The devastating global success of 2017’s WannaCry ransomware worm and NotPetya network-destroying malware surfaced insufficiencies in Australia’s national cybersecurity defence, said a senior government cybersecurity executive who nonetheless lauded the successes made by local industry in the 18 months since.
WannaCry was “a wakeup call for us,” national cyber security advisor Alastair MacGibbon told attendees at the Cybersecurity Innovation Day at this month’s Cisco Live! conference in Melbourne.
“We weren’t structured to communicate, with industry and with the economy, in the way that we needed to,” MacGibbon said. “In the fog of war, people didn’t know what the threat was.”
With service delivery largely done by the states and territories, he added, authorities weren’t sure how they should or could communicate the emerging threats, and recommended remediations, even as details of WannaCry’s methodology and defences emerged.
The federal government’s response to NotPetya – which came hot on the heels of WannaCry and hit several major industries with more than a billion dollars’ losses – did spur more proactive discussions about threat-intelligence sharing, but “frankly we weren’t much better,” MacGibbon said.
“We did start a process whereby we started some deep introspection about how we could communicate better, what we would do in a time of crisis, and how we could share threat intelligence and threat solutions. There were some pretty important pivot points and moments of introspection for us.”
Formalising a response to the rapidly changing cybersecurity threat was a collaborative process, however – and this posed issues for a government which, MacGibbon said, is good at “fighting certain things like community policing and matters of terrorism, where you would expect them to lead with force. But cybersecurity is not that; cybersecurity is a team sport.”
Building that team, and refining their tactics, has been a key focus for MacGibbon and his colleagues across government as responsibilities shifted, accountability evolved, and leadership was decentralised to integrate the perspectives and resources of a broader range of stakeholders.
“Through all of those moments it was fascinating to me how risk moved laterally, vertically, and politically,” he said, “and how expectations of what we were meant to do had changed.”
The appointment of an Australian Ambassador for Cyber Affairs – an early phase of the government’s $230m Cyber Security Strategy (CSS) – was an early step in the right direction that had helped Australian organisations more actively engage with regional and global peers and was “helping to create a more resilient cyber ecosystem, improve the rule of law, and all the other bits in between.”
The formation and rapidly increasing profile of industry-development firm AustCyber was another coup for the government’s cybersecurity efforts, identifying and promoting Australian security innovators and helping funnel private-sector funding into building a national cybersecurity capability.
The third key deliverable in cybersecurity policy was the Edith Cowan University-based Australian Cyber Security Cooperative Research Centre (CRC), which was established in April 2018 and had created a centre of gravity for the broad range of postgraduate cybersecurity research being conducted within Australia’s academic and research institutions.
These efforts “are all part of an ecosystem that didn’t exist,” MacGibbon, “and they add to our DNA as a nation.”
He also flagged the philosophical changes since the introduction of the notifiable data breaches (NDB) scheme just over a year ago.
With more than 800 confirmed breaches reported through the end of 2018, the NDB established a commonality of purpose amongst a business community that had previously been far less open about what it was going through.
“We are much more vocal and communicative than we have been in the past, and we are sharing things faster and better,” MacGibbon said, pointing to the rapid dissemination of information about the February attack on the Australian Parliament.
That incident was reported “literally the day we were taking action,” he noted. “In the past, it might have taken a year or two years to have it dragged out of you by a good investigative journalist. Instead, we’re now just going out and talking about it.”
“Unless we do that, we’re not going to change the culture,” he added. “Unless we talk about our own failures, we can’t expect others to improve.”
Solid funding for cybersecurity initiatives had helped add momentum to capability and industry development efforts – “there is money around that wasn’t there in the past,” MacGibbon said – and this would help cybersecurity leaders continue to build on progress to date.
“Our ecosystem has changed,” MacGibbon said. “As a result of WannaCry and our inability to communicate and structure our discussions in useful ways, we created a cyber incident management arrangement that is still evolving.”
“Government is a unique beast to deal with,” he said, “and cybersecurity is something that is now spoken about at COAG, and amongst PMs and chief ministers. We are on the agenda of cabinets around the country, and cybersecurity is something they all now take seriously.”
Yet there was still much to accomplish: “I’m not going to say we have solved collaboration,” he added, “but If cybersecurity is a team sport and we are here for sharing information and solutions, we need to create things and learn, along with you, what good looks like.”
Whatever that model ultimately contains, MacGibbon said, it would have to incorporate at least three key capabilities: better communication throughout the cybersecurity ecosystem; better sharing of threats and solutions; and ways to measure and manage supply-chain and other third-party risk.
“Our goal, whether we work in the public or private sector, is to drive cost into the other person’s operation and cut the cost of ours,” he said. “Whether the aggressor is a criminal or a nation state, we want to make their business hard.”