Australian Security Magazine, Oct/Nov 2017 by MySecurity Marketplace

Print Post Approved PP100003227

THE COUNTRY’S LEADING GOVERNMENT AND CORPORATE SECURITY MAGAZINE | www.australiansecuritymagazine.com.au Oct/Nov 2017

Australian Cyber Security Features Emerging threat landscape

Machine learning in Cyber Security Cyber Insurance: A Buyer’s Guide Part 2

The age of the invisible enemy

Mandatory breach notifications and the GDPR effect

Biological agents: enduring threat to national security

You’ve had a data breach…what happens next? Helping Australia build a secure healthcare network Know your enemy - Part 2

Special Feature! Australian Cyber Security Magzine

$8.95 INC. GST

PLUS

Women in Security | Techtime

THE MAGAZINE FOR AUSTRALIAN INFORMATION SECURITY PROFESSIONALS | www.australiancybersecuritymagazine.com.au @AustCyberSecMag Issue 3, 2017

The active directory botnet

Mandatory Breach Notifications and the GDPR Effect

Cyber insurance: A buyer’s guide Part 2

Machine Learning in Cyber Security

Know your enemy : Part 2

Honeycutt Social Engineering

Interview with ANZ's Security Team

WA’s Capture the Flag Competition

- PLUS -

D I V E R S I T Y F E AT U R E S Gender Minorities within STEM | Bridging the Gender Gap | Seeking diversity in Cybersecurity

Contents Editor's Desk 3 Q&A with Morey Haber

Cyber Security Executive Editor / Director Chris Cubbage Director / Co-founder David Matrai Art Director Stefan Babij

Cyber Insurance: A buyer's Guide - part II

Mandatory data breach reporting

Machine learning in cyber security:

You’ve had a data breach … what happens next?

Helping Australia build a secure healthcare network

Know your enemy Part II

Page 8 - Cyber Insurance: A buyers guide Part II

Women in Security

Correspondents Tony Campbell Jane Lo

MARKETING AND ADVERTISING T | +61 8 6465 4732 promoteme@australiansecuritymagazine.com.au SUBSCRIPTIONS

www.australiansecuritymagazine.com.au/subscribe/

Tali Friedman, Principal Solution Architect, Data Security, Micro Focus

Singapore Conference : End-to-end Cyber Security

Playing in the sandbox to combat ransomware

National Security Shake up & uncertainty for Australia’s domestic security arrangements 34Emerging threat landscape

The role of intelligence in maximising security capability

Emerging bio-threats: The age of the invisible enemy

Page 14 - Machine learning in cyber security

Biological agents, the almost forgotten but enduring threat to Copyright © 2017 - My Security Media Pty Ltd 286 Alexander Drive, Dianella, WA 6059, Australia T | +61 8 6465 4732 E: editor@australiansecuritymagazine.com.au

national security

TechTime - the latest news and products

All Material appearing in Australian Security Magazine is copyright. Reproduction in whole or part is not permitted without permission in writing from the publisher. The views of contributors are not necessarily those of the publisher. Professional advice should be sought before applying the information to particular circumstances.

Page 22 - Know your enemy Part II

CONNECT WITH US www.facebook.com/apsmagazine

OUR NETWORK

www.twitter.com/apsmagazine www.linkedin.com/groups/Asia-PacificSecurity-Magazine-3378566/about www.youtube.com/user/MySecurityAustralia

www.australiancybersecuritymagazine.com.au

Like us on Facebook and follow us on Twitter and LinkedIn. We post about new issue releases, feature interviews, events and other topical discussions. Page 40 - Emerging Bio Threats

Correspondents* & Contributors

Also with Aaron Waddell Brook Chelmo Debbie Evans Zoheb Ainapore

www.asiapacificsecuritymagazine.com

www.malaysiasecuritymagazine.com

www.drasticnews.com

Mark Luckin

Wayne Tufek

Michael Sentonas Dr Jodie Siganto

Dr John Coyne

David StaffordGaffney

Stewart Hayes

www.chiefit.me

www.youtube.com/user/ MySecurityAustralia

2 | Australian Security Magazine

www.cctvbuyersguide.com

Tony Campbell*

Jeff Corkill

Editor's Desk "I told Rex Tillerson, our wonderful Secretary of State, that he is wasting his time trying to negotiate with Little Rocket Man... Save your energy Rex, we'll do what has to be done!" - US President Donald J Trump, @realDonaldTrump Twitter posts, 10:30am & 10:31am, October 1, 2017

s the threat escalates of nuclear war with North Korea and an increasingly recognised Cold ‘Cyber’ War between the USA and China and Russia, there is a glaring gap in Australia’s policy in regards to the national security industry. Government initiated segregation is supporting cyber security and defence industries, whilst at the same time closing institutions, such as the Protective Security Training College. The departure from recognising physical security, in a cyber-physical environment is apparent and appears as a knee-jerk policy panic. The calls for collaboration are contradicted with a focus on silo security sectors. Indeed, even the Australian Government funded Australian Cyber Security Growth Network, has changed its name within months of its launch, now just ‘AustCyber’, dropping what ‘were’ key words of ‘security’, ‘growth’ and ‘network’. For two decades, security industry groups have repeatedly called for policy and legislative reform to state based regulations. Yet they have been ignored. There is no shortage of evidence showing Industry support, so any self-claimed ‘Industryled’ group, funded by the Federal Government, better have the right intentions. Yet, will they recognise the cyber-physical security domain? If physical security continues to be sidelined in a cybersecurity discussion, those pushing ‘only cyber’ can hardly have ‘security’ credibility or genuine intent. The security industry, as a whole, needs to generate and continue vigorous debate and firm discussion of the necessary policy and regulations needed in a digital, dangerous environment, where threat actors increasing gain foothold and create opportunity for themselves. To say cyber threat actors don’t engage with or circumvent physical security frameworks of an enterprise is ill informed and demonstrates a lack of capable threat modelling. To highlight this issue, in late September I spent a week visiting San Francisco, San Jose and Silicon Valley, courtesy of NetEvents. The ‘Innovators in Cloud, IoT, AI & Security’ program started with a panel session with MK Palmore of the FBI’s Cyber Branch, based in San Francisco, Dr. Ronald Layton, Deputy Assistant Director of the US Secret Service and Michael Levin, former Deputy Director of US Department of Homeland

Security. The FBI’s MK Palmore confirmed the four primary cyber threat actors are those with a financial motive, nation states, hacktivists and the Insider. His primary message to Enterprise is to have three key things; “Commitment from management, security fundamentals and information sharing. Yet this message is not being followed and these are not complex issues. There are basics involved in protecting information, protecting systems, and in our investigations, we have always found some of the fundamentals, like patch management, auditing, getting buy-in from senior management for enterprise risk management, and empowering security people, time and time again, folks are not doing it.” Michael Levin confirmed, “as the bad guys get more sophisticated, the private sector has to get more sophisticated.” Organised crime is now a global organisation and attached to global networks and makes it harder to align and connect the dots”, said Dr. Layton, “the US Secret Service has a 25 year history in electronic crimes, so we know these crimes, we know the criminals know each other, we know they collaborate and we know they speak Russian. They are very good at the human factors and know how to make people curious to a sufficient degree to click on a link. If I have $10 for cybersecurity, $8 is going to education. It is not a cat and mouse game, it’s a game of rock, paper, scissors, where there is a constant exchange.” As Dr. Layton highlighted, currency crimes have moved from paper, to plastic and now electronic and digital – the crime itself remains the same. A qualified electrical engineer and former code writer, Dr Layton views the modern era as a time “we have become attuned to simplicity and convenience. Convenience is the new nicotine, with information instantly available. Simplicity is ubiquitous, seen with such passwords as ‘1234’. Human factors are a significant reason why we are not further advanced in cybersecurity.” “Simple things like using two-factor authentication is an obstacle and a good example of cyber hygiene”, said Michael Levin, “where the common cyberthreat actor is likely to move on to another target. Not taking the time to educate people was a problem 20 years ago and is still a problem today. For the rest of our lives everyone will

have a computer, we have to find a way to educate people on how to protect themselves online.” Cybercrime remains a priority for the FBI and like most organisations has identified there is a shortage of skilled personnel, with the added pressure of having to compete against the private high-tech sectors. For the US Secret Service, Dr. Layton confirmed, “we are on an aggressive campaign for STEM backgrounds. It doesn’t necessarily take someone with an engineering background to be a good electronic investigator. We are not there yet but we are close to getting to where we want to be”. Michael Levin highlighted the need to push public service as a factor, “what law enforcement is paying is so much less than entry positions in Silicon Valley. We have to get back to the public service piece of the puzzle. We have to do a better job at asking the best and brightest to join us.” In this special, final edition of the Australian Security Magazine for 2017, we highlight the ‘black swan’ factor of biological warfare, uncertainty around the national security landscape and all alongside our dominant content from the Australian Cyber Security Magazine for the AISA National Conference in Sydney and the WA Chapter’s Perth Conference. We will also see you at the ASIS International’s National Security Conference in Melbourne, amongst our own round-table events supported by Palo Alto Networks and Micro Focus. It has been a busy and challenging year, including business conditions, political obstipation and global threats of nuclear catastrophe – in 2018, we should expect nothing but the same or worse. I predict with a degree of pessimistic certainty that it will not be better. Regardless of where the world turns, we look forward to engaging, educating and entertaining you next year. And on that note, as always, we provide plenty of thought provoking material and there is always so much more to touch on. Yours sincerely, Chris Cubbage CPP, RSecP, GAICD Executive Editor

Australian Security Magazine | 3

Cyber Page for ACSM & AISA Cyber Cyber Security Security

....with Morey Haber Vice President of Technology, Office of the CTO

By Tony Campbell ACSM Editor

With more than 20 years of IT industry experience, Mr. Haber joined BeyondTrust in 2012 as a part of the eEye Digital Security acquisition and currently overseas strategy for both vulnerability and privileged identity management. In 2004, Mr. Haber joined eEye as the Director of Security Engineering and was responsible for strategic business discussions and vulnerability management architectures in Fortune 500 clients. Prior to eEye, he was a Development Manager for Computer Associates, Inc. (CA), responsible for new product beta cycles and key customer accounts. Mr. Haber began his career as a Reliability and Maintainability Engineer for a government contractor building flight and training simulators. He earned a Bachelor’s of Science in Electrical Engineering from the State University of New York at Stony Brook.

4 | Australian Security Magazine

With more than 20 years of IT industry experience, Morey Haber joined BeyondTrust in 2012 as a part of their eEye Digital Security acquisition, working in overseas strategy for both vulnerability and privileged identity management. ACSM: Hi Morey, thanks for agreeing to speak with us today. Can you give our readers an idea of what brought you into cyber security and why cyber security? and what aspects of your career to date have helped you get where you are today? In all fairness, I stumbled into cyber security almost 20 years ago, while working in the network management space of operations. The security models for SNMP only included v1 and changing community strings was not possible on many devices. Simple discovery scans revealed that devices could have their MiBs modified and the runtime of the devices altered for malicious activity. This included changing email addresses on multifunction copiers to send copies of all copied/scanned material to an attacker. These basic attacks in the late 1990’s raised my interest in cyber security and so began my journey on my current career path. In the early 2000’s, a former executive of mine joined eEye Digital Security and recruited me to grow the business. At that time, we were a young start-up with only two dozen

employees and very limited venture capitalist funding. There were only two commercial vendors performing vulnerability assessments and the security community barely existed. Most organisations were in denial of the potential threats and the risks. Within a few years, I assumed responsibilities for product management and business development for our network scanner and endpoint protection platform. I will state candidly, that the learning curve was steep. There was very little training at the time, anti-virus was typically signature-based, and intrusion prevention solutions were just emerging on the market. Today, we take firewalls and basic threat protection for granted, before the wild west days of SQL Slammer and Code Red. In fact, many businesses at that time would not even put anti-virus on their server’s due to performance issues, let alone apply security patches, in fear of something breaking. In 2012, BeyondTrust acquired eEye Digital Security. The focus from vulnerability management to privileged access management was an easy pivot. Privileged attacks are just another method for a threat actor to breach an environment and conduct similar malicious activities as the defaults used in SNMP community strings. The only curve was learning the permutations of privileged attacks and applying them to data exfiltration and lateral movement, both of which vulnerabilities and exploits have been doing for almost 20 years. Privileged access was not much different than the threat landscape I learned in the past. Therefore, after all this time, my duration of being in the security community and watching threats and technology evolve, have been my greatest asset in bringing my career to prosper to date. New professionals to the security community should not only learn about modern threats, but also study past attacks and history. After all, history is what has brought us to the problems we face today and we can learn how similar problems have been mitigated in the past, and what has been proven to be most effective. ACSM: What advice would you give to Australian businesses and governments regarding both the national and international cyber threat landscape? There are several key recommendations all organisations should adhere to regardless of government, commercial, and even home use, to mitigate risks, regardless of the geography. These are critically important because they represent the lowest hanging fruit, threat actors are leveraging to attack our IT resources: 1. Education, Training, and Measurement The average user may not be able to tell the difference between a regular email, phishing, or spear phishing attack. They do, however, understand that if you click on the wrong thing, you may lose all your work, infect your computer, and cause massive damage to the organisation. If you can translate the threat from an attack into terms the average user can remember, then the human element of social engineering

Cyber CyberSecurity Security

can have some definable mitigation strategy. Most modern threats come via phishing attacks and the training needs to cover the threat, identification of phishing emails, and the hard lesson of what to click on and when not to open a file. A simple phone call can verify if the email is legitimate and we need to instruct team members how to verify the source before continuing. It is not hard to do--just like looking both ways before crossing the street--but we need to teach all users about safe computing practices. And, for most organisations, penetration testing with phishing samples is recommended to measure the success of your training initiatives. 2. Secure and Verifiable Backups One of the worst-case scenarios for any attack is you become infected with malware that wipes the environment. That means your data is encrypted by ransomware or simply erased (wiped). So how do you recover? Secure Backups. While this recommendation is not preventative, it is the only one that can help you when all else fails. All data should be backed up, and most important secured, such that a malware infection or advanced persistent threat cannot compromise the backup via mapped drives or network shares. The backup should also be tested on a periodic basis to ensure it can restore all files to a pristine state. A common mistake for organisations, however, is to attempt a restoration before a malware infestation is cleared. While some anti-virus solutions can remove the malware, best practices recommend rebuilding or re-imaging the host(s). There is always a chance the threat was more sophisticated than the endpoint security solution can detect and resolve, and that a persistent threat may be present for a future attack. A complete reload is the only way to be moderately sure that the issue has been resolved. If the infection is bad enough and found its way to a domain controller, you should strongly consider reloading the entire environment. It is the only way to be sure. 3. Secure Macros Some of the newest ransomware and clever malware is taking cues from older viruses that leverage Microsoft Office and other application macros. This isn’t easy to resolve, because many of our spreadsheets and documents depend on macros to satisfy business and functional requirements. For example, a recent addition to the long list of ransomware, “PowerWare,” comes in typically through a phishing email and contains an infected Word attachment. The document contains a malicious macro, which then calls a PowerShell script, which carries out the payload. This email is scary because Word and PowerShell are very common and approved applications at almost every organisation. Therefore, they represent a trusted attack vector for modern threats. In newer versions of Microsoft Office, they do contain a setting to drastically reduce the possibility of this happening. The setting, ‘Disable all macros except digitally signed macros’, found within the Trust Center settings will do just that, prevent a macro without a valid certificate authority from executing. This provides secure granularity to enable macros verses the ‘Disable all macros’ setting. Unfortunately, you may not be able to enable this setting since not all macros your

business requires may be signed, or otherwise the certificate for them may be expired. Wherever possible, insist any vendor that provides software containing macros sign them and establish a process internally to sign macros, so this setting can be properly enabled for everyone. 4. Patch and Update Frequently As if the thought of an angler phish is frightening enough, an exploit kit sharing the same name targets older versions of Flash and Silverlight. According to the Verizon Data Breach Report, 99% of attacks target known vulnerabilities. Even though this specific vulnerability has been patched, many organisations do not patch third party applications regularly — let alone the operating system itself (think WannaCry). Maintaining software to their most recent versions is nothing new, but we continue to see outdated--and sometimes years outdated--software in production environments. It is important to have a regular schedule to assess your environment for outdated or vulnerable software, and have a tested process to remediate any findings. These are security basics and if your organisation is not doing it well, it is an easy problem to solve and see some tangible threat reduction results. This includes keeping endpoint protection technology and local anti-virus up to date as well. Businesses still rely on this for a first line of defense when education fails and a threat has been identified (and prevented) before the infection. Basically, if it can be updated to a more secure version, it should be, and as frequently as technically and business friendly as possible.

