Text size: A A A

Alastair MacGibbon: learnings from the eCensus 2016

Agencies need to move away from a tick-box compliance security culture, invest in modern cloud-based systems and ensure agency leaders have a good understanding of the language of cyber security so they can properly assess risk, according to the Special Adviser to the Prime Minister on Cyber Security, Alastair MacGibbon.

MacGibbon’s report and the Senate Economics report on the eCensus shutdown were tabled last week. Speaking with The Mandarin about the lessons learnt from the August shutdown of the eCensus 2016 web site, MacGibbon was upbeat about the government continuing to aggressively pursue digitalisation, but warned that relying on formal compliance systems could in fact be creating more risk of cyber breaches.


“Canberra has a passion for proving compliance and I have said for many years … that compliance does not equal security,” MacGibbon said.

“Compliance is good hygiene, compliance can reduce some of the security threats. If all you do is adhere to compliance that in itself can be riskier for you. If you adhere slavishly to a set of procedures because those procedures will keep you safe, but if instead your procedures expose yourself to new risk vectors that are bigger, then your risk reduction processes increase your risk.”

“Technical people have owned the debate and we should not have let that happen. If you are the CEO or agency head signing off on risk, you need to understand the type of language being used.”

MacGibbon said another lesson was the need to modernise the technology base many agencies are using and to accelerate the use of cloud based applications.

“Cloud allows us to scale a lot faster, bring on applications quicker and to serve the public better,” MacGibbon said. He also said agencies needed to be smarter at using systems in one agency that could just be rebadged, white-labelled and used by another. “We are one Commonwealth; as a result we should be acting as one Commonwealth,” MacGibbon said.

He also foresees a growing security role for the Digital Transformation Agency, baking security into the larger platforms it is going to be increasingly be using.

MacGibbon also highlighted the failure in the crisis management system, noting he had been critical of his own office system, as well as the confusion in language and poor communications, as the shutdown continued. In his report he has called for a boot camp for ministers and senior APS executives so there is a common language and well understood escalation points.

“We are asking CEOs to sign off on risks. They need to understand what those risks are. I meet a lot of senior executives who are embarrassed they can’t engage in a security conversation. We have tended to make ICT security very technical.

“Technical people have owned the debate and we should not have let that happen. If you are the CEO or agency head signing off on risk, you need to understand the type of language being used. We really need to raise the bar and agree on what terms mean.”

MacGibbon also called on agencies to use social media to give them a much more accurate understanding of what users are thinking and their issues. “Commonwealth agencies need to understand social media, they need to understand and engage in it,” said MacGibbon.

“You can see security and privacy concerns evolving online and you need to directly engage those people. Not just through bland statements through media, you need to go into those same fora and actively involve. It is tough. It is not always pretty, but that is the type of place we have got to play in now and will help us be more safe and secure and frankly we will hear from the public more.”

MacGibbon also pointed to procurement culture as something that needed to change. He said agencies that had strong relationships with vendors needed to establish much stronger, test and verification procedures to ensure that the actual work was being tested. This was particularly in the case of subcontractors where failure to test in the eCensus had meant critical networks were left open.

Supply chain weakness, said MacGibbon, was where some of the biggest weaknesses in ICT security come from and the public service needed to get smarter at mitigating this risk. As agencies have moved from having their own IT shops, they need to get better at how they manage contracts. This meant much stronger capability was required around the performance of those contracts, and a “trust but verify” culture.

Full Transcript:

The Mandarin – Interview with Alastair MacGibbon – Lessons from the eCensus

Canberra, 25 November 2016

 

Tom: Welcome. I’m Tom Burton from The Mandarin, I’m the publisher. I’m here with Alastair MacGibbon, Special Adviser to the Prime Minister on Cyber Security. Today, we’re talking about lessons to be learned from e-Census, which obviously went down on the night of August 9th. Alastair MacGibbon has written a long report about it. We’ve also had the senate committee report tabled yesterday. Welcome, Alastair. At a high level, Alastair, what are some of the important takeaways from the whole episode?

 

Alastair: Well, I guess the important takeaways are that we’re already a digital society. The number one way in which governments engage with the population is online. Clearly, on the 9th of August, we failed. That challenged the very heart, I think, of the public’s view of whether the government is capable of doing these things. Now, on a daily basis, 365 days a year, there are big agencies engaging with the public with good IT systems in a very robust way. Frankly, in many respects, in a very user-friendly way. We need to make sure, of course, that all the services provided by government can do those things. The report really looks into how we can reduce the likelihood of the events of the 9th of August, not necessarily deny those service attacks which led to this happening, are avoided by other agencies.

