
The fourth ADM Cyber Security Summit was notable for the continuing lack of a cohesive, resourceful Government approach to major threats.

This year’s summit had the advantage of clarifying that cyber security policy in Australia was the preserve of the Office of Prime Minister & Cabinet.

The coordination of cyber security operations remains with the Attorney-General’s department, broadly executed via the Australian Cyber Security Centre – a one stop shop, headed by a Defence officer in charge of the Australian Signals Directorate (ASD). The ACSC will coordinate the activities of ASIO, AFP, CERT Australia and other elements through a co-location of some of their staff in the Ben Chifley building (aka the new ASIO building).

Yet the resources, timing and overall approach still seem more a work in progress according to presentations at the Summit.

ACSC itself answers to the Cyber Security Operations Board, chaired by the Secretary of the Attorney-General’s Department, which includes representatives from Defence, Australian Signals Directorate (ASD), ASIO, AFP, Communications, Finance and PM&C.

Mike Rothery, First Assistant Secretary of the National Security Resilience Policy Division at the Attorney-General’s Department, revealed that the Board’s “biggest governance challenge” was how the operational agencies will migrate into ACSC and its immediate agenda with industry (scheduled for later this year).

Demands from mature and less mature companies

He found that while everyone seemed to have a good idea of what the ACSC was going to offer, he detected two distinct demands from industry.

On one hand, many company boards were still coming to grips with cyber threats and how to manage them. They sought more information on the extent of the threats facing their sector, on evaluating and managing the risk, and on how it affected revenue shares and bottom lines.

A smaller proportion of companies, approximately twenty per cent, which Rothery dubbed “more mature”, understood the threats. They were keen to share their intelligence, preferably through real-time network gateways between Government and industry.

The dilemma for ACSC and the government was how this difference in maturity could be managed and how it should frame its agenda.

“We need to experiment. We need to find out what works. We need to welcome people in. We will not have those sorts of capabilities in the first day,” Rothery warned.

The more mature companies hoped ACSC would roll out a fast moving network alert system to warn of coming threats. This was unlikely to occur from the outset, he said.

“We have to change the way we engage. We need to ‘strategise’ what we say to each company’s Board that is actually going to drive change downwards in an organisation,” he added.

For several representatives at the summit, such tentative counsel suggested uncertainty, which was inadequate at a time of a potentially serious threat.

Command and Control
Could the time be ripe for more radical measures such as an Australian Cyber Force? So pondered Lieutenant General (Retired) Peter Leahy, former Chief of Army and Director of the National Security Institute, University of Canberra.

Proposing a force modelled on the Australian Border Force recently announced by the Minister for Immigration and Border Protection, Scott Morrison, Leahy pronounced that “command and control” arrangements were too unwieldy to respond to a serious threat.

It was high time for a single point of contact for international engagement, a single line of resourcing, clear focus of R&D effort, agility and the ability to react to developing situations.

Leahy questioned separating cyber security policy and operations.

Lynwen Connick, PM&C’s FAS Cyber Policy & Intelligence Division, countered that Leahy failed to appreciate the complexity of arrangements.

“We each have different roles in cyber security,” she said. “But they need to be joined up and coordinated. PM&C is the lead agency in delivering cyber security policy.”

While conceding PM&C’s role as the lead agency on cyber security policy was “a little unusual”, it reflected the importance the Government placed on cyber security, she said.

She went on to distinguish “cyber policy” (the full spectrum of digital activity, e.g. ISP regulation, the digital economy, child safety and everyday cyber security policies) and “cyber security policy” (the measures to ensure the digital environment is fully secure).

PM&C was the point of coordination for all cyber policy issues across Government. But it also developed cyber security policy, she added.

“My role is to ensure that appropriate policies are in place to support the management of cyber threats to Australia and our operational responses to cyber incidents,” Connick said.

Cyber Incident Management Arrangements (CIMA) based around a three level classification of incidents had been put in place recently, she revealed.

Asked to explain how she would secure cyber security strategy without an overarching national security framework, Connick questioned whether cyber security was a subset of national security. Many cyber security issues did not affect national security, she said.

The nagging issue remains: is the Government well positioned to address threats to Australia?