'While defenses for monetized crimes are the same as other cyber security threats (monitoring privileges, patching, reviewing activity, etc.), organised hactivism is much more difficult to control without censorship.'

5. Remove Administrator Rights Most threats propagate by leveraging the user’s privileges to move laterally or infect files. If the user only has standard user rights, the only files and systems visible are the ones they may have local or via a network share. While the scope of this may be large, it can be much worse if the user has administrator privileges. Then, potentially every resource visible to an administrator is in scope and therefore the entire environment is potentially susceptible to an infection. The fact of the matter is that most threats requires administrator privileges just to launch or leverage an exploit. If you reduce a user’s privilege to standard user, threats that try to install a persistent presence are generally thwarted because it does not have the privileges to install files, drivers, or even access the registry unless it leverages an exploit to escalate privileges. This is a sound mitigation strategy for the clear majority of malware, that needs to own a system to begin infecting files and lateral resources. If this strategy is bundled with application control and least privilege technology, only a few forms of threats (like WannaCry ransomware or macro based) cannot be prevented. This proves that to successfully prevent an attack requires a blended approach from the removal of administrative rights to handling the edge cases that leverage social engineering, macros, and vulnerabilities and their corresponding exploits. In conclusion, if you look at these closely, they are covered in the ASD Top Four and Essential Eight. The Australian Government recognizes these recommendations and their >>

Australian Security Magazine | 5

effectiveness, and has taken the additional steps to formalize the recommendations for all applicable organisations. ACSM: What can organisations do to identify, evaluate and measure cyber risks, and put in place mechanisms to manage and minimise risks? Organisations have a plethora of security tools at hand to identify, mitigate, evaluate, measure, and prioritize cyber security risks. Each one of these tools as standalone solutions, regardless of vendor, have valuable events and logs that individually provide breadcrumbs to measure risk. I recommend to all organisations to invest in a Security Event Information Manager (SEIM). SEIM’s are designed to consolidate all this information and provide correlation, analytics, and depending on the vendor, automated actions to manage the risks. If they do nothing else, they provide a central location to look for security information, verses hunting through a network and manual correlation to identify a threat. ACSM: Where do most cyber threats affecting Australian organisations originate from? It is a false assumption that cyber security threats are originating from one region or another. While we hear in the news about attackers from Russia, Ukraine, and North Korea, it does not mean the threats themselves “actually” originated from those countries or geographic regions. Consider the recent breakout of WannaCry. The vulnerability and accompanying exploit originated in the United States, was stolen during a security breach of the NSA, and posted illegal to the web by ShadowBrokers. The information needed to create the ransomware worm was the culmination of prior art, but ultimately distributed by a threat actor; somewhere. In short, cyber threats affecting Australian organisations can originate anywhere. While the majority may appear to be originating from one region or another, an insider threat like Edward Snowden can overshadow all of them and prove that our greatest enemies could be anywhere. Organisations should therefore not focus defenses based on region, but rather consider the Internet a hostile risk all together and raise privileged access based on context aware decisions to mitigate any regional anomalies. ACSM: Is there a growing cyber threat posed by international terrorist organisations and organised crime and what can we do about it? There is a growing cyber threat posed by international terrorists, hacktivists, fake news, and organised crime. Their goals, however, generally follow two models: money or antiestablishment. Just like any organised crime, money is the attractor. This could be attacks against banking infrastructure like the SWIFT network or credit card skimmers. If a criminal can easily steal money anonymously, they have an easy crime they will continue to proliferate. As for the antiestablishment, it is all about politics. Whether it materializes as fake news or hacktivism, the goal is to destabilize a

6 | Australian Security Magazine

government, organisation, or create conflict. While defenses for monetized crimes are the same as other cyber security threats (monitoring privileges, patching, reviewing activity, etc.), organised hactivism is much more difficult to control without censorship. The Australian Government recently participated in a parallel effort to block websites containing stolen entertainment videos to protect the companies and revenue they generate. The same philosophy is enabled by China to block any questionable or controversial content. The problem becomes when does civil liberty become stunted by the need to protect the establishment. This is a freedom of speech issue that will play out for many years. ACSM: From the perspective of national critical infrastructure, how is Australia faring compared to other countries? While I can speak to the “actual” state of the nation’s critical infrastructure, I can unequivocally state that no other nation has produced a simplified requirements document like the ASD Top 4 or Essential Eight for end user (organisation) consumption. While other governments issue standards around HIPAA, GDPR, NIST, etc., all of them require a level of expertise to read, comprehend, and ultimately implement. I would say Australia is ahead of everyone else by promoting guidelines everyone can understand and implement, that solve the clear majority of cyber security threats. It is now up to organisations to implement them and measure their success. That measurement is something this security professional does not have intimate knowledge of since its introduction in 2014. ACSM: What can businesses do to keep abreast of the threats to Australian interests? I would recommend that all businesses have a security professional or trusted advisor to keep them informed of the latest cybersecurity threats. Depending on the size of the business, this could be a full-time employee or trusted technology partner, that helps with cyber security solutions and best practice recommendations. In addition, specialised news websites and blogs are good outlets for those who want to embark on a self-education process and stay abreast of all modern threats.

Australian Security Magazine | 7

Cyber Page for ACSM & AISA Cyber Security

PART II

Cyber Insurance: A Buyer’s Guide

P By Mark Luckin

art 1 of Cyber Insurance: A Buyers Guide gave us an introduction to the basics of Cyber Insurance. (covered in Issue 2) Part 2’s intention is to delve deeper into some of the more important aspects of tailoring coverage to organisations, service team offerings and submissions to underwriters. We further look into policy response and its importance with respect to the upcoming mandatory breach notification laws. Tailoring coverage and the limit of liability to organisations associated risks and exposures Whilst every organisation is exposed to cyber risk, the consequences vary across industry and business size. When considering implementing a cyber insurance policy as part of an overall cyber risk management strategy, organisations need to keep in mind the fact the policy provides both 1st and 3rd party protection and well as business interruption loss protection. Ultimately this translates into immediate and slow-burn costs and needs to be taken into account when considering the most appropriate limit of liability. Organisations should be encouraged to consider that beyond the immediate investigation costs, notification costs (see Mandatory Breach Notification Laws), business interruption costs, fraud costs, extortion costs and remediation

8 | Australian Security Magazine

costs, there is potential for consequential third-party litigation expenses, regulatory fines and penalties, customer loss and loss of revenue (“slow-burn costs”). Estimating the potential costs to an organisation of a breach by only considering immediate costs, could lead to a significantly inadequate limit of liability. If this approach is taken, an organisation may find itself with no protection available, for associated slow-burn costs. A proper assessment of the full potential impact of a breach/unauthorised access should be undertaken. With respect to coverage, whilst there are emerging structures that most cyber insurance policies adhere to, there are nuances in policy wordings that if not addressed could have substantial impact on an organisation should a claim/ potential claim occur. Two examples are outlined below: •

The definition of a computer system may vary between insurers to only include systems under the care, custody and control of the insured, or also those systems ownedby outsourced providers that store data on behalf of an organisation. This may have a significant impact should a breach of personally identifiable information (PII) occur through the third party as, under Australian Law the organisation may still be liable for the breach, despite the outsourcing. Organisations outsourcing storage of PII could potentially be uninsured, should the correct policy

Cyber Security

•

wording not be selected. The Business Interruption (BI) Loss definition could also substantially impact an organisation, with some insurers offering gross profit protection only, and others offering – in addition to gross profit loss – “work around” costs (work around meaning power costs etc.). A junior mining explorer, for example, may not be making any profit and without the addition of workaround costs within their policy, they could be at a significant disadvantage when faced with a BI loss. Further, a BI definition may only provide BI loss protection until an organisations system comes back online, as opposed to an alternative insurer, who may offer BI protection until an organisation returns to making a full profit.

The above two brief scenarios demonstrate the importance in a proper review of wordings and limits of liability to industry and business size. A healthcare based organisation, for example, may have less concern around the business interruption loss component, as in example two, but would likely want to make certain that coverage for a breach of their data is afforded to themselves and as a result of a breach from a third party. A consideration of “where may the risk come from?” is essential. Organisations also need to consider future plans of an organisation, in a general business sense and an IT sense and plan for this when considering cover and limits.

'Ultimately the more relevant information an underwriter can receive from an organisation, the better they can construct a bespoke, accurately priced cyber policy that can cover an organisations specific cyber risks. ' -

Evidence of tested business continuity plan (BCP) or data recovery plans (DRP) (in the event of a cyber incident); -

Submissions to underwriters Traditional insurance risk is modelled on years of data from insurers, as well as national and industry data. There are no equivalent sources for cyber-risk for the required modelling. Cyber risk is an evolving risk, with an equally evolving knowledge. Therefore, given such an immature market, the better submission to an underwriter, the better the cover and premium. When considering insuring the cyber risk of an organisation, potential underwriters compile a mass of information on their potential clients to determine their risk exposure. The more information businesses have and share, the more effectively insurers are going to be able to price the risk, and tailor the appropriate cover. Organisations can dramatically improve their breadth of cover and premium by providing: An outline of implemented cyber and IT security practices; -

This does not just apply to the IT team. Evidence of general staff training and their knowledge of cyber risk as well as further evidence of continual review of practices, procedures and training can significantly influence an underwriter’s view on risk. The importance of organisational culture and understanding around this risk is commonly understated. The clearer an organisation can demonstrate an acceptance and want to mitigate this risk, the better the outcome in obtaining coverage at a reasonable price.

Evidence of discussions held at C-suite or board level relating to cyber security risks;

Often also understated, an underwriter will strongly value evidence of discussions around cyber risk at a C-Suite level. This shows an organisational want to understand and mitigate this risk.

By way of example to Office of the Australian Information Commissioner (OAIC) recently released their results of an investigation into the Red Cross Data Breach that occurred in 2016. (https://www.oaic. gov.au/resources/privacy-law/commissioner-initiatedinvestigation-reports/donateblood-com-au-data-breachaustralian-red-cross-blood-service.pdf ). Simply, the Red Cross avoided a fine from the OAIC (but not enforceable undertakings) due to their response to the data breach. Implementing and testing a BCP/DRP can potentially reduce an organisations exposure, and therefore an underwriter’s exposure. This may encourage them to reduce their premium and broaden their business interruption cover.

Results of third party penetration testing and external/independent party review of cyber security/privacy practices; -

Engaging independent parties to review an organisations current security procedures and practices, and then implementing suggested changes again brings confidence to an underwriter when assessing an organisations risk profile. Such assessments give underwriters confidence beyond a self-completed proposal form.

Provision of agreements with third party (managed security) service providers and how these are maintained: -

This is potentially a very large area of exposure for an underwriter, especially around slow burn costs (i.e. third-party litigation). If data storage is outsourced underwriters will want to know whether the third party obliged to let their client know whether there has been a data breach. Contractual evidence to show reporting obligations again can reduce data breach cost and exposure to organisations and underwriters.

Ultimately the more relevant information an underwriter can receive from an organisation, the better they can construct >>

Australian Security Magazine | 9

Cyber Security

a bespoke, accurately priced cyber policy that can cover an organisations specific cyber risks. Finally, with respect to submissions to underwriters, organisations should consider the cost of cyber/IT risk mitigation and the potential reduction in premium this may bring. Conducting a review of an organisations areas of risk, strengths and weaknesses around cyber security and implementing changes could significantly reduce a cyber insurance policy premium and assist in broadening cover. This should be a discussion held with a specialist cyber insurance broker. Service team offerings (third parties) As touched upon in Part 1, a common and unique aspect of cyber insurance policies, is the unique combination within a policy of a (potential) promise to pay, coupled with Crisis Management Service Team offering. These service teams are structured in a “panel offering” by insurers. This comprises a selected group of Lawyers, IT Specialists, Media Relations Specialist, Credit Monitoring Specialists, designed to assist an organisation from the moment a breach, or suspected breach occurs within an organisation. Traditionally this Service Team is accessed through a dedicated 24/7 dedicated incident response “hotline”. These hotlines can be monitored by Loss Adjusters, Internal Claims Teams and even Lawyers depending on the insurance provider. As per wordings, service team offerings differ between insurers. Suitability of service teams also need to be considered with limits of liability and alternative wordings. As per the above point made with respect to discrepancies in wordings, organisations will want to partner with the most suited service team. This again comes down to an assessment on the most likely area of exposure/concern to an organisation i.e. business interruption loss or privacy breach. It is easy to use a healthcare organisation as an example again, in which the main area of concern/exposure may be a privacy breach. Such a healthcare organisation may want to consider a claims team where a Lawyer – as opposed to a loss adjuster – is the first claims contact, given initial discussions with a lawyer will give an organisation legal privilege should a thirdparty claim develop. An alternative organisation whose main concern is business interruption loss (a factory or transport organisation for example) are likely to be more suited to a loss adjuster being the claim first point of contact. It is also understandable that organisations may have alignments/partnerships with third party cyber security providers. Certain underwriters will welcome consideration in placing such a provider on their crisis management service team for specific clients. Mandatory Breach Notification laws Having been on the government’s agenda since 2015, many within the IT, Security, Legal and Insurance arenas have seen this as a long time coming. Under the proposed laws, organisations subject to the Privacy Act 1988 (Cth) would be required to notify the OAIC and affected individuals should

10 | Australian Security Magazine

a serious data breach occur. Most businesses are subject to Privacy Act obligations, specifically those with an annual turnover in excess of $3 million, as well as a number of smaller organisations, such as those handling sensitive data. This Bill increases the consequences of an already present and growing risk faced by all organisations and in the event of a breach, the affected company will face serious cost and reputation exposures. Significant pressure to protect personal and corporate data, as well as maintaining relationships and brand reputation will be felt by companies regardless of the Privacy Amendment. Mandatory notifications, however, amplify potential damages given: 1. Notified data breaches becoming instant public news. Not only will the person affected potentially disclose such a breach in forums such as social media or web pages but breaches will be reported in the mass media and recorded for perpetuity online. 2. Dedicated privacy and consumer rights organisations will keep comprehensive and permanent online records of reported privacy breaches. 3. Contractual counterparties will know about the breach and will be concerned about whether their confidential information has been exposed. 4. A potential increased risk from affected parties, or litigation funders on behalf of affected parties conducting class actions resulting from a breach of data. The Ponemon Institute indicates that without mandatory breach notification laws, companies face up to an 80% chance of losing nearly a quarter of its value in a single month following a significant breach crisis. These costs are only expected to increase once the above Bill comes into effect. The application of cyber insurance as an additional layer of protection, complementing the efforts of IT departments and other information security functions, is where the greatest value lies. This is particularly effective when the cost of additional information security controls does not reduce the risk enough to make the investment in such controls practical. Conclusion As the threat increases, so will the demand for cyber insurance. Discussion around the risk and potential insurance requires the whole of an organisations input and assistance from a specialised cyber insurance broker given: - - - - - -

The assessment involved in determining a suitable limit of liability. The intricacies and associated suitability of various wordings. The detail involved in submissions to underwriters. The risk to organisations and directors and officers. Preferences to Crisis Management Service Team offerings; and Developments in legislation and the potential impact on directors, officers and the organisation as a whole.

