Launch of Cyber Security Centre Conference and discussion on cyber attacks in Australia

April 23, 2015

Yesterday the Attorney General gave the opening address at the Australian Cyber Security Centre Conference. This morning there was an interview with the coordinator of the Australian Cyber Centre, Major General Stephen Day.

As speeches go it was good, touching all the right bases on all the right issues: that cyberspace ties in with most everything done in everyday lives (encompassing the internet of things amongst other matters), that effective cyber security ties in with confidence in financial and other transactions, and that cyber attacks and attackers now have varied motives.

The Attorney General is wrong in claiming that the private sector has been investing heavily in cyber security. Some industries yes, other areas not at all. Part of the reason for that is that there is a perceived weak regulatory regime in place regarding compliance with the Privacy Act. For some, if not many, organisations that is a contributing factor in their IT and training spend.

The Cyber Security Centre Conference clearly has a place and it says it responded to 11,000 cyber incidents (whatever that term actually encompasses). Government can assist in improving cyber security: it can educate, it can identify trends, it can liaise with equivalent agencies overseas, and all of those things are useful. But it is building a culture of privacy compliance in the public and, especially, private sector that is more important in the immediate term. That has to involve proper enforcement of laws and regulations, much as the ACCC does with Consumer legislation and ASIC does under the Corporations Act.

And there is the rub. There has been a lack of active, high profile enforcement against poor privacy compliance, both in cyberspace and on land, under the Privacy Act. Poor enforcement results in poor compliance. That is human nature expressed through the companies they operate. There is always somewhere else to put money or time. Without such action the top down approach by the Cyber Security Centre, dealing with incidents as they arise, is incomplete and ultimately inadequate.

Further improvement to the Privacy Act, including expanding its scope of operation, and legislating effective data breach notification laws are also required.

The Attorney General’s speech provides:

Can I acknowledge a few people, can I acknowledge Major General Stephen Day, Coordinator of the Australian Cyber Security Centre, Dr Margot McCarthy, the Associate Secretary of the Department of the Prime Minister and Cabinet, can I particularly acknowledge our distinguished international visitors including Elly van den Heuvel, Secretary to the Dutch Cyber Security Council, Mr Jonathan Couch of iSIGHT Partners, Ms Marcelle Lee of the Anne Arundel Community College CyberCenter in Maryland and I thank them in particular and others who have come from elsewhere in the world travelling to participate in this inaugural Australian Cyber Security Conference.

As the Minister responsible, with shared responsibility for the Australian Cyber Security Centre and more generally with responsibility for National Security, including the protection and resilience of Australia’s critical infrastructure, cyber security is a key concern for me and my portfolio. 

Cyberspace is no longer a separate ‘online’ environment but completely pervasive and relied on in virtually everything we do in our everyday lives. And that’s why effective cyber security underpins confidence in our financial transactions, the accessibility of information and the reliability of critical infrastructure such as our electricity, telecommunications, even our road systems. In the digital age, the Australian economy has become reliant on cyberspace for continued growth and, therefore, strong cyber security is a necessary underpinning of economic security and national security.

You are no doubt aware of the sentiment articulated by the former FBI Director, Robert Mueller, who said, “there are only two types of companies: those that have been hacked and those that will be hacked. Even that is merging into one category: those that have been hacked and will be hacked again.”

Cyber criminals routinely target Australian businesses and citizens to steal information that can be turned into a profit. In 2013, it was estimated the global cost of malicious cyber activity, including cybercrime, is between AU$365 billion and AU$1.2 trillion. Last year, CERT Australia – within my Department – helped businesses to respond to more than 11,000 cyber incidents. Those are staggering figures.

The traditional distinctions between the various different types of cyber actors, their skills and tools, and even their motivations, are blurring. We no longer have neat divisions between State and non-State actors, with cyberspace being used for political and military advantage as well as profit. Some malicious cyber actors have little respect for boundaries or jurisdictions and cannot easily be placed in a particular category or profile.

Across the world, some state actors are involved in cybercrime, while hacktivists are conducting activities in support of Governments, not just for their own ideological causes.

Many of the cyber tools that threaten government agencies are also used to target Australian businesses. The international market for cyber exploitation tools is growing and becoming more accessible. So it is up to us to make sure our response is just as agile and networked so that we can meet – and ultimately defeat – the threats that these malicious actors pose.

In 2002, Richard Clarke, the former special adviser to the President of the United States on cyber security, famously said “if you spend more on coffee than on IT security, then you will be hacked. What’s more, you deserve to be hacked.” Since then the government and the private sector have been investing heavily in cyber security. But now we are looking to the next frontier – how do we maximise that investment? For us, that is about moving the conversation to investment in partnerships, rather than merely talking about funding.

