Oh dear.
At today’s 12th Annual Technology in Government conference, the Minister for Law Enforcement and Cyber Security, Angus Taylor, outlined the government’s strategies to combat cyber attacks beyond our geographic, legal and digital borders.
During his speech, Taylor provided an overview of government projects in the cyber security space as well as the difficulties posed by ever-changing threats and actors. However, the most eyebrow raising moment came when Taylor chose to evoke one of the Abbott government’s most polarising slogans:
As Australia’s cyber security maturity grows and evolves – we must adopt a posture of moving towards zero. Zero successful attacks, zero mistakes and zero negative impact.
Stopping the bots needs to have the same singleminded focus as stopping the boats.
While we can sort of see what Taylor is getting at here, it’s a problematic analogy for a number of reasons. Firstly, it adds a partisan element to what should be a politically neutral topic. Secondly, it clumsily lumps refugees in with cyber criminals and terrorists – which I think we can agree are two very different kettle of fish.
With that said, the speech provides a fascinating insight into the ways Australian law enforcement agencies are tackling online threats. It also provides some interesting titbits on privacy, big data and government vs consumer data rights. You can check out the speech in its entirety below:
Solutions for a society facing now more serious threats than ever
The Hon. Angus Taylor , Minister for Law Enforcement and Cyber Security
Thank you for having me here today.
Today I want to cover some key cyber security lessons from the last 8 months and then outline my plans for the future.
Today’s criminal and national security threats are increasingly characterised by global networks, sophisticated organisation and adept use of technology.
On a daily basis we are faced with criminal and nation state actors that are using cyber and cybercrime to attack the Australian Government, Australian business and the Australian public.
The frontline of our nation’s cyber defence – the gateways – are sifting through billions of cyber events every day. We currently have the capability to stop many of the denial of service, malware and phishing attacks directed towards Government But as you know, this is not a game of certainties – we are not stopping every attack.
As Australia’s cyber security maturity grows and evolves – we must adopt a posture of moving towards zero. Zero successful attacks, zero mistakes and zero negative impact.
Stopping the bots needs to have the same singleminded focus as stopping the boats.
Because it is the view of the Australian Government that hostile cyber activity will only continue to become more prevalent.
For criminals and other adversaries, the cost-benefit of cyber activity will only continue to grow.
As the global economy continues to digitise and to integrate new technologies – like the Internet of Things and 5G – the prize will only get bigger.
We have seen the impact of Europe’s GDPR upon privacy standards globally, and we have seen the passing of the CLOUD ACT in the US – a development the Australian Government welcomes.
Together, these developments will give Australians more control over their data with greater security, and it will give Australian law enforcement access to the information necessary to convict the very worst criminals.
However, we have also seen nefarious activity on the rise, including serious attacks on some of our most important institutions. So we have not been idle.
We have attributed cyber attacks to North Korea and Russia, we have worked more closely with our international partners than ever before, and under the new home affairs portfolio – our agencies have worked more closely with each other than ever before.
The joint taskforce that is the ACSC, has investigated attacks on Governments, the private sector and the public – and it has made a difference.
Only last week I announced joint law enforcement activity between our agencies and the FBI, that resulted in the arrest of cyber criminals targeting Australia.
It was a fantastic result and it couldn’t have happened without both national and international cooperation.
It’s something I reflected on recently – that there hasn’t been one single program, update, threat report or incident response that I have seen in my 8 months that was handled by one agency acting alone. I just haven’t seen it.
The agencies of the federal government are integrated and they are working together in a way that they have never before.
So why is that? Primarily I think it is because of the three core reforms the Government has implemented since 2016.
• The creation of Home Affairs
• The 2016 Cyber Security Strategy, and
• The response to the independent intelligence review.
These measures have created a structure that has been tested daily from the analyst level right up to the Prime Minister.
Because of the changes that we have made – this Government has been able to manage the increasing risk environment that we find ourselves in today.
What has changed since the 2016 strategy
However, in such an evolving area like cyber it would be naive for us to rest on our laurels and say job done.
Since it was released over two years ago, we have been constantly evaluating our 2016 Cyber Strategy and we have identified areas of emerging priority that we now must focus on.
We must expand our cyber defence of Government and we must build on our successful reforms to shape a new dynamic of engagement with the private sector.
First, let me address what we must do inside Government, because I am convinced that Government can only lead when it has its own house in order.
The Government’s cyber defences do not start and stop with the Defence Department and Home Affairs.
The Government’s cyber defences start with the lowliest APS1 and stop with the Prime Minister.
They start in the giant mainframes of DHS and they end in a USB stick that has been used to move files from one place to another.
It is a challenge that is great – but we must tackle it. Because our cyber security is only as strong as the weakest point. And as we have drawn together the core areas focused on cyber incidents –
AFP, ASD, ASIO, ACIC and Home Affairs – we have realised the impact we can have.
But we have also acknowledged the importance of engaging outside the national security agencies. Because, often the biggest prize in Government is not located in the ‘front offices’ at Russell or in Parliament House.
It’s in the back offices at Tuggeranong or Belconnen or in a data centre. Simply put, if the Government is unable to collect tax or deliver services then it will fall.
The challenge is large but the impact is great.
As part of ‘getting the government’s cyber house in order’ – there are three main initiatives that I intend to pursue in the first instance:
1. Implementing a clear standards, expectations and outcomes for our
security agencies, departments and Ministers
2. Developing a layered and world leading infrastructure – starting with the gateway review
3. Focusing on our procurement to ensure that as we buy new technology we are increasing our security, not decreasing it.
We must reach a space quickly where ASD is not the answer to every question. And to do that we must utilise our private and public partners more efficiently than ever before.
