Australian Security Magazine, April/May 2018 by MySecurity Marketplace

Print Post Approved PP100003227

THE COUNTRY’S LEADING GOVERNMENT AND CORPORATE SECURITY MAGAZINE | www.australiansecuritymagazine.com.au April / May 2018

The impact of AI technology on cybersecurity

Mounted security & mounted first responders

Cybersecurity in space & military operations

Beware of the black swans

SMART ID: Ethereum blockchain identity management

Australian Signals Directorate sets priorities

Women in Security: Pip Wyrdeman, Director Cyber Systems and Services, Elbit Systems of Australia

ASEAN in Australia summit – security enhancements

APPLICATIONS, IMPLICATIONS, IMPACTS $8.95 INC. GST

PLUS

Women in Security | Techtime

Cyber Security

Weâ&#x20AC;&#x2122;re TRANSFORMING Join us as we embark on the next phase of our journey

- visit our new online store at hills.com.au -

HCORP0011-Jan18-v1

For more information on these and other best-in-class solutions from Hills call us on 1300 HILLS1 (445 571) or visit hills.com.au

facebook.com/HillsLtd/ C2 O N N E CT E N T E RTA I N | Australian Security Magazine

SECURE

Cyber Security

Australian Security Magazine | 3

Contents Editor's Desk 5 Cyber Security Executive Editor / Director Chris Cubbage Director / Co-founder David Matrai Art Director Stefan Babij

Mounted Security & Mounted First Responders

Connection not collection

Judicial Performance Management

Beware of the Black Swans

ASEAN in Australia Summit – Security Enhancements

ASD sets priorities 26

Correspondents Jane Lo

MARKETING AND ADVERTISING T | +61 8 6465 4732 promoteme@australiansecuritymagazine.com.au SUBSCRIPTIONS

www.australiansecuritymagazine.com.au/subscribe/ Copyright © 2017 - My Security Media Pty Ltd 286 Alexander Drive, Dianella, WA 6059, Australia T | +61 8 6465 4732 E: editor@australiansecuritymagazine.com.au All Material appearing in Australian Security Magazine is copyright. Reproduction in whole or part is not permitted without permission in writing from the publisher. The views of contributors are not necessarily those of the publisher. Professional advice should be sought before applying the information to particular circumstances.

Women in Security: Pip Wyrdeman

Cybersecurity in Space & Military Operations

Blockchain briefing

SMART ID: Ethereum blockchain identity management

Page 10 - Mounted Security &

Mounted First Responders

The impact of AI Technology on cybersecurity

Can we take people out of IoT

By 2050 – we will be beyond the cloud and on mars

Executive Editor's Interview with David Kemp from Micro Focus

TechTime - the latest news and products

Book review

Page 12 - Connection not

collection

CONNECT WITH US www.facebook.com/apsmagazine

Page 24 - ASEAN in Australia

Summit – Security Enhancements

@AustCyberSecMag

OUR NETWORK

www.linkedin.com/groups/Asia-PacificSecurity-Magazine-3378566/about www.youtube.com/user/MySecurityAustralia

Like us on Facebook and follow us on Twitter and LinkedIn. We post about new issue releases, feature interviews, events and other topical discussions.

Correspondents* & Contributors www.australiancybersecuritymagazine.com.au

Page 30 - Cybersecurity in

Space & Military Operations www.asiapacificsecuritymagazine.com

Jane Lo

Nick Johnson

Scott Taylor

Wayne Tufek

www.aseantechsec.com

www.drasticnews.com

www.chiefit.me

www.youtube.com/user/ MySecurityAustralia

4 | Australian Security Magazine

Annu Singh www.cctvbuyersguide.com

Chas Capewell

Dan Lohrmann

Terry Flanders

Page 34 - SMART ID: Ethereum blockchain

Editor's Desk "Everything is being digitalised and everything is being connected and everything is driven by software. There is no doubt the full potential of this is yet to be fully realised. However, with these same benefits, comes some serious risk.” - Mike Burgess, Director-General Designate of the Australian Signals Directorate, 11 April 2018, Australian Cyber Security Centre Conference, Canberra.

n their submission to an Inquiry into the Protection of Crowded Places in Western Australia, conducted by the Community Development and Justice Standing Committee, Don Williams and Anthony Bergin observed “the security licencing system is not relevant to those who provide management level advice on protective and response measures. Security is a management discipline with its own body of knowledge, research and literature. Those responsible for protecting crowded places should recognise that formal qualifications and certifications exist and should use appropriately qualified professionals to develop the required capabilities.” In addition, the submission proposes; “that rather than seeking ‘best practice’, consideration could be given to assessing ‘good practice’ i.e. one that provides for a safe, secure and suitable environment through effective communication between government and corporate sectors; well-trained aware and empowered staff; effective and site specific and applicable plans and procedures.” Such a set of circumstances is not isolated to Western Australia. It is the case in all jurisdictions. Governments, Federal and State, are clearly behind and increasingly they are coming to admit the fact. In my interviews with Austrac at the Austrac Codeathon, part of the ASEAN in Australia Summit, the regulator confirms that the fast pace of technological change and innovation is outstripping Government’s capabilities and they’re turning to the private sector and regional partners for assistance and collaboration. Likewise, legislative changes in data protection and breach notification in Australia and Europe in the first half of this year is driving much of the news. Cybersecurity will continue to increase in sophistication with use of automation, behavioural analytics and autonomous systems both in the protection of networks and systems, as well as how they are attacked and breached. Cybersecurity must continue to evolve to enable

new IoT (Internet of Things) technologies such as autonomous vehicles, sensory systems and far greater computer processing power. Yet, we are not seeing the same drive and collaboration when it comes to physical security and protection of the public in crowded places. Another highlight of the convergence is the CSIRO Data61 Sunrise Industries Report, 2018 which identifies a Cyber-Physical Systems Security Industry. This evolving industry provides cybersecurity for cyber-physical systems, which consist of both software and physical components (e.g. smart grids, autonomous cars and drone fleets) and the report identifies how cyber-physical security is becoming increasingly important as acts of geopolitical aggression are executed through attacks on cyber-physical systems. But industry is providing leadership. In early March a global group of significance met at Standards Australia in Sydney, being the International Organisation for Standardisation Technical Committee 292 - Security & Resilience. With new standards in the final stages of development, these will provide protective security frameworks, architecture and guidelines. It will be incumbent on Australian governments and enterprise to adopt these standards, as they will be internationally, and will provide the much-needed direction the security profession has been lacking for so long. Another key trend to watch, in particular across the Asia Pacific, is the cyber war games and cyber espionage in play between the US, China, Russia, North Korea and related allies, including Australia. The investments being made by China in artificial intelligence is a good example of the scale this is reaching and how the application of new technology in military systems is contributing to the change in the balance of power in the region. As provided in our Report Review, the US Cyber Mission Force is seeking a US$647 million budget for 2018. The recent expulsion of Russian diplomats from Australia and 20 or so

other countries, along with the commencement of a multi-billion dollar trade war between the US and China is just the start of what will likely be the continued disintegration of modern liberal democracy’s homogenous controls. For security professionals protecting an enterprise or public precincts and crowded places, all of these trends and events have an impact on localised and organisational risk. It remains imperative that government work with the security profession on a basis of trust and with equal expertise. Along with a number of podcast interviews with security and technology professionals from across the world, in this issue we have articles on global space technology, artificial intelligence, policing and professional standards, mounted security deployments, emergency management and our Women in Security feature is Philippa ‘Pip’ Wyrdeman, the Director Cyber Systems and Services Australia at Elbit Systems of Australia. We also have takeaways from the ASEAN in Australia Summit and the Australian Cyber Security Centre Conference, where ASD set out its priorities for the next 12 – 18 months, including executing counter cybercrime campaigns alongside expanding outreach and influence to improve the identification and management of cybersecurity risk. And on that note, as always, we provide plenty of thought provoking material and there is so much more to touch on. Stay tuned with us as we continue to explore, educate, entertain and most importantly, engage

Sincerely, Chris Cubbage CPP, RSecP, GAICD Executive Editor

Australian Security Magazine | 5

E TUN IN ! NOW

www.australiancybersecuritymagazine.com.au 6 | Australian Security Magazine

PODCAST HIGHLIGHT EPISODES

Episode 28 – Australia’s eSafety Commissioner, Julie Inman-Grant discussing online safety, cyber bullying and child exploitation

Episode 15 – Protecting media & journalists in hostile environments – Shannon Sedgwick, CEO of GM Risk Group

Julie Inman-Grant, the Australian eSafety Commissioner at the Office of the eSafety Commissioner, speaks with Chris Cubbage at the Women in Cyber Mentoring Event in Sydney. Julie discusses her role and her focus on online safety, preventing cyber bullying, and child exploitation, and how her 17 years formerly at Microsoft, as well as Adobe, and Twitter, assist her in her role as the Commissioner of eSafety.

In this interview, Chris Cubbage interviews Shannon Sedgwick, CEO of GM Risk Group, a consulting firm specialising in protecting media staff, both in terms of physical and cyber security, as they travel in hostile environments.

Chris and Julie also discuss the three pillars within eSafety of safety, security, and privacy and their inter-connectedness and priorities, and how parenting and education are still the two major lines of cyber-defence.

Shannon has personally provided protective services to media companies and has travelled to over 30 countries this year, including the Congo, Afghanistan, and Iraq. Shannon discusses the services that GM Risk Group provide, how to mitigate risk, and the increased focus of media companies on duty of care and overall safety for journalists. If you, or members of your team work in regions of the world, where data or physical safety are at risk, then you’ll enjoy this interview with Chris Cubbage and Shannon Sedgwick.

Episode 25 – ECU Cooperative Research Centre & Dr Peter Hannay’s research into historical location data within digital devices In this interview, Dr Peter Hannay of Edith Cowan University (ECU) provides insight into the recent completion of his doctoral research which focused on historical location data that can be gathered from small and embedded devices. This research was used by WA Police to assist in homicide cases, for tracking a suspect’s movements, as well as providing a credible alibi. Peter also talks about ECU’s Cooperative Research Centre, a $130 million-dollar project, as well as leading research in cyber security, particularly IoT. If you’re interested in cyber security research, and true crime, then you’ll enjoy this interview with Chris Cubbage and Dr Peter Hannay.

Episode 8 – Meet Renowned Autonomous Vehicle Security Architects & “White Hat” Hackers, Dr. Charlie Miller and Chris Valasek, GM’s Cruise Automation You’ll love this interview with Charlie Miller and Chris Valasek. As the sixth interview at #AISACON17 in Sydney, we met these celebrity ‘security architects’, who first hacked two non-connected, commercially available cars using a diagnostic port. While some consideration was made to security in the original software, Chris and Charlie highlighted that with a little problem solving, and a lot of patience, control systems, effecting steering, brakes and lights could be manipulated. Later, the dynamic duo set their sights on ‘remotely’ hacking a Jeep SUV. In this interview, we’ll learn how they were able to bridge the gap between the ‘head unit’ or radio, and the control systems, and take control. All while the driver was travelling at over 100 km per hour. Enjoy the discussion!and privacy and their inter-connectedness and priorities, and how parenting and education are still the two major lines of cyber-defence.

Episode 17 – Tackling online extremism through inclusion and tolerance: The Raqib Taskforce In this interview, Chris Cubbage interviews Anooshe Mushtaq, Chair and Founder of The Raqīb Taskforce, an organisation that promotes social inclusion and cohesiveness for Australia’s Muslim community, particularly the youth. Anooshe shares how her grassroots organisation is helping to debunk hate speech, remove division, and promote the voice of young Muslims, to counter extremism both within and outside the Muslim community. This involves a host of online and social media strategies. Ultimately, the Raqib Taskforce aims to build a tolerant and cohesive society, through better understanding of all sides. Please Note: This interview was arranged and conducted by MySecurity Media independently of the Risk Management Institute’s National Conference. Recorded November 16, 2017, Canberra.

Episode 9 – Cyber Threat Alliance (CTA) President Michael Daniel in Sydney #AISACON17 Our seventh interview at #AISACON17 in Sydney in October, is with the President of the Cyber Threat Alliance, Mr Michael Daniel. In this interview, Michael Daniel talks about his new role at the Cyber Threat Alliance, or CTA, and how his organisation and the 12 member companies are sharing threat intelligence at speed and scale. In particular, you’ll hear about the CTA’s ‘sharing rule’, that ensures collaboration, and improves all members’ products and services. And this sharing is quick. Michael highlights that the time from detection by one member company to deployment by another member company can be as short as only 54 minutes. In this interview you’ll hear cyber security vendors working together to collectively, systemically disrupting the ‘bad guys’.

www.australiancybersecuritymagazine.com.au Australian Security Magazine | 7

PODCAST HIGHLIGHT EPISODES

Cyber Security

Episode 49 ASEAN-Australia AUSTRAC Codeathon 2018 – Interview with AUSTRAC’s Chief Innovation Officer & Director for Innovation, Information & Transformation Chris Cubbage talks to Leanne Fry, Chief Innovation Officer, and Rajesh Walton, Director for Innovation, Information & Transformation, both of AUSTRAC, at the ASEAN-Australia Codeathon held in Sydney.

Episode 37 Red Hat, the world’s largest open source software company in APAC & video surveillance You’ll hear about the role of Red Hat as a technology steward, bridging open source software with enterprises, while maintaining piece-of-mind, the Red Hat product suite, and their role in reducing the costs within the surveillance market through more efficient data compression algorithms and storage.

Episode 47 The entertaining Adam Spencer, MC of the ASEAN-Australia Codeathon, hosted by AUSTRAC

Episode 36 Artificial Intelligence, Deep Learning & Neural Networks

The always entertaining and intelligent Adam Spencer, MC at the ASEANAustralia Codeathon in Sydney, hosted by AUSTRAC. Adam discusses the importance of regional collaboration, with respect to cyber security, and also how blockchain technologies could help to increase integrity in our daily lives.

Hans Skovgaard, the Vice President of Research & Development with Milestone Systems discusses Artificial Intelligence, it’s changing popularity over the past 30 years, and its resurgence in relation to deep learning, due to the power of today’s computational neural networks

Episode 48 Implications & Opportunities of the European Union’s GDPR and Australia’s NDB scheme

Episode 31 Women in Cyber – Sandra Ragg, Deputy National Cyber Security Adviser within the Department of Home Affairs and Cabinet & Heide Young, National Events Manager, Australian Women in Security Network

David Kemp, Specialist Business Consultant, and Matthew Hanmer, Regional Director Security Software, both from Micro Focus, the 7th largest pure software company in the world, discuss the implications of the European Union’s GDPR, or General Data Protection Regulation, and Australia’s Mandatory Notifiable Data Breach (NDB) scheme.

Episode 45 Insight into MarkLogic’s Secure NoSQL Database Tim Macdermid, VP of Sales for APJ, and Jason Hunter, the CTO of Asia-Pacific, both of MarkLogic talk about the company’s growth, and expansion starting from servicing publishing, public sector, intelligence agencies, and financial services, big and small, as well as its application within cyber security.

