective in trying to save them. 281 00:34:08,370 --> 00:34:14,129 But once again, some say that all of these the force three spaces in this case play a role. 282 00:34:14,130 --> 00:34:19,140 And let's talk about emergent properties. 283 00:34:19,140 --> 00:34:24,480 And really, I've shown you two case studies of the models in action and how it works. 284 00:34:25,530 --> 00:34:33,850 What can you say? Are they in terms of what comes out of it, the properties that you can identify with, the agents working together? 285 00:34:33,870 --> 00:34:42,260 I think Agent Duality and I mean that in terms of some of the agents of both providers of security and targets, 286 00:34:42,270 --> 00:34:46,229 the state obviously for a lot of the private sector fits in for that. 287 00:34:46,230 --> 00:34:56,550 The main telecommunications companies, for example, are frequently targets, but also they all play a very important role in the protection. 288 00:34:57,270 --> 00:35:07,139 Beat, for example, is a very strong pillar of the UK's active cyber defence program and also has established 289 00:35:07,140 --> 00:35:12,030 relationships with Interpol in terms of working partnerships and collaboration, 290 00:35:12,420 --> 00:35:19,010 which shows an interesting dynamic in terms of the private sector and its relationship to such an organisation. 291 00:35:19,800 --> 00:35:24,870 I think I would suggest in the model of what I've taken out of, it really is something that. 292 00:35:24,950 --> 00:35:30,140 Centralised direction, but multi-agency delivery. You're not. 293 00:35:30,410 --> 00:35:35,540 This is not about one agent. It's not even a group of agents per se. 294 00:35:35,810 --> 00:35:39,230 It's multi-agent delivery across a number of spaces. 295 00:35:39,860 --> 00:35:42,470 I think there's collective interdependence.
296 00:35:44,090 --> 00:35:53,090 What I'm trying to get across with that is that the facts delivered through one or my four experts places have consequences elsewhere. 297 00:35:54,200 --> 00:36:00,890 They do not just go across and read directly across the great from themselves second and third order consequences. 298 00:36:02,480 --> 00:36:09,050 Integrated intervention is really getting to the fact that this is a campaign. 299 00:36:10,040 --> 00:36:16,760 I think between the campaigns, unity on the effects basis reinforce the action. 300 00:36:17,030 --> 00:36:24,410 I think it's quite obvious in terms of fact that effects must be delivered to reinforce other effects on a continuous basis. 301 00:36:26,630 --> 00:36:32,930 The balance is dynamic in that the balance itself satisfied their design and security is not static. 302 00:36:33,170 --> 00:36:39,860 It changes and changes in terms of the effects of appropriate in the cyber domains of interest. 303 00:36:39,860 --> 00:36:48,200 And it also changes as the intense in the context of the next agent change dynamic evolution. 304 00:36:48,470 --> 00:36:57,860 It's the whole of the model is constantly evolving and also it's a rather crude one really. 305 00:36:58,130 --> 00:37:04,370 I'm trying to get support that local action, that very specific actions can have truly global effects in the space. 306 00:37:06,640 --> 00:37:14,270 Why it is important is because I think they then provide you a framework place for developing cybersecurity strategies. 307 00:37:14,630 --> 00:37:25,430 One of the things is I think this work is scalable. It also gives you a framework to judge cybersecurity strategies, not based upon input output. 308 00:37:28,160 --> 00:37:32,420 So that's the UK model. What did the UK actually do? 309 00:37:34,790 --> 00:37:38,390 You can read these, I think the self-explanatory many ways.
310 00:37:42,180 --> 00:37:47,160 The first one is all about bringing together the public and the secret remains. 311 00:37:47,310 --> 00:37:48,810 When I was interviewing people, 312 00:37:49,320 --> 00:37:59,070 it was of interest and lots of people talked about good things going on in open cyberspace and bad things going on in the secret state in cyberspace, 313 00:37:59,910 --> 00:38:04,260 including sort of a number who had worked within the secret state. 314 00:38:05,550 --> 00:38:13,890 This is all about focus and focus and strategy, which is a problem that other states have got. 315 00:38:14,370 --> 00:38:15,530 The US has got it. 316 00:38:15,540 --> 00:38:26,220 Interestingly enough, Australia is taking a line following in some ways the interest C model and providing focus to a single actor agent. 317 00:38:28,800 --> 00:38:35,550 And I think this is really important. The UK government made a decision for the ownership of the problems in one space. 318 00:38:37,680 --> 00:38:48,600 Okay. So it was not spread between agencies who would act that same role, but they would do so a sort of with guidance. 319 00:38:52,750 --> 00:38:53,620 In real terms. 320 00:38:54,340 --> 00:39:07,180 I'm said that many of these will make the fight between the two traditional national strategy models on integrated offensive cyber as a policy option. 321 00:39:08,280 --> 00:39:15,160 Offensive cyber in terms of using the capabilities that that space offers to deliver. 322 00:39:16,660 --> 00:39:19,750 It was enabled by the establishment DNC. 323 00:39:20,620 --> 00:39:23,860 It was formalised in the 2016 strategy. 324 00:39:25,630 --> 00:39:33,310 What are my conclusions? I think the UK did do something different and this loss of security strategy and I think the saying 325 00:39:33,310 --> 00:39:38,080 that in the way that debates are going on in other parliaments about should they follow the model?
326 00:39:39,550 --> 00:39:47,080 I think it represents a much more realistic description of what is actually going on in the cyber security world. 327 00:39:47,440 --> 00:39:57,850 From a strategic and operational level perspective. I think the model is applicable to different cybersecurity challenges and theoretical models. 328 00:39:58,600 --> 00:40:05,350 Interesting. If I'm using my model to actually write a cyber campaign as an anniversary for some work that I'm doing. 329 00:40:05,490 --> 00:40:08,290 Nathan I want to play right the cyber attack, 330 00:40:08,680 --> 00:40:18,790 but I'm going to use the model and work out how that model allows you to create physical virtual cognitive effects through different effects spaces. 331 00:40:20,260 --> 00:40:21,580 And importantly, for me, 332 00:40:21,970 --> 00:40:28,300 I think one of the things I wanted to do something that may or may not act as an analytical tool to support policy and planning process. 333 00:40:28,780 --> 00:40:31,890 I want what I do to be meaningful and hopefully not set in motion. 334 00:40:33,610 --> 00:40:36,150 And that's it. Thank you, Chris. Thank you very much.