Australia's Fight Against Cyber Security Threats
Keynote Speech at CIFI Sydney
I begin by acknowledging the traditional owners of the land on which we meet, the Gadigal of the Eora people, and pay my respects to their elders past and present.
Like so much in the national security space, cyber security is largely a bipartisan issue.
That said, it does not mean the Opposition will not hold the Government to account on its performance in this rapidly evolving area, which is what we have been doing since the creation of the front bench cyber security position to shadow the Minister following the election last year.
It’s why speaking at events like these and engaging with government, industry, business, the community, is so important.
For testing whether the Government is on track.
For testing whether we, as an Opposition, are on track.
And it’s this area of broader community engagement that I’m particularly interested in.
Because cyber security is everyone’s responsibility, and thinking about cyber threats, cyber security and cyber resilience has to break into the every day.
Take programs like Siri, Cortana, Alexa or Google Assistant. And don’t get me started on why all these assistants are female!
The security risk of always-listening devices is something the average user will most likely have never given a second, let alone a first thought to.
But with technology evolving quickly, it’s becoming increasingly clear that the broader community’s understanding of the risks and threats to operating safely and successfully in this new environment is not keeping pace.
So any serious effort towards improving our nation’s cyber security must involve everyone.
Exposure to threats is not just confined to government and big business.
Threats are being experienced on a daily basis by grandmothers, grandfathers, Mums, Dads, teenagers and small and medium business owners, through scams, cyber crime and phishing.
Before entering politics, I ran my own micro business for ten years.
I was a communications consultant and contracted to government agencies, with the Department of Defence being my longest and largest client.
As a micro business owner, everything in my business relied on me.
It was up to me to compete for business on government panels or find a way to sub-contract my services.
It was up to me to ensure my contact lists, invoicing and records were up to date.
It was up to me to ensure my computer was backed up and the latest patches and software installed.
I didn’t have a human resources department.
I didn’t have an ICT department.
I didn’t have a CFO.
It was just me, my study, a mobile phone and a laptop.
If I had ever been targeted by ransomware, I can tell you I wouldn’t have known what to do.
Who to speak to.
Where to go for assistance.
And there are hundreds of thousands of businesses in Australia who are today just like me seven years ago.
There are so many experts – many are here today – that can talk enough about technology, standards and infrastructure to make the average person’s eyes glaze over.
And, like you, I have a keen interest in these areas, particularly in developing the appropriate public policy response.
But I think the real, tangible difference that we – as experts, regulators and policy makers – can make, is in bringing the broader community along on the cyber security journey with us.
To start seeing cyber security, cyber threats and cyber resilience as not just the domain of CISOs and CIOs, but as everyone's business, as everyone’s responsibility.
As a risk to be managed, in a business as usual way.
Now that begins with how we frame cyber security.
And a lot of that comes down to the language, the lexicon, around cyber security. Even the name itself. It’s acronym-riddled, steeped in technical, defence and diplomatic jargon, exclusive.
If cyber security were to be framed around concepts of risk mitigation and management, about survival from threats, a lot more Australians, particularly small and medium business owners, would sit up and take notice.
If small and medium business owners were educated to back up, patch and keep their software up to date to build the resilience of their business and manage risk, so they don’t risk:
- The family home they had borrowed against to get the business up and running
- Their reputation and future business prospects
They would sit up and take notice.
If small and medium business owners were educated to treat the contact lists and files on their computer as just as important as the hard copy documents they keep in their locked filing cabinet.
They would sit up and take notice.
If small and medium business owners were educated to risk-manage their cyber security in the same way as fire or theft.
They would sit up and take notice.
In the 2016 financial year, more than 90 percent of Australian organisations faced some form of cyber security compromise.
In the first six months of this year, there were almost 24,000 incidents of cybercrime reported to the Australian Cybercrime Online Reporting Network.
That's 4,000 a month.
Or 1,000 a week!
And that's just what gets reported.
Between denial-of-service extortion, data ransoming, and sophisticated spear-phishing campaigns, we are facing threats on multiple fronts.
The high-profile nature of recent world-wide attacks such as WannaCry and NotPetya has thrust ransomware into the limelight as one of the defining challenges today.
WannaCry hit around 200,000 companies and organisations in 150 countries.
Here in Australia we were fortunate to escape the brunt of the attack, but at least 12 Australian businesses did get hit. From what we know. And from what I understand most of these 12 were small businesses.
Given that 97 percent of all businesses in Australia are categorised as small or medium enterprises, the risk posed to our economy by cyber attacks is huge. And around 60 percent of them don't have a shop on the high street. Most of them are micros, like I was, operating from their own home.
By 2020, Australia’s ‘internet economy’ is estimated to be worth 139 billion dollars, growing at twice the rate of the rest of the economy. And many, if not the bulk, of the businesses operating in this space will be small and medium.
So it’s alarming that a Norton Small Business report released earlier this year showed that almost a quarter of Australian small and medium businesses don’t have any form of security software on their systems.
And a survey of more than 1000 New South Wales small and medium businesses found only one had a cyber incident response plan.
Out of 1000.
Small and medium businesses are fiendishly difficult to communicate with – I know, because I was one of them. They are disparate and they are dispersed.
So, I’m not in any way suggesting the cyber security education – or should I say risk education – of small and medium businesses will not be easy.
But I do see cyber insurance as a way of driving behavioural and cultural change.
And I do see contracts demanding certain cyber security levels and standards as another key driver of change.
No regular patches, back ups and updates.
Some government agencies and private outfits are already enforcing these settings. I look forward to it becoming widely applied.
