If cybersecurity breaches are the new normal – and they are – then it is critical that governments lead the centralised and coordinated defensive efforts at an economy-wide scale.
But that doesn’t mean governments have some kind of cyber superpower, says Peter Bauer, the co-founder and CEO of email and collaboration security specialists Mimecast.
Hardening an economy against evolving threats and building resilience into the system requires coordination, the pooling of knowledge and information sharing – things governments are good at brokering.
In this episode of the Commercial Disco, Mr Bauer talks candidly about the roles that governments, law enforcement and intelligence agencies play in building resilience broadly, and responding to incidents specifically.
Having set up Mimecast 20 years ago in 2003, Mr Bauer has steered the company through many generations of technology, and many generations of cyber threats.
He has been the CEO through its early days as a bootstrapped startup, to taking friends and family investments, through to venture capital funding and growth funding and then six years as a NASDAQ-listed company.
And finally, the company was taken private with a US$5.8 billion acquisition by private equity giant Permira.
Talking generically about the federal cybersecurity overhaul announced a week ago – which includes the creation of a National Office of Cyber Security, as well as new powers for government to take control of private systems where a damaging breach has occurred – Mr Bauer said working together was key.
The takeover powers might not be a bad idea, he says, but it's complicated.
“I’m not sure that’s a bad idea. Cybersecurity is a team sport, so working together is critical,” Mr Bauer said. “[But] displacing a private sector organisation’s cyber team and replacing it, that is a tricky activity.”
“What we saw in the US, which was a very high stakes game around the SolarWinds breach… was a very coordinated public-private teamwork to counteract that [incident].”
The FBI and other agencies were able to advise private companies, giving them insights and indicators of compromise, as well as key data points that allowed those companies to more successfully deal with the SolarWinds issues.
“The reality is that the government doesn’t have any special cyber superpowers. But by pooling knowledge, pooling resources, having playbooks for coordination, and threat intelligence sharing… that’s constructive,” Mr Bauer said.
“It’s really a teamwork approach. I think that’s critical.”
The changing technology landscape means an endlessly changing threat landscape, and that has been a simple narrative since Mimecast was founded, he says.
In email security, data breaches are often the result of social engineering through human-to-human contact.
The arrival of AI systems that are relatively easy to use is definitely exciting because they offer new forms of productivity and creativity, Mr Bauer says, but they are absolutely a double-edged sword.
“Adversaries can use those tools too, and I think the one thing we worry about quite a bit are the human-to-human scams … [because] productivity enhancement tools like ChatGPT can quite plausibly allow an attacker to have very targeted attacks at scale,” he said.
Do you know more? Contact James Riley via Email.
Great comments, James, and might I add that I cannot see why governments in Australia cannot collaborate more with other software implementation concerns; it would save a hell of a lot in wasted time and resources in IT spend. For example, you mentioned SharePoint, which does not truly fully meet the specific requirements of a records and information management system. It has been thrown in at the deep end not only in the private sector but also in the government sector, matching it with Office 365/Teams. Agencies then have to go through the hoops and money to integrate it with software like AvePoint/Content Manager and other like software to comply with regulatory requirements in each state/territory and federally.
James, if we all followed Malcolm Turnbull’s policy of “cloud first”, and all our transactional systems are “in the cloud”, and all the data that is used in those processes is stored “in the cloud” – I’m here to tell you that any unauthorised access to my stuff in their cloud is their liability. People get their hands on my stuff – I sue Amazon / Microsoft / Vault for all the money in the world. I expect to have “built in resilience”, because I’ve paid lots of taxpayer money to a big cloud vendor. Mr Bauer talks about the roles of governments, law enforcement and intelligence agencies – but not AWS, Azure and the other vendors. The APS has outsourced cyber-security through “cloud first”. Great! We can all stop screaming about it and throwing lots more taxpayer $$$ at it – can’t we? If all the APS transactional systems are “in the cloud”, and all their secret documents are in a Sharepoint instance, any penetration is the vendor’s problem. Isn’t security “baked in” and we already pay, don’t we? Didn’t Malcolm say the cloud was “more secure”?