‘Cyberworthiness’ expands the ADF’s understanding of cyber security into our complex new reality

“Cyber-security isn’t just stealing information, in the Defence context it’s much broader. It’s about stealing Defence systems and access… ships have to be seaworthy and aircraft have to be airworthy—cyberworthiness resonated with Defence because this was a language they understood.”

Researching cyber-security governance under Dr Elena Sitnikova from UNSW Canberra Cyber, a group of postgraduate students realised that the Australian Defence Force’s (ADF) understanding of cyber security was often much narrower than the reality.

“One of the frustrations we’ve had in Australia is a distinction between the layperson’s understanding of cybersecurity—people stealing data from networks—and our broader understanding,” said Dr Keith Joiner, a Senior Lecturer in UNSW Canberra’s School of Engineering and Information Technology and Dr Sitnikova’s colleague.

“Cyber-security isn’t just stealing information, in the Defence context it’s much broader. It’s about devising ways to impair defence systems and retain inappropriate access, often from systems that might not even be connected to the internet, and even interfering with our ability to use weapons at some time in the future.”

Seeking a way to bring the ADF leadership’s understanding of cyber security into line with the modern demands of the force and improve ‘cyber resilience’, the students coined the term ‘cyberworthiness’.

“Our students wanted an Australian term, and knew the ADF had a lot of experience with, for example, ships having to be seaworthy and aircraft having to be airworthy,” explained Dr Joiner.

“Cyberworthiness resonated with Defence because this was a language they understood a bit better.”

Like airworthiness or seaworthiness, cyberworthiness introduced the well-defined concept of ‘safety’ into the discussion. Treating safety within the ‘cyber’ domain more like land, sea or air would mean creating processes for systems to go through to be considered cyberworthy, rather than having to identify specified threats up-front. The constantly evolving nature of cyber security means it is difficult to identify what threats might look like in even just a few years’ time.

Dr Sitnikova explained that the nature of the cyber domain, as distinct from air, land or sea, presented unique challenges for how to assess cyberworthiness. Seaworthiness assessments, for example, could require things to be built to particular specifications.

“The cyber domain is very new, so there aren’t the established specifications there, and it’s also a very large domain,” she said.

Dr Joiner added that cyber was unique because cyber threats are malicious, whereas in other domains, worthiness is assessed more in terms of environmental factors, such as whether or not a vehicle can operate under certain conditions.

“There’s human ingenuity that is constantly trying to devise ways to impair systems and it is a real challenge to bring that into evaluating suitability and resilience of complex and inter-connected new systems,” he said.

“It’s true that technology in ICT is constantly changing, but the type of change is also in the ways cyber adversaries are always developing new threats.”

The Master’s-level program that developed this new cyberworthiness framework involved students from a range of disciplines and professional backgrounds at UNSW Canberra at ADFA, all working together to solve problems in cyber security. Dr Sitnikova and Dr Joiner pointed to this approach as a fantastic example of interdisciplinary collaboration providing real benefits to the community.

Dr Joiner noted that, “This year new research students are looking at ICT governance concepts more broadly and producing another paper seeking to improve cyber-resilience across Government departments more broadly than just Defence and even into critical banking systems.”

While this is early days for the notion of cyberworthiness, the students’ work is having a genuine impact. The researchers have been encouraged by the fact that the concept was recently validated by ADF leadership at Senate Estimates, when two senior ADF members explained cyberworthiness to the Foreign Affairs, Defence and Trade Legislation Committee.

You can read more about the research of the UNSW Canberra team here.

References:

Fowler, S.; Sweetman, C.; Ravindran, S.; Joiner, K.F. & Sitnikova, E. (2017). Developing cyber-security policies that penetrate Australian defence acquisitions. Issue No. 202.

Christensen, P. (2015). Introduction to Cyberspace T&E. Tutorial, presentation at ITEA International Conference, Washington DC, August 2015.

Brown, C.; Christensen, P.; McNeil, J. & Messerschmidt, L. (2015). Using the Developmental Evaluation Framework to Right Size Cyber T&E Test Data and Infrastructure Requirements. International Test and Evaluation Association Journal, 36: pp. 26-34.