Commentary
"Microsoft CEO should be fired over cyber failure", May 2024
In March, Microsoft’s security culture was laid bare – and found wanting – in a report produced by the US Department of Homeland Security’s Cyber Safety Review Board (CSRB).
The report was triggered by a significant security incident in mid-2023, when a China-affiliated hacking group compromised the emails of senior US government officials who were working on national security matters.
This attack affected other entities around the globe, but because of national security implications for the US and its allies, including Australia, we may never know the full extent of the compromise.
Reports have said a Chinese nation-state threat actor known as Storm-0558 infiltrated email accounts at 22 organisations, including some federal agencies. They gained access by forging authentication tokens with a stolen Microsoft account signing key, allowing them to use Outlook Web Access in Exchange Online and Outlook.com.
One thing is clear: the CSRB took aim at Microsoft, and its key finding that this intrusion “was preventable and should never have occurred” shows Microsoft has crossed a very hard line.
The US government is finally standing up to the multitrillion-dollar behemoth, and the CSRB was clear: the US government expects much more of Microsoft.
Profit motive
There are two critical insights to take away from this review. The first is that because companies that provide critical global services are incentivised to follow the money, we cannot let them make risk acceptance decisions on behalf of the global economy.
The CSRB slammed Microsoft’s culture – a culture directly nurtured by its CEO, Satya Nadella.
Under Nadella’s decade at the helm, revenue has soared, but Microsoft has also pivoted to selling security as an optional extra of its products, instead of selling inherently trustworthy ones.
The mid-2023 security incident was merely the latest in a long line of global incidents where decision makers at Microsoft chose money at the expense of global security.
The second insight, stemming from the first, is that the free market has not delivered inherently secure software and cloud services. Greater oversight and regulation is required.
Our national security – in fact, our global security – depends on the culture, diligence and due care of hyperscale vendors. Global critical infrastructure suppliers with a stranglehold on the market must be held to a higher standard.
A victim’s obligations
Many commentators, and I’m one of them, go to great lengths to point out that when cybercriminals attack a company, that company is also the victim of crime. This is still true of Microsoft, despite its $US3 trillion ($4.5 trillion) market cap. Microsoft’s riches do not excuse criminal acts against it.
But while Microsoft was the victim of a crime, it still has an obligation to face reality. The company has employees who are fully aware of the capabilities of the cyber adversaries it faces but, evidently, these people were not listened to.
This is the vexing paradox of Microsoft; it has unquestionably some of the best and brightest security people in the world. But the work of these brilliant and dedicated people is fundamentally undone by a culture focused primarily on selling security add-ons instead of delivering security by design and security by default.
Consequently, the CSRB found that Microsoft not only failed to provide an acceptable baseline capability for its own corporate security, but that Microsoft has also failed to provide an acceptable level of security to its customers, who collectively pay it more than $US200 billion a year.
Microsoft’s risk acceptance on behalf of its unwitting customers is unconscionable, and a clear symptom of its culture – which is set by Nadella.
The CSRB found that Microsoft’s culture is unacceptable and needs to be overhauled. Culture takes years to change, and substantial structural intervention is required.
This month, Microsoft responded to the report and has agreed that it will prioritise “security above all else”. That is a welcome response, but very late in coming to the party. Microsoft, to misquote Churchill, “will always do the right thing, only after they have tried everything else”.
We should give Microsoft the opportunity to show meaningful achievement in the next 12 months, but breaking up the company is an unavoidable discussion.
Additionally, Nadella must go. Removing the CEO is the only viable signal to the customer base that Microsoft is genuinely committed to culture overhaul and being a vendor the world can depend on.
This opinion piece was first published by the Australian Financial Review.
"The cyber lessons Australia still has not learnt", February 2024
Over the last two years, Australia has faced significant data breaches, highlighting systemic vulnerabilities that demand our urgent attention. There are two crucial points that are getting lost in the public, post-incident brouhaha.
The first point is that while a large data breach is a bad day, there are scenarios for worse days, and many in our industry are often in a cold sweat at the prospect of these worse days occurring.
A worse day – a much worse day – happens when critical systems are not available, and we are uncertain when, or if, we will get them back. Imagine a day when access to power, water, food, and hospital services is abruptly severed, posing an immediate threat to our way of life.
The second point is that regardless of the threat actor, from opportunistic individuals to ransomware gangs to nation states, an organisation suffering a cyberattack is the victim of a crime.
Suffering a cyberattack does not necessarily indicate negligence, contrary to what some public narratives suggest.
No security person I know wakes up hoping that today is the day their organisation has a catastrophic incident that has them working around the clock for weeks, and then making them spend the next few years being interrogated by lawyers, auditors, and regulators.
In the cybersecurity domain, we talk about Team Australia, but we often overlook that teamwork does not appear out of the blue, perfectly formed, and ready to go in our time of need.
Teamwork requires ongoing effort: diligence, training, practice and refinement. Critically, teamwork is what happens when a group of people all start working together toward a common goal.
This means that interests must be aligned, for both people and organisations.
Key ingredients
A couple of key ingredients are urgently required to help align Team Australia’s focus and efforts.
The government’s Cyber Incident Review Board needs to be spun up quickly and led by genuine and independent practitioners.
The Cyber Incident Review Board should be able to provide strategic advice on identifying and addressing weak signals that precede major security incidents so that all organisations can proactively rework their governance and oversight mechanisms to minimise the frequency and severity of future incidents.
The output of the Cyber Review Board should also help harmonise guidance from the nation’s regulators who are all keen to provide practical guard rails that make a genuine difference.
As it stands, the cybersecurity community is concerned about an increasingly complex web of cybersecurity, privacy and data protection legislation and regulation, and shifting government priorities about what’s most important.
Government’s role
Further, there’s a critical place for the Department of Home Affairs to further act as the convening agency to help bring accord among the nation’s regulators, and push for a streamlined approach to dealing with a company in the middle of a cyberattack.
In most organisations, the people best placed to respond to a regulator’s queries about an incident are the people in the security team who are also trying to work out what’s going on and minimise any impact to the organisation and its customers.
We need these people leading our frontline response efforts, rather than responding to regulators’ well-intentioned but poorly timed questions.
Attacked companies, and their staff, are the victims of a crime and should be supported through the crime. This is why companies need to be able to call the Australian Signals Directorate (ASD) and receive immediate support, confident that there will be no blowback from bringing help in early.
This is not a call to let people off the hook or provide immunity for acts of genuine negligence, but rather a recognition that enterprise technology is complex. And it is imperative that the ASD is the first to know if Team Australia is about to have a very bad day.
That won’t happen through luck, it will happen through ongoing teamwork: practice, trust, and aligned goals.
A much worse day is probable. We need agreed principles and objectives for the nation. We need to strip away the unnecessary, streamline what is duplicated, and build what is required.
This co-creation will help develop our national immune response, so that Team Australia becomes match-ready and our muscle memory will be instinctive when we desperately need it to be.
This opinion piece was first published by the Australian Financial Review.
"Why Australia is losing the battle for cyber resilience", September 2023
The key theme from The Australian Financial Review Cyber Summit on Monday was resilience. Cyber and Home Affairs Minister Clare O’Neil said Australia could not prevent all attacks, but we could do the work to be prepared and recover from these attacks quickly. The big breaches of the last 12 months – Optus, Medibank, Latitude and HWL Ebsworth – have hit all of Australia hard.
Individuals have suffered the repeated loss of their personal and most sensitive information; breached businesses have been caught in news cycles for all the wrong reasons; and security staff and executives at breached organisations have worked insane hours trying to work out what the criminals had done, and how to protect their organisation and its customers.
Some of these staff will be caught up in class actions and regulatory activity for years. This further victimises these people who have already been through enough, and are responding to a crisis that wasn’t their fault.
Government agencies have found themselves missing critical capabilities to support Australians. Over the last year, the cybersecurity community has enjoyed the hollow victory of being proved right, having warned that it was always a question of preparing for when you are attacked, not if.
Divergent regulatory forces
The Cyber Summit highlighted the fact we are now caught in the undertow of divergent regulatory forces.
Small business is left frustrated, overwhelmed and confused when large organisations and regulators ask for mountains of customer data, but also then adopt clumsy attempts at self-assessed supply chain assurance.
Large organisations capture as much data as possible to avoid the wrath of regulators and to cover their backs regarding Know Your Customer requirements. But they are also pre-emptively ensuring that, after a breach, they will be able to provide evidence to lawyers that they have taken reasonable steps to check the security of supply chains.
