
The last many of our readers would have heard of the Australian Cyber Security Centre (not to be confused with the Australian Command & Staff College) was a year ago, when then Prime Minister Julia Gillard announced its establishment.

At the time, ACSC received a grilling from the then Coalition in Budget Estimates. Major General Stephen Day, Deputy Director for Cyber and Information Security at the Australian Signals Directorate (ASD), was appointed its first ‘coordinator’, according to last year's ADM cyber security summit.

A graduate of Officer Cadet School at Portsea, Day was commissioned into the Corps of Royal Australian Engineers in 1982. His operational service led to deployments to Namibia, East Timor and as the Director of Strategic Operations with the Multi-National Force in Iraq. For his service in East Timor with the International Forces, Day was awarded the Distinguished Service Cross.

He was appointed Deputy Director Cyber and Information Security following the departure of Mike Burgess to take up an appointment with Telstra last year.

“ASD will provide the majority of the new centre’s staff and about 73 percent and the majority of the centre’s capability,” he explained at one of his first public appearances at ADM’s cyber security summit last year.

“My intention is that the ACSC will become a one-stop shop for cyber security. Behind the shop front, we are going to work out who is best positioned to deal with the issue at hand,” he said.

While there was no new funding, in the bearish budgetary environment, flat was up, he quipped.

Day clarified some of these issues in ADM’s exclusive interview.

ACSC established

Firstly, the ACSC does not yet exist, but remains an initiative being implemented by Government after the announcement in January 2013. As Head of Cyber and Information Security at ASD, Day will be the coordinating chief for ACSC and will oversee around 200 ASD staff.

Over the last few months Day has been working to establish the collocated agency within the yet-to-be-occupied Ben Chifley Building, due for completion about May this year. Meanwhile, the annual frequency of cyber threats continued to increase.

Furthermore, ASD estimates four out of five attacks are state sponsored. The rest are attributed to cyber crime (14 percent) and individuals or ‘hacktivists’ (some 6 percent).

In response, Day estimates the ACSC will expand to around 300 staff with the co-located agencies by August 2015.

But a further three to four months will be needed to make the building suitable for ACSC’s requirements. This includes additional technology fit-out that could see the final ACSC occupation as late as December 2014.

In practice, the technology architecture to suit ACSC requires connecting the different systems of all five of its member organisations (AFP, ACC, CERT AU, ASIO and ASD) to the ACSC premises.

There will be a central ‘Operational Area’, fitted in horseshoe fashion with multiple digital displays, including one large, imposing one, to display the data and applications available to all ACSC staff. This will be the core intelligence system for all ACSC staff, to be used in conjunction with each of their own systems.

It will mainly involve network cabling, a separate feed off and into existing data stores, and security access layers rather than an entirely new system.

One stop shop

ACSC will become the new one-stop shop by 2015. Once accommodated, ACSC will take over the function of the Cyber Security Operations Centre (CSOC).

CSOC has two main roles: providing government with a better understanding of sophisticated cyber threats against Australian interests, and coordinating and assisting operational responses to cyber events of national importance across government and systems of national importance.

In addition to absorbing the CSOC, the ACSC is designed to ‘realize synergies’ through increased sharing and collaboration among the five organisations and by taking a broader overview of cyber security threats, allied with a single point of contact for industry.

The Government hopes to achieve efficiencies and the overall annual budget will remain static with innovations to be funded from the partial consolidation of the five organisations with resourcing drawn from their current budgets on a pro-rata basis.

Leading edge organisation

Day likes to describe the ACSC as a ‘breakthrough’ in dealing with the myriad cyber threats now emerging.

Counterparts from allied countries including Canada, the US, Japan and the UK have sought briefings on ACSC. Day believes it will become influential as a way of organising nationally against cyber security threats.

It will combine the no-nonsense four-fold prescriptive strategies of ASD per its ‘Catch, Patch and Match’ launch in October 2012 that claims to defend against 85 percent of intrusions.

He adds the ACSC will better address the three elements of technology, people and culture under its broader mandate.

Interface with other federal agencies and major corporations

It is no secret that the cyber security agenda has been fought over and passed around various agencies over the past five years.

A frequent question ADM encountered among academics and industry contacts when preparing this feature was how capable the ACSC was to fulfil its coordination and leadership mandate.

At various times the official cyber security action has been passed between the Attorney-General’s Department, Defence and the former Defence Signals Directorate (now ASD), Defence Science & Technology Organisation, the Australian Federal Police, the Prime Minister and Cabinet and even the former Department of Broadband Communications & the Digital Economy.