Sandra Ragg, Deputy National Cyber Security Adviser within the newly formed Department of Home Affairs and Heide Young, the National Events Manager for the Australian Women in Security Network, or AWSN discuss the role of the AWSN, its rapid growth in membership, future plans of cooperation and initiatives, its role in mentoring women in cyber security, as well as the cultural change required to increase the percentage of women in cyber security, but also the importance of inclusion of women, not just diversity for diversity’s sake.

Episode 30 CISO Insights – Narelle Devine, Chief Information Security Officer – Australian Department of Human Services

Episode 22 Analyst Insights – Enterprise cyber security market & China’s citizen score card with cyber regulations

Narelle Devine, Chief Information Security Officer for the Department of Human Services discusses the difficulty in going out to market to find talent in cyber security, and how it takes ‘all sorts’ with a broad experience to build a strong cyber security team. The interview also discuss her role as a CISO and the importance of developing a peer-to-peer network to generate solutions and collaborate on ideas.or General Data Protection Regulation, and Australia’s Mandatory Notifiable Data Breach (NDB) scheme.

Claudio Stahnke, Research Analyst focused on IT security with Canalys, recorded at the Canalys Channels Forum, 5-7 December, 2017 in Perth discusses the enterprise cyber security market in general, the EU’s General Data Protection Regulation, or GDPR, as well as mandatory reporting on security breaches, cyber insurance, vendor mergers, IoT predictions, and China’s citizen score card (Social Credit System) and their cyber regulations.

www.australiancybersecuritymagazine.com.au 8 | Australian Security Magazine

Cyber Security

W O N

S G A E E-M

T U O

N I L N O

THE

VERN

G GO

EADIN

’S L NTRY COU

e s in th try Trend logy indus o n h c e t d

fine are de Softw ing th every RIT

IN AZ

SIO

ous

onom

sics

l foren

Digita

n tio uta p e r ur t yoeach c e r t Pro er a b aft ncy rre u c pto ity Cry ecur ain s kch ent c In o l m m B age reu Man e h Et ntity ple Ide peority? e k u c ta we T Se Cant of Io ou $8.95

INC. GS

curity

maga

zine.c

om.a

Feb /

March

2018

e 4,

S RATE ORPO

Issu

F RO

U t ECf au So IONe RTis s MA R le O vehic INF IAN

anse

sa nge a e u te cha Clima security iss S l a n io nat he sing t p THE Clo a REG g ls IO il kN urity s ’S LEADING c e S r GOV .au Cybe ERN om MEN e.c T AN Cybe azin DC n a ag ORP g m in r t s ORA a e ity e r r c ag u TE S C o u M c f 201 c rity T orld – ECU Se r rse e e RITY w 8 r yb e yb e tC n c c s MAG n d n u s e s m lia ig @A AZIN ll a te r e s t y S in E | ust e a n . to www 8 w s 1 e 0 il 2 .asia ww pac MIPS The s M ifics ecu tate ncr ritym o i of m aga t y p zine a t a o h c .com l m i c c fi i i n ous rity ing ti rea n o S u m c n b e o a S i r t h ou cat t Pho in l n c a e n o m a Wo l: Pers ver Cont nes as Ac Bre st ab notifi Altern pecia li rol C poweanadtive pa S iration to de rity rede cess t ju ’ n ntial is secu d nby yinmspents tre orew s c B e Trend lockc Sp eltd s h a i n i n M the t i n d Dark ustry ec d – op hnology b, bri Anon WeH por ymit yTosr i&cs s c ale & tunity, yren Chin o F a AGAZ

ITY M

ECUR

ND NT A

INE

ali .austr www

000032

ed PP1

t Approv

Print Pos

201

READ NOW

ost e m ster h t e o is ve t m? Wh ensi e roo h ff o in t

Auto

nom The Rise ous V ehicl of es

echtim ty | T

CA YBERH T SECURIT A C Y TREND D EA S R B Wome

INC.

2018

Intel Creating ligen a t Wo n rld

$8.95

/ April

ecuri n in S

READ NOW

GST

READ NOW

March

2F O0C1U S 8 R BE

PLUS

Wom en

in Se

curit

y | T echt im

www.australiancybersecuritymagazine.com.au Australian Security Magazine | 9

Frontline

Mounted security and mounted first responders

A By Scott Taylor CPP

10 | Australian Security Magazine

s a security consultant I'm often asked to attend various sites and also to test various types of security related equipment to give my thoughts on its suitability and effectiveness. The type of work we do is quite varied, and no two weeks are the same. When I was first approached by Lisa from “Mounted Security” to attend their premises and give my thoughts on their scope of services, I was a little apprehensive on a number of fronts. The first of those being whether this visit was going to culminate with me riding one of the large Clydesdales that I had seen in the initial images that I have been forwarded and the second point being my thoughts on the industry level of acceptance for what is a relatively untried and untested resource. There were also multiple considerations that I wished to investigate with the visit. Some relating to the selection of the personnel, the selection and training of the horses, questions regarding the deployment logistics response methodology, animal welfare and a number of other related elements. On arriving at the premises, (a 5 acre facility in northwest Sydney, equipped with a large Barn consisting of seven rubber lined stalls, multiple paddocks and a riding arena) I could see the property was well equipped for this type of unit to operate from. Lisa was quite forthcoming with information regarding the recruitment and vetting protocols in place for the selection of the mounted unit riders. The personnel obviously had to be carefully selected for their ability to competently ride and their personnel have a broad and colourful history of horse related roles such as track work riders, vet nurses, stunt doubles and competition riders. Additionally, all personnel had qualifications, licenses and diverse backgrounds in both security and law enforcement.

But that was only half of the recruitment pool. The horses also had to be uniquely selected to both the temperament and ability to cope with a variety of situations in unique environments. The horses undergo a range of continuous training involving scenario situations relating to crowds, traffic, unique landscapes as well as a range of other elements such as loud noises from fireworks. the horses are also trained to disregard normal noises, activities and physical contact. I asked Lisa some specific questions regarding the manoeuvrability, stability and response range of the units to which Lisa replied “we can cover off more of those specifics with the practical demonstration which you can witness first hand” which further reiterated my first concern. Upon arriving to the stable area, I was first greeted by what could only be described as incredibly large equine that was quite professionally attired in hi-vis security -related signage. Whilst this is not a sight you see every day, the first item that caught my interest was the Oxy Viva and semiautomatic defibrillator that was mounted on the horse’s back. The first-aid capabilities of this mounted unit were further enhanced by an advanced first-aid kit, communications equipment and crime scene preservation kits. Although this horse was designated as a mobile first responder, I can validate that it's overt presence would clearly serve as a highlevel visual deterrent to antisocial crime and poor behaviour. It was now time for some practical demonstrations. A number of the mounted security team were mustered in an open arena type area. The first scenario demonstration was escorting a VIP through a crowded foot traffic area. The mounted units moved briskly into place and were surprisingly quite efficient at positioning and maintaining the safety of the designated VIP through the group of people provided for the demonstration. This same response could just as easily

Frontline

have been utilised to escort a paramedic through to a serious incident in a crowd dense area. Due to the height of the mounted units, they have enhanced visibility over crowd dynamics and are therefore able to monitor and adjust accordingly. In practical terms, a mobile security operative has the vision set at a level of approximately 6 feet off the ground, however with the mounted units it is elevated to 10 feet above. I must add that even when the unit encountered slightly more stubborn resistance, the continued movement coupled with communication was extremely effective in clearing the needed path. The additional benefit of the height of these units will allow people in a broader area to help see the mounted security officers which will help people find security personnel when they need them. Therefore, the mounted units can see and be seen over cars, shrubbery, fences and other obstacles that standard security personnel cannot, in addition to offering a reassuring presence. The next demonstration was with regards to crowd control. Due to the imposing mobile mass and height advantage of the units, I was confident that they would be able to physically assist with crowd related duties, but I was keen to see how effective they would be with a mobile antagonist. From watching this demonstration play out, it was evident that the mounted units were more agile and

physically responsive than I had imagined. They were able to turn quite rapidly and maintain effective marshalling without making forcible physical contact with the antagonist. The combination of two mounted units was extremely effective in providing a mobile physical barrier of containment that could easily point be supported with conventional security personnel. To put it in layman's terms, should the situation escalate the mounted units can in effect “sandwich” the antagonist between both mounted units. Whilst I did not seek a demonstration of the long-range capabilities of the units, I am confident in their ability to cover broad areas with differing terrain and large distances in an effective manner. The final element of the practical component of the visit was for me to have a hands-on, or more specifically buttocks on experience with one of these units. whilst I have stated above that the personnel's visibility level is approximately 10 feet, I must say that it seemed personally much higher than that. My experience riding horses and the equines I have shared that experience with in the past were substantially smaller than the towering beast I found myself upon. What I found most surprising during this riding experience (aside from my greatly elevated heart rate) was the fact that Lisa is able to give directions to the horses by hand signals rather than just verbal or leg and seat aids. With regards to the use of mounted units and mounted first responders, there are obviously additional logistics considerations that needs to be taken into account. Additional space for car parking, animal welfare and space for the engagement/disengagement of the units needs to be factored in and there is the additional element of defecation that needs to be mentioned as it was probably on your radar as you read this article. From reviewing the capabilities and suitability of the use of the Mounted Units and First Responder Units, I believe these high profile, well-equipped “all-terrain” environmentally friendly, living vehicles can enhance the security response of both large open areas and relatively crowd dense spaces alike. The improved first aid capabilities of the mounted first responders can provide rapid care and assistance in areas of larger events or isolated areas that would take substantially more time for common practice first-aid support to reach. When those capabilities are coupled with their crowd management capabilities and are supported by clear operating procedures clarifying the totality of their duties and also specifically confirming the inter relation of their duties with the other engaged security resources, it is my opinion that they can play a valuable role in enhancing both security and safety. About the Author Scott has worked across the gamut of the security, safety and risk industry over the past 24 years. He is a court and tribunal recognised security, and risk expert and has consulted and lectured through the Middle East and USA and has and worked with industry regulators and industry across all Australian States and Territories spanning the spectrum of security and risk as well as all industry verticals. He is a former Chapter Chairman of ASIS NSW and former member of the NSW Police SLED Advisory Council”

Australian Security Magazine | 11

National

Connection, not Collection The Essence of Lesson and Knowledge Management in Western Australia’s Emergency Management Sector.

An adapted article from a research thesis.

T By Chas Capewell

here has been steady improvement toward understanding the value of knowledge through lessons in Australia’s Emergency Management sector, particularly since the National Strategy for Disaster Resilience (Department of the Attorney-General, 2011) highlighted that emergency service organisations must focus on a sector-wide attitude to knowledge sharing. Smith and Elliot’s (2007) argument however, is that any useable post-event information still fails to be properly integrated for it to work and for any length of time. So, the question is if the lessons-learned approach is the way forward, how it is implemented for emergency management agencies to comprehend it? Smith and Elliot’s argument is that although organisations must learn from previous events if they wish to be successful in the future, they must do more to practice information sharing, reflect on learned and acquired knowledge to become valuable in an operational environment full of uncertainty. Study Background Lesson and knowledge management is not a new concept in the emergency management domain. Prince’s (1920) examined the lead up and response to the 1917 Halifax explosion and outlined preparedness stages to ensure such events would not reoccur. This highlights a pioneering

12 | Australian Security Magazine

example into preparedness using lessons-learned (Perrow, 1967). In examining Princes work, Rostis (2007) concluded that lessons must motivate change, or at minimum, adaptation, to ensure repeated oversights do not reoccur. Nevertheless, research continually highlights that emergency management agencies are yet to be as effective as they could be given their operational tempo demands adaptability to changing situations. Torlak (2004) stressed that a critical aspect of staying ahead in such environments, is for agencies to be cognizant of generating a workplace committed to learning and as Edmondson, Gino and Garvin (2008) explain, a competent learning organisation is particularly savvy across two critical skill sets. First, their aptitude to acquire, interpret, share and retain information and second, their ability to adjust their organisational mindset to this new information. Argyris and Schön (1978) and Senge (2003) suggest that if agencies commit to a culture of learning, then decision makers and leaders build the ability to grow individual and operational capabilities through knowledge retention and integration. Study Significance This study examined the barriers to effective lesson and knowledge integration from previous inquiries to potentially advance the capability of emergency management in Western

National

'Uncoordinated response and recovery, specifically those events requiring a multi-agency approach to larger scale incidents were related to an inability to extract and learn from previous experiences to enhance preparedness.'

Australia. By identifying persistent challenges and the means to overcome them, agencies may be better attuned at addressing events in the prevention phase. However, preparedness requires considering why lessons remain unresolved and how as a sector, emergency management may adapt processes to enhance behavioural transformation. Method The study employed a two-phase design through a literature critique of lesson and knowledge management categories to identify the key aspects for knowledge implementation emergency management agencies require. This assisted in developing the semi-structured interviews with Western Australian emergency management agency personnel who were drawn from the areas of risk, capability, impact, engagement, governance and support. Both phases were interpreted and analysed by integrating the literature and interviews to understand how learned lessons can be more efficiently synthesised and integrated into existing emergency management knowledge structures. Phase One Findings There was limited works relative to lessons and knowledge integration for emergency management within Western

Australia. Nevertheless, recent inquiries, such as the Waroona Fire Special Inquiry examined the efficacy of Keelty 1, A Shared Responsibility – Report of the Perth Hills Bushfire and Keelty 2, Appreciating the Risk – Report of the Special Inquiry into the Margaret River Bushfire. The first Keelty report examined emergency management operations surrounding the Roleystone-Kelmscott fires and subsequently produced fifty-five recommendations and improvement opportunities covering agency policy, statutory improvements, interagency and intergovernmental integration. Many recommendations faced an uncertain future as agencies argued that unrealistic timeframes and the number of recommendations expected to meet are unachievable. It was further noted that fire management operates within one of the most complex legislative frameworks that currently exist. While primary guidelines regarding fire (bush) is contained within the Bush Fires Act 1954, it converges with the Fire Brigades Act 1942 and the Fire and Emergency Services Authority of Western Australia Act 1984. (State Law Publisher, 2015). These three Acts not only articulate the different response required, but land ownership also dictates the responding agency. Keelty 2 revealed that some inroads were made towards improving sector-wide collaboration. However, effort was still required by state-level emergency management toward response capability and operations, of note was the assessment of one agencies decision to conduct prescribed burnings. The report noted a lack of communicating and consulting of risks surrounding the burn to other agencies, furthermore, those charged with pre-planning the burn did not account for the risks of a fire escape (Keelty, 2012). Criticism was further levelled at the continued omission and exclusion of volunteerbased agencies and local knowledge. For example, when community members became aware of the fires, they did not call authorities as a heavy presence of fire agency personnel were in the area and assumed the burn was under control. However, communities did not know that it was an escaped fire. Those volunteers monitoring fire agency communications decided to mobilise and directly engage the fires on their own accord. Keelty 2 (2012) found this was a failure in communicating event severity and a lack of using local knowledge, revealing that most decisions were based on agency culture, referred to as ‘bias for action’ (Keelty, 2012, pp. 64). It was noted this culture was accountable for not fully appreciating the risks associated with the fire, citing