These third-party assessments have become an exercise in futility. At best, they are a snapshot of a moment in time. At worst, they are a work of fiction.
Since the Optus breach, the prevailing sentiment has been that companies should backburn as much of the personally identifiable information they hold as is practical.
The confusion, uncertainty and conflicting expectations all undermine our national resilience.
The purpose of regulation is to achieve risk management at a societal level, and we are failing at this. Australian regulators are not collaborating enough to make the regulatory obligation on the private sector deliver a valuable outcome.
This is resulting in the observer effect, where the drag caused by varying, complex, uncertain, conflicting and time-consuming requirements from regulation and the consequent audits is, itself, degrading the ability of the private sector to fully use their security teams.
Regulators combine thoughts
One way to resolve this could be to reach agreement among the regulators on what they think good security and resilience looks like. Importantly, this unified vision should not be technically focused, but emphasise capabilities and outcomes.
In an ever-evolving threat environment, what good looks like will need to evolve. But that’s a matter of forecasting and letting the private sector know what will be expected next year, and what will be expected the year after that.
Government agencies should also be held to the same standard, which was pleasingly mentioned by former Telstra boss Andy Penn at the summit.
Finally, it is critical that everyone comes on the journey.
We keep using the cliché that security is everyone’s responsibility, but it’s clear from the behaviour of most that few people actually believe this.
Regulators who do not actively work to streamline their obligations on entities, with the explicit intention of making security and resilience easier to achieve, do not believe this.
Similarly, CEOs who do not put security KPIs across the whole organisation do not believe this. And boards that only ask the chief information security officer about security do not believe this.
We keep expecting a comparatively tiny group of security people to do more with less, while a growing number of people with clipboards critique their work.
We’re living in wilful delusion, which means we will never achieve the level of national resilience we so desperately need.
Resilience is a capability that requires everyone to be working together. It takes a community to fight crime.
This opinion piece was first published by the Australian Financial Review.
"Why the private sector is missing out on cyber threat intelligence", July 2020
The formation of the Australian Cyber Security Centre created an organisation that held enormous potential. The ACSC was an amalgam of cyber expertise from six different government agencies and promised to enable collaboration across government and also between government and the private sector. It was supposed to focus on the transference of information to enhance operational capabilities.
The outcome we were all hoping for was a structure that would facilitate government and private-sector organisations being better able to protect themselves.
The ACSC was meant to be the cyber equivalent of the neighbourhood policeman walking down main street, popping into each shop and telling the owners to remember to lock their doors at night because of criminal activity in the area.
The cyber equivalents of nearby criminal activity include the various activities that rob us of our national treasure: money laundering, unauthorised crypto-currency mining, unauthorised access of computer systems, and electronic theft of either intellectual property or money. These examples are all crimes, and should be responded to as crimes, not as acts of war.
Unfortunately, the ACSC is now a sock puppet for the Australian Signals Directorate, a statutory authority within the Department of Defence. The ASD is a military intelligence organisation, notoriously secretive and wrapped in a shroud of mysterious, ruthless efficiency.
As a liberal democracy, we know we should not put the military in charge of providing security to citizens. You point your military toward an enemy; you charge the police to uphold the law. Pointing the military at the citizens tells the citizens they are the enemy.
This current structure is resulting in the diminution of the ACSC and a loss of private-sector confidence, much to the angst of the private sector and apparent indifference of the ASD.
The impact of the ACSC being subsumed into the ASD was the classification of threat intelligence according to the needs of the intelligence community, not crime prevention.
Some within the ACSC would dearly love to share information with the private sector, but cannot unless a private-sector individual is cleared to the right level. Then, of course, the classified information does the private citizen no good because they cannot share it within their employer: that information is classified.
Through my research around the world, the issue of information declassification continually comes up as a critical barrier that nations struggle to overcome.
As a side note, the initiative to create an information-sharing portal should be dropped immediately. Pursuing this initiative would inherently preclude the vast majority of Australian organisations from benefiting. The government must not dare put information on the top shelf then blame the private sector for not being able to reach it.
The ACSC should be made a statutory authority and have a sworn commissioner. Further, the ACSC should become a national security operations centre, drawing telemetry from all federal, state and municipal entities.
This would provide a powerful source for information to be shared through the clearing house function with the private sector, and make a stunning difference to the visibility of every government agency. The ACSC should then share this information with the ASD, where it can be classified into the next galaxy.
This experiment of subsuming the ACSC into an arm of the intelligence community has not delivered the outcome the private sector needed – what Australia needs – and must be reversed.
This opinion piece was first published by the Australian Financial Review.
"Why the government cyber security strategy needs a shake-up", July 2020
This opinion piece was first published by the Australian Financial Review.
The Australian government will soon release its 2020 Cyber Security Strategy and while some may be hoping the release will unleash a new wave of energy across the market, I am pessimistic.
The 2016 Cyber Security Strategy heralded a marked difference in the Australian security industry and we were provided various organisational structures to help deliver on important national outcomes.
Three of the critical structures were the Australian Cyber Security Centre, the Joint Cyber Security Centres and AustCyber.
The ACSC was an amalgam of cyber expertise from six different government agencies and promised to foster collaboration both across government and between government and the private sector. It was supposed to focus on the transference of information to enhance operational capabilities.
The JCSC grew to be a network of offices in capital cities, and the intention was that these offices would be a meeting place for private sector specialists to meet with their industry and government peers.
The JCSC offices were supposed to create and develop operational relationships, so that when the fan was being unpleasantly redecorated, the responders had an established network of individuals across organisations and industry sectors.
In 2018, the JCSC was used to excellent effect to facilitate sensitive information between PageUp and its customers when it was attacked.
It made sense for the JCSC to be folded into the ACSC because the private sector organisations the government needed to learn from predominantly had multi-region operations. But lack of leadership and resources allowed both the ACSC and the JCSC structures to fall into misuse.
Then, the ACSC was subsumed into the Australian Signals Directorate. I’m assuming the thinking was that the ACSC relied on expertise from the ASD, so mashing these two organisations together made sense.
But this was flawed because they are fundamentally different organisations in focus and mission. The falsehood was that the ACSC needed to depend on the ASD. The ACSC should have had more of a co-ordinating and facilitating role, and greater interaction with the private sector.
But the ACSC could never do that with a skeleton crew. From the outside looking in, it was tragically under-resourced. The ASD should only ever have been one of many resources that the ACSC tapped into.
In summary, the machinery of government jiggery-pokery has largely neutered the ACSC’s usefulness, despite the best intentions, hard work and long hours of its staff.
As much as a strong cyber defence capability is essential – and we have that with the ASD – so are structures that support good governance. Governance matters, especially when it’s inconvenient.
None of the governance and oversight structures in the coming Cyber Security Strategy can be left to the beneficence of powerful individuals with good intentions. History shows us that power must be meted out judiciously. Too much centralised power is dangerous. Ignoring this recurring lesson from history introduces systemic risk. Power can be abused and people can be corrupted. A wise leader works to be above reproach, and does not just say they are.
My hope for the coming Cyber Security Strategy is that three specific pillars emerge to support all Australians, at an individual, organisational and national level. The three pillars are: security, safety and privacy.
We already have three organisations in place – the ACSC, the eSafety Office and the Office of the Australian Information Commissioner – but none of these are sufficiently resourced or empowered to deliver at the scale we need.
There should be a dynamic tension between these three pillars, and this tension represents good separation of power and the complexities of the issues we face as an online society.
"Misleading government COVIDSafe app messaging undermines its value", May 2020
This opinion piece was first published by the Australian Financial Review.
The world is in the grip of a pandemic and despite its massive impact on our way of living, our economy, our national prosperity and our place in the world, Australians are squabbling about an app.
The Australian government has made two mistakes with its communications around the COVIDSafe app. The first is to double down on its efficacy, rather than trusting Australians to make informed, pragmatic choices. The second mistake was to create a measure of behaviour that is now leading to undesirable outcomes.
It’s reasonable to assume that it’s the sheer desire to protect Australians and reboot our economy that is driving the government rhetoric around the benefits of downloading the app, but the reality is that, right now, there’s no evidence that the app will work.
That’s not a reason to ignore it, but it is a particularly good reason to avoid rhetoric if we’re interested in trust.
