The PCG Conference was conducted online. The limits of online engagement were tested at times with electrical storms along the east coast of Australia, where many presenters were located, causing glitches and also there were the inevitable lags with presenters from overseas – US, UK, the Netherlands – but overall the online conference was professionally and effectively delivered.
Whilst the focus of the conference was cyber security there were tributary topics, such as insider threat, that enriched the cyber focus, along with presentations on the broader security industry (e.g. public event security guards), women in security, risk management, public sector PSPF and critical infrastructure.
The PCG Conference brought together an impressive collection of speakers, including:
- Michael Goldman – US Embassy Chargé d’Affaires
- Roger Noble – DFAT CT Ambassador
- Elsine van Os – Signpost Six
- Simon Levy – CEO Risk Management Institute of Australia
- Tim Corey – Department of Agriculture, Water and the Environment
- Nick de Bont – CSO Thales Australia
- Andrew Hastie – Assistant Minister for Defence
- Abigail Bradshaw – Head, Australian Cyber Security Centre
- Charles Finfrock – Head of Insider Threat, Tesla
- Lord Toby Harris – President, Institute of Strategic Risk Management
- Alastair MacGibbon – CSO CyberCX
Highlights and themes I took away from the conference are noted below.
Cyber security is akin to an untamable beast. Cyber adversaries will continue to attack us, they will morph and vary their attacks working around the defences we construct, withdrawing if we block them to regroup and attack again, smarter and probably stronger than before.
This becomes more concerning when we contemplate how the internet-of-things (IoT), already here and growing perhaps exponentially, will add convenience to our lives but also make us more vulnerable to cyber intrusion. As an example, consider the ransomware attacks on major companies and hospitals in recent years and multiply that across every home in the first world, each of which will have become increasingly dependent on electricity and IoT devices for almost every facet of daily life. Cyber criminals could disable your motor vehicle and seek a ransom to release it, or state sponsored attackers might disrupt the electricity supply or, using artificial intelligence, sequentially turn off / lock out every appliance in every home, harvesting huge numbers of small ransoms paid in digital currency.
The conference closing address from Alastair MacGibbon was themed ‘time for action’. With regard to cyber attacks he used the phrase ‘stop counting and start countering’, arguing that government and telecommunications providers must invest more to actually stop attacks. He argued that the level of harm caused by cyber attacks would not be tolerated if it were caused by property crime, white collar fraud, armed robbery or military attack; each of those would be responded to. Cyber crime costs billions of dollars and, whilst we do see government and commercial victims, it is overwhelmingly the ordinary citizen who suffers most from cyber malfeasance; citizens therefore need to be protected because they are not equipped to protect themselves. This situation undermines the two assets MacGibbon flagged as most critical to any sovereign democracy: its citizens and its system of government. MacGibbon promoted the idea that we need to move the cost of cyber crime / attack from the victim to the attacker: offence is the best defence!
Insider threat was treated as a topic in its own right. So much of the PSPF is focused on governance because that is the key toolkit for managing people, and hence a fundamental adjunct to enabling cyber security.
Charles Finfrock from Tesla, speaking from a strong background in human intelligence, saw IT (cyber) problems as human problems: IT is made by humans, so IT problems are caused by humans and solved by humans. Charles noted that IT industry data indicates over 80% of information loss is unintentional. The channels for information loss are (in descending order) email, cloud and other exfiltration (e.g. removable media).
Charles showcased his key elements to managing the risk of loss of information by insider threats:
- Background checks: investigate as thoroughly as possible the past behaviours of employee candidates, the more sensitive their anticipated access the more you check.
- Training and awareness: if 80% of loss is unintentional then continuous, focused training and awareness is the best mitigation for it (annual box-ticking online training is not a suitable level of engagement or mitigation).
- Continuous evaluation of user activity on the network: with the vast majority of loss occurring via email, cloud or other exfiltration (including removable media), looking at data movement is the key to identifying threat activity. The monitoring needs to be designed so that it creates a minimal number of alerts; too many alerts create ‘alert fatigue’, which may lead to truly suspicious activity being missed.
- Secure offboarding: studies show that the majority of information theft by malicious insiders occurs in the last 90 days of employment. Look for the departing employee’s data ‘go bag’, cut IT system access as soon as possible, and deliver a prophylactic briefing on cessation of employment.
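The ‘continuous evaluation’ and ‘secure offboarding’ points above can be combined in a single detection: aggregate data-movement events per user per day, compare each day against that user’s own recent baseline, and tighten the thresholds inside the departure window. The following sketch is an example written for this report, not code shown by the presenter or used by Tesla; the event format, the thresholds and the sample events are all assumptions constructed for illustration.

```python
"""Egress-monitoring sketch: per-user daily baselines with tighter thresholds
for departing staff, tuned to emit few alerts.  All event data below is
constructed for this example; the event tuple format and every threshold are
hypothetical choices, not a vendor's defaults."""
from collections import defaultdict
from datetime import date, timedelta
from statistics import mean, pstdev

TODAY = date(2021, 7, 1)  # the day being evaluated (assumed)


def _daily(user, channel, nbytes, days):
    """Helper to fabricate one event per day in June 2021 for the sample set."""
    return [(user, date(2021, 6, 1) + timedelta(d), channel, nbytes) for d in days]


# Constructed sample events: (user, day, channel, bytes).  Channels mirror the
# loss paths named above: email, cloud and removable media.
EVENTS = (
    _daily("alice", "email", 5_000_000, range(20))        # modest, routine
    + _daily("bob", "cloud", 300_000_000, range(30))      # heavy but routine (e.g. CI/CD)
    + _daily("carol", "cloud", 10_000_000, range(30))
    + [
        ("alice", TODAY, "cloud", 400_000_000),           # 80x her normal day
        ("bob", TODAY, "cloud", 320_000_000),             # within his normal range
        ("carol", TODAY, "removable_media", 40_000_000),  # 4x normal, and she is leaving
        ("dave", TODAY, "email", 1_000_000),              # tiny: not worth an analyst's time
    ]
)
DEPARTURES = {"carol": date(2021, 7, 20)}  # known last days of employment (assumed)


def daily_volumes(events):
    """Sum bytes moved per user per day, regardless of channel."""
    vols = defaultdict(lambda: defaultdict(int))
    for user, day, _channel, nbytes in events:
        vols[user][day] += nbytes
    return vols


def detect_outliers(events, departures, today, lookback_days=30, z=3.0,
                    floor_bytes=50_000_000, departure_window_days=90):
    """Return one alert per user whose volume on `today` is an outlier against
    their own lookback window.  Three guards keep the alert count low:
    an absolute floor (ignore trivial volumes), a z-score test against the
    user's baseline, and a 2x-mean ratio so a routinely heavy user does not
    trip the z test just because their baseline has zero variance.
    Users inside the departure window get a halved floor and z."""
    vols = daily_volumes(events)
    alerts = []
    for user, per_day in vols.items():
        todays = per_day.get(today, 0)
        if todays == 0:
            continue
        # Baseline window: the lookback_days days before today, zero-filled.
        window = [per_day.get(today - timedelta(d), 0) for d in range(1, lookback_days + 1)]
        mu, sigma = mean(window), pstdev(window)
        departing = (user in departures
                     and 0 <= (departures[user] - today).days <= departure_window_days)
        z_eff, floor_eff = (z / 2, floor_bytes / 2) if departing else (z, floor_bytes)
        if todays < floor_eff:            # too small to matter
            continue
        if todays <= mu + z_eff * sigma:  # inside the user's normal spread
            continue
        if todays <= 2 * mu:              # heavy-but-routine roles
            continue
        alerts.append({
            "user": user,
            "bytes": todays,
            "baseline_mean": mu,
            "departing": departing,
            "channels": sorted({ch for u, d, ch, _ in events if u == user and d == today}),
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_outliers(EVENTS, DEPARTURES, TODAY):
        print(alert)
```

Run against the constructed events this produces exactly two alerts (alice and carol): bob’s 320 MB day is suppressed because it sits inside his routine range, dave’s 1 MB is below the floor, and carol is caught only because the departure window halves her thresholds. In production the baseline would come from a DLP or proxy log feed and the departure list from HR, but the shape of the logic, per-user baselines plus a departure-window adjustment, is the point.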
Charles noted the importance of an ongoing positive connection between leaders and team members in identifying people who may be becoming problematic, observing that ‘happy people don’t hurt other people’.
Climate change was raised by Lord Toby Harris as a fundamental global risk, not so much for the environmental issues themselves but for their consequences: unregulated mass movements of people and what that brings (and I note we have seen this across western Europe and the southern United States in recent years) in terms of food shortages, competition for (perhaps diminishing) resources, social unrest and eventually strained governance and social chaos. We have seen something of this in Australia with the social consequences of COVID. Note: this has been a theme for years in World Economic Forum (WEF) risk forecasting.
All this has been mapped before, but Lord Toby used it to make the case that Western societies are underinvested and hence underprepared to confront significant risks. We know that the climate is changing, but globally over the last 20 years there has been much talk and little action, certainly from governments and collectives of governments. As we saw in COVID there were many interdependencies that were not anticipated, and a time of crisis is clearly not the best time to discover and try to address these. He highlighted the point with the aphorism ‘what we prepare for, we deter’.
Lord Toby focused on the fundamental importance of nations being able to deliver a reliable and affordable electricity supply because almost every facet of our modern (Western) lives depends upon electricity (links to the IoT issue previously mentioned). If the electricity delivery is degraded over time, or indeed cut, then intense civil disorder and social breakdown will very quickly follow with law enforcement and government unable to maintain order.
Women in security was a panel session examining the views of four female security professionals. Two comments particularly resonated with me.
The first was ‘imposter syndrome’: the established phenomenon of women not putting themselves forward for a role or promotion because they feel they are not ‘100% qualified / ready’, whereas men will generally put themselves forward with much lower perceived levels of qualification / readiness. Panel members recounted that they were supported, generally by senior men in their workplaces, to press ahead, and when they won the role they quickly knew that they could do it; they had been selling themselves short.
The second point was the need for women, especially in a leadership role, to ‘find their own voice’: to be authentic rather than affix others’ leadership models or attributes to themselves, which the group cited as a challenge. As they achieved this authenticity they found growing comfort in their roles.
Critical infrastructure commentary noted the porosity of critical infrastructure with respect to cyber attack. Alex Webling of Resilience Outcomes made clear the growing list of elements being considered critical infrastructure (the anticipated 2021 Security of Critical Infrastructure (SOCI) legislation increasing critical infrastructure categories from 3 to 11) and the increasing intertwining of cyber and physical infrastructure.
Much existing critical infrastructure will never be immune to cyber attack. New infrastructure might be built on a Zero Trust design, affording it greater resistance to cyber attack, but the infrastructure we have now is, and will largely remain, vulnerable.
Webling noted recent research by IBM which concluded that it takes, on average, 212 days for a cyber intrusion / attack to be detected by infrastructure operators. This may in part be because much critical infrastructure cannot be secured by ‘top management’: the owners of critical infrastructure do not control all facets and inputs of the infrastructure they are responsible for, but are dependent on other parties’ inputs, each of which is a potential vulnerability and attack path for cyber threat actors.
Comments around the Protective Security Policy Framework (PSPF) focused on the success of the framework, the support that AGD (the Attorney-General’s Department) provides, and the absolute importance of the ‘people part’ of PSPF: hence the PSPF focus on governance to shape the behaviours and performance of people.
The annual PSG Conference is a valuable professional development and industry-awareness activity which I would happily participate in again. Providence EPS staff should also participate (and were given an opportunity to do so).
My key take-aways are:
PSPF – Despite comments by some presenters I believe that many government clients require support to take their PSPF performance to a higher (i.e. appropriate) standard.
Critical infrastructure will become a dominant and enduring market for protective security practitioners. The SOCI legislation raises a raft of questions and uncertainties about how the Department of Home Affairs and the Australian Signals Directorate will engage with and regulate industry.
Cyber security will continue to dominate in terms of focus and winning the bulk of protective security funding.