Lack of security leadership hindering Australian IoT progress: UNSW professor

UNSW cybersecurity professor Jill Slay has criticised the Australian IoT industry for failing to incorporate security into the core design of IoT products, and bemoaned what she sees as a significant lack of cybersecurity leadership in Australia.

At the second annual Everything IoT Summit in Sydney on Monday, professor Jill Slay, director at the Australian Centre for Cyber Security at UNSW in Canberra, lamented Australia's lack of leadership around cybersecurity, as well as vendors overpromising and under-delivering, and urged Internet-of-Things (IoT) developers to incorporate security into the core design of IoT solutions.

Currently, there are more than 8 billion devices connected to the internet globally, according to IHS's Connected Device Market Monitor, with this number estimated to grow as high as 212 billion devices by 2020. Though market predictions vary considerably -- Cisco has estimated this number is more likely to sit at around 12.2 billion -- the general consensus is that we have surpassed the "emergent" phase and that IoT will continue to grow at an accelerated pace.

However, there are urgent cybersecurity challenges we need to address before we diverge further into a connected world, according to Slay, who said the growth of cybercrime in Australia has been exponential.

The first is the skills shortage, she said, and as technology advances, so too does crime. As such, existing network security staff need to be upskilled, while a new generation of security professionals needs to be trained from the ground up, according to Slay.

"Just as we have a huge shortage of data scientists, we have an equivalent shortage of cybersecurity professionals, and even a greater shortage of those who deal with big data and cybersecurity," Slay said.

"Now we're at the stage where we're trying to train a new generation of people who might have equivalent vocational qualifications to understand what the Internet of Things looks like, what breaches to the Internet of Things look like, and how in their everyday jobs they can deal with it. But as soon as we do that, we're going to have a whole generation of hackers who do that too."

Slay said cybersecurity is often mistakenly believed to be the same as network security, and pointed out that it is far more complex and larger in scale, encompassing a range of political, social, legal, technical, management, and personnel issues. This is why it's both difficult and essential to find qualified cybersecurity professionals.

Slay said that since the Maroochy Shire water services incident in 2000, which is claimed to be the first attack on critical western infrastructure, we have seen the increasing "weaponisation of the internet."

"Sixteen years later, we have customised, highly targeted malware, which through the internet, could find the exact system that it wants [to attack]," said Slay.

She added that there's also a common belief that organisations simply need to purchase the right cybersecurity tools and their systems will be secure. Slay promptly debunked this idea, warning that vendors tend to make unrealistic promises.

Speaking of her job as a cybersecurity researcher, Slay said she and her colleagues have hacked every kind of device you can imagine.

"We walk a few steps behind you agile people who adopt [new technologies] -- then we attack them and tell you why you shouldn't use them," Slay added.

"Our mantra is: 'Don't bolt on the security afterwards, build it in at the beginning.' Security by design ... Hack [your devices] to death yourself."

Despite cybercrime growing at an "exponential" rate in Australia, Slay said it's underreported and therefore not deemed a national priority.

In Queensland for instance, Slay said there are more cases of domestic violence than of cybercrime, so funding is being allocated to fight that.

"We haven't got the financial resources or the people resources to deal with [cybersecurity issues effectively]," Slay said.

In April this year, Prime Minister Malcolm Turnbull announced that the government would invest AU$240 million into its cybersecurity strategy, with a particular focus on the sharing of threat information between business and government. The strategy is aimed at defending the nation's cyber networks from organised criminals and state-sponsored attackers, and sits alongside the AU$400 million provided in the Defence White Paper for cyber activities.

The government also announced that it would spend AU$136 million on small business grants to boost security, increase the government's cybercrime intelligence and investigation capabilities, create a threat information-sharing portal, and be able to identify vulnerabilities in government systems.

According to Slay, funding is still insufficient and the US government is "way ahead" of Australia with its national cybersecurity systems.

Slay also complained there is no clear cybersecurity leadership in Australia, pointing out that cybersecurity is an issue of national security.

"If you live in my world -- the training, teaching and research world -- it is really difficult to understand who wants to be the leader in cybersecurity, who wants to say, 'this is the direction in which we should go nationally'," Slay said.

"If you look at the academic literature ... there are two major voices in the literature. One is the computer scientists who have done great work in developing the algorithms and the machine learning [technology] that we trust ... but also, this is the realm of cybersecurity for national security. Cybersecurity gets mixed in with national security."

From her research, Slay also noticed a problem at the bottom end of organisations, where IT and engineering departments didn't want to work together, thereby risking the organisation's cyberhealth.

"We actually looked at the security of control systems across the country and much of what we had to report back wasn't actually a technical issue, but a communications issue," she said.

"Engineers and IT not wanting to talk to each other; engineers who said certain systems belong to them; IT people who wanted to do patching; engineering people who wouldn't let IT people do the patching; physical security being incredibly important to some groups, while logical cybersecurity not being so important."

Slay believes poor cybersecurity practices among SMEs could make large organisations vulnerable, despite their own best efforts at tackling threats.

"I feel the top end will be reliant on the bottom end ... and the risk is at the bottom end. In Australia, a lot of SMEs, they struggle to deal with cybersecurity because it is hard for them to access the right level of expertise at the right costs," Slay said.

To address the slow-moving pace of cybersecurity measures, CSIRO's data analytics division Data61 opened its Cyber Security and Innovation Hub in Victoria earlier this month. The hub will work with government, industry, and the private sector to tackle what is believed to be an AU$98 billion cybersecurity market.

Earlier this year Alastair MacGibbon was appointed Australia's first Special Adviser to the Prime Minister on Cybersecurity. He told ZDNet in August that there are more than 30 initiatives he'll be working on as part of the Cyber Security Strategy, but his main priority is to fix what he referred to as the "broken model" of cybersecurity in Australia.
