The Australian Signals Directorate is going on the offense against cyber crime and a news article claims it might be moved out from under the Defence umbrella altogether — but a skills shortage and international collaboration pose substantial challenges.
“I don’t want to be an alarmist, but unfortunately I think it’s getting worse,” says Brian Fletcher, the agency’s former director of cyber security relationships. Ironically, he is only speaking to The Mandarin because he is now Asia-Pacific government affairs director for Symantec.
There’s plenty of opportunity for ex-government cyber security professionals in big private sector firms, but they’re not the only ones competing for an increasingly limited pool of expertise.
The Australian Defence Force’s new information warfare unit is expected to grow to 900 personnel, although that is over the next 10 years.
“The cyber skills problem is not just an Australian one,” adds Fletcher. “It’s a global one, and there’s certainly more and more companies and governments around the world that are trying to move into this space and the marketplace for these few skilled individuals is increasing.
“So it’s going to be a massive challenge for both the Information Warfare Unit and ASD in order to expand with enough skilled people.”
Despite being “very much a military capability” Fletcher thinks the new ADF unit will indirectly have a positive effect on more general cyber security efforts by contributing to building local capability.
“It will learn new things and it will see new ways of bad guys doing stuff and all that information will actually percolate back into the greater Australian system — so CERT Australia, the ASD, the AFP and the Criminal Intelligence Commission, they’ll all learn all that stuff,” he speculates.
“So the general knowledge that Australian experts have of these types of threats will increase as a result of this, but again it will be really hard to quantify and certainly for somebody out there in the street, they’re not going to see much.”
Perhaps the game of musical chairs that accompanies a skills shortage could accelerate this kind of cross-pollination.
A ‘stand-alone’ signals directorate?
Yesterday’s anonymously sourced article claims the government is likely to make ASD a “stand-alone” agency with a wider role in national security — possibly as part of a big new department like the United Kingdom’s Home Office or the Department of Homeland Security in the United States, a proposal that has floated around for over a decade and still hasn’t been taken up.
The report quotes a “senior intelligence source” who suggests an ASD that is more independent of Defence would be able to improve staff retention, presumably through more attractive remuneration. It’s widely known that one of its big challenges is retaining employees, who can take the unique experience of working in the spy agency and earn much bigger salaries in the private sector.
“People go into the ASD, they get given certain types of training which are extremely valuable, and they work on really difficult problems, which again makes them even more valuable,” says Fletcher. He estimates that when he left government last year, most cyber security guns only stayed about two years.
It’s not just about the technical capabilities. According to Fletcher, who spent about half of his 21-year public sector career with ASD, the agency will also need more staff with the relevant “soft” skills in everything from psychology to operational planning and logistics to fulfil its new crime fighting role. “There’s going to be a whole new infrastructure having to be built as well,” he says.
The ASD grew out of wartime code-breaking efforts, a creature of military intelligence with a self-explanatory motto: “reveal their secrets; protect our own”. The ADF needs the signals intel it provides so any new capability will certainly need to be in addition to this core purpose, not at the expense of it.
The agency’s additional role in providing technical information security advice to other government agencies and setting nationwide standards through its Information Security Manual, including the “essential eight” and “top four” mitigation strategies, is a fairly logical extension of its original remit. Going after criminals is a much more extensive change that fits with the suggestion of it becoming more independent, having already dropped the ‘Defence’ from its name in 2013 and visibly expanded its information security role.
“It’s really aimed at other governments and other military capabilities around the world, so that’s a big change for what they’re expecting the ASD to be able to,” says Fletcher.
As the national security state continues to expand and its focus increasingly turns to violent non-state groups linked to the same theatres of war where our forces and those of our allies are deployed, there is a blurring of the traditional lines between domestic security and Defence. The methods used in cyber attacks for espionage and in those for criminal profit are also clearly converging, and guns for hire may well work for clients of any persuasion.
“It’s certainly true that we’re seeing a lot of convergence between what the cyber criminals are doing and what’s traditionally been the skill set of nation-state actors,” says Fletcher, and one reason is “quite damaging releases from groups like the Shadow Brokers and the Equation Group revealing nation-states’ capabilities”.
