Take a lead from Turnbull's 'forward-leaning' infosec posture: senior ASD officer

​As the Australian Cyber Security Centre approaches its first birthday, Assistant Secretary Joe Franzi reckons that being risk-averse won't cut it in tomorrow's world.
Written by Stilgherrian , Contributor

There's been a culture change. Large private-sector organisations and government security agencies are telling the same story. Infosec is now all about balancing risk with opportunity and convenience. We can often afford to be a little more "forward-leaning", as Joe Franzi puts it.

Just like Malcolm Turnbull.

"Organisations should not seek to protect all information to the same degree," said Franzi, the assistant secretary who heads up the Cyber Security Branch of the Australian Signals Directorate (ASD).

"I love the fact that the industry, in the last five to 10 years, has really moved to this risk-based decision-making model. You can't protect everything. Nor should everything require the same industrial level of protection," he told the national conference of the Australian Information Security Association (AISA) in Melbourne on Thursday.

"We do it at home ... Those of us that have got personal devices, some of us are running apps to secure our voice, secure our text. Others don't. You make the judgement. You've made a risk-based decision," he said.

"Even in government, we find a varying level of risk appetite. Some agencies are risk-averse, and sometimes they're risk-averse in areas where they shouldn't be. And then there are others that are a bit more forward-leaning. And I think you can take a lead from our new prime minister. He's very forward-leaning in this space, as you can see with articles in the media recently with his push to personal-type devices used within government."

Franzi is referring to reports that Prime Minister Malcolm Turnbull uses a commercial email service and messaging apps such as Wickr, as well as his official government email account.

"You need to balance reducing risks, and reducing efficiency and convenience," Franzi said.

"That used to be the old ASD model. We used to say 'no' so many times that we hamstrung organisations from actually doing too much. That's not going to cut it in today's world, and certainly tomorrow's world."

Yes, there's been a culture change, and nothing illustrates it better than the difference between Franzi's appearances at the AISA conferences in 2013 and 2015.

Two years ago, journalists were banned from the conference room while Franzi spoke -- although the ban didn't work in practice, because not every journalist was known to the bouncers.

This year, Franzi was speaking in the wake of his former boss, Major General Stephen Day, having openly discussed how Australia's cyber defences were "pretty ordinary" before the ASD's Top 4 Strategies to Mitigate Targeted Cyber Intrusions were implemented.

Franzi hinted that the Top 4 may become the Top Something Else in the not too distant future. New ASD data is apparently revealing a shift in the risk profile.

Franzi also gave an exclusive interview to this writer, and discussed the work of the Australian Cyber Security Centre (ACSC), where the Cyber Security Branch he leads forms the major contribution from the defence sector. It was his first on-record media interview in the nearly five years he's been in his current role.

The ACSC brings together cyber security capabilities from the Australian Security and Intelligence Organisation (ASIO), the Australian Federal Police (AFP), the Australian Crime Commission (ACC), CERT Australia, and the Defence Intelligence Organisation (DIO).

It was opened by former prime minister Tony Abbott less than a year ago, in November 2014, and Franzi said that it's been an exciting time.

"It's gone fast, and I think the main achievements have been getting all of those agencies in, physically into the centre, with all of their systems, their personnel, working out where they're situated on the floor plate, and then getting up into an operational rhythm," Franzi told ZDNet.

"We're now at a point where, on a daily basis, those organisations quickly get together on operational issues -- can quickly work out who's got the lead, what particular assistance needs to be provided, what's happening in incident response, what's happening in intelligence-sharing -- and I think we're in a normal operating tempo now."

Physically, the heart of the ACSC is a little like a security operations centre, with operator stations arranged in a room with big screens on one wall. Franzi likes to call them "senior officer fascination screens". But it's not a SOC as such, in that its task isn't defending its own networks.

"But we're certainly SOC-like, in that we have an integrated operations area," Franzi said. Staff from the member agencies all access "the same system" to share information and work on issues.

Franzi is "really pleased" that personnel from organisations with different cultures and "very different DNAs" have taken to the concept. "I think one of the pleasing things has been they [the cultural differences] have not stood in the way of the collaboration," he said.

"If I think back to the old model of the Cyber Security Operations Centre (CSOC), which was very ASD-heavy, sat inside the Australian Signals Directorate, and only had small numbers of integrees from those other agencies, to where we are now, where we're all together in [a] much larger capability, it's been fantastic."

Apparently, even information-sharing with the private sector has been less of a problem than might be imagined. As Franzi reminded ZDNet, ASD has been an information security organisation for well over 60 years, and has cooperated with other agencies on a variety of missions.

"Defence has long-standing relationships with a range of industry players, particularly primes in the military capability space," Franzi said -- by which he means primary defence contractors such as BAE Systems, Raytheon, Thales, Lockheed Martin, and Northrop Grumman.

