If you think cyber risk management is not the end of the world you are dead wrong, according to the federal government’s top adviser on these matters.
Alastair MacGibbon thinks a potentially cataclysmic cyber security failure is “the greatest existential threat we face as a society today” and the relevant authorities have not been taking it seriously enough.
He told delegates at last week’s National Investigations Symposium — who came mostly from regulatory, law enforcement and public sector integrity agencies, as well as internal integrity units — that “cyber-related evidence” would soon become integral in most of their investigations.
“Now let me say I’m no climate change denier,” he quickly added, delivering the opening keynote on Wednesday.
“I believe climate change is impacting us, but I’ll say if you’re going to look for a catastrophic event that will impact upon the livelihood of Australians, the lives of Australians and the wellbeing of Australians, it will be a cyber security incident.”
MacGibbon went through a timeline of recent events that illustrate why he believes the good guys have been losing ground and law enforcement agencies “haven’t really evolved” in the past decade or so.
“Largely law enforcement agencies have vacated the field, and it’s not acceptable that we do so. The number-one crime now affecting Australians, in terms of volume, is cyber-enabled crime.
“And it’s not good enough that we allow that to happen and for us not to fight back.”
There are challenges, of course, with offenders able to launch undirected attacks that hit targets in multiple jurisdictions and evidence that is difficult to obtain. Much of the work needs to be preventive.
MacGibbon told delegates the skills to investigate “failures in IT systems and the abuse of those systems” had to become part of their standard toolkit. But just like all efforts to prevent crime, law enforcement bodies need to encourage protective behaviour by potential victims.
In many cases, simple scatter-gun cyber scams can be defeated through normal business controls like checking before paying money to a new bank account for the first time, or regular backups.
It is unhelpful for the authorities to maintain an “artificial division” between the physical world and “this virtual, cyber land” because crimes using computers still involved physical elements: computers, keyboards and storage devices, MacGibbon advised.
He said the old way of looking at cyber security was “a broken model” and promoted the more modern risk-management approach, where the more realistic aims are reducing and mitigating attacks. A common blind spot has been third-party risk in supply chains, he added.
Banks and government agencies can’t just secure their own systems, they need to recognise their suppliers could easily be the weak point that is exploited, as seen in a lot of the biggest breaches on record.
Sailing into a maelstrom
“We have to have introspection and we have to realise this is not a game we’ve been winning,” MacGibbon told the conference, warning of trouble ahead with the internet of things or, “the internet of everything”, if you prefer.
Hundreds of billions of tiny, inexpensive online devices with weak security controls, embedded in various products — on top of continued developments in areas like machine learning and cloud computing — are keeping him awake.
“It’s almost like we’re sailing in a storm, thinking we’re going alright but noticing, not just on the horizon but literally at the wave in front of us, some type of perfect storm. And our job is to somehow secure those systems, as we rapidly take those technologies into every part of our lives.”
On the positive side, he pointed out that quite basic cyber security controls in individual organisations could easily form a substantial bulwark against large-scale outbreaks of malicious software like WannaCry or NotPetya.
The former, in May 2017, was “the first global cyber pandemic” and eventually attributed to North Korea. “And that was the first time we saw the mass spreading of an unknown attack, with unknown vectors, with unknown consequences, across our economy, and that called into question our ability to communicate with the Australian public and to advise on how to protect yourself,” MacGibbon said. “We learnt lessons there.”
He noted the NotPetya attack came shortly after, representing “the fastest, highest-impact crime ever committed in the world, in terms of cost” and ultimately being attributed to the Russian government.
At the other end of the scale was the online Census failure, which saw MacGibbon take a frontline role explaining what happened: a cautious response to run-of-the-mill mischief. Even though the site suffered “some of the world’s smallest” denial-of-service attacks, it was feared they could have been part of something more sinister.
He said it was a “very tough call” for Australian Bureau of Statistics boss David Kalisch to take the site down but he did it “because in the fog of war there was a chance that data was actually being lost or compromised”, and Kalisch was primarily concerned with confirming the integrity of the Census data. Of course, there were other consequences.
“It called into question the ability of the Australian government to run IT systems that have become vital for every service that is provided,” said MacGibbon.
A few months later came the reports of Russian interference with the United States election that have frightened politicians everywhere, he added.
Both large criminal enterprises and hostile nations have the capability to cause a cataclysmic cyber attack, but MacGibbon said he remained “a glass-half-full type of person” because these risks could be managed a lot more effectively than they have been to date.
The main defensive strategy for the head of the Australian Cyber Security Centre is to drive up the costs for attackers, while making it easier for organisations to implement cyber security controls.
“If they’re a nation-state, I hope that every once in a while when they wake up in their foreign capital, they ask their boss to be assigned to a different desk and not to be working on Australia, and that it’s easier for them to be going after some of our other colleagues offshore,” he said.
“If it’s criminals, I’d love for them to have to innovate.”
Sadly that’s not the case; criminals are still profiting from many of the same basic scams MacGibbon was investigating almost 15 years ago when he founded the Australian Federal Police High Tech Crime Centre.
Meanwhile, nations compete and conflict while trying to cooperate against cyber criminals that cross borders. MacGibbon’s role as head of the ACSC is firmly in the cyber security realm, which makes him a deputy secretary of the Department of Home Affairs and a “deputy director-general designate” of the Australian Signals Directorate.
You can also call him the national cyber security advisor or, according to DHA, the national cyber coordinator and the special adviser to the Prime Minister on cyber security.
Once firmly part of the defence establishment, the ASD’s role has expanded more recently; poachers make good game-keepers, he explained. “If we spend our time taking things from other people, then we’ve got a greater chance of securing systems in our country.”
The public sector needs to go beyond compliance
“In government, we tend to be compliance-driven,” said MacGibbon.
That’s not a bad thing — following guidelines and rules is important — but MacGibbon emphasised that agencies need to tick all the boxes and go beyond this as well. Compliance does not equal security, but to deploy the same argument as an excuse for non-compliance, as some federal agencies have done in the past, seems illogical.
“Compliance gives us predictability, it helps prevent certain known bad things from happening, but it does not make us secure,” he said.
“Risk management is the key to that – recognising of course that every once in a while, risk will be realised. What I can say to those in government – and in the private sector and the not-for-profit sector – in the room today, is that of the rules we publish, have a look at the Essential Eight.”
Cyber security audits tend to indicate non-compliance with these basic controls is common in state and federal agencies; Home Affairs itself has struggled to convince the auditor-general of its cyber resilience in recent times.
The controls were actually “really, really hard to implement” in a very large organisation, MacGibbon said, “but if done correctly, provide a dramatic level of protection.”
“We recently went into a rather exposed Commonwealth department that comes to significant attention from some of our friends [read: enemies] offshore,” he added.
“Many times they’ve suffered significant cyber security breaches, but having now successfully implemented our Essential Eight, we were unable to detect the offenders back in that system, and they’re a sophisticated foreign threat actor.”