 

Tom: What would you say are two or three other main takeaways from your report?

 

Alastair: I think it’s really important that government agencies look at the type of technology systems that they’re deploying, that those technology systems are fit for purpose and frankly, modern. That does question then our security culture, some of our compliance culture in government Risk averse compliance culture might actually be making things more risky. Are those risk models and the structures that tell you how you’re meant to do your technology actually poor force. Then lastly, I’d say it’s a matter of how we take that security culture and permeate it through organizations so that we challenge ourselves, so that we go in and test things. Not to ever stop anything bad happening, but to reduce the likelihood of bad things happening. Then we can respond faster.

 

Tom: Right. The technology observation, I noticed in your recommendations, you had a series of recommendations around speeding up Cloud enablement, for example; what was behind that thinking?

 

Alastair: Well, if we’re still building our own infrastructure, the phrase I’m using is that we’re building tomorrow’s legacy systems. We really need to move, unless there are really legitimate operational reasons not to do so, we need to move into the Cloud. Now, we need to therefore, make sure that the security frameworks that we operate in and that we adhere to so well in the Commonwealth reflect what is a secure way of doing the Cloud but that we move into things like the Cloud. The Cloud allows us to scale a lot faster, allows us to bring new applications on faster, it lets us serve the public better and, you know, not saying that Cloud would’ve stopped all of these but certainly a greater use of the Cloud might have reduced the likelihood.

 

Tom: Yep, and the speeding up of the certification process then to enable more applications.

 

Alastair: Yes, yes, and it can be a common platform too. The Cloud could operate across multiple agencies. We don’t need to have necessarily all agencies running their own systems, and the report talks about this concept that small agencies maybe shouldn’t run any at all and that they piggyback on the back of larger organizations that have bigger IT shops. In a shared services fashion. I know that has some connotations but so does running your own systems and we need to get smarter at using system in one agency that could be just re-badged, white-labelled and used by another, because we’re all one Commonwealth and as a result we should be acting as one Commonwealth and the report goes into those types of things.

 

Tom: Right. You envisioned a much more stronger partnering program, perhaps train the mid and small agencies with the bigger agencies.

 

Alastair: Yes. Well, I certainly see an increased role for the Digital Transformation Agency and the concept of Commonwealth-wide platforms and services. I think that’s important and we talk in the report about that and growing the security role within the DTA because if you bake security into those base platforms, then the applications you put on top, you’ve got to look at the security of it, of course, but if you’ve got the foundation done, you can move much faster to the app. That’s the first thing.

 

Secondly, we need to be, so the DTA has a big role. It may well be that, you know, in the near term you coalesce around departments that have certain capabilities, that if a certain organization has already got a big public facing series of web forms that work well then can’t we just add some more web forms onto those same services and actually just re-skin. The public doesn’t care, sorry, that sounds crazy, the public cares a lot, which is part of the problem in the census, right? The public won’t mind if the infrastructure is of a totally different agency. What they care about which is the agency I’m engaging, is the user experience good, are they worried about my privacy, are they protecting my security and what are they doing with my data at the backend.

 

Tom: Right. Okay. Talk about this capability question. The second point you raise. You said in the report the ABS was almost an example of the type of culture, I’m going to call it a sort of tick box compliance culture. You don’t think you’re pretty straight about that. How do you move from that sort of, if you like, tick box, “we’ve done everything we should do”, almost administrative approach to cyber security to a much more, if you like, front footed approach?

 

Alastair: Yes, well, first let me say that there but the grace of God, I suspect many, many agencies. ABS is no different to the vast bulk of agencies. Canberra has a passion for proving compliance, and I have said now for many years, obviously before being in this role and I say it in this role, that compliance does not equal security. Compliance is good hygiene, compliance can reduce some of the security threats.

 

Fantastic. I’m not saying not to be compliant, but I’m saying if all you do is adhere to compliance, that in itself can be riskier for you and I said that at the beginning, and I want to explain that to you, because it might sound a bit radical; if you adhere slavishly to a set of procedures, because those procedures will keep you safe, but instead by doing those procedures you actually expose new risk vectors that are bigger, then your risk reduction processes increase your risk, and I think in some respects our security thinking, our security frameworks now adheres to those actually have increased our security risk, which means we need to rethink it.

