Avoid distractions to focus on the long cyber game: ASD chief

Organisations need to focus on the basics and think five years ahead, says Mike Burgess, director-general of the Australian Signals Directorate.
Written by Stilgherrian , Contributor

Organisations need to avoid short-term thinking about their cybersecurity needs, and avoid being distracted by the latest over-hyped technology, according to Mike Burgess, director-general of the Australian Signals Directorate (ASD).

"Think longer term, not just the next six months, and not just the next product or service you buy, as important as that may be. Think about the next five years. What might be on the horizon? What are the threats and risks?" Burgess said during his keynote address to the SINET61 cybersecurity innovation conference in Melbourne on Tuesday.

"Don't get caught up in the hype and excitement in this technology-enabled world. Artificial intelligence is one great example of that. 'Peak hype' comes to mind," he said, referring to the Gartner Hype Cycle model of technology innovation.

"We all use the innovation word today, but what research does your organisation actually invest in? And when it comes to identifying and managing cyber risks, you should know what is important to your business, and what is important to your customers."

Stuart Mort, chief technology officer for cybersecurity at Optus Business, said that vendors, and especially startups, need to be careful about the language they use.

"I've got machine learning and AI fatigue at the moment, because everybody does machine learning and AI, and it's generating more questions for me. What's your data pool to drive that machine learning? You're a startup. How have you got access to data to actually test your machine learning capabilities?" Mort said.

"Talk more about how you're going to integrate into my environment and not cause me more problems."

Angus Taylor, minister for law enforcement and cybersecurity, also identified integration as a problem, referring specifically to the vendors who provide network gateways to government agencies.

These gateways are "fundamentally important" to Australia's active cyber defence strategy. Their role includes defending against distributed denial of service (DDoS) attacks, spearphishing, and spam.

"So far they are not integrated into our cyber defence as much as I would like, particularly in their governance, and in their strategy development," Taylor said.

"This needs to be a real focus for the government in the coming months and years."

Managing cyber risk "isn't rocket science", according to Burgess.

"Think it through. Pay attention to what's important. Pay attention to your hygiene. And don't get distracted," he said.

Burgess cited Telstra's Five Knows of Cyber Security [PDF], which were developed by his team when he was the telco's chief information security officer, and the ASD's Essential Eight strategies to mitigate cybersecurity incidents.

"ASD's Essential Eight is advice that makes a real difference when applied," he said.

"Just last Friday I was briefed by the [Australian Cyber Security] Centre's hunting team. They had just completed a hunt on a federal agency's network -- a network that had been compromised in the past. In this case, the hunt did not identify any compromises, but it did identify attempts which would have been successful if the department had not applied ASD's Essential Eight."

Burgess did not identity the agency in question.

He did, however, re-emphasise the priorities he'd published in the ASD's Corporate Plan 2018-19 in July, and the operational priorities previously announced in April.

Australia will continue to name and shame malicious nation-state actors

Australia has already officially attributed cyber attacks to both North Korea and Russia. Blaming Russia for the NotPetya attack was a coordinated diplomatic action involving seven nations, with official statements of support coming from five others.

This naming and shaming of nation-state actors will continue to be part of Australia's cyber diplomacy, according to minister Taylor.

"We have to face reality with this... We are facing hostile governments with potent intelligence and cyber capabilities ... and often we see them working closely with criminals," he said.

"We will keep doing it. It is absolutely crucial that we attribute attacks when we know where they are coming from. That is an important part of the process of establishing a doctrine for how we act on the international stage when it comes to cyber, and the good news is that our Five Eyes partners in the US, and UK, and Canada, and New Zealand have exactly the same mindset."

These attributions are a key part of Australia's assertive cyber diplomacy strategy, launched in October 2017. Australia was instrumental in creating the UN's 11 international norms for behaviour in cyberspace, and has made it clear it will deter and respond to unacceptable behaviour.

Australian Ambassador for Cyber Affairs Dr Tobias Feakin said that the International Cyber Engagement Strategy is due to be revised in October 2018.

"We currently have an update to that going through legal teams right now. We're ahead of where we expected to be, and we'll be well ahead globally in terms of coming out and actually putting in to the public what our approach internationally in this space is," Feakin told ZDNet.

"Genuinely, around the table with like-minds, they're still kind of marvelling at the fact that we published what we did in 2017. For us it's like, yeah, that's great, it was a nice starting point, but we're pushing way beyond that now."

Related Coverage

Cyber security: Nation-state cyber attacks threaten everyone, warns ex-GCHQ boss

Citing Russian cyber attacks and WannaCry, ex-GCHQ director Robert Hannigan says nation-state campaigns have become "a problem for everybody"

New Zealand gets NZ$3.9m 'cyber' boost in 2018 Budget

The Computer Emergency Response Team, a government CTO, R&D, and Communications get a slice of the New Zealand Budget.

ASD restructure: Trouble at t' cyber mill?

Differing views within the recently restructured Australian Signals Directorate, described in one media report as an 'internal brawl' and 'internal frictions', could highlight a deeper, more challenging division.

ANAO calls out low self-assessments of Commonwealth cyber compliance

With multiple cyber checklists to test against, Australian government agencies have a strike rate little better than a coin toss.

Why foreign actors are a big cyber-threat for business (TechRepublic)

OT and IT need to merge, says RedSeal CEO Ray Rothrock, in order to protect your company from cyberattacks.

Editorial standards