SPEECH TO ISACA CANBERRA CHAPTER AND AISA CANBERRA BRANCH

24 February 2022

CANBERRA, ACT

###CHECK AGAINST DELIVERY###

Thank you Jonathan and Leonard for inviting me to speak tonight.

I acknowledge the traditional owners of this land, the Ngunnawal people, and pay my respects to their elders past and present.

I also want to express my solidarity toward the people of Ukraine and to anyone in the audience with friends and family in the country tonight. It’s a grim day.

I appreciate being able to share the sense of community and collaboration that so often characterises infosec in the room here tonight not only given the events in Ukraine today, but also given how challenging the past few years have been.

While everyone has been battling the challenges of the pandemic in the physical world these past two years, in the digital world, the infosec community has also been dealing with ever increasing threats from nation state actors and criminal groups alike.

I know that for those defending networks, and particularly those responding to incidents, it’s been an intense and demanding period and I want to express my thanks for the work you’ve been doing.

Ransomware would have already been a regular topic of conversation for everyone in this room in 2019 and certainly by 2020.

But it wasn’t until 2021 that ransomware went mainstream amongst my peers in the policy community.

Security firm Emsisoft received reports of just over half a million ransomware incidents around the world in 2021.

We saw governments around the world increasingly become targets — more than 2,300 local governments, schools, and healthcare organizations in the US were affected by ransomware attacks in 2021.

Meanwhile, high-profile incidents like the Colonial Pipeline attack dominated global headlines, attracting the attention of mainstream political leaders.

Australia has not been immune from these global trends.

In the last year or so we’ve seen major incidents impacting our essential services and critical infrastructure operators including hospitals operated by UnitingCare in Queensland and Gippsland Health Alliance in Victoria, Queensland’s government energy company CS Energy, and Australia’s largest meat processor JBS Foods.

Yet in February 2021 when I released a discussion paper on the need to develop a National Ransomware Strategy, the then Minister for Home Affairs hadn’t said the word ‘ransomware’ in Parliament once.

Despite my raising the issue constantly since taking the portfolio in 2019, it wasn’t until December 2020 that a member of the government even mentioned the word in Parliament.

Thankfully, the days of politicians being oblivious to this issue are now gone.

Exactly 365 days after I began calling for a national ransomware strategy, the Government introduced legislation into the Parliament giving effect to the first elements of its Ransomware Action Plan –

although it must be said that it has moved so slowly that there is almost certainly no time to pass this legislation before the election.

Beyond our shores though, ransomware has now become a top agenda item at diplomatic summits and multilateral security fora, including the G7 and bilateral meetings between major global powers.

This has been welcome, and the resulting policy interventions have been much overdue, particularly the renewed effort to enforce AML obligations on crypto exchanges, the roll out of targeted sanctions against ransomware groups and associated individuals and an increased willingness to deploy offensive cyber operations to combat this threat.

But as I indicated in my Ransomware discussion paper a year ago – there are no silver bullets in this space.

While concerted government action to both reduce the returns of ransomware attacks and increase the costs of mounting these attacks can move the needle, reducing the volume of these attacks over time, this isn’t a threat that’s going to go away any time soon.

Indeed, there are early indicators of a worsening outlook in 2022.

We can now see clearly that ransomware, and the cyber threat environment more generally, is strongly correlated with conditions in the broader geo-strategic environment.

Ransomware groups have long sheltered in nation states that lack the will or capability to take action on them within their own borders.

And a number of states now use ransomware gangs like the privateers of the 19th century, deploying them as quasi-deniable tools of statecraft.

In a geostrategic environment characterised by heightened tensions across multiple fronts, it’s easy to imagine a scenario in which these quasi-state backed ransomware groups became more active as relations between states deteriorate.

In this context, the ACSC, CISA and the NCSC have all warned of the potential for cyber-attacks on domestic organisations within their jurisdictions, either as unintended spillovers from Russian cyberattacks against Ukraine or from a general deterioration of the cyber threat environment.

This is far from the only threat we’ve had to confront in recent years.

APTs and increasingly well-resourced ransomware groups have made growing use of supply chain attacks to obtain access to downstream targets.

The SolarWinds supply chain attack showed how sophisticated actors could leverage this attack vector.

The Kaseya and Frontier Software incidents highlighted the potential for smaller firms with lower product maturity levels and less scrutinised software offerings to be used as an attack vector into technology supply chains.

We’ve seen commodity attacks spawn at a rapid clip from what were once tightly held zero days as APTs have been increasingly willing to burn these vulnerabilities in their operations.

This is the situation that all of us in this room face today, whether you’re a private or public sector CISO, or a policy maker like me.

It’s a lot.

I’ve been vocal in arguing that government needs to play an active role in trying to shape the strategic environment here, that government can’t just play blame the victim and wash its hands of responsibility when Australian orgs get popped.

But at the same time, all of us – public and private sector alike – have an obligation to lift the cyber maturity and resilience levels of our organisations in the face of this worsening threat environment.

Unfortunately we have some ground to make up in this regard.

