Alistair MacGibbon, Cyber Security Advisor to the Prime Minister of Australia speaks with Executive Editor Chris Cubbage at the Australian Information Security Association (AISA) National Conference 2016, Sydney.
EDITOR: Are you getting good engagement with Prime Minister Turnbull and his office?
Yes it’s great. The level of political interest in cyber security in my experience and I’ve been in this game since the 2000s, has significant up-tick. So I have regular involvement with senior politicians and senior bureaucrats and the level of interest is fantastic.
EDITOR: Do you find the role frustrating at all, are they taking cyber security as seriously as they should?
Yes, the launch of the Cyber Security Strategy in its own right by the Prime Minister and bringing the strategy into the Prime Minister’s own department are signs of how important it is being taken in Canberra.
EDITOR: You’ve been in your role for only four months, what have been some of the key challenges for you?
Well I prefer to see it as what key opportunities there have been. I think what happened to the Census was actually an opportunity for the Government. It was a disappointment and frustration absolutely but also an opportunity to take something that was clearly very frustrating but not catastrophic in terms of what actually happened and parlay that into the thinking of government in the delivery of other government digital service delivery. So I look for opportunities out of what are otherwise unpleasant circumstances, and the Census was one of those unpleasant circumstances. So the opportunity is for a better dialogue around better digital service delivery from a Government perspective and indeed to engage the public as to what their expectations are of Government.
EDITOR: Were you engaged at all for the Energy Security meeting held by Josh Frydenburg and do you see opportunity there because if they were to consider major power outages, these could also be instigated by cyber-attacks?
No but I would answer that by saying critical infrastructure of which the energy sector is a key part amongst the critical infrastructure sectors, it is vital. If we don’t get critical infrastructure protection right it is where the most catastrophic things can go wrong. There is a relationship between various critical infrastructure sectors because water is vital to power, power is vital to water, they all interlink.
You take an all hazards approach, be it against fire, high wind or a cyber-attack that takes you off line, you are offline. Cyber is only a vector but I would say it’s a vector that has increased in importance across those various sectors and we need to increasingly turn our mind to how cyber based threat vectors will play across critical infrastructure. We shouldn’t lose sight that we should still take an all hazards approach for business continuity and cyber-ability. I still see our greatest risk as our greatest opportunity.
EDITOR: Do you have much to do with the State Governments, rather than just the big beast of the Commonwealth Government?
My role is supposed to have a national capacity as opposed to just a federal government perspective. I’ve been in active discussions with a number of states bilaterally and all of the states at times in larger forums. There is huge opportunity there because the states are the main service delivery vehicles for the country.
EDITOR: Mandatory reporting was introduced to Federal Parliament on 19 October 2016, was there any particular hold up to this legislation and your views on the legislation?
It’s clearly a matter for the politicians but I’ve always been a supporter of mandatory data breach reporting and see advantages in it. It’s now up to parliament to look at what form that takes, if at all, but certainly in my experience what industry is after is just knowing what is the new level playing field going to be.
EDITOR: Did you have much to do with the ACSC Threat Report 2016?
I’m certainly aware of it and did quite a bit of media associated with it. The report’s objective is to provide more information about the type of threats the Commonwealth is seeing by giving case studies and advice on remediation. I think it was a positive step in the increasingly transparent way the Commonwealth is doing its business. If we want industry to disclose then the Commonwealth needs to disclose. If we want industry to change the way it’s doing business then we need to show the Commonwealth is prepared too.
EDITOR: Why then is the legislative process so slow and one of the areas we have been covering is national security, we mentioned a snap Minister’s meeting on Energy Security and we are still dealing with state based legislative models for physical security. Cyber security consultants are breaching state based legislation in the physical security realm when they look at access control or physical security, say under ISO 27000 Information Security Management Standards, and I’m wondering why we have two models of legislation still remaining?
That is an interesting question. So you’re really talking about the regulation and standardisation of advice. It is not an issue I’ve really thought of. I would say if it improves outcomes then you look at those things and if it doesn’t maybe it’s changing the old industries.
EDITOR: This issue was raised with the Victorian Police Minister and she declined to change their legislation and openly admitted that regulating the information security industry in the same way they attempt to regulate the physical security industry would be overly burdensome. So my question is what about new technologies emerging, will security robots be subject to any form of regulation and legislation?
No but these are very interesting questions. I’ve been a strong advocate for industry led improvements in the cyber security industry so whether it’s an association like AISA or whether its CREST for penetration testing and working out what the best practice is and buying services from people who are recognised as having certain skill sets. In what is otherwise a pretty unregulated space membership of professional bodies and the requirements by those bodies might be the better way of looking at this.
EDITOR: Do you think the cyber security sector needs to be regulated?
Well, I’m neutral on it. I think that businesses will buy services from people who provide the right services and the market will sort itself out. Having said that, I used to run CREST in Australia as the Chief Executive Officer and it was a voluntary industry association that would test people’s skills and certify those skills. It would also look into the companies that employed those people. There were national police clearances as part of the process and went to some way as providing a level of assurance to customers.
EDITOR: I don’t understand why as a physical security consultant I’m restricted from operating nationally whilst an information security consultant is not, don’t you see the convergence of physical and cyber coming together?
They are inextricably linked. If your front door isn’t locked then someone can enter and plug into the backend of your network.
I have nothing to do with the regulation or otherwise of physical security but I can only say in a cyber security sense I am all for the increase in professionalisation. The question I would ask the physical security world is does the current regulatory system actually improve the service delivery for customers who are buying those services. That is the question that should always be asked of any regulatory system.
Editor: Thanks Mr. MacGibbon!
