Managing critical incidents in the cyber domain

Dr Paul Vallet: Welcome to the Geneva Centre for Security Policy, weekly podcast. I'm your host, Dr Paul Vallet Associate Fellow with the GCSP’s Global Fellowship Initiative. For the next few weeks, I'm talking with subject matter experts to explain issues regarding peace, security, and international cooperation. Thank you for tuning in. For several years, even in this socially distance period and in a virtual format now, the GCSP has hosted a fascinating recurrent competition, the Cyber 9/12 Strategy Challenge in partnership with The Atlantic Council at which competing young teams of various institutions and universities are tasked with responding to an ongoing scenario of a security crises originating from a breach in cyber security. It's this time of the year and to discuss such competitions, their challenges and perhaps the useful lessons that come out of the competing teams and their talents, we're joined today on the podcast by Ms Sarah Backman. Ms Backman is a doctoral candidate in International Relations at Stockholm University, focusing her research on cyber crisis management. As a practitioner in the field, she's also consultant in strategic security risk and crisis management for Secana in Stockholm, as well as lecturing to the Swedish Defense University and offering several publications on cyber crisis management, she has acted as a judge for four editions of the Cyber 9/12 and is returning this year. So welcome to the podcast, Sarah, and thank you very much.

Ms Sarah Backman: Thank you so much, Paul.

Dr Paul Vallet: So, my first question to you is perhaps a little bit personal, looking at your background, and so on. But I was wondering when and how did you develop an interest in cyber security crisis management, and in particular, in participating in simulation exercises, and perhaps you can tell me whether there are also similar types of exercises to nine, Cyber 9/12 that you know, of, that you participate in for the industry or in the academic setting?

Ms Sarah Backman: Yeah, so, it was back in 2014, I think early 2014. And it was really quite random. But I was looking for an internship and then I got an internship at a cyber security firm, a very small one. And that was really lucky for me because I got to work with the CEO of that firm, which is one of Sweden's most prominent cyber security experts. And pretty quickly, I realised, you know, I have a background in security studies and political science. And pretty soon I realised that this field of cyber security is not all about the technical stuff. But there are a lot to do when it comes to the perspectives from a security studies political science perspective too. And then I continued to study security studies and crisis management. Meanwhile, I worked as a consultant. So that is basically what I've been doing since then. So, I have my PhD project and I also work with large scale cyber crisis management exercises as a consultant. And, for me, I just think that based on what I've seen, but also based on research, we know how much value exercises can have, in the absence of real experience of crisis. And that, especially if you have simulation exercises, people actually do feel and act a lot like it would be a real crisis. And research tells us that when you experience a situation, a real crisis, or situations similar to real crisis, that creates sort of mental slides or a mental library that you can access in a real crisis, and it really helps responders. So, yeah, I just love to combine, working with something that I really believe in, which is exercises. And also combining that with the academic part of it.

Dr Paul Vallet: You make a very valid point, first, of course, that the notion of cyber security isn't all tech. So that's a very important point to make for people who are interested in that field and for the interdisciplinarity that you've mentioned in that matter. And it's somewhat anticipated my next question, which was precisely that thoroughly editions of the Cyber 9/12 were featured all too realistic scenarios, in that the events that the competing teams had to deal with actually came to pass, I recall one instance of back about to the cyber hacking in hospitals, and in particular, so in this respect, my question would be do you see simulation exercises as important tools to deal with current crises, or more as an effort to anticipate future problems?

Ms Sarah Backman: Well, both. I do think that I mean, when it comes to large scale exercises, we should perhaps, adopt an even bolder stance in trying to anticipate what could happen, because usually the case is that you think that something is totally unrealistic, and that would never happen. So, you don't add it to your scenario. But then five years later, it happens. So, we have always a tendency to sort of prepare for past crisis and past wars, which is a problem when it comes to cyber security and cyber crisis management because it's such a swiftly developing area. And I think the tendency to look too much to the past can be a disadvantage in this field.

