All Australian organisations should be compelled to come forward and share more cyber security threat intelligence, argues the former manager of the Australian Crime Commission’s cyber team, and that goes for government agencies, too.
Building relationships with industry has been a key challenge for the joint-agency Australian Cyber Security Centre since it was stood up about two years ago.
But the flow of information about various types of malware within the bureaucracy itself is also an issue that needs attention, according to Tim Wellsmore, who recently moved across the public-private divide and is now the Canberra-based director of threat intelligence for the Asia-Pacific with cyber security firm FireEye.
“My experience from in government would be that they focus on a couple of sources that they always rely on, and they just assume if they’re not getting it from those sources, therefore it mustn’t be happening,” Wellsmore told The Mandarin.
He thinks the ACSC is prone to an “illusion of knowledge” that is obscuring a lot of threat activity that is going on, even right under its nose in the public service.
“You need to go and seek that information, and my experience in government is that they’re trying to drive this sharing of information across agencies, but it’s still very piecemeal.
“I don’t think it’s been achieved yet and I also don’t think that even the cyber security strategy at the moment allows enough information sharing.”
Wellsmore says some agencies he has worked with in his private sector “are looking to the ACSC” to provide more support based on information about the latest threats, which they currently have to buy from private firms.
There’s a lot of factors involved — issues around sharing classified information can be complex to work through, says the former cyber crime investigator, but he also thinks organisational cultures in the public sector come into play. He feels there is “very little accountability at an individual level” compared to the private sector.
“In the commercial space, people feel more responsible for their company, yet in government, you’re removed from owning the risk. And I think that may impact the level of urgency there is around some of the cybersecurity practices that go in place.”
The Prime Minister’s cyber security adviser Alistair MacGibbon also sees public sector culture as a key risk to cyber security. He reiterated to Budget Estimates last week that a box-ticking compliance focus won’t be enough to protect federal agencies in a world of constantly evolving threats.
Industry relationships still an issue
In Wellsmore’s view, the multi-agency model was a good structural decision that has enabled “groundbreaking” collaboration between the agencies that comprise the ACSC, but he says there’s still a lot of “relevant information” they don’t receive in a timely fashion from industry. Changing that has been and remains one of their biggest challenges.
“I think it’s done based on individual relationships, rather than having some framework in place that allows it to happen more readily,” he said.
One effort to build better relationships with industry is the ACSC’s annual conference. At the 2016 event, the centre’s leaders (including Wellsmore representing the Crime Commission) acknowledged they had a lot more work to do in this regard.
They were also upfront about another difficulty they still face — retaining their cyber security experts once their skills and experience become valuable to the private sector firms, which can offer better conditions. As someone who has made the transition, Wellsmore sounds surprised he doesn’t hear from his former colleagues more often.
“I still think they can focus on keeping those relationships alive, whereas at the moment it is, you go [into the private sector] and they don’t keep in touch,” he said.
“Whereas I think there should be some sort of ‘government alumni’ type thing around cyber security; I think that would be a really good approach.”
Increasing the general overall “visibility” of evolving types of malware and methods used in cyber attacks, some of which are very elaborate and long-term, is one of the best ways to improve cyber security for all.
Among government agencies, the way information is routinely classified makes this difficult in some cases, according to Wellsmore.
“And that’s a hard nut to crack because you can’t solve that overnight; classifications are there for the right reasons, but it also hinders the way they do business,” he said.
“You get government organisations that don’t receive information because it’s classified at a certain level, even if that information may be relevant to their organisation, so to me that’s a big problem to try and fix in one go.”
As for companies, he sees the mandatory data breach notification scheme that will take effect next year as “a massive missed opportunity” to demand more information not just for people who are affected by a data breach, but also timely threat intelligence that could help other organisations.
“I think the breach disclosure legislation we’ve got in place is a good start. I don’t think it goes anywhere near where it needs to be for us to understand the size of the threat.”
Being created through Privacy Act amendments, the notification scheme focused on the right of consumers to know when their records might have been compromised. Wellsmore suggests cyber security measures could have been introduced at the same time.
He also points out it doesn’t offer full protection in this regard anyway, as it doesn’t cover state and local government or companies that turn over less than $3 million a year. The new scheme also gives reporting entities a leisurely 30 days to make their disclosure.
In cases where the breach has resulted from a cyber attack, any information about how it was carried out should be made widely available, in Wellsmore’s view, but the amendments do nothing to encourage this. There are various exemptions and much of what is disclosed to the privacy commissioner can be kept confidential.
“That threat information is then no longer shared within the rest of the government,” he said. “And to me, that means that on one hand, we want to understand how big the cyber security threat is, but on the other hand we’ve got this breach disclosure legislation that doesn’t then educate the rest of the government, whose job is to respond to cyber security threats.”
The length of time it took to get any breach notification legislation through the federal parliament suggests the scheme could also be seen as a good starting point that can be built on in future.
“I think the fact that we’ve got it in is a good step … but I think we’ve not even crawled where we need to be running at the moment, around breach awareness,” said Wellsmore. “I just don’t think we’re anywhere near where we need to be.”
Cyber espionage here to stay
When it comes to cyber crime, governments around the world are mostly on the same page, but things get murkier in the world of cyber espionage.
And although there are distinct motivations for different kinds of attackers — criminals want loot, hacktivists want to send a message — some of the most skilled groups ply their nefarious trade for a range of clients. In such a market for valuable information, it is likely that government intelligence agencies act opportunistically at times, as well as strategically, in pursuing the perceived interests of their nation through cyber offense.
It’s not clear what effect the recent China-Australia agreement to cooperate on cyber security will have on this murky world, where attributions are routinely met with stony denials. A lot of pundits have openly questioned whether it has any value at all.
Wellsmore hopes it will at least be a step towards further international agreements that do have a positive effect, but says a similar agreement signed by the United States appears to have done nothing to stem the tide of threats emanating from China. A steady decline has been observed, however, starting about a year before that.
“Our company did a lot of research to understand the attack methodologies and the trends to see if we saw any distinct changes because of that agreement, and we didn’t find any,” he said.
Another highly skilled group of attackers known as advanced persistent threat (APT) 32 has just recently been traced to Vietnam, according to FireEye. But these are not simply distant threats that happen to other people overseas.
No mandate to share ‘because it looks bad’
Wellsmore thinks there’s plenty of cyber threat activity in Australia that isn’t disclosed promptly, or ever, partly because organisations that are affected have no obligation to share that information as they do in the US.
“They hold it closely because if it’s a business it might destroy their business, or if its a government agency, they’ve got no mandate to actually share that information with anyone because it looks bad for the government,” he said.
“So it’s all happening, but there’s not enough people talking about it, because initially it’s only seen as negative news.
“They’ve got to realise that this will happen to nearly every business that’s out there, and this is going to continue happening… It’s going on all the time. If you have an Australian Business Number, you will be profiled.”
Another view, expressed by the Department of Human Services chief information officer Gary Sterrenberg at a recent conference, is that talking about successful cyber attacks publicly could encourage more.
Wellsmore does not agree with this logic. “I’d prefer to be talking about it, rather than pretend it’s not happening,” he said.