Mike Burgess, Director-General ASD, speech to SINET61

Security Innovation Network Conference 61
Langham Hotel, Melbourne
31 July 2018

Cyber security – a poacher and gamekeepers’ perspective

Thank you. Good morning everyone. It’s my pleasure to be here and great to be back in Melbourne.

Today I’m going to share with you a poacher and gamekeepers’ perspective on cyber security, but before I continue, let me introduce myself and the Australian Signals Directorate. With the exception of the last five years, I have been involved in Defence all of my working life – starting out as an electronics engineer in the defence industry. I’m now back in Defence after receiving an offer too good to refuse.

Having returned to ASD, I’ve noted one very important thing about the organisation that hasn’t changed since I left. That is my team’s unwavering commitment to delivering on the mission. Our motto is 'Reveal their secrets, Protect our own' and in the words of ASD’s values, we operate in the slim area between the difficult and the impossible.

In part, our commitment to mission comes from a clear recognition from everyone, that in this unstable and challenging world, there is a critical need for the sorts of high-quality intelligence, leading cyber-security advice and real-world effects that only ASD can deliver.

It also comes from 70 years of culture, born out of the dark days of World War 2 when timely, high-quality signals intelligence, often made the difference between victory or defeat.

But in a large part, the culture comes from the kind of people we seek to employ and retain. Some of the best and brightest across several generations, from all walks of life, not just engineers - including a large chunk of frighteningly clever millennials.

Gaining the ability to flexibly recruit, train and retain our specialist staff is one of the major reasons why ASD became a statutory agency on 1 July.

Our mission runs from providing intimate support to military operations through to countering terrorism, countering transnational crime and identifying and countering cyber threats that challenge the security, prosperity and personal freedoms that underpin our rich and vibrant society.

ASD’s purpose is to defend Australia from global threats and help advance Australia’s national interests. We do this by mastering technology, and the application of technology to inform, protect and disrupt.

ASD’s strategic objectives include:

What we do is very hard, and we must continue to operate in that slim area between the difficult and impossible to be successful. Our people are key and key to mastering technology and its application.

So, what is the security challenge ahead?

Today, we live in a technology-enabled, connected world. With this comes great opportunity and benefits to society and our economy. Everything is being digitised, everything is being connected and everything is being controlled by software.

And there is no doubt, the full potential of connectivity, technology and software are yet to be fully realised. However, these same benefits represent a significant risk.

We’ve all witnessed the wholesale theft of data and disruption to business globally in recent years.

For the last 10 years, the security world has been focused on dealing with the problem of wholesale theft of data. As the full potential of technology, connectivity and software are further realised, I think it is time we turn our mind to integrity and availability.

The successful identification and management of cyber-security risk across the community, businesses and governments is critically important.

The 2017 Independent Intelligence Review recognised the importance of this. In regard to the Australian Cyber Security Centre, the review noted, it’s essential to have a seamless connection between the centre and the Australian Signals Directorate.

The review also noted the centre should be established as the credible and authoritative voice on cyber security in Australia. The Australian Cyber Security Centre is now part of ASD and we have been joined by staff from CERT Australia and a smaller contingent of staff from the DTA.

The changes you will see from the centre will not come from these changes alone. The collective potential will increase as a result, but you will also see a change of emphasis and greater engagement.

The changes to the Intelligence Services Act, the Act that governs ASD, introduced two key changes:

These changes are significant. The ambition and expectations of our Ministers are high. And I’d be confident your expectation is the same.

The centre is now focussed on cyber-security risks for:

I can assure you, Alastair MacGibbon, his team, and the rest of ASD will be focused on this.

In the context of this whole-of-nation focus, the new function to prevent and disrupt serious cyber-enabled crime is also important.

In this regard, cyber-enabled crime will include:

Countering cybercrime will continue to be a team sport, our work with the Australian Federal Police, the Australian Criminal Intelligence Commission and ASIO will be more important than ever.

ASD’s focus on nation-state actors, that is, countering cyber espionage, interference or attack will continue and will remain important.

However, ASD’s focus will shift and broaden. And when I refer to ASD in this context, I mean the whole of my organisation.

My expectations for the centre include:

The centre’s work must lead to an improvement in the identification and management of cyber-security risk for all Australians.

My key priorities for the centre include:

While our mission has expanded, security is not the government’s responsibility alone. We all share responsibility for identifying and managing our cyber-security risks.

For those in this room, I encourage you to do two things:

Think longer term, not just the next six months, not just the next product or service you will buy. Think about the next one to five years, what might be on the horizon, what the threats and risks are. Don’t get caught up in the hype and excitement in this technology-enabled world. AI is a great example of this – peak hype comes to mind.

Thoughtful and sound investment in your future is critical. We all use the innovation word today, but what research does your organisation invest in? And when it comes to identifying and managing cyber risks, know what is important to your business and your customers.

Do you know the value of your data?

Do you know what systems and services you are dependent upon?

Do you really know what risks you carry?

I know this gets complicated quickly. We are all dependent on technology and connectivity and there are few people who actually understand how it all works. However, managing this risk isn’t rocket science.

Think through it, pay attention to what’s important, pay attention to your hygiene and don’t get distracted. There is plenty of good advice out there already and while I know I am biased that includes Telstra’s Five Knows of Cyber Security (PDF) and ASD’s Essential Eight.

Just last Friday I was briefed by the centre’s hunting team. They had just completed a hunt on a federal agency’s network – a network that had been compromised in the past. In this case, the hunt did not identify any compromises, but it did identify attempts which would have been successful if the department had not applied ASD’s Essential Eight.

ASD’s Essential Eight is advice that makes a real difference when applied!

Technology, connectivity and software hold much promise, but we shouldn’t just look at the benefits – what are the vulnerabilities, what are the risks? This will require my agency to do what it has done for the last 70 years.

As both a poacher and gamekeeper, we know that offence informs defence and defence informs offence. ASD’s strength and capability come from mastering technology and its application.

Let us all continue to embrace technology, but with our eyes wide open. I am confident Australia will rise to this challenge to ensure we all identify and manage our cyber risks more effectively. But, in this regard, we all have much work to do.

ASD will do its part, and I’m confident all of you will rise to the challenge and make a difference. Thank you. Enjoy your conference.