In the next issue, we look at specific, yet hypothetical, scenarios and how a policy may or may not respond.

Cyber Page for ACSMFeature & AISA Cover

Mandatory data breach reporting : What you need to start doing right now

n entity that is required to comply with the Privacy Act 1988 must take reasonable steps to protect the personal information it holds from misuse, interference and loss, as well as unauthorised access, modification or disclosure. This extends to situations where an entity engages a third-party to store, maintain or process personal information on its behalf. In February of this year, the Commonwealth government passed the Privacy Amendment (Notifiable Data Breaches) Bill 2016, which will amend the Privacy Act, making it mandatory for companies and organisations to report “eligible data breaches” to the Office of the Australian Information Commissioner (OAIC) and any affected, at-risk individuals. Does the Privacy Act apply to my organisation? Australian Government agencies and all businesses and notfor-profit organisations with an annual turnover more than $3 million have responsibilities under the Privacy Act, subject to some exceptions. The Privacy Act also covers small businesses, with a turnover of $3 million or less under the following circumstances: • Private sector health service providers. Organisations

• • •

providing a health service include: - traditional health service providers, such as private hospitals, day surgeries, medical practitioners, pharmacists and allied health professional - complementary therapists, such as naturopaths and chiropractor - gyms and weight loss clinic Child care centres, private schools and private tertiary educational institutions. Businesses that sell or purchase personal information. Credit reporting bodies.

By Wayne Tufek

What are reasonable steps? The reasonable steps entities should take to ensure the security of personal information will depend on the circumstances, including the following: • The nature of the entity holding the personal information. • The amount and sensitivity of the personal information held. • The possible adverse consequences for an individual. • The information handling practices of the entity holding the information. >>

Australian Security Magazine | 11

Cyber Security

Organisations and businesses subject to the Privacy Act should now take steps to ensure that their processes and procedures will enable them to meet the new obligations when they come into effect in February 2018. • •

The practicability of implementing the security measure, including the time and cost involved. Whether a security measure is itself privacy invasive.

Reasonable steps would include: • Performing or conducting Privacy Impact Assessments (PIA). • Implementing Privacy by design principles. • Performing information security risk assessments. • Creating and maintaining a Privacy Policy. • Having a comprehensive and up to date set of information security policies. • Restricting physical and logical access to personal information on a "need-to-know" basis. • Keeping your software up to date and current. • Employing multi factor authentication. • Configuring your systems for security. • Employing end point security software. • Security monitoring tools to detect breaches. • Using network security tools. • Penetration testing exercises. • Vulnerability assessments. • Having a data breach response process. What is mandatory data breach notification? Mandatory data breach notification is a legal requirement designed to protect the individuals affected by a data breach so that they may take the necessary steps and measures to protect themselves from any harm or damage. Notifying affected individuals is good privacy practice, as it gives each person the opportunity to take proactive steps to protect their personal information and also helps to protect an organisation’s reputation by displaying transparency and openness. The mandatory data breach notification scheme being introduced will require entities to promptly notify the Office of the Australian Information Commissioner (OAIC) and any potentially affected individuals of an "eligible data breach". When has an eligible data breach occurred? An eligible data breach occurs when: • there has been unauthorised access to, or disclosure of, personal information and a reasonable person would

12 | Australian Security Magazine

conclude that there is a likely risk of serious harm to any of the affected individuals because of the access or disclosure; or • personal information is lost in circumstances that are likely to give rise to unauthorised access to, or disclosure of, the information and a reasonable person would conclude that there is a likely risk of serious harm to any of the affected individuals. Examples of a data breach would include and not be limited to: • Loss of a computer or data storage device containing personal information • Unauthorised access to personal information because of a hacking attack or data breach • Employees or contractors accessing or disclosing personal information outside the bounds of their employment • Emailing, sending or simply providing personal information to the incorrect people What constitutes serious harm? Serious harm, in this context, could include serious physical, psychological, emotional, economic or financial harm, as well as serious harm to reputation and other forms of serious harm that a reasonable person in the entity’s position would identify as a possible outcome of the data breach. In assessing the level of harm, an organisation needs to consider the nature and sensitivity of the personal information, whether the information is protected by some type of security measures (e.g. encryption), who has obtained or accessed, or could obtain or access, the information, and the nature of the harm to affected individuals. What does notification entail? In the event of an eligible data breach, an entity is required to notify the Commissioner and affected individuals as soon as practicable after the entity is aware that there are reasonable grounds to believe that there has been an eligible data breach (unless an exception applies). The notification statement must include: • The identity and contact details of the entity. • A description of the serious data breach. • The kinds of information concerned. • Recommendations about the steps that individuals should take in response to the serious data breach. Notification must occur as soon as practicable after the preparation of the statement and may be made using the method normally used by the entity in communicating with the individuals. Depending on the situation, other methods of notification are permissible, for example, if an entity is unable to notify each affected individual, notification via the entity's website if one exists, would be satisfactory. What if I'm not sure if an eligible breach has occurred? If an entity is aware that there are reasonable grounds to suspect that there may have been an eligible data breach of

Cyber Security

the entity then the entity must carry out a reasonable and quick assessment of whether there are reasonable grounds to believe that the relevant circumstances amount to an eligible data breach of the entity and take all reasonable steps to ensure that the assessment is completed within 30 days after the entity becomes aware. If you believe a data breach has occurred then you must undertake an investigation to determine if the breach must be reported or not. Your investigation must be completed within 30 days after you become aware. Are there any exceptions to the requirement to notify? Yes. Following a data breach, where an entity has taken remedial actions and steps to address any potential harm to individuals that may arise due to the data breach, before any serious harm is caused to individuals to whom the information relates, the mandatory notification obligations will not apply. The key test is whether a reasonable person would conclude, because of the actions taken, that the access or disclosure or loss of information would not be likely to result in serious harm to any of the individuals to whom the personal information relates. This exemption demonstrates the value of early detection of data breaches and well thought out actions. The ability of an organisation to detect a data breach and act in respect of reducing any potential damage to individuals whose personal information has been disclosed or lost, will play an important part in mitigating the potential damage that such an incident can cause. Other exemptions are also listed in the Act. Are there any penalties if I don't comply? Yes. Failure to comply with the new regulations will be deemed to be an interference with the privacy of an individual for the purposes of the Privacy Act. This will engage the Commissioner’s existing powers to investigate, make determinations and provide remedies in relation to non-compliance with the Privacy Act. This includes the capacity to undertake Commissioner initiated investigations, make determinations, seek enforceable undertakings, and pursue civil penalties for serious or repeated interference with privacy. Serious or repeated interference with the privacy of an individual attract a maximum penalty of $360,000 for individuals and $1,800,000 for bodies corporate.

Your plan should be updated and then tested to make sure that it is effective, works as intended and everybody that is part of the plan is aware of their roles and responsibilities. • • •

Assess the risk of serious harm to affected individuals if personal information is disclosed or lost. Notify affected individuals and the OAIC. Review any contracts with third parties who hold personal information on behalf of your organisation and ensure that adequate contractual provisions are in place to manage compliance with the notification regime.

Your plan should be updated and then tested to make sure that it is effective, works as intended and everybody that is part of the plan is aware of their roles and responsibilities. The introduction of the new legislation is a good opportunity to assess and measure your compliance with the Privacy Act provisions. About the author Wayne Tufek is currently a Director of CyberRisk (www. cyber-risk.com.au). For over 20 years he has formulated pragmatic, business driven strategies to establish, execute and improve cyber risk management in ASX listed companies and some of Australia’s largest organisations across the public sector, Big 4, financial services, consumer products, education and retail sectors. Wayne is a member of Chartered Accountants Australia and New Zealand and holds the SABSA SCF, CISSP, CRISC, CISM, CISA and ISO/IEC 27001 Lead Implementer qualifications. He is frequently asked to present at security conferences and events in Australia and internationally including the ACSC Conference, RSA APJ and CeBit.

What should I do? Organisations and businesses subject to the Privacy Act should now take steps to ensure that their processes and procedures will enable them to meet the new obligations when they come into effect in February 2018. We recommend you ensure that your data breach incident response process is updated to include steps to: • Identify if an eligible data breach has occurred. • Investigate any suspected security incidents to determine if an eligible data breach has occurred so that it can be reported.

Australian Security Magazine | 13

Cyber Page for ACSM & AISA Cover Feature

Machine learning in cyber security: The newest tool in the toolbox

M By Michael Sentonas

achine learning, as a concept, has existed since the first computer was created, which raises the question: Why has the term only recently begun to surface in the security industry? Technological and business changes have certainly contributed to the shift, with organisations far and wide exploring the potential of machine learning across a number of processes. For example, right now it’s near impossible for companies to keep up with sophisticated attack techniques using traditional prevention methods. Even the most advanced Security Operations Centres (SOCs) struggle to manage the overwhelming bouts of suspicious activity and alerts they encounter, when fighting advanced threats such as malware-free intrusions. Machine learning has been hailed for its efficacy in dealing with these security challenges and has become the newest tool in the security toolbox.

analysts as a set of rules that, for example, describe malicious traits and create some resilience against basic modifications an attacker might attempt. On both counts, machine learning can have a transformative impact. With new malware files, emerging at an average rate of more than 10 million every month, signature or IoC based approaches to threat detection are not viable, while human-derived heuristics struggle to scale quickly and accurately. These malware detection approaches commonly rely on data files that are hundreds of megabytes in size and need to be updated daily. This is where machine learning-based approaches step in. These approaches do not attempt to recognise individual malicious files; instead, they search for malicious file traits.

Machine learning pitted against traditional cybersecurity

Machine learning is the ultimate problem-solver for today’s cybersecurity professionals. If properly managed and leveraged, machine learning can be a force to be reckoned with for cyber security teams; able to analyse security-related data, including file “features” and behavioural indicators over enormous data sets. That’s billions of events that can be used to “train” the system to detect unknown and never-beforeseen attacks, based on past behaviours. If machine learning algorithms are trained with data-rich sources, and augmented

Machine learning is undeniably more effective than the traditional workhorses of cybersecurity; signatures and heuristics. Signatures (also called “Indicators of Compromise” or IoCs) can be as straightforward as a hash value or byte sequence that is searched for by a security or anti-virus tool. Heuristics, on the other hand, are often created by human

14 | Australian Security Magazine

Machine learning as the problem solver

Cyber Security

'Finding the right machine learning tool is critical in helping organisations deal with the huge volume and variety of security threats knocking at their doors. This is thanks to the amount of data available to analyse and learn from, which means machine learning is poised to recognise advanced and unknown threats. '

2. Value added via intelligence – Machine learning solutions should deliver more than a yes or no answer. Businesses need as much information as possible about potential threats to ensure the most effective use of IT resources. Having information about the severity of a threat helps to prioritise and act as required, preventing the misallocation of resources, keeping businesses safe. 3. Detecting unknown malware with fewer false positives – Machine learning does not require signatures to be updated frequently in order to be effective. Unlike traditional anti-virus tools, it can learn without needing new data sets every day. It analyses higher-level traits to decide if a file is malicious, which is a superior approach to detecting today’s targeted, unknown malware. with behavioural analytics, they can be an extremely effective first line of defence against threats like ransomware. That said, the value that machine learning can bring to the table largely depends on the data available to feed into it. Machine learning cannot create knowledge, it can only extract it. The scope and size of data is most critical for effective machine learning. Organisations should assess the data they have available to ensure machine learning is a viable option. For those with data readily available, machine learning cloud-based solutions have a distinct advantage allowing large amounts of data to be analysed at the same time from across business systems. For example, Spotify (cloud) can give you better album recommendations than your local music store clerk because it has vastly more data at its disposal. Cloud-based machine learning also combines architectured algorithms with the collective knowledge of crowdsourced communities where threat intelligence is aggregated and updated instantly. Enterprises seeking effective machine learning for endpoint protection, must consider: 1. The need for massive data sets – To be effective, machine learning must have enough relevant data with which to work. It must also be able to implement sufficient rounds of training with speed and efficiency. Without these two things, machine learning can negatively impact results.

Finding the right machine learning tool is critical in helping organisations deal with the huge volume and variety of security threats knocking at their doors. This is thanks to the amount of data available to analyse and learn from, which means machine learning is poised to recognise advanced and unknown threats. Additionally, openness towards cloud has helped businesses to realise the potential of machine learning, allowing security data to be processed at enormous scale, without the constraints imposed by individual machines on a given network. However, it’s vital to remember that an adversary will target an organisation persistently – potentially hundreds of times a day – therefore machine learning should form part of an organisation’s overall defence strategy, as one of many tools in its toolbox for combating threats. About the author Mike Sentonas is Vice President, Technology Strategy at CrowdStrike. Reporting directly to the Co-Founder and CTO, Mike’s focus is on driving CrowdStrike’s APAC go-to-market efforts and overseeing the company’s growing customer and partner network. With over 20 year’s experience in cybersecurity, Mike’s most recent roles prior to joining CrowdStrike were: Chief Technology and Strategy Officer, Asia Pacific at Intel Security and Vice President and World Wide Chief Technology Officer of Security Connected at Intel Security.

Australian Security Magazine | 15

Cyber Page for ACSM & AISA

You’ve had a data breach … what happens next?

Y By Dr Jodie Siganto

16 | Australian Security Magazine

ou know that Australia’s data breach notification amendments to the Privacy Act 1988 (Cth) become effective on 22nd February 2018. Naturally, you are busy planning your data breach response strategy. Aren’t you? Quite a bit has been written about the legal requirements relating to identifying and notifying data breaches, yet little has been said about what’s likely to happen after you notify of a breach. For example, how will the press cover the story? What happens if the Privacy Commissioner decides to investigate? Can your executives be called before the Privacy Commissioner and might you be fined? Could you be sued? This article looks at important considerations relating to your breach response plan, based on how the Office of the Australian Information Commissioner (OAIC) has handled data breach cases so far. I’ll also introduce some of the experiences in the US, where data breach notification laws have been in place for almost 15 years. How Might the Press Cover Your Story? One likely consequence of a data breach notification is that the press will find out from a tip-off or from social media (assuming they are not the source of the story in the first place). Having an effective strategy to deal with the press can reduce reputational harm, with the Australian Bureau of Statistics Census failure offering an excellent example of the reputational damage that a poorly executed communications plan can cause.

Most organisations have a crisis communications strategy, which includes press releases and pre-prepared statements. But have you any idea how the media will treat your corporate comms? Do you expect them to adopt your language and support the same messaging? To the contrary, research from the US suggests that the press will sensationalise the ‘data breach’ aspects of the story and downplay or ignore apologies or remediation efforts. Last October’s Red Cross breach was a great example of how the media can sensationalise a data breach. A file of donor details was placed on a web facing server with directory listing enabled, meaning the file was both discoverable and accessible. The OAIC investigation indicates that only one individual found and downloaded the file before reporting the vulnerability (indirectly) to the Blood Service and others. There was no evidence of wider access to the file. However, media reports included headlines such as ‘1.3m records leaked’, ‘Australia’s biggest-ever data breach’, and ‘Human error exposed 550,000 donor records’, all of which implied widespread access to the information, which was not true. Your communications strategy should anticipate this type of coverage and include ways to neutralise the likely sensationalism. What information should be given to the OAIC? If you decide you need to notify affected individuals of a data breach, a copy of that notice must be given to the OAIC.

