Calls for threat intel platform
Steve Ingram: A formalised platform for sharing threat intelligence the next step
Australia is progressing on its national cyber defence but what remains missing is a strong, threat intelligence sharing platform that rises above the informal sharing relationships that exist today.
There has been action on many fronts around Australia’s cyber posture since the Coalition launched its $230 million cyber security strategy in 2016, but getting governments of all stripes, academia and the private sector to share cyber threat intelligence is proving more difficult than first envisaged.
So says Steve Ingram, the Asia Pacific Leader for PwC Cyber, who points to his experience attending a recent critical infrastructure security conference where he found the level of conversation around cyber processes – such as threat information sharing – had still not moved on from where it was at twelve to twenty-four months ago.
“We haven’t made the progress in some areas that we need to, and one of them is threat intel sharing,” Mr Ingram says.
There has been good progress on threat sharing at a government level, but industry still tends to rely on informal networks.
“The government has created Home Affairs to bring together different departments so they can improve their intelligence sharing and collaboration for improving our nation's cyber resilience, and also in response to attacks and that’s a step in the right direction,” says Mr Ingram, who will deliver a keynote address at the InnovationAus.com Cyber Leaders: The Collaboration Imperative event in Sydney on May 15.
“It shows they recognise the (threat sharing) issue within government.”
Mr Ingram recognises there are many informal cyber intelligence sharing groups within different private sectors such as financial services and energy, where C-suite executives tend to all know each other.
“They have that broad-based trust with each other, so they have their own informal information sharing networks.”
However, Mr Ingram maintains there needs to be something more structured and part of the answer could lie in the newly formed Joint Cyber Security Centre (JCSC) program, a $47 million initiative that came out of the original Federal cyber strategy.
The JCSCs are designed to bring government, industry and academia together at a more regional level than the more centralised Australian Cyber Security Centre (ACSC).
The JCSC’s now roll up to the ACSC, with a planned focus on threat information sharing; with the JCSC being the face on the ground at a state by state level.
The JCSCs have taken a while to roll out. The first one opened in Brisbane in February 2017, then came Melbourne last October, Perth in December, Sydney in March 2018 and the last one in Adelaide is expected to open later this year.
“We have the JCSCs which are state based. What we don’t have yet in the JCSC network is a national focus, built around a platform to share threat intelligence."
“At the moment the JCSCs are doing good work, in so far as providing a networking opportunity and education sessions on different types of cyber issues,” says Mr Ingram.
What’s missing, says Mr Ingram is a pipe to connect all the disparate government and industry organisations when it comes to threat intelligence sharing.
“Often you find the top ASX listed companies are part of a range of informal networks, so the JCSC is great for companies below those from an awareness and relationship perspective.
:What we don’t have is something that is tying inter-federal-governmental communication, state government communication and the different industry sectors together.
“We don’t have that connectivity yet,” he says, although he does acknowledge the work of the Trusted Information Sharing Network for Critical Infrastructure Resilience, which was established in 2003 to foster business to government information sharing across eight critical infrastructure sector groups.
“We don’t have a system in place outside of informal systems based on relationships. We don’t have a systemic solution.”
He hopes the JCSCs will become more than drop-in centres for cyber-related networking and education.
“We want them to become a critical part of the cyber fabric,” says Mr Ingram, adding the need to build a formal platform that rises above the informal sharing networks already in place.
“These informal networks are all very well but what happens for organisations not part of that network? We are so interlinked today, we are all part of the same supply chains, so there remains a risk that an attack could do full circle and come back to bite you. We need something that is above and beyond the informal network so that the country and the whole economy can rely on it.”
An argument mounted against better threat sharing is that the bad guys will know what we are doing.
Mr Ingram discounts this.
“One of the issues I hear from time to time, is that people are not keen on a (threat sharing) platform as they are concerned that if you share it with everyone then the crooks will know what we are doing as well,” he said.
“But the thing is, all the crooks will know is that we know what they are doing, which is a deterrent in itself.
“They are usually after the simplest and quickest financial return, and this is a bit like someone coming to break into your house but when they see a Police car down the street they run away instead. I don’t see any downside to that.”