In the lead up to ADM’s May edition on cyber security, I spoke to Major General Marcus Thompson, head of Information Warfare Division in the Joint Capabilities Group, about the cyber security ecosystem in government and how it all fits together.
The full interview appears in that edition but a related issue is that of online privacy and by extension, privacy in general. Social media and app use is the new normal; there’s now a generation of people that have never experienced the world without an internet connection. Clicking ‘I agree’ on terms and conditions or privacy docs without reading is common when downloading a new app.
“Privacy is an important value construct of a democratic society and I absolutely 100 per cent respect and value that,” MAJGEN Thompson said. “Where I occasionally wonder about things is when people freely give information away to the internet. The thing is, it’s not just about that tweet, that post, that social media interaction, it’s the long term aggregation of all of those posts, all of those tweets, all of those interactions with social media and what a professional analyst with a targeting mindset can do with that information and turn it back against a person, an organisation, a nation.
“Within the ADF we’ve been thinking about this very, very carefully now for a couple of years. I’m on the record as relaying a vignette from Exercise Hamel in 2016; Exercise Hamel being Army’s major field training exercise each year. In 2016 I was commanding Army’s 6 Brigade at the time and the exercise area was in Cultana in SA. I pulled together a team of 12 people to support the Red Force, the enemy force, for the exercise in Toowoomba, literally the other side of the country.
“The 12 people were five cyber operators, five intelligence analysts and two lawyers. The two lawyers of course were to assure absolute accordance with our obligations regarding privacy.
“There was 4,000 people in Blue Force; that team of 12 took less than 48 hours to completely unpack the Blue Force. They had unit nomenclature, unit locations and in some cases unit intent, all within the first 48 hours, names of key individuals right through the chain of command. Of 4,000 people in Blue Force, there were over 600 files on individuals that led directly to actionable targetable intelligence that the enemy commander just loved for the purposes of the free play activity.
“So that was 2016. It was a nice little wake-up call for Army. Fast forward to Talisman Sabre 2017. A similar activity was conducted and there was a noticeable improvement in the collective performance of personnel in the exercise area.
“However, one individual still posted to social media a geo-tagged image from the inside of a command post and the image included the battle map. It only takes one!” MAJGEN Thompson concluded.
And that is why good cyber hygiene matters. It’s awareness, it’s education, it’s recognising that there’s a threat; don’t be the person who clicks on the link in the phishing email, don’t be the person who finds a USB stick in the car park and plugs it into your system because you’re curious.
“What are you posting online, how to keep yourself, your mates and your family safe in cyberspace; it starts there with self-defence before we even look at firewalls and white-listing applications and patching systems and the ASD essential eight,” MAJGEN Thompson said. “It starts with people, with individuals thinking through their individual responsibilities to cyber security and cyber defence.”