The OAIC suggests you should provide the OAIC with additional supporting information together with the notice, to explain the circumstances of the data breach and the organisational response in further detail. This information can assist the Commissioner in deciding whether to make further inquiries or take any other action. The OAIC has also indicated that it will publish an online form to help entities lodge notification statements and provide additional supporting information. Keep an eye out for that. What will the OAIC do with the notice? After receiving the notice, it’s likely that someone from the OAIC will contact you to check on how you are dealing with the breach and to offer advice. Hopefully this will be a fairly brief conversation where you reassure the OAIC that the matter is under control. If the Commissioner is happy, he may take no further action. If not, the OAIC may decide to conduct a more detailed investigation. The OAIC has the power to investigate any circumstances, which might involve an interference with privacy, without needing to have first received a complaint. This is known as a Commissioner Initiated Investigation (CII). A CII may include a review and evaluation of the systems and processes that were in place to protect the information and how the organisation has managed its response to the data breach. A CII is particularly likely in the case of a highprofile breach affecting many people or involving particularly sensitive information. The OAIC undertook a more detailed CII into the Red Cross Blood Service breach in October 2016 and, more recently, has announced investigations into the Cosmetic Institute and Flight Centre data breaches. You’d be unlucky to be investigated (and have an investigation report publicised) unless you’ve had a massive and serious breach. The OAIC records indicate they received over 100 voluntary notifications of data breaches in each of 2014/2015 and 2015/2016. Of those notifications, only two investigation reports have been published and two enforceable undertakings given (for cases not covered by an investigation report) in the relevant period. The OAIC has confirmed its preference to work with entities to encourage and facilitate voluntary compliance with the Privacy Act before taking enforcement action (such as opening a CII). It has also acknowledged that entities need time to become familiar with the new requirements. Accordingly, during the first 12 months of the scheme’s operation, the Commissioner’s primary focus will be on working with entities to ensure that they understand the new requirements and are working in good faith to implement them (rather than enforcement activities). What happens in an OAIC investigation? In most cases, CIIs are ‘on the papers.’ This means the OAIC will send you a letter asking a whole lot of questions, to which you must reply. The questions will likely concern: how the breach occurred, the information affected, the security controls that were in place at the time to protect the information and the action taken to address the breach.

That process will continue until the OAIC determines whether there’s been any interference with any of the privacy principles and is satisfied that appropriate steps have been taken to ensure that the same breach won’t happen again. It is important to respond to these requests for information in a timely and cooperative way. Previous published investigation reports acknowledge where the entity being investigated has been helpful and suggest that that kind of co-operation is likely to support a better outcome. More importantly, the OAIC has a series of formal coercive powers that can be used in investigations. These powers include the right to require individuals to appear and give evidence and to produce documents. No-one wants their CEO or one of the directors called to appear before the OAIC, so timely and fulsome co-operation in a CII is a good strategy. How is an investigation concluded? Most commonly, the investigation is closed and an investigation report issued, including findings as to whether there has been any interference with privacy. Since the 2014 amendments, the Commissioner can accept enforceable undertakings by the entity to put in place agreed remediation actions and these seem to be becoming more common. The sorts of actions included in enforceable undertakings to conclude an investigation might include: • Engaging a qualified third party to review the organisation’s handling of personal information and implement any subsequent recommendations. • Implementing improved information security, in accordance with an acceptable information security standard, as certified by a reputable third party. • Implementing privacy training for staff. • Offering to reimburse the cost of a 12-month credit monitoring alert service for any individuals whose personal information was disclosed in the incident. Offering an enforceable undertaking may often be the most pragmatic way to finalise a CII, particularly where it is clear you’ve failed to implement appropriate security controls. It should assist in bringing a timely and mutually agreeable conclusion to the investigation. If you cannot reach an agreement with the OAIC on the outcome of the investigation, the Commissioner may make a Determination. In issuing a Determination, the OAIC has wide powers and, for example, may order that the organisation cease doing a specific activity, pay compensation, issue an apology or change the way it has been doing things. What happens if you decide not to give notice of a data breach? The definition of ‘eligible data breach’ sets a high trigger for notification. There may be circumstances in which you decide there is no eligible data breach, and thus no notification obligation, because it is unlikely that any individual will suffer serious harm. The OAIC can challenge that decision. The OAIC can also investigate where it becomes aware of a possible breach and there has been no notification. Again, this would be a CII, as it would not arise from a complaint >>

Australian Security Magazine | 17

being lodged by any individual, but from the OAIC forming a view that there may have been an interference with the privacy principles warranting investigation. The OAIC may couch the investigation in terms of compliance with the data notification provisions of the Act or APP 11 (the obligation to take reasonable steps to secure personal information). If you decide not to notify, you should think about the possibility of an investigation and retain records of the basis of your decision. It may also be prudent to seek legal advice, as some of the provisions in the Act are complex. It is worth remembering that legal advice may be privileged (and so not discoverable) in any subsequent legal proceedings. In the US, many internal data breach investigations are led by the in-house legal department, as part of the data breach response plan, which may extend legal professional privilege over all investigative and forensic reports . Will my organisation be fined? Unlike other jurisdictions (such as the UK), the OAIC cannot issue fines. An application must be made by the OAIC to the Federal Court for the imposition of a civil penalty. The OAIC can make such an application only in the case of serious or repeated interferences with the privacy principles, or the data breach notification provisions. The Federal Court will determine the amount of the civil penalty, which could be up to $1.8 million in the case of corporations. Given the Commissioner’s light touch approach to enforcement of the data breach provisions, it seems unlikely that the OAIC would seek a civil penalty for a failure to notify or for circumstances relating to a notified data breach, unless there are particularly serious circumstances, for example a failure to notify in circumstances where notification would have given a large number of affected individuals a real opportunity to mitigate the damage from the breach. Can my organisation be sued? There is no individual right to sue for breach of the Privacy Act (including, the data breach notification obligations in the Act). There is also some doubt about the existence of a right to sue for breach of privacy under Australian common law. Although there are indications that the courts may entertain a tortious claim of breach of privacy, it would be a change to the current law and such a claim is not the sort of ground breaking test case an average litigant would be keen (or wealthy enough) to take on. Suits could be brought based on negligence, such as an organisation’s failure to take reasonable steps to prevent a data breach. To date, no such actions have been brought in Australia and establishing causation and proving loss may prove difficult. Conclusion As part of your data breach planning, do not expect the media to be nice. Think about how the press might report the incident and be prepared to address any negative spin. Remember, your data breach will get into the press, especially once you’ve given notice, and they like to beat up a good data

18 | Australian Security Magazine

breach story. If you decide to notify, consider what you’re going to tell the OAIC and provide enough information to reassure them that the breach has been stopped, that you’re looking after the people affected and that the breach won’t reoccur. If it’s clear that some failure in your systems has led to the breach, think about offering an enforceable undertaking. If you are involved in an investigation, be as co-operative and helpful as possible. Remember, the Commissioner does not want to punish organisations and, in the first instance at least, will look to educate and guide them to a better understanding of their obligations. Finally, it’s unlikely that you’ll be sued or that you’ll be fined, but that is no reason for complacency. Mitigation costs and reputational damage can still hit hard – just ask Sony, Target, Anthem and the Australian Bureau of Statistics. Disclaimer Ringrose Siganto publications and communications constitute commentary and are for general information only. They should not be relied upon as legal advice. Formal legal advice should be sought for specific issues concerning this material. Listed authors are not admitted to practice in all Australian States and Territories. About the author Dr Siganto is a partner in law firm Ringrose Siganto, and a highly experienced ex in-house legal counsel. She is an information security and privacy expert and a long-time specialist in information security training. Dr Siganto has been sought out by government departments, international corporations and Australian businesses to advise them on a range of privacy and security issues, including conducting privacy compliance reviews, impact assessments and reviewing technology contracts of all types. In addition to her other work, Dr Siganto pursues research projects into cyber security issues, particularly around the human aspects of information security and regularly talks on issues such as data breach notification, information security practice and cyber security skills. Earlier this year, the Federal Government passed new rules on mandatory breach notification into Australian law. Commencing February 22nd, 2018 many Australian businesses and organisations will no longer be able to remain silent if there is a data breach. The rules are aimed at directing entities to become active in protecting the personal information they hold on behalf of their clients and customers, implementing effective data breach response plans and taking appropriate steps to protect individuals whose information has been lost, stolen or compromised. How can you determine if it’s something that applies to your organisation and what can you do about it? Let’s look at the new rules and how they should be interpreted.

Looking to commercialise innovative cyber security or physical security related technologies?

GET IN TOUCH www.securityventures.com.au

Australian Security Magazine | 19

Cyber Page for ACSM & AISA

Helping Australia build a secure healthcare network Strategies to help protect the healthcare industry from the Cyber dangers lurking in Healthcare.

By Zoheb Ainapore

20 | Australian Security Magazine

he healthcare industry in Australia has been fortunate enough to avoid being in the limelight, considering the recent spike in cybersecurity incidents affecting other industries. There have been a few high profiles, honourable mentioned globally that come to mind in recent years, such as the Anthem data breach, which potentially compromised the personal information of 78.8 million individuals [1] or the more recent WannaCry ransomware attack that wreaked havoc around the world and took out over 60 National Health Service (NHS) trusts in the UK affecting more than 200,000 victims [2]. There are over 1,330 hospitals in Australia [3] providing hospitalization facilities to over 10.6 million patients in a year. That translates to an average of more than 29,000 patients requiring inpatient care every day. In addition to the private and public healthcare facilities, critical support networks such as Medicare play an important role in ensuring that patients receive the appropriate healthcare on time. Healthcare in Australia centres around the public hospitals, private hospitals and medical centres. These are supported by the publicly funded Medicare health care scheme and operated by the Department of Human Services. The recent cuts to Medicare and the Medicare Levy Surcharge has resulted in many individuals taking out private health insurance. A targeted cybersecurity attack on the Australian healthcare sector can have catastrophic consequences and can directly affect the care provided to thousands of patients every day and have a direct effect on their lives. Consider the following headline that was reported in the media in Aug 2017 "Inside the New York hospital hackers took down for 6 weeksâ&#x20AC;? [4]. Hackers took down the computer systems of the Trauma Centre at the Erie County Medical Centre in the US for six weeks, resulting in staff going back to pen and paper for until the systems were back online. The story above is fact and not fiction and we're a step away from experiencing similar consequences in Australia. The cybersecurity risks that the Australian healthcare

industry faces isn't much different from the risks faced by institutions in other industries. To protect the healthcare industry from the various cybersecurity risks that it faces, it is better to think of the various threats from an attackerâ&#x20AC;&#x2122;s perspective. What assets are we protecting? Looking at it from an attackerâ&#x20AC;&#x2122;s point of view, some of the consequences that an attack on the healthcare system would have are: - Data breach of personal information. - Unauthorised access to data or systems. - Denial of service. - Ransomware attack. - IOT attacks. - Regulatory risk. The shifting perimeter Recent trends in technology have resulted in healthcare data moving from being stored locally within healthcare facilities, to being stored in cloud-based systems. Additionally, the emergence of IOT devices has resulted in holes being punched into hospital systems, allowing direct internet access, while bypassing perimeter security controls. Tackling these new threats requires a different mindset that takes into consideration the heightened risk, by implementing appropriate security controls. In the following sections, we'll tackle each of these issues by expanding on the risks that these issues raise and providing recommendations to address these risks. Personal information breaches Data breaches of healthcare personally identifiable information (PII) would result in attackers utilising such information to carry out further targeted identify

Cyber Security

theft, fraud and other attacks. Such attacks are a result of attackers leveraging security vulnerabilities to gain access to a healthcare network, along with the lack of appropriate security monitoring and alerting controls. Centralised stores of healthcare PII data are being targeted by attackers with government Medicare service and private health insurance being prime targets. It is recommended that security controls be put in place to continually monitor healthcare systems and networks for vulnerabilities and to implement an effective vulnerability management program, to prevent unauthorised access due to the exploitation of vulnerabilities and security misconfigurations. Sensitive data must be encrypted appropriately. This ensures that even if a malicious individual has gained unauthorised access to healthcare PII data, the data being encrypted would not be of any use to the attacker. In cases where unauthorised access has taken place, appropriate security monitoring and alerting must be in place to provide notifications of such unauthorised access, or attempts to gain such access. Canary tokens provide an effective method of monitoring unauthorised access within an internal network. Unauthorised access Attackers leverage security misconfigurations and vulnerabilities to gain unauthorised access to healthcare networks and systems. There was a recent security vulnerability affecting pacemaker devices manufactured by Abbott that resulted in the US Food and Drug Administration (FDA) alerting people to a voluntary recall of 465,000 pacemakers [5] due to the possibility of hackers reprogramming the devices, potentially putting patient lives at risk. Exploitation of such vulnerabilities would directly affect the lives of patients using the vulnerable medical devices. Dealing with these challenges requires a two-pronged approach. It must be ensured that healthcare systems, networks and medical devices are securely configured and patched on a regular basis. Security vulnerabilities must be monitored and continual vulnerability assessments carried out to provide alerts when such vulnerabilities are found. Apart from the clinical trials and tests that medical devices undergo as part of their release into the general market, government regulations must be enacted to ensure that all such devices undergo a process of stringent security assessments. Denial of service Attackers can cause a denial of service to restrict authorised healthcare users from utilising health services. Healthcare systems and networks must be designed and architected to provide high availability, that is resilient to a distributed denial of service (DDoS) attack. Critical internet facing healthcare services must implement appropriate DDoS protection. Ransomware attacks With the recent increase in ransomware attacks affecting multiple industries, it is imperative to ensure that in case a

ransomware attack eventuates, the hospital systems are not affected and can be quickly recovered. Attackers launching ransomware attacks generally target data by encrypting it and holding the client ransom by decrypting the data if the ransom is not paid. It must be ensured that in cases of a ransomware attack, appropriate security incident management processes are in place and are followed. Affected devices must be segregated and disconnected from the rest of the network. Backups of all data must be present on dedicated data stores that are not directly connected to the affected client devices. Application whitelisting and advanced endpoint security platforms can be implemented that prevent the execution of malware and proactively detect abnormal behaviour.

'The pace at which attacks are targeted the healthcare sector across the world, it is only a matter of time

IOT attacks

when attackers

The threats that IOT attacks could have on the healthcare sector are three-fold. Many medical and IOT devices have security misconfigurations and vulnerabilities and are connected to healthcare networks. This would result in unauthorised access to, or takeover of, these devices by malicious individuals, leading to attackers using the devices as a pivot to gain unauthorised access to the networks that these devices are connected to. Furthermore, an attacker that has gained unauthorised access to these IoT devices can make them a part of a larger Botnet that could use to launch distributed denial of service (DDoS) attacks on other targets. The remediation to protect such IoT devices is to ensure that they are regularly patched and securely configured. Additionally, such devices are only to be connected to a segregated network that does not connect to the corporate healthcare network.

would choose to focus their efforts into launching a targeted attack on Australian healthcare networks.'

Regulatory risks Healthcare organisations face increasing regulatory compliance and possible penalties if the confidentiality of healthcare data is breached and the data is not properly secured. Healthcare organisations in the US are bound by the Health Insurance Portability and Accountability Act (HIPAA) and Australian healthcare institutions must assess the various regulatory compliance requirements that affect them such as the Australian Privacy Act 1988. It is recommended that healthcare organisations understand the regulatory and privacy compliance requirements they need to meet, to meet their compliance requirements and ensure that they comply with the requirements, as well certified against such requirements and standards. Conclusion The pace at which attacks are targeted the healthcare sector across the world, it is only a matter of time when attackers would choose to focus their efforts into launching a targeted attack on Australian healthcare networks. It is important for the healthcare institutions and cybersecurity organisations to work together, to proactively address the risk that affect the healthcare enterprises of today.

