Winning or losing is not defined by our technology, it’s defined by our thinking. That was among the points made by Pete Cooper, deputy director for cyber security at the Cabinet Office, in a talk to open the annual Black Hat Europe cyber security conference; usually held in London, but this year run online over two days of briefings, after two days of training sessions.
“We are not always going to have the best technology,” he went on. “We are not always going to have everything we need, but with creativity and great thinking, and team work, we can actually achieve huge, huge amounts and in doing that we can really start transforming how we defend and start defending as one.”
The talk – by someone whose interest in computers went back to the 1980s, but who served in the Royal Air Force as a Tornado pilot – also stressed the reducing of risk, as in aviation, to the lowest reasonable point. “Because as we look forwards, our cyber challenges are not getting smaller,” he said; attacks are getting larger, and impacting larger and larger amounts of people, and critical issues, he said.
Otherwise, the 30-minute talk and his remarks afterwards in answer to audience questions after were strikingly free of tech stuff, whether by defenders or attackers. For instance, he recalled ‘one of the most interesting’ conversations he had about cyber in an organisation. First, he sat down over a coffee, he asked how the organisation got on against ransomware. When he put that to the board, the leaders’ reaction was ‘we did really well; we dodged the bullet’.
However, when Pete Cooper asked the same question to the security operations centre (SOC) and the teams who were the ‘eyes on screen’ doing the cyber-defending, they said ‘yes, we got away with it, by the skin of our teeth’. They admitted to feeling that if the organisation had suffered from an attack, it would at least have got the board to listen. That fitted in with Pete Cooper’s argument, that cyber working needs communication, to work together; which in that organisation was lacking. It takes effort, he stressed, to build up team work, whether externally with others in cyber, or in your own organisation.
He spoke also of how he learned, from different disciplines, such as psychology, safety culture, and marketing and comms; ‘we tend to be focused on cyber security, but a lot of that is landing the message with the people using the equipment that we are securing. We may not be natural comms and marketeers, but it really comes down to landing those messages.”
He stressed also the need of team work in cyber security, especially in government, where so many teams are working on so many things; and with others such as in academia and hacking teams. He set up an ‘aviation village’ at the cyber event Defcon.
It was significant that he answered a question from the audience about blockchain as a potential answer for secure communication in a non-technical way. Rather, he spoke of ‘time, effort and building up relations’. “One of the key challenges we have all got; it’s easy to build up personal relationships and have really good one to one relationships across different organisations; the really tricky bit is turning that into organisational relationships so that if you left, would the organisations continue collaborating and working together, and still producing great outcomes?”
More in the January 2021 print edition of Professional Security magazine.
