27/06/2017
Speaking at the Organisational risk in an era of cyber threats event, Mr MacGibbon said there were three clear events which had helped shift the discussion.
“The first happened in August last year which was the failure of our census,” he said.
“When you look back at it, it was actually quite a minor matter…in the sense that it was a series of very minor denial of service attacks and it was the Australian Bureau of Statistics choosing to take that site offline.
“But if you have a look at the reaction both politically and publicly to those events, it was quite a significant turning point for government.
“It called into question the government’s ability to deliver digital services in an era where the public increasingly expects seamless digital service delivery – whether that’s from the public sector or the private sector.
“The census events were really important for us, important in terms of a learning experience...but the most important thing for me was a shift in conversation in the corridors of Canberra.
“Secretaries and agency heads were suddenly having a discussion about risk rather than compliance…resilience of their services rather than just delivery.
“That’s an important shift in the language. And it wasn’t just in Canberra…it was state and territory government agencies.
“Perhaps more importantly still, it was in boardrooms.”
Mr MacGibbon said the other events were the ransomware attack on the UK health system and the influence of Russia in the US election.
“Nothing else we do as a government really matters if the institutions that govern us could be influenced,” he said.
“These are bi-partisan issues; in fact, they are multi-partisan issues. There is no debate in Canberra anymore on whether or not cyber is important.”
Australian Cyber Security Network, CEO, Craig Davies discussed the change in ecosystem, focusing on supporting Australian companies in the space.
“We have a habit of trusting that it can’t be good because it comes from Australia,” he said.
“That’s ok because you want to buy a solution that suits your business. But what we want to change is how do we let those firms in the room, how do we expose them to you?
“We know that people don’t know how many security firms there are and who they can talk to.
“We’re currently tracking over 100 companies in this space and every day we continue to find companies.
“What happens to security firms here, our habit is we get them started…they start to get a little bit of traction and the very first thing that happens is they have to do is move to the United States or overseas.
“We have some that have stayed here. The ones that have gone overseas we’re working with them to help them to come back home.
“What we’re also thinking about is how do we help foreign firms establish in Australia?
“We’re working with firms who traditionally might have gone to Singapore or Hong Kong to create an Asia Pacific operation and we’re helping them come into the Australian market.
“We’re setting up operations in each state that are actually owned by the state government.
“In each of the cases, we’ve asked the state to essentially become a franchise of the national program.
“We want to have the same experiences for business in each of the states. We want to have a consistent story for how we’re growing the segment.”
Mr Davies said collaboration between the states was also an important part of the program, while also encouraging each state to focus on their area of expertise.
“We only have one key metric: how do we create a measurable economic benefit for this country,” he said.
“Our time is severely limited, we run the risk of becoming an outlier economy or branch economy in cyber security.”
Microsoft National Security Officer, Greg Gale also spoke at the event and said that cyber security is a team sport.
“One of the key things we really want to focus on is partnering; the sharing of intelligence, the sharing of information,” he said.
“Partnering with industry, partnering within government and partnering with each other because ultimately if we’re going to make the nation stronger, and the nation safer, that’s how we do it.
“We need to realise…that cyber security is actually a team sport.”
Mr Gale also discussed the impact of cyber security on an organisations reputation.
“Largely these days the damage that happens to an organisation's reputation as a result of a cyber security incident isn’t actually because of the incident itself. It’s that identification of what they did to respond, and the hindsight analysis…of what they could have done to prevent this,” he said.
Using Microsoft as an example, Mr Gale discussed a tech scam issue which was seeing 10,000 calls to the digital crime unit each month.
“The Windows support tech scam is not actually Microsoft. It’s not a problem with our product, it’s not a problem with our services. But we’re getting 10,000 calls a month, and that’s where you start to look at it and think well actually, that’s impacting our reputation. It’s our brand that’s being used to exploit these end-users to do this tech scam,” he said.
“So what do we do about it?
“The free trade commission in the US just last month launched a crackdown on those tech scammers to try to prevent it from happening.
“Most of that was based on the fact we had already done this work, and that we can capture all this data and present it to government or law enforcement so they can do something with it because otherwise it’s too much information for them to consume.”
(Craig Davies, CEO, Australian Cyber Security Network, replaced speaker Dr Maria Milosavljevic Chief Information Security Officer, NSW Government)