Australian Security Magazine | 21

Cyber Page for ACSM & AISA Cyber Security

Know Your Enemy PART II I By David Stafford-Gaffney

22 | Australian Security Magazine

n the last issue we delved into the world of Business Process Compromises (BPC’s) and demonstrated how the attacks work, based on the case of the driven, yet naive business owner; Steve and the driven and successful attacker; Joanne. The point we made was that both seek success, both are driven and both operate businesses, and most importantly, both follow processes. This is the key, this is our light bulb moment, this is where we seek to gain the upper hand in developing defenses. To recap, a BPC occurs when an attacker makes subtle, unnoticable changes to business processes to gain an advantage. We reviewed the case of the attackers in Antwerp making subtle changes to the location of containers at a dock, in order to make the containers carrying drugs, easier to access. Remember, they needed other attack vectors also in place to complete the heist, including dropping physical USB key loggers. The company being attacked wasn’t massive, it just happened to offer the attacker what they needed. That attack took two years to be successful. As a result, response plans need to consider the long game too and be appropriately measured. We need to understand the risks these organisations pose to our own, as this provides a far

broader understanding of how attacks work and appropriate mitigation strategies, aimed at various points in attack process, can be targeted at more than just the perimeter. Once you’ve mapped the attack surface, you then need to find an appropriate way to communicate what has been done to customers, staff and the executive board. Every stakeholder needs the confidence in the business’s ability to appropriately mitigate risks and increase the security posture of the organisation improves. Back to the Story… Like Steve, Joanne follows a tried and proven process known as the Cyber Killchain® (Lockheed Martin (http://www. lockheedmartin.com/us/what-we-do/aerospace-defense/ cyber/cyber-kill-chain.html), introduced in Part 1. The kill chain allows us to build defence in depth into our organisation. Prevention, as a tactical objective, should have a place in your security arsenal and cyber defence plans, however, the kill chain shows us that we need more. We should ensure appropriate levels of logging and confirm detection mechanisms are deployed. Furthermore, we need to

Cyber Security

be as follows: 1. Identify your critical information. 2. Review who (the actors) might be after your information. 3. Understand how it is protected. 4. Understand how you respond in the event of an incident. Identify your critical information You want a documented list of information that is critical to the business. It’s not always an easy process, so my advice is to ask a few questions: 1. What are my business-critical information and services? 2. Where are they located? 3. Who has access to them?

'“If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.” – Sun Tzu, The Art of War'

prevent attackers from going undetected within our networks, buying us time to respond. Then, if we get to the stage of responding, our response plan need to be swift and ruthless. The trouble is, security isn’t easy. It’s a process, not an absolute. Some organisations have large security teams that manage infrastructure, while rely on information risk managers to handle all their security concerns. Very few have it all and many have nothing at all, relying, at best, on the IT team to keep them safe. None of these approaches are necessarily wrong, if that is what your organisation requires. I know that sounds generic and possibly trite, but I can’t tell you what you need for your organisation; at least not without understanding what you want to achieve. Security must underpin and support the objectives of your business and align to your strategy. It must be driven from the top and while it can be delegated as a function in your organisation’s structure, it must be part of every support function and service provided. You’re not alone if you don’t know where to start. Best practice and standards like ISO 27001 say to start with a risk assessment, yet this is not easy and requires maturity in several key business capabilities. So, another approach would

Next, engage the rest of the organisation to gain more insight into your answers, as business-critical information could reside with the HR team or the finance team, the production and manufacturing group, or with your sales team. Be prepared for incomplete answers as this is expected, then help them get to the most complete answer they can. This is not an easy process, but make sure you document everything you uncover as this will form an important baseline moving forward. Your focus should be on ensuring that critical information is afforded the necessary protection, based on its sensitivity. Review who (the actors) might be after your information We refer to this as a threat assessment and it’s important in identifying the types of people or organisations that stand to benefit from stealing or changing your information, or making it unavailable. More importantly, it helps you understand the capability of any given threat actor, which is essential in determining whether you feel the current security controls are sufficient. Start with a workshop where you identify the types of people or organisations that might attack you, then rate them in terms of their: • Capability – technical nous, access to financing, outsourcing possibilities, etc. • Motivation – why are they attacking you? What have they to gain? >>

Threat

Capability

Motivation

Threat level

Organised crime

Formidable

Focused

Critical

General Hacker

Significant

Committed

Severe

IT contractor

Significant

Interested

Substantial

Limited

Interested

Moderate

Guests

Little

Interested

Low

Acts of God

Formidable

Indifferent

Very low

Ideological organization (political)

Table 1 Threat assessment table

Australian Security Magazine | 23

Cyber Security

Your (documented) threat assessment might look like Table 1 (based on a 5 x 5 threat assessment matrix.) Consider all contractors you engage with, auditors, state sponsored hackers, religiously motivated groups and of course, students. This is just an excerpt of an example, and it’s important to note that motivations may change depending on the organisation carrying out the threat assessment. Organised crime is far more motivated to want to manipulate container drops or electronic funds transfers than it is to manipulate the daily schedule of a fencing contractor. Understand how it is protected This phase of the risk assessment shifts to focusing on your technology solutions and how sensitive information is protected. Bring in subject matter experts (SMEs) as they know they systems better than anyone, and explain your plans. Ask them, how they would attack the systems they manage, and explain why you’re doing this. Bring them on the journey with you, so that everyone is aware of the improvements that are needed and are helping patch over the vulnerabilities. Explain that this is not about blame, rather it’s about taking control and establishing some sensible security principles: People – Process – Technology Is access to the information or system audited or logged? How is access authorised? How are users authenticated? Are there procedures or work instructions for activities that are associated with your information systems security? Are daily checks completed and is there proof ? What technology protects business systems and sensitive information? Is your technology patched and free of vulnerabilities? Does it have vendor support (if it doesn’t it won’t get any security patches)? Ask lots of questions and seek evidence. Don’t just ask how, ask to see the what. However, don’t alarmed as you don’t want knee-jerk reactions that simply Band-Aid the issue – treat this like business strategy; it needs to be given the same energy and consideration. Understand how you respond in the event of an incident Ask how they know if an incident has occurred? What sort of events do they collect? What do they do when an incident occurs? Do they have a suitable response plan? – ask to see it and ask for examples of incidents that have occurred and been investigated. Look at running sheets, evidence, forensic artefacts, note knowledge-based items, and remember they may feel threatened, so help them understand the objectives of the exercise. You want to uplift the security response plan to ensure all their jobs are protected, not persecute them for being remiss. By the end of this exercise you will have a better understanding of where your crown jewels, are and how they are protected. You will also know how you respond to an attack. The picture might look bleak, or it may look ok, however it looks today, it can always be improved tomorrow. Now you know what your baseline is, you can at least start planning those improvements.

24 | Australian Security Magazine

Based on what you have uncovered, do you think your protections are adequate? If not, you can now start raising risks that relate the loss of information confidentiality, system availability and information integrity, to the controls you have in place. The IT department will likely jump at the opportunity to remediate these issues and introduce better controls, as they might even get some shiny new technology to play with. If this sounds too much for you to handle, consider engaging a security consultant to assist, since this is the process they will use. The “big four” audit companies offer high-level services that help you understand your security exposure and can be a reasonable place to start, if you have the budget. But prepare yourself for lots of failures in their audit report, and learn to love these reports, rather than see them as your enemy. There are smaller firms with exceptional capabilities to provide a similar service, so cast the net wide and don’t buy the brand, buy the right consultant for your business. Professionals can help establish roadmaps for implementation and work with you to increase your security posture and overall maturity, within the budget and in line with your strategic business plans. Even look to your local security community or professional meet up and ask around. In summary, organisations face threats everyday, some know about them and stand a fighting chance, if not to prevent them, most certainly to detect them and respond in a timely manner. However, those that don’t will be compromised. It’s that simple! If you’re still not convinced, recall we offered a number of real examples of compromises that have occurred, and in one case, they spent 2 years planning the attack, 2 YEARS! Trust me, these people are motiviated and have all the time in the world to get what they need. Your job is to make their life hard, by protecting your business’s life blood with controls designed to fend off the specific threats that are coming after you. Threats that take the form of organised crime syndicates, lone wolf rogue hackers, experimental, curious students and script kiddies, right through to accidental and malicous insiders (staff members). And keep in mind that this is no easy task, however, we’ve offered some simple steps you can take to attempt to prepare your organisation and if external advice is needed, then at least you know your business in more depth and might even save some cash, as the first questions a consultant will ask are the ones we’ve covered in this series. My final advice is, all organisations face threats, yes the types differ and the motivations to attack your specific business differ, but they’re there and you’d be mad to ignore them. About the author David Stafford-Gaffney is an information risk and security professional with over two decades in the ICT sector in roles ranging from hands on technical, to operational management and business development. He has established two businesses from scratch and his strong business acumen enables him to understand acutely the need to align security with business requirements. He is passionate about leadership, Information Security and assurance and improving the industry. Davis currently works as an Information Security Manager for Datacom.

C YB E R S E C U RI T Y F O R W O ME N EXECUTIVE BREAKFAST INVITATION EXCLUSIVE TO COLLEAGUES

CIO, CISO & CSO TUESDAY 24 OCTOBER 2017 8:30 AM - 10:00 AM

THE BOAT HOUSE MENINDEE DRIVE, BARTON, ACT

Diversity, Opportunity, Scale Mihoko Matsubara

Vice President & Public Sector CSO for Asia-Pacific Palo Alto Networks We would like to invite you to join an exclusive executive discussion featuring Mihoko Matsubara, Vice President and Public Sector Chief Security Officer (CSO) for Asia-Pacific, Palo Alto Networks. Mihoko, based in Singapore, is responsible for developing thought leadership, threat intelligence and security best practices for the cybersecurity community within the governments and academia in the region. Mihoko was formerly CSO for Palo Alto Networks in Japan and she also worked at the Japanese Ministry of Defense. Mihoko received a Fulbright Scholarship to pursue her MA in International Relations and Economics at the Johns Hopkins School of Advanced International Studies in Washington DC and was a research fellow at Pacific Forum CSIS, a Japan-US cybersecurity cooperation think-tank. In Tokyo, she worked for Hitachi Systems as a cybersecurity analyst researching cyberthreat environments and policy issues and worked at Intel K.K., Tokyo, in the role of cybersecurity policy director. She is the first Japanese speaker (2015) at the NATO International Conference on Cyber Conflict in Estonia and was most recently appointed as an Executive Committee Member of The Armed Forces Communications and Electronics Association (AFCEA) in 2017.

Discussion Focus: This will be an interactive event so we ask that you come prepared to engage with your peers as we discuss the key issues for women across the cyber environment. Opportunities abound in cybersecurity and roles for women are actively being encouraged to enter and engage in the industry. However, alongside the challenges of digital disruption and a global cybercrime industry, women themselves continue to be challenged with achieving equal diversity and inclusion, role opportunities and pay scales.Â On behalf of Palo Alto Networks and the Australian Cyber Security Magazine, you are invited to join Mihoko Matsubara for an intimate round-table discussion around the challenges facing women in cybersecurity, including young women, mentoring programs, womenâ&#x20AC;&#x2122;s advocacy, cross-career training and maintaining a diverse workforce. Your participation in this discussion will hopefully enable you to identify ways and exchange ideas to address these challenges and apply them at your workplace. This is a very limited seating engagement so please register ASAP to reserve your seat.

Kindly RSVP by 17 October 2017 to rsvp@mysecuritymedia.com or 0432 743 261

PROUDLY ORGANISED BY

Australian Security Magazine | 25

Women in Security benefit from introducing more diversity. Having different people with different life and work experiences and different thinking will increase innovation and provide new ideas to outsmart the adversaries. Having diverse approaches and multiple ‘voices’ for cyber security can also help integrating security as part of everyday life in the organisation, and help increase people’s awareness to threats. Women in leadership roles in cyber security can help change the perception of the cyber security industry being a male dominated industry (bad guys in hoodies anyone?) and can encourage more women to pursue these challenging and fulfilling roles.

Tali Friedman, Principal Solution Architect, Data Security, Micro Focus With Chris Cubbage Executive Editor

aving spent most of my career in the Software Development Lifecycle (SDLC) space, I was searching for a new field to explore. About two years ago an opportunity came up within HPE Data Security that piqued my curiosity. I have worked in IT for 14 years, first joining Mercury in 2003 upon graduating from university and then joined HPE when it acquired Mercury in 2006. I moved to Australia in 2011, re-joining HPE the following year. In February 2015, HPE acquired Voltage Security, a leader in data-centric security. This was a natural fit for me, having been exposed to encryption technologies during my military service with the Israeli Intelligence Corps and while studying computer science in university. Now, HPE Software is Micro Focus. What are some of the key challenges you think the industry is faced with? I see multiple challenges for the industry. The first one is that adversaries keep innovating and challenging the protection methods organisations put in place. Organisations are constantly facing attacks that are getting increasingly sophisticated, forcing them to keep updating their defences. However, as I speak to our customers, it is becoming clearer to them that there is a need for a new approach. Data-centric security is a very hot topic at the moment since CISOs realise they can’t keep the perimeter safe anymore – there simply isn’t one – and their data must be protected. I believe we will see more and more organisations reaching the same conclusion. The second challenge is a shortage of skilled people to face the adversarial innovations. There aren’t enough people to do it all. Automation can help up to a certain extent, but there is a need for people who can innovate and predict the next attack vector. The third challenge is that there isn’t enough diversity in cyber security, and that is mostly caused by high entry barriers. It is not easy to get into cyber security from other IT domains, and I think that we are missing out on learning from other domains and their experience. Testing experience can be translated into an inquisitive mindset that can look for vulnerabilities. DBA experience can help point out where a suggested defence approach might not work, or assist in coming up with a completely new one. As adversaries are coming up with new approaches so should the defenders. I believe that the security industry will

26 | Australian Security Magazine

Where do you see the industry heading and are women sufficiently or increasingly being recognised and respected? Data security is very hot at the moment, with new regulations like GDPR in the EU and other privacy legislation changes. Many organisations are looking into unlocking the value of their data to drive new business opportunities and growth, while keeping the data well protected. I think that the IoT panel organised by Kaspersky-Reesby and HPE and these articles are great to get women more recognised in this field. I would love to see more girls going into coding, computer science and other IT related studies. What are your previously notable positions? I have a very diverse experience which I put into use when I talk to customers about cyber security. I first started as QA engineer for functional and performance testing then progressed to QA management, so I understand very well the challenges our customers are facing balancing the release quality, security and due date. I set up and led a customer-oriented testing team for our products, this team worked with Fortune 500 companies that are HPE largest customers in the US and EMEA. Working with such large deployments taught me a lot about their business and technical challenges, and how such companies deal with change. Alongside this experience, I’ve always been a self-learner and I learn a lot from people I work with, both colleagues and customers. I’m always happy to help others, come up with ideas and solve problems. And finally, I can look at how secure development \ testing matures and see a lot of similarities between how performance and functional testing have matured over the years. Testing used to be an end of project activity done as an afterthought and now it is a valued, front and centre activity designed to ensure positive customers experience. Seeing initiatives such as Secure DevOps I think cyber security is heading in the right direction. What do you do when you're not working? As a working mum, there always seems to be something going on whether at work, school or home. I spend most of my time with my husband and children, our friends and pets. I also love being outside in nature walking and enjoy travelling to new places.

EX E C U TIV E B O ARD RO O M BREAKFAST INVITATION

EXCLUSIVE TO COLLEAGUES

CIO, CISO & CSO WEDNESDAY, 25TH OCTOBER 2017 8:30 AM - 10:30 AM

THE WESTIN HOTEL HERITAGE BOARDROOM

1 MARTIN PLACE, SYDNEY NSW 2000

Application Security: Every business is a software business Andrew Kay

Application Security Solution Architect Micro Focus

Overview Today every business is becoming a software business. Even traditional brick-and-mortar industries are facing the necessity for software-driven “digital transformation” to stay relevant and competitive in their markets. As software becomes core to Australian business across the value chain, companies are developing and updating applications faster than ever before. Exponential growth in application development represents both an opportunity and a threat. Research conducted by Forrester identified applications as the source of 84% of all data breaches. Why software? Because cyber criminals have identified software as the weakest link. The Australian Government has recently passed legislation to drive a quality approach to data security. 23 February 2018, will see the introduction of the Notifiable Data Breaches Bill, which will ‘strengthen the protections afforded to everyone’s personal information, and will improve transparency in the way that the public and private sectors respond to serious data breaches’. Micro Focus invites you to attend an exclusive briefing event to discuss the evolving threat environment and practical approaches to application security in the modern software development life cycle.