In the same way, the need for $10 million professional indemnity is mandated for Commonwealth government work. In my first year of business, this crippled me, because my first premium was $10,000. In fact, I worked for six months before actually making any money.
But I saw this as a cost of doing and staying in business.
Patching, back ups, updates must be seen as just a cost of doing and staying in business.
Government also has a role in facilitating change.
Unfortunately, right now there is a confusing spaghetti bowl of various centres, networks, agencies and authorities, which makes getting clear and accurate information difficult not only for small and medium business owners, but for individual users, and even big business.
Clearing up these lines of communication and finding out precisely who provides what advice and assistance is the first step.
And here I can see a role for a one stop shop for small and medium business.
And one for individuals.
At the moment it’s a ten to 20 stop shop.
Because the number of internet-connected devices in our homes and at our workplaces will only increase.
By 2019, the average Australian household is estimated to have 24 devices connected online.
Fridges, TVs, lights, surveillance cameras, hot water systems, watches, doggie doors.
All connected to the internet for convenience and functionality.
All increasing the number of attack vectors into our homes and businesses.
The potential for these devices to be used in cyber attacks – in denial-of-service attacks – is already great.
We’ve already seen the effect this can have through last year’s DynDNS attack which took down many of the most popular websites on the internet.
But with the proliferation of the internet of things, the threat potential will only grow and expand.
We have seen through events overseas that the cyber security of the systems and networks that keep our country running – our critical infrastructure – is a national priority.
In 2007, the US Government demonstrated how hackers could take down a power plant by physically destroying a generator using code.
Then in 2015, Ukraine experienced this reality first-hand.
On December 23rd, many in Western Ukraine were preparing to head home into the cold winter night.
The workers at the control centre that provides power to the region were also preparing to head home, before one operator noticed something unusual as he was organising the papers on his desk.
Before his eyes, the cursor on his computer started working its way across the screen on its own.
As he watched on, it navigated its way towards buttons that controlled circuit breakers at a substation in the region, before clicking on a box to open the breakers, taking the substation offline.
Then thousands of lights went out.
Then thousands of heaters went off.
When workers tried to seize control of the system, suddenly the machine was logged out of the control panel.
Ultimately, the attack took down about 30 substations, but it didn’t stop there.
Two other power distribution centres were attacked, leaving over 230,000 residents in the dark and cold.
According to an extensive investigation into the hack, these attackers weren’t opportunists who just happened to stumble into Ukrainian control centre systems.
They were highly skilled strategists who carefully planned their assault over many months, by first studying the networks and siphoning operator credentials, before launching a synchronised assault in a well-choreographed attack.
But often threats aren’t well choreographed at all.
Too often they are unanticipated and unintentionally of our own making.
Andrew Warnes, who heads the critical infrastructure security branch of the Attorney-General's Department, recently said one major Australian asset owner had unintentionally given an offshore supplier's staff full access to their system without realising it.
Another had found malicious code embedded in equipment delivered from overseas, which led to data leaking out of the asset.
Threats to critical infrastructure don’t just affect federal government and large corporations.
State and local governments must also contend with threats to their infrastructure systems.
Any system, in any city or country town, is exposed to the same cyber risks as the energy grid of an entire state.
Even the systems and infrastructure that run our elections, the very foundation of our democracy, the essence of trust in our social fabric and values, are exposed to risks, although unfortunately they are not yet recognised as critical infrastructure in Australia.
After the attacks last year, the US recognised its electoral systems as critical infrastructure earlier this year.
Then-Department of Homeland Security Secretary Jeh Johnson stated:
“Given the vital role elections play in this country, it is clear that certain systems and assets of election infrastructure meet the definition of critical infrastructure, in fact and in law.”
The same applies here in Australia, which is why I am deeply concerned that, according to Andrew Warnes, our electoral infrastructure is not being given the highest priority and security consideration due to resource constraints.
Cyber threats permeate every aspect of our life, and it’s up to all of us to mitigate, manage and survive these risks.
But we need cyber security experts to be able to anticipate, offend and defend against them.
And we are hampered by a global shortage of cyber security professionals.
Forecasts suggest that by 2019 there will be 6 million jobs in cyber security globally, and only 4.5 million people with the skills to fill them.
That’s one and a half million jobs that will need filling globally in the next few years.
This is a big concern of business.
Who are concerned about the lack of graduates who are work ready.
Who are concerned about the lack of pathways to a cyber security career.
Who are concerned about the marketing of these careers as just for technicians, when ethicists, communicators, psychologists, creatives are needed.
Who are concerned about the difficulty in getting vocational education courses up and running, and meaningful practical time.
Australia’s cyber security education is still in its infancy, so now is the time to put in place initiatives that improve educational outcomes and deliver people with the skills to address this shortage.
IBM Chairman and CEO Ginni Rometty has said:
“Data is the phenomenon of our time. It is the world’s new natural resource. It is the new basis of competitive advantage, and it is transforming every profession and industry. If all of this is true—even inevitable—then cybercrime, by definition, is the greatest threat to every profession, every industry, every company in the world."
That’s why we need to shift the mindset in cyber security.
So everyone understands it is the responsibility of everyone.
That’s why – in this era of data – we need everyone to understand they have a role in keeping our nation, our economy, our people safe and secure.
That’s why technology producers and developers need to continue to innovate and improve the safety, security and cost effectiveness of the products they create.
That’s why government needs to ensure clearer education and communication.
That’s why we need a behavioural and cultural change, and fast.
So we can all be empowered and resilient enough to reap the rewards of this new resource.