Can we secure our Government assets?
A related question is whether resources to secure Australian assets, including those of the Government, are adequate for the responsibilities being taken.

The first official audit, issued the week following the Summit, suggests perhaps not.

The top four strategies – the minimum security requirements – prescribed by ASD were:

  • application “whitelisting”: only specifically selected programs can be executed;
  • patching applications;
  • patching operating systems; and
  • minimising administrative privileges.

Yet seven agencies holding our nation’s personal or commercial intelligence (Australian Tax Office, Bureau of Statistics, Human Services, Customs & Border Protection, Australian Financial Security Authority, Foreign Affairs & Trade and IP Australia) failed to comply with all of the top four mandatory cyber security strategies from the Australian Signals Directorate.

Entitled Cyber Attacks: Securing Agencies' ICT Systems, the Audit found none of the seven agencies complied with all four of these requirements by July 1 as required.

Moreover, trends in compromise are rising, steeply.

New locally sourced data on cyber threats from Joe Franzi, Assistant Secretary Cyber Security of ASD and David Campbell, Director of CERT Australia provided valuable official records for the first time.

Serious incidents recorded had grown from 1259 in 2011 to 2168 in 2013. Of the 940 incidents ASD investigated in 2013, 49 per cent were from the Federal Government, twenty-three per cent from non-Government sources, eleven per cent from State or local Governments and the rest from other or multiple jurisdictions.

Forty-eight per cent of the attacks were attributed to other State Actors, forty per cent unknown, nine per cent cyber crime and three per cent “hacktivism”.

The CERT Australia cyber crime survey revealed overall the number of incidents increased in 2013, as did targeted attacks – especially targeted emails.

Significantly, sixty-one per cent of private companies did not have cyber security incidents identified in their risk registers. Most businesses (fifty-seven per cent) chose not to report a breach to an external agency.

Why do the bad guys still finish first?
Complementing this gloomy picture, Jason Healey, director of the Atlantic Council’s Cyber Statecraft Initiative (US), concluded from his 25-year history of cyber-attacks that most cyber strategies have failed.

Healey identifies four common strategies for dealing with cyber threats: technological, crime fighting, espionage protection or fighting “cyber wars”.

These strategies have been well resourced because they often bring the Government as the main driver.

He concludes few computer security controls can prevent an adversary from accessing the information sought.

Reportedly the Pentagon spends roughly two and a half times more money on offensive cyber research in its yearly budget than it has on defensive cyber research. In practice, Google, Microsoft and many US-based cloud companies found the US was as much an adversary as other state players.

The three historic lessons Healey draws from his study The Fierce Domain (2013) are that threats are driven by market forces, that they are especially aggressive in areas of espionage, and that there are real attacks against national security. These have been well founded and documented many times.

The more recent lessons are the rise in professionalism by both attackers and defenders.

Significantly, cyber-attacks are no longer attributed to the “bad guys” and the scope and scale of the attacks are on the increase.

Unchanged over the last 25 years are computer vulnerabilities, the categories of threat, identities of low and high end threat players, the general ineffectiveness of defences, the dynamics of cyber conflict and the relationships between offence and defence.

He observes destructive attacks are always “five years away”.

Healey is pessimistic about measures such as public education. Furthermore, market forces will ensure there are no skills shortages for rogue organisations.

He warns that Governments are going to lose their influence, if they continue to be ineffective. He muses whether it’s time for the private sector to be given more encouragement in addressing breaches.

Let’s stop using the term cyber and start focusing on the real problem

So are we at a so-called tipping point to look for alternative approaches?

Staff errors and a poor security culture were the main internal factors that led to IT security breaches last year according to CERT Australia.

Why can’t Government approach the issue like an economic, environmental or health problem? Healey suggests a cap-and-trade approach as another means of managing cyber risks by companies and offering a financial incentive.

To be effective, these require a more transparent approach to data breaches and disclosure of the breaches. Many cyber security issues are not new. Nor do they move at lightning speed at all. The most effective breaches tend to be based on social engineering and spoofing.

For a start, let’s drop the term cyber. It’s just a synonym for computer or network anyway. It sheds little light other than implying that it’s a technical problem, when it’s more likely a user problem.  