We would like to invite you to join an exclusive executive breakfast discussion featuring Andrew Kay, Application Security Solution Architect for Micro Focus. With a development background and over 12 years of experience in Software Quality and Security Assurance, Andrew is one of Australia’s leading application security specialists and brings unique insight to the application challenge given his experiences in both DevOps and security. Andrew has designed and implemented quality and secure development lifecycles for clients, performed architecture, design and code reviews, written coding standards and development policies. In his current role Andrew is responsible for enterprise and government client engagement, delivering and advising on security assurance programs and application security activity in the South Pacific region. This will be an interactive event so we ask that you come prepared to engage with your peers as we discuss the constantly evolving threat landscape. This is a very limited seating engagement so please register ASAP to reserve your seat. Regards, Chris Cubbage Director & Executive Editor Australian Cyber Security Magazine

Kindly RSVP by 18th October 2017 to rsvp@mysecuritymedia.com or 0432 743 261

PROUDLY ORGANISED BY

SINGAPORE Cyber Security CONFERENCE

// End-to-End Cyber Security: Business Recovery and Security-by-Design World Economic Forum’s Cybercrime Dialogue By Jane Lo, Singapore Correspondent

yber Attacks on businesses by sophisticated hackers demand organisations to embed security principles in the design of digital systems, but also to build capacity and resiliency to recover from these attacks. Two conferences held in Singapore during August address these topics. The Asia Risk & Resilience Conference (ARRC) 2017 (24th – 25th August, Marina Bay Sands Convention Centre), a collaboration between BCP Asia (Business Continuity Planning Asia Pte Ltd Organiser for ARRC), RIMAS (Risk and Insurance Management Association of Singapore) and IAEM (International Association of Emergency Manager), focused on the theme of “Risk and resilience – From Strategy to Reality”. The conference aimed to enhance the awareness and promote the growth of ERM, BCM and Emergency Management in the region. The dynamism and complexity of the digital inancial ecosystem and security considerations were a focal point at the FinTech Security Summit. The event, held at Shangri-La Hotel (25th August), was an opportunity to debate on topics such as building a safe Financial Center,

28 | Australian Security Magazine

strengthening Cloud and IoT security, and reducing the surface for Cyber Attacks and crime through a Security-by-Design approach. Business Recovery and Continuity from Cyber Attacks: Most businesses plan for recovery from hazardous events or natural disasters that cause physical damage to buildings, transportation, infrastructure or critical facilities. However, increasingly, Cyber related: Cyber Attack, Data Breach and Unplanned IT and Telecom Outages are cited as Top 3 Areas of Concern by respondents in a 2017 survey conducted by BCI (Business Continuity Institute). In his Welcome Address, Mr. Sean Chan (President, RIMAS, Singapore) cited the growth of Cyber Attacks, in particular Ransomware, which reached more than 4000 per day in 2016, a 300% increase since 2015. News headlines on disruptions from Cyber Attacks no longer provoke surprises. As we increasingly digitalise our daily interactions with devices, objects, social and business networks, we also as a consequence expand and grow the surface for adversaries to launch Cyber Attacks. The case, for preparing and planning for business

continuity and recovery from Cyber Attacks is thus urgent and needs to be taken seriously. Why Plan? Mr Brian West (Global managing Director, Crisis Management, FleishmanHillard Singapore) highlighted key statistics that support the case for planning: • 75%of companies without business continuity plans fail within three years of being affected by a disaster • 25% of businesses do not reopen following a major disaster • Companies that cannot resume operations within 10 days of a disaster’s first impact are unlikely to survive • Saves money ($1 in DRR saves $4 to $7 in response) A Public Relations strategy is a necessary component of the business recovery plan. He gave an example of Nestle’s loss of 50% market share in India, following Nestle’s challenge to the report by Indian government on the excessive levels of MSG and lead in the instant noodles products. Nestle’s response contrasted with the PR messages sent by Air Asia following its 2014 crash. The CEO showed “authentic leadership” with regular and personal updates on the situation, which resulted in positive public

SINGAPORE CONFERENCE Cyber Security and market reactions, with neither its share price nor market share significantly affected. How to plan? Dr. Roy Rimington, (Vice President, RIMAS), at his “Corporate Enterprise Risk & You” talk on tackling the current challenges of a complex world, pointed to ISO 31000 (the International Organisation for Standardization family of standards relating to risk management) to guide an organisation’s development of framework to business continuity. Interestingly, under ISO 31000, the definition of "risk" is no longer "chance or probability of loss", but "effect of uncertainty on objectives". In other words, "risk" refers to both positive and negative consequences of uncertainty.

"To effectively face the challenges, require not only innovations but also collaboration among each other, domestically and globally" This is also emphasized by Mr. Tim Janes (Global Vice-Chairman, BCI - Business Continuity Institute), who pointed out that planning and preparing for business continuity and recovery also allow businesses to identify how they can benefit from a disruption. Indeed, in today’s world of 24x7 news cycle and social media chatter, reputation is an asset that is becoming more important than ever. A meaningful response to a disruption has the potential to enhance the brand. From this perspective, preparing and planning for business continuity and recovery is an investment on growing the business. What are important considerations? Mr Ellis Stanley (Chairman, Global Board, IAEM) – opened his talk “Building Strong Relationship: A Key to the Road of Resiliency” with an interactive questionand-answer session. Participants introduced themselves and their job roles, to illustrate the importance of communication and building partnerships. A network of >>

Mr. Henry Ee, ARRC Conference Chairman and BCP Asia Managing Director. Photo Credit: Asia Risk and Resilience Conference 2017.

Mr. Sean Chan (President, RIMAS, Singapore) Photo Credit: Asia Risk and Resilience Conference 2017.

Mr. Tim Janes (Global Vice-Chairman, BCI - Business Continuity Institute). Photo Credit: Asia Risk and Resilience Conference 2017.

Australian Security Magazine | 29

SINGAPORE Cyber Security CONFERENCE

Mr Ellis Stanley (Chairman, Global Board, IAEM) Photo Credit: Asia Risk and Resilience Conference 2017.

Malaysia ranks highly in the areas of Capacity Building and Cooperation. He pointed to the first Memorandum of Understanding (MoU) signed between Philippines and Malaysia on 8 Dec 2016. This followed a MoU signed a month earlier with KISA (Korea Internet & Security Agency (KISA), an agency under the Republic of Korea Ministry of Science, ICT and Future Planning. At the MoU signing ceremony with Philippines, Dr. Amirudin added that Malaysia "can contribute significantly to the collaboration with the Philippines in many areas including the capacity building. Its innovative approach in dealing with evolving cyber threats has produced a wealth of training materials for both technical and nontechnical personnel." Besides capacity building, the collaboration also includes the development of Digital Forensics and other relevant laboratories capabilities, advisory on policy, strategy, CERT, and relevant cyber security related activities to strengthen mutual cooperation and relationship. Security-by-Design: Proactive Defence

Dr. Roy Rimington, (Vice President, RIMAS), Photo Credit: Asia Risk and Resilience Conference 2017.

partners with common interests is critical to facilitate a consistent operating picture, to enable recovery in a timely manner with minimum destruction to value. This building of network necessarily entails breaking down silos, raising awareness and continuous collaboration during the “pre-crisis” phase. Practically, a way to develop this network is through CERT (Computer Emergency Response Team) or the CIRT (Computer Incident Response Team) at national/ international, inter-agency or sectoral levels. These exercises not only test the coordination mechanisms, decision making procedures and escalation protocols, but also clarify roles and responsibilities, and improve shared situational awareness within the network. A small-scale of this was demonstrated

30 | Australian Security Magazine

through a 4-stage simulation exercise conducted during the conference - to raise awareness of Phising, a Cyber Attack vector which needs to be identified, understood and managed as part of enterprise-wide risk framework. Case Study: Malaysia

“To effectively face the challenges, require not only innovations but also collaboration among each other, domestically and globally,” said DATO’ Dr. Haji Amirudin Bin Abdul Wahab, CEO, Cyber Security Malaysia, pointed out in his talk “Malaysia’s Initiatives in Strengthening National Cyber Security” at the FinTech Security Summit. In this area, Malaysia demonstrates strong leadership. According to the UN ITU index,

Preparing and planning for disruptions is important for Financial Institutions with complex and legal IT systems, especially those with legacy systems, which are vulnerable to attack (for example, the SWIFT system is based on code that was written in the early 2000s). On the other hand, the intersection of Digital Technologies and financial services has paved the way for exciting innovations – and now is an opportune time for instituting a proactive defence against Cyber Attacks while innovations are being built and deployed. At the FInTech Security Summit, in his Special Address “Security by Design – Disrupted”, Mr Boon Hui Khoo (Commissioner, Global Commission for the Stability of Cyberspace; former Singapore’s Police Commissioner and Interpol President) pointed out that 84% of breaches occur at the application layer and that it was 30 times more expensive to fix issues in production than in project phase. Vulnerabilities in the current wave of innovations (such as the hacking of cryptocurrencies private wallets and to steal private keys, or the unbanked sector with limited cyber awareness), where getting to market fast is key with security as an afterthought meant that there is more surface for Cyber Attacks and crimes and, security

SINGAPORE CONFERENCE Cyber Security and data privacy challenges, he added. Why Security-by-Design? Singapore CyberSecurity Strategy defines “Securityby-design is a best practice to ensure that system is developed with security consideration upfront and throughout its lifecycle. By integrating risk assessment into the system development lifecycle, trade-offs between security, cost and functionality are deliberated. The trade-off decisions should be made by well-informed management at the appropriate level of decision making. This ensures that the system is optimized for the conditions in which it is to be used. Subscribing to Security-by-Design will reduce piecemeal implementation and the need for costly and often ineffective retrofitting”. How to embed Security-by-Design? Mr. Khoo provided specific approaches in DevOps and Agile Development to become a “support and partner in the equation” to “secure applications from plan and design phases to on-going operations and retirement”.

Mr Boon Hui Khoo (Commissioner, Global Commission for the Stability of Cyberspace; former Singapore’s Police Commissioner and Interpol President) at the FinTech Security Summit (Singapore Shangri La) – on “Security by Design”

DevOps:

•

Culture: Tighter Communication and Integration between system engineering and development teams Processes: Automated deployment pipeline integrated with security reviews and testing with strong feedback loop to operations and development teams Technologies: Advanced combination of open source and commercial tools assessing various aspects of application (requirements, code, deployment, etc)

Agile Development: • Shorter Release Cycles: Shift work “to the lift” as much as possible, to ensure no major issues or defects are found late in the release cycle • Smaller Batch Sizes: Reviews and tests should be able to evaluate small portions of the application while ensuring all dependencies are also covered • Cross-Functional Teams: norm, to ensure up-to-date information on project milestones and activities in agile developments Case Study: Singapore

Singapore CyberSecurity Strategy calls for an “the adoption of Security-by-Design practices to address cybersecurity issues upstream and along the supply chain”, and that “Cybersecurity will no longer be an afterthought, but will be consciously

DATO’ Dr. Haji Amirudin Bin Abdul Wahab, CEO, Cyber Security Malaysia, on “Malaysia’s Initiatives in Strengthening National Cyber Security” at the FinTech Security Summit, Singapore Shangri-La.

implemented throughout the lifecycle of technology systems”. The Government will promote the adoption of Security-by-Design in several ways: • Progressively institutionalise Security-byDesign into the governance framework for CII (Critical Information Infrastructure) protection; • Promote the practice of penetration testing to discover vulnerabilities early for remediation at the design stage; • Build a strong community of practice in product and system testing based on established international standards, such as the Common Criteria product assurance certification; and • Continue to refine methodologies and develop new security validation tools to improve the efficacy of Security-by-Design.

End-to-End Cyber Security: Business Recovery and Security-by-Design

An effective cyber defence must assume that there can and will be successful Cyber Attacks. When such attacks materialise, the cyber defenders must be able to mount a robust response and implement reliable recovery plans. A well thought-out security design during the system development phase and through its life cycle, will also help reduce the attack surface. These measures should form part of the end-to-end Cyber Security framework to ensure that security controls are commensurate with rapidly evolving trades to minimise potential breaches or disruption of digital services.

Australian Security Magazine | 31

Cyber Security

Playing in the sandbox to combat ransomware By Brook Chelmo Sr. Product Marketing Manager, SonicWall

ecurity companies have been making great strides in protecting and preventing cybercrimes. According to the SonicWall 2017 Annual Threat Report, point of sale malware has decreased 93 percent since 2014 and encrypted traffic grew by 38 percent, very positive numbers going forward. Unfortunately for all the good, there have also been some challenges companies large and small had to handle. Last year the Australian Cyber Security Centre found that of those surveyed, 90% faced some form of attempted or successful cyber security compromise. Ransomware is still a threat to Australian businesses and large-scale global attacks known as WannaCry and NotPetya prove that ransomware is definitely something to worry about. As ransomware becomes ever so much more complex and costly, it is imperative that businesses and security professionals incorporate sandboxes to their preferred methods of combating ransomware, targeted attacks, and zero day threats. Once IT professionals understand the challenges they are facing, the different protection methods that can and canâ&#x20AC;&#x2122;t keep malicious code out and the risks associated with some protection methods, security professionals will have a better understanding of why using a multi-engine network sandbox to catch evasive malware is the best way forward. IT Teams Nightmares As hackers have combined the opportunistic nature of automaton with a software vendorâ&#x20AC;&#x2122;s mindset the growth of security threats has grown astonishingly. Hackers are

32 | Australian Security Magazine

continuing to refine their craft creating threats that are continually evolving and nearly undetectable. The real problem however, lies not in the ransomware that has already had devastating effects on organisations but the targeted attacks and zero-day threats that are most dangerous to companies. Targeted attacks involve never-before-seen code built for the organisation that is being attacked, while zero-day threats exploit newly discovered vulnerabilities that vendors have yet to issue patches. There are a couple of choices in how companies decide to detect malicious attacks and eliminate the threats. The real trick to the trade is to detect and remove malicious code as close to the source of the attack as possible. As far as where to address an attack, companies typically fall into two groups: endpoint security, in which malicious code makes its way to an endpoint and is then detected and stopped, or Network Security in which malicious code is identified and destroyed before it enters the network by using gateway security and multi-engine sandboxing. Organisations like SonicWall promote the idea of embracing both disciplines but finds the network security approach to be the most effective at eliminating the highest number of threats. Keeping the Good Away from the Bad If protecting a network is like protecting a house, the first step is to lock all the points of entry and control who

Cyber Security

“... by themselves they can be tricked by zero-day threats and threats that have been mutated. The sandbox defence is the most effective detection method. Even with zero-day attacks that have no signature and code that has never been seen before"

comes in by using the front door. The front door is a good place for IT teams to investigate who is trying to enter and what threats they possess. By placing solutions that can detect malicious code just inside a next generation firewall (NGFW), it is similar to having a bouncer at the door checking ID’s. Nothing gets in without the bouncer knowing about it. As large volumes of data flows through, it is scanned, using several methods to detect malicious code: •

•

Signatures – Using a database of malicious digital signatures, traffic is scanned to seekany data that matches a signature. Should a match be found, the code is flagged as malicious Heuristics – Unlike signatures, which look for specific matches within a database, heuristic-based scanning uses rules and algorithms to detect code that might have malicious intent. Sandboxing - Rather than try to comb through code to find malicious signatures or intent, the sandbox allows the code to be detonated, or run as intended within an isolated environment, and monitors the behaviour for malicious activity. This process is accomplished in a purpose-built environment, or sandbox, where no harm can be done.