If government spokespeople could guide with a more nuanced message, we could de-escalate this spectacular waste of time and crack on with beating the virus.
Rather than over-simplifying the message and saying that COVIDSafe is the path to beer, the government could say that other countries are trialling an app to facilitate contact tracing and that Australian experts want to give it a go as well because we see the possibility of it helping.
Not like sunscreen
The government should stress that this app will not protect people from COVID-19, but that it is hoping that it will accelerate mapping any new infections and a faster time to respond could help save lives.
It’s another layer in our defences against the virus, along with physical distancing, and washing hands.
The government missed an opportunity to reassure Australians through transparency. They could have launched a hand-picked taskforce with some of the best minds in all relevant spaces to help ensure we get the most out of this exercise.
The taskforce could have comprised the Human Rights Commissioner, the eSafety Commissioner, academics from various disciplines, privacy lawyers, technologists, and cyber security professionals.
Expertise, science and evidence-based decision making will enable Australia to get through this; and will also be how we thrive as we come out the other side.
False metrics
The second mistake the government made was in creating a metric that doubled down on the aspirational efficacy of the app.
By originally talking about how many downloads would be needed to allow people to return to work, the government created a compliance check box that businesses now just want ticked.
Consequently, we are seeing aberrant behaviour as businesses see the target and ambitiously set it in their sights. The government wants everyone to install the app? Fine. Let’s encourage our staff to install the app.
Further, let’s ask all our staff to encourage everyone they know to install the app. Does it work? Who cares, we want a tick in the box.
That is why we now see the unusual behaviour on social media, where people declare that they have installed the app and that others should too.
Sometimes, they even make the mistake of repeating the rhetoric that the app will save lives, which perpetuates the over-simplification.
Poorly thought-through goals drive undesirable behaviour; the financial services Royal Commission exposed plenty of examples of people cutting corners to achieve goals.
We all want to make a difference. And, as we face the prospect of second and third waves of the pandemic, restrictions to travel, ad hoc facility closures to contain outbreaks, and the truly horrible societal impact of under-employment, now, more than ever we need each other.
Trusting in magical technology is just a different form of religion. People sitting on the runway flapping their arms will not take off. Hope is not a strategy.
The app will not save lives, but it may help. There is a slim chance. But, if the rhetoric continues and people are misled into thinking that the app is a substitute for physical distancing and washing hands, then we’re selling people digital homeopathy.
"How Australian business can work better together to counter cyber threats", March 2020
This opinion piece was first published by the Australian Financial Review.
The significant impacts of the cyber attack on Toll Group on its own operations, and those organisations it works with have shown the business community needs to learn fast about the value in working together to mitigate the ever-present dangers.
It is important to note two crucial points. The first point is that Toll Group is the victim of a crime. The company and its staff should not be called out by the holier-than-thou mob for being the victim of a crime.
Is there more they could have done to prevent it? Inevitably. But that’s true of every enterprise. If this was easy we could all go home.
The second point is that Toll has stated that it refused to pay the ransom, which is a laudable stand to take. The subsequent jolt to Toll, its customers, and the numerous people that have been impacted may cause some inside Toll to question their own judgment, but it was the right call.
Paying the ransom is never a guaranteed path to recovery. For example, NotPetya, a piece of malicious software that swept around the world in 2017 was disguised as ransomware, but was actually designed to destroy.
There is an interesting similarity between both the PageUp cyber attack in 2018 and this latest one against Toll Group. In each instance, the victim suffered a cyber attack, but the attack against these organisations had a significant operational impact on their enterprise customers as well.
The impact was not restricted to only the target organisation, even though the attack itself did not spread.
There are two main areas of interest from enterprise customers. The first is the immediate business perspective that wants to know the scale and duration of the cyber attack so that operational impact can be forecast. How badly will this impact me, and how long will it last? How long until I can count on you again?
The second area concerns the cyber security of customers. Could we catch what you’ve got or, have we already caught it?
Consequently, when a supplier has a cyber attack, its enterprise customers are justifiably motivated to find out what is going on so they can best protect themselves from, potentially, the same threat.
So, when Toll announced it was experiencing a cyber attack, a number of its enterprise customers took quick steps to insulate themselves from potential contagion. This was the pragmatic action to take; you can either deal with an interruption to business operations, or you can deal with an interruption to business operations as well as your own cyber incident which will further interrupt business operations. That’s an easy choice.
Both areas are important. Toll and PageUp customers wanted to resume normal operations as quickly as possible. Having some insight into when their supplier expects to be functional again helps customers make informed decisions and manage their own resources.
Simple, timely, actionable information is essential to foster assurance to the ecosystem.
This is an area Toll did not perform so strongly in ... it may have communicated with some customers behind the scenes, but its updates to the broader market were way too infrequent and lacking in detail.
Keeping external communications to a minimum may be a pragmatic and conservative option from a legal perspective, but it is not the behaviour of a good digital citizen. In terms of the other kind of virus on everyone’s minds right now ... if you have got cases of coronavirus you need to tell people all about it.
The Australian business community needs a code of conduct articulating the basic artefacts an organisation under attack is expected to share with a discrete community. My recommendation is that we use the Australian Cyber Security Centre as the clearing house for this information.
Naturally, no one will feel like adhering to this code of conduct in the middle of an incident. But the value to the wider community will be enduring. It’s only when you realise that you cannot win by yourself that you actually start thinking as a team.
This cyber attack against Toll, and its nationwide impact, is merely the latest opportunity for Australia to learn how to better respond as an integrated and interdependent ecosystem.
"Boards paying cyber ransoms should quit", July 2019
This opinion piece was first published by the Australian Financial Review.
Ransomware cases, where organisations are hit by a cyber attack and receive financial demands for the return of documents or systems, are exploding globally ... and in a disappointing number of the severe attacks, the victim organisations are responding by paying the ransom.
But, any executive who authorises the payment of ransomware should, as their next act, tender their resignation for total failure of leadership.
By authorising a ransomware payment, an executive is admitting that they have failed to adequately prepare their organisation for operations in the 21st century. The board should also be held to account.
Ransomware is an eminently foreseeable risk, and the prevalence and impact of ransomware attacks are well documented. From Norsk Hydro to the City of Baltimore, a severe attack can bring an abrupt halt to an organisation’s ability to function.
No one should have to be in that situation, where they feel like there is a gun to their head, and their organisation cannot continue to operate unless they pay.
It’s easy to imagine that the executives in these organisations are inevitably considering the impact of the interruption to service on their customers and staff, and probably hating every second of the experience.
Imagine discovering as you read this article that your organisation has to revert to manual processes. It’s a business continuity nightmare scenario.
But it is also a foreseeable scenario, and therefore eminently reasonable to take pragmatic steps to minimise the risk of a ransomware attack and ensure that an organisation could recover quickly.
That is a reasonable duty of care for any modern organisation.
From the start of this month the Australian Prudential Regulation Authority’s CPS 234 standard came into effect, which essentially means the boards of regulated organisations are ultimately responsible for the security of their organisation’s data.
APRA has drawn a line for accountability, and CPS 234 states, “The Board must ensure that the entity maintains information security in a manner commensurate with the size and extent of threats to its information assets, and which enables the continued sound operation of the entity.”
The phrase, “continued sound operation” is directly relevant to a discussion around ransomware.
The three objectives that information security works toward are protecting the confidentiality, the integrity and the availability of information. Ransomware targets the availability of information and systems, and thereby has the potential to impact the continued sound operation of an organisation.
Also worth noting is that CPS 234 is setting the scene that boards cannot wave off responsibility by claiming they assumed their IT or security people had it all handled. Ignorance never excuses.
An organisation that suffers a ransomware attack is a victim, but the executive officer is the architect of how severe the impact will be.
If a ransom is paid, the board has failed to deliver on its core purpose, because if paying criminals is the only way to resume operations, then that organisation’s leaders do not practise good governance.
The ethics of making a ransomware payment is clearly troubling in itself, because you are essentially showing yourself to be the kind of organisation that would prefer to give money to criminals than commit to mature technology practices. But there is a further aspect to consider.
In preparing for a ransomware attack an organisation isn’t just preparing for one niche type of risk.
The controls that will have the biggest impact on an organisation’s ability to avoid, or swiftly recover from, a ransomware attack are also the controls that address many other risks that come with an organisation’s increasing reliance on technology.
There’s a saying that management is doing things right, and leadership is doing the right things.