“What used to be purely in the realm of nation states is now being done by other actors, and some of the stuff that used to be just done by cyber criminals is now being done by nation-states.”
The best defence is… still defence
The twin announcements of the ADF’s new information warfare unit and the ASD’s new mission to “disrupt, degrade, deny and deter organised offshore cyber criminals” served to show the government doing something active in cyber security, in the wake of yet another highly publicised worldwide ransomware outbreak.
The Turnbull government clearly sees political value in assuring voters that its cyber security strategy is active as well as passive.
“This is actually reaching out over the internet and turning off cyber criminal infrastructure, or changing things that the threat actor’s doing to make sure that they actually are not damaging Australian businesses and Australian infrastructure,” explains Fletcher.
To date, the main active measure against cyber criminals was the same as for any other type of crime: law enforcement agencies collecting evidence, making arrests, laying charges and then leaving it to the prosecutors.
“What the government’s now saying is that’s not enough,” Fletcher adds. “[It is saying that] sometimes the threats are so acute you actually have to go up against them now; the government needs another toolbox in order to try and protect itself and the greater Australia from these cyber crime threats.”
Both decisions had been in the works for quite some time; an expanded role for ASD had been proposed in government for several years at least. Neither was a response to the Petya and WannaCry outbreaks, despite the PM and his cyber security assistant Dan Tehan name-checking them in their joint announcement.
This doesn’t mean the traditional passive variety of security detailed in the ISM is ineffective or has failed. For individuals and organisations, including government agencies, the best line of defence is still to assess the specific risks in one’s own particular context and mitigate them as appropriate.
Auditors-general at state and federal level have consistently found agencies falling short of these standards — most recently in Western Australia, where Colin Murphy was not at all pleased with the results of his ninth annual information systems audit:
“Disappointingly, I must again report that many agencies are simply not taking the risks to their information systems seriously. I continue to report the same common weaknesses year after year and yet many agencies are still not taking action. This is particularly frustrating given that many of the issues I have raised can be easily addressed. These include poor password management and ensuring processes to recover data and operations in the event of an incident are kept updated.
“A pressing issue that must be acknowledged and addressed across the sector is for agencies’ executive management to engage with information security, instead of regarding it as a matter for their IT departments. As recent high profile malware threats have shown us, no agency or system is immune from these evolving and ongoing threats. The risk to agency operations and information is real and needs to be taken seriously.”
Fletcher points out the ISM advises a risk management approach and he thinks some audits (not the one above) can give an unfair impression of agencies that actually are doing a good job, if they are based on a “compliance focused” goal of implementing every single security control across every single machine.
Obviously some computers or servers are higher risk than others depending on who or what could potentially connect to them, and the same goes for agencies in terms of their value as a target for espionage.
However, he adds that no matter what the ASD does with its new role — and it won’t be nothing — it is not and cannot be responsible for securing other government agencies.
“Certainly there is an absolute basic minimum standard that all government departments should be doing to protect themselves, and not doing that puts the government at great risk,” says Fletcher, pointing out the buck stops with department heads.
“ASD doesn’t have that authority to come in and say ‘don’t do that, do this’ — they can provide advice and that advice is provided in the form of the ISM, but they don’t have a big stick that they can come through and hit people with, despite what some people think.”
Having said that, the new “offensive capability” the PM so dramatically announced could, in time, realistically contribute to some success against international organised crime. But it is unlikely to be very visible.
Fletcher says ASD has “some very powerful capabilities” they could use to “reduce the capability of some of the really big, serious cyber threats that are facing Australia, and potentially, take some of them completely off the road” — but they’re going to have to work together with a lot of other nations. “So the exact impact that Australia has on its own will be really hard to measure.”
And, according to the International Telecommunication Union’s latest cyber security rankings, co-operation is one area where Australia falls short.
“There are very few threats that target Australia solely,” Fletcher says. “Most big threats, certainly as we’ve seen with stuff like WannaCry and Petya, they’re global in nature, and so Australia will be contributing to this type of thing in a coalition environment. We’ll be working with other countries around the world.
“Will we see a reduction of the big cyber crime impacts? My opinion on that is no, but we won’t see the really rapid increase of these really big, high-impact threats that we could have seen, if we didn’t have this kind of capability working for good.”