The Cyber SITREP
Deputy Director Cyber and Information Security Division MAJGEN Steve Day speech to the 3rd Annual Australian Defence Magazine Cyber Security Summit, Hotel Realm Canberra, 12 June 2013
I have been asked to speak about cyber security and there are four topics that I thought worthy of comment.
But before I mention them…
Over the last few days there has been media reporting on the intelligence collection operations of the United States' National Security Agency.
In the context of my presentation, let me make a few salient points about ASD’s [Australian Signals Directorate, formerly Defence Signals Directorate] operations.
All intelligence activities carried out by ASD are conducted in strict accordance with Australian law.
While as a matter of principle and long-standing practice we do not comment on intelligence matters, I can say that we have a strong legal framework to protect Australians.
Under the Intelligence Services Act, DSD is required by law to obtain specific authorisation either from the Minister for Defence or the Minister for Foreign Affairs to produce intelligence on an Australian.
And for matters relating to threats to security, the Attorney-General must also support the approval.
All of these activities are independently examined by the Inspector-General of Intelligence and Security to ensure that authorisations are conducted in accordance with the law.
Furthermore, any information obtained by us from the United States is subject to these same protections.
Let me now turn to the task at hand … cyber security.
Some of you know that I have just come out of the field. I spent last year in Afghanistan. And some years earlier I spent 12 months on operations in Iraq.
As you would expect, our operations in both those wars were critically dependent on information networks.
We relied on the quick, reliable passage of uncompromised information to prosecute our business. Cyber security was vital and was, or mostly was, a constant focus for senior leaders.
The threat came both from without … and within. Private Manning is the pin-up case for the insider threat from our time in Iraq. Mr Snowden might be the latest.
My experiences in the Middle East also taught me what it is like to be in a daily arm wrestle. And what is going on in cyber space is certainly a daily contest.
The cyber threat is real, it has real consequences, it is persistent and it is present now.
And it is not something that should be left to your IT folks to sort out. The solution is, in part, about hardware and software.
But it is also about culture, resources and risk management, so it requires the attention of executive managers.
In fact if I can impart anything to you today, if there is only one thing that you leave with, let it be that cyber security is senior leader business.
Now, the four topics that I wish to address are:
- Some thoughts on the threat
- Catch, Patch, Match … is it just a marketing slogan?
- Enterprise mobility … I want to officially launch our guide on security and enterprise mobility this morning
- And then I want to finish up on the new Australian Cyber Security Centre.
Let me take each in turn.
In the Cyber Security Operations Centre in ASD, which we refer to as the CSOC, we are in a daily struggle against malicious cyber threat actors. The statistics that I’m about to show you should give you a feel for this.
Let me be clear for those of you taking notes, these are statistics from the CSOC alone.
This table represents the totality of the cyber security incidents detected by or reported to the CSOC.
As you can see, the number of incidents is increasing.
This next table shows the number of cyber security incidents that required a heightened response from us. You can see the trend is, again, up.
When an incident occurs, we will determine which CSOC agency is best placed to respond.
The CSOC has representatives from ASIO, CERT Australia and the Australian Federal Police. Usually the response is a team effort.
There are a range of factors taken into consideration when a cyber incident has occurred:
- the nature of the intrusion
- who and/or what information is being targeted
- the security posture of the compromised network, and
- wider world events.
These factors are considered and used to form a judgement about the appropriate level of response required.
So who are the known threat actors? While we do not attribute every incident, of the ones we do, state-sponsored actors are the most active. They are also the most sophisticated and best resourced adversaries.
State-sponsored adversaries seek Defence and national security information to identify vulnerabilities in our capabilities or to gain a strategic advantage.
But the targeting of commercial information is more preponderant. In fact, we judge around 65% of cyber intrusions have an economic focus.
Cyber crime is a common threat to industry. But for those of you in the defence industry it is the theft of IP that poses the biggest risk.
The five most commonly targeted sectors in industry that we see, in no particular order, are:
- mining, resources and energy
- banking and finance
- defence capability
If your organisation is connected to the internet, you are vulnerable. Even if your networks have had no known compromises, the threat landscape is evolving, it is changing, it requires ongoing vigilance.
