AISA NATIONAL CONFERENCE 2015 – TRUST IN INFORMATION SECURITY

14 October 2015

OPENING ADDRESS – LYNWEN CONNICK

•Thanks Arno, and good morning everyone. Welcome to the Australian Information Security Association’s eighth national conference. Before I begin, I would like to acknowledge the Wurundjeri people of the Kulin nation, the traditional owners of the land on which we are gathered, and pay my respects to their elders both past and present.

•I am very pleased to be opening this national conference here in beautiful Melbourne, my home town. It’s always great to get out of Canberra and talk with people about cyber security. My team and I have done a lot of this over the past year and this is my favourite topic.

•The Australian Information Association always chooses interesting and topical themes for its national conferences, and this year’s focus on “trust in information security” is no exception.

oTrust in Australia’s information security systems, practices and priorities is essential if – collectively as a nation – we are to make the most of the enormous opportunities that cyberspace has presented us with.

oThese opportunities and challenges will be discussed at length during the next two days.

oI’d like to kick off this discussion with a snapshot of what my department – the Commonwealth Department of the Prime Minister and Cabinet – has heard during our review of cyber security in Australia. This includes both opportunities and threats – and how this landscape can be shaped to our greater national advantage.

•Australians have quickly embraced the economic benefits of cyberspace.

oLast year the internet-based economy contributed $79 billion to our economy – or just over five per cent of GDP.

oWe expect this will nearly double to $139 billion (or more than seven per cent of GDP) in five years.

•Businesses, governments and individuals are benefitting from mobile technology and connectivity.

oThey are using the internet to deliver products and services in a way that we never dreamed of only five or so years ago.

oAnd they are using information gathered online to create individually tailored products and services.

oThis trend is accelerating as more and more of the things we use – fridges, cars, even pacemakers – are connected to the Internet. This 'Internet of Things' is now often referred to as the ‘Internet of Everything’.

oThis connectivity in cyberspace brings enormous opportunities. Businesses – large and small – can diversify and develop new business models.

oAnd it’s equally exciting for us as users, accessing information and connectivity with others in new ways.

oAs Australians we expect the online environment to be flexible and responsive to our needs, both our personal needs but also to support the country’s economic growth and to encourage innovation across all sectors in business and the community.

•We have heard that if we improve cyber security that will support innovation in cyber space more generally and enable innovation more broadly and growth in Australia's economy.

•But as well as opportunities we all know there are significant risks in cyber space. And we will not benefit to the full extent if people do not trust our information security – do not trust cyberspace. Malicious cyber entities pose risks to Australians and Australian businesses. Information security is a cornerstone of business security and sustainability, and protecting client, financial, and inventory data should be a high priority for us all. But if a business is connected to the internet, it is vulnerable – and nearly 95 per cent of Australian businesses are connected. As you know it’s currently Stay Smart Online Week, and as part of this we’re being reminded that:

oOne in five businesses use paid cloud computing services;

o85 per cent of business activities use the internet for financial activities;

o47 per cent of businesses have a web presence;

o56 per cent place orders via the internet; and

o31 per cent have a social media presence.

•These high levels of interconnectivity mean that a compromise of one organisation’s systems can quickly affect others.

oWe all share the consequences of poor cyber security.

•One in ten Australian businesses report losses to cybercrime of more than A$1 million per year since 2010.

•The direct cost of cybercrime to the Australian economy is conservatively estimated to be around A$1 billion a year.

•Fighting cyber threats needs shared and joined up action so decision makers in government, businesses and households have the information they need to protect themselves and Australia.

•Commonwealth, State and Territory Governments and the private sector must cooperate to secure systems, supply chains and information.

•In short, cyber security is everyone’s problem, everyone’s challenge.

•It is not a problem government can tackle alone and it needs to be a priority at all levels in organisations, in particular senior leadership.

•Senior executives and board members need to consider:

  • What could a serious cyber incident cost our organisation?
  • Who would benefit from having access to our information?
  • What makes us secure against threats?
  • Is the behaviour of my staff enabling a strong security culture?
  • Are we ready to respond to a cyber security incident?

•Knowing the answers to these questions will help us all protect our networks.

•How we in government can partner more with the private sector to improve Australia’s cyber security has been the key focus of our Cyber Security Review.

•As part of the Review we spoke with more than 190 private and public sector organisations, and sought specialist advice from an Independent Panel of Experts.

•During our consultations we heard that we need:

  • Strong cyber security leadership – government and business leaders must work together to make the changes needed to improve national cyber security. We heard that this is not just an issue for the cyber security and ICT work forces or CIOs and CISOs. It is an issue for leaders, for CEOs and for boards.

oIt almost goes without saying that Australia’s networks and systems need to be hard to compromise and resilient to cyber attacks.