 

Tom: Yep. You have to build that out as a proposition. One of the things I think you put your finger on there was culture and the role of culture; what do you mean by that?

 

Alastair: Well, there are several aspects, particularly with the ABS, and I don’t see a huge amount of sense in raking over the coals of what is now being done many times through various committees and reports, but I think generally to do with culture there are some interesting ones. Procurement culture, potentially just having such strong relationships with third party IT vendors that have built your systems that they almost win because they’re locked in.

 

That’s an interesting one. How do we break that? Or do we need to? I would say yes, but what are the risks if you don’t. The culture of actually testing and checking so that you need to have that sense of trust but verify, so I trust that you’ve done it, Tom, but I’m just going to check you have. No offense to you, I’m going to use a third party to come in. There was enough of that done, and maybe not enough of that done across the Commonwealth, because that’s how we’ll detect a lot of things.

 

Then in some respects a culture of not engaging in the online space. There was an, and I’d love to talk more about communications. You could see for months this concept of building up of some concerns online, maybe the above the line sampling being done, the polling wasn’t showing it, but you could see online there was a problem.

 

The culture, in the case of the census, was not necessarily truly engaging that online space, and both before the event and after, and I think to their detriment.

 

Tom: Yeah. I put it this way. When you’re running a big live event like this, you’ve got to be very aware of the context you’re going to drop this event into, and if you’re not listening (capital L) listening to what’s happening then you remain, as you say, quite rigid in your response. Is that where you’re going with it?

 

Alastair: Yeah. Social media, there are a lot of people that will say, “Well, you know, if you do good polling then you’re going to know what’s going to be happening” and we could all list some interesting international events recently where polling would say one thing and some of those events have not transpired as people had predicted. Yet, if you look at social media, you might get a much more granular, better understanding. Commonwealth agencies need to understand social media. They need to understand it to engage in it.

 

Why am I saying that is that, first I talked about security because you could see the security and the privacy concerns evolving online and you need to directly engage those people, not just through bland statements through media. You need to go into that same forum and actively involve. It’s tough. In my previous role, I looked at the way people behave online to each other. I spent a long time looking at the way people behave online to each other. It’s not always pretty but that’s the type of place we’ve got to go and play in now. That’ll help and make us safer and more secure and frankly we’ll hear more from the public too on what to do.

 

Tom: Yep. One of the things you put your finger on was the actual incident response protocols, if you like, and probably expose weaknesses. I think you said weakness is at the central level and at the agency level and at the, our subsequently; what’s your thinking about how you’re strengthening some of that up? I think one of the things you said, for example, getting much clearer language and understanding of what the escalation pieces were.

 

Alastair: Yeah. Well, Tom, the first recommend I made in the report was criticizing my own area. I thought that was only appropriate because I wanted to be pretty direct in the report and our crisis management arrangements, run by prime-minister and cabinet, under my office, did not work. Part of it was language because we recommend now that we’re starting to, we’re using the same dictionary when we’re talking to each other because, you know, to an intelligence agency, the word “attack” means something and to the military in particular means something very different to you and I when we might use the attack a bit more flippantly.

 

We might have an agency saying, “Well, that’s not an attack but it’s a denial-of-service attack” and then you might have someone else, so we’ve got a language question. We’ve got to how we actually handled the crisis in government question. We’ve got a question of how we communicated in the crisis communication side and big learning there as well.

 

I’m a glass-half-full type of guy. I see what happened on the 9th of August and on the 10th of August when we started doing the more above-the-line crisis communications. It’s just a great learning opportunity for us. That’s what I’m trying to do in this report. I’m actually trying to, rather than rake over what happened, we had to do that of course, you know, what went wrong, but more importantly how do we design this stuff out. With cyber security you cannot design out all problems. If we accept the fact that we do our best to reduce the likelihood of it happening, but know that we will fail, then we need to get much better at that whole crisis communications and crisis incident management.

 

Tom: Yeah. Is that your idea of, I think you used the word “bootcamp”, to really up the understanding, particularly the higher levels of the ABS, same within ministerial ranks, is that …

 

Alastair: Yeah, we have asked or told senior executives, CEOs, people that run organizations, to sign off on risks. They are responsible for risks. They are responsible for, in this case, the cyber security of the organizational area I deal with. They need to understand what those risks are, and I’ll tell you my observation of being in this space throughout 15 or years, in lots of different roles, from policing to corporates, to my own private sector experience to back here again, and that is, I made a lot of senior executives who were embarrassed they cannot engage in a conversation. They’ll say to me, “I’m not a technical person, I don’t really understand the language used so I cannot really have a discussion.” Tom, I’d say to you, “I’m not expert on a whole range of things but we can have a, hopefully, pretty fulsome, educated discussion because I understand the language.”

