NITHEN NAIDOO: Data, not fear, must drive our national cyber defence

It is common for large organisations to prohibit multiple executives to fly on the same plane, but they are allowed to drive in the same car. Yet statistically the chances of losing an executive team in a car crash is significantly higher than losing them in a plane crash.

The problem is that risk is in the eye of the beholder and often skewed by biases such as background, skills set and area of expertise. This is the same with cyber risk assessment, which is often a fear-driven exercise rather than one driven by data. The same biases can adversely affect sovereign security if we fail to address national cyber defence holistically in an information-based society.

An example is Russia’s interference in the 2016 US election, where tunnel vision on protecting voting infrastructure led to the Russians successfully using Facebook for mass cognitive influence. This type of adversarial tactic was also present in the 2021 KwaZulu-Natal unrest where Twitter was used to propagate disinformation and incite violence.

While national cyber defence clearly exceeds the bounds of national critical infrastructure, it remains one of the most critical focus areas. In 2021 we saw Transnet being compromised, causing financial loss and reputational damage, and a breach at the department of justice. Critical information infrastructure differs from traditional critical infrastructure and includes, for example, financial institutions’ information processing systems. Critical information infrastructure is not strictly restricted to “public” infrastructure and often resides within the private sector, which makes public-private partnerships (PPPs) for national cyber defence an imperative.

Though national cyber defence can only be accomplished through public-private partnerships, the nature of the data collected, information disseminated and insights gleaned would mean it should be under the supervision and purview of the state. We also require PPPs to achieve a secure indigenous technology supply chain. For example, Crypto AG, a dominant producer of encryption to over 120 governments for decades, was an American (CIA) and German (BND) smokescreen to monitor and manipulate international relations for sovereign advantage.

Crypto AG is a foreshadowing of modern espionage where state investment, involvement and influence in the global cybersecurity supply chain is not only obvious but the norm. The fundamentals of warfare have always been deeply rooted in deception, and in this realm cyber is not a new threat but a new vector. Though complex, our digital borders and digital defence must be built on an indigenous technology foundation and reside — open source and without restriction — with the state.

While threats increase in complexity — quantity, quality and diversity — the fundamentals of security remain the same. In truth, especially with national critical infrastructure, much can be achieved simply by getting the basics right. Strategically, this implies having appropriate national legislation, regulation, and regional and global frameworks. An excellent example is the Critical Infrastructure Protection Act. However, this needs to be complemented with additional forms of legislation to address the national cyber defence requirement more comprehensively.

Tactically, this implies establishing national computer security incident-response team capabilities and setting up national cyber defence intelligence operation centres. This would empower the proactive response to attacks on critical infrastructure, PsyOps “influence operations” and other adversarial tactics designed to leverage cyberspace to adversely affect political, financial and sovereign stability. PsyOps are intentional, planned and co-ordinated activities designed for mass cognitive influence. This includes the influence of emotions, reasoning, attitudes and, most significantly, behaviour.

To truly achieve a resilient security posture, state institutions, companies and individuals require an intelligence-led approach. We need to understand three core elements: the environments in which we operate, our vulnerability and our threats — their motives, methods and incentives. We also need to be increasingly aware of  external activity, made most apparent in 2021 when sensitive documents relating to Israeli cyber surveillance firm NSO Group were leaked online. The documents disclosed that the NSO Group’s notorious Pegasus spyware was potentially used to target high-profile political figures, including President Cyril Ramaphosa. Using intelligence gleaned from the clear, dark and deep web is an essential activity to understanding cyber threats and proactively responding to them. This allows us to take finite defence resources and apply them in the most effective and efficient manner.

Finally, if we wish to achieve digital transformation and not only embrace but be at the forefront of the fourth industrial revolution, we must “secure by design”. The rapidly emerging new technology landscape is not a threat but is a unique window of opportunity to secure our digital citizen, smart cities and national infrastructure by design. Securing any environment in the design phase is significantly more cost-efficient than retrofitting security as an afterthought. Ultimately, only the first to “securely” digitally transform will find themselves at the forefront of the revolution. The rest will be left behind or battling with the technical, social and financial debt of having to retrofit security.

Given the diversity, disparity and bespoke nature of the new technology landscape, this challenge may slow progress indefinitely. Therefore, the earlier we address these challenges, the simpler, more cost-effective and achievable our goal of building a safe, digital transformed nation becomes.

• Naidoo is CEO of Snode Technologies.