Middle Eastern leaders work to strengthen cyber security by sharing information
UNIPATH STAFF
Cyber security cannot simply depend on highly trained technicians scouring networks for malicious infiltrations. Nor can security be achieved by brilliant software engineers who design virtually impenetrable networks.
It takes the combined efforts of policy leaders, industry innovators, academic researchers, tradecraft specialists, military officials and regular employees across the full spectrum of government and business to defend against the advanced and persistent threats from hackers, malign state actors and cyber criminals.
That is why the ninth annual Central Region Cybersecurity Conference (CRCC) — hosted by U.S. Central Command (CENTCOM) — was deemed a critical platform to help build relationships and share information among stakeholders. “None of us can tackle cyber security challenges alone,” CENTCOM Deputy Commander Lt. Gen. Thomas Bergeson said.
Held in April 2019 near Washington, D.C., this year’s CRCC included participants from Bahrain, Iraq, Jordan, Kuwait, Lebanon, Oman, Qatar, Saudi Arabia, the United Arab Emirates and the United States. The event also included representation from U.S. Africa Command and military participants from Botswana, Morocco, Rwanda and Tunisia. Co-hosting the event with CENTCOM was the U.S. Department of State.
The CRCC lets military, academic, government and industry experts examine how to improve information sharing about cyber threats that impact national security. The relationships developed during the conference can help support international stability. Organizations learn to identify incursions to networks, rapidly respond, and recover quickly and with less damage when an incident occurs.
“U.S. Central Command works closely with our partner nations to promote peace, security and open information sharing, primarily through military-to-military engagements,” Lt. Gen. Bergeson said. “Cyberspace is an increasingly important operational domain and focus of our effort. Protecting these global interests requires cooperation among nations, all branches of government, and our partners in industry and academia, as seen by the representations from each of these groups.”
Cyber professionals must adapt along with innovations in technology, such as cloud-based computing and the fifth generation of wireless technology, better known as 5G. While these modernizations can bring efficiency and support economic progress, they also bring new vulnerabilities.
Organizations must have a strategic outlook, analyzing their assets and how they interact with computer systems and the internet. Another critical component from a strategic perspective is ensuring compliance with cyber policy and procedures. Khalid Sadiq Al-Hashmi, assistant undersecretary for Qatar’s Cyber Security Sector, spoke in detail about Qatar’s cyber security compliance framework.
“We are all using technology, trying to protect systems. But compliance is an area we are all struggling with,” Al-Hashmi said during a presentation.
For example, years ago armored vehicles were simply maintained mechanically. Today, these military vehicles have built-in advanced systems and technologies that must be maintained. When the technology must be patched or updated by its manufacturer, what procedures are in place to ensure that a technician using a laptop in the field to update programs has a “clean” laptop and is not introducing inadvertent bugs or malware?
Qatar has implemented legislation and policies to address cyber security compliance. One innovation is the accreditation and certification process that Qatar awards government agencies based on their compliance records and data protection plans. This is a critical step, because many of Qatar’s government services are accessed electronically.
Presenters from Saudi Arabia, Lebanon, the U.S. Department of Defense and the U.S. Department of State also shared their expertise during presentations. Academic and industry partners offered opportunities for increased collaboration.
Col. Clinton Mixon, commandant of the U.S. Air Force Cyber College, said clearly defining terms will help leaders better understand the magnitude of a threat and how to respond.
“If we don’t understand each other, if we aren’t using the same lexicon, we will not be able to successfully overcome the threat,” Col. Mixon said.
For instance, he believes the term “cyber attack” is often misused, creating confusion about the severity or intent of an incident. He believes people should use the term only when talking about a cyber operation meant to cause injury or death or damage to property. Some dire examples would be cyber incidents that led to the meltdown of a nuclear plant or breached a dam and drowned civilians. Terms such as cyber espionage, cyber disruption or cyber crime are often better descriptions of what is actually happening.
For the second year in a row, the CRCC included a tabletop exercise. It required participants to consider how to share information in real time with regional and international partners, as well as internally, so they could address and overcome security threats. Participants were divided into groups representing fictional countries so they could work through response scenarios to a regional cyber incident.
Brig. Gen. Mohammad Al-Enezi, chief of information technology in the Kuwait Armed Forces Directorate of Communications, vouched for the usefulness of the tabletop exercise. “We still face many challenges,” Brig. Gen. Mohammad said. “One of the most important challenges is that of human resources.”
Recruiting and retaining talented cyber security professionals to tackle threats was an important topic throughout the conference. Cyber security professionals are in demand worldwide, and private industry generally pays higher salaries than governments and militaries.
Military and governmental leaders should be creative in attracting talent and offer attractive compensation packages that include perks such as free continuing education. Recruitment campaigns can also appeal to patriotism and portray individuals as protecting their families and communities.
In the U.S., some government and military organizations have developed partnerships with corporations so their workforce can gain direct experience from innovative businesses such as Microsoft or Google.
During the 2019 CRCC, participants were given the U.S. Department of Defense Cybersecurity Reference and Resource Guide. The publication was designed to help develop cyber security programs by sharing best practices, policies and standards adopted in the U.S.
Cyber security leaders need to work harder to overcome barriers to sharing information, said U.S. Maj. Gen. Mitchell Kilgo, then director of CENTCOM’s Command, Control, Communications and Computer Systems Directorate. One way to improve such communication is through regular multilateral cyber exercises.
Said Maj. Gen. Kilgo: “A vulnerability to one is a vulnerability to us all.”