“We have so many different factions located in Canberra,” Professor Jill Slay, Director of the new Australian Centre for Cyber Security (ACCS) at UNSW Canberra told ADM. “It would be more efficient if they were all working together.”

She was attracted to the ACSC’s coming under a senior military person. It could bring all the parties together, and offered a common platform for working with vendors and academia. “There are so few of us in this country who are qualified to do this stuff, we have been divided. And I know exactly why we have,” she said. “With the leadership of cyber security in Stephen’s hands we are actually getting all the players in one room – or at least one building.

“There have been really nasty angry people, big players, who have defeated any effort for collaboration.”

Her initial impressions of Day were positive. “I was very impressed with him and his ability to lead,” she noted.

For insights on Day’s approach, it’s worth trawling through his plain-speaking Notes on Command for Commanding Officer in the Australian Army Journal (Autumn 2010).

“My first and most important message about risk is that, in war, if you have a choice, take the bold option,” Day advised Army Commanding Officers back in 2009.

This would appear to be applicable to cyber wars as well.

In practice, the ACSC will be overseen by a Secretaries-level board, the Cyber Security Operations Board (CSOB), chaired by the Attorney-General’s secretary, with representation from Defence, Prime Minister and Cabinet, DFAT and the Department of Communications, and the Agency Heads of ASIO, ASD, AFP and ACC.

According to the 2013 Defence White Paper, CSOB will have a mandate to report regularly to the National Security Committee of Cabinet. 

Day expressed confidence that CSOB’s collective seniority should be sufficient incentive to ensure all federal agencies comply with the spirit and letter of directives and guidelines issued.

Priorities are cleared and approved each year by the CSOB. The Attorney-General’s Department (AGD), under the Protective Security Policy Framework, requires agencies to provide an annual report, due in August each year, on their compliance with guidelines.

“If an agency has problems complying with requirements, it is usually due to a lack of understanding,” Day says.

Day also points to the consolidation of Government internet gateways from over 140 to just eight gateway agencies by the end of this year, adding it would reduce the scope for information leakages.

In addition, he plans to improve awareness of ACSC’s mandate and services with a conference for various IT security staff around the second quarter of 2015.

Engagement with industry

At this stage, engagement with industry and major infrastructure organisations is handled by the AGD. However, with the collocation, ACSC should be able to have a stronger engagement with major industry groups in the private sector.

He would like to issue official national statistical benchmarks to keep government and industry informed of Australian cyber security threats.

He was yet to decide if there should be an annual report of ACSC’s activities and threats to watch but hoped to issue regular advice from time to time.

He agrees there is a need for improved staff education generally. This will involve more case studies and guidelines to help senior managers appreciate the importance of being aware of threats and dealing with them as soon as possible.

ACSC will continue to alert those staff to potential vulnerabilities through pre-arranged penetration testing from time to time.

Though he believes the ACSC structure will serve Australia well, he cautions against expecting any quick fixes. It will be a learning process and needs to cope with longstanding, ever-changing problems.

ASD has issued guidelines on Bring Your Own Device (BYOD), called ‘Risk Management of Enterprise Mobility including BYOD.’ Day disputes the views of some commentators that Australia (at least at the Federal Government level) trails other countries in managing cyber security threats.

Dean Frye, technical director of SourceFire for the Asia Pacific, agrees with Day that Government and large enterprise segments are as equipped as any other country.

However he adds that Australia seems behind in some large segments. “In critical infrastructure we were slow to get going and we have quite a long way to go with companies that rely on industrial network manufacturing or gas,” he said. “Non-traditional computing devices that are being connected to run your heating can add new vulnerabilities and risks.”

He ventures some of these critical companies seem slower than their overseas counterparts to put in place appropriate analysis and action plans in the event of a sustained attack.

Matt Tett, Managing Director of Enex Labs, who does regular work for Australian and overseas Governments, felt there was still a gap in the local marketplace for quality assurance in security products and services.

“How does one form an evaluation of a product to get that level of assurance to offer levels of security that they require?” Tett asks, pointing to his work with the UK Government back in 2007 which embraced and established common standards much earlier.

Day would agree some countries may have strengths and resources in some areas. He concedes the US was strong in technology solutions. The UK had best practice outreach with academia, and the Canadians were leaders in Gateway programs.

ACSC is sensitive to such developments and he expects its pragmatic approach will be able to take on board such developments more flexibly.

“Cyber security is a team sport”, he says.