 

We tend to make this IT security thing very technical and technical people have owned the debate. We shouldn’t have let that happen. If you’re the CEO or the agency head, signing off on risk, you need to understand the type of language being used, that’s incumbent then upon the technical people to be using language that the rest of humanity can understand and it’s incumbent upon the senior executive to understand that language as well.

 

Yeah, we really need to raise the bar in terms of language used. We need to agree on what terms mean, which might sound pretty simple and frankly is, and just execute upon things like that. Then we can start talking risk. This is still a risk question. That you can’t really make a risk decision if you don’t understand what you’re making a decision on.

 

Tom: Yeah. It’s also an area, as you know, very fast moving. We’ve recently had those very big zombie attacks, for example. Completely new types of attack, you know, using the Internet of Things. How do agency leaders try and keep that capability up to date?

 

Alastair: Yeah. We have seen, when you first mentioned zombie attacks I was thinking people could be worried that are watching these online bits of kit Internet of Things that are being directed now in the case of a few weeks ago at the very infrastructure of the Internet, up to do the domain name servers.

 

Tom: These were the American attacks.

 

Alastair: Yeah, America, on the East Coast of the United States. Phenomenal. No way you could respond to it. Unlike the denial-of-service attacks that eventually led to the ABS taking down the census website, they were very small, unpredictable attacks. These are phenomenally large and totally unable to deal with them. It’s a great question. I think it’s important, we’ve got some remarkable agencies inside the Commonwealth government to deal with IT security and they all roll up in the Australian Cyber Security Centre, which is currently based out the ASIO building but will be moving as part of the cyber security strategy.

 

In there you’ve got the Australian Signals Directorate, you’ve got the Australian Criminal Intelligence Commission, the Australian Federal Police, the Computer Emergency Response Team of the federal government, you’ve got ASIO and you’ve got the Defence Intelligence Organization. With all those organizations, they kind of know what’s happening and they’re putting out increased number of threat reports and other things. We’ve just got to keep the information coming and keep those education boot camps coming and probably run sessions to update people on the type of threat environment and the attacks that are occurring. I use the attack word there and I’ve already broken my own rule, so I apologize.

 

Tom: Breach. Breach.

 

Alastair: Well, whatever they are. Whether it’s a breach or a denial-of-service or other things. We’ve just got to get better at that. It’s not rocket science, it’s a communications question. It’s a change of culture question, and then we’ll all be talking the same language. We’re not asking people to be experts, what we’re asking them to do is to be able to know where to go to get expertise and to make rational risk decisions in the interests of the people they serve.

 

Tom: Right. Report goes in quite a lot of detail looking at the vendor relationships and you can conclude that there was a strong sense of vendor lock-in for historical reasons; what are the lessons in terms of dealing with, you know, IBM is obviously very reputable organization, what are the lessons learned when you’re dealing with big technical projects like this and ultimately you’re going to be teaming with a major vendor?

 

Alastair: Yeah. Well, clearly the public service has changed. I mean there was a time when you would have your own IT shop and everything would be done in-house. Now a lot of the work done, I’d hazard a guess that it’s a vast bulk of the work done is done by third party providers. That means we have to have a different skillset in government. It’s not just to be able to right the tenders and other such things and to select the successful party to deliver the services. It comes down to how we manage those contracts and those services. That’s a different type of skillset, but it’s one that we need to keep growing. I mean clearly it exists in the Commonwealth but we need to build those skillsets. It also means that we need to be not just managing but checking what gets done-

 

Tom: This is your verification process.

 

Alastair: Yeah, this is the “trust but verify”, so we’re going to use it, not for everything, but, you know, “Show me proof you’re doing it or I’m going to come in and get someone else to do it.” Then lastly I think it’s the question that just because you engage one company doesn’t mean that there aren’t a whole heap of companies behind it that are also engaged. You could have a third party to a third party to a third party to a third party.

 

Tom: Which in this case, as we know in the report about all identified that there were multiple network providers, so it’s a good example of saying how does an agency, you know, in the sense, verify all the subcontractors.

