In case you missed it…
Late in the winter of 2012, the Director-General of Security made a rare public address to a significant private sector audience. The transcript is posted on ASIO’s website. Missed that one, did you? Well, not everyone is an ‘intelligence groupie’, so chances are it was missed by most.
The first issue of the Weekend Financial Review for 2013 carried front page headlines and four pages of reporting of the Director-General and others on the same subject. Even though many were away on holidays, some would have read it with a cold one in the other hand. Certainly the article carried sufficiently sobering news to negate the effect of one or two beers.
Then, just before Australia Day 2013, the Prime Minister made a significant policy statement. She then issued a press release summarising the key elements. It was reported on every television news bulletin, radio news bulletin, the internet and in the newspapers. Did it affect you or your business? Can you tease it out of the corner of your brain where it is subconsciously stored?
All of these events were linked. A few days, a few weeks on, what do you remember? What were they all talking about? President Obama, the US Defence Secretary, Leon Panetta, and Jonathan Evans, the Director-General of MI5, have been talking about the same thing.
The dependence and vulnerability of a wired society
It is a truism to say information infrastructures underpin and enable today’s information society. It is unthinkable to imagine how we would survive without them – they have totally changed how we work and play. Business would grind to a halt, as would air traffic control, traffic management systems in our cities, water supply and emergency services.
Since the 1980s, there have been references to information warfare. It was a discussion that occurred within defence department complexes and at academic seminars. Roll on one decade, and there was a slew of conferences and seminars on the subject. We started to hear terms like cyberwarfare, information warfare, iWar and others. We read of cyber terrorists or criminals remotely interfering with aircraft controls, crashing banks’ time clocks in vaults and threatening all manner of real and futuristic harm. We remember the television pictures of the first Gulf War, when the Iraqi telephone and public lighting systems were ‘taken out’ and precision-guided bombs destroyed Kuwait’s key infrastructure and Saddam Hussein’s command and control was totally obliterated. We even remember the name ‘Operation Desert Storm’.
The really important message is…
But what about today: how are the messages from the Prime Minister and the Director-General of Security affecting your business and your role as manager? Take it as read that foreign governments are launching cyber attacks against this country and others. There is overwhelming evidence for that. Grave as that is, we are not going to concern ourselves here with the defence, intelligence and strategic implications. Rather, what does it mean for us in business? What is happening at our own portals?
The first message is that we are being robbed blind. A bunch of people who have not worked for it and don’t contribute to it are trying to strip our economic wealth from us. Highwaymen used to be recognisable: they rode horses, carried pistols, ambushed you and demanded your valuables. The modern-day version sits with a mouse in another country. DSD cites a Symantec estimate that puts the Australian cost of cybercrime at $4.5 billion and arguably more. In many cases, nation states are launching these attacks, while hacktivist groups like ‘Anonymous’ have claimed significant dislocation, and hackers will always seek your information. The ASIO Director-General quoted CERT Australia as saying there have been more than 5,000 cyber incidents in Australia in the first eight months of last year. The purpose of these cyber attacks is to steal the value of years of research and development; to get across big deals so that the market can be affected; to insert malware and knock out capability; and to strip away privacy and confidentiality.
What is to be done?
Value your information – it is truly your most critical asset. Value security of your information over speed and convenience of applications. Understand the consequences to you and your staff if you lose your information. The only way to do this is to undertake some consequence analysis and put dollar values on it, as you do in your business continuity plan. As DSD says in its catchy video, you need to ‘Catch, Patch and Match’:
• Only allow your approved software to run on your systems.
• Catch all malicious software and block it from running.
• Patch all applications with updates, so there are no security exposures.
• Match the right people with appropriate access to your systems. Administrator access should be severely limited – in the wrong hands it is a death-wish.
Who’s to do it?
You. If you the manager, you the director, you the supervisor, you the worker don’t understand the risks and put in place strategies, controls and policies to mitigate them, you may as well pack up and head to the beach. It takes leadership and discipline. Management must show leadership, resource the requirement and ensure compliance. Everyone else must show discipline and understanding: the discipline not to open emails from unknown sources and understanding of the consequences to their job, the business and their future if information security is not observed.
And if it is left to others…
The Head of NSA described cyber-theft as “the greatest transfer of wealth in history”. He estimated the cost of theft of intellectual property from US companies was worth $250 billion each year and a further $1 trillion was spent on remediation work. The stakes could scarcely be higher.
Have a look at the DSD website. Ask your IT security manager to report on how your business stands against the 35 mitigation strategies listed there and give you a score out of 35. Are you in good shape? If you are not scrupulously careful and leave no chinks in your defences, someone will find their way in.
Most of all, talk with your colleagues and your staff about the risks and their consequences. If you don’t start and regularly pick up that conversation with your people, it may be too late.
Gerard Walsh
Gerard Walsh is a business risk and resilience management consultant with over 25 years’ security experience, including Corporate Security with global responsibility for AMP, and is a former Deputy Director-General of ASIO.
Disclaimer
All reasonable care has been taken in the research and preparation of this assessment. However, G P Walsh & Associates (GPW) is not responsible for any non-disclosure by the client, its agents or contractors or by government websites, regulatory authorities or other persons GPW has interviewed or consulted in the preparation of this assessment. By commissioning a report, the client acknowledges all such reports require accurate information to inform the detailed assessments and GPW is neither responsible nor liable for any omission or error in its reporting, unless professional negligence is proven. Furthermore, no such inquiry is definitive and GPW can only make an assessment for further consideration of its clients.