That is why I am particularly pleased to be giving the opening speech of this conference today because this conference represents so much about the government’s commitment to cyber security.  I see it as a launch-pad for the Australian Cyber Security Centre (ACSC) – which has only been operating for five months but which has already established its vital role. This conference provides a forum for industry and government to come together and discuss technical and non-technical innovations and solutions for responding to cyber threats.

The ACSC provides the opportunity to ensure today’s discussions are ongoing and have long term practical effect. Our adversaries are resourceful and resilient so we must combine our skills and experiences to ensure we can match and exceed the challenges we face. The sharing of those skills and intelligences is the work of this conference.

It is self-evident that government needs to partner with business on cyber issues. Last November, the Prime Minister directed his Department to conduct a complete review of the government’s approach to cyber security. I note that Dr McCarthy is our next speaker, without in any way wishing to pre-empt her remarks I will merely observe that when the Prime Minister announced the review he made it clear that it will look for practical ways to improve our national security and work with business to make online commerce more secure.

The majority of Australia’s critical infrastructure is owned and operated by the private sector, hence the criticality of government-business partnerships. I know that Dr McCarthy and her team have been consulting extensively with business. It is now up to us to demonstrate that the government is listening, and responding, to the concerns that business may have.

Last year, prior to the review being announced, the Cyber Security Operations Board, which is chaired by the Secretary of my Department, surveyed 29 prominent Australian businesses across a variety of sectors. The aim was to gauge what business thought of how government was performing with respect to cyber security. Amongst the issues discussed, a recurring theme was that many businesses did not expect government to protect them against cyber threats. However, they want better, more timely and actionable information about cyber threats so they can better protect themselves. That is an important distinction and one that has not been lost on the government. In fact, it continues to factor as a major consideration as ACSC develops and comes to better understand the expectations of it out of its role.

Let me talk in a little more detail about the Australian Cyber Security Centre. When the Prime Minister opened the centre five months ago, it marked the beginning of new opportunities for Australian business to cooperate with government.

The ACSC represents a fundamental shift in the way that government wants to partner with business on cyber security. It is a centre to share information and develop solutions to defeat our adversaries and many of these adversaries are common to both the public and the private sector. The ACSC provides a single location for government and business to collaborate on operational cyber security matters.

The ACSC co-locates the elements of the government’s operational cyber security capabilities from within the Australian Signals Directorate, ASIO, the Australian Federal Police, the Australian Crime Commission, the DIO and CERT Australia. Combining the capabilities of ACSC agencies allows us to access a formidable stream of information and analysis of current cyber threats. The staff in the ACSC are some of the country’s most dedicated and highly skilled security professionals. They are working together to protect government and industry systems, prevent cyber espionage and apprehend cyber criminals. The Centre is also developing products that provide a single government voice on cyber security issues which will directly benefit industries that are critical to national security.

Establishing the Centre has been a complicated task. It has not been a case of just flicking a switch, moving some desks and enabling different computers to talk to each other. Each of the agencies in the ACSC has unique capabilities and mandates. Some of those mandates are enshrined in legislation. The co-location model protects these individual mandates and retains the reporting lines and oversight authorities that are specific to each agency.

Within this environment, we are exploring how our enhanced situational awareness can support each of the distinct agency missions. By co-locating these agencies in the ACSC we maximise the opportunities to leverage the skills, information streams and resources of each agency to improve the way we approach cyber security overall. The ACSC is making the Australian Government and Australian businesses a harder target for malicious cyber actors. That, of course, is its core mission and it provides new opportunities for government to partner with business on cyber security matters. It is making it easier for industry and government to engage with each other.

For the first time in Australia’s history, industry representatives will be invited into the heart of the Australian Government’s cyber security operations. The aim will be to provide access to near real-time information streams and the ability to work alongside one another.

We will have a team of cyber security professionals from industry and government engineering solutions to particularly complex technical issues impacting upon a range of sectors. There will be immediate pay-offs from this environment, including enhanced relationships and technical solutions that are readily applicable to a wider range of applications.

One of the key advantages of this deepening partnership will be developing more timely and relevant threat information that can be digested by the private sector. Because that is what business is asking for and we mean to deliver to business what it needs.

Of course, there are significant challenges for both government and business in sharing sensitive information that is sometimes derived from classified sources but we are determined not to place this in the ‘too hard’ basket. We will be asking industry to help us find the answers. Importantly, we want to understand how the ACSC’s collective information stores can be distilled or filtered in a way that would allow industry better insight into the prevailing threats and opportunities to better protect their systems.

As much as possible, we want this information to be targeted and actionable. We know this is likely to mean building on the briefings that we already provide to particular sectors and working with industry to develop tailored information exchanges that are beneficial for both parties.