 

Alastair: Yes. The Commonwealth’s not alone there. I’ve dealt with a lot of large organizations that ask themselves the same question. From an IT security point of view, third party weaknesses, supply chain weaknesses are some of the greatest vectors of problem for you as an organization, along with insiders, which is a different topic altogether.

 

Tom: Yeah.

 

Alastair: It’s incumbent upon us to understand at least the relationship we’re having with the person we contracted.

 

Tom: Yeah.

 

Alastair: You can put it in the contract. Of course you must make sure that. It’s fine because it’s a contractual clause that sort of waves the magic wand of liability and all those other things but it doesn’t mitigate risk. We’ve got to get smarter at how we go out and mitigate those risks, and that’s talking to that supplier. It might be engaging with those people further on but where does that end? But it’s time to create that culture. I’m engaging you, you’re engaging other people, we need to make sure we’re all on exactly the same level and the same page and the same understanding as to what the risk is and how we’re going to be mitigating it.

 

Tom: Yeah. In this space, it’s got to be quite tricky because you’ve got a lot of vendors offering differing services right through the stack. It’s often the challenge, I think, particularly for the smaller agencies, to understand, “Well, what do I need out of that?” Because if you believed every vendor, you’d be signing up for, you know, 40% of your ICT spend for security. How do they weave their way through that sort of jungle of vendors?

 

Alastair: It’s really tough. That’s why I’m not in that space. I’d have to be in the advisory space I’d say to you, Tom, but look, agencies do this well. The sky isn’t falling. I just think it means we need to focus on these things a little bit more as we increasingly move to relying upon third parties and there’s nothing at all wrong with the government relying on third parties just like big industry does. I mean it’s a connected world anyway. You could do everything in-house-

 

Tom: We will, in this case.

 

Alastair: Well, absolutely. But it’s a connected world, even if I did everything inside, I’m still connected, and therefore I’ve got third parties I’m relying upon. We’ve got to be prudent, we’ve got to make sure that we don’t bind ourselves up with this risk thing. We’ve just got to make sure we do risk well and, as I say, we can be the best risk managers in the world, a problem is still going to happen. It’s setting that expectation too, that mistakes, problems, catastrophic events are going to occur. It’s reducing the likelihood of it.

 

Tom: Yeah. One of the things you identified in that space was the actual procurement process if you like. I think there’d been the same vendors in this case, IBM had successfully won it three times, so it was a certain comfort; how do you mitigate against that sort of, if you like, around getting a bit too comfortable with each other?

 

Alastair: Yeah. Well, what I did in the report is I recommended that the prime-minister and cabinet procurement task force look into those types of matters because they have specifically set up to look at procurement and clearly you look at what happened on the 9th of August and the events leading up to it as part of their learnings and general observations. They’re in the process now of going out of, soon, to engage with the public and get ideas. I’m certain they’re going to be getting significant feedback from suppliers as to how procurement works or doesn’t work.

 

Tom: Right. Just the last question I want to do, just explores the, if you like the general digital transformation proposition. I think you’re very strong about saying, “Look, this is obviously a very serious problem but we shouldn’t hold back, you know, the digital transformation roadmap.” How should agencies be thinking about in the space, given some of those learnings? Is this a reason to pause or to keep going?

 

Alastair: I think it’s a reason to accelerate. My report quite explicitly says the digital transformation agency needs to increase its efforts in this area. They need to increase this effort with security baked in. That’s the really important criteria because if we do that and we build these more secure foundational platform, then more things can pile in on top.

 

I’d also like to say, by the way, that the role the Australian Signals Directorate has not diminished in anyway in that regard. They are the experts in the Commonwealth. They are the ones mandated for protecting Commonwealth systems and for providing the advice. It’s working with them to make sure that that advice is fit for purpose for the types of transactional business government is doing and there might be different advice you give to an intelligence agency that is holding the most classified bits of information in the Commonwealth versus an agency that is engaged in transactional, high-volume business with the Australian public.

 

You need to, obviously, we need to make sure that those frameworks work and then we need to make sure we take it to market with a DTA, accelerating that stuff. I’d be saying to you that on the contrary to what happened on the 9th of August slowing us down. We need to speed up that digital transformation to reduce the likelihood of things like the 9th of August happening again.

 

Tom: Right. To get us through the census generational legacy issues of technology.

