The Security Detail Download: Cyber Threats to the Public Sector in Australia

Dan Tripovich:
I want to take the time to, have a welcome to country at this event and remind us that every day we live, work and dream on Aboriginal and Torres Strait Islander lands. So firstly, I'd like to begin by acknowledging the Ngunnawal people, the traditional custodians of the land, which I'm recording this podcast, and pay my respects to the elders, both past, present and emerging. 

Kirsty Paine:
Thank you so much, Dan, for doing the Welcome to Country. It's really important that we include it here today. So I'm really excited to talk to you because I know you've got such an interesting background and especially your current role today as well. So I wondered if you could talk through, how did you get to your current role today and what does it entail? 

Dan:
My role as the Assistant Director General Standards, Technical Assurance and Research within the Australian Cyber Security Centre, which is within the Australian Signals Directorate, which is our Foreign Signals Intelligence organisation. I know it's a really long title, but it's a very important mission. The Australian Signal Directorate is Australia's oldest intelligence agency and remains the trusted advisor in assisting the Australian government to navigate major technical change, exploit technology and deliver foreign signals intelligence, improve our cybersecurity and conduct offensive cyber operations in support of the Australian government priorities. We have a group called the Australian Cyber Security Center. We're responsible for leading the Australian government's efforts on national cybersecurity, delivering countries efforts to secure government and critical infrastructure networks against cyber threats, producing and disseminating tailored cybersecurity advice, a la my job, incident response and uplifting cybersecurity maturity across government and industry and the economy writ large. 

Kirsty Paine:
That's such an interesting range of things that you cover. And I think with our global audience, perhaps they're mapping already how your equivalent organisation sits in their home nation as well. So thank you for such a good description. Perhaps you could talk about how y ou got to that role and such an interesting position to hold now, but what was the journey to get there?

Dan:
So I actually had a quite a long career in the private sector, working for large and small system integrators, telecommunications companies and other organizations. I was contracting into the Department of Defense at the time, working for our Chief Information Officer group, and one day I got a tap on the shoulder and said, we'd like you to run a project, but you have to go work in this place behind a fence. I had a report there on Monday. One day a job was advertised on the website and it was for our head of IT security. And it was a great role, a superb team, but also just a really interesting mission to work on. So I'd done a lot of things in the delivering and building and sustaining capabilities across my career, but I'd never sat on the other side of the fence, which was actually, how do we protect? How do we defend? How do we look after those things? And the predecessor to me in that job sort of turned to me and said, will you spend enough time sitting in my office talking to me about the crazy ideas you've got and the things you wanna do and the risks you wanna take? Why aren't you applying for this job? So look, I put my hand up for the job, surprise, I won it. In that role, I was responsible for all of our platforms and services, no matter what the classification, and all the functions within that ICT security lifecycle. 

Kirsty Paine:
I hear that from a lot of public sector contacts and friends who do say that it's really the mission that's drawing them in and what a mission it is. So that totally resonates. So perhaps you could talk about, you know, what is the day in the life for you now in the current role that you have?

Dan:
Righto. A day in the life of my current role. Look, you never know you needed a change until you get one. So when ASD offered me a promotion and said, we'd like you to actually shift out and work on our public side of the mission, I'd never worked outside that sort of sphere and always been on the ASD's traditional mission sets. So my, day in the life is really engaging with the public and private peak sector bodies to understand the security challenges–how we can best place our advice and guidance to actually be practical and implementable. You know, there's no point in putting out puritanical security guidance. If it's not going to hit the mark and people aren't going to do anything, right. So all well and good to publish something, but you want the cybersecurity needle to shift because you've, you've put some time, effort and soul into getting these things done. So we advise and represent, I guess, ASD's position, opinions and support. So not only other government agencies, but also our government bodies and parliamentarians to help aid and adjust their decision making or influence. We also engage with the academic sector to understand how we can work together. And also working with our government and international colleagues on those emerging technology research programs, but also technical standards being considered in those international open standard bodies such as IETF and ITUISO.

Kirsty Paine:
Yeah, well, standards is obviously a place very close to my heart. So I fully endorse that. I wonder.

Dan:
Yeah, I've got to put it in there just for you. Kirsty Paine:Thank you. I do appreciate it, Dan, because you know, I love it. If you're not into standards yet, get into it. It's really fun. So you mentioned that, there's no point putting out security guidance that's kind of too pure or not implementable, not useful. And that is a challenge I see, you know, across the globe, actually. But I wonder if you could talk about some of the other greatest challenges that you're currently facing in your role today.