I sit on the Parliamentary Joint Committee of Public Accounts and Audit.

It’s one of those boring sounding but very important Parliamentary committees that’s little known to all but the wonkiest public policy buffs.

But it’s one of the most important institutions of accountability within the Parliamentary system.

It’s a legislatively established committee of the Parliament that is the voice of the Auditor-General in the Parliament.

Commonwealth cyber resilience has been a focus of the ANAO for almost a decade now.

Over six ANAO performance audits and three JCPAA inquiries we’ve heard the same issues again and again.

Almost nine years since the Australian Signals Directorate’s Top Four cyber security mitigations became mandatory for Commonwealth entities, less than a quarter of Commonwealth entities audited by the ANAO have been found to be fully compliant.

The Government’s own Cyber Posture Report has confirmed that:

“entities’ self-assessed implementation of the mandatory Top Four mitigation strategies remains at low levels across the Australian Government”.

Reflecting on five years in the role, the Auditor-General highlighted systemic non-compliance with these mandatory cyber security mitigations as one of the most significant issues of concern in his mid-term report.

I fully appreciate the limitations of evaluating an organisation’s cyber resilience through a compliance lens, but these metrics are the only substantive window into Commonwealth cyber-resilience available to external observers.

This persistent failure to implement a fundamental set of cyber security mitigations across the Commonwealth over the past decade should be a significant concern for everyone given the worsening threat environment.

This failure to effectively implement the Top Four over such an extended period of time also dampens expectations of what we should expect from AGD’s recent commitment to mandate Essential Eight implementation at some point in the future.

We can iterate the ISM as much as we want, but until we address the culture and accountability problems within Commonwealth cyber security we’re unlikely to make real progress.

I’ve become increasingly focused on this culture question during my time in this role.

The need for a cultural change in the approach to cyber security across the Commonwealth has become clear to me from my work with the ANAO, the Commonwealth PSPF policy holders and audited agencies during my time on the JCPAA.

Members of this committee have heard the same issues again and again.

The ANAO has clearly identified that the root cause of this systemic non-compliance is a failure of accountability within government.

In its latest report, the ANAO made its view clear when it declared that:

“The cyber policy and operational entities have not established processes to improve the accountability of entities’ cyber security posture. The current framework to support responsible Ministers in holding entities accountable within Government is not sufficient to drive improvements in the implementation of mandatory requirements.”

It’s clear to me that there’s currently a resistance to accountability and an instinct towards secrecy within government on these issues.

Let me give you two examples of this.

First, the Cyber Security Posture Report.

In October 2017, the JCPAA recommended that

“the Attorney-General’s Department and the Australian Signals Directorate report annually on the Commonwealth’s cybersecurity posture to the Parliament.”

The Committee reported that:

“As a strategic priority, it is crucial that Commonwealth entities be accountable to the Australian Parliament on cybersecurity.”

This report came from a government-controlled committee with a long record of bipartisan cooperation between members.

The Government agreed to this recommendation until April 2019.

It didn’t produce the first such Cyber Security Posture Report until June 2021.

The report declared the next report wouldn’t be delivered until November 2022!

That leaves us with just two ‘annual’ reports in the five years since the government-led JCPAA recommended an annual report to the Parliament on the Commonwealth’s Cyber Posture as a ‘strategic priority’.

These aren’t the actions of a government that acknowledges the important role of accountability in building cyber resilience.

The second example is perhaps more telling.

For a large portion of my time as Labor’s Shadow Assistant Minister for Cyber Security, I haven’t had an opposite number in the government.

My guiding principle has been to use my role to empower people on the inside trying to drive change.

I’ve tried to use the platform I have, and the Parliamentary mechanisms available to me, to raise issues that aren’t being discussed and ask the awkward questions.

So early on in my time in this role I arranged for all Commonwealth entities to be asked about the status of their implementation of the Top Four and the Essential Eight.

I received a uniform response:

“Publicly reporting on individual agency compliance… would provide a single, detailed and individualised snapshot in time of the entire Government’s cyber security maturity and as a result may provide a heat map for vulnerabilities in government networks, which malicious actors may exploit and thus increase an agency’s risk of cyber incidents.”

It wasn’t the answer I was looking for, but I thought, OK, I’m not going to second-guess the threat modelling of people trying to protect these networks.

But when I later asked each of these same entities about the status of their DMARC implementation I was less impressed to receive the same blanket answer.

You will appreciate that I was pretty disappointed in this given that DMARC implementation is externally observable.

Stories like this show me that Commonwealth cyber security isn’t operating on a foundation of collaboration and accountability.

Instead, it’s characterised by far too much insularity and unthinking secrecy.

As anyone will learn on the first day of a CISSP, an organisation’s cyber security culture is set by its leaders.

In the private sector, by the board and the CEO.

In the public sector, by Ministers and secretaries.

If Labor wins the next Federal election, and I’m lucky enough to keep my dream portfolio in cyber security, I want to use my leadership position to help drive change in the Commonwealth’s cyber security culture.