Preparation for ransomware is a great barometer of whether your organisation is doing either.
"Government must invest more to make Australia a cyber industry power", May 2019
This opinion piece was first published by the Australian Financial Review.
Post-election Australia stands at an inflection point where it has the potential to develop a globally significant cyber security industry, or watch on as other nations take some of our best ideas and grow their own wealth.
As the election dust settles, we need to put a flag in the ground for Australia’s future. Over the past three years the government has made important inroads to confirm Australia’s commitment to retaining currency in a global digital economy. It’s time to double down.
With the 2016 release of Australia’s Cyber Security Strategy, we identified that it’s imperative for Australia to raise the security capability baseline across our economy and strive toward cyber resilience. Equally as important, the government created AustCyber, a growth network tasked with fomenting a cyber security industry in Australia.
Farming and mining set us up as the lucky country. But luck isn’t a strategy, and our future contribution to the global economy must be more than exporting stuff with limited value added.
As we get better at the practice of cyber security, it naturally follows that we should seek to export our ideas and technology. That’s a valuable contribution we can offer to the world market that also helps us to pursue national interests.
Michelle Price, the CEO of AustCyber, recently made the point that cyber security is not an industry vertical, it’s an industry horizontal. Cyber touches everything.
Australia needs a world leading capability to identify and manage cyber risks at all points of our economy, because everything is now hyper-connected to the rest of the world.
Our national ability to execute cyber security at a world leading level is both a critical survival skill and an important avenue of opportunity. The success of rising cyber security start-ups like Kasada and PenTen is a testament to what can be achieved with the, admittedly humble, focus we’ve brought to bear on the industry just in the past few years.
Scott Handsaker, the CEO of Cyrise, an Australian early stage accelerator for cyber start-ups, recently made a striking observation that uninterrupted decades of active support from the US government helped set the scene for the epicentre that Silicon Valley is today.
The message of consistent, long-term commitment is in harmony with what we know about mastery: you keep going, you learn, you adjust, you improve. You don’t drop it all and then come back in a decade and wonder why you’ve got no capability any more.
With the continuation of the Liberal government we have the good fortune of a government that can easily continue support of, and extend on, its own initiatives.
Along with AustCyber, the government’s Joint Cyber Security Centre (JCSC) initiative continues to gain traction and is facilitating important step changes in national cyber capability.
The Australian Cyber Security Centre’s ability to co-ordinate briefings from organisations going through security incidents to their customers using the JCSC facilities has been a graphic case in point of improved national capability … but the JCSCs are understaffed.
There are frequent opportunities for the government to play a pivotal co-ordination role in liaising between the layers of Australian government and the private sector, but they simply don’t currently have the headcount to seize these opportunities. Consequently, Australia is missing some easy wins in the journey toward cyber resilience by letting this under-resourcing persist.
It is going to require increased investment to get great at security, but that’s just the price Australia must pay to stay at the table. These two sides to the cyber domain are equally important for a mature national response: capability and commercialisation.
Capability without commercialisation is expensive. Commercialisation without capability gets stolen.
Our newly elected federal government has some nation-shaping decisions to make, and the gravity of these decisions for both our immediate and long-term future must be met with commitment.
"How parliament hack response showed we are actually doing cybersecurity better", February 2019
This opinion piece was first published by the Australian Financial Review.
Leaders in the cyber security industry have been saying for years that cyber risk isn't merely an IT problem, it's a business risk.
Never is this more apparent than when an organisation goes through a serious security incident in the public eye.
We are seeing this with increasing frequency in Australia, and each disclosure is merely further proof that we are all in this together. It's a digital ecosystem now, and the hyper-connectedness between our organisations means that all business executives should absolutely care about the welfare online of their suppliers, customers, peers and competitors.
Prime Minister Scott Morrison announced in parliament last Monday that what was initially thought to be a security incident for the Parliament House network had also impacted the security of our main political parties.
He should be acknowledged for the clear leadership in disclosing these security incidents to the public. Opposition Leader Bill Shorten should also be acknowledged for his quick and complete bipartisan support – cybersecurity is a national issue and requires a unified national response.
Incidentally, apparently the Australian Cyber Security Centre has been phenomenal behind the scenes in leading the incident response. So, a huge thank you to the staff at the ACSC who will never get the public thanks or credit they deserve.
The disclosure in parliament to the general public of these security incidents was an essential step on the path to a more collaborative national response.
To hide these security incidents away would only reinforce the immature narrative that it's the victim's fault they were attacked, and that being attacked is a weird aberration. The truth is that any organisation that delivers value is a target.
With apologies to Oscar Wilde, the only thing worse than being targeted is not being targeted, because that means you're not relevant.
Be prepared
The reason criminals hijack the brands of big, well-known Australian companies in phishing attacks is because these big, well-known Australian firms are delivering value. These organisations know they are targets and they are dealing with incidents of varying severity every day.
A surprising delusion that some executives outside of security maintain is that their organisation can be both successful and not be targeted.
If you are hoarding customer data, you'll be targeted. If you're generating insights on your users, you'll be targeted. If you are creating and delivering value, if you are relevant, if you have a trusted relationship with your customers and suppliers and in regular communication with them, you'll be targeted.
This is nothing to be afraid of, it's simply something to acknowledge and prepare for.
With that knowledge, it is imperative that organisations are able to make informed decisions about responsible and reasonable safeguards so that they can minimise any impact and continue to deliver value.
Australian organisations will continue to experience more cyber incidents. Many of these will be public. There's no shame in being attacked, but that's not an exemption from appropriate preparation.
Prime ministers will be standing up in parliament again and again with similar disclosures. This predictable increase in frequency of announcements is not a sign that we're getting worse at cybersecurity, it's actually a sign we're getting better.
It's never great to hear about an organisation having a security incident, but with this particular disclosure of the cyber incidents against our political parties, the government has led both in and out of the public eye.
In a very real sense, the bipartisan support for this parliamentary disclosure has set a new benchmark for the level of collaboration expected of the Australian community.
"Australia is still in the cyber security dark ages", June 2018
This opinion piece was first published by the Australian Financial Review.
In terms of cyber security years, Australia is still in the dark ages, a period typified by a lack of records, and diminished understanding and learning.
We're only a few months into practising mandatory data breach notification, while many parts of the world have been doing this for years. The United States has been disclosing breaches for more than a decade.
Countries where data breach notification is the norm are still maturing, and there is no upper limit for our understanding on managing cyber risk. But you can see, by the steps other parts of the world are taking, that they see security incidents very differently to Australia.
This month, at the annual gathering of the Society for Corporate Governance in the United States, Commissioner Robert Jackson Jr. from the Securities and Exchange Commission (SEC) said investors are not being given enough information about cyber security incidents to make informed decisions.
This statement comes on the back of published guidance from the SEC in February that stated, "Given the frequency, magnitude and cost of cyber security incidents, the commission believes that it is critical that public companies take all required actions to inform investors about material cyber security risks and incidents in a timely fashion, including those companies that are subject to material cyber security risks but may not yet have been the target of a cyber attack."
This is from the regulator of a country that has been living under mandatory data breach notification for over a decade – and they're saying that as an ecosystem they still need more public information to put forward a better response to cyber risk.
APRA standard
Here in Australia, APRA's draft prudential standard, CPS 234, puts boards on the hook for their companies having appropriate cyber security capabilities.
This APRA document also asserts the need for fast and comprehensive disclosure of control gaps and failures that could have a material impact.
The regulator needs visibility to help tweak the risk tolerance of its industry, and investors need clarity on the maturity of organisations to identify, protect against, detect, respond to and recover from cyber security incidents.
Transparency is what allows our ecosystem to work. Trust, as ever, is the coin of the realm. But trust is earned, while faith and hope require no evidence.
Without transparency around cyber security incidents, investors face the unpalatable proposition of investing in a company that says, "we want your money but we're not going to tell you if we have a clue with managing risk".
I'm pretty sure that investing based on faith and hope is actually called gambling.
Victim bashing
But as transparency increases, we're also going to need to get past our delight at victim bashing, because transcending our own insecurities is part of growing up.
We still have plenty of armchair generals, only too happy to prognosticate on situations they weren't helping with and people they don't care about. This form of victim bashing is repugnant and exploitative.
No one goes into business, delivering value to their community, hoping to get hacked and lose everything, or being the conduit for their customers to suffer serious loss.