Dan:
So look, part of the excitement of working in such a, you know, I guess this dynamic environment is every day is sort of unique, but the speed that threatens our environment is evolving remains this massive challenge for all of us. And I think it affects everybody, no matter where you are in the globe. Threat actors across the world continue to find those innovative ways to sort of deploy online attacks, supply chains, penetrating those cyber defenses of governments and organizations in many countries, including Australia. But The good news here is, I guess, with every challenge, it also presents those opportunities for not only the public sector, the private sector, and the education sector to work together and harness those collective capabilities to solve, but also, it's a bit like zone defense. We wanna see that sort of increased collaboration across those sectors. So being able to actually understand what your risks are, think about those in a risk managed sense, understand what your business benefits that you're trying to achieve are and then balance benefit versus risk. and understand those consequences and make a conscious decision in how you're going to operate your business is incredibly important. So in Australia, we've got great programs such as Council of Small Business Organizations Australia. They have a cyber wardens program which reaches out and helps uplift small businesses and get staff to cross and become cyber champions within their organization. We also have this great example which I touched on before, which is that essential aid assessment course. So when fully implemented, this initiative is gonna help cybersecurity professionals to assess, improve and understand their organization's security postures, but also contribute to training the next generation of cybersecurity experts within their sphere.

Kirsty Paine:
So I love that it's not just a technology approach, you know, the use of cyber wardens and really focusing on the next generation of talent as well to bring that education piece. I think that's critical, like you say, to addressing those challenges. So I wonder maybe we can pivot into kind of threats and if you had to, and I'm sorry to put you on the spot, but if you had to say, what is the top cyber threat facing the Australian public sector, what would it be?

Dan:
Look, cyber criminals and cyber risk is not bound by borders. Our traditional geographic benefits of being in a country like Australia, one big massive island, is not effective in the cyber security domain. Cyber criminals increasingly and persistently targeting all sectors of the Australian economy due to the attractiveness of our prosperity. Within the Australian Cyber Security Centre's latest annual cyber threat report, there were over 76,000 cybercrime reports in the 2021-22 financial year.That's a 13% increase on the previous financial year, which is pretty scary and shows that the rate of pace that these things are evolving. But that boils down to one every seven minutes. And if you look at the previous reporting year it is one every eight minutes, right? So you watch those stats sort of drop slash threat increase. It's a never ending evolving fast pace change.

Kirsty Paine:
When you get to the end of this podcast, just think how many crimes have been committed during the time you've been listening. That is a shocking statistic. 

Dan:
You know, it's pretty epic, right? The thing we're seeing and the things that are evolving here is cyber adversaries are constantly developing their tradecraft. Malicious cyber actors are exploiting public vulnerabilities in a manner of 24, 48 hours. So it's really critical that cyber is front and center of your decision-making structures, your technology choices, but also the way you're maintaining and balancing, I guess, your business priorities across the board.

Kirsty Paine:
So it's really interesting because I love asking the question, what's the top threat and not getting the simple one word ransomware. Cause that does seem to be top of mind for a lot of folks in public sector and actually across many verticals and industries we speak to. 

Dan:
Ransomware remains the most destructive cyber crime and is potentially damaging to Australia's national, financial and data security. And it's also likely that ransomware remains significantly underreported, especially by victims who choose to pay that ransom. So, you know, the current Australian cyber security center advice is to never pay a ransom. There is no guarantee you'll regain access to your information, nor prevent it being sold or leaked online afterwards anyway. And you may also be targeted for another attack as a result of that data.  

Kirsty Paine:
I think that's probably very hard when you're in the moment and you feel like you have no option but to pay. But you're completely right that it's bringing along this market, in fact, and creating more likelihood that they'll be targeted again, or that a peer will be, or it's really raising the ecosystem of making that profitable crime. So I do see why that's the stance. It can be very hard to implement that stance in the moment. 

Dan:
Yeah, a hundred percent, right? You know, and when you think about some of the scary facts, like 41% of the reported data breaches that came into us were linked to ransomware in that reporting period, it shows that it is top of mind, it's top shelf tools that people are using across the board and it's the go-to product. And 34% of those breaches were also involved in the exploitation of internet-facing applications using common unpatched vulnerabilities, misconfigured settings, common bugs and flaws. It's a challenge, but it's that sort of cyber hygiene piece across the board that's going to protect you against these things. And really, I can't stress that enough, you know, sort of maintaining and understanding what your risk posture at all times is incredibly important to an entity, no matter how big or small.