Australian Security Magazine | 13

National

that this approach was inhibiting agency decision making and demoralising agency personnel. The report noted, such a culture made others (personnel) in the agency “with less stronger personalities more difficult to question the actions of those in leadership positions”. (Keelty, 2012. p. 64). The Waroona Inquiry claimed that Western Australian emergency management must move from response and recovery to prevention and preparedness by reinvesting in education and training of local communities and agencies, as the inquiry highlighted the continual oversight rural fire services. Ferguson (2016) discovered that several recommended treatments against identified threats emerging from Keelty’s reports had not been fully implemented, either operationally or within governance procedures. Fire agencies received criticisms for absences of structured procedures to capture lessons for improvement opportunities through their Integrated Planning and Reporting System (IPRS), a system specifically designed to synthesise post-event data to produce learning material. (Ferguson, 2016, p. 45). The inquiry stressed that agency transparency, oversight and accountability would benefit from the establishment of an independent governing body to ensure recommendations have been implemented and understood, to avoid what was described as “counting recommendations completed” (Ferguson, 2016, p. 46). Phase 2 Findings The emergency management literature supported the view that there are profound cognitive, social, and organisational barriers preventing emergency management agencies from learning as effectively as they could (Thompson, 2012). Likewise, participants highlighted that the agency directly responsible for the hazard do not reflect past their own remit and while participants agreed that agencies work well together in principle, it was clear that a significant barrier is a commitment to sharing. Although it was discovered Western Australian agencies want to learn, it was evident that a significant barrier inhibits long-term and sustainable commitment to sharing. Agency culture and leadership. This translated into missed opportunities for sector improvement, a widely held view by participants who associated this as a lack of agency transparency and accountability, a factor whether collaboration occurred. Milton (2009) stated that leadership must encourage, apply and ensure lesson management and collaboration is a priority within an agency doctrine, Meyer (1982) and Levitt and March (1988) add that organisations learn by interpreting not only their past but those from others. These methods capture the practical lessons, making them available to those who have not lived through such history as some agencies were viewed as open to change and collaboration. Of those agencies, they received minimal attention with recommendations, particularly lesson sharing and knowledge integration. However, some problems were reported to be self-inflicted, as some agencies do not appear to place any sense of priority toward seeking out improvements, inferring that culture has a significant impact on what has been discovered. Furthermore, the study identified that a satisfactory model does not exist for Western Australia, or, a system to address agency lesson and knowledge retention.

14 | Australian Security Magazine

Interpretation The barriers to lesson and knowledge integration encompass a lack of sharing and understanding of both individual and sector-wide responsibilities. Of which, trust is a critical component. Additionally, there was a need for strengthened, multi-organisationally aligned, clear strategies from inquiry recommendations, mainly from the view of Ferguson (2016) who supported improvements across the operational structure of Western Australia’s emergency management sector. The report commented, “there is still significant work to be done to have a true multi-agency, pre-formed, incident management teams” (Emergency Preparedness Report, 2016, p. 92). Uncoordinated response and recovery, specifically those events requiring a multi-agency approach to larger scale incidents were related to an inability to extract and learn from previous experiences to enhance preparedness. This was highlighted within Keelty (2011) and Ferguson (2016) reports, stating that failing to learn from the past translated into overlooked opportunities for future capability. The challenge however, is how to establish a common framework that appeals to Western Australia’s sector. Consequently, the lack of guidelines, particularly for sector-wide preparedness has resulted in suppression tactics, rather than anticipation strategies and missed opportunities impact the ability to learn from previous experiences. Conclusion Keelty (2011) summed it up when he stated that a shared responsibility must shift to a shared resilience and it was clear that culture influences an agency and how it impacts on what manner they analyse, build and collaboratively share knowledge. This may provide an explanation as to why agencies wrestle with understanding the value of lesson and knowledge sharing strategies. Although there is a widespread willingness to learn, siloes still exist and will remain to do so if agencies continue developing their own distinct methods, impacting on sharing. Yet for any recommendation to be achievable, they must focus on areas which have the best opportunities to survive and prosper. About the Author Chas Capewell BSc(Security)Hons AFAIM MAIPIO: JLL WA Precinct Security Manager for the Government of Western Australia Dumas Precinct. Responsible for all aspects of security and serves as the expert advisor in the development, implementation and maintenance of physical protection systems, continuity management and systems resilience.

INNO VATE

Cyber Security

HOW ARE YOU MANAGING YOUR CYBER RISK? Attend the most comprehensive cyber conference in Australia! Participate in business tracks free of technical language, hear from international thought leaders in cyber and engage in workshops and training to equip you with a better understanding of how you can manage this risk.

Register now at cyberconference.com.au From only $275 Save up to $825 on conference fees by becoming an AISA member today and access the many benefits received by our membership network

OCT 9-11

2018

AUSTRALIAN CYBER CONFERENCE

BROUGHT TO YOU BY

aisa.org.au Australian Security Magazine | 15

Frontline

Judicial performance management - fact or fiction?

A By Terry Flanders CPP

16 | Australian Security Magazine

ll stories need a setting. Our story involves the organisational management practices of the NSW Police. When I was a boy, stories started with “Once upon a time…”. Nowadays, it seems that in the context of this subject, police stories begin with, “So help me God”. Performance management as applied by businesses now, evolved from performance appraisal practices that retrospectively compared individual worker’s traits (worth or value) with criteria set by the organisation. Early iterations of performance appraisal denied the worker the right of appeal. Over time, workers were able to offer feedback and appeal against a poor performance rating. Business practices now set metrics to evaluate worker alignment to business strategic objectives or tactical goals. Metrics can relate to enterprise, regional, site or task management expectations. If you can’t measure it, you can’t manage it. The current system is intended to acknowledge that workers add value to an organisation. So, performance appraisal evolved into performance management, an accepted way in which to mentor, coach and improve the human asset in line with management expectations. Almost sounds to good to be true. Performance management is not all about happy endings. Like all tools used by people, performance management has a dark side.

In the real world, a butter knife can be used as an offensive weapon, so can performance management. The dark side of performance management can also activate other management processes like investigations, the disciplinary system and of course, to be fair and just, the appeal system. When used unethically to achieve management objectives or objectives that are not necessarily the objectives of the organisation; performance management can cause psychological harm and even death. Suicides and murder can be linked to poor performance management outcomes as they place workers, who are the subject of the process, under greater stress. Australian Courts are filled with cases of litigants who have successfully sued their employer for unfair dismissal after being performance managed out of their job at work. Like the butter knife, it is the operator of the performance management system who determines how that system will be applied in any given situation. Our story, so far, relates only to performance management within commercial or not for profit workplaces. Our story does not relate to the performance management system that is operating within the NSW Police. Sure, the police have all the industrial protocols in place you would expect from a government department, but the police also have the power to

Frontline

'"..there were many opportunities for police managers to intercede on Steve’s behalf. They did not. The effect was that Steve was caught in a procedural machine that did not recognise his value as an employee or as a person. A machine that used the judicial system as a performance management tool."

supercharge the dark side of performance management with the use of a judicial enhancements. Police can charge other police with crimes investigated by…other police. Being charged with a criminal offence usually removes the police officer from the operational policing environment until the criminal matter is finalised. Once finalised police managers, no matter the outcome of a criminal hearing, can seek to have the police officer removed from the Police Force. Again, this process if appealed, includes going back to Court. Now, I’m not suggesting that police engaged in criminal activity should not be investigated and prosecuted, if the evidence supports a criminal charge or complaint. What about circumstances where the evidence does not support the complaint and judges hearing matters use terms like unfair, unjust and harsh when describing the actions of police? You would think that police managers would change their practices to a system that was fair and just. Like preprogramed machines, Police managers continue to engage in the same apparently unfair, unjust and harsh treatment of other police. Let’s look at one example. “Steve’ (not real name) was a sergeant who had spent the last 25 years working in a high-risk section of the NSW Police. At work Steve not

only saved lives on a regular basis, but Steve had to deal with death. Steve’s relationship started to suffer. He was transferred to general duties police work and he started drinking. Steve was diagnosed with post-traumatic stress disorder (PTSD) but he kept soldering on. Alcohol didn’t help and as Steve spiralled out of control his behaviour on and off-duty became aggressive. Later he assaulted another officer at work. Although there were a number of pre-cursor warning signs that existed before the assault, it wasn’t until after the assault that police managers acted. Evaluating Steve’s actions against expected ethical conduct, those managers found that Steve was performing below expected standards. Instead of being offered support and counselling, Steve was charged criminally with assault but was not convicted due to his previous diagnosis of PTSD and Steve’s past exemplary work history. The police performance management system undaunted by this first failure moved on, like the machine it can be. Having used the judicial system to performance manage Steve once, police managers tried again. Steve was now subject to a Section 181D application by police managers. A Section 181D application under the Police Act initiates a process whereby the Commissioner (or his Deputy) finds that the Commissioner has lost confidence in a police officer and seeks to have that officer removed. On receipt of a 181D determination, an officer has 21 days within which to make a written appeal. If this appeal is rejected by the Commissioner a further appeal to the Industrial Relations Commission (IRC) can overturn the Commissioner’s decision. If the appeal to the IRC is not made, a pre-set termination of employment date comes into effect and the officer is removed from the workplace. I’d like to tell you that Steve appealed to the IRC and just like 80% of similar matters involving PTSD sufferers, was successful in his appeal. In these other matters Judges at the IRC when granting an appeal, often described the Police submission as unfair, unjust or harsh. In Steve’s case this is not what happened. Steve took his own life. Steve’s story is an amalgam of separate incidents that when viewed collectively form a disturbing pattern of behaviour. A pattern that has either been overlooked or is being ignored by police managers responsible for the practice

Australian Security Magazine | 17

Frontline

of judicial performance management. In Steve’s story, there were many opportunities for police managers to intercede on Steve’s behalf. They did not. The effect was that Steve was caught in a procedural machine that did not recognise his value as an employee or as a person. A machine that used the judicial system as a performance management tool. Judicial performance management seems to be a costeffective way for police to abrogate their industrial relations responsibilities. The argument against this view is that police officers, because of their position in society need to be held at a higher standard than others. I believe that statement is true when the police officer who is subject of a complaint is of sound mind. Another argument that is thrown around to support the practice is that police managers ‘must be seen to be doing the right thing’. This argument carries no weight, in my opinion, when the officer subject of the complaint is psychologically unwell. What can be seen is that the police management system is causing additional harm to officers who do not have the capacity to protect themselves. If there was any doubt that operational police work can cause stress that doubt was put aside by the Administrative Appeals Tribunal in a 2006 decision that found that operational policing was more stressful than active military service. Up to this point our story has been concerned with police officers that were allegedly engaged in acts that were, if not criminal, then could be considered misconduct. One common theme in these cases is that the actions of police were reported and investigated. Collected evidence led police managers to activate the judicial arm of their performance management processes. However, there is another category where judicial tools are used to enhance the dark side of performance management. Police can also apply to Judges for electronic surveillance tools like, telephone intercepts and listening devices. All tools that a human resources manager in the corporate world would love to have at their disposal. This second category includes matters where there is a suspicion of misconduct or criminality and the evidence is not sufficient to support a criminal charge or complaint. An example of judicial performance management that falls within this category is Operation Mascot. Operation Mascot which ran between 1999 to 2001 saw 113 police being electronically monitored as part of an investigation which, at the end, was apparently a waste of time and money. If there had been a legitimate reason for commencing Operation Mascot that reason diminished over time as the operation continued. In other words, insufficient evidence was collected to support a criminal or procedural complaint. Why would police use judicial performance management? The obvious answer is because they can. No, I’m not being facetious. This type of activity was identified during the Wood Royal Commission back in 1996. The Royal Commissions found that police were engaging in practices described as ‘process corruption’. Among other activities, process corruption included police ‘gilding the evidence to present a better case’. In other words, police tailored evidence to secure convictions.

18 | Australian Security Magazine

Why would police use judicial performance management? The obvious answer is because they can. No, I’m not being facetious. This type of activity was identified during the Wood Royal Commission back in 1996. I leave it up to your imagination as to how police would ‘gild’ evidence, but the more important point is, if police gilded evidence in criminal matters, would they gild evidence in procedural matters? The answer to this question is also up to you to decide, but before you do, consider this information. The ‘Mission’ of the NSW Police is to work with the community to reduce violence crime and fear according to Section 6 of the Police Act. Yet, counter-intuitively judicial performance management may be behind at least 3 police suicides and may have caused incalculable harm to other police and their families by causing a culture of fear and self-harm (violence). Section 6 has more to offer as it includes the following statement regarding the ‘functions’ of the NSW police. In effect police are instructed by law “to do anything for, or incidental to, the exercise of its functions”. (http://classic. austlii.edu.au/au/legis/nsw/consol_act/pa199075/s6.html ) If you haven’t noticed, this section of the Police Act does not constrain police by including a phrase like ‘… to do anything (within the law) …’. The very concept of judicial performance management suggests that police are prepared to push the factual boundaries up to and possibly beyond the expectations of the law and what we as part of the community would find fair, just and reasonable. Is this ‘gilding’ the evidence? The pattern of behaviour disclosed by judicial performance management shows that the police disciplinary system is not a safe system of work. The difference between a procedurally unsafe system of work and an unsafe machine in a workplace is the time it takes to harm someone. If you owned a business and you had a machine that injured or killed workers, the police would be there to investigate. If the police operate a system that injures and kills workers, who investigates the police system? At the time of writing, police officers who complain about misconduct of other police officers will most likely have those complaints investigated internally…by other police working for the police. As police are public servants they are exempt from the Fair Work Commission. The Police Integrity Commission, the NSW Ombudsman and the NSW Crime Commission no longer action complaints about police misconduct. A new entity, the Law Enforcement Conduct Commission (LECC) commenced in June 2017 and was formed to investigate serious police misconduct issues. Based on an article from The Guardian on 14 March 2018, the LECC is already in trouble. Understaffed and under resourced the LECC is not able to function in the way

Frontline

it was intended. (https://www.theguardian.com/australianews/2018/mar/14/nsw-police-watchdog-says-cuts-forcedit-to-ignore-misconduct-complaints ) Police managers seem to have lost sight of the big picture view. By focusing on each separate case and treating them all individually, the cumulative negative effect of judicial performance management has been overlooked. That effect ripples back through the police lowering moral, silencing honest police and tacitly support corrupt practices. In many respects it’s like studying individual raindrops and not seeing the damage caused by the looming flood waters. With no properly resourced external agency to independently investigate complaints of police misconduct, police investigate complaints against police, even when those complaints are made by other police. This is a closed system and a closed system is one that cannot be sustained, it can only become corrupt. We expect a lot from our police and other emergency service workers. The NSW Police along with the Police Association NSW are trying, but it may be a case of too little too late. It is hard to change a poor safety culture that supports unsafe systems of work if those unsafe systems are blindly followed under the mantra of ‘this is how we do things here”. Senior executives have to recognise there is a problem before they can change work practices. Emergency service workers are the most likely work group to suffer mental health issues according to one 2015

report. Judicial performance management and ‘gilding’ evidence needs to stop. Proactive measures including peer support with an officer monitoring system that can identify early signs of psychological ill-health need to be introduced and promoted. In order for police to look after us; police have to first start looking after themselves. Fact or fiction, there are no happy endings to this apparently never-ending story. About the Author Terry Flanders is a former NSW Police Detective Sergeant, a trained criminal investigator and surveillance operative. Leaving the police in 1999, he operates his own company (Investigation Systems) and is a Certified Protection Professional (CPP) and member of ASIS, as well as being a Certified Generalist OHS Professional (CGOHSP) and Fellow, with the Safety Institute of Australia.

