Protecting against attacks on IT systems is no longer just a technical matter. Today, it requires organisational engagement and attentive personnel.
Many functions within military organisations use information and communications technology, in everything from command, weapons systems, intelligence analysis, monitoring, and reconnaissance. It is precisely these that are so attractive for enemies, not least because the growing use of IT systems also increases the possibility of incursions. And because it can be practised at a distance, with minimal infrastructure.
“Vulnerability increases in step with broader use of IT, large data traffic, increasing numbers of exposed points in the networks, such as computers and connections, and of course rapid threat developments,” says Peter Svenmarck, Senior Scientist in FOI’s Division of C4ISR (Command, Control, Communications, Computers, Intelligence, Surveillance, and Reconnaissance), in Linköping.
Traditionally, research on IT security involved technical protection, but as attacks have become increasingly sophisticated, more knowledge is needed. This calls for more research on how IT security is created through the interaction of people, technology, and organisation, according to Peter Svenmarck.
“Our literature review shows that the existing literature contains very few descriptions of attackers. But among those that do, there are descriptions of how attackers often construct complex ways of working, to capitalise on vulnerabilities in ways that the defenders don’t expect.”
He explains that when technical protection is increasingly better at detection, attackers often focus on vulnerabilities in a user’s behaviour. A reliance on only technical protection then becomes insufficient.
“An example is harmful links in e-mail. One reason why users click on them so readily is that the messages are designed to avoid inspection. For example, the messages may resemble what one has seen earlier and so one deals with them automatically, without reflection.”
In other words, several layers of protection must work together. This can involve technology that supports the user and, by warning of harmful content and abnormal links, increases conscious scrutiny. But this also requires organisational improvements.
On a more overarching level, if IT systems that are both secure and useable are to be created, system administrators and users must understand each other better.
“It is not uncommon that the system administrators have inadequate knowledge of the activities where the IT system is located. If knowledge about the organisation’s work routines is lacking, this will have consequences, in the form of decreased understanding of security, and in efforts to circumvent the restrictions that have been set up.”
According to the review, it is obvious that users have a responsibility, and that there is broad knowledge of the risks, but there must be teamwork between all the actors, not least via the possibilities that the leadership has for creating a healthy culture of IT security within the organisation.
The literature also contains descriptions of the interaction between attackers and defenders. Called non-cooperative games, they build on the choices that each party makes to maximize gains and minimise losses. One study of this topic shows that it is better to update the system than to invest in new technology for IT security, as a support for proactive defence. Conversely, it is better to have the best technology possible for reactive defence.
The literature review was based on nearly 500 publications, but when the contents were subjected to specific criteria, only 93 remained. The criteria involved three types of descriptions: interaction between people and IT security technology, proposals for dealing with the problem, and evaluation of the proposal.
“The next step is to make a new version of the literature survey, with somewhat different questions. These could involve knowledge support for IT security, situational awareness in network surveillance, or studies of how an attacker reasons.”
In addition to summarizing the current state of research, FOI cooperates with FMV – the Swedish Defence Materiel Administration – among others, to strengthen competence in IT security.
“We are part of a research group within NATO’s Science and Technology Organization (NATO STO), where we work with security questions at a strategic level. Our contribution is, among other things, to develop a tool that can search for relevant course literature for course coordinators in military colleges. The tool will find publications that are appropriate to the content of a security course; it could be about how attacks proceed, technology for dealing with them, or the relation between the attacker and the defender,” says Peter Svenmarck.
The reason, of course, is that there is no one book that describes all this; the information is scattered in a variety of different publications. The work has proceeded for two years, and should be finished next year.
The research group also includes the Netherlands, Bulgaria, USA, Canada, Germany, United Kingdom, and Ukraine.