Despite opening statements by the Minister of Home Affairs, the Hon Peter Dutton MP, to the Australian Cyber Security Centre Conference 2018 (#2018acsc), held 10-12 April in Canberra, the Shadow Assistant Minister for Cyber Security and Defence, Gai Brodtmann MP, highlighted that Australians need to develop the same attitude to cybersecurity as we apply to water safety on our beaches. Dutton outlined the diverse range of government initiatives including new Critical Infrastructure legislation, foreign espionage legislation, new departmental structures and addressing the scale of the cyber security problem, in terms of cyber bullying, child exploitation and now impacts on the small business sector. However, Brodtmann proposed, “I don’t get a sense we are working towards a common goal. What is Australia’s mission in the context of cybersecurity?” In terms of water-safety, Brodtmann referred to ‘slip slop slap’ and ‘swim between the flags’. “What is the key message for cybersecurity?”, she asked.
The government and opposition understand that cybersecurity is everyone’s responsibility, Brodtmann said, “We need to address, in light of all the changes going on, a range of challenges that still prevail in our ecosystem, and that begins with Government. I’ve been calling on the government to take the cybersecurity of government agencies seriously since the release of the 2014 ANAO audit and Cyber Resilience Report, when no agencies were found to be compliant. In the follow up audit, only one government agency was found by the ANAO to be compliant with security standards. Government agencies should be the standard that others in the community measure themselves. Frankly, we have got to do better on the government agency front. We have to get our house in order.”
“This is a whole of community issue and we need a national education campaign”, she said, suggesting ‘patch and backup’ is a suitable message. Brodtmann also claimed, “We need one point of truth. There is no clear ‘go to’ in Australia.”
With Australia reported to be short of up to 19,000 cybersecurity professionals, as well as needing diversity in skills, Brodtmann asked what the Government’s key performance indicators were and how we know we are succeeding in this space. “We need to get industry and government working together to address these issues,” she said.
Mike Burgess, Director-General Designate of the Australian Signals Directorate, who commenced in January, reiterated that cybersecurity is a global problem and that the successful identification and management of cyber risk across the community, business and government is critically important, referring to the 2017 Independent Intelligence Review, which recognised this and the requirement to have a seamless connection between the ACSC and the ASD. In March, the Intelligence Services Amendment (Establishment of the Australian Signals Directorate) Bill was passed by Parliament.
Outlining his priorities for the next 12 to 18 months and his new role, Burgess said, “We will establish a seamless integration between the ASD and Australian Cyber Security Centre and from July 1 this year, the ACSC will become part of ASD, including staff from CERT Australia and a small contingent from the DTA.” “Absolutely certain”, said Burgess, “the collaborative potential will increase as a result of this but you will also see a change of emphasis and span of engagement will be changed. The new legislation introduced two key changes in this regard. First, ASD’s advice and proactive assistance remit on cybersecurity is now expanded to include community, business and Government and the legislation also included a new function to combat cyber enabled crime. The ambition and expectation of the Ministers is high”, confirmed Burgess.
In the context of cyber enabled crime, this includes pure play cybercrime, that is, hacking for criminal purposes. This also includes nation state actors, as well as cyber enabled serious crime. Combatting cybercrime will continue to be a ‘team sport’, said Burgess, and coordination with the Australian Federal Police, Australian Criminal Intelligence Commission and the Australian Security Intelligence Organisation (ASIO) will be more important than ever.
“ASD focus will shift and broaden,” said Burgess, “the Centre’s focus will cover business, community and government, backed with the full support of the ASD. My expectations for the Centre include comprehensively understanding the cyber threat to Australia, providing timely proactive advice and assistance that makes a real difference across the community, business and Government. The Centre’s work must lead to an improvement in the identification and management of cybersecurity risk for all Australians. My key priorities for the next 12 months include a national assessment on Australian cybersecurity, with an initial focus on critical infrastructure. Collaboration with major internet service providers and critical infrastructure providers to drive out known problems and equally important, identify first seen new threats. Executing counter cybercrime campaigns will also be a priority, as will outreach and influence to improve the identification and management of cybersecurity risk.
“We live in a connected world. Everything is being digitalised and everything is being connected and everything is driven by software. There is no doubt the full potential of this is yet to be fully realised. However, with these same benefits comes some serious risk. In this digitalised world it is timely to remind ourselves that security also includes integrity and availability, not just confidentiality. We all have much to do.”
Alastair MacGibbon, National Cyber Security Adviser and head of the Australian Cyber Security Centre, outlined the top level threats and activities. “We do security for the purposes of enabling of opportunities. Time for incremental shift is over and there is an ambition and expectation to do more.” Describing the 2016 Cyber Security Strategy as now being in a state of accelerated cybersecurity strategy plus, MacGibbon confirmed the Government is seeking to do things faster and with more ambition.
The Census failure in resilience helped change the political dialogue. The WannaCry and NotPetya ransomware attacks helped educate on how fast things can spread, and the Russian interference in the US elections has shown the threat to democratic systems. With the Notifiable Data Breach legislation, and the OAIC releasing NDB statistics this week, it is clear that since the 2016 Cyber Security Strategy, there have been significant changes to the government ecosystem.
Providing a top level view, MacGibbon outlined the increased sophistication in tools and tradecraft, increased infiltration and exploitation of third parties, such as global ISPs, and exploitation against routers to compromise networks. “We expect more nation states to enter this field”, said MacGibbon, “and the weaponization of malware is expected to increase.” Cyber espionage is alive and well and in March the USA formally accused Russia of cyber attacks against the US energy sector since 2016. MacGibbon reported seeing more modularised processing attacks against SCADA systems to override safety systems and noted this may be indicative of how some nation states are thinking.
Alongside cyber warfare and cyber espionage, cybercriminals continue to launch large and targeted ransomware campaigns, wholesale theft of personal data and targeted attacks on banking systems and cryptocurrency exchanges. Increased credential harvesting malware, rising DDoS attacks and social engineering continue, including business email compromise. Over the next 12 months, envisioned MacGibbon, “anything worth money, criminals will try to steal.”
By Chris Cubbage, Executive Editor
MySecurity Media will release a series of podcast interviews conducted at the ACSC Conference 2018, including interviews with Alastair MacGibbon, Liz Jakubowski, Director of Ribit.net, and Rupert Taylor-Price, CEO of Vault Systems, and more.