Using these technologies in conjunction has proven to be effective and efficient. Threats that are easily picked up

with signatures and heuristics are automatically discarded quickly allowing the sandbox to focus on the potential threats that require a bit more detail and examination. However, signatures and heuristics alone are not sufficient in protecting a network. Signatures and heuristics run passive scans of traffic, but this doesn’t allow the code an opportunity to become active. Hackers are now able to obstruct their threatening code within a non-threatening code. The most effective way to detect malicious code is to interact with a completely hostile version. Additionally, hackers have found ways to evade sandboxes, which is why it is recommended today to use a multi-engine sandbox that can detect more threats within different parts of a system than one that does not use this discipline. Life inside the Sandbox The only way to catch advanced malicious code is to “detonate” it. Detonation acts very differently to a passive scan of code. Detonation consists of using a safe place, like a sandbox to open and run potential malicious data and observe if it is indeed a threat or not. If the code is dangerous a good multi-engine sandbox contains it, disposes of it and allows the vendor to learn from it. The sandbox monitors malicious code and its interaction with the operating system. The sandbox can even go as far as to create signatures of malicious code it finds, updating the threat database, and protecting others from harmful code. Enter Sandman Signature-based detection and heuristics detection are a step in the right direction, looking for abnormal patterns in code. However, by themselves they can be tricked by zero-day threats and threats that have been mutated. The sandbox defence is the most effective detection method. Even with zero-day attacks that have no signature and code that has never been seen before, sandboxing is the only method that detects malicious behaviour. So make sure to lock up the front door and keep cool while leveraging the sandbox with important networks.

Australian Security Magazine | 33

National Security

Shake up & uncertainty for Australia’s domestic security arrangements

O By Dr John Coyne Head of Border Security, Australian Strategic Policy Institute

n the 17th and 18th of July this year, Prime Minister Malcolm Turnbull made two different announcements, on three separate issues that are set to shake up Australia’s domestic security arrangements for many years to come. While there has been plenty of excitement about these changes, much needs to be done before they can be implemented let alone considered a success. On the 17th of July, Prime Minister Turnbull and Defence Minister Marise Payne announced a raft of proposed changes to the arrangements for the deployment of the Australian Defence Force (ADF) in response to terrorism. Prime Minister Turnbull's proposed changes will provide some counter-terrorism (CT) decision makers with several new options. The proposal to simplify the arrangements for ADF call out for domestic terrorism incidents has merit, but is in no way a panacea for domestic terror threats. To be sure the States and Territories’ governments should be closely examining the wider impacts and limitations of the Commonwealth’s proposal. On the 18th of July Prime Minister Turnbull released an unclassified version of the 2017 Independent Intelligence Review report authored by national security stalwarts Mr Michael L’Estrange AO and Mr Stephen Merchant PSM.

The report’s 23 recommendations cover a lot of ground, but the establishment of the Office of National Intelligence (ONI) as a statutory authority within the Prime Minister’s portfolio is likely to see a lot more coordination across the Australian Intelligence Community (AIC) which has to be a good outcome for all. While these announcement were newsworthy enough on their own, it was Prime Minister Turnbull’s announcement regarding the establishment of a Home Affairs Portfolio that represents what could be a once in forty year reform of Australia’s domestic security arrangements. The proposed portfolio, in a broad sense, is to be similar in nature to the United Kingdom’s Home Office arrangements. Our proposed Home Affairs Portfolio will bring together Australia’s immigration, border protection and domestic security agencies. In a practical sense Australian Security Intelligence Organisation (ASIO), the Australian Federal Police (AFP), the Australian Border Force (ABF), the Australian Criminal Intelligence Commission (ACIC), the Australian Transaction Reports and Analysis Centre (AUSTRAC) and the Office of Transport Security (OTS) will become federated under a portfolio arrangement. These agencies will then be supported by a central department, created from the existing

National Security

Department of Immigration and Border Protection (DIBP), which will oversee policy and strategic planning and the coordination of operational responses. While the introduction of the ONI is underpinned by the substantial and independent review of the AIC, the drivers for Prime Minister Turnbull’s decision to establish the Home Affairs Portfolio are far less clear. Even the overarching strategic guidance from Prime Minister Turnbull appears to be contradictory. Although the Turnbull government has acknowledged that the operational agencies like AFP and ASIO will retain their statutory independence, he has also said that the new arrangements will ‘improve the strategic policy planning and coordination’ that guides their activities. It seems that at least some conflict between the operational agencies and the Portfolio’s Department is inevitable. A point made crystal clear when both the AFP Commissioner, Andrew Colvin and Director General ASIO Duncan Lewis expressed publicly their concern over the Home Affairs arrangements. Australia’s continued success in disrupting terror plots makes it unlikely that anyone is going to be crafting drastic changes to CT arrangements. But there’s much more to home affairs and domestic security than CT. By way of example, Australia’s strategies and policies for dealing with transnational serious and organised crime and illicit drugs have nowhere near the same level of coordination or success as those in the CT domain. That becomes clear when you consider the following: • In June 2016 the ACIC estimated that serious and organised crime cost Australia $36 billion in 2013–14. • Australia’s current national drug strategy is now two years out of date—and the replacement National Drug Strategy 2016–2025 is still only in draft. • The ACIC’s latest Illicit Drug Data Report found that, for the most part, illicit drug purity is unchanged and that drugs remain easy to obtain and, in some cases, their street price is dropping not increasing. • Australia’s National Organised Crime Response Plan lacks relevance to law enforcement decision-making at operational and tactical levels. Arguably, a lot of the most dramatic changes that the Home Affairs portfolio brings about will relate to Commonwealth law enforcement structures, policies and strategies. So there is an opportunity for the Home Affairs Minister and his Departmental Secretary to work with its federated partner agencies to develop new whole of government strategies. As the minister responsible for Australia’s national law enforcement strategies, Dutton will encounter more than a few conflicts between state and territory jurisdictional priorities and those of the Commonwealth. Nevertheless, the resolution of those conflicts, in the form of a clear national law enforcement strategy, is well overdue. In making changes, Home Affairs Minister designate, Peter Dutton, ought to be mindful of the importance of independence and accountability in law enforcement. Interestingly, the Turnbull government has decided to implement this policy initiative as a change in the machinery of government, delaying the need for legislative amendments. This said, it is likely that in time, the home Affairs changes will require legislative changes that will

"The final form and function of the new Home Affairs Portfolio, and its operational agencies still remains far from clear. With an election on the horizon for the second half of 2018, fast tracked change seems inevitable." need to pass through both houses of government. In the absence of substantive justification for such changes it is likely that these kinds of amendments will face a bumpy ride. Until these changes are implemented, the Home Affairs Portfolio’s longevity will be brittle, and particularly vulnerable to changes in the political landscape. Minister Dutton is well versed in how much time, energy and effort will be required to implement this kind of dynamic change. Minister Dutton has gained plenty of experience in dealing with those kinds of challenges following the creation of the DIBP and the ABF. The secretary of the DIBP, Michael Pezzullo, and the commissioner of the ABF, Roman Quaedvlieg, brought together two very different agencies to achieve both operational and strategic successes. But two years down the track, they still face a long and difficult road in building a new organisational culture. A key lesson learned is that this kind of change may take up to a decade to fully mature. Prime Minister Turnbull has established three separate taskforces to implement these new initiatives. One task force was established, to review and implement the recommendations from the 2017 Independent intelligence Review. Two further taskforces have been formed to establish the Home Affairs Portfolio: one to coordinate the structural changes, the other the changes in Portfolio operations. With an implementation date of 30 June 2018, Home Affairs planning will need to move at speed. The final form and function of the new Home Affairs Portfolio, and its operational agencies still remains far from clear. With an election on the horizon for the second half of 2018, fast tracked change seems inevitable. For both the private and public sector there’s likely to be a lot of uncertainty around Australia’s final domestic security arrangements for the next twelve months to two years About the author: Prior to ASPI, John was with the Australian Federal Police, where he worked on transnational serious organised crime, national security, and counterterrorism. Over the last twenty years he has been an intelligence professional at tactical, operational, and strategic levels across a range of military, regulatory, national security and law enforcement organisations. During this period he has worked extensively in the ASEAN region, delivering a range of bilateral research projects. His more recent work in this area has focused on enhancing multilateral ASEAN information exchange regarding non-traditional illicit commodity flows.

Australian Security Magazine | 35

Cyber Security National Security

Emerging threat landscape Where Will Your Next Threat Come From?

By Stewart Hayes

Organisations are today more aware of the threats facing their business than ever before. These are extensively covered in the media and increasingly highlight the vulnerabilities and exposures they face. At the same time the environment for doing business is changing with increased globalisation, calls for quicker response to market demand and changes to the political landscape. As a result it is becoming increasingly difficult for the executive to decide where best to spend the ‘security dollar’; in cyber controls or physical security systems. Add to this the internal threat posed by employees and contractors and the potential is to develop a largely reactive security ecosystem. Security professionals advising executives should be able to develop a strategy that is based on realistic scenarios and is able to protect and support the business operation in the face of changes to business objectives and emerging threats. This approach is based on the ability to understand the enterprise risks, normalise the threat horizon and address the risks that most matter. Anatomy of a Crime in Three Steps To understand the risks they face, organisations and security managers must understand the threats, why they are relevant and how they are likely to impact the business’s operation and objectives. Aside from the natural hazards an organisation must tackle, it is essential that a clear picture can be defined of the deliberate threats that are faced. Using the ‘Anatomy of a Crime’ analogy below there are essentially three components to be considered: What is the value of the target? This defines the value to the attacker in terms of financial or political gain or more often now, notoriety; How easy is it to access the target? What controls will

36 | Australian Security Magazine

need to be circumvented to enable the attacker to access the target, how much will it cost; and What is the likelihood of getting caught? Are there controls and response mechanisms in place that will identify the attacker and lead to them being apprehended in a short time? This is the basis of an enterprise risk assessment and should be defined and maintained for existing or known threats to the organisation’s operation and form the basis of a strategy for emerging threats. Emerging Threats Whilst controls are widely defined and established for known threats in the Physical, Cyber and Personnel environs, organisations have been lax in maintaining these and as a result identified weaknesses or vulnerabilities have been exploited. Alongside this are newer threats which, whilst they may have been developing for some time, are now mainstream and must be considered within the enterprise risk management plan as real threats – worldwide. Radicalised Individuals Whilst this was considered an issue in localised areas of the world this has now become a problem endemic to

National Security

society. Not only are groups of individuals being targeted and encouraged to cause mayhem and disruption, there are individuals with psychopathic and anarchist tendencies using established terror groups as a channel for carrying out acts of violence and destruction. The danger with these individuals is they do not fear getting caught! State Based Cyber Attacks Nation-state hackers are increasingly targeting government institutions, industrial facilities and many businesses with powerful and sophisticated techniques, which interrupt business operations, leak confidential information and can result in massive data and revenue loss . In most cases, nation-state based attacks have relatively unlimited resources and look for long term strategic gain, not short term profit. Advanced Persistent Threat An Advanced Persistent Threat (APT) is a prolonged, aimed attack on a specific target with the intention to compromise their system and gain information from or about that target . APT usually refers to a group, such as a government, with both the capability and the intent to target, persistently and effectively, a specific entity. Internet of Things The IoT is the concept of basically connecting any device with an on and off switch to the Internet (and/or to each other). This includes everything from cell phones, coffee makers, washing machines, headphones, lamps, wearable devices and almost anything else you can think of. This also applies to components of machines, for example a jet engine of an airplane or the drill of an oil rig. "If one thing can prevent the Internet of things from transforming the way we live and work, it will be a breakdown in security". That is anything that is accessible can be targeted. Cloud Services The ‘cloud’ is now a commonly used term for the practice of using a network of remote servers hosted on the Internet to store, manage, and process data, rather than a local server or a personal computer. Whilst convenient and accessible, the Cloud (essentially a computer under someone else’s control) is a shared environment and is now providing business leaders with ease of access to capability that is seen as costly and intransigent when provided internally. It is likely there are numerous Cloud Services in use by an organisation that fall outside the company’s security envelope and present unqualified vulnerabilities. Phishing Targetted ransomware attacks against organisations has been on the increase causing significant disruption to national and essential services. Vehicles as Weapons There has been a noticeable increase in the use of vehicles (buses, truck and cars) as weapons against members of the public. This gives the attacker abundant accessibility and

potentially the ability to damage buildings as well as cause injury and mayhem to staff. Political Changes Changes to the political climate of the region may impact any services that are delivered or supported from that region. This could adversely impact any investment made in countries that change their trading and operating policies. Global Warming Global warming is impacting local weather patterns in regions around the world. Services provided by or supported in some regions are becoming impacted by previously unusual natural events which in some cases is impeding their ability to provide an adequate service. Moving Forward Referring back to the anatomy of a crime model, organisations must consider the value of their assets and how accessible these are. Value may not just be monetary or political gain but could also be interpreted as notoriety or disruption. Putting this together with ease of access to public institutions or shared computing environments, the ability to potentially access any internet based system and the low likelihood or fear of being caught makes for a broader risk profile than organisations have previously encountered. An organisation’s security ecosystem must be able to respond to emerging and changing threats. Some of these may be predictable and judicious oversight of the enterprise risk management framework will highlight these. Others however are less predictable and the organisation must rely on key security concepts to be able to manage a multitude of threat events: • Understand the organisation’s operational environment, strategy and risk appetite; • Maintain and test the security controls and ensure they address emerging threats. Don’t rely on single points of control – layer them; • Maintain and test business continuity and disaster recovery plans: not just the technology but the people as well; • Ensure staff, contractors and other stakeholders are aware of the risks and their responsibility in managing those risks. Security is never a black and white concept, there will always be areas of grey or ‘residual risk’. New threats cry out for new controls, however making sure existing controls are functional is a big step forward. These threats may not be treated directly but may be contained and managed if the right preparations have been made, maintained and tested. About the Author Stewart has over 25 years experience in security and risk management covering the hazards presented to the cyber, physical and personnel operating environments. As a strategic security services consultant Stewart has defined and delivered security ecosystems that both manage the risks and enable the business.