Dr Paul Vallet: Well, I'd certainly probably concur with that with a background in military history, when you just said about the tendency to fight the last war is something that we've observed. And certainly, you're making a very good point about the fact that, in this particular area with the evolution of technology, it makes really a necessity for the scenario writers to try to be as anticipatory as possible so that I really follow you on that. My next question would be about more to do with your vision of crisis management, and it perhaps it can anticipate on how you do your job as a judge in some of these competitions. So, what are the particular aspects in crisis management that you identify as key to an optimal response when a team is confronted with a cyber security crisis?

Ms Sarah Backman: Well, I think that the difficult thing about looking at crisis at the national or international level is that the crisis management process is definitely not just one thing, you have several parallel tracks. And this happens at both the horizontal level. So, for example, a cyber crisis affecting a critical infrastructure sector, then if it affects the energy sector, you would have crisis management structures and mechanisms for the energy sector, and you would have the cyber incident structures going on to and if it would threaten citizens lives and critical infrastructure functions, you would have national level of generic crisis management structures kicking in. So, I think it's important to realise that it's cyber crisis management at a high level is several tracks of crisis management, with sort of different aims. They have different timelines also. And so we have the horizontal level, which is between sectoral boundaries, also between agencies, just within inter government agencies, and then you have on the vertical level, you have the crisis management processes going on, for example, technical operational level, the incident management, and then you perhaps have the generic crisis management structures at the strategic level. So the big challenge is, of course, to try to get all these efforts coordinated, to make sense of the situation together, to have an efficient information sharing, to make sure that there are no gaps between the different sort of tracks going on. And this is a big challenge, I think, in exercises, and in real life.

Dr Paul Vallet: If I can just anticipate on that. I mean, I recall that the teams are competing in an exercise, while they're a number, usually four, I think four or five. And I'm assuming that for some of the exercises that you're familiar for industry, and in real life, will involve larger teams that are perhaps more complex to organise and to marshal their resources?

Ms Sarah Backman: Yeah, I wouldn't say that. It's usually more when it comes to the Cyber 9/12 Challenge you try to, to have teams who can answer a lot of different questions about, you know, media management, about technical incident handling, about generic crisis management structures. But usually, in practice, you don't have exercises that are that interdisciplinary, and just one team who will respond to all of it, but you have, for example, in in cyber Europe, you would have one part, which is more technical, and one part which is strategic, and there are different teams with different expertise for that.

Dr Paul Vallet:  And so that leads me of course, to my next question, which was trying to judge on what happens in the cyber security universe. And its relation to work to crisis management, specifically, in responding to that, is that essentially a factor about the teamwork that operates and the correct handling of the networking within that team? Or does actually possessing technological superiority make a difference? In other terms, is the technologically better armed response team going to make a difference, or can someone even with less technical means then affected? Are they capable of supporting any kind of incidents?

Ms Sarah Backman: Yeah, I think it's going back to my previous point about different tracks of the crisis management efforts when it comes to incident management and more technical track I think it definitely makes a difference and especially human resources, so you need skilled incident managers and that's usually a rather scarce resource and I mean there are several international communities like  CERT for example where they can sort of share information and support each other and so on but it's definitely in the end it comes down to the skills of humans trying to manage the crisis and cyber crisis are by definition a very interdisciplinary trans boundary and complex so not just anyone could manage these situations and so I think that having technically skilled people on your team, that's a very good thin. But then it's also about collaboration and just because it is so trans-boundary, cyber crisis management is a lot about collaborative crisis management and sometimes you need to collaborate across boundaries that are unusual or actors who are not really used to working together need to work together or perhaps share information and what I've seen in my research is that when you don't really have those formal structures for collaboration or an information sharing it comes down to the individual skills of certain crisis managers and incident managers who sort of in the situations I looked at under crisis I like that they sort of solved the situation through creativity and improvisation and often informal contacts. A key point is that it's really good to have formal structures for information sharing but when that fails the possibility to have creativity and improvisations is very important too because it can also be very difficult to anticipate the exact needs of the crisis management efforts in a cyber crisis because it could take on so many different characteristics.