Kirsty Paine:
Yeah, we hear that all the time, you know, good cyber hygiene, eat your cyber vegetables, nail the basics, and yet it's interesting, still we see a focus, cause it's maybe a bit sexier on zero days and you know, very niche, cool attack vectors, but in fact, the large majority, the vast, vast majority are still these basic unpatched things, like you're saying, and you know, to actually address the threat, address the impact, that's where we need to be focusing our effort and somehow make it cool, make it interesting to do that.   

Dan:
100%.

Kirsty Paine:
Speaking about cool things and hype, I wonder if we could touch on generative AI. Talk about ransomware, then talk about generative AI, why not? So I wonder if you could explain kind of how you see the future of generative AI in cybersecurity, whether it's on the adversarial side or being used for the defensive side.

Dan:
There is so much opportunity, but there is also on the other side, so much opportunity for those adversaries. I think it's unique because it can take actions at speed and scale that likewise or otherwise be impossible when you've got humans typing on keyboards in that process, but that speed of innovation... against those recent artificial intelligence models are now posing those new potential risks and creating uncertainty about their full implications, but also the rise of public concern around these tools is quite interesting. For example, the other day I was in the shops and you can hear people talking about it at a coffee shop and being uncertain about what tools or products were using it and whether they were comfortable in that sort of process. There's lots of hype, there's lots of fire on this subject at the moment, but distilling it back, if you look at the risks here, we've got information security risks, we've got supply chain risks, but also just those ethical and other considerations that you need to take when adopting those sort of things. So the Australian government, through the Digital Transformation Agency, have just published, some guidelines for our government entities to consider while adopting and using those technologies and to be really, I guess, forward leaning in there. It's an AI positive document. 

Kirsty Paine:
Yeah, it's astonishing to me that it's made it to the coffee shops.    So perhaps I've taken a few holidays to Australia.  It's quite a remote place, but I do love it there. I wonder if you have any challenges in filling cybersecurity roles in Australia? What needs to be done to grow that workforce?

Dan:
Our cyber workforce face that intense competition for a limited pool of skilled people in data, cybersecurity, and software engineering. ASD, the organization I work for, is an attractive employer. So for example, between the 1st of July and 31st of December 22, we had 10,000 applications for people to come work in our organization. They want to get amongst it and be a. be a part of what we're working on here. But we're not immune from that workforce competition to attract or retain those best and brightest talents in the field. I think there are a number of initiatives across the whole of economy to build and focus on those things. I've talked about this education program we're working on with our TAFE side of the essential aid assessment course. But we've also got other cool sort of things out there like the Girls Programming Network. We've got our Australian Women in Security Network. So... They provide a range of leadership and training initiatives from cadet to CSO programs. And you'll see within ASD, neurodiversity, people of all different walks in life, because it takes a community and a village to deliver good things, right? And you need people with all different perspectives and all different skills and viewpoints. And that way we can do awesome things together.

Kirsty Paine:
We see that actually running through a lot of technical recruitment in terms of making sure that diversity is first and foremost. Like you say, when you bring diverse minds together, you end up with a better result at the end, as well as just having a better working culture and environment. And whatever you're doing, it sounds like it's working with 10,000 applications. That's an astonishing figure. So perhaps we can look at the next steps that ASD is taking to bolster cybersecurity across the public sector or critical infrastructure. What things are you already doing that have really been working?

Dan:
 I'm super excited to talk about this. So the Australian government and people have put a lot of trust and faith in my organization with a project called Red Spice. This is the most significant single Australian government investment in ASD over our 75 years. It comprises of $9.9 billion over the next decade and to develop new national cyber and intelligence capabilities. We're looking at recruiting an additional 1,900 Commonwealth with 1500 of those over the first three years. So that's why we're really out there talking to people, engaging with industry, engaging, you know, with our recruitment sectors and the educational sectors, because we want to attract people with the right skills and talent to come work on those hard problems with us for tomorrow. We can expand outside our national footprint out of Canberra. We're building new regional offices in Brisbane, Melbourne, Perth, and additional 150 international postings. 

Kirsty Paine:
That sounds like a really good endorsement of what you're doing, like you say, and focusing on the geographic distribution should really help with some of that diversity aspects that you were speaking about before as well. So it sounds like, couldn't agree more, Red Spy sounds like a fantastic initiative.

