Patrick Durrant | Sydney
Former ADF Cyber chief Major General Stephen Day (Ret’d) says the Turnbull Government’s Cyber Security Strategy released in April is a good start in the race to tackle the asymmetric threat posed by cyber criminals and foreign intelligence services, but fighting it isn’t the duty of government alone.
“This is not a problem that government alone can solve, this is a problem that all of us – government, industry and academia – have to get together and solve,” says Day, who was also the inaugural head of the Australian Cyber Security Centre (ACSC).
Talking to ADM following his participation as a keynote speaker at the Intel Security Innovation Forum in Sydney on 2 June, Day says the strategy is an ‘up to date, plain English, sensible one’.
“There’s some solid, new money being put into it and that’s good news. The challenge now is those involved will need to roll up their sleeves and get on with it, and commentators should focus more on how it is being implemented.”
Day admits only the passage of time will truly tell if “we are heading in the right direction on the cyber front, but at least now there is a map to help us get there”. He stresses that the operating space where malicious actors play in cyberspace – “that myriad of interconnected networks” – is not owned by governments, but rather by private businesses, telecommunications companies, ISPs and the like.
“They have a role to partner with government to understand what’s going across the networks and then businesses themselves need to set up their own programs for their staff and then institute some preventative measures to minimise the chances that they themselves are compromised by these sorts of attacks,” Day says.
Within business, he says the responsibility to stem the threat shouldn’t rest solely with the IT department, but should be led by the senior leadership team.
“Leaving this to the IT department is what most businesses tend to do – but this is senior leader business, it’s a business risk, and a very significant one at that,” Day says.
“The solution space is in part about technology, there’s no doubt about that, but it’s also about people, appetite for risk, allocation of resources and policies and procedures. These things aren’t controlled by IT departments, they are controlled by executives and boards. Those people need to own these risks.”
Day also says much of what IT departments communicate to senior leadership on the issue of cyber security gets lost in translation.
“The technical language employed by them can at times be ‘befuddling’ to people, and one of the reasons senior leadership is not adequately engaged just yet is because they can’t understand the problem, let alone understand their role in the solution space.”
The problem would be better communicated to business if it were framed in terms of risk, according to Day: “Business is used to dealing with risk, they understand that language, so if you can frame what you are trying to describe in business risk language then you are more likely to get traction.”
Acknowledging there was a disconnect between academia and practitioners on cyber security (see ADM’s story last week), Day says this is “entirely understandable”.
“Unlike a lot of other human endeavours, cyber and cyber security is, in human terms, relatively new.”
Compared with other disciplines such as engineering, where “for even hundreds of years there has been a cycling through of practitioners into academia and vice versa”, Day says the cyber security discipline “just hasn’t been around long enough”.
“In other disciplines there is a good understanding between what is being researched and what is needed on the ground – it is missing in cyber security at the moment but that means that people like myself who have that experience need to reach out to academia and help it to focus on the problems we are all struggling with at the moment.”
If Day had a dollar left to invest in the cyber security fight, what would he spend it on?
“If you’re not aware of what the problem is then you’re not going to be able to do something to fix it,” Day says. “Especially for the smaller SMEs, we all need to raise the awareness level among those companies.”
But he’s confident that the tide is turning.
“There’s a critical mass of people who now understand that this is as much a human problem as it is a technical problem.”
ADM’s Cyber Security Summit will take place in Canberra on 21-22 June.