For years now, chief information security officers and others have been telling organisations to share cybersecurity information to improve their defences. But few do, except perhaps within their own closed industry groups.
In Sydney on Wednesday, Steve Ingram explained why.
Ingram is the Asia Pacific Cyber Lead for PricewaterhouseCoopers, and has worked previously with the NSW Independent Commission Against Corruption, the Australian Federal Police, and the Commonwealth Bank of Australia. He was speaking at the InnovationAus.com conference, “Cyber Security – the Leadership Imperative 2017”.
“Hands up, if you had a breach … if you had some threat intelligence data, if you would send that information out just on your Facebook account, your LinkedIn account, just out to anyone,” Ingram asked.
No hands were raised.
“Why not? Hands up, if you had a friend whose child went missing, and they’ve put a campaign out there to share information about ‘My child’s gone missing, can you keep an eye out for this person?’, who’d do that?”
Virtually every hand in the room was raised.
Ingram’s message was that information sharing is what solves society’s big problems.
One example was how we tackled the death toll from road accidents.
In 1970, when Australia’s population was 12.5 million, traffic accidents killed 3,798 people. That’s more than 30 deaths per 100,000 people per year.
“The road toll was carnage, but we always thought [it would be] someone else’s carnage, not ours,” Ingram said.
“As a nation, we took action, and we shared information. We looked at what would improve road safety, and brought in programs like mandatory seatbelts,” he said, as well as consistent speed limits, random breath tests to detect drunk drivers, and tighter vehicle safety engineering standards.
By 2016, Australia’s population had nearly doubled to 24.3 million, but the road toll had been reduced to 1,290. That’s around 5.3 deaths per 100,000 people per year. Not ideal, obviously, but a signifiant improvement.
The same information-sharing approach was deployed in the global fight against the bird flu pandemics in the late 1990s, and in the fight against Australia’s plague of bank holdups.
As The Age reported in 2003, bank robberies were so common back in the 1970s that they barely even made the news.
“Small branches with just a few staff and little security were in almost every shopping strip across the country. By 1987, partly fuelled by heroin-related crime, more than 500 banks were robbed across Australia,” they reported.
But from the mid-1980s, banks began to introduce better security, including bulletproof security screens to protect the tellers, and dye bombs in cash containers. The police changed tactics too.
“It sounds simple now, but when we introduced video line-ups, it revolutionised our clean-up rates,” Ray Watson, former head of Victoria Police’s armed robbery squad, told The Age.
“Until then witnesses were too scared to confront offenders face to face and that would often spoil the prosecution.”
After the introduction of video identification line-ups, he said, police cleared about 70 percent of armed bank hold-ups, “and in the other 30 percent, we usually knew who did it”.
Ingram said we can make Australia a better place to do business, and boost the economy, simply by sharing information that already exists.
So why don’t we share that information?
“It’s fear of embarrassed. It’s trust. It’s not trusting everyone, it’s a bit of paranoia,” Ingram said.
“Someone said if we put all this information into a threat intelligence sharing capability, and share it with everyone, the crooks will know what we’re doing. And that’s right. So what? They don’t know anything that they don’t already know, right? We’re just giving back what they’ve done. And if they know we’re active, we’ll become a harder target. We’ll become a better place to do business, because we know they’ll go for the easier hits.”
Yes, the bad guys already know what they know. That point was also emphasised by Craig Davies, chief executive officer of the new Australian Cyber Security Growth Network, and by Avi Schechter, chairman of the Israeli cybersecurity firm CyberGym.
The criminals are already well-organised. They can work faster because they aren’t hampered by laws or government policies or the need to focus on any KPIs except their own crime. We need to get better to get ahead.
Schechter said that Australia’s integrated cybersecurity strategy is a rare thing. The only other countries doing anything like it are the US, the UK, Israel, and maybe Germany.
But, as I say, we’ve been talking about better cybersecurity collaboration for years. Years and years. Will Australia actually, finally, do it? I mean, properly? Effectively?
I doubt it.
Think I’m wrong? Well, what’s actually changed?