Dan:
Yeah, 100% right. It's got a core focus in expanding on our, you know, cyber defensive capabilities, our offensive capabilities. It'll deliver services, knowledge and workforce in advanced artificial intelligence, machine learning cloud technologies, but also uplift our cyber hunt capabilities towards defending Australia.

Kirsty Paine:
So have you got any other steps that you're taking at the moment to bolster cybersecurity in the public sector? I think I read something recently about a coordinating function. Perhaps you could expand on that.

Dan:
The Australian government recently appointed the National Cybersecurity Coordinator to lead the National Office of Cybersecurity within the Australian Department of Home Affairs. The Australian government has appointed Air Marshal Darren Goldie as the inaugural National Cybersecurity Coordinator in June 2023. So it's really new, it's fresh. This coordinator will lead the National Cybersecurity Policy, the coordination of responses to major cyber incidents, whole of government cyber incident preparedness efforts, as well as strengthening that sort of Commonwealth cybersecurity capability. But that will further complement the integral work that's already begun under Red Spice to bolster our cybersecurity across that public sector and the critical infrastructure. but also provide a firm steering hand through times of crisis, helping coordinate those response activities.

Kirsty Paine:
That sounds great. And I think it's a common theme we see that you're almost a victim of your own success when you've got a lot of people engaged in the response to an incident, very excited to help, really keen to know what's going on and get the latest. And this need for a coordinating function just seems to be more and more common. So actually perhaps related, do you think in general that government agencies are paying more attention to cyber threats? Do you think it's reflected at all in budget or staffing decisions?

Dan:
I think that's pretty evident here. You know, we've got Red Spice also, you know, the Australian government just had commissioned and delivered the defense strategic review. And within that review was looking at all the functions of the Department of Defense and how they're going to defend and look after our nation. But the importance of cybersecurity was a key defensive and offensive capability to the government and the Defense Department in particular were highlighted within that. So increased investment in these things across the board is something that we're seeing. We must deliver against pace and scale. So I think you can see, you know, that large amount of funding and trust from the government is there, but we can't do it alone. We've got to work and collaborate with our industry partners, our academic sectors and others, because it's vital to our collective cyber resilience, right? We can't be the only people reaching out and delivering those things. We need to partner up. 

Kirsty Paine:
Yeah, I completely agree. I think it's really interesting that you mentioned resilience because it's something we see coming up a lot in private industry as well. Lots of organisations reaching out to understand how they can improve resilience. And I just wondered what's your take on resilience? What does that mean to you and the Australian public sector? The UK government at the end of 2022, they released a national strategy on national resilience, which was officially making resilience a national endeavour for the first time. 

Dan:
I work for the Cybersecurity Resilience Division. So we've got a whole division assigned within my organization to focus on delivering, uplifting, and ensuring that those things are happening in that sort of defensive cybersecurity space. You can see that we've got a quite strong theme with that term across the board. It's a priority for us and it's a national priority. A whole society effort is required to sort of ensure that effective cyber security skills and competencies, but also those technical architectures, things like secure lby design, secure by default starts bleeding into the products that we're consuming today. So rather than having to turn on those safety measures or those security measures, they come default out of the box. Like your car, your traction control's turned on, your airbags are turned on, your seatbelt warning indicators are there. You know, you have to make a conscious choice to turn those off. We'd love to see and work with our industry and our technology manufacturers to ensure that trend bleeds down into the technology sector as well, right? But also just making people aware of the things they can do to support themselves. That's, you know, those cyber hygiene, you eat your cyber veggies things here, right? In Australia, we've got the the essential aid mitigation measures are there to support  organizations to uplift and drive those sort of better behaviors,  So it's multifactor, that's patching your operating systems and your applications, it covers sort of increasing and understanding of your privileged user accesses. 

Kirsty Paine:
It's like we said earlier, it's just nailing the basics, isn't it? It's like having that good uplifting posture. And it's funny, even as we're listing them, I hear the kind of boredom in our voices, right, but it is so important. So if we can energize anyone just to implement one more of those basic security practice after this podcast, that's a success. Don't hesitate. Do it today. Really don't wait.

Kirsty Paine:
So given all of the things, we do have a long list, right, of things that people could be doing, but where do you think a public sector leader should be focusing their security effort today? 