Advocacy. Community. Integrity. Join the Australian Institute of Professional Intelligence Officers today

Intelligence can provide exciting career pathways across many different agencies and sectors — but isn’t it good to know you’re part of a bigger national and global community? The Australian Institute of Professional Intelligence Officers (AIPIO) provides this community, together with a wide range of membership benefits. Our membership is drawn from a diverse range of intelligence domains, including:

NATIONAL SECURITY

DEFENCE

BUSINESS

ACADEMIA

LAW ENFORCEMENT

REGULATION

BANKING & FINANCE

INTEGRITY COMMISSIONS

As the peak professional body for intelligence professionals, AIPIO is committed to: Connecting members across intelligence communities and encouraging cross-domain collaboration

Supporting and representing intelligence professionals throughout their career lifetime

Sharing cutting edge and emerging global intelligence practices and enabling technologies

Encouraging cross-domain collaboration on broad intelligence topics such as cyber and big data

Do something positive for yourself and your career – join AIPIO today.

aipio.asn.au

Australian Security Magazine | 19

Frontline

Beware of the Black Swans

N By Jane Lo Singapore Correspondent

assim Nicholas Taleb’s “The Black Swan: The Impact of the Highly Improbable” appeared in 2007, during the year when the Dow Jones Industrial Average index peaked at 14,164. Topping the New York Times bestseller list for weeks, Nassim Taleb’s argument that banks and trading firms were vulnerable to improbable events and exposed to losses beyond predictions modelled on standard scenarios, was however taken to be an academic one. That was, until the Global Financial Crisis imploded a year later. The collapse of Lehman Brothers, one of the oldest and largest investment banks on Wall Street; Merrill Lynch, another which verged on bankruptcy; and an incessant string of banking bail-out announcements by governments on both sides of the Atlantic sent global markets plummeting and into a period of extreme volatility. “Black Swan”, a term that describes impossibility, is derived from the presumption that 'all swans must be white', until the discovery of black swans in Australia. The Great Financial Crisis hit home the lesson that “Black Swan”- rare, unexpected but highly significant events - are much more common than we think.

20 | Australian Security Magazine

The Cyber-Physical attack on Prykarpattya Oblenergo power plant in Western Ukraine, the first cyber-physical attack since Stuxnet degraded Iran’s uranium processing capability in 2010, was an unexpected but highly significant event. At the Safety Case Symposium 2018 held in the Singapore Institute of Technology (14th March 2018, partnered with TÜV Rheinland, SITLEARN, Singapore Standards Council), with 200+ delegates from more than 10 countries, we sat down with Mike Bates (Principal Consultant, Risktec, TÜV Rheinland), to chat about risks and Black Swans in the critical infrastructure sectors. What were some major accidents in the past? There was the 2005 explosion at the third largest refinery in the US – the BP’s Texas City Refinery, triggered by the ignition of a hydrocarbon vapor cloud, killing 15 workers, injuring more than 180. In Singapore, there was the fire at Shell’s refinery off the mainland at Pulau Bukom in 2011, which began near pipelines carrying petroleum products, and took more than 100 firefighters 32 hours to extinguish. In the UK, the one that lead to the introduction of

Frontline

Safety Case Symposium 2018 held in the Singapore Institute of Technology. Photo credit: Safety Case Symposium 2018.

Mike Bates (Principal Consultant, Risktec, TÜV Rheinland) at the Safety Case Symposium 2018 held in the Singapore Institute of Technology (14th March 2018). Photo credit: TÜV Rheinland

offshore safety case was the 1988 explosion and fire of the Piper Alpha platform in UK North Sea, killing 167 of 226 men onboard. Several recommendations included best practices for operational safety - clear shift handovers, adequate safety and evacuation training, operational firewater system, timeliness of management decisions. Recommendations from this incident also formed useful guidelines for other countries when drafting their own regulations. In today’s world, what does it mean to ensure safety of a modern industrial control system? Digital transformation across the industrial and OT sector means no one process or a piece of hardware is considered completely “safe” in an always-on, connected nvironment. Functional safety and cybersecurity are now inextricably linked in modern plant and process control systems. A plant that meets the necessary functional technical safety design requirement could be compromised by a cyberattack impacting its safety integrity level. Embracing Industry 4.0 means embracing the challenge of both safety and cybersecurity risks. So, in Singapore, you have the Singapore Cybersecurity Bill that was recently passed, requiring critical information

infrastructure owners and operators to take responsibility for securing their systems and networks; while the regulations for Safety Case Regime kicked in last September. What are the obligations under the Safety Case Regime? All Major Hazards Installation (MHI) companies are required to submit a Safety Case. ** MHIs in Singapore comprise petroleum refining, petrochemical manufacturing facilities, chemical processing plants and installations where large quantities of toxic and flammable substances are stored or used .. around 110 in Singapore Fundamental obligations under the regulations to prevent major accidents include identification of hazards and risk that may lead to a major accident, control measures, and how organisational, technical and human factors contribute to safety, and arrangements to rectify identified shortcomings. What are the key concepts for a good safety case? Avoid performing a ‘paper exercise’ and generating reams of documentation that is neither read nor practicable.

Australian Security Magazine | 21

Frontline

Follow a SHAPE approach: S-“Succinct”, H-“Homegrown”, A-“Accessible”, P-“Proportionate”, E-“Easy to Understand”. For example, “Homegrown” means involving staff from different levels of the organization including leadership, middle management, supervisory and ground staff, personnel who understand plant design and operation, staff with expertise in quantitative risk assessment and process hazard analysis, engineers, emergency response team members. By “Proportionate”, we mean the time and effort spent producing a safety case should be proportionate with the risks from the facility. A small plant with high fatality potential may need more effort than a very large facility with low fatality potential. “Beware of Black swans” – does this mean predicting the unpredictable? It is not possible to identify and predict all plausible hazardous scenarios of an Infrastructure Control System where there are multiple interdependencies with millions of possible interlinked chains of events and outcomes. It is more critical to have a crisis management approach to effectively manage the situation, in other words, emergency response and business continuity plans to recover from events. These set out detailed system and flexible resources, appropriate and relevant teams, communication channels to escalate and inform stakeholders, pre-established partnerships including third parties who can work with you to help. Keep the plan up-to-date. Conduct drills, whether is an integrated response drill within the facility or a role-play or desktop exercise, and to attest mutual aid agreement. Simply put, if I were an investor, I would want to know that the company is still running, after an event happen. What are some practical steps? Establish your context and scope of the assessment. Use a recognized framework such as the relevant ISO. Conduct workshops to take an inventory of hazards and risk factors. Involve the right participants, start with what they consider are high risk areas based on their experience. In a refinery for example, high energy materials such as oil and gas present a significant hazard with pressures and temperatures adding to the risk. So, a hazardous scenario could be damage to a live pipework causing loss of containment of these materials which, under specific pressure and temperature conditions, may cause fire or explosion. But how you rate the risk is unique to the environment, for example, depending on your asset’s distance from source of explosion – the nearer you are, the higher the impact for example. Quantifying the risk likelihood and impacts would help rate your risks and design the appropriate safeguards and mitigants. And if you use industry software pre-loaded with scenarios, parameter settings and algorithms – remember that the these may be derived from certain assumptions of laws of physics (e.g .Boyle’s law). So, calibrate these results to your environments. For example, gas and pressure behave differently in a

22 | Australian Security Magazine

'Many industrial major accidents are colloquially described as black swans, when in fact they were entirely foreseeable and preventable...' dessert versus, say, in Jurong Island of Singapore. And the societal impact of an explosion in a dessert is arguably lower given the lower population density. On the other hand, resources to manage the situation is also arguably limited. So, safeguards for the same hazard in two different locations call for different protocols and designs. And of course, the settings need to be tweaked for season (eg. winter or summer). Key things to keep in mind? Your stakeholders extend beyond your company and employees, to suppliers, the neighbors, and ultimately the end-users. What is the contingency plan if power supply is cut off and consumers have no access? Also ensure sensitive information and data are protected and secured when communicating with your client. Manage your physical security risk such as authorized access to facilities. There is also a difference between high-risks from a business continuity perspective, and those from an operational risk perspective. A high dependency on adequate firefighting resources in case of an emergency is an example of a business continuity risk. Whereas a high dependency on the competency of operations staff following the safety procedures is an operational risk. Final Tips? Many industrial major accidents are colloquially described as black swans, when in fact they were entirely foreseeable and preventable - a good place to start is to foster a culture that has a ‘collective mindfulness’ of such risks. So, a safety case could help to foster and formailse a such a culture, and should include all of the above, • • • • •

•

Focus on managing risk Clearly define the scope, and keep within it Focus on what the key users and stakeholders need to know Include ‘workers’ in the development to ensure ownership Present information clearly and concisely – be easy to understand and easy to navigate, minimise repetition, and use up to date, relevant references/supporting information Contain clear and implementable recommendations, either contain or reference an implementation plan

But most importantly, it should be signed by highly senior company personnel to demonstrate commitment from senior management commitment.

App now available on iTunes & Google Play DOWNLOAD NOW!

www.australiancybersecuritymagazine.com.au Australian Security Magazine | 23

Regional Security

Security enhancements from ASEAN-Australia Summit 2018

T With Chris Cubbage Executive Editor

he Australian Prime Minister called it “a new era of engagement with ASEAN” as the first ASEANAustralia Summit was held in Sydney in March. With special meetings and conferences held across the domains of business, industry, economics and security, the region’s leaders and representatives created agreements and MOUs to address an equally wide range of issues. In a security and technology context, there was ASEANAustralia Joint Declaration for Cooperation to Combat International Terrorism, supported by a package of counterterrorism initiatives intended to strengthen regional efforts to counter terrorist activity, assets and funding. This includes technical and regulatory assistance to develop best practice counter-terrorism legislation, and regional dialogues and workshops on topics such as electronic evidence, financial intelligence, and countering online radicalisation. MySecurity Media attended the ASEAN-Australia AUSTRAC Codeathon and interviewed the always entertaining and intelligent Adam Spencer, MC and Chief Innovation Officer Leanne Fry and Director of Innovation, Rajesh Walton. The Codeathon presented six challenges for participants from across the region to solve in 32 hours: 1. Using big data to combat terrorism financing 2. Disrupting money launderers, terrorists and cyber criminals across ASEAN-Australia 3. Exploiting financial data to gain insights into crime and

24 | Australian Security Magazine

terrorism risks 4. Applying artificial intelligence to improve Anti-Money Laundering and Counter-Terrorism Financing (AML/ CTF) compliance and suspicious matter reporting 5. Applying blockchain technologies to improve financial services, AML compliance or secure intelligence sharing 6. Collaboration and knowledge sharing to combat cybercrime, money laundering and terrorism PODCAST interviews are available at www.australiancybersecuritymagazine.com.au

Cyber-physical systems security industry Amongst government, industry and business events, the SME Conference was held with the Australian Prime Minister announcing the ASEAN-Australia Digital Standards, which will aim to build regional regulatory consistency and a framework for Australia and ASEAN countries to cooperate in developing, adopting and using international standards to promoted digital trade and support inclusive economic growth in the region. The CSIRO’s Data61 CEO Adrian Turner also released a study, ‘Sunrise Industries’ which has identified the top seven emerging industries within ASEAN and neighbouring nations that will fuel future regional growth, international collaboration and job creation. Importantly,

Regional Security

of these industries, Cyber-Physical systems security is identified. Adrian Turner stated, “a new class of assets is emerging, ‘Industry utility assets in a cyber-physical world’, with cybersecurity set to be a US$180 billion global market opportunity’. The Sunrise Industries report states, “While cyberphysical systems (i.e. systems which have intertwined software and physical components) are becoming increasingly widespread, they can be vulnerable to hacking, creating new opportunities for the cyber-physical systems security industry. The report aims to inform government and industry on potential future areas for growth – ranging from AI to energy storage – and help decision makers capitalise on opportunities for the region. The report highlights the use of drones, increasing globally, with worldwide revenue from drone production for commercial and personal use growing by 35.5 percent in 2016; similar growth rates are predicted for 2017. In the Asia Pacific region, spending on robotics (including drones) and related services is estimated to rise from $85 billion in 2017 to $210 billion by 2021 – over 70 percent of the global robotics market. The remote piloting of drones is susceptible to outsider interference and attack; as such, as drone use increases, there is growing global interest in drone-related security. (Reference: CSIRO Data61 – Sunrise Industries Report, 2018, p20) This technology and innovation will drive the Cyberphysical systems security industry. This industry will provide protective security for cyber-physical systems, consisting of both software and physical components (e.g. smart grids, autonomous cars and drone fleets). Cyber-physical security is also becoming increasingly important as acts of geopolitical aggression are executed through attacks on cyber-physical systems. Additional security cooperation agreements include: • The ASEAN-Australia Maritime Cooperation package of initiatives to strengthen the protection of regional fish stocks, civil maritime and border protection, maritime domain awareness, and maritime law and its applications. •

•

An ASEAN-Australia Cyber Cooperation will improve joint efforts to harness the opportunities that cyberspace enables, promote peace and stability in cyberspace, and guard against growing threats online. The ASEAN-Australia Postgraduate Defence Scholarships will bring together emerging defence and security leaders from ASEAN countries and Australia; creating an alumni and fostering future cooperation on regional security challenges. ASEAN-Australia Counter-Trafficking will strengthen criminal justice responses and victim rights protection in ASEAN and support the region’s agenda to stamp out trafficking in persons. An ASEAN-Australia Women, Peace and Security dialogue will strengthen cooperation in the areas of peacekeeping, protection of human rights and promotion of gender equality in contributing to stability, peace and security. The Health Security ASEAN Fellows will increase capacity in the region by fostering professional

"While cyber-physical systems (i.e. systems which have intertwined software and physical components) are becoming increasingly widespread, they can be vulnerable to hacking, creating new opportunities for the cyber-physical systems security industry.”

MySecurity Media attended and interviewed the always entertaining and informative Adam Spencer, MC and Chief Innovation Officer Leanne Fry and Direct of Innovation, Rajesh Walton.