It will be a wonderful day when the latest news of a security incident is met by commitments from onlookers that they will do more and better, driven by a deep understanding that we are all in this together.
The first step is to admit that we have a problem. We, as a community, have a common problem that cannot be ignored: we're not yet very good at this cyber risk stuff. We're going to get better at this, but it won't be comfortable.
"How Australia must use the PageUp data breach to become stronger", June 2018
This opinion piece was first published by the Australian Financial Review.
PageUp People, a successful Australian software-as-a-service vendor, has been the victim of a crime, with a data breach that could be extremely damaging for its prospects. There are two lessons for the industry that are worth drawing particular attention to.
The first lesson is that we need the victim to survive. Once PageUp is safely through this incident, one of the most valuable things its executives can do for the industry is to share their experiences and the lessons learnt.
Sharing this information is important because, as one security executive from an ASX50 company said to me, it could have been any of us. And, it is only through sharing these experiences and the lessons from these crimes that we, as an industry, can improve.
Despite years of security incidents and data breaches worldwide, many Australian executives think their organisations are magically immune. It's far too easy to underestimate the potential impact, the flow-on consequences, and the personal cost for people involved or affected.
It could be you
Australia has many companies similar in size and aspirations to PageUp that need to appreciate it could just as easily have been them. Think about the sensitive data held by law firms, accounting firms, real estate agents and mortgage brokers. Do you think the security of these organisations is markedly different from PageUp?
Jim Hagemann Snabe, the chairman of Maersk, said at a World Economic Forum gathering in January that Maersk thought it was average in its cyber security capabilities. But after the NotPetya malware incident in June 2017, Maersk executives realised the company did not have the capability they thought it did.
Hagemann Snabe and Maersk are to be acknowledged, not only for coming through the incident and surviving the $US200 million-300 million cost, but also for being prepared to share their experience.
Security executives who have been through their own serious security incidents are not crowing at the PageUp incident. Quite the opposite. There is an industry-wide recognition at executive levels that we need PageUp to come through this.
Victim must survive
This desire for PageUp to succeed is partially because of the inordinate pain for many large organisations of having to transition to a new HR system, partially because it's an Australian company competing on the world stage, but also for the sake of our industry.
How do we take care of our own? How do we respond when one of our up-and-coming international success stories is the victim of a crime?
The second and equally valuable lesson from this incident is the demonstrated value of the Australian government's Joint Cyber Security Centre initiative.
The JCSCs are facilities throughout the country established during the past 12 months specifically to create a collaborative bridge between government and the private sector.
Valuable service
During the aftermath of the PageUp incident, the JCSCs have operated as the conduit between PageUp and the many Australian organisations that wanted information.
Instead of PageUp having to allocate dozens of people to field inquiries from its many customers, the JCSC has stepped in and alleviated that potential resource drain.
This facilitative role wasn't quite what we anticipated from the JCSCs, but the capability was there when we needed it and now it looks like an excellent model for the foreseeable future.
But the JCSCs are going to need more staff to deliver on this, and not only technical expertise.
It's worth noting that a year ago, before the JCSCs were deployed, there was no facility that could have undertaken this role. The JCSC initiative has now chalked up an important operational success.
Now it's up to Australia's private sector to help ensure that one of our own doesn't stumble on the type of incident that we'll be seeing a lot more of.
"The three cyber security challenges Australian businesses can't ignore", May 2018
This opinion piece was first published by the Australian Financial Review.
Australian businesses currently face a cyber security triple threat that has nothing to do with warding off hackers.
Rather, there are three new regulatory forces impacting specific points of the cyber security posture of the Australian economy, where relevant businesses will face all kinds of trouble if they fail to keep up to speed.
These external obligations are the Notifiable Data Breach (NDB) scheme, the Security of Critical Infrastructure Bill, and APRA's draft of Prudential Standard CPS 234.
There are lessons to be learned from all three of these external obligations. At a simplified level, the NDB scheme addresses the security of people's data; the Security of Critical Infrastructure Bill addresses the technology that supports our lives; and CPS 234 addresses the processes and governance that protect our wealth.
In short it is people, technology and process.
New legislation
In February, the NDB scheme went live and we've subsequently discovered that in the first three months of this year, there were 63 eligible breaches reported to the Office of the Privacy Commissioner.
The purpose of the NDB scheme is really to encourage organisations to understand the personally identifiable information they have, understand the impact that an unauthorised disclosure could have on the people that information is about, and make informed decisions about how to pragmatically protect this data.
In other words they have to respect the people by respecting their data.
Australia also has the recently passed Security of Critical Infrastructure Bill, which places significant emphasis on critical infrastructure organisations having a clear and current view of their assets, as well as who can control these – financially and electronically.
There is incredible value in knowing what assets you're actually dealing with. This is visibility at its simplest and enables better decisions, responsible application of resources, and faster responses.
It is also important to be able to accurately forecast the interactions between the physical and the cyber domains, so heightened levels of maturity around asset management and deep insight into the supply chain are now expected.
APRA requirements
The third external obligation is APRA's draft of Prudential Standard CPS 234.
This document states up front that, "The board of an APRA-regulated entity (the board) is ultimately responsible for ensuring that the entity maintains the information security of its information assets in a manner which is commensurate with the size and extent of threats to those assets, and which enables the continued sound operation of the entity".
There's a lot to unpack from that sentence, but I think the key word there is "commensurate". Who decides what is commensurate?
It won't be a regulated entity in a vacuum, and cross-organisation and cross-industry comparisons will play an increasingly important role.
Don't let anyone tell you that how your organisation manages cyber risk is a competitive advantage that must be kept secret. That argument is only destructive to the wider ecosystem.
Commensurate sounds a lot like "due care" to me. What was foreseeable, what should you have taken the time to understand, what did your peer organisations already know, what level of responsibility is reasonable to expect?
Moving goal posts
The other fun fact about commensurate in the world of cyber risk management is that what's reasonable today will be inadequate in three years.
So, it is also reasonable to expect a mechanism in place to ensure continual improvement, and that's what I think is at the heart of CPS 234.
Directors of all organisations, not just APRA regulated, should look at CPS 234 as a herald of what capabilities will become expected of organisations that provide value to the Australian economy.
Prudent leaders are already working out how to make an enduring difference within their organisations with the most efficient use of resources. Collaboration is critical to success.
And, in the words of Harry Truman, "It is amazing what you can accomplish if you do not care who gets the credit."
"New data breach notification scheme will be a barometer for business maturity", March 2018
This opinion piece was first published by the Australian Financial Review.
Do not mistake cyber security for being merely a technical discussion about IT problems to be fixed. Cyber security is now, and always has been, purely a response to risk. The risks have changed dramatically over the last 20 years, but the way many people view security is stuck in the 1990s.
Here in Australia, we're now under the Notifiable Breach Disclosure scheme and it's worth using this as a barometer to understand how well executives actually appreciate that they run digital companies working in a digital economy, with all the risks that come with hyper-connection and digital interdependence.
How well an organisation understands itself and its ability to work through responding to a suspected data breach is a direct reflection of how well it understands its business, as well as its dependence on technology and data. In other words, how well does the company understand and manage risk? Yeah, governance, that old chestnut.
People talk about digital transformation and disruption as though these were destinations to get to. But, digital transformation is a continual process and risk management is a necessary component. There is no finish line for transformation or risk management, there are only companies that will cease to be competitive.
From what I see, most organisations are not ready to deal with the Notifiable Breach Disclosure scheme. Of course, be aware of the legal consequences of this scheme, but I think there's a more valuable conversation to be had.
People relate to compliance like it's a lofty goal and they must stretch up on tippy-toes to reach it. Compliance is the bare minimum expected because that's where the line was drawn for consequences.
I'm not arguing that you should be striving for perfect security; that's impossible to achieve and destructive to aim for. The question, "are we secure?" is actually shorthand for "do we know our risks and are we confident we're addressing them responsibly and pragmatically?"
Compliance should be a by-product of organisations continually working through this.
Good risk management is like sailors harnessing the wind; do it well and you can gain tremendous speed. Ignore it at your peril.
Seeking better data governance
Remember, compliance is merely society's way of adjusting behaviour to more socially acceptable outcomes.
The NDB scheme is nothing more than a vehicle to slowly prod organisations toward better data governance because that's good for the ecosystem.
Some organisations will achieve better governance and some, through enforceable undertakings, will have better governance thrust upon them.