I’ve spoken repeatedly in the past about the need to build a culture of collaboration in Commonwealth cyber security, driving engagement between those working in infosec within government and the broader Australian cyber security ecosystem through staff exchanges, vulnerability disclosure processes, bug bounties and engagement frameworks with private sector incident responders.

But in order to effectively build a culture of engagement and collaboration with the broader Australian cyber security ecosystem within the Commonwealth, we also need to rebuild the internal capability and morale of the Australian Public Service in cyber security.

The Independent Review of the Australian Public Service undertaken by my former boss, David Thodey, in 2019 was right when it declared that the

“APS is a foundational institution of Australia's democracy… its proper functioning is essential to the prosperity and security of all Australians.”

In evidence to the Senate Finance and Public Administration References Committee, the ANAO recently identified ICT transformation and cybersecurity as core areas where there is “room for improvement” in current APS capability in its aptly titled ‘APS Inc’ report.

Labor recognises the challenges that come from more than eight years of a government which has decimated the internal capability of the APS and significantly reduced secure career pathway opportunities across the APS.

The cyber security capabilities of the APS in particular have been steadily eroded by years of contracting out to private sector consultancies.

This erosion of capability has been driven by the policies and ideological preferences of the current government.

As the Senate’s APS Inc report highlighted, the Average Staffing Level cap imposed by this government “has led to a systemic overreliance on labour hire and contracting arrangements within the APS.”

Outsourcing has given the government access to some excellent talent on a short-term basis, but it’s come at the expense of the long-term capability of the APS.

It’s also come at a significant cost to the Commonwealth.

This government paid PwC between $1800 and $5800 per worker per day to develop the Department of Agriculture’s “Future Borders Roadmap”.

By comparison this could be completed by public servants for between just $226 and $420 per person per day.

People in this room will know plenty of analogous examples in the Commonwealth’s contracting in cyber security.

This is not only costly but damaging to Australia’s sovereign capability.

Short-term contracts and staff rotations within private sector consultancies rob the APS of institutional knowledge and corporate memory.

It also robs members of the APS of opportunities to do interesting, challenging and meaningful work.

It robs members of the APS of both the sense of job satisfaction that comes from doing this work and the opportunity to develop new skills and experiences within their roles.

This is bad in most areas, but particularly so in information security.

Infosec is a highly specialised vocation.

As the Thodey review highlighted, the APS is currently not set up to adequately support technical specialists with the kind of career pathway that would see our best talent want to become senior public servants.

The Review stated:

“The APS should create a genuinely compelling offer to work in data, digital and broader technology roles in the public service.”

It went on to say that:

“By not delineating career paths, a single track largely prevails in senior levels of the APS, that of generalist management. Acknowledging the inadequacy of this approach, and the multitude of specialisations that contribute to an effective public service, other public sectors are establishing specialist professional tracks to attract and develop talent.”

The government has established APS digital and data professional streams in response to this, but it’s early days and there’s more that needs to be done to address talent attraction and retention.

The public service is a sovereign capability we must rebuild.

Were we to be given the opportunity to form government, this is something we would seek to address.

We cannot undo the eight years of damage done to the APS overnight.

But we can make a solid start by reinvesting in permanent capability, ensuring that there is strong leadership – particularly from central agencies – and by reducing the wasteful and expensive over-reliance on the private sector to fulfil the responsibilities of public servants.

As part of this process, I want to set about rebuilding the morale of those working in cyber security in the APS.

Too often, I’ve heard stories from people working in Commonwealth cyber security that they feel that their leaders care more about managing potential blame for incidents than about managing cyber risks themselves.

That their leaders are incentivised to prioritise constant system availability over rapidly addressing known vulnerabilities.

That their leaders are resigned to low levels of maturity and cyber resilience.

It’s easy to understand how this can be damaging to morale for infosec professionals within the Commonwealth.

It’s a common reason why people leave – they don’t feel that their work, and the mission they are trying to achieve, is valued.

Working in Commonwealth cyber security should be a mission focused vocation.

People working in these roles and their leaders should be able to be proud that they are performing one of the most important and most challenging tasks in the public service.

That’s the way I see these roles and I want to be a champion for the work the people in these roles do for our nation.

You’ve probably picked up by now that I’m a tragic geek.

I genuinely love this sector and I have the same sense of curiosity – the same desire to pull things apart and to understand the way they work – that has attracted so many people to infosec.

And if we win government, I want to be a champion for the rest of the geeks in government.

I want to ensure they get the recognition they deserve and the support they need to deliver on their mission for the Australian people.

There are no silver bullets for this, and I’m not naïve about the scale of this challenge, but I want to be in the fight.

It’s been hard going the last two years for those of us in infosec – whatever your role and wherever you’re working.

It pains me to say that this shows no signs of letting up.

But that’s why it’s more important than ever that we all work together as closely as possible to achieve our shared goal of a more cyber resilient Australia.

I know there is a desire from people across the many parts of the cyber security ecosystem to work together and achieve this.

We just need the political leadership that will allow them to do it.

In a few months’ time I hope to get the opportunity to work with all of you to provide it.