Australia's cyber defence 'pretty ordinary' before ASD's Top Four

The Australian Signals Directorate has revealed that deployment of its Top Four mitigation strategies has vastly improved government network defence since 2012.
Written by Stilgherrian, Contributor

In terms of defending Australian government networks, "we've had some pretty ordinary years," Major General Stephen Day, Head of Cyber and Information Security at the Australian Signals Directorate (ASD) said on Tuesday.

"Things started to turn for the better in 2012 as the awareness campaign started to get traction."

That awareness campaign was for the ASD's Top 4 Strategies to Mitigate Targeted Cyber Intrusions.

Those strategies won the organisation, then known as the Defence Signals Directorate (DSD), the US Cybersecurity Innovation Award in 2011. They are mandatory for Australian government networks, and have also been adopted by the UK and Canada, as well as commercial organisations including Kaspersky Lab.

Day told Check Point's Cyber Security Symposium in Sydney on Tuesday that he'd approached the implementation of the Top Four as part of a campaign with a clearly-defined goal: there would be "no compromise of Australian government agencies" between mid-2013 and mid-2015.

"There were a lot of people who were uncomfortable with that, particularly the word 'no'. No compromise. That means it can be measured. That means you can be held accountable," Day said.

"The amount of effort that went into getting that right was quite extraordinary."

ASD had three "lines of activity" in working towards those goals. The first, which comprised the "vast majority" of organisational effort and energy, was about what Day called "sovereign mitigation" -- that is, implementing the Top Four awareness campaign, the politics and process of making them mandatory for government organisations, and developing a system for measuring progress in implementation.

"The other two lines of activity were about actions against our adversaries," Day said.

"Some other place, some other time, we might be able to talk about them. But those last two were much smaller efforts for us."

Day said this strategic approach to improving network security gave coherence to ASD's efforts, as well as a coherent narrative that could be explained to non-experts.

"People now knew what we were trying to achieve, [and] how we were going to do it, and two things came out of that. One, trust, confidence in us. And two, resources."

Day then showed a chart that tracked the progress of ASD's efforts, "a combination of the number of compromises of the Australian government, and the extent of those compromises", since 2009, the first year from which there was confidence in the data.

"In other words, the higher the bar, the sadder the news."

While the vertical axis wasn't numbered, the chart showed clear progress. For 2009 and 2010, the columns were around 80 percent of the peak reached in 2011. For 2012, when the Top Four started getting traction, the measure was down to just a third of that peak. And for 2013 and 2014, it looked like the measure was down to well under 5 percent of that peak, or even less.

"I've never shown this in a public forum, and I want to make a point very clear: no hubris. It is entirely possible that next week, even tomorrow, we can find out that actually 2013 was a disastrous year -- and I'm going to have to change those bar charts, and I'll come back and apologise. That could well be the case," Day said.

However, Day had "reasonable confidence" in the truth of the numbers, because preventative measures are "vastly improved", and ASD is better at picking up problems.

"A few years ago, it would often take us nine months to twelve months to identify that there had been a problem. Our recent experience is that it's measured more in weeks than months. So I have reasonable confidence, but I wouldn't be surprised -- though I would be disappointed -- were there to be more problems than we've identified in 2013 and 2014," he said.

"2015 is turning out to be reasonably good for us too."

Day said there have been three barriers to information sharing between the government and private sectors, and amongst private-sector organisations: commercial sensitivity, how the government classifies information, and the "lack of mature systems and arrangements" to exchange information securely and at "net speed" so issues can be addressed quickly.

"It is really important that we solve this problem, because cyber security is a quintessential team sport. If we are collectively to get ahead, we have to swap experiences and the lessons that we've learned," Day said.

He congratulated the banking industry for its recent information-sharing initiatives, as well as Telstra's openness and its recent public announcement about a security problem with its recent acquisition Pacnet.

"There is no doubt in my mind that we in government have to work much harder to declassify what we know, and to get it out there to the people who can actually use it," Day said.

A first step in that process will be an unclassified report about the cyber threat across Australia, which will be released later this month. It will hold "few surprises" for cyber security experts, Day said, but it will be a "comprehensive, authoritative document that you can use to speak to executives, to boards, to those who just don't get it -- yet."

Day has also invited seven telcos and ISPs to join ASD in the new Australian Cyber Security Centre (ACSC).

"We are going to learn together about how we exchange information for the benefit of our country. How do we do this at net speed? What does the information need to look like so that it is actionable?" Day said.

"I have a vision that your national centre will have footprints in each of our major capital cities ... where we can face-to-face build relationships, and interact in particular with industry."

But while information-sharing is important, and "we need to get to a better place", Day said that the conversation about how we go about things has "crowded out the conversation about what it is that we are trying to achieve."