Going into R5 in Russell is an odd experience. Being completely device free is a rare thing in modern life. But when one wants to speak to Lieutenant General John Frewen, the Principal Deputy Director-General of Australian Signals Directorate (ASD) and current head of the Australian Cyber Security Centre (ACSC), rules are rules.
A career infantry officer, LTGEN Frewen is the top uniformed cyber man in the land.
He has been wearing two hats as the head of the ACSC within ASD, since Alastair MacGibbon moved back into industry.
ASD has made a conscious decision to come into the light as it were. Both LTGEN Frewen and ASD Director-General Mike Burgess are increasingly making public remarks about the shadowy nature of their world. While not pointing fingers at particular threat scenarios or outlining in detail the cyber warfare landscape, the focus is on attracting and retaining a cyber workforce for both defensive and offensive operations on behalf of the Australian government in dealing with media.
ASD has been a statutory authority for barely a year now, in the wake of the 2017 review into Australia’s intelligence community. The review recommended that ASD’s legislative mandate be amended to explicitly recognise its national responsibilities for cyber security, including the provision of advice and assistance to businesses and the community and that it take formal responsibility for the ACSC.
On 1 July 2018, following the passage of the enabling legislation through Parliament on 28 March 2018, ASD became a statutory agency. This is the most significant change to the organisation, and its antecedents, since the Defence Signals Bureau was established 72 years ago, in the aftermath of WWII.
“The move to become a statutory authority has given us greater flexibility in attracting and retaining a highly specialised technical staff,” LTGEN Frewen explained to ADM. He also noted that the organisation is not after purely technical people in all cases. “We need curious minds with creative problem solving skills too.”
ASD and ACSC
LTGEN Frewen was clear that his double hatted status is a temporary move until Rachel Noble replaces MacGibbon as head of ACSC. ASD has grown and expanded from support to military operations. As ASD transitioned to statutory authority status in 2018, the Chief of the Defence Force was very keen to ensure ASD didn’t get drawn away from support to military operations. LTGEN Frewen brings a ‘customer set of eyes’ to the range of intelligence and cyber challenges that both Defence and government similarly face.
“Deployed and home-based systems are increasingly integrated and the challenges are growing as more devices and platforms become connected. There’s no going back and the world is only going to become more connected,” LTGEN Frewen said.
The industry facing side of the piece under ACSC has been an interesting transition for the organisation, with the government workforce seeing a mix of security clearances depending on the task at hand, with movement between cyber sections more free under the new model.
“We have Joint Cyber Security Centres (JCSCs) in all capital cities except Hobart and Darwin. Not just Canberra – they provide a space to talk to industry, to hold training, exercises and discussion. They play an important part in raising awareness and increasing cyber resilience. The community, business and government can come together to get advice,” LTGEN Frewen explained to ADM.
This is a frequent activity for ACSC as ‘there is no set and forget cyber solution’, LTGEN Frewen said. ASD works closely with Major General Marcus Thompson’s Information Warfare Division in VCDF Group. See ADM’s May edition for more on Information Warfare Divisions’ work under MAJGEN Thompson.
“Cyber awareness is increasing, we need to keep apace of the constantly evolving threat,” LTGEN Frewen said. “Cyber security is hard but the majority of the threats are known and can be effectively mitigated by applying ASD’s Essential Eight (see box for more on the Essential Eight).
“Third party providers are a concern as vulnerable in the supply chain. We need an enterprise wide approach when it comes to cyber management across the supply chain.”
More than ICT
Confirming that cyber is not just an ICT problem but a whole of business and whole of government issue, cyber policies need constant attention as threat actors are persistently looking for opportunities. This awareness is a rising tide that is benefitting everyone, LTGEN Frewen said.
“Our resilience can always be better but there are so many resources available to support government agencies and business looking to make sure they are working to an appropriate level,” LTGEN Frewen explained to ADM. “The future will hold many challenges for us. AI and quantum computing era will mean things we can’t yet possibly comprehend. There are great benefits to mankind and risks too. We need to evolve as we won’t need humans to build firewalls, we’ll need to train them to work in the cyber security space of the future. Clearheaded and sophisticated thinking is required to ensure we are prepared for the future. Humans are central and essential to being prepared.”
This article first appeared in the July 2019 edition of ADM.