The Case for National Cyber Defence
In my time in this job I have been struck with the strategic uncertainty that cyber presents to the world order.
I am struck by the analogies with the nuclear build up of last century, where the scale of the threats created a peaceful standoff, albeit a tense one.
We haven’t yet reached that point in the cyber world, and there is a real debate about whether we ever will.
This strategic uncertainty is just as prevalent in Australia as it is in the rest of the world.
We are still working out how to deter our adversaries, how to create the kind of stand-off that reduces – or eliminates completely – the risk of a global cyber meltdown.
But reducing or eliminating this risk must be a priority for all governments. We have effectively been debating, in a digital context, the merits of Fortress Australia vs Forward Defence – an isolationist policy versus a more interventionist one.
And I believe we have landed, in the cyber domain, just where we have landed in the physical domain.
Australia’s national cyber defence must be one of Forward Defence. We can not expect to hide behind our fire walls and our gateways in some kind of glorious isolation and hope the threat will pass.
We must build a system that is active, interventionist and collaborative. Collaborative with our allies, our partners and of course most importantly with our private sector.
For too long government has viewed the private sector as a service provider or as a piece of infrastructure that must be protected.
And in traditional national security that was correct – and there is the problem we must address.
Cyber has many more similarities to personal security than it does to some of the more established national security challenges.
If we are going to protect our people – the Forward Defence of Cyber must deliver an economy wide view of cyber security.
It must be defence in depth. So what does defence in depth look like?
If you will indulge me let me take a simple analysis of personal home security to get us started.
You won’t think about it much – but there is a well-established set of constructs that have evolved in personal security. And government is at the center of it.
Firstly, we expect people to lock their doors – we don’t expect them to know the type of lock that they have and the particular tumbler characteristics – just lock their doors.
Secondly, we encourage them to have insurance.
Thirdly, we have alarms that are monitored by private security.
And finally, we have the police force and ultimately the Defence force.
So what is the role of Government in those examples? Well we provide the police and the defence force – but we also regulate the insurance and private security industries, and we make sure that the locks people use do what their manufacturers claim they will.
We don’t provide all of these services but we make sure they are available.
Now let’s take this back to cyber. We have police and defence.There is an emerging insurance market and there are many private providers.
But we as a government have not assumed the central role in the economy that we should play.
We don’t currently regulate or assure the market in a way, that we would for other industries. And that is because of the roots of Cyber – cyber comes out of the intelligence world.
The widescale defence of a nation is a new thing to intelligence agencies.
Its bigger than critical infrastructure, its bigger than protecting key secrets and it brings a new set of challenges.
Now this isn’t a criticism of our intelligence agencies – they have done an outstanding job in protecting all of us in the emerging cyber theatre.
We have been remarkably well defended through the major issues that have hit the world since 2016. But we must evolve and we must deliver.
It is my intention to deliver a new national cyber agenda – we must build a national cyber defence network.
National cyber defence is an integrated strategy that raises the bar across the Australian economy and beyond.
So what does national cyber defence comprise? Well it comprises the layered defence we spoke about but it also comprises an interventionist element.
Its core elements include:
• Threat blocking and targeting – both major and criminal
• A framework for strong attribution and response to cyber attacks
• Increased data sharing on threats
• An insurance market that recognises investment in security, and the data
necessary to support this
• Effective awareness campaigns, and
• A government that is able to lead by example.
Now I don’t have time to go through all of the elements today.
I will expand on many of them in the months to come. But I would like to cover one of the interventionist element to compliment my earlier comments on layered defence. And that is threat blocking and targeting.
Threat Blocking
The importance of threat blocking cannot be underestimated, and it is achievable.
Between the main players in the Government and private sector we often know exactly where the threats are coming from.
Too many of our attacks are from known sources that we are not shutting down. And when I say shutting down we are mostly commonly talking about blocking their traffic.
Now let me be clear – we are not talking about an internet filter. This is not blocking based on content – it is about blocking known malicious domains.
So how do we achieve this ideal of threat blocking security?
We must work with our private sector partners more effectively than ever before.
Fundamentally, that requires the unified efforts of our telcos, our cloud providers, our data centres and our core software providers.
Between us we see much of the activity and many of the threats.
It is my intention to develop this model within the Government, as an exemplar, and then roll it out to our key partners.
We must be able to come to our partners with a plan, with resources and a set of priorities that we can build on.
Threat Priorities
To effectively implement threat blocking we must know who is a threat to our economy and who to go after. This is fundamentally important to the our National Cyber Defence program.
This threat picture – if it will truly work – must be a coordinated process between Defence, law enforcement, government agencies and the private sector.
It must be open and relevant to all partners to work.
Under this concept we would have a common threat picture, a known target list and a set of priorities that best meet the particular capabilities of each member.
Law enforcement targets the criminality, Defence conducts national security, telcos actively block threats and everyone works to raise the default security posture of their customers.
Because that should be end goal of this activity – we can and we should be seeking to provide a level of protection for the public and business that we have never provided before.
For the public, it should be as simple as turning a lock, buying insurance and being sensible.
Conclusion
Quickly before I wrap up I want to reinforce my earlier point.
The current cyber threat is different and greater than we imagined in 2016 and it will evolve more than we can imagine into the future.
I am committed to ensuring that this Government is open, it is listening and more importantly it is working with all our partners to defend Australia.
We can achieve a cyber environment that is heading towards zero – but only if the federal government leads and our key partners join us.
I will continue to outline other key elements of our National Cyber Defence
Strategy over the coming months.
Thank you
Leave a Reply
You must be logged in to post a comment.