Military Lessons on Cyberdefense

with Dr. Marcus Thompson

Dr. Marcus Thompson is a retired Major General and former Head of Information Warfare for the Australian Defense Force. In this episode, Dr. Thompson talks with Alvaro Vitta about best practices for protecting sensitive data and making risk-based decisions.

Episode 37: Military Lessons on Cyberdefense

Public Sector Future

Episode summary

Dr. Marcus Thompson is a retired Major General and former Head of Information Warfare for the Australian Defense Force. On the second episode of our cybersecurity mini-series, Dr. Thompson talks with Alvaro Vitta about best practices for protecting sensitive data and why making risk-based decisions is so important.

Download the episode transcript

Listen to this episode on any of these podcast platforms:

Spotify

Apple Podcasts

Google Podcasts

Deezer

Libsyn

How does the military protect sensitive data?

Dr. Marcus Thompson is a retired Major General and former Head of Information Warfare for the Australian Defense Force. Since leaving the Australian Army Marcus has founded Cyber Compass. On the second episode of our cybersecurity mini-series, Dr. Thompson talks with Alvaro Vitta about best practices for protecting sensitive data and why making risk-based decisions is so important.

A diverse set of experience

Dr. Marcus Thompson is the founder of CyberCompass, an independent advisory focused on improving cyber security. But before his current role, he spent over three decades of his career serving in the Australian Army. He’s served on deployments to East Timor, Iraq and Afghanistan, he holds a PhD in cybersecurity, and he was named Head of Information and Warfare for the Australian Defense Force. Thompson holds a plethora of mission-driven capabilities that a lot of organizations, both government and non-government, can learn from.

“I find myself reflecting on what lessons I’ve learned in the past 18 months since leaving the military and leaving government service, and I think that there are some really helpful observations that I think my former colleagues, you know, certainly in the Australian Department of Defense and elsewhere, could use and the biggest observation I’ve had is that I think industry can do more, and government can facilitate industry doing more.”

Thompson continued, “And I think the key thing here is, let government do what only government can do, and then look for opportunities to bring industry in to help with the rest. Because that deep technical expertise that resides within industry, I think the ability of industry to innovate, and innovate at scale, just remains something that I think certainly in Australia government could perhaps do a bit better. You know, the bureaucrats could be a bit better with that.”

Self-defense, passive defense and active defense

Government organizations have to navigate the challenge of protecting their sensitive data while also having access to it and using it. It can be crucial not to let your guard down.

“Just remember that there is a threat, there is a cybersecurity threat out there. The threat is real, the threat is active, and it wishes you harm, it wishes your organization harm, it wishes your family harm, it wishes your nation harm. And I think all good comprehensive approaches to cybersecurity start with a recognition that the threat is real, that it’s active, and that it wishes you harm.”

Thompson suggests thinking about protecting data in three different ways: self-defense, passive defense, and active defense.

“What are we posting on social media, what are we freely giving away to the internet at, what is our workforce doing, that a professional threat actor, with a targeting mindset can turn around and use against us – to attack us, you know socially-engineered phishing campaigns. It’s about culture and awareness, so when you’re thinking about your self-defense, have a look at your culture. You can just continue to bang the drum about the importance of cybersecurity and encouraging all of the workforce to not be the weakest link. That’s self-defense.”

“Passive defense, I mean this is the domain of our system administrators, our CIOs, and maybe our CISOs. This is where we think, you know, how’s our network hygiene? Are we patching our systems? Are we patching our hardware? Are we patching our software? Do we have multifactorial authentication incremented within our organization? How many people have administrator rights, you know, have that privileged access, who might then become a potential sort of insider threat?”

“And then the active defense – well, this is the bit where we say, all right, we know that if we implement good hygiene, good network hygiene, we’re patching, we’ve got multifactorial authentication and all that, all those important functions, you know, there’s still a chance that a sophisticated threat actor can get in, can get past those defenses, so what have we got? Do we have a highly capable security operations center, the ultimate risk mitigator, looking at our infrastructure to immediately detect, contain and resolve any penetrations, any breaches of our security?” Thompson said.