 

Alastair: Yeah. It’s starting to try to not be building the next legacy system, and that is a mind-set shift. It’s a mind-set shift as much as it is a technology shift and I’ll try to explain that. Technology, absolutely, move to the Cloud if you can, but it’s about sharing of the resources as well. It’s about saying, “I do not need to build from the ground up a whole new system to replace the one that is now aging and going to fall over. Maybe I can find myself a business partner in government who’s already done most of this.” It’s cheaper, faster, and I’m not saying that shared, we’ve all been around this, you know, shared services have got hairs on them from time to time, but that doesn’t mean that we shouldn’t do it. It just means that you’ve got to …

 

Tom: Yeah. They’re all called processes in government. They can just be replicated in a much lower cost environment if you want to understand the core business processes.

 

Alastair: Of course. The advantage for me, in my role, is if we get security in there, right, and we actually just reduce some of those threat factors. I mean you don’t create Nirvana. You just reduce some of those threat factors. That’s good. Then we can focus on the other things. At the moment, you’re dealing with legacy systems, different ways of thinking, a compliance culture, different ways of procuring, that’s slow. All of those things mitigate against us being able to create that more trusted, secure, digital experience that the public expects. In fact doesn’t expect, it demands and we are now in a world where, because of their experiences with the private sector, there’s an expectation that they’re going to be delivered by government and the private sector doesn’t have those same restrictions upon them about how they handle data and all those other security things. That just makes our challenge more delicious but certainly solvable.

 

Tom: Yeah. Really last question, it exposed obviously some of the issues at the federal government level; how applicable do you think it is also at state? I’m sort of asking your broader role here as an advisor.

 

Alastair: I’ve been travelling through the states. I’m trying to tick them off. Not tick them off in a bad way, by the way, tick them off the list, visit them, that’s a better use of words, and we’re engaging through COAG and other such things, and I can tell you, from a cyber security point of view, the relationship’s great and will only get better. There’s a huge recognition, Commonwealth on its own cannot solve this, states and territories on their own cannot. Together we can but only if we’re working with industry and frankly the entire population.

 

But the relationship is really good in this space. It’s actually I think exemplar. My observation as I go through those states and territories is that they are sitting with exactly the same questions. The DTA, to its credit, when it was the DTO, has been engaging with many of those states and territories already. ISD already has a relationship with states and territories, has a responsibility there to really be providing that type of advice. We just need to ramp it up. We need to chuck it up a few notches and look at how we can do this stuff faster. There’s a huge appetite in my colleagues in the states and territories to do that and it’s very much one where people are leaving their egos and brands at the door. They’re sort of saying, “2016, we’d better start acting.”

 

Tom, I’d say to you, I’ve been in this space for a long time. I have never seen the stars align as well as they have for people demanding action, whether it’s our political masters who are very engaged on this and the census events actually helped with that, which is good. It focused people’s attention. I’ve never, as I go through the various departments and bureaucracy, I’ve never seen such a desire to be moving faster and in alignment together, and I’ve never seen as I’ve gone out to the states and territories that same level of excitement and interest.

 

Shame on us if we cannot actually harness those things and drive a real step change in this space. It would be just a remarkable thing for the people of Australia, the people that we serve, and it would just be fantastic because we’ve got a pretty steep hill to climb, and we just got to start climbing.

 

Tom: Yeah. As you say, if it’s inevitable we’re moving to digital, then you need to get up this pretty quickly.

 

Alastair: Yeah. Well, it’s interesting. I know you said it’s the last question, but the importance of those digital delivery services. I mean clearly you can think of the really major ones that everyone would say are critical, you know, a tax system and a health system and a welfare system, but clearly something like a census was a really critical digital service event, almost a pop-up event and we just didn’t manage those things well. Understanding what our critical services are so that we can make sure that we’re handling them in a manner that is truly at the right scale and with the right levels of protection, I think is incumbent upon us.

 

Tom: Right. That’s a really good last point. Having a much clearer view what you’re actually putting on and what the context it sits in. You know, live events are hard thing to do and governments don’t often do them. As you say, a pop-up exercise with  lot of different sort of parameters you’re going to play with. Thanks so much, Alastair. That was a great a conversation and I hope it’s been really useful for our listeners, so thank you very much.

 

 

 

Author Bio

Tom Burton

Tom Burton is publisher of The Mandarin based in Melbourne. He has served in various public administration roles, specialising in the media and communications sector. He was a Walkley Award-winning journalist and executive editor of The Sydney Morning Herald. He worked as Canberra bureau chief for the Australian Financial Review and as managing editor of smh.com.au. He most recently worked at the Australian Communications and Media Authority.