The Australian Signals Directorate should be applauded for sharing publicly the details of a serious data breach at an Australian defence contractor at a conference for cyber security professionals in Sydney this week.
And the Australian government should be applauded too, for allowing the public disclosure of the breach.
The mainstream reaction to this low-profile speech by an ASD cyber response executive to an audience of security professionals has been predictably breathless, spilling into hyperbole. The point of the presentation – obviously – was not the fact of the breach, but what happened once it was detected and what we can learn from the experience.
Now that everyone has stopped running around in circles and yelling, it is worth taking stock of what’s happened in the past couple of days and making a few points.
Firstly, government has been pressing business about the need to be more open about sharing breach information, and collaborating on security information about the latest attack vectors and the latest ways to deal with them.
The better we get at sharing threat intelligence among our security professionals, the more secure it will be for everyone.
If it’s not possible to share that kind of breach intelligence with the pointy-headed professionals of the security community, then where would it be possible?
The Australian Information Security Association’s annual conference was an entirely appropriate forum for this kind of presentation.
This is precisely the information-sharing that both the government and the industry have been trying to foster. The fact that the Australian Signals Directorate is able to share case notes from a breach has tremendous value. It needs to be encouraged, not discouraged.
This is how the speech by the ASD’s Mitchell Clarke was promoted to potential conference attendees:
“Representatives from the Australian Signals Directorate’s Incident Response team will take you through a recent case study and share their experience in how to identify, investigate, and remediate these sophisticated intrusions,” the conference blurb says.
“They will cover some of the recent techniques sophisticated cyber actors have used to compromise networks, move laterally, maintain persistence, and exfiltrate data – as well as a detailed explanation of how ASD performs incident response.”
These are the conversations that government has been trying to encourage. It would be a travesty if the breathless reporting of the mainstream media caused the ASD to pull back.
It is worth noting that this was not a recent case study. It is understood the ASD has presented it at least twice before, at security conferences in front of security professionals.
And let us assume that the ASD are not idiots, and that the breach and response details shared were in after-the-fact mode, useful to no-one except the security professionals who can benefit from the lessons learned.
The fact that the Australian Signals Directorate is taking a lead role in the discussion is also entirely appropriate. You would hope that having the mainstream press hyperventilate about it won’t stop government from having these sensible, common-sense conversations.
With Australia’s mandatory data breach notification regime coming into force from February, the ASD has done the business community a huge favour. (And so has Stilgherrian, the security journalist who sent a recording of the ASD speech to mainstream media outlets.)
Here’s the thing: From February it will be a legal requirement for organisations to make public details of security breaches involving personal information. That is going to flush out the details of some ugly breaches that would hitherto have been hidden from public view.
The fact is cyber security breaches occur far more frequently than anyone is currently comfortable with. Those breaches are about to become more public.
That the ASD and the government are providing case notes about specific breaches, and that this is being soberly endorsed by Cabinet-level ministers, is as good a way as any of getting the discussion about cyber responsibilities out into the mainstream.
Stilgherrian orchestrated the start of a conversation. Cyber is a whole-of-economy issue in which everyone has a part to play. Our consumers need to be more cyber-aware, our small businesses need to understand where they can get help to secure their systems, and our corporates and government need to work better together to share intelligence.
Alex Tilley spent a decade with the Australian Federal Police as part of its High Tech Crime Centre before joining Secureworks’ counter threat unit 18 months ago. He was at the AISA conference this week and says the ASD presentation was “brilliant”.
“This took real courage from both ASD and from Mitchell Clarke personally and it’s really important that they be able to [make these kinds of presentations],” Mr Tilley said. “They should be encouraged to do it even more.”
He said the spill-over into the mainstream media was a good thing. “People need to understand what’s going on. It’s a serious game these days.”
The one issue with the presentation is about language. There is an element of hyper-geek in security culture that is expressive in a way that doesn’t necessarily translate well into mainstream press.
Naming the hacker ‘Alf’ after a character from Home and Away, and calling the period of the breach “Alf’s Mystery Happy Fun Time” is a cultural affectation of the cyber community. It does not demonstrate a lack of seriousness.
Australia’s Defence Industry Minister Christopher Pyne did well this week to take a business-as-usual tone in his Radio National interview on Thursday. The point was that cyber threats are constant, and that we learn what we can from the breaches.
It was a “salutary reminder”, he said. “When the government says businesses need to take their cyber security measures seriously, it isn’t joking. There are some very serious threats out there.”
“These types of cyberattacks are happening all the time. And they are going to be successful from time to time.”