Minister Stephen Smith has instructed us to pay close attention to, and support, Defence industry.
The Defence Industry Security Program is a risk mitigation program managed by the Defence Security Authority.
It provides businesses with the information, guidance and assistance they need to manage security risks and protect classified information and assets.
ASD works closely with the Defence Security Authority and provides input on the cyber security aspects of this program.
If you are in Defence industry and are not yet a member, then can I recommend you join up and stay in touch with the latest threat information.
So what to do…
I know many of you have heard the ASD mantra about what to do - implement the Top 4; Catch, Patch, Match. Here they are if they slipped your notice.
Someone posed the question, is “Catch, Patch, Match” just a marketing slogan?
So we ran an experiment to test whether the theory stood up in practice. What we were really interested in was seeing how the Top 4 went against real world malware.
We built 1200 virtual machines and we gathered together around 1700 malware samples. We used malware that had been employed against Commonwealth government agencies and also that lurking out in the wild of the internet.
Some of our machines had no Top 4 mitigations at all, some had the full dose, and the balance had varying degrees of mitigation.
We started by running malware on machines that had no mitigation. If they penetrated then they were run through the next, lightly mitigated machines. And so on to the machines with the Top 4 fully implemented.
The final result from our experiment, with the Top 4 mitigation strategies fully implemented, was … zero!
Now it is worth keeping in mind that the Top 4 will not … let me say that again … will not be effective against all malware. But they are an excellent step in improving cyber security.
Let me turn to my third topic, enterprise mobility.
One of the bigger issues before all of us is what to do about security and the rising tide of mobile technology, including devices personally owned by employees.
Some of you will refer to this as “bring your own device” or BYOD. We think BYOD is a subset of enterprise mobility, so when I refer to enterprise mobility, I am including BYOD.
We have been working at pulling together some authoritative - and hopefully useful - advice on how to use mobile technology securely.
If you access the ASD website after midday today you will find our guide, Risk Management of Enterprise Mobility Including Bring Your Own Device, available for public download.
The key message is, you can have enterprise mobility and security - but you have to do your homework.
Our guide will help you with your homework. It will advise you on how to implement enterprise mobility in your organisation with due consideration of:
- business opportunities
- complying with regulatory obligations
- personnel resources, and
- your limited budget.
We aim to help you to understand the security risks and how to manage them in the mobility space. I am sure you will let us know what you think of our advice.
The Australian Cyber Security Centre
Let me turn to my final topic, the new Australian Cyber Security Centre, the one the Prime Minister announced in January this year.
While we are still finalising all of the detail, there are some things that have been agreed.
ASD will continue with the central role we currently play in cyber security. ASD will provide the majority of the staff, about 73%, and the bulk of the capability, for the new centre.
And, reflecting the majority contribution of ASD, an ASD officer will be the centre’s coordinator. I will be the first incumbent.
The centre will build upon the fusion model of the current CSOC.
It will combine the cyber security capabilities from ASD, ASIO, the Attorney-General’s Department, the Australian Federal Police and the Australian Crime Commission in a single location.
Because all operational capabilities in the centre will fall within the Attorney-General’s and the Defence portfolios, the overarching accountability will reside jointly with the Attorney-General and the Minister for Defence.
I know there is some confusion out there about who in government is responsible for what in cyber. One of my intentions is that the centre will represent a one-stop shop for cyber security, 1800 CYBER if you will.
Behind the shop front we will work out who is best positioned to deal with the issue at hand.
Now, it is worth noting that each contributing agency will maintain its current responsibilities, mandates and authorities under the law and to government.
As we progress our thinking I will take another opportunity, later in the year, to give a more comprehensive run down of the centre.
Let me wind up and leave you with four messages:
One, if your business is connected to the internet, you are vulnerable. If you are involved in Defence industry, then you are in one of the key target groups for state-sponsored cyber espionage.
Two, you can and should do something to protect yourself. Implementing the Top 4 will make you a really hard target. Attending to it is senior leader business.
Three, you can have enterprise mobility and security - if you do your homework. Our guide is aimed at helping you with that.
Four, the new Australian Cyber Security Centre is good news - but we have a way to go yet before all of the details are sorted.
Thank you for listening.
Australian government agencies seeking further information should contact DSD.