If your organisation is not aware of and managing the risks that come with being in a hyper-connected world, the data that you have, and the potential impact of this data being breached, then I assert you don't know what business you're in.
If you want to take cyber security seriously, know that your organisation must punch through compliance to a more mature way of doing business and managing risk because that's what it takes to be doing genuine, sustainable, digital transformation.
The bottom line is that the Notifiable Data Breach scheme offers prudent organisations a phenomenal opportunity.
If you're not working through war game scenarios to understand what a data breach would mean to your organisation, then you're sticking your head in the sand and trying to pretend you're not part of this digital economy. Good luck with that.
"Business experience should help parents keep kids safe online", November 2017
This opinion piece was first published by the Australian Financial Review.
The Office of the eSafety Commissioner deals with some of the most confronting aspects of abusive behaviour on the Internet: child exploitation material, image-based abuse, and cyber bullying, to name a few.
Julie Inman Grant, the eSafety Commissioner, is dedicated to helping ensure young people have positive experiences online.
To this end, in the first week of November, the Office of the eSafety Commissioner, in conjunction with its New Zealand equivalent NetSafe, hosted Australia's first online safety conference.
About 400 delegates from around the world came to share ideas, approaches and research in the area of cyber safety.
The delegates included teachers, lawyers, law enforcement, policy people and academics.
I asked for a show of hands from the audience and maybe 15 of the attendees considered themselves to be security specialists.
It's worth looking at the thin overlap between cyber security and e-safety people because of this single and screamingly-important point: both groups are trying to shape human behaviours for better online risk management.
One of the presenters at the online safety conference shared that, in studies from several countries around the world, parents only had a level of knowledge of online safety behaviour equivalent to a teenager's.
Business principles at home
But teenagers need the adults in their lives to know more.
Another conference presenter stated that teens were more receptive to information on how to protect their privacy than to being told not to use social media.
To me, that echoes business people wanting to know how to do something simply and securely. But, too often, security has the reputation of being the department of No.
The adults in the lives of young people need to know more about security and safety in an online world.
One of the best places for many adults to learn the practices and behaviours that are safer online should be at work.
True, much of what young people, in fact people of all ages, need to learn is tilted towards privacy.
But it's a short line to draw between sound technical hygiene and sound privacy practices.
As an obvious part of corporate social responsibility, organisations should be training their own staff on e-safety issues. The clear upside for all organisations is that this training will raise the level of understanding among staff.
Informed conversations
One of the great challenges for most workplaces is addressing employee engagement. A good level of engagement is vital before an organisation can even dream of doing security awareness training.
But the more empowered parents are to talk to their children and teens about cyber bullying, sexting, privacy and reputation, the more you empower these parents in their workplace as well.
Cyber security professionals are the natural allies of e-safety. And while it's true that many cyber security people can struggle to communicate the value of their domain to normal humans, this is where HR departments can step up and help bridge the gap.
This stuff matters, and the two areas of home e-safety and corporate cyber security go hand in hand.
Too many people are being harmed by abuse that is facilitated by the marvels of our online world.
Listening to Professor Genevieve Bell's Boyer Lectures recently, I was struck by the principle she learned from her mother: "If you could see a better world, you were morally obligated to help bring it into existence."
The internet can be a better world for all Australians, and as individuals, organisations and a country we need to get behind the people helping to make a difference to the parents and young people who are very much on the frontline of this new era.
"Is cyber insurance necessary or a racket? What to know before you sign on", September 2017
This opinion piece was first published by the Australian Financial Review.
When was the last time you had a delightful customer experience with insurance? Well, we need to talk about cyber insurance.
In 2013, the Financial Ombudsman Service penned a circular titled "Queensland floods – lessons learnt" and there are useful ideas for us to bring to the cyber insurance discussion.
The Financial Ombudsman Service noted that among the improvements between the experience of Queenslanders claiming on flood insurance in 2011, and then 2013, was the standardised definition from the government of what a flood is. Words matter.
It's easy when we're dealing with fire, theft and flood. Well, at least in theory it's easy. We've been dealing with natural disasters for millennia. But the cyber domain and the risks that come with it are comparatively new, and evolving rapidly. A year is a long time on the internet.
The FBI states that since January 2015 more than $3 billion has been lost in the US through Business Email Compromise (BEC) scams. But were these cyber incidents, or were they social engineering?
There's daylight between the two definitions but the impact could be the same. How does your insurer define these and are they in your policy?
RAND Corporation, a US think tank, has released a draft report on cyber insurance policies. The report, Content Analysis of Cyber Insurance Policies: How do carriers write policies and price cyber risk? analysed 103 cyber insurance policies. This sample includes policies from insurers operating in Australia.
The RAND report sets out the areas that cyber insurance policies can offer, but it also notes that these areas can be grouped or split out depending on the insurer.
This raises the importance of a customer being very clear about exactly what costs it hopes to insure against and the various scenarios that could result in a loss.
Some of the costs that many organisations seek to insure against are: the cost of notifying individuals impacted by a breach, engaging PR firms to help with crisis management and brand protection, and paying for third parties to investigate the cause of a breach.
Accurate pricing
Accurate pricing of cyber insurance will be an issue that insurers struggle with for the foreseeable future.
The challenge of pricing comes from the knowledge that cyber incidents can happen once or repeatedly to the same organisation, to one organisation or many, and with or without the organisation knowing about the incident.
One organisation may experience a number of cyber incidents simultaneously and clarity around what's actually going on can be hard to find in the fog of incident response.
Section 21 of the Insurance Contracts Act (1984) stipulates that the party seeking an insurance contract has an obligation to disclose to the insurer anything the party knows, or could be reasonably expected to know, that may impact on the insurer's decision to accept the risk of insuring the party. Got a skeleton in your IT cupboard?
If you have an enterprise of any size or complexity, you'll have many.
Unlicensed software, software not patched either in a timely manner or in accordance with the insured organisation's patch policy, undocumented systems, inadequate (or missing) audit trails, and non-compliance with any external obligations (eg PCI DSS) – any of these could be sufficient grounds for an insurer to deny an obligation to cover costs.
I'm not trying to paint the insurance industry as the bad guys here; it's always the fault of the criminals. But let's remember that insurers are not charities.
So before you go too far down the cyber insurance path, how about an internal conversation about the basic steps your organisation should be taking to help minimise the risk of a cyber incident?
Does car insurance prevent car accidents? No, but it did help make anti-theft technologies prevalent. Think on that.
"Companies must hire a CISO to address cyber threats at the executive level", July 2017
This opinion piece was first published by the Australian Financial Review.
If your organisation is producing value then you must confront cyber risks because you have something at stake. WannaCry and NotPetya were just the latest in a long line of cyber security wake-up calls where industry runs the risk of just hitting the snooze button, yet again.
Many top ASX companies have chief information security officers, or CISOs, to help them identify and manage cyber risks. If you've got a CISO then your organisation has had the epiphany that it is a digital business and it thrives, or withers, on its ability to deal with cyber risks in a hyper-connected world.
The CISO and their team help translate and contextualise the risks that come with doing business in the 21st century. This team helps your organisation prepare itself for the inevitable cyber incidents that are a fact of life.
If you're at a large organisation and you don't have a CISO, then it's a fair indicator that your organisation has not yet had that digital epiphany.
I find this concerning because it's a flag that your organisation may not be having informed conversations about cyber risk and potential business impact. You're also unlikely to have a coordinated response to cyber incidents, and that is itself a considerable risk to your organisation's resilience and sustainability. Cyber risk is not a problem to be fixed, it is a condition to be managed.
One of the most important capabilities of a good CISO is their ability to develop relationships across the executive layer. You need your CISO and their team to have a deep understanding of your organisation and what really matters to the business. This exploration will go through layers of maturity, and takes time, resources, ongoing commitment, and trusted relationships.
Your organisation needs the trusted relationships between your CISO and your executives to be in place before a serious incident. There's a great quote from JFK, "The time to paint the roof is when the sun is shining". Cyber security incidents are entirely foreseeable, and to claim otherwise is simply indefensible.
Promote internal talent
To be managing cyber risks appropriately, I think it's imperative your CISO is internal, full-time, prudently resourced, and continually developing relationships across your organisation.
