Tech in Estonia: CybExer – let’s democratise cyber knowledge
Chief storytelling officer at Tallinn, Estonia headquartered CybExer Lauri Almann is passionate on the subject of cybersecurity and wants to see a new approach to knowledge at a number of levels.
The CybExer team spoke at this summer’s ‘Digitally Wild’ press programme hosted by Invest Estonia, which saw a small group of journalists meet (under Covid-tested & safe conditions) with established, growing and startup tech players in the nation’s capital.
CybExer specialises in cybersecurity training platforms with a special focus on cyber capability development.
The company offers Cyber Range for universities and a number of other services including Cyber Core, a ‘live fire’ exercise where a company’s ‘blue’ team is pitted against CybExer’s experienced ‘red’ team in order to drive live knowledge training.
Almann spoke of four core levels of cyber knowledge that he feels should impact the way software application development practices (particularly those focused on cyber protection) need to evolve.
4-knowledge levsls
Level 1 – Users: We need to understand why users behave in such risky, unpredictable ways and gain a closer level of awareness into how and why these actions occur, we need this in order to be able to build the layers of protection needed for the future software application development landscape.
Level 2 – Top tier: We need to look at the ability to apply cyber-awareness at the management level… and this also means applying it at a governmental and national level as well, because (of course) some attacks are directed at users, some have governmental targets and some may be applied at a higher national level.
Almann spoke about the need to look at situations like the escalating politico-economic-cultural situation in Afghanistan (in August 2021 at the time of writing) and think about the worst possible world scenarios that could result from situations like this.
“Intuitive and improvisational decision making is not a luxury that we have at the cyber protection level, but cyber criminals do of course have that ability,” said Almann, suggesting perhaps that the protection mechanisms we develop need to be engineered close to the mindset of the cyber attackers.
Level 3 – Success: We need to deal with success i.e. when we build cyber security scenarios that successfully model potential attacks and end up successfully stopping them from being executed, then we need a way to be able to engineer-in those levels of learning to the platforms being built
Level 4 – Youth knowledge: We need to build a new awareness of cyber at the youth level, this means creating teaching syllabus programmes where 12-year olds are tutored with the type of knowledge that fully-fledged (penetration) pen-testers would be exposed to.
“Security incidents (at least in the short term) are likely to increase, but we need to sit down and have some grown up conversations about it… that way we can avoid ending up depending upon services that we really want to be using [because we haven’t thought about forward engineering enough]. If we don’t build the tough systems that we need now, then someone else is going to build those systems and some of them may come from China,” said Almann.
The above comment was not presented with anti-Chinese sentiment per se, Almann was intending to show us that it is the ownership and control element of platforms that matters if we are to create the highest levels of control.
Balance & decision making
To balance all these thoughts, Almann and team say that they do realise that those individuals that want to end up ‘going to the bad side’ will probably inevitably do so anyway, but (and this is the core proposition here) if we manage to approach code-level awareness of cyber across these four key cornerstones – and surely others as we start to think about them – then we might end with safer systems around the world.
As a final example of thought and knowledge in the security space Almann left the audience thinking about the Trojan Horse and the face that – in any given situation – the ability to stay safe often comes down to the decision-making process in any given scenario.
In the story of the Trojan horse, a minister or city official thought it was a ruse, but the decision as to whether or not it was allowed in was put to a public vote, which turned out to be an uniformed vote and a bad decision. Let’s move forward making good decisions.