Mike Burgess, Director-General ASD, speech to SINET61
Security Innovation Network Conference 61
Langham Hotel, Melbourne
31 July 2018
Cyber security – a poacher and gamekeepers’ perspective
Thank you. Good morning everyone. It’s my pleasure to be here and great to be back in Melbourne.
Today I’m going to share with you a poacher and gamekeepers’ perspective on cyber security, but before I continue, let me introduce myself and the Australian Signals Directorate. With the exception of the last five years, I have been involved in Defence all of my working life – starting out as an electronics engineer in the defence industry. I’m now back in Defence after receiving an offer too good to refuse.
Having returned to ASD, I’ve noted one very important thing about the organisation that hasn’t changed since I left. That is my team’s unwavering commitment to delivering on the mission. Our motto is 'Reveal their secrets, Protect our own' and in the words of ASD’s values, we operate in the slim area between the difficult and the impossible.
In part, our commitment to mission comes from a clear recognition from everyone, that in this unstable and challenging world, there is a critical need for the sorts of high-quality intelligence, leading cyber-security advice and real-world effects that only ASD can deliver.
It also comes from 70 years of culture, born out of the dark days of World War 2 when timely, high-quality signals intelligence often made the difference between victory or defeat.
But in a large part, the culture comes from the kind of people we seek to employ and retain. Some of the best and brightest across several generations, from all walks of life, not just engineers - including a large chunk of frighteningly clever millennials.
Gaining the ability to flexibly recruit, train and retain our specialist staff is one of the major reasons why ASD became a statutory agency on 1 July.
Our mission runs from providing intimate support to military operations through to countering terrorism, countering transnational crime and identifying and countering cyber threats that challenge the security, prosperity and personal freedoms that underpin our rich and vibrant society.
ASD’s purpose is to defend Australia from global threats and help advance Australia’s national interests. We do this by mastering technology, and the application of technology to inform, protect and disrupt.
- Informing by covert acquisition of foreign information not publicly available (known in our business as SIGINT, signals intelligence)
- Protecting, by comprehensively understanding the cyber threat, providing proactive advice and assistance to improve the management of cyber risk by government, business and the community, and
- Disrupting, by applying our offensive cyber capabilities offshore, to support military operations, counter-terrorism, counter cyber espionage and serious cyber-enabled crime.
ASD’s strategic objectives include:
- Delivering strategic advantage for Australia by providing foreign intelligence that protects and advances Australia’s national interest
- Improving cyber security, across Australia
- Supporting military operations, enabling the warfighter, and protecting Defence personnel and assets
- Countering cyber-enabled threats, protecting Australia and Australians by countering cyber-enabled crime and disrupting terrorists’ use of the internet offshore
- Providing trusted timely advice and expertise to government, business and the community.
What we do is very hard, and we must continue to operate in that slim area between the difficult and impossible to be successful. Our people are key and key to mastering technology and its application.
So, what is the security challenge ahead?
Today, we live in a technology-enabled, connected world. With this comes great opportunity and benefits to society and our economy. Everything is being digitised, everything is being connected and everything is being controlled by software.
And there is no doubt, the full potential of connectivity, technology and software are yet to be fully realised. However, these same benefits represent a significant risk.
We’ve all witnessed the wholesale theft of data and disruption to business globally in recent years.
For the last 10 years, the security world has been focused on dealing with the problem of wholesale theft of data. As the full potential of technology, connectivity and software are further realised, I think it is time we turn our mind to integrity and availability.
The successful identification and management of cyber-security risk across the community, businesses and governments is critically important.
The 2017 Independent Intelligence Review recognised the importance of this. In regard to the Australian Cyber Security Centre, the review noted, it’s essential to have a seamless connection between the centre and the Australian Signals Directorate.
The review also noted the centre should be established as the credible and authoritative voice on cyber security in Australia. The Australian Cyber Security Centre is now part of ASD and we have been joined by staff from CERT Australia and a smaller contingent of staff from the DTA.