External security consultants, particularly if they have been CISOs at large Australian organisations, can be excellent resources for asking challenging questions and providing pragmatic advice. Drawing on the experience and expertise of these people can be a useful step on an organisation's journey to a better understanding of cyber risks. Ultimately, though, you'll probably want someone internal because you'll want to work with someone who also has skin in the game.
The office of a CISO is a structure you put in place to help your organisation deliver a continually relevant response to cyber risk. You want your CISO to have an impact, you want to see processes challenged and informed consensus with business units achieved, you want to see tweaks to staff behaviours, as well as to the technical environment. You want your customers to have trust in your organisation. You want your suppliers to be vigilant against the potential impact on you if they don't hold up their end.
Cyber risk management is not static and there absolutely is no finish line.
As your organisation continues its search for pragmatism in approaching cyber risk, you'll want your CISO to be supported in their role, both with their own team and with senior executive sponsorship, because their success is your organisation's digital wealth protection.
Cyber security is much more than merely an IT issue, and while I'd like to argue that the CISO shouldn't report through a CIO, I know highly capable CISOs who would argue that point with me. And their reasoning, which I agree with, is that what really matters is the business outcome, not the reporting line.
If you accept the argument that cyber security incidents are a foreseeable business risk, then you'll agree that responding to them will require cultural, behavioural and attitudinal change at every level of your organisation.
Above all else, if you're hiring a CISO, do your reference checking. You're hiring this person to make an impact and, one way or another, they absolutely will.
"Small business risks being left behind in Australia's virtuous cyber security plans", May 2017
This opinion piece was first published by the Australian Financial Review.
It's now a year since the launch of the Australian Cyber Security Strategy. Could progress be better? Of course. But the progress is good. Actually, it's great.
The collaboration between government and the private sector has had a fresh wind touch its sails and the level of cyber security collaboration between many of Australia's largest organisations is at an unprecedented level. The recent global wave of ransomware, variously termed WannaCry or WannaCrypt, was a live-fire exercise for testing the efficacy of this collaboration.
The recent launch of the ASX 100 Cyber Health Check report was an excellent step on the journey to a more complete understanding of what will come to be viewed as due care in the domain of cyber risk management, and the launch of the Australian Cyber Security Growth Network is already making waves for the local start-up community.
The prevailing sentiment is that we don't really have a choice other than to work together because we absolutely have to be good at this. Collaboration is essential.
Yet for all this virtuous activity at the top end of town, there is a glaring omission with the lack of engagement with, and empowerment of, Australia's small and medium businesses.
SMBs account for about 45 per cent of the employed population of Australia, but the vast majority of these people and businesses don't have access to the kind of technical experts who can easily explain to them why upgrading to the latest version of software and using multi-factor authentication are so important.
That's nearly 5 million people who don't have a dedicated team of communication experts working to ensure that they are adequately informed on the value in performing the cyber equivalents of getting their car serviced regularly, and putting on a seatbelt.
Now, there's nothing wrong with what ASX organisations are doing to collaborate more effectively and the initiatives from the Australian Cyber Security Strategy must continue, but we're living in a fantasy if we think that the SMB space can take care of itself.
Digital safety
About 45 per cent of the working Australian population is employed by a business that probably doesn't realise that it is a digital company, and it is inextricably connected to a digital ecosystem.
If they don't know that they're digital-dependent, they cannot begin to make informed decisions about how they should manage the cyber risks they face. Cyber and digital are two sides of the same coin: risk and reward.
But it's equally unreasonable to expect all SMBs to become masters of cyber security.
SMBs don't need to be the cyber security equivalent of rally drivers, they only need to be able to drive safely on the public roads. Some may argue that it should be up to the government to educate and inform, as with any other public health and safety campaign.
Others will argue that market forces should be allowed to fill the potential market opportunity, of which there absolutely is one.
Now, if we as a nation don't get great at cyber security, and raise the tide for all boats, then there is a huge opportunity cost. Imagine half your customers being reticent to trust your new online initiatives. Imagine half your customers giving you bogus data because they had no faith in internet security.
Both the top end of town and government have a vested interest in the cyber security of the SMB space. Standing back and waiting for someone else to fix it won't work.
We cannot leave SMB behind. Not because it isn't an option, but because it's actually not possible for the Australian economy to thrive as a whole, while half of us are getting picked off like fish in a barrel.
Cyber security for SMB must be addressed and we must do it together. Welcome to the digital economy.
"ABS census was an IT and cyber security disaster waiting to happen", August 2016
This opinion piece was first published by the Australian Financial Review.
On Tuesday night the Australian Bureau of Statistics asked all households to complete the 2016 Census online. Leading up to the night, spokespeople from the ABS, and some politicians, were making impossible claims guaranteeing perfect security. Claims of being able to deliver perfect security, guaranteeing no data breaches, and no data misuse, are simply not credible. Many of us in the cyber security industry were vocal with our concerns.
Additionally, many privacy experts were very concerned about the ABS starting what amounts to a longitudinal study of individuals by retaining people's names.
The upshot was that many people tried to complete their census online, but the website crashed. I'm not gloating over this failure. No thinking person would object to the census on principle. We know the value of capacity planning based on data; a statement not without irony based on Tuesday night's debacle.
The ABS has said it was the victim of a Distributed Denial of Service (DDoS) attack, which is essentially using a network of compromised computers around the world to pepper a target with thousands or millions of requests, thereby aiming to overwhelm it. Like if you were standing in the middle of a crowd and everyone was trying to get your attention. The ABS also said, via its official Twitter account, that its website had capacity for 1 million census completions per hour on Tuesday night – but it thought that the likely number was 500,000.
Now, the ABS is in an unenviable position because one of two things happened. Either these alleged DDoS attacks did take the census offline, in which case the ABS failed to plan for an entirely foreseeable event. Or, the DDoS attacks did not cause the outage. This means that the census site collapsed under the load of Australians trying to do what the ABS asked them to do. Simply, this means that the ABS failed to plan sufficiently for peak load. Personally, I'm assuming the latter; largely based on the collapse of the ABS call centre due to unexpected call volumes in the lead up to census night. Poor capacity planning.
The ABS pushed us all strongly to use the website. Now, according to its website on the census, it expected about 15 million people to complete the census online. Most of these people were likely to address the census after they got home and had eaten dinner, but before they went to bed.
Not rocket science
So now you've got allegedly 15 million people all trying to access the site within a three to four hour window. Let's call it a five hour window, and even drop it to 10 million people. That's still 2 million people per hour. And that is double the 1 million people per hour that the ABS said the site was built to service. Planning for this level of demand is not rocket science, but it does seem that the census website was simply not designed to support a realistic level of demand.
The #CensusFail, as it's being referred to on Twitter, will be providing many people with valuable lessons. Sadly, most of these lessons are bread and butter for more mature IT organisations.
Given the importance of the census, it is extremely likely that if the ABS had gone to any of Australia's leading organisations and asked for advice, they would have got it in spades. The banks face DDoS attacks all the time, and know how to shrug these off.
Many Australian companies have large online systems that are built with an architecture able to withstand peak load from eager customers. Again, it is very likely that these organisations would have gladly shared their experiences with the ABS in how to build and provision a robust website. Instead, it seems that the ABS went on its own, and then completely outsourced responsibility for the design, delivery and testing of the Census website. There's nothing wrong with outsourcing IT functions or business processes; the industry has been doing this for some time. But outsourcing these functions does not absolve the customer of responsibility for assuring themselves of the vendor's capability to deliver to requirements. Trust but verify.
Sadly, this debacle will have undermined the trust of the Australian public in the ABS. And equally sadly, if past behaviour is any indicator of future behaviour, we can expect the ABS to continue to double down on its uninformed assertions, such as blanket guarantees about the security of data and the reliability of the census website.
It is critical that the ABS regains the trust of the Australian public, and the only way this is likely to happen is with a healthy dose of humble pie. We need the ABS to fess up and take responsibility.
We need the ABS to say publicly: "We miscalculated, and we are genuinely sorry. This has been a deeply humbling experience and we apologise for wasting the time of so many Australians. The staff at the ABS are hard-working Australians and we've all been impacted by this failure. We believe the census is of national importance, so we're going to postpone it for a year and learn from our mistakes. Australians have trusted the ABS for 100 years, and we are committed to earning that trust back. You can count on us to not repeat these mistakes again."
But humble pie is never appealing to people who seem to follow the Trump lie-and-deny school of thought. This is a strong statement, but we need merely review the last week of guarantees from the ABS against what has happened so far to see that there is a wide gap between its assertions and reality. What the ABS and our national leaders do next will reveal their level of commitment to us, our privacy, and our future.
