Patrick Durrant | Sydney
Last week saw the Prime Minister announce a new Cyber Dialogue during his visit to the US and the release of studies painting a dim view of the ADF’s preparedness for the prospect cyber-enabled warfare. In addition, the recent hacking of the Bureau of Meteorology’s supercomputer by a foreign nation raised questions about Defence’s ability to cope with threats to what is in essence a fundamental input to its capability.
The Cogito Group is an Australian owned ICT company specialising in cyber security and ADM spoke with CEO Richard Brown to get his perspective on these matters, as well as his hopes for the forthcoming White Paper and Defence’s current approach in a realm of constantly evolving threats.
“Cyberspace doesn’t respect boundaries so sharing information about attacks is a vital first step,” Brown said with regard to the PM’s announcement.
“I think we've got a lot to learn from the US, especially in our government space – they are far more advanced in terms of protection, despite having had some huge setbacks.”
A study by retired RAAF Group Captain Keith Joiner released by the Australian Centre for Cyber Security warned that the ADF needs to do much more to ensure its current weapons systems can withstand a cyber-attack, particularly during the test and evaluation (T&E) phase.
Brown said he wasn’t overly concerned by this, stating Australia rarely developed such systems from scratch – with programs such as the Air Warfare Destroyer for example, it relied on integrated systems from other countries that conformed to a common criteria.
“This way the T&E will be performed by say, the US, and it means Australia doesn’t have to redo all of the work.”
Brown thinks it is important that T&E processes are agile and relatively inexpensive but also warned that in outsourcing services to companies, Defence needed to be very careful that such companies weren’t competitors.
Brown said Defence had certainly achieved successes in IT security but these were often in danger of becoming something of an Achilles Heel.
“For example in terms of perimeter protection they have been really good – to the extent that this has been to their detriment because they haven’t looked elsewhere.”
Indeed, Defence-in-depth is something he thinks the Department could do better, in particular a better focus on individual and device authentication encryption and improved controls on access.
Instances such as the release of classified NSA documents by Edward Snowden and the recent BOM supercomputer penetration provided the unpleasant but necessary wake-up calls Defence needed to ensure it was never complacent on cyber security, according to Brown.
The former government contractor and founder of Cogito Group said his business was mostly about countering the problem once it had penetrated the perimeter.
“Whether they get in via a USB stick or a phishing email attack, we are more about that internal data protection – especially now that's moving into the cloud. So we’ll protect it there as well, even preventing access from the cloud service provider,” Brown said.
“A good example of that is Office 365 encrypting data loads that go into Sharepoint and OneDrive, so that even Microsoft doesn't have access to the information, only the organisation does.”
Brown warned Defence had to be careful about the risk of outsourcing security of its data to the cloud service provider.
“They’re not outsourcing the responsibility for that risk, if the data is compromised the buck still rests with them.”
Brown said he’d really like to see a focus in the White Paper on getting more resources to tackle the cyber security challenges it faces.
“I’d like to see them actually commit to building more of an internal capability – this would give an appreciation of where the shortfalls lay, and in turn identify where industry could fill the gap.”
He also wants to see Defence adopt a fluid approach to the outsourcing/insourcing question.
“So perhaps those things that Defence is doing well could continue to be insourced but it needs to be more open to the idea of outsourcing those things which it isn’t doing particularly well – forming partnerships if necessary and constantly re-evaluating the best way to achieve positive outcomes,” he said.
Cogito Group will be marking its fifth year of operations in June and has already established an office in New Zealand, where it is performing similar contracts to those it has with the Australian Defence Organisation.