Cyber security is big business these days and the market is flooded with a growing array of advice, opinions, tools and services, but the overall responsibility can never be outsourced.
The recent revelation of a major data breach via the Bureau of Meteorology is a reminder that the risk is real, significant and growing. Lots of Australian public sector agencies are not up to speed, but that doesn’t mean they should rush to throw money at the cyber security companies in the hope they will make it all go away.
Agencies should be wary of the impressive claims that emanate from the burgeoning cyber security industry, and that’s according to a marketing boss from one of the biggest and most respected vendors.
The global director of RSA-Archer’s market liaison team, Cliff Huntington, says lots of vendors will say they can make you safe, but “that’s a lie, pure and simple”. Huntington was in Canberra recently for a military ICT conference.
“There is no way that any product down on the [trade show] floor or even my own products — and we’re one of the largest security organisations in the world — will make you safe,” he told The Mandarin, gesturing to the displays vying for the attention of Defence employees.
“We will make you safer, we will help you mitigate damage should the inevitable happen, but it’s not a question of if you get breached. It’s when you get breached, and what they get away with.”
He may sell technology but people and processes come first and second, he says. “You need a culture of adoption, of people who want to go and solve this problem — that is probably the biggest barrier that you run into — and then you need executive leadership that is sponsoring the initiatives that [arise from] that culture.”
Huntington’s counsel has a familiar ring, as does his advice that it all begins with knowing where your “crown jewels” are so you can focus limited resources there. A single asset catalogue, or configuration management database (CMDB), gives a clear picture to work from, but it’s rare to find one done properly, says Huntington.
“In my seven years working this space, I’ve only encountered two or three organisations ever that have had a single CMDB,” he said. A more common situation is a half-finished effort comprising a spreadsheet here and a spreadsheet there.
After an incident like the one the BoM won’t confirm or deny, or perhaps an audit suggesting cyber security isn’t up to scratch, a large wholesale review is a common response in the public service.
“There is absolute value in taking a step back and doing overall assessments,” says Huntington, “but you have to be careful about kicking off very large initiatives or burning everything that you have to the ground and starting fresh.”
Like much in the digital space, progressing towards a grand vision in small steps that each have value of their own is the way to go, he suggests. And whatever advanced threat intelligence, data analytics tools or other technologies are to be employed, that grand vision or blueprint needs to be framed in the language executives understand.
“The last thing you should do is to take leadership that has a lot of things to worry about and does not have the time to go get a degree in computer science, cyber security and advanced threat analytics, and try to communicate to them in that language,” Huntington advises those inside government who want to advocate for improvement.
“You need to translate the security problem they’re facing from an IT security problem to an IT risk problem, to a business risk problem.”
The conversation needs to relate to employees, jobs, efficiency, and good old reputational risk to the department and the minister.
Collaboration, once again
In the past, gold-standard information security procedures were found in parts of the public sector, but all over the world it has since fallen behind. At the same time, attackers are targeting data held throughout the public sector, not just the kind of sensitive material that has always been protected.
Huntington thinks government agencies are only just beginning to accept they have been surpassed and need to lure expertise back from the corporate world.
Advice on best-practice cyber security is easy to find but there is considerable evidence of public sector organisations, particularly at state level, moving too slowly. It is a rapidly evolving space and there will always be wins and losses, but it is clear public service leaders don’t all see it as a first-order issue.
Huntington doesn’t think budgets are the issue. He goes first to culture — recognition of the problem and what to do about it from the top down — and secondly to education of executives whose expertise lies outside ICT.
“I also think politics is a really big piece of everything,” he adds. “There are egos and there are organisations and there are domains and fiefdoms that have been built.”
Patch protection is a problem afflicting large entities all around, and collaboration between public service silos, tiers of government and sectors of the economy is once again touted as a big part of the solution to cyber security. “There’s huge value and huge wins to be gained by everyone if we can just come together and communicate,” Huntington enthuses.
It’s also naive to think you’re a low-value target or not a target at all. Almost all large quantities of data are valuable in some way to large-scale criminal and state-sponsored groups of attackers. They’re looking for intellectual property, or even just people’s identities, which can be used to launch further attacks from cover, or simply to commit large-scale fraud such as that currently targeting Medicare refunds and tax returns.
Third party organisations also have to be more closely considered and assessed as information security risks, along with fourth parties and so on. The incredibly damaging attacks against the United States Office of Personnel Management and the US-based Target Corporation, and many others, involved third party vulnerabilities.
Perhaps the best Australian example came when building plans for the Australian Security Intelligence Organisation’s headquarters were allegedly stolen from a building contractor. The government of the day denied it but the ABC’s Four Corners stood by their anonymous sources.
If Huntington is right, the “agile” government often referred to by the Prime Minister is a vital piece of the cyber security puzzle. Agencies need to be able to move quickly to get up to speed, and keep up as threats rapidly change.
“There are certain areas of government that are very agile, and they’re on the bleeding edge all the time of the latest threats that could potentially impact anyone in the world, but that does not necessarily describe government as a whole,” he said.
“And there is leadership in a lot of areas of government that have just never kept up to speed with how quickly this is evolving. Even a year ago, we would be talking about different things. The threat landscape has drastically altered in the last 12 months. If we talk in another year we will probably be talking about entirely different things again.”