Alastair MacGibbon out to fix Australia's broken cybersecurity model

A few months into the role as Australia's first Special Adviser to the Prime Minister on Cybersecurity, Alastair MacGibbon has his eyes set on working through the 33 initiatives of the Cyber Security Strategy.

Alastair MacGibbon, Australia's first Special Adviser to the Prime Minister on Cybersecurity, may have 33 initiatives to work through as part of the Cyber Security Strategy, but his main priority is to fix what he refers to as the "broken model" of cybersecurity in Australia.

Speaking to ZDNet, MacGibbon said the country's current approach to cybersecurity is flawed, and while one of the components of the strategy is to protect the country from cyber threats, employing more people to battle against the growing number of cyberattacks is not the solution.

"If all we do is increase the staff -- which we rightly should be doing of investigative agencies and intelligence agencies against the threat without actually making the system we're trying to protect more resilient, or the economy we're trying to protect more resilient -- we are actually going to fail," he explained.

"This is about resilience. This is about educating the public to reduce the likely threat vectors. This is about working with companies to reduce their threat vectors, so we reduce the likelihood of a breach, and by the way, if there is a breach, we would have a better understanding of what has actually occurred.

"Firstly in cyber you often don't know what you don't know. When you do know about a breach then you go through the process of understanding what happened, and that can be very hard, and if not impossible sometimes...to understand what's wrong. That's why I say it's a broken model if all we do is put more cops on the beat; you can't arrest your way out of this problem, you need to develop the ecosystem, you need develop a strategy in this space."

The Cyber Security Strategy was announced in April by Prime Minister Malcolm Turnbull, who at the time pointed out it was necessary to "safeguard against criminality, espionage, sabotage, and unfair competition online".

"Australians are targets for malicious actors, including serious and organised criminal syndicates and foreign adversaries, who are all using cyberspace to further their aims and attack our interest," he said.

The government is investing AU$240 million to defend the country from foreign cyber attackers. It specified that, as part of the 2016-17 Budget, AU$47.3 million will be spent creating Joint Cyber Threat Centres and an online threat sharing portal; AU$21.5 million will be set aside to expand CERT Australia; AU$10 million will be used for a security awareness campaign; and AU$2 million will expand the government's exercise program for cyber incidents.

The other component of the cyber strategy, according to the former Australian Federal Police agent and Children's eSafety Commissioner, will be to grow the cybersecurity ecosystem and create a "cyber smart nation".

He believes the key to this will be through education of end users starting at primary school through to tertiary level, particularly in science, technology, engineering, and mathematics (STEM) subjects, to ensure they will be able to work in the private sector and will be cleared for government work, too.

Growing the ecosystem also requires participation from the industry, with MacGibbon pointing to the work Data61 has been doing to accelerate cybersecurity innovation in the country.

In April, Data61 signed a memorandum of understanding with Cyber London that will see Australia and the United Kingdom share expertise, resources, and capital to develop programs for improved "cyber skills and governance"; launch a CyLon accelerator program in Australia; and support and commercialise new ideas, including building a physical and virtual environment in each country to showcase "cyber innovation and solutions" to prospective partners or buyers.

"Data61 is a phenomenal government asset and how do we use that remarkable asset to help do really interesting research to solve real life problems we face today, and commercialise those solutions to help build that domestic industry," MacGibbon said.

"If we get it right with the universities to help skill people, if we get it right with educational institutions and younger Australians that's a remarkable thing."

A key part of delivering the strategy is knowing how to be "agile", much like the way startups operate today, said MacGibbon, who took the same attitude when he entered government in April last year as the eSafety Commissioner. He believes operating like a startup will let him fail fast before moving on quickly, and admits that some elements of the strategy will fail.

"My view, my role, my instructions are to quickly asses those and drop them, move on to the ones that work. Doesn't sound quintessentially public servicey but that's our goal. Our goal is to look at where we get traction and pile in on those, and frankly have the guts to come back to the public and say this is where we've failed, and this is what we're going to do to rectify it or just drop it," he said.

MacGibbon believes the so-called agile approach will also help solve the skill deficit problem that currently exists in the cybersecurity industry, as it will make it easier to work with academia, schools, and industries to harness the pent-up desire to make a step change and convert those intentions into actions.

"We need to change the incentives, and frankly we need to change the narrative. Part of my role has to be to help shape the concept that there is something very noble to go work for government.

"In this space in particular, it is a phenomenal service to your friends and families, and your neighbours...to convince Australian kids that it's a fantastic career. But it's not all they're going to do, if they come and work for government at some stage in their career there will be remarkable things they can do, it's a job for life.

"We have a skills shortage and that will only get worse, unless we are effective in changing that narrative, and have that narrative work through that system."

Previously, when MacGibbon was the Children's eSafety Commissioner, he admitted to ZDNet that cybersecurity education for employees had largely failed, and called for the "failed government industrialised model of central distribution of information" of policy and funding being developed in a minister's office to be dumped, with the focus instead on building a new model with the next generation of Australians.

Other goals MacGibbon said he hopes to achieve in this role include building upon existing activities.

"For example, CERT Aus already reaches out to the top 500 or so companies in Australia, but how do we industrialise that, how do we make that stronger, how do we increase the sharing of information. The sharing of information between companies and government is something we have to get right," he said.

On the topic of information sharing, MacGibbon said the government is strongly committed to creating an "open and free government where government doesn't control it" as part of efforts to build strong, trusting relationships with the industry.

"There are governments in the world that are convinced they should be controlling the internet space, not for purpose of security but not necessarily allowing free and open communications," he said.

"The Australian government is committed to the concept of internet governance that is not controlled by governments. A very important component of that is it does not mean the internet should be a safe place for criminals. A key part of this strategy is helping empower the Australian Federal Police to further project their capacity into so-called safe havens to reduce the likelihood that sometimes criminals can get away with.

"But it's not a solution in itself you cannot arrest your way out of this cybersecurity problem, but you shouldn't allow people to openly catch you as well."

According to MacGibbon, a key component to information sharing will be to build physical places to share information in capital cities, so people do not have to travel down to Canberra.

"It's wrong of the federal government to assume everyone should come to Canberra. We will create physical places that will allow for the secure exchange of information, and we'll virtualise that for other industries to the lower level of information," he said.

However, on that note of building a safer internet, MacGibbon said he is pro-encryption, even if the trade-off means making it more difficult for law enforcement and intelligence agencies to do their job.

"If a billion or several billion of us online can be safer because of the use of end-to-end encryption and a few threat actors benefit from that encryption, then we need to develop a new muscle in law enforcement and intelligence on how to investigate those people. That doesn't mean, of course, we shouldn't have access to the courts or have judges compelling people to do certain things, handing over their password, for example."