Singapore Prime Minister Lee Hsien Loong and Australian Prime minister Malcolm Turnbull presenting at the SME Conference

development of field epidemiologists to address disease outbreaks across the region creating opportunities to build links between our communities so that our region is equipped with a health workforce well placed to prevent and respond to infectious diseases. For a full list and further information on the ASEANAustralia Summit initiatives and outcomes, visit: https://aseanaustralia.pmc.gov.au/asean-australia-specialsummit-initiatives

Australian Security Magazine | 25

Cyber Security

Minister of Home Affairs, the Hon Peter Dutton MP addressing ACSC Conference 2018

ASD sets out to ‘comprehensively understand the cyber threat to Australia’: ACSC Conference 2018

D With Chris Cubbage Executive Editor

26 | Australian Security Magazine

espite opening statements by the Minister of Home Affairs, the Hon Peter Dutton MP to the Australian Cyber Security Centre Conference 2018, held 10-12 April in Canberra, the Shadow Assistant Minister for Cyber Security and Defence, Gai Brodtmann MP highlighted Australians need to develop the same attitude to cybersecurity as we impose water-safety on our beaches. Dutton outlined the diverse range of government initiatives including new Critical Infrastructure legislation, foreign espionage legislation, new departmental structures and addressing the scale of the cyber security problem, in terms of cyber bulling, child exploitation and now impacts on the small business sector. However, Brodtmann proposed, “I don’t get a sense we are working towards a common goal. What is Australia’s mission in the context of cybersecurity?” In terms of water-safety, Brodtmann referred to ‘slip slop slap’ and ‘swim between the flags’. “What is the key message for cybersecurity?”, she asked. The government and opposition understand that cybersecurity is everyone’s responsibility, Brodtmann said, “We need to address, in light of all the changes going on, a range of challenges that still prevail in our ecosystem, and that begins with Government. I’ve been calling on the government to take the cybersecurity of government agencies seriously since the release of the 2014 ANAO audit and Cyber Resilience Report, when no agencies were found to

be compliant. In the follow up audit, only one government agency was found by the ANAO to be compliant with security standards. Government agencies should be the standard that others in the community measure themselves. Frankly, we have got to do better on the government agency front. We have to get our house in order.” “This is a whole of community issue and we need a national education campaign”, she said, suggesting ‘patch and backup’ is a suitable message. Brodtmann also claimed, “We need one point of truth. There is no clear ‘go to’ in Australia.” With Australia reported to be short of up to 19,000 cybersecurity professionals, as well as needing diversity in skills, Brodtmann asked what the Government’s key performance indicators were and asked how do we know we are succeeding in this space. “We need to get industry and government working together to address these issues,” she said. Mike Burgess, Director-General Designate of the Australian Signals Directorate, who commenced in January, reiterated cybersecurity is global problem and that the successful identification and management of cyber risk across the community, business and government is critically important, referring to the 2017 Independent Intelligence Review which recognised this and the requirement to have a seamless connection between the ACSC and the ASD. In March, the Intelligence Services amendment, the establishment of the Australian Signals Directorate Bill was

Cyber Security

passed by Parliament. Outlining his priorities for the next 12 to 18 months and his new role, Burgess said, “We will establish a seamless integration between the ASD and Australian Cyber Security Centre and from July 1 this year, the ACSC will become part of ASD, including staff from CERT Australia and small contingent from the DTA. “Absolutely certain”, said Burgess, “the collaborative protentional will increase as a result of this but you will also see a change of emphasis and span of engagement will be changed. The new legislation introduced two key changes in this regard. First ASD’s advice and proactive assistance remit on cybersecurity is now expanded to include community, business and Government and the legislation also included a new function to combat cyber enabled crime. The ambition and expectation of the Ministers is high”, confirmed Burgess. In the context of cyber enabled crime, this includes pure play cybercrime, that is hacking for criminal purposes. This also includes nation state actors, as well as, cyber enabled serious crime. Combatting cybercrime will continue to be a ‘team sport’, said Burgess, and will include the coordination with the Australian Federal Police, Australian Criminal Intelligence Commission and the Australian Security Intelligence Organisation (ASIO) will be more important than ever. “ASD focus will shift and broaden,” said Burgess, “the Centre’s focus will cover business, community and government, backed with the full support of the ASD. My expectations for the Centre include, comprehensively understanding the cyber threat to Australia, providing timely proactive advice and assistance that makes a real difference across the community, business and Government. The Centre’s work must lead to an improvement in the identification and management of cybersecurity risk for all Australians. My key priorities for the next 12 months include a national assessment on Australian cybersecurity, with an initial focus on critical infrastructure. Collaboration with major internet service providers and critical infrastructure providers to drive out known problems and equally important, identify first seen new threats. Executing counter cybercrime campaigns will also be a priority, as will outreach and influence to improve the identification and management of cybersecurity risk. We live in a connected world. Everything is being digitalised and everything is being connected and everything is driven by software. There is no doubt the full potential of this is yet to be fully realised. However, with these same benefits comes some serious risk. In this digitalised world it is timely to remind ourselves that security also includes integrity and availability, not just confidentiality. We all have much to do.” Alastair MacGibbon, National Cyber Security Adviser and head of the Australian Cyber Security Centre outlined the top level threats and activities. “We do security for the purposes of enabling of opportunities. Time for incremental shift is over and there is an ambition and expectation to do more.” Describing the 2016 Cyber Security Strategy as now being in a state of accelerated cybersecurity strategy plus, MacGibbon confirmed the Government is seeking to be doing things faster and with more ambition. The Census failure in resilience helped change the

Alastair MacGibbon, National Cyber Security Adviser and head of the Australian Cyber Security Centre

political dialogue. WannaCry and Not-Petya ransomware attacks helped educate on how fast things can spread and the Russian interference in the US elections has shown the threat to democratic systems. With the Notifiable Data Breach legislation, and the OAIC releasing NDB statistics this week, it is clear that since the since the 2016 Cyber Security Strategy, there has been significant changes to the government ecosystem. Providing a top level view, MacGibbon outlined the increased sophistication in tools and tradecraft, increased infiltration and exploitation of third parties, such as global ISPs and exploitation against routers to compromise networks. “We expect more nation states to enter this field”, said MacGibbon, “and the weaponization of malware is expected to increase.” Cyber espionage is alive and well and in March the USA formally accused Russia of cyber attacks against the US energy sector since 2016. MacGibbon reported seeing more modulised processing attacks again SCADA systems to override safety systems and noted this may be indictive to how some nation states are thinking. Alongside cyber warfare and cyber espionage, cybercriminals continue to launch large and targeted ransomware campaigns, wholesale theft of personal data and targeting attacks on banking systems and cryptocurrency exchanges. Increased credential harvesting malware and rising DDOS attacks and social engineering continues, including business email compromise. Over the next 12 months, envisioned MacGibbon, “anything worth money, criminals will try to steal.”

LISTEN TO MORE FROM #2018ACSC: PODCASTS MySecurity Media will release a series of podcasts interviews conducted at the ACSC Conference 2018 including interviews with Alastair MacGibbon, Liz Jakubowski, Director of Ribit.net, Rupert Taylor-Price, CEO of Vault Systems, David Holmes of F5Labs and Shamane Tan of CyberRisk Meetups.

Australian Security Magazine | 27

Women in Security

You’re a genetic engineer How did that get you into cyber security? Pip Wyrdeman, Director Cyber Systems and Services – Australia, Elbit Systems of Australia

With Chris Cubbage Executive Editor

28 | Australian Security Magazine

eople look at her strangely when she tells them that the journey actually began back when she was a patent examiner in genetics, biotechnology and food sciences. The next question is inevitable: You’re a genetic engineer – how did that get you into cyber security? Australia’s former Senior Adviser Cyber Policy, Department of the Prime Minister and Cabinet, Philippa ‘Pip’ Wyrdeman, is now the Director Cyber Systems and Services Australia at Elbit Systems of Australia. Where did it all start, ten years ago? Pip found herself seconded out of a scientific role and into a change management role, acting as the key conduit between a parent business unit and an IT project in a transition to a paperless environment. “That experience was priceless to me,” recalls Pip, “during that time I developed a number of procedures and policies around the new IT system that led, eventually, to a contract role to develop a policies and procedures framework for the IT environment of AusAID.”

“In that role I also took on responsibilities for the intellectual property, records management and the IT security policy development. That led to a role in ICT Policy in Defence, which led to working up architecture strategy and eventually into business relationship management for Defence’s intelligence functions, including for the Australian Signals Directorate and the Australian Cyber Security Centre. All this, almost naturally, led to me applying for a role in the Office of the Cyber Security Special Adviser. The opportunity to drive and influence Australia’s cyber security policy settings across industry and academia was too good to miss.” Throughout her life, Pip was fortunate to have had one mentor of the greatest influence, her Father. A retired Rear Admiral in the Navy and with subsequent leadership roles, Pip was able to leverage her own challenges and seek guidance based on his experience. “As I developed as a manager and leader, and he took on bigger challenges that saw him dealing at the highest levels of government, I learned

Women in Security

Women are an obvious demographic in this discussion. Only 11 per cent of cyber roles globally are filled by women which means we have a huge, untapped resource of different perspectives there.

by watching him – what worked, what didn’t. This has given me far more than any official mentoring framework ever could have. I was very lucky to have it.” Pip returns the reward, having been an official mentor and an official mentee but prefers a less formal approach to mentoring. “I’m seeing a lot of effort being put in to get more women into the industry. I’m still hearing a lot of complaints about “we would have more women but they just aren’t available/don’t apply/don’t put their hands up” and I think that is still an issue to be addressed. It’s as much a societal and cultural issue as it is a cyber industry issue. So, there’s a lot of work to be done around understanding and addressing that.” “I think businesses are doing what they can to get women into senior roles but what that looks like at the moment is a bit like my current work environment. One or two senior women, lots of men and no women in the pipeline to step up later. I think that’s just the nature of where we are right now

because we have more young women going into university to study the right things but they will take some time to come through the ranks. In the meantime, it’s going to be a bit of struggle to fill those middle levels with enough women to ensure there are enough to move up to senior positions later.” “As a futurist, I tend to take a fairly optimistic view of things and I think we should extend this to the cyber security industry. It needs a makeover – and I don’t mean by including more women – I mean that we need to ensure we look at our industry as the foundation for the future instead of seeing it through the lens of needing to lock down and protect ourselves from bad actors. If we do our jobs right, if we can train our people to operate securely, we can provide this country with a foundation upon which to take advantage of the benefits that ongoing innovation in the digital space can give. That’s my passion and the reason that I do what I do – because the future will be amazing if we only ensure it has the right foundations.” However, the key challenge the industry faces, affirms Pip, is the pace of change. “This industry moves faster than any I have ever seen, and that includes during the heady days of biotech and genetics when it seemed innovation and development was outstripping our capability to understand the implications of that technology. As cyber security has grown out of the shadows and become a means for malicious actors, be they criminal or state based, the challenge of change has only grown. We are barrelling down the path of technological change, into our digital/virtual future. And we have no idea what that’s going to mean for us. Our ability to manage, regulate or control this is challenged and for that reason we need as many people as we can get who can look at things from a different perspective. That means people who are different from those who currently fill the ranks and leadership positions. Not to displace them but to enhance them.” “Women are an obvious demographic in this discussion. Only 11 per cent of cyber roles globally are filled by women which means we have a huge, untapped resource of different perspectives there. We need those different ways of looking at things if we want to have a hope of dealing with our changing technical environment.” But where to escape? For this futurist, it’s the outdoors. “I have an extensive garden and a couple of greenhouses that I spend as much time as I can in. I also have a bush get away where I go with my family to get away from technology. Nothing like sitting by a campfire, away from the hustle and bustle. And reading, “If it’s got dragons, cyborgs or space in it, chances are, I’ll love it.”

Australian Security Magazine | 29

Cyber Security

Photo credit: Global Space and Technology Conference 2018 Singapore

Cyber Security in space and military operations

C By Jane Lo Singapore Correspondent

omparisons of the Apollo Guidance Computer (AGC) with our modern IT inevitably brings to attention the relatively primitive technology that put man on the moon. That an iPhone is millions of times faster and more powerful than the AGC adds to our appreciation the incredible engineering feat achieved with a 64kByte memory, and the relentless pace of technological development encompassed in Moore's Law. At the Global Space and Technology Convention (GSTC, Sheraton Hotel Singapore 2-3rd February 2018), world’s leading companies in Space technologies, including Airbus and Thales Alenia Space presented the take-up of Artificial intelligence, BlockChain, Machine Learning and Big Data Analytics in the Space Technology sector. Not surprisingly, Cyber Security, was also an important area of focus. Dr Alexander Ling, Principal Investigator, Centre for Quantum Technologies, National University of Singapore, The “Future of Unhackable Data” introduced the role of Micius satellite in shaking up the field of cryptography. But “why should we care?” he asked. Reliability of an encryption approach requires unhackable keys – a problem which Quantum technology is deemed to exacerbate on one hand, but able to solve on the other. Breaking mathematical encryption schemes is extraordinarily difficult today but with powerful computers, reverse-engineering the keys is perceived as a near-term

30 | Australian Security Magazine

reality and less of a theoretical discussion. Arguably “hackability” can be mitigated with a larger key size, provided that keys are distributed with maximum security. So, how can key negotiation protocols (short of a physical transport) be designed to ensure that only intended parties have them - that is, no eavesdropper has copied the key during its distribution? While quantum computers which are likely to break encryption and reverse-engineer keys are still at the early stages of research, there are already working prototypes of QKD, or Quantum Key Distribution. This technology exploits properties of photons to transmit data for secure sharing of a key between a sender and a receiver. To steal the key would require knowing the photon properties – which due to quantum physics law, is impossible without changing the properties’ behavior and alerting the sender and receiver to the attempted hack. The best optical fibers carry these photons to 200 kilometers before light absorption distort the process. Entanglement, where two particles behave like one regardless of distance apart, enables QKD over long distances. The Micius satellite demonstrates this over 7,600 km by distributing the key from orbit. When the satellite is over the Chinese ground station (at Xinglong, Hebei province), it sends the one-time pad to the ground, encoded in single photons. As the Earth rotates beneath the satellite and as the ground station at Graz in Austria comes into view, Micius sends the same one-time pad to

Cyber Security

Global Space and Technology Convention (GSTC, Sheraton Hotel Singapore 2-3rd February 2018) – From Left, Mr Jonathan Hung, President, Singapore Space and Technology Association; Mr. S Iswaran, Minister for Trade and Industry, Guest-of-Honour. Photo Credit: Global Space & Technology Convention 2018 Singapore

Mr. S Iswaran, Minister for Trade and Industry, Guest-of-Honour, Opening Address.