Dr Paul Vallet: A little point about curiosity I have because we're also from a bit of an academic as well as practitioner background but I was wondering how long does it regularly take to train people in these areas I suppose the question arises for you in your consultancy activities when an organisation or even a public institution wants to train some of their personnel to be more aware and more responsive to that is that necessarily a long time type of training or can it be done rather swiftly I suppose?

Ms Sarah Backman: That depends on their background and what aspects of cyber security you want to train them in so I think it's well you would think that getting a basic sense of awareness would be easy but I mean people are very prone to just do what they have always done and if they if you don't really build in security if you don't have security by design and default people will tend to use the more efficient way even if that's less secure. I think it is slowly changing, but we still have a lot to do and really I think that this is something that should be very integrated into the understanding of cyber security we cannot have the understanding of cyber security we had in the 90s where it was totally okay to say “Oh I wish I could patch human stupidity.” Like, it's not our job to do that in the cyber security industry it is it's not any more about just inventing really smart technical solutions it's also about working with people and awareness and all of these non-technical aspects that is just as important. I don't think we can get away we just say that humans are stupid, and we should just give up if they don't comply with the behaviour, we want them to have so.

Dr Paul Vallet: My final question will be in in in the area of anticipation and it would be doing it identify any sort of a cyber security crisis that does not currently have some kind of solution that we can think of at this moment compared to others I guess?

Ms Sarah Backman: I guess that depends I think that of course the more dependent we get as a society on connected and interconnected systems for our basic needs and that is without the words like critical services and critical infrastructure, we are putting ourselves in a situation where we are very vulnerable and I don't really think that based on what I've seen that we are yet really prepared to handle that and one of the reasons for that is that these crisis take on characteristics which our crisis management systems weren't really built to manage the level of transparency of these issues is yeah but that is something that we have not really seen before I think and I mean trans boundary crisis in general are on the rise as a as a consequence of globalisation, I mean COVID is an example of this and basically our crisis management mechanisms and structures weren't really built for it and the difficult thing about this is also that when we have a trans boundary crisis we could use for example supranational structures to help us manage and help us coordinate such as the EU for example, but then we have the issue that cyber security is in general very close to national securities that sovereignty, that is something that the EU cannot go into too much so we have a tension here one of many tensions in the field of cyber security between the need for sort of supranational coordination mechanisms, something that can help us to collaborate better and that it is a really sensitive issue very close to national security. We do have a lot of challenges ahead of us I think but I mean we are also very adaptable and I think since I started this in this field in 2014 a lot has happened and I mean on the national level as well as the supranational levels I still think that it's definitely moving in the right direction

Dr Paul Vallet: Okay well yes, our takeaways will be that we have to keep exercising, keep learning and then adapting to that. So, I guess this is all we'll have time for this episode. But I want to thank you again. Sarah Backman, for joining us today. And of course, wishing your fun competition this year as well, too.

Ms Sarah Backman: Thank you. I'm looking forward to it.

Dr Paul Vallet: For our listeners, please listen to us again next week to hear the latest insights on international peace and security. Don't forget to subscribe to us on Anchor FM, Apple iTunes, you can follow us on Spotify and on SoundCloud. I'm Paul Vallet with the Geneva Centre for Security Policy. And until next time, bye for now.

Learn more about GCSP’s Cyber Security offerings

Disclaimer: The views, information and opinions expressed in this digital product are the authors’ own and do not necessarily reflect those shared by the Geneva Centre for Security Policy or its employees. The GCSP is not responsible for and may not always verify the accuracy of the information contained in the digital products.