Dan:
I think action one is really understanding what are your crown jewels? What are your critical things that you need to continue operating? What are the services that you're going to rely on in a time of crisis to communicate, engage with your customer base, but also continue providing those vital services? Then stepping out and understanding how do I provide resilience to those? How do I find alternate means of maintaining that continuity, but also understanding what are the things that you can do to uplift and engage that workforce and that cyber culture piece. So we've got tools like our Protective Domain Name System. you know, that blocks malicious web activity hosted, you know, in front of government services. Like we blocked 20 million malicious domain requests last year through that service. You know, we've got a domain takedown service that we provide, which prevents those sort of resources being hosted in unsuspecting entities web domains. So we did 70,000 takedown notifications that have been sent to those commonwealth entities. But also we have programs like the Cyber Threat Intelligence Sharing Platform, which allows participating entities, both government and private industry. to share observable indicators of compromise. We had 28,000 IOCs shared through that platform, which is a really great thing. It's sort of, you know, that cyber health, but also that herd health coming into that play. We're actively helping and supporting each other across the board. So.

Kirsty Paine:
Yeah, I love how humble you are as you throw out stats like 70,000 takedowns, 28,000 IOC shares, you know, like you say for the herd health, this is really impressive because at scale you're protecting the herd, not just individuals. And that's a fantastic thing. I've worked with a lot of organizations where we talk about protecting their crown jewels. Like you said, the critical services that really need to be protected. And just making sure first you know what those are. And that they, you don't have 5,000 such things, you know, really prioritise, be ruthless in that, because if you have to protect 5,000 services at once to the same level, that's just not going to happen in pragmatism, is it? So trying to get that number down and being really clear and specific about what you have and what needs protecting is great advice. 

Dan:
That's spot on, right? In COVID, I think we all suffered that where we all had to go remote and suddenly discovered what services and what pictures and functions really needed to continue. And in Australia, we had an event just before the bushfires of that year. And the air was so thick, full of smoke that we had to send people home because their buildings were full of smoke and services were difficult to deliver. But it gave us a really good dry run of actually understanding what services did we... really need to function and maintain mission critical. And those that we could either park or find alternate delivery mechanisms for it. So I agree, right? You've got to carve those numbers down in a time of crisis, really focus on the things that matter and carve out that noise so you can really pay attention and deliver and respond in an appropriate way.

Kirsty Paine:
Fantastic example there of just crisis and meaning that you really need to prioritise in a way that you haven't before in times of calm. I wondered if we can just end on this question: I've seen a lot from Australia lately on smart cities. Given that, you know, Australia is quite remote, are you aiming to be a leader in the smart city space, especially in cyber security, what is the motivation behind that?

Dan:
Look, this is a wonderful lollipop of a question. We recognize the potential technology innovation to provide enhanced services and improve those lives of our citizens through things like Smart Cities. They are critical to the ongoing prosperity of our nation and the wellbeing of our Australian citizens. So for us, communities and organizations across Australia must understand and address those cybersecurity risks that come with that connectivity in that process. So when you talk about smart cities and smart places, we're talking about those basic things that you just don't think about. The lights on the street, the traffic lights at every intersection, your water and your energy sectors, you know, those basic functions, you know, close collaboration is required between, you know, the public sector, like myself and private sector to ensuring that smart place technologies and systems are implemented effectively and managed securely across Australia. YWe've just released a publication called An Introduction to Securing Smart Places. We've now complimented that with a first joint advisory with our Five Eyes country partners.. And both of those publications are available on cyber.gov.au.

Kirsty Paine:
And I believe you've actually got quite a lot of those materials translated into other languages as well, something that I think the Australian government's leading very well on when I look at ACSC's ad vice that they put out.
Dan:Yeah, totally. So, you know, Australia is an island in the middle of an ocean, but we've got a lot of fantastic regional partners, but also we're a melting pot of civilization, right? So, you know, I touched on before we've got our wonderful First Nations people here, but Australia is a nation of migrants and immigrants. So we recognize that and we translate and we're working to actively translate all our products into 22 different languages. And that's because we want to speak to the people in a way that they're going to understand that they're also going to implement that stuff, because there's no point in putting out wonderful advice and guidance. But if you're not shifting that cybersecurity needle, there's no point.

Kirsty Paine:
It really goes back to that point that you were saying before about making sure that we're just improving things, that the guidance is useful and practical and putting it in another language, I think is a masterstroke in making that guidance a lot more accessible. So look, I'm afraid that's really all we've got time for today, but I do just want to take the time to say thank you so much for squeezing us into your busy schedule. I know that you appeared in parliament earlier today, and then you've come here to record this podcast with us. So thank you so much for taking the time.

Dan:
Really appreciate it and thanks for having me.