Importantly, the ACSC will not be offering a service that can, or is already being, provided by the market. We want to see further innovation and investment in cyber security, and the Government recognises that the ACSC has a niche role in fostering this environment and that development.

It is also important to recognise that government does not have all the answers and we will be looking to our private sector partners to share their expertise and information, which is often well in advance of that of the government sector. Australia is not alone in taking this approach. As you know, in February this year, President Obama signed an executive order aimed at encouraging companies to share more information about cyber threats with the American Government, and its agencies, and with each other, in part, in response to attacks against Sony, Target and other American corporations.

While what I have outlined might seem ambitious, our plans for the Australian Cyber Security Centre don’t end there. We also recognise the importance of partnerships that reach beyond our borders and provide us with a rich regional and global picture of cyber threats and trends.

The agencies within the Centre already have, as you would expect, well-established operational relationships with many international counterparts – some of whom are attending the conference here today. The challenge on the horizon for the ACSC will be how to maximise these relationships to provide even better advice and support to government and industry on cyber security matters.

Again, this is not something the ACSC, or government, can achieve in isolation. We know that partnering with multi-national corporations and big business can provide access to the international stage in a way that partnerships with overseas agencies cannot always do. It is our challenge now to determine how that can be achieved in practice, and what government can offer in return for that cooperation. I believe this is another area that will be strongly influenced by the Cyber Security Review, and something that I believe Dr McCarthy will cover in her address shortly.

In closing, I’d like to remind everyone that, as I said at the start of these remarks, the Australian Government considers cyber security as a vital national security and economic security priority. But that doesn’t mean that it is locked away in a classified locked box somewhere – inaccessible to industry and the public. Quite the opposite. We recognise the only way to develop resilient systems that continue to foster confidence in our economy is to partner effectively across the public and private sectors, as well as internationally. The Australian Cyber Security Centre is an evolutionary step forward in achieving that goal, and I am excited by the prospects it offers for a depth of industry relations beyond what we have previously enjoyed in the cyber security field.

But it is only a first step. I hope this conference and the early days of the ACSC provide opportunities to canvass not just evolutionary steps, but revolutionary ideas on enhanced government and industry collaboration in the ever changing cyber environment. With those words might I formally declare this important conference open and wish you well in your deliberations. Thank you.

The AM story, “11,000 cyber attacks last year could be the tip of the iceberg, watchdog says”, covers much the same issues highlighted by the Attorney General. Stephen Day was right on the money when he stated that outside of the telcos, financial and resources sectors many companies are existing in an island of “comfortable bliss” and, by implication, are not spending enough money and effort on having proper security, cyber and otherwise. He describes getting awareness as being one of the challenges. Again, proper high profile enforcement by the regulator would go a long way to bringing companies to a proper state of awareness. At a point education alone is not the answer. That point is long in the rear vision mirror.

The story provides:

MICHAEL BRISSENDEN: Cyber attack is often talked of as one of the biggest security threats of the modern era. Online criminals consider Australia to be particularly lucrative – and government, business and individuals are all targets.

The Government estimates there were 11,000 cyber attacks against business last year. Cyber espionage has also become a powerful tool of foreign intelligence agencies.

Last year the Government established the Australian Cyber Centre.

The coordinator is Major-General Stephen Day, the deputy director of the Australian Signals Directorate, and he joins me in the studio this morning.

Stephen Day, welcome to the program.

STEPHEN DAY: Good morning to you Michael.

MICHAEL BRISSENDEN: What is the cyber security threat to Australia and how do you assess it?

STEPHEN DAY: I actually, I think you summed it up quite neatly. There are a range of actors who use cyber to achieve their particular ends. We have those who seek national security information, traditional espionage.

There are those who seek economic advantage by getting access into companies, finding what their strategies are, what their negotiating positions are, and there’s a significant proliferation of cyber criminals who are after the money of citizens but also of governments.

MICHAEL BRISSENDEN: And 11,000 attacks last year, that sounds like a lot. Is it a lot on an international scale?

STEPHEN DAY: It is a lot but actually what we really think, that’s probably just the tip of the iceberg. One of the challenges in this space is actually how do we collect all the data, how do we get knowledge of all that’s going on and we’ve just opened a new facility for citizens to actually report what’s going on.

So 11,000 is a lot, but actually we don’t think it’s the true picture.

MICHAEL BRISSENDEN: And can you get a handle on it? I mean are we always somewhat one step behind the technology in a sense?

STEPHEN DAY: Of course you can get a handle on it.

MICHAEL BRISSENDEN: (Laughs) That’s your job.