Make decisions based on risk

According to Thompson, a compliance-based approach isn’t enough in the cyberdefense environment.

“When there’s a new piece of malware on the streets, every seven to twelve seconds, you know, you might be compliant, at that nanosecond, in that instant, you might be compliant, but a moment later, you’re now being noncompliant.”

What’s needed, he said, is a risk-based approach. And here’s why:

“It is not possible to bring the cybersecurity risk to zero. That’s just not a thing, so you know, a sensible conversation amongst leadership groups about cybersecurity risk, what we tolerate, what we can’t tolerate, and therefore, what we need to invest, today and into the future. These are sensible discussions that smart generalists can have, within government and outside government, and you don’t need to be a cybersecurity Jedi to have those sensible conversations.”

Have those important conversations, invest in defense, and then what?

“And then monitor it, and then continue to monitor it, you know, are our settings right? Are we being true to our stated tolerance? Is our investment right? Is there something new that has changed our risk landscape, and these are right now in Australia, these are standard agenda items at board meetings for commercial entities and government entities, especially those who are now classified as critical infrastructure within Australia,” Thompson added.

What government organizations should avoid

“I still see folk, especially in government, thinking they can do everything, and that’s just really hard, we’ve got, I’m sure it’s well, in fact, I know it’s the same, around the world, but I’ll keep my commentary to Australia where we’ve got a significant workforce shortage when it comes to cybersecurity professionals. My personal observation, anecdotally, is that we’re probably 30 to 35% underdone in terms of the number of quality cybersecurity professionals that we need here to defend our economy.”

Thompson added, “I know that there’s plenty of cybersecurity professionals work within government, just as there are plenty of cybersecurity professionals who work outside of government. And I’d just offer that this is a unique workforce. You know, this is a workforce that is naturally curious, that is in a hurry, and that, if we can put it frankly, knows its value. And, the curiosity piece means that they’re always looking to develop new skills. And if you’re not, if you’re not a big enough organization to hold a subsidiary workforce of sufficient size to satisfy that curiosity and provide those career opportunities for these individuals, then they will go somewhere else.”

“So, I sort of say, in effect, look, especially if you’re a small government entity, don’t try and do this yourself. Bring in the experts to do it for you, and let that workforce management challenge be their problem, not yours, because I think beyond the really big government entities it is really hard to hold that sort of capability internally.”

It’s a continuous journey

There are practical things that government organizations can do to help themselves optimize their data protection journey.

“Number one is the labeling of data. Then you can store it and it’s easier to protect and secure. But I think also, I mean, even from a capability perspective, you know, none of us know what artificial intelligence technologies might come into the future. And so far, all we’re really seeing is automation rather than anything, sort of Terminator-like, you know, neurocognitive when it comes to artificial intelligence. But irrespective of what artificial intelligence technology comes in the future, it’s going to be dependent on data. And if that data is not labeled and stored, and getting all those policies squared away now, if that data is not discoverable, that technology would be useless,” Thompson said.

Labeling data seems pretty simple and straightforward, but what else can organizations be doing?

“I think the other thing is, because our appetite for digital information, for data and for electronic devices, internationally, is insatiable. Our dependence on electronic devices and digital information data is growing exponentially, you know, every day. and I see no sign of that slowing down. So, policies around data discoverability and how long you have to keep it. And obviously, yeah, Microsoft has a significant product offering in that regard. So, hey, government, are you just going to continue to build and operate datacenters, or do you bring industry in to help you with that, whatever classification of data that you need for your – you know, within government?”

“I think they’re the sorts of things that, from a pure data protection play, people can be thinking about, you know, that there’s policy aspects here, there’s technology aspects here, and there’s human behavioral aspects here,” Thompson concluded.