‘To what extent can some control be shared with another entity?” and “If something goes wrong, who’s responsible for the real-world effects?” the receiver there. The two locations then both possess the same key for secure communication over a classic link. Space, Cyber Security and Electromagnetic Systems In “Cyber Security for Space Elements”, Esti Peshin (General Manager, Cyber Division, Israel Aerospace Industries Ltd) said that “most of the space asses are actually ground based” which “have all, and maybe more traditional cyber vulnerabilities of IT and ICS/ OT”. The growing internet and cloud connectivity of ground stations mean that we need to go “back to the basics of cyber security” and “apply end-to-end holistic approach to cyber threats and defense- protect the entire matrix: Ground, Communications and Space”. This holistic view towards protecting and defending against threats arising from the Space and Cyber Space domains, can also be seen in US Army’s approach to “CyberSpace and Electronic Warfare Operations”. It recognizes that “space provides a key global

“Cyber Security for Space Elements, Esti Peshin (General Manager, Cyber Division, Israel Aerospace Industries Ltd”). Photo Credit: Global Space & Technology Convention 2018 Singapore

Dr Alexander Ling, Principal Investigator, Centre for Quantum Technologies, National University of Singapore, The “Future of Unhackable Data?. Photo Credit: Global Space & Technology Convention 2018 Singapore

Australian Security Magazine | 31

Cyber Security

Ulf Lindqvist (Program Director, Computer Science Laboratory, SRI International), at the IEEE World Forum Internet of Thing ,on “Security and Privacy Regimes” was also a focal area. Photo Credit: SRI International

At the Asia Defence Expo & Conference 2018, Lieutenant Colonel Chris Walls, US Army, ÜS Army doctrinal approach to Cyberspace and electronic warfare operations). Photo Credit: Asia Defence Expo & Conference 2018

connectivity capability for cyberspace operations” and “many cyberspace operations occur in and through the space domain via the EMS (electromagnetic spectrum), resulting in an interdependent relationship between space and cyberspace.” Lieutenant Colonel Chris Walls, US Army, summed up very well at the Asia Defence Expo & Conference 2018 (Marina Bay Sands, Singapore 30-31 January 2018), “US Army doctrinal approach to Cyberspace and electronic warfare operations” that: “Cyberspace pervades the land, air, maritime, and space domains through the EMS and wired networks. Cyberspace enables integration across physical domains by moving data along transmission paths through links and nodes in cyberspace and the EMS.”. Internet-of-Things Indeed, as we become more inter-connected and the Internet of Things permeate our lives, what we commonly

32 | Australian Security Magazine

refer as Cyber Space will extend from ground-based assets to Space, which raises the question of jurisdiction and ownership, when it comes to building protection and defenses. Ulf Lindqvist (Program Director, Computer Science Laboratory, SRI International, said, at the IEEE World Forum Internet of Things “Security and Privacy Regimes” track (Marina Bay Sands, Singapore 6th -8th February 2018), “when the security of a single system is under consideration, then it’s easy to imagine that a portion of the system is responsible for limiting access and actions. In an IoT setting, it’s possible that some sensors and some actuators won’t be owned by the same organization.” As the boundary of Internet of Things expand, the questions of ‘To what extent can some control be shared with another entity?” and “If something goes wrong, who’s responsible for the real-world effects?” makes holistic approach an increasingly important one, but also cooperation between public and private sectors at national, and inter-national levels.

Cyber Security

Blockchain technology briefing – analyst insights Session Takeaway: Nick Heudecker, Research VP with Gartner, speaking at the Gartner Data & Analytics Summit in Sydney in February. Nick provided a session on the misunderstanding, or the overwhelming hype, of blockchain technologies.

by Chris Cubbage Executive Editor

here is so many different dimensions to blockchain and how it can be applied to existing and new business models that there is going to be a lot of confusion for a very long time. One of the things that is driving that confusion is the potential upside. An estimated $3.1 trillion business impact by 2030 – but there is a long way to go. Nick reports to have yet heard of a single production blockchain use case that has scale beyond four to five nodes that couldn’t easily be done with a centralised database. What is blockchain? It is a distributed ledger. A way to introduce trust in an untrusted network of participants. This provides mechanisms that order transactions and so that double spending can’t occur. Blockchain is not a database per say but a linked list. Every transaction builds on the previous transaction, or block of transactions. Anything that can be digitised, be it a dollar, cryptocurrency or a photograph, the blockchain will record where it came from, who has handled it and who currently has it. Today, you can download the entire Bitcoin blockchain, at about 160GB, which has been in existence since 2009. You will see precisely all the way back to the Genesis block. And no one is identified. Everyone has a wallet identification of 32 characters and there is no personal exposure. But just because you may not be linked to that Wallet ID, doesn’t mean it can’t be determined who you are. Particularly, if you’re posting on web forums, or used the Wallet ID on some other platform. So, despite not readily being identifiable, there is still other identifiable attributes that can be applied. However, for business use, there is a general requirement to know who you’re dealing with, so there is potential for new centralised identity services and privilege management. Another key aspect of the blockchain is that there is active data, where behaviour or logic can be applied. The Blockchain can apply a smart contract, with a programming language, which looks at different pieces of data, called Oracles, which

provides data sources of truth for the smart contract to verify against and act on. The current challenge is that there is no way to ensure the contract data is ‘bug’ proof or even legal. Programmers writing smart contracts need to ensure accuracy and being comprehensive to the smart contract requirements. For business, this will require bridging application development with legal, procurement and other sources of expertise. One good example is referred to the DAO Hack, where a code vulnerability was exploited and $35 million in digital currency was stolen. The four types of blockchain initiatives are blockchain disrupters, digital asset markets, efficiency plays, records management and auditing. Blockchain disrupters are those seeking out new business based on a blockchain foundation, however the business model may not be new. The digital asset market is new markets based on digital assets formed from nondigital ones (physical and virtual). Efficiency plays comes from creating efficiency improvements in transactions, interactions and tracking provenance of assets. Finally, record keeping for trust verification by one entity, for oneself or a community. Data analytics can also be applied, however data in blockchain can’t be manipulated. It is a write only record but it can append information. Integrity concerns still requires enforcement. It is a data tree and key value pair. Blocks also need to be small, so if a MRI Scan is being verified, you would not load the MRI, you would use a hash which appends the MRI. A blockchain is yet another data source to integrate into an analytics program. There remain challenges for blockchain technology. The current platforms are not scalable or complete, an ecosystem of competitors is yet to fully form, agreements on structures and formats of data is still being developed and though a complex and powerful solution, a blockchain can consume huge resources to build. For more information visit www.gartner.com

Australian Security Magazine | 33

Takeaway - Australian Cyber Security Magazine

SMART ID: Ethereum blockchain identity management

W By Annu Singh

34 | Australian Security Magazine

e all know the mere mention of the words ‘Papers Please’ or ‘KYC’ (know your customer) conjures up an uncomfortable image of a pile of documents provided by individuals as proof of identity. This picture does not get any better with Financial Technology (FINTECH) and Regulatory Technology (REG TECH) firms investing significant money, effort and resources in verifying, validating, storing these identity proofs. Furthermore, duplicate records are maintained across the transaction lifecycle. Keeping information consistent and up-to-date becomes a big challenge and is a constant source of frustration, with extreme risks relating to loss of PII and identity fraud. Smart Identity is being looked at as a viable option for individuals, corporations and governments, as it helps introduce efficiencies into the process lifecycle of identity management and expedites verification and validation outcomes. First, let’s look at what Smart Identity is and how it works. Smart Identity (Smart ID) is the digital identity of an individual created using smart contracts based on Ethereum’s blockchain – one of the most well-known

blockchain technologies. A smart contract, in layman’s terms, is a software program that is executed when defined conditions are met. To create Smart ID identity artefacts, known as attributes, such as birth certificates, driving licenses, addresses, passports etc., they are added by the identity owner to the blockchain and stored within the smart contract in the form of an immutable hash. Identity endorsement is performed by storing a corresponding endorsement hash against the attribute’s hash by the attesting authority, which normally is a third-party. Endorsements can be revoked by issuing authorities, if needed. Endorsements act as a notarised record of attestation by a third-party in relation to a specified attribute, stored with the attribute, within the identity contract. Attributes can be added, deleted or modified by the identity owners, but only while endorsements are added using the required public keys. Smart ID works as a universal electronic passport for identity representation and verification. Users have full control over who they share their information with and what attribute of information is shared. Smart ID reduces the dependency on centrally provided systems or services, such as the passport office, to acquire, use and verify identity

Takeaway - Australian Cyber Security Magazine

information – so there are certainly applications for this kind of service within the Federal government that have not yet been considered. Smart ID can also be used as a digital wallet for digital assets owned by an identity, as well as contracts for identity to a third party and as a controller to identity-linked distributed applications (known as Dapps). Smart ID needs to be easy to use and low cost for wider adoption, but the upside is it offers significantly enhanced security as the blockchain authenticates personal identity on an immutable, tamperproof ledger, by associating each identity with an encrypted code, for which only the individual controls the private key. Thus, private data (PII) remains under the complete control of the individual and is selfmanaged and certified. An Ethereum developer, Fabian Vogelsteller, proposed Ethereum Request for Comment (ERC725) to develop a standardised identity management system for humans and machines on GitHub in Oct 2017. Fabian proposed ERC725 as a standard function for a unique identity for humans, groups, objects and machines. This identity can hold keys to sign actions and claims (transactions, documents, logins,

accesses, etc.,) which are attested to by third parties (issuers) or self-attested by the individual. They also serve as a proxy function to act directly on the blockchain. Details can be found here: https://github.com/ethereum/ EIPs/issues/725. Interest in this RFC was so intense over the first 24 hours after submission that discussions went all over social media and it trended significantly on Twitter. This is a big deal. Digital identity opens door for wider integration into distributed master identity record management, which facilitates a number of areas like cross-border travel and immigration, access to financial services on relocation, creation of risk profiles, which can be used to personalise insurance products. It could also be used to transfer digital ownership of assets, IP, and provide access to government services and facilitate e-voting, all of which are areas that are being explored through other technology solutions. But none have the immutable qualities that blockchain can offer and none have the Smart Contract ecosystem that Ethereum offers. Due to its myriad advantages, many organisations and governments are exploring the Ethereum blockchain for identity management. Some major corporations, such as Deloitte, Cognizant, UPort, MONI and Persona are all researching and prototyping applications in this space. Zug, a region in Switzerland known as “Crypto valley” – the name was allegedly attributed to Ethereum’s co-founder Mihai Alisie (Ethereum HQ is in Zug) – has collaborated with UPort to use the Ethereum blockchain identity management to create self-sovereign digital identity of its residents. Using the UPort App citizens encrypt their personal information and receive an ID, which is linked to a cryptographic address on the Ethereum blockchain. This address is a Smart Contract address known as a UPort proxy contract. Once the information is verified by the city’s authorities, which needs to be done just once in person (presenting normal ID paperwork), users can then use e-services like residency proof, e-signature, parking fee payments, etc. Estonia is another such country with high adoption rates of blockchain technology – much of which is based on identity management (XROD) for its residents through their e-residency program. Finland uses Ethereum Smart ID for refugees’ identity management. Finland also provides asylum seekers with MONI debit cards, linked to their identity on the blockchain. Even their Immigration Services uses this to track both the spending and identity of these refugees, with the added benefit that the blockchain data is immutable and uncontestable. With Smart IDs, individuals can create and securely store a digital form of identification, that cannot be tampered with and is universally accessible. Smart IDs will need to be slowly incorporated along with existing ID Systems, by the institutions and not targeted as replacements for existing ID systems, for the technology to succeed. If done correctly this can have a far-reaching impact on how individuals, organisations & society validate & verify identity, conduct business and avail services at large. “I AM WHO I AM’ said GOD to Moses to assure him that God would become what they would need Him to become; but for rest of us lesser mortals we would need

Australian Security Magazine | 35

Cyber Security

The potential impact of Artificial Intelligence technology on cyber security.

A By Nick Johnson

36 | Australian Security Magazine

rtificial Intelligence (AI) is the application of technological solutions to problems which typically require human intelligence â&#x20AC;&#x201C; think of identifying objects in images, recognising and correctly reacting to human speech, and making decisions based on inputs which vary. In itâ&#x20AC;&#x2122;s various guises, AI is increasingly being seen by the commercial world as having the potential to add significant value to the balance sheet. Together with developments in machine learning (computers learning from data without being explicitly programmed what to learn) it is now almost inevitable that AI will become integral to the IT systems of many major companies. Whilst this will undoubtedly produce tangible benefits, increased deployment of AI solutions will create cyber security issues that are not currently being considered by the wider industry. James Clapper, the former Director of US National Intelligence, concurs with the view the growth of AI will introduce new threat vectors. He believes AI will become common in financial, energy and weapons systems to name but a few. He states America would therefore be wise to focus on threats which AI may pose to society as a whole. It is interesting to note Bill Gates and the late Stephen Hawking, men not known for their lack of vision, also agree with the notion that increased use of AI brings with it a new

type of threat component. But is it a realistic proposition that AI becomes a common tool of the commercial world? Tech-industry heavy hitters certainly seem to think so. Microsoft recently used itâ&#x20AC;&#x2122;s huge library of recorded technical support calls to build an AI that recognises conversational speech as accurately as any human. Given that both sides of helpline calls are recorded, and can therefore be comprehensively studied by an AI, it is surely only a matter of time before we see a virtual call centre staffed solely by an AI which reacts verbally, as opposed to using a message box. This would have the tangible benefit of reducing staff and phone line costs, not to mention the prospect of multiple AIs working for multiple companies from the same (now considerably smaller) call centre infrastructure. Although many call centres currently rely on speech recognition to direct calls to human call centre representatives, this is far from the flexibility and accuracy which could be potentially offered by a well trained AI. From a hardware perspective, the current market for AI chips is largely dominated by Nvidia, although only because the graphics chipsets it produces happen to be the most cost-effective tool for the job at present. Google, IBM, Intel and other industry heavyweights are developing processor chips specifically for running AIs. A quick search on Google

Cyber Security

'It is not difficult to imagine a corporate environment in which Friday night drinks involve an ‘Our AI is better than your AI’ discussion.'

shows the race for an effective AI includes companies as diverse as AOL, eBay and Oracle. Using the aforementioned example of a fully automated yet competent call centre, it is easy to visualise the potential for profit. Even if only half the call centre’s staff were replaced, savings would be swift and tangible. We may see a situation where a company with the quickest, most effective AI has a distinct competitive advantage over those in second place. To get companies started in this endeavour, Microsoft allows open access to AI software they have developed. Like it or not, AI is coming. So what security threats will AI introduce? Fans of the 1983 movie War Games will remember the problems Matthew Broderick had trying to prevent a US military computer from starting a nuclear war. Although this scenario makes for an exciting movie, I would like to introduce a somewhat more benign possibility – that of the AI itself becoming a high value target. If an AI adds value to a company in a particular market, and can be taught how to operate on the same type of data in a different company, it is fair to infer the AI in question would be valuable to a competitor in the same commercial sector. In this way, we would see the AI itself become the high value target, much as R&D materials and customer data is today. An AI could be stolen through a variety of means

including standard hacking techniques and AI "cloning" (the art of building software to ascertain a target AIs' response to specific questions directed toward it). Furthermore, an unwitting AI could grant an attacker access to the network – an approach which may require a different way of securing networks against intrusion, or may require AIs with cyber security features built in from the outset. These early days of AI development allow developers a chance to avoid the security nightmare that is the Internet of Things. We may also see an AI specifically tasked with cyber security: ‘Who wants to access that system?’; ‘Do they need access?’; ‘Shall I give them only partial access, and what are the consequences if I do so?’. It is not difficult to imagine a corporate environment in which Friday night drinks involve an ‘Our AI is better than your AI’ discussion. Similarly, it is not beyond the realms of possibility that an employee tries to trick an AI into delivering a service the employee is not entitled to, be it with innocent or nefarious intention. Consequently, it may be prudent to equip AIs with the ability to recognise when someone is trying to coerce it. An AI incorrectly allowing access to information brings with it a whole raft of legal ramifications too complex to be explored here, but suffice it to say employment Terms & Conditions agreements may have to encompass this eventuality. In keeping with the abundance of potential AI applications, there exists a corresponding number of related security risks. Some of these are obvious (protect the server the AI is based on), and some are not (put an exploit in an image on a 3rd party website you know the AI checks intermittently). If AI proliferates as the large tech companies think it will, it may be necessary to have one cyber security team looking after the network and one looking after the AI. Who knows – if the AI has an issue dealing with sounds it does not understand, we may have come full circle to playing obscure tones down virtual phone lines in order to access the AIs debug menu. Cap'n Crunch*, it would seem, may not have blown his last whistle after all. * In the mid 1960’s the toy whistle found in boxes of Cap’n Crunch breakfast cereal emitted a tone which could be used to access certain features of the US phone network. “Phone phreaking”, as it became known, was one of the precursors to todays computer hacking. About the Author Nick Johnson (MA, BSc (Hons) ) is an Intelligence Analyst with experience across Australian federal and state agencies. He is experienced in diverse areas including counterterrorism, organised crime and money laundering. A former officer in the Australian military, Nick's experience also covers computer programming and systems administration in the corporate arena. His understanding and use of technology allow him to create bespoke solutions for use within Australian state and federal government agencies.