STEPHEN DAY: But the problem is relatively new. I mean, it’s been going on for a number of years but in terms of what our society is used to, it’s relatively new. So it’s probably going to take quite some time yet before we get a handle on it, but we must do that.

MICHAEL BRISSENDEN: Where’s it coming from?

STEPHEN DAY: Well, the threats to national security come from strategic competitors, there’s a range of those. We don’t go into specifics.

The most important serious and organised crime seems to emanate out of Eastern Europe. There is some in our region as well and of course, there’s some in Australia but most of it seems to come from Eastern Europe.

MICHAEL BRISSENDEN: Okay, now obviously you don’t want to talk about the other nation states that presumably are targeting us and others, that’s understandable but in terms of the business cost and the business effect, can you estimate a cost to the economy?

STEPHEN DAY: We don’t know how much it’s costing the economy. We know that there’s been an estimate that it costs Australians about a billion dollars last year in lost revenue. A lot of companies are quite reluctant to talk about the fact that they might have been subjected to a cyber intrusion or a cyber ‘compromise’.

What we do know is that Sony, who were attacked late last year, have set aside tens of millions of dollars for the next six months to try and recover their systems but this is not an easy thing to fix and it is not a cheap thing to fix.

MICHAEL BRISSENDEN: So companies themselves are obviously growing concerned about or are considerably concerned about this and are spending a lot of money on trying to prevent it themselves?

STEPHEN DAY: Some are. One of the great challenges here is actually to build awareness and I’d describe the situation in Australia as this, in terms of industry: there are some islands of excellence who are well aware of the problem and are doing something about it and I’d describe the telcos, our big banks, and some of our resource companies as being very solid in this area but my general view is that they exist in an island of comfortable bliss.

One of the challenges we’ve got is actually getting awareness out there. There’s plenty of good advice about how to deal with it though.

MICHAEL BRISSENDEN: What about terrorism and cyber terrorism? Presumably cyber attack would be considered an attractive weapon by terrorists, wouldn’t it?

STEPHEN DAY: I mean cyber is just another vector, just another means, but a modern one, to achieve ends that people have been trying to achieve for centuries through other means.

It is entirely feasible that a terrorist organisation could use cyber to attack a company, a power grid… But what we’ve seen so far is not so much that and that’s not a straightforward thing to achieve. It requires a level of sophistication and resources that most folks don’t have.

What they have been doing, though, is running this global reaching social media campaign to get their message out and to recruit our young.

MICHAEL BRISSENDEN: So, have you noticed, any anybody noticed Islamic State actually trying to engage in a more sophisticated way?

STEPHEN DAY: Not yet but we are ever conscious of that possibility.

MICHAEL BRISSENDEN: Have you stopped any attacks, not necessarily terrorist attacks, but I mean are we stopping attacks regularly?

STEPHEN DAY: Um, we need to be careful. We are careful about the use of the word “attack”. An attack for us is something that has a destructive element. Mostly what we see is people trying to use cyber to steal things – to steal money, to steal national security information or to steal personal identities.

Have we stopped any of that? Absolutely, we stop a lot of it every day of the week.

MICHAEL BRISSENDEN: Right, so it’s a pretty active area, obviously, 11,000 attacks – 11,000 instances. Those are the ones that you know of.

STEPHEN DAY: Correct.

MICHAEL BRISSENDEN: Right, so there could be a lot more?

STEPHEN DAY: Yeah, and indeed in this game there’s a lot you don’t know. So you know, in the earlier days of us doing this, it wouldn’t be for some months after something had occurred that we’d picked it up, but we’re much quicker today.

MICHAEL BRISSENDEN: How do we- how do individuals and companies protect ourselves?

STEPHEN DAY: Best advice I can give you is for people to go to the Australian Cyber Security Centre’s website, which is acsc.gov.au. In my view the world’s best advice is there. It is practical advice.

The solution here is not just about technology, that’s part of it. It’s also about people and for companies, it’s about resources and risks. Good advice out there.

MICHAEL BRISSENDEN: Okay, and just finally, you are conducting a review of how we are tackling our cyber security which I understand is coming out in the next couple of months. What do you expect, what are you finding, what do you expect to find and what can you say about it?

STEPHEN DAY: Well, that’s actually a review that’s been called by the Prime Minister and his department, Prime Minister and Cabinet, are actually conducting that review. I’m expecting to be one of the people that’s given some jobs out of that.

I think, I really don’t know what we’re going to see yet. I mean the review’s not due to be completed until the middle of the year.

MICHAEL BRISSENDEN: Okay, well, we’ll talk to you then. Thanks very much for joining us.

STEPHEN DAY: My pleasure, thank you Michael.

MICHAEL BRISSENDEN: That’s General Stephen Day there.