"A lot of those organisations also have cyber security capabilities, threat intelligence capabilities, so for a number of organisations who ASD already had standing relationships with, this was not a challenge. It was really just about how we actually used the relationship differently," he said.

The other agencies that make up ACSC also had existing relationships with many of the same private-sector organisations, often with the same people, so one challenge was structuring that more efficiently. Different agencies might have different ways of working, different operational tempos, and even different terminology.

"Making sure the op tempo doesn't leave anyone behind, that's the real challenge here," Franzi told ZDNet.

"Defence can be very operationally focused, 'cos that's its DNA, and can kind of what I would call 'go up the guts with plenty of smoke', and leave a few other organisations behind," he said. "You've got to play to your strengths, and get to a tempo that actually works for everyone."

Conversely, defence personnel at ACSC have learned to understand law enforcement agencies' need to gather evidence that will stand up in the courtroom.

"As an Australian citizen, I'm very thankful that our law enforcement colleagues are very detailed in their evidentiary process -- which is a challenge in the cyber security space, particularly with serious and organised cyber-enabled crime," Franzi said.

Some of the ACSC's first big wins have been in crime areas, according to Franzi, particularly on distributed denial of service (DDoS) attacks against Bitcoin, and on ransomware attacks on smaller businesses.

If the ACSC's first year has been about working together, then the second year will be about cooperation with the private sector. As ZDNet reported in June, seven telcos have already been invited into the centre. More organisations will follow.

"The big muscle move that we have to make over the next 12 months is going to be that work that we have to do with industry, and to get industry folks into the centre," Franzi told the conference. The three priority areas are telecommunications, critical infrastructure, and cyber security vendors.

"We've already kicked off work with the telecommunications sector, and that's progressing well," he said. He anticipates that telcos will have some sort of physical presence in the ACSC in the next six to 12 months, and that connecting with external organisations, both physically and virtually, will be the ACSC's focus for the next one to two years.

Collaboration with the private sector will mean sharing threat intelligence for greater situational awareness, and for coordinating incident response.

"It's not all going to hinge on government-sourced information, be it secret squirrel stuff, be it open source. It's also going to need that input from those key industry players," Franzi told the conference.

"In fact, many of you in this room work for organisations that have far greater capacity and sensor deployment than anything that the government could ever achieve."

Franzi's conference presentation was about the three Rs of cyber security: risk, responsibility, and reputation.

"Of course, I could have had a fourth R. I really wanted to put 'resilience' in there, because resilience is something that we've been talking about as a community for a number of years now," he said.

"But one of my directors of operations, Jess Hunter, continually reminds me that people can typically only remember three things, which works well for me, because I've only got three brain cells."

Franzi noted the "synergies" -- the word was used with some irony -- between his three Rs and Telstra's Five Knows of Cyber Security, which are detailed in the company's Cyber Security Report 2014 [PDF]. But risk management was his key message.

"There's no doubt that CEOs and boards need to have a clear understanding of what the organisation's critical assets are, especially information," Franzi told the conference. "What are the key threats to and vulnerabilities in the organisation's environment?" Not just within the organisation itself, but within customers, partners, and the supply chain too.

"For CEOs and boards, there will always be that balance between opportunity, cost, and risk to manage... Organisations daily make tradeoffs. But they need to do these relying on informed and risk-based decisions, particularly around cyber security," Franzi said.

"Cyber risks need to be part of the enterprise-wide risk management program, and organisations need to conduct an assessment of cyber security maturity. Are they going to undertake the appropriate, and prioritised, and the proportionate treatment of risks?"

But what organisations don't need, said Franzi, is a new framework for thinking about risk. There are already "great frameworks" and national and international standards. What CEOs and boards need is issues being presented to them in meaningful language.

"Back in the old days, when I had black hair, and information security professionals used to roll out of the then Defence Signals Directorate (DSD), they'd go and talk to organisations in very techno gobbledegook -- and that was OK when they were talking to their technical brothers and sisters and counterparts. That's all great," Franzi told the conference.

"But they kind of lost the influence, or the ability to influence, when they were suddenly talking to senior executives, secretaries of departments, CEOs of government organisations etc," he said.

"So we made a conscious decision around 2010, 2011, to really change the way that we actually talked about this in government, and particularly at a senior level. And you're already seeing this also in the private sector."

Information security personnel need to be champions, persuading the top level of the organisation to position their function as a centre of excellence within the organisation.

"It cannot just be seen as a cost centre -- or in many organisations, not only a cost centre, but an irritant. It needs to be a force multiplier, part of enhancing the business, not constraining it," Franzi said.

"Organisations need -- and they have a responsibility to -- plan, prepare, and rehearse for a major cyber event," Franzi told the conference. Cyber security needs to be considered as part of the overall enterprise business continuity and disaster recover plan, he said.

"Build it in, and test it. And test it time and time again. That's the game."

Stilgherrian travelled to Melbourne as a guest of Tanium.

Editorial standards