Australian Security Magazine | 37

Takeaway - Australian Cyber Security Magazine

Can we take people out of IoT security?

H By Dan Lohrmann

38 | Australian Security Magazine

ow can we provide better security for Internet of Things (IoT) devices? Yevgeny Dibrov writes that cybersecurity can be improved solely with technology improvements. I disagree. Here’s why I believe removing people from IoT security is ‘mission impossible.’ I recently read an intriguing Harvard Business Review (HBR.org) article by Yevgeny Dibrov, titled: The Internet of Things is Going to Change Everything About Cybersecurity. This well-written and thought-provoking opinion piece begins with the reality that cyber threats are exploding globally and data breaches have led mainstream businesses to spend over $93 billion in 2017 on stopping cybercrime. Furthermore, cyberattacks against Internet of Things (IoT) devices are skyrocketing even faster, causing Congress to get involved. Gartner anticipates that a third of hacker attacks will target "shadow IT" and IoT by 2020. In our scary new normal online, I certainly agree with Dibrov that: “Executives who are preparing to handle future cybersecurity challenges with the same mindset and tools that they’ve been using all along are setting themselves up for continued failure.” No doubt, old methods of defending enterprises from cyberattacks are failing and new security solutions are certainly needed. So, what is the author’s solution?

Answer: Take people out of the security equation. Dibrov writes: “It can’t be denied, however, that in the age of increased social-engineering attacks and unmanaged device usage, reliance on a human-based strategy is questionable at best… It only took one click on a link that led to the download of malware strains like WannaCry and Petya to set off cascading, global cybersecurity events. This alone should be taken as absolute proof that humans will always represent the soft underbelly of corporate defenses. …” The article goes on to explain that the “Amazon Echo is susceptible to airborne attacks,” and “Users may have productivity goals in mind, but there is simply no way you can rely on employees to use them within acceptable security guidelines. IoT training and awareness programs certainly will not do anything to help, so what’s the answer? It is time to relieve your people (employees, partners, customers, etc.) of the cybersecurity burden.” My Response: Wrong answer. While I certainly agree that humans are often the weakest link in online security and we must do better at equipping staff, relieving your people from the cybersecurity burden is going in the wrong direction. People use the technology, and their actions, and the processes that are followed, will always be essential

Takeaway - Australian Cyber Security Magazine

number of mistakes that can be made by end users. However, pitting effective security awareness training and/or a positive security culture against better technology is a serious mistake and ultimately leads down a path to dismal failure. History has taught us that lasting security answers must include “all of the above,” with people, process and technology working together well. A Short History Lesson Regarding Cybersecurity

components of effective security strategies with the myriad new Internet of Things devices. The conventional wisdom remains true that solutions must involve people, process and technology answers. As I have written in the past, most experts say the largest percentage of our security challenges involve user actions (or interactions). Nevertheless, I am willing to concede that the percentage breakdown assigned to each category is open to debate and may be different for various products, services, companies and/or IoT devices. But before I explain in more detail why I part ways with respected CEO and co-founder of Armis, I want to say that I certainly agree that we need much better security built into IoT devices. I certainly think IoT security is at the cutting edge of cyber issues, and I share Dibrov’s sceptical view that we can keep doing the same things and get different results — in all three categories. Without hesitation, almost everyone except criminal hackers would love to have IoT devices ship “secure by default” or “secure by design” with a hack-proof seal of approval on every IoT box that ships. There is no doubt that much more needs be done with the security built into all technology, and it would be great if we could drastically reduce IoT security flaws and the potential

As I ponder these concepts and especially promises of more IoT security built-in up front, I can’t help but think back more than a decade to the Bill Gates promise of better security. Here’s a very brief history reminder from the days of Microsoft’s Trustworthy Computing. On Jan. 23, 2003, Bill Gates wrote these well-known "Secure by Design" words: “Secure by Default: In the past, a product feature was typically enabled by default if there was any possibility that a customer might want to use it. Today, we are closely examining when to pre-configure products as "locked down," meaning that the most secure options are the default settings. For example, in the forthcoming Windows Server 2003, services such as Content Indexing Service, Messenger and NetDDE will be turned off by default. In Office XP, macros are turned off by default. VBScript is turned off by default in Office XP SP1. And Internet Explorer frame display is disabled in the "restricted sites" zone, which reduces the opportunity for the frames mechanism in HTML email to be used as an attack vector. …” While I applauded these laudable goals more than a decade ago along with other important steps taken by Microsoft to improve security, the sad truth is that many hundreds of "Patch Tuesdays" have come and gone, with more hacked systems than ever before in 2017. The promise of “secure by default” is far from reality across the technology industry software, hardware and even cloud-hosted services. Beyond Microsoft, other companies have the same issues with technology bugs and security holes that hackers eventually find. Even when technology products ship with all security settings enabled, which is not the case with many IoT devices, end users often turn off security features or fail to download critical security updates or don’t follow recommended practices such as changing default passwords. Yevgeny Dibrov is not the first one to suggest that technology can be made secure regardless of people’s actions, and he won’t be the last. However, I am somewhat surprised that this viewpoint remains popular as we head into 2018. Why? Beyond software development flaws, we have witnessed decades of insider threats caused by people like Edward Snowden and others who were able to use processes and weaknesses in people to overcome sophisticated data protections. There is simply no way that IoT manufacturers will spend the kind of dollars on security that the National Security Agency (NSA) spends on technology to protect national secrets. And yet, even those technology defenses were able to be defeated by social engineering weaknesses exploited by Snowden — such as colleagues giving away their passwords. External hackers use those same techniques today, as

Australian Security Magazine | 39

Takeaway - Australian Cyber Security Magazine

demonstrated at security conferences like RSA. Recent cyberattacks against bitcoin exchanges represent another example of how attacks will go after weaknesses in people and process, despite solid technology which is supposedly "hack-proof." Just last week a South Korean bitcoin exchange declared bankruptcy after the second attack in less than a year. This situation developed after commentators still maintain that the bitcoin currency cannot be hacked. Perhaps true, but your bitcoin wallet can still be raided. Similar problems will continue to occur with IoT devices in the future. Fun Movie and TV Examples to Help Understand the Role of People in Security I want to recognize that Dibrov says: “It may be prudent, and required, for you to continue with awareness programs, but you will have to rely more on intelligent technologies and automation if you hope to have any chance at success. …” I certainly agree. Nevertheless, the reality is that the main point of his article comes from the last sentence at the end of the article: “It’s time to remove people from the discussion and move towards a more intelligent, secure future.” Really? Take people out of the security discussion? Side note: I immediately posted this article to my LinkedIn and Twitter feeds and received a flood of similar comments to what I am writing in this rebuttal. Some of those same comments from colleagues appear at the bottom of the article at HBR.org. Furthermore, to keep this simple, I’d like to offer a fun illustration of why people cannot be removed from the central security discussion. In the (fictional) film series Mission Impossible, the most sophisticated technical security controls are consistently overcome via weaknesses exploited in people and process hacks. Ethan Hunt (played by Tom Cruise) and a wide assortment of men and women spies in the fictional U.S. Impossible Mission Force (IMF), face an untold number of highly improbable and dangerous tasks that are actionpacked, over-the-top and fun to watch. One common theme throughout these five movies (with number six coming in 2018) is how people can still defeat the most sophisticated technology safeguards put in place. Sadly, hackers overcoming state-of-the-art technology defenses are not just for the movies or TV shows like Mr. Robot. We have seen an untold number of ways that IoT devices can be hacked by tricking people into doing things or not following recommended best practices for security. Sadly, hacking IoT devices is often easier than Tom Cruise pulling off one of his movie stunts. Everyone certainly agrees with the goal to build moresecure IoT devices. Humans certainly make mistakes, and we should aim to automate as much security as possible. Just as we safely fly planes on autopilot, shouldn’t we strive to build human-proof smart devices that are secure out of the box? Of course. And ... I am all for more-secure IoT devices that remove the potential for most end-user errors or security mistakes. Nevertheless, training and working with people and

40 | Australian Security Magazine

processes to protect data will never be an optional extra for secure enterprises, homes or individuals. A False Choice The HBR article by Yevgeny Dibrov appears to offer an attractive answer because it promises IoT security solutions without the very hard to change enterprise security culture. It offers a false hope by eliminating “reliance on a humanbased strategy” and offering better security with a perfect technology-driven, or bolt-on tech solution, for all IoT devices. Managers imagine saving significant money by reducing the time required for staff to be trained and/or understand and implement appropriate (and secure) business processes with innovative technology. This invented conflict is similar to another security paradox from a few years back that asked the question: Are data breaches inevitable? Most people now say "yes" without hesitation, but Invincea CEO Anup Ghosh told Washington news site DC Inno that breach prevention is possible, proclaiming “breach inevitability” is just marketing. As I wrote at that time, we need a third answer that adopts all the wisdom contained in the NIST Cybersecurity Framework regarding cyber incident and data breach prevention as well as incident response. The same holistic approach is required for IoT security. Let’s not sacrifice one security best practice in exchange for another, as if we need to pick technology protections over enabling people with better awareness training and engaging in cyber exercises. The NIST guidance encourages an assessment of all cyber-risks with prioritization based upon your specific situation. It recommends that solutions contain end-user training, technical training for developers and system administrators, cybersecurity exercises, management briefings, repeatable technology upgrade processes and much more. Don’t skip over important sections of the NIST Cyber Framework. Final Thoughts Better cybersecurity protections for IoT requires improvements in people, process and technology. So, let’s not pit people issues against technology protections in a fight for dollars — nor pretend that a perfect black box is coming that will enable IoT nirvana, while removing people and process from the security equation. Bottom line: The Edward Snowden story can teach many important security lessons. But no security message is more central than this: People, and their actions, will always matter in cybersecurity. So, can we remove people from the IoT security discussion? Mission Impossible!

Cyber Security

Available online!

000032

Post

ed PP1

Approv

See our website for details

ATE

ENT

VER

AND

R RPO

w | w

u w.a

sec

urity

THE

COU

NTR Y’S

gazi

ne.c

.au 2017

arch

Feb/M

t a jus it trali Aus ’t hack n ca

URIT

SEC

E AZIN

n ralia

LEAD

ING

roved

App Post

natio

THE

OVE

IEW REV ls CIAL anne SPE alys Ch cau a n a M the C oursutrmy Fd ds in

Y’S NTR

COU

DIN

LEA

Tren ology in n tech

efine are d Softw thing y ever $8.95

urity

mag

azin

e.co

$8.95

GST

INC.

PP1000

03227

m.au

April/

May 20

ren o

f war

Te fundinrrorism g law s

e ing th Clos ls gap kil ity s

Digit aga al War Islam inst the ic Sta te US

, Q&A Dron

e errd an uick T s, an o...rism e, Q ieuw ting rity Crea orTldeTce–hcThimekr re ore Sevc w obono mugch m y–F ence SysRteemcCBosyg lo ig ll a n inte estone 2018 ition & V cial Mil id MIPS rity Secu nal en in rso Wom ecial: Pe eliver Sp on to d rity ati secu inspir

ous

om uton

1 YEAR SUBSCRIPTION TO THE AUSTRALIAN SECURITY MAGAZINE

ics

rens

al fo

Digit

nsec

Analy eo tics

INC. GST

of a Rise les vehic

tralia

Child

18 rch 20

cur erSe

Cyb

| w ww.a us

03227

PP1000

Feb /

T AN

roved

EN RNM

Post App

GOVE

NMEN T AN RSA D CO ps RPO U Edito Conferen l sRteATE SEaC CO tica g U ce 20 r's R THE eview Prac buildin ient RITY MAGAZIN 1 r E - PAR 7 il o T 2 f ber res prise Cybe y r ks: c r c e c t In a n t suran e Time at traffi le c to e– sta conv Vehicminute t ersati rt the on Ten loymen ya ivac dep Is pr t cause s lo C ri sis NY ese eist - Com Manage H Chin - Use municati ment Foc The k Cyber us r Driv o Ban role en Plan .au The yber com nning ine. agaz of c nce uritym nsec ra ia al e ustr insu ww.a to b Modern | w as a kes Secu ising y MAGAZINE ange sue it ta ity h c t ri Y ou a IT is ty te R y a CU Wh art c Etr SS ategy r Clim Ssecurit ATE POR a sm al COR ING

EAD

L Y’S NTR

Get each print issue per year for only $88.00

$8.95

INC.

n in

e Wom

rity Secu

hti | Tec

GST

SUBSCRIBE TODAY... DON’T MISS AN ISSUE Yes! I wish to subscribe to the Australian Security Magazine, (1 year). ☐

AUSTRALIA

88.00

(inc GST)

1 YEAR

☐

INTERNATIONAL

158.00

(inc GST)

1 YEAR

Yes! As an additional bonus I wish to receive direct to my inbox the Asia Pacific Security Magazine (emag)

No business or government organisation survives in a vacuum. Sharing knowledge is fundamental to the development of successful security planning and implementation. That is the role of our magazine: sharing knowledge of developments in security management for public and private sector organisations, both for internal management and for external obligations in public safety and security.