"Australia is suffering a shortage of world-class cyber security teams", April 2016
Outside of the big four banks and Telstra, Australia lacks world-class cyber security teams.
This opinion piece was first published by the Australian Financial Review.
A few weeks ago I was fortunate enough to attend the world's largest cyber-security event, RSA Conference, in San Francisco. This year was the 25th anniversary of the conference, and there were 40,000 attendees, and over 500 vendors exhibiting.
My experience at RSAC reflected my experiences at many other international cyber-security gatherings over the years. I have come to the conclusion that Australia has pockets of cyber-security leadership that are world-class, and in some instances, world-leading. But these pockets of capability – almost all at the top end of town – are insufficient for the nation's needs.
In Australia we have a small number of organisations with big cyber-security teams, and established leaders with excellent bench strength in their direct reports. Principally, these pockets of cyber maturity are in the big four banks, and a hothouse of talent that has emerged in Telstra.
Each of these five organisations has cyber-security teams that exceed 200 people. By comparison, Google has over 500 security staff. These five Australian organisations are not the only pockets of world-class security practice and leadership, but they are by far the best-resourced in the private sector.
Not everyone has the resources of a bank to defend against cyber-attacks, but everyone is being attacked. This means that all business leaders must have an informed opinion on how their organisation is managing cyber risk.
Under attack
In March an internationally renowned cyber-security expert, and former security officer at the Pentagon, gave a briefing on current attack trends, saying US healthcare organisations have come under fierce attack. In these attacks, personally identifiable information about executives from different organisations had been explicitly harvested.
This information was then used for targeted attacks against these executives and their organisations.
In Australia, healthcare is just one sector where our cyber capabilities are sadly lacking.
If you look across the ASX 200, you will find isolated instances of cyber-security maturity and leadership which stand out, precisely because they are the exceptions. This is not sustainable, and it means we are trying to build our national economic future on uncertain ground.
We're all in this together, but we behave as though it's someone else's problem.
I am not arguing that every organisation needs to hire a chief information security officer and a team of 200 security specialists; that's not practical. I am arguing that having an informed opinion of your organisation's exposure to cyber risk is essential to balance the "risk versus cost versus benefit" equation.
Admitting the problem
The first step is to admit that we all have the same problem. Just because you're not aware of having been attacked, doesn't mean you haven't been. It's a foreseeable risk.
The second step is to identify what role in your organisation is accountable for cyber-security. If a company already has a CISO, are they optimally used?
A chief information officer who cares about security is a good start, but effective cyber risk management requires continual interaction and collaboration with legal, IT, finance, risk, and operations. It's a business issue, not just an IT problem.
Third, it's vital to know what your information assets are.
What are the information assets that your organisation depends on? What would be the business impact if everyone in the world could access them? Or you couldn't trust the data in them? Or you couldn't access the data for a minute, a day, a month, or ever again? This will give you a good map of where your treasure is.
Fourth, there is an excellent approach called "the Five Knows of cyber-security", created by Mike Burgess and Rachael Falk at Telstra. The Five Knows are: know the value of your data, know where it is, know who has access to it, know who is protecting the data, and know how well the data is protected.
Solving the problem
Use these five points as questions to generate answers grounded in reality, not hope.
Once your organisation commits to improving its cyber maturity, you'll also realise you need to look outside your organisation with the intention of learning and sharing. For instance, there are useful resources available from ASIC to help guide thinking.
There is also a steadily growing collaboration among our most capable CISOs, because they recognise the need for a unified response. Everyone's staff member is someone else's customer.
The more workers that participate in security interest groups and conferences the better; their network of peers will be their best source of ideas and intelligence on the threat environment.
There is so much hype in the market, with many claiming to have a golden cyber hammer, that it's easy to be overwhelmed by options – a common reflection from executives looking at the 500 vendors on the RSAC exhibition floor.
While cyber-security makes for bad TV, fortunately, it is an awesome team sport, and we have the makings of a great national team.
"Ignorance on cyber security no longer an option for boards", August 2015
This opinion piece was first published by the Australian Financial Review.
If you are a company director, you need to know that your company is under attack. It's not your fault but it is a problem you must deal with. Cyber security is not a technical problem that should be left to IT to deal with, it's a business issue and you must be able to demonstrate due care.
Many of the hacks against organisations are possible only because of sloppy maintenance practices of people and organisations that have been tolerated, as there are always more-urgent – but not necessarily more-important – things to do.
If you do not have an opinion of your organisation's strategy to deal with cyber risk, then either you don't have any security expertise in your organisation, or you haven't been listening to them – which amounts to the same thing.
This is a problem. Ignorance of the relevance of cyber security to your organisation is a glaring failure of organisational risk management and governance.
Any organisation listed on the ASX that does not have an executive with a clear mandate to understand the organisation's technical risks, and facilitate the decision-making on how to address these, is failing its obligations to run in the best interests of shareholders.
I've run through the list of ASX 200 organisations to look for who was accountable for cyber security. This role is often referred to as the chief information security officer (CISO), but variations in title abound. Outside of the banks and a handful of other organisations, there are few cyber security executives to be found. This may mean that security has been relegated to the IT staff (not an unreasonable approach, but it hardly inspires confidence because it's not an IT problem). Or, it may mean that the organisation is relying on third parties.
While it's valuable to get external perspectives, it's imperative that cyber security is focused on business enablement and that requires deep understanding of the organisation. Be wary of anyone who says they've benchmarked hundreds of organisations and here's the off-the-shelf framework that you should apply to your cyber security practices or spending.
CISOs worldwide will admit, in private, they don't know if they are spending enough, too much, or too little on security. But in an environment where benchmarking is overly simplistic at best and misleading at worst, the top CISOs ensure that what is spent is aligned with helping their business achieve its objectives. The top CISOs are the ones who can articulate what's really important and how it will assist the business.
Creaking infrastructure
A telltale sign that governance has taken a back seat is if your organisation is still running Windows Server 2003. Typically, servers are used to deliver an important capability to the business and store information assets. If it matters, you will maintain it. That looks like ensuring the software is up to date, from the operating system to the application. There will always be other more (allegedly) urgent expenses and budget cuts to deal with, but not protecting valuable data from foreseeable hacks or disruption is not a viable governance strategy in 2015.
This is the trap that the United States government's Office of Personnel Management fell into, resulting in poorly maintained systems that facilitated a hack that netted more than 20 million confidential records of current and former US government employees. No doubt the OPM faced all the usual challenges of budget and resource constraints, but it clearly failed to protect a critical information asset. The impact of this hack on the US is incalculable, and no amount of rebranding will make it better.
I've railed against organisations being blamed for being attacked, but being attacked is a foreseeable risk. As much as it's not an organisation's fault for being attacked, it's equally inexcusable for organisations to not have prepared for this eventuality. Preparation helps an organisation ensure that many opportunistic attacks are avoided, and that more-serious attacks are able to be recovered from. Just as any workplace knows the "safety first" mantra, we need organisations to be aware of the risks that come hand in hand with the stunning opportunity that is the internet.
Knowing the game
If you want to drive on the road, you must be trained and assessed, you should use better practices, you must follow the ground rules, and your vehicle must be maintained. If you want to conduct business on the internet, you should be informed of the risks, there are ground rules and better practices to heed, and your vehicles must be maintained.
In the cyber security world we throw around terms such as "people, process and technology", which are a bit of a lie. Security is delivered through people using processes and technology. It all comes back to your people. Do your people understand the risks? Are they acting prudently? Have they bought the shiny security toy with no insight into the commitment required? Is this control necessary, or will it merely be a sea anchor? Are we responding appropriately to an external obligation? Are we fighting the last war? These questions are the hunting ground of a CISO, and not enough Australian organisations have someone in this role.
If you're not aware of the value of your information assets, to your organisation, and to a potential attacker, then I think you're heading toward negligence. Assets should be protected commensurate with their value. Personally, I don't think we need new laws for cyber security because we already have torts. When the risks are as foreseeable as they are (and they are), executives must be able to demonstrate due care.
Cyber security has many technical elements but is absolutely a business issue. If you direct a company, it is your job to be able to show that you've acted in the best interests of your shareholders. I do not expect you to become a cyber security expert but you must get people inside your organisation who can walk you through this area so that executives can make informed decisions.