The changes you will see from the centre will not come from these changes alone. The collective potential will increase as a result, but you will also see a change of emphasis and greater engagement.
The changes to the Intelligence Services Act, the Act that governs ASD, introduced two key changes:
- firstly, ASD’s advice and proactive assistance remit on cyber security is now expanded to include the community, business and governments, and
- secondly, a new function to prevent and disrupt serious cyber-enabled crime.
These changes are significant. The ambition and expectations of our Ministers are high. And I’d be confident your expectation is the same.
The centre is now focussed on cyber-security risks for:
- the community,
- businesses, small, medium and large, and
- governments, both federal, state and local.
I can assure you, Alastair MacGibbon, his team, and the rest of ASD will be focused on this.
In the context of this whole-of-nation focus, the new function to prevent and disrupt serious cyber-enabled crime is also important.
In this regard, cyber-enabled crime will include:
- pure play cybercrime – that is hacking for a criminal purpose - I’d also include nation-state actors in this, and
- cyber-enabled serious crime.
Countering cybercrime will continue to be a team sport, our work with the Australian Federal Police, the Australian Criminal Intelligence Commission and ASIO will be more important than ever.
ASD’s focus on nation-state actors, that is, countering cyber espionage, interference or attack will continue and will remain important.
However, ASD’s focus will shift and broaden. And when I refer to ASD in this context, I mean the whole of my organisation.
My expectations for the centre include:
- comprehensively understanding the cyber threat to Australia, and
- providing timely, proactive advice and assistance that makes a real difference across the community, businesses and governments.
The centre’s work must lead to an improvement in the identification and management of cyber-security risk for all Australians.
My key priorities for the centre include:
- a national assessment of Australian cyber security, with an initial focus on critical infrastructure
- collaboration with major Internet Service Providers and critical infrastructure providers to drive out known problems and identify first-seen more serious threats
- executing counter cybercrime campaigns, and
- outreach and influence to improve the identification and management of cyber-security risk across the community, business and government.
While our mission has expanded, security is not the government’s responsibility alone. We all share responsibility for identifying and managing our cyber-security risks.
For those in this room, I encourage you to do two things:
Think longer term, not just the next six months, not just the next product or service you will buy. Think about the next one to five years, what might be on the horizon, what the threats and risks are. Don’t get caught up in the hype and excitement in this technology-enabled world. AI is a great example of this – peak hype comes to mind.
Thoughtful and sound investment in your future is critical. We all use the innovation word today, but what research does your organisation invest in? And when it comes to identifying and managing cyber risks, know what is important to your business and your customers.
Do you know the value of your data?
Do you know what systems and services you are dependent upon?
Do you really know what risks you carry?
I know this gets complicated quickly. We are all dependent on technology and connectivity and there are few people who actually understand how it all works. However, managing this risk isn’t rocket science.
Think through it, pay attention to what’s important, pay attention to your hygiene and don’t get distracted. There is plenty of good advice out there already and, while I know I am biased, that includes Telstra’s Five Knows of Cyber Security and ASD’s Essential Eight.
Just last Friday I was briefed by the centre’s hunting team. They had just completed a hunt on a federal agency’s network – a network that had been compromised in the past. In this case, the hunt did not identify any compromises, but it did identify attempts which would have been successful if the department had not applied ASD’s Essential Eight.
ASD’s Essential Eight is advice that makes a real difference when applied!
Technology, connectivity and software hold much promise, but we shouldn’t just look at the benefits – what are the vulnerabilities, what are the risks? This will require my agency to do what it has done for the last 70 years.
As both a poacher and gamekeeper, we know that offence informs defence and defence informs offence. ASD’s strength and capability come from mastering technology and its application.
Let us all continue to embrace technology, but with our eyes wide open. I am confident Australia will rise to this challenge to ensure we all identify and manage our cyber risks more effectively. But, in this regard, we all have much work to do.
ASD will do its part, and I’m confident all of you will rise to the challenge and make a difference. Thank you. Enjoy your conference.