Go to

www.australiansecuritymagazine.com.au/subscribe and fill in our subscription form online. Dont miss an issue! Phone: +61 (8) 6465 4732 during business hours AWST (Australia Only)

PRIORITY FAX Credit Card Details Australia +61 (8) 9467 9155

FREE POST My Security Media 286 Alexander Drive, Dianella. W.A. 6059

Email subscriptions@mysecurity.com.au

GST This document will become a TAX INVOICE for GST when payment is made. My Security Media Pty Ltd ABN 54 145 849 056

Australian Security Magazine | 41

Cyber Security

By 2050 – we will be beyond the cloud and on Mars CISCO LIVE! Melbourne, 2018: The reality will be a multi cloud world: the tools to build cloud services and the networks

C With Chris Cubbage Executive Editor

elebrating 25 years, ‘Your IT’ CiscoLive! Melbourne attracted over 7,000 attendees, plus an additional online-record audience, covering over 300 sessions and viewing 100 sponsors at the World of Solutions expo. With Optus Business as the diamond sponsor, the two have jointly invested $12 million over three years to provide cybersecurity curriculum to Australian TAFEs and Universities. Optus was also the digital initiatives provider for the Gold Coast Commonwealth Games, along with Cisco being the Network hardware supporter. Rowan Trollope, Senior Vice President and General Manager, IoT applications group at Cisco provided the visionary keynote, highlighting the company’s 9,000 research and development engineers and the US$8 billion over the last two years spent on acquisitions. Roadmap of the Future Providing a roadmap of the future, with self-confessed pontification, Rowan Trollope reached out as far as 2050. For business and those with near term requirements, much of this was just entertainment. However, for many, including businesses such as Cisco, that have been around for 30 years, casting out so far, should Rowan be correct, or even half right, shows that the future is going to be a challenge, to say the least. By 2022 we expect to see the first driverless hovering drone taxi, flying above Dubai and by 2025 the smart phone may disappear as quickly as it arrived, as the world takes a ‘magic leap’, with the likes of Rony Abovitz (www.magicleap.com) and augmented reality (AR) glasses. Wearable technologies will create new experience platforms, as well as new science through the use of holograms in the field of vision – like the smart phone and the internet itself, this technology will profoundly affect every industry and in a networking perspective, will require an entirely new network built to support the next generation of devices and the digital resolution. As we draw to the close of 2028, text by thinking, which

42 | Australian Security Magazine

is already under development, will replace voice to text for significantly enhanced human brain to computer interfaces. By the end of the decade and into the next, 2030 will see new job titles, like vertical farmer, waste data manager and climate change reverse specialist. By 2034, one terabyte (1TB) connections to the home and on the person will be common. Yet, this bandwidth will only enable more computational and network connected opportunity. By 2036, Alzheimer’s is cured as a result of being able to reverse engineer the human brain. Current research in Queensland is using non-invasive ultrasound technology to show how memory can be restored, which could not only cure and restore memory from Alzheimer’s but significantly lengthen human life. By 2040, the 2020s and 2030’s are already looking ‘sleepy’ and obsolete. The average home will have the computing power of a billion human brains. This may be hard to imagine, today. What will be done with that computing power? This is a time when there is limitless processing capability and bandwidth. It will be up to the imagination. The chief futurist for Google, Ray Kurzweil believes that by 2045 we will have achieved, ‘the singularity’. The moment which computers become ‘more’ intelligent than humans. Artificial Intelligence is already making a transformative force in our lives and will continue to do so for many years to come. Ultimately, AI will change the future, and indeed it seems, human kind. By 2050, thanks to people like Elon Musk, there will be a permanent base on Mars. Humans will be an inter-planetary species. At this time, with 9.7 billion people forecast to be on earth, the planet is reaching the carrying capacity for sustainability. More than 10 billion people will require two earth sized planets. Today, we have to rethink substantially more about efficiency of and with resources. Technology will underpin this transformation, as it comes to underpin human life. Maslow’s hierarchy of human needs should now have battery

Cyber Security

life and WiFi connectivity as the foundational requirements before breathing, eating and sleeping. Technology infrastructure is yet to be built for an age of intelligence, but over the next three decades, the foundation of this infrastructure will need to be intelligence, automation and security. Cisco’s Five Key Pillars Strategy AI is powering innovation across every part of Cisco’s portfolio. The five key pillars of the Cisco strategy is set out as: Security is Foundational, Reinvent the Network, Embrace a Multi-Cloud World, Unlock the Power of Data and Employee & Customer Experience. Security is Foundational Security can’t be an afterthought to the network. The Internet is not secure because security wasn’t thought of as part of the Internet. The attack surface is increasing and so is the number of devices, and so is of the number bad guys. We are not winning and it is easier than ever to hack into our networks. But security will be the first consideration for new network architecture and Encrypted Traffic Analytics (ETA) embeds security into the network. The Cisco security portfolio has proposed a pipeline of innovations coming for endpoints, networks and the cloud. Reinventing the network The network intuitive is in response to having reached a tipping point, with approximately a million new devices connecting to the network every hour. The network intuitive is the first major redesign of networking Cisco has ever done and intent based networking is very much the future. Deployment of the Digital Network Architecture (DNA) Centre promises agile software releases and decoupling new software and hardware innovation. Embracing a multi-cloud world Eighty-five per cent of Cisco customers are using the cloud but ninety-five per cent are using more than one cloud platform. Application Centric Infrastructure (ACI) in the datacentre is enabling a seamless transition of workloads and App Dynamics is used to monitor and track the performance of those applications. Unlocking the power of data There is a multitude of new opportunities for companies able to create efficiency in power, impact and performance around their data. The Internet of Things is unlocking so much new data and one of the key aspects is to create data efficiencies. Unlocking this data is a key strategic initiative for Cisco. The Cisco IoT networking portfolio along with the IoT software platform, called Kinetic, has been rated by IDC as one of the leading IoT platforms in the world and is designed to ‘connected anything’.

Collaboration With connection comes change to workplaces. Cloud products like Spark and Webx are connecting employees and customers and enabling new ways to engage with customers. The customer care portfolio and new Broadsoft acquisition, added with the DNA network assurance engine Spark assistant, makes Cisco’s pace of change impressive – and one to watch. There is indeed a sense of urgency and undoubtedly, commercial risk. As Rowan Trollope concludes, “It is time to reinvent the network. Time to improve the security posture. Time to transform the workforce experience. This time is now. Cisco is doing some very cool and exciting things!”

Australian Security Magazine | 43

Cyber Security - Sponsored by Micro Focus

Executive Editor ’s Interview

....with David Kemp Executive Editor’s interview (Extract) with David Kemp, Specialist Business Consultant with Micro Focus which imposes a penalty of up to 4 per cent of your global revenue or 20 million euros, whichever is higher. 2. Secondly, we can look at client audit. If you had to encapsulate these issues in relation to privacy in one word, it would be “trust”. Can I trust a product provider or service provider, bank, insurer, or even a transportation company, with my information? Many retail consumers are asking, are you GDPR effective? In Australia, the same question is being asked: are you compliant with Australian privacy laws? If not, you don’t get their business. This is a day-to-day occurrence, compared to a fine or a regulatory hit, which might impact only a few entities.

By Chris Cubbage EXECUTIVE EDITOR

View & Listen

There are two fundamental aspects to the GDPR:

General Data Protection Regulation: Insights into the fundamentals, ramifications & opportunities: The European Union’s General Data Protection Regulation comes into effect on 25th May. In March, David Kemp, Specialist Business Consultant with Micro Focus was in Australia to examine the Australian market against three key propositions: 1. To what extent does GDPR impact Australian entities handling the personal data of EU residents? 2. Are the lessons learned over the last two years, relating to GDPR in the United Kingdom, lessons that can be carried across to the Australian market and what is their relationship to the Australian Privacy Act 1988 and subsequent amendments. 3. GDPR is a catalyst for addressing bigger issues, both in relation to security and data lifecycle management – like yin and yang, they are inseparable, in terms of ensuring data privacy. So, we want to see what else Micro Focus can do for the Australian market. In explaining the business benefits of adopting the GDPR Compliance framework, David highlights, “There are several major benefits that we have found in Europe, which we are validating here in Asia. 1. First, the pure compliance piece, making sure you are being a good citizen as a corporate or government agency, and that you are avoiding the reputational damage if you get it wrong, along with any relevant fines. Here in Australia, the fine is $2.3 million compared to GDPR,

44 | Australian Security Magazine

1. The data type – people think this is just about dealing with emails or Word documents. However, it is any data: audio, visual, alphanumeric, and social media data. I was looking at an advert for the OCBC Bank in Singapore last week and they have a capability called voice banking. Both voice and facial recognition data types are also PII. So, Pandora’s box is already open; when I press the button in Europe and say I want to be forgotten in 28 days, you are going to have to find all of it. That’s just one axis. 2. The second axis is very important and it’s about location of data. Regulators seem to think that it’s about where your laptop is or where your Exchange server is hosted, but it’s not just that. It’s all endpoint devices. I was talking to the senior IT architect of a global bank and he said, “the mobile phone is our prime means of communication with our retail customers.” Sponsored I think most people know Focus by Micro that anyway, especially millennials, so from that point of view, where is the data? It could be an endpoint device, a mobile phone, a laptop, stored in a PC, or even a records management system, in an archive, in a backup or stored as hard copy in Iron Mountain. When I press the button to be forgotten with my bank, they need to look in every one of those silos, which is incredibly difficult. These are the two fundamental challenges that lie behind the ability to provide security and data lifecycle management. Regulation & Enforcement Will the regulators in Europe have the manpower and scope to enforce these laws? In David’s view, “They have the power, but this an important point: do they have the resources? I come from a banking background, with over 19 years’ experience, and I have found that regulators rarely have the capability to pursue and audit everyone. But they can carry out selective audits, and they are already warning organisations and government departments in Britain and Ireland that they will be audited by the 25th May. Regulators teach by example. The other issue is to what extent are regulators being

Cyber Security

helpful? The regulations are rather broad. One of the mantras we have as Micro Focus is, you need a legal opinion internal or external, to translate regulations into business functionalities – both in relation to security and data lifecycle management. Only then can you achieve a level of confidence; of course, it’s not always technology, since people, process, policy and procedures are important, but technology also has a role to play. The real question for people is, to what extent is your technology capable? Articles 34/3 and 30 of GDPR, talk about appropriate technical measures being taken to reduce exposure. If you have done that, you are providing yourself with remediation and exemption. But, to come back to answering the question, the regulators will do things by example – so the real question that should be asked is, “To what extent are regulators in Europe helping people?” I would say that in Ireland and the United Kingdom the regulators are particularly helpful, you look at their websites, they have guidance, checklists and recommendations on what you should do. There has been other instances in the Nordic region were the regulators are simply just waiting to see what happens. Who will enforce it? The point is that you cannot afford to wait, and you can’t afford to second guess it. Opportunities: Redundant, Duplicate, Obsolete, or Trivial Many corporations in Europe don’t look at over 30 per cent of their data, they don’t even know where it is or what is in it. It could be what we call ‘RDOT’ - redundant, duplicate, obsolete, or trivial, and someone thought they would load up Game of Thrones on a hard drive, for everybody’s enjoyment. If you take this away, what are you doing? The possibility of proper data analytics. Operational efficiency is an important point. Therefore, what the CIO’s have been doing is they are shrinking the data, they are reducing the size of the haystack, to make it easier to find the needle and that fits in with the bigger, longer-term strategies, of application retirement. At the same time, they are reducing the cost of their backup and recovery. We are talking ROI, which may sound strange in terms of compliance. The third axis is revenue. How can I make money out of GDPR or the privacy regulations? It comes back to ‘trust’ and brand loyalty. I will stay with you, providing that I can still trust you; I will come and join you as a provider of products and services, provided you are compliant. It improves my data mining. I was talking to a CIO of a large Asia Pacific bank recently, who said ‘I want to improve the ability of my high net worth managers and also my retail customer managers, to create new products and services to do that you need to mine the information, but the question is, ‘how can you mine it in an appropriate way?’ That is really where encryption comes in. To a certain extent, they don’t need to know me down to my exact street, they don’t even need to know my precise age, but simply the decade in which I lived. So, the idea of being able to access this information in a compliant way, we are talking about creating ‘new money’ and ‘new capabilities’. Let me just give you one more example. There is a large Japanese corporation that makes Sat-Nav devices. I changed

'Under GDPR, within 28 days you must find my data in any format anywhere in your enterprise and you must delete it and produce an audit trail to prove you have done it' car recently and said to the car dealer, ‘My Sat-Nav tells you quite a lot about where I live, who my friends are, where my family is and whatever. I want that scrubbed.’ What this Japanese corporation is planning to do is not only sell the Sat-Nav to Volkswagen but offer to bring back the data out of my Sat-Nav, cleanse it, encrypt it and send it back so they can use it for marketing purposes, but now it’s cleansed. What have they done? They have created a new revenue stream. Very clever. Privacy By Design Under GDPR, within 28 days you must find my data in any format anywhere in your enterprise and you must delete it and produce an audit trail to prove you have done it. The judges don’t understand the algorithms, but they can see the output. So, you need to prove you have achieved this. When you think of investigations such as with WikiLeaks, the Panama Papers, or the Paradise Papers, this is becoming a much more high-profile issue. I don’t believe that on the 26th May that in Europe there is going to be calamitous class actions, but it is possible. Furthermore, I don’t think you need a class action suit to fundamentally wreck the reputation of the business that lost all its customers’ data. You just need social media, and customers saying, ‘have you seen the same thing as I have?’ The final point to highlight is privacy by design: the concept that, from here on in, every time you create a new product or service, privacy is baked in. That means you are taking positive action in terms of analysis to anonymise or protect data, making this a fundamental part of business. Personally, I think this will change the corporate view, because you don’t have a choice. Micro Focus is a UK-based software company and is the largest tech stock on the UK stock exchange. Micro Focus merged last year with Hewlett Packard’s software division, creating the 7th largest software company in the world, with a market capital of close to $13 billion dollars and a revenue of $4.4 billion dollars. Visit www.microfocus.com

VIEW - VIDEO: https://australiancybersecuritymagazine.com.au/davidkemp-of-micro-focus-provides-an-in-depth-explanationinto-the-gdpr/

LISTEN – PODCAST: https://australiancybersecuritymagazine.com.au/episode48-implications-opportunities-of-the-european-unionsgdpr-and-australias-ndb-scheme/

Australian Security Magazine | 45

TechTime - latest news and products

To have your company news or latest products featured in our TechTime section, please email promoteme@australiansecuritymagazine.com.au

Australian Security Magazine, April/May 2018

Articles inside

Security, Risk & Technology