▪To successfully achieve this will require sustained and close government-private sector cooperation. This includes through sharing information about threats, working together to develop responses and exercising our responses so we are prepared for significant attacks. The need to share more information on threats was one of the most frequently raised issues during our review consultations.

▪But as you all know, making our systems hard to compromise is not just about sharing threat information, detecting intrusions and implementing strong border security – it is also about strong internal controls. We need to ensure malicious software can’t run and administrator privileges are protected. And patching our software quickly with updates, while sometimes tedious, makes a significant difference to our security.

▪Those we have consulted with have told us it is important to promote these sorts of practices in baseline guidelines of good cyber security practice that all organisations can implement. This will help ensure all organisations we connect with have reasonable security and these connections will not increase our vulnerability. The need for connectivity is driving the need for better security across the board.

▪As we all know, as people with a strong interest in this field, strong cyber defence requires multiple layers of protection, beyond fences, guards, swipe access cards and clever coding. It is also about good information security practices, training and educating all those we work with, having current and appropriate information security documentation and continually evaluating our networks for vulnerabilities. We know that we are vulnerable from insiders who may maliciously (or accidentally) do us harm as well as from external threats. And our cyber controls need to address these internal as well as external threats.

oAt a more global level, Australia also needs to work hard internationally to ensure we continue to have a free, open and secure internet.

▪The connectivity of cyberspace opens up new opportunities internationally, but this is dependent on countries supporting access to the internet. This is not universally the case – some see an open internet as a threat to their authority and control, and would prefer to limit its connectivity. Australia is working hard to counter these views, in close step with our allies and friends.

▪A key way for us to achieve this is by helping to build confidence in the internet and capacity in cyber security, both globally and closer to home. Regional organisations where Australia is demonstrating its cyber security leadership include the ASEAN Regional Forum and the Asia-Pacific Computer Emergency Response Team Steering Committee, which we are currently chairing.

▪We also need to continue working with international partners to prevent and shut down cybercrime that targets Australians which often emanates from beyond our borders. We are already doing this but given the resourcefulness of cyber criminals, this cooperation needs to be agile and innovative and focus on both detecting and defeating the criminals.

▪Finally, Australia can contribute to the global cyber solution – and boost our economy at the same time – by promoting the development and export of our cyber security products and services. The global cyber security market will be worth around A$140 billion by 2020, and we must encourage and support our local cyber security entrepreneurs to take advantage of this opportunity.

oAustralia is an innovative country that adopts technology and does quality research. We can use this to grow our cyber security business and develop innovative cyber security solutions that enable all Australian companies to diversify, grow and expand internationally through secure cyber connectivity.

oAnother key issue that those we have talked to have told us is that we need to increase cyber security skills in Australia. Everyone is suffering from a shortage of people with the right skills. This is a worldwide problem but we also need to address it locally. The sorts of ideas that have been raised with us include:

▪Addressing cyber security skills shortages by intervening at all levels of the education system from schools to universities.

▪We have also been told we need to get more people interested in cyber security careers.

• One of the best ways to do this is to start early by encouraging children in primary and then high school to think about these sorts of careers and to take the right subjects to enable this.

•Following this up with appropriately targeted, tailored and promoted courses at universities and other tertiary institutions.

oAnd we have been told we should focus on increasing the diversity of people interested in careers in cyber security. For example, women are underrepresented among cyber security professionals. We need a larger percentage of the population interested in these careers in order to increase the number of people in this workforce.

▪We also need to develop new cyber skills in current workforces and senior leaders.

▪In addition to improving the number and skills of the cyber security workforce we have heard that we need to raise awareness more broadly about cyber security. It is concerning that studies have shown Australians are more likely than people in many other similar nations to click on malicious links or be infected by malicious software. We have a number of awareness raising initiatives but people have told us a more joined up approach is needed.

•So in conclusion, we have been told that improving our cyber security can have a transformative influence on the Australian economy. If we increase trust in our information security and therefore trust in cyber space this will enable us to fully benefit from the opportunities of the internet age.

oBut this is not easy to achieve.

oWe need practical, realistic initiatives that can be achieved incrementally.

▪Our stakeholders have told us that business, government and academia should work together on this on equal terms.

•Getting our cyber security right has much broader benefits than protecting classified information or preserving government and business infrastructure from attack (although this is of course very important!). The economic implications of cyber security are profound.

•It is you in the audience today, and people like you who work and care about information security, who will be tackling these challenges and in doing so shaping our future. I hope to have a chance to talk to as many of you as possible today and get your views on the way forward.

•Thank you very much for the opportunity to be with you today.

Visit the Cyber Security Review page to find out more about the Government’s Cyber Security Review.