Ethics should be at the core of cybersecurity: ​Former cyber defence head

A trusted, ethical cybersecurity industry is vital to underpinning Australia's social and economic wellbeing, Major General Stephen Day, the former head of Cyber and Information Security at the Australian Signals Directorate, has said.

He also believes it is in the best interests of the country's national security to conduct business in such a way.

Speaking at the Intel Security Innovation Forum in Sydney on Thursday, Day said that all people involved in the area of security have a role to play in ensuring the industry goes forward in an ethical and trusted manner.

Having recently visited the United States, Day discussed the heightened awareness the US has of cyber threats; that there is a real concern about the threat of an attack in the US, in stark comparison to Australia.

"Out of this atmosphere, one tinged with a little bit of fear, has arisen some less-than-honourable businesses and business practices," he said. "There is a risk that the reputation of the cybersecurity industry could be harmed, and if that happens then the industry will be kept at arm's length, and that is in no one's interests."

According to Day, Australia relies on a safe, secure, and reliable cyberspace for its social and economic wellbeing, with the cyber defence veteran saying it is particularly important for those in the cybersecurity business to act ethically.

"If you are a cybersecurity vendor and you have a single technical product offering, do the right thing and explain to your customers that your offering will work best when it is part of a bigger plan," Day said. "If you are a consumer of cybersecurity products, and you have a vendor that insists that they have a single silver bullet solution, then you're probably best off showing them the door."

As an advanced economy that performs a large amount of business online, Day believes Australia is an attractive target for malicious cyber actors.

"We have some significant bilateral relationships and alliances, and there is some unique research done in this country. Wi-Fi was developed in this town and we have some strategically important natural resources, too," Day said.

"In the short time that we have been together, there will have been thousands of cyber attempts against our financial institutions and our retail sector -- several countries will have made several attempts against some of our biggest businesses and our government."

Reflecting on his time in defence, the major general said organised cybercrime is not only global, but also a lucrative industry. Governments and businesses alike need to play catch-up, as Day said many cybercriminals worked out long before most that data is a commodity from which you can make money.

"Some of these criminals have very close links to the intelligence and security services of their countries; sometimes we found it difficult to determine if an attack had been prosecuted by a criminal gang or by a nation state," he said

"Some of these criminals work for their intelligence or security services by day, and at night to make money on the side, use their learned tradecraft."

According to Day, cyber incidents are now reasonably foreseeable, which he said is very important when a business finds itself in court.

"The days of companies being able to say 'this is all very new, how the hell could we have taken reasonable steps to protect against these' are over," he said.

During his time with the Australian Department of Defence, Day also headed the Australian Cyber Security Centre, previously discussing how Australia's cyber defences were "pretty ordinary".

During his tenure with defence, Day was proactive in reducing the successful penetrations against the Australian government by 70 percent, and also reduced the time for detection by 2015 to less than 10 percent from previous years.

Day said the way cyber defence was tackled by the department changed after they realised they were clearly not succeeding. As a result, Day and his team implemented four fundamental ideas: That cybersecurity is a process, not a product; that cybersecurity is a senior leader concern, with organisations not to leave it to IT alone to sort out; that businesses need to detect early; and that businesses must have a tried and tested plan for when something does go wrong.

Paving the way for Australian businesses to follow, the federal government unveiled its AU$230 million cyber strategy in April, which focuses on closer collaboration with business.

The strategy aims to defend the nation's cyber networks from organised criminals and state-sponsored attackers, and sits alongside the AU$400 million provided in the Defence White Paper in February for cyber activities.