Australian Security Magazine | 37

Cyber Security National Security

The role of intelligence in maximising security capability

T By Jeff Corkill

38 | Australian Security Magazine

he function and use of intelligence is generally well understood in the military and national security domain space. In the private and corporate security space whilst often referred to, the actual understanding of the functions of intelligence is much more variable. Regardless of whether you operate in the national security or corporate security environments good intelligence is essential to your ability to fully exploit your capabilities and resources. Intelligence is defined in many ways, at its most simplistic intelligence is specifically collected information that has been processed and value added for the purpose of optimising decision making. Intelligence offers decision makers environmental and situational context contributing to their understanding of their circumstances. In addition intelligence helps to make sense of the chaotic, to make sense of incomplete and variable data, what has happened and what might happen as a result. Whilst decisions may be and often are made without supporting intelligence, good intelligence enhances the decision process. In order that security can effectively exploit an intelligence function a number of factors need to be addressed. Firstly what is it that security is required to protect? A singular geographically constrained object is very different to a complex international system of assets. What are the capabilities available to you to execute protection of the company assets

and finally where is the real value held in terms of the assets you need to protect. Think reputation, intellectual property or physical asset. Knowledge of these factors is the responsibility of the security management function. It is this that establishes the scope of intelligence operations. The responsibility of the intelligence function is threat, the intelligence function understanding what needs to be protected and why focuses on identifying the threat. Once identified intelligence monitors threat, works to understand threat capability and intent and most importantly anticipate threat actions directed at the assets requiring protection. This relationship, depicted simplistically, between intelligence and security is the key to the successful protection of assets. Security management defines the scope of the problem, intelligence defines the nature of the threat and advises security management. Security management acting on the intelligence is able to make optimised operational decisions on the allocation and application of resources to mitigate and neutralise threat actions. The key to successful intelligence products is access to information. In an information rich world information in and of its self is not hard to acquire, what is required is specific relevant information. Specific information can be collected from a wide range of information sources, these include; internally owned information resources, external information

National Security

repositories, domestic and international information resources. Information can be acquired from corporate stakeholders and or various government stakeholders. It can be garnered from formal and traditional media forms and from new and social media systems. Security information can be textual, it can also be machine data gathered from facilities management and security access systems, or visual data from CCTV. The successful exploitation of this wealth of information is built on a foundation of successful information management strategies. At the lower end of the spectrum it might be as simple as a hierarchy of folders interrogated through windows explorer. At the high end of the spectrum it might be anyone of the many dedicated information management software systems that allow for complex interrogation and compilation of a wide range of report types. For some organisations it may be that the incident management system becomes the major repository for intelligence and security information. Regardless of the system used to have an intelligence capability must be stored managed and retrievable. Whilst information is critical to the production of intelligence it is the analysis and integration of information that transforms information into intelligence. This does not mean information has no value without analysis, there is no doubt much tactical decision making can be undertaken simply on the basis of actionable information. However that is not intelligence and neither is the simple collation of and laying out in sequence evidence without explanation as to its meaning. Analysis provides the explanation of what the evidence means, what might happen and why. Regardless of the tools used analysis is at the end of the day an intellectual task that requires someone to think critically, synthesise the disparate information and evidence and form that into a product. Tools to assist with analysis vary widely in sophistication and cost from the white board and a handful of different coloured markers through to sophisticated software packages and systems such as “Analyst Notebook” and “Palantir”. Intelligence is of limited value unless it meets the need of the decision maker and is provided in a format that is understood and actionable. For the most part it will be delivered as either a written product or provided verbally. Written products that are concise, utilise simple but precise language and clearly states what the evidence means and options for response is more likely to be acted on by the decision maker. Verbal products need to be delivered clearly, confidently and persuasively. Furthermore intelligence products need to be provided to decision makers prior to their need to make the decision, intelligence after the fact is of essentially no value. Whilst intelligence is important to supporting decision making the effort required for successful intelligence production can be significant. At the national security level we see agencies dedicated to information collection and others to the analysis of that information. How does that capability get translated into cost effective system that can support widely variable corporate security needs. Intelligence is scalable, in the smaller organisation it might be that the security manager is in fact the analyst. In bigger organisations a dedicated intelligence capability may be achievable.

“... intelligence is to enable decision makers to make optimised decisions in the context of threat posed and resources available to counter or combat that threat. A security intelligence capability exploits the universe of relevant information in order to tap into internal and external information streams and repositories." The purpose of intelligence is to enable decision makers to make optimised decisions in the context of threat posed and resources available to counter or combat that threat. A security intelligence capability exploits the universe of relevant information in order to tap into internal and external information streams and repositories. Information gained is integrated and analysed in order to develop specific products (intelligence) to support security decision makers at all levels, from a surveillance operator, to patrolman through to general managers. As many organisations move towards integrated management and security systems the belief is system integration enables better decision making because all the relevant information is being captured. However, just how integrated is the information universe in which the organisation operates? Information is messy, it resides in all manner of locations many of which are external to the sophisticated technical systems relied on to provide situational awareness. Security intelligence is the function that creates order out of the information jungle and allows security to add value to the business.

Australian Security Magazine | 39

Cyber Security National Security

COVER

FEATURE

Emerging bio-threats: The age of the invisible enemy By Debbie Evans

PART I - ZOONOTIC DISEASE

he 2001 Anthrax attacks on America were met with shock, fear and disbelief. The horror of the September 11 terrorist attack on the World Trade Centre was exacerbated by the mailing of envelopes containing Bacillus Anthracis (Anthrax) spores to media companies and congressional offices, resulting in the deaths of 5 people and illness of a further 17 people, a nation in panic, and numerous hoaxes and false alarms adding to an already stressed emergency infrastructure. The ‘Amerithrax’ investigation by the FBI alleged that Dr Bruce Ivins, a biodefence researcher working for the US government, was responsible for the attacks. While Ivins committed suicide before he could be formally charged, the attack exposed considerable global vulnerabilities in biosecurity, including the lack of security measures at diagnostic and research facilities. Over 15 years have passed since the Anthrax attacks, and while global terrorist incidents are seemingly on the rise and dominating mainstream media, there have been no significant bio-incidents following the 2001 Anthrax event. In recent times, we have instead witnessed the rise of ‘lone wolf attacks’ by individuals or loosely coordinated groups, utilising

40 | Australian Security Magazine

conventional items as weapons to successfully carry out terror attacks… a far cry from what would constitute a sophisticated bioterror incident whereby deadly pathogens are extracted, cultivated, developed into a viable weapon and successfully deployed. Suicide bombings and sidewalk terror seem a more likely choice due to their ease and impact. Although bioterrorism remains a less likely scenario in the present security environment, other perhaps more worrying global biothreats have emerged. Like it or not, these threats are already here, knocking loudly on the doors of global policy makers. Antimicrobial Resistance, Dual-Use Research of Concern (DURC), Gain-of Function Research, and the DIY-Bio Revolution are featured as the most prominent biological threats. Not to be overlooked however, are the pathogens which occur naturally in the environment, and a result of the evolution of micro-organisms. Health officials and experts predict that approximately 70% of emerging infectious diseases are ‘zoonotic’ – diseases which originate in animals and are transmitted to humans. With global travel and trade, agricultural intensification and urbanisation fuelling pandemic potential of disease outbreaks, it is of little wonder that global health leaders are concerned about emerging and novel zoonotic diseases.

National Security

“Over 15 years have passed since the Anthrax attacks, and while global terrorist incidents are seemingly on the rise and dominating mainstream media, there have been no significant bio-incidents following the 2001 Anthrax event."

Middle East Respiratory Syndrome (MERS-CoV), Highly Pathogenic Avian Influenza (H5N1, among other strains), Novel Influenza A such as ‘Swine Flu’ (H1N1), Severe Acute Respiratory Syndrome (SARS), Ebola (EVD), and Hendra Virus are all examples of zoonotic diseases. According to the World Health Organisation (WHO), the source of MERS-CoV are thought to be camels with fatality rates in humans estimated to be approximately 35%; H5N1 from poultry and wild game birds has an estimated mortality rate of up to 60%; and EVD is thought to originate from bats with human fatalities varying between 25% and 90%. With the increasing human population and global travel part of contemporary society, the U.S. Centers for Disease Control and Prevention (CDC) predict that infectious diseases can spread to any major city in the world in as little as 36 hours. Nowhere is immune – infectious disease knows no boundaries. Given the pandemic potential and morbidity and mortality rates of many zoonotic diseases, the security or ‘biosecurity’ of these pathogens is of utmost importance. Research and diagnostics are at the forefront of efforts to predict, detect and respond to emerging zoonotic disease, however these efforts are not without inherent risks. Within a laboratory setting, securing pathogens from accidental

release and protecting personnel from Laboratory Acquired Infections (LAI’s) is largely the domain of biosafety. Biosecurity on the other hand focusses on building measures of security around the pathogens to protect them from deliberate misuse, theft or malicious centred action. The higher the risk posed by the pathogen, the higher the Biosafety Level (BSL) or Physical Containment (‘PC Level’) requirement for the agent and the holding facility. In Australia, the CSIRO’s Australian Animal Health Laboratory (AAHL) located in Victoria is one of only six highcontainment animal research facilities in the world, operating at a PC Level 4. The AAHL contains a PC4 Zoonosis Suite and is able to conduct research on some of the deadliest agents in the world, as well as providing diagnostic expertise and training throughout the Asia Pacific Region. Biosafety and biosecurity at the facility is a comprehensive system of policies, procedures and measures including physical security and specialised containment systems to ensure adequate protection is afforded to laboratory personnel, the environment and the wider population. Seemingly, Australians may rest assured that some of our brightest scientific minds together with the highest level of security oversight are ensuring these pathogens remain secure in the AAHL facility. However, given that disease easily transcends borders, should we feel the same level of assurance about diagnostic and research facilities in other countries? How do developing countries stack up when it comes to biosecurity? In the past decade, research suggests biosecurity in developing countries is inadequate, with biosecurity breaches and lax physical security posing potential risks to human health. Surveys of scientists across Asia, Eastern Europe, Latin America, and the Middle East for example suggest developing countries do not have the necessary biosecurity measures to prevent biosecurity breaches. Several factors may be attributable to this, including a lack of regulatory framework in developing nations, as well as funding and infrastructure based challenges. Above and beyond international policy and economic challenges of biosecurity regulation in developing nations are a raft of political, social, cultural and environmental factors which should also be considered when critically analysing bio-risk. Respect for law and order including nationally imposed biosecurity legislation may differ tremendously between developed nations such as Sweden and Australia, compared with developing nations such as Malaysia and Indonesia. Even with regulatory frameworks and management controls, biosecurity may still be largely vulnerable to endemic corruption or exploitation issues in some of these countries. Unfortunately, these social, cultural and political factors may continue to permeate >>

Australian Security Magazine | 41

National Security

accepted biosecurity protocols, regardless of external or international pressure, or threatened legal consequence. While research suggests there may be a higher risk of biosecurity breaches in developing nations, these countries aren’t the only source of biological risk from research and diagnostic laboratories. There have been several alarming breaches of biosecurity in recent years in the US alone – from the discovery of unsecured smallpox vials in a National Institutes of Health (NIH) storage room, to reports of live anthrax and plague samples being shipped from US military labs to a number of locations both within and outside the USA. These breaches highlight that accidents and mistakes can occur anywhere and in both developed and developing nations. Biosecurity challenges may differ between nations, but no country can afford to be complacent - particularly when emerging and novel zoonotic diseases potentially lack the medical and diagnostic response mechanisms that other well understood pathogens have. Biosecurity breaches of emerging zoonotic diseases could potentially be catastrophic. Security professionals across the globe play an important role in recognising the threat of biological agents and promoting both biosafety and biosecurity standards in research, diagnostics and other biocontainment facilities. However, developing complex systems of security is no easy feat, particularly when dangerous and infectious agents are not obvious to the human senses. Outside of diagnostic or research facilities, security professionals may also play a role in recognising and responding to broad spectrum biological threats. The age of the invisible enemy is upon us - biothreats have evolved beyond ‘bioterrorism’ and ‘biowarfare’ and security professionals may benefit from evolving their professional knowledge base to include insights from biosecurity material and evidence. Biological threats are reaching a new level of maturity which must be recognised across security disciplines and outside of traditional diagnostics and research laboratories. Security concepts such as Defence in Depth should arguably include a dedicated layer of biological protection. This is an emerging realm which extends well beyond physical security, and as such, the development and addition of biosafety, biosecurity, infectious disease, epidemiology, and global health security into the security professional’s body of knowledge may be a critical step in reflecting the maturation of the global biological environment. This recognition, together with a critical understanding of socio-political and cultural vulnerabilities across specific regions may prove fruitful in years to come. While governments continue to disagree over issues of international security, policymakers and security professionals must contend with the fact a profoundly challenging biological age has descended upon us. International and interdisciplinary cooperation is paramount and developed nations will need to lead the way in addressing biological risks, ideally as a function of their own national security endeavours. PART II - DUAL USE RESEARCH OF CONCERN We are living in an age of exponential scientific development, with advances in technology promoting life changing solutions in numerous disciplines such as bio-medicine, bio-

42 | Australian Security Magazine

technology, and environmental bioscience. The progression of humankind to find solutions for biological challenges is at times awe-inspiring. Technological applications such as bioremediation – the use of biological organisms to break down hazardous or toxic substances in the environment have surpassed the concept stage and have been developed into purposeful solutions which are already being utilised in some parts of the world to respond to environmental incidents such as oil spills. Other biological developments which have emerged from bio-research such as GMO food production offer potential solutions for long term food security and sustainability. Lurking in the shadows of scientific advancement however, there is a darker, more frightening side to technological research and development. In the Life Sciences domain, research and experiments which could be used for malicious as well as peaceful purposes, or which potentially expose the human population or environment to an increased risk of harm through accidental or unintentional means are referred to as ‘Dual Use Research of Concern’ or DURC. The concern is that terrorist organisations, non-state actors, bio-criminals or community based DIY-Bio scientists could use current scientific technology and gene editing techniques to create dangerous pathogens, or modify or enhance existing pathogens into more virulent and transmissible strains. Equally concerning is that biosafety and biosecurity breaches could result in dangerous pathogens escaping research or diagnostic facilities or home-based labs through unintentional release or Laboratory Acquired Infections (LAI’s). In recent years, debate has surfaced among scientists, researchers, academics and other concerned professionals with respect to DURC. Some argue such research is vital to understand pathogenicity, virulence and transmissibility of pathogens in preparation for natural outbreaks, and to enable researchers a ‘head-start’ in the development of vaccines and treatments as part of pandemic response. For example, given that reassortment (the mixing of genes) can occur between human and animal influenza A viruses such as Highly Pathogenic Avian Influenza (HPAI) resulting in transmission between humans, research to deepen the understanding of how, when and why this occurs is seemingly of benefit to global health security. However, others argue the risks of a modified or enhanced virus escaping containment and becoming a global pandemic outweigh the benefits of Potential Pandemic Pathogen (PPP) research. While some PPP research is arguably a step toward global preparedness, the publication of results, along with research methods and techniques are of much debate. The following cases highlight these concerns; The Mousepox Experiment In 2001 two scientists named Ronald Jackson and Ian Ramshaw inadvertently created a super-virus by modifying the Mousepox Virus in an attempt to induce infertility in mice as an environmental biocontrol mechanism. The altered virus was found to be lethal to mice, including those vaccinated against the mousepox virus. Essentially, the genetically modified virus was able to circumvent vaccination which was incredibly concerning – if the same experiment

National Security

was replicated using other ‘pox viruses’, such as smallpox, the potential existed for the creation of a super virus which could infect millions of people with no known cure. However disturbing this may sound, undoubtedly more disturbing is that the findings, materials and methods of the experiment were published in Journal of Virology in 2001. Recreation of the 1918 Spanish Influenza The 1918 Spanish Influenza virus is thought to have killed up to 50 million people worldwide. In 2005, researchers in the US were able to extract the 1918 Spanish Influenza virus from samples of lung tissue from US Soldiers using reverse genetics. The sequenced 1918 virus code was then recreated by using an existing influenza virus and individually swapping each gene. As a result, the deadly 1918 Spanish Flu was successfully resurrected. The researchers published their report titled Characterization of the Reconstructed 1918 Spanish Influenza Pandemic Virus in the October 7, 2005 issue of Science. These are only two examples of DURC which caused concern – if not some outrage – that the experiments and their subsequent publication were not only irresponsible, but downright dangerous and potentially unethical. Notably, the above research was conducted in 2001 and 2005 respectively, but the DURC issue remains and if anything – has intensified. A recent article in Science (published July 6, 2017) describes how Canadian researcher Dr David Evans led a research team which synthesized the Horsepox Virus by ordering DNA over the internet from a synthetic genomics company in Germany. Once again, synthetic re-creation of any of the ‘Pox Viruses’ are alarming not only with respect to human health, but for the potential risk posed to animal health. The fallout from the Mousepox experiment among other DURC has obviously had little effect. Although the details of the Horsepox experiment have not been released to date, research and publication of other technological ‘blue-prints’ of biological information has had an almost polarising effect on scientific discourse seeing the creation of groups such as the Cambridge Working Group. However any attempt to ‘contain’ or ‘suppress’ the publication of scientific research has been met with harsh opposition and will likely continue to be. Censorship would not be seen to be in the public interest, and restrictive regulation of scientific knowledge is arguably beyond social and political reach. In an effort to address widespread concerns relating to DURC, the US National Science Advisory Board for Biosecurity (NSABB) published a report in May of 2016 providing recommendations for dealing with proposed GainOf-Function (GOF) Research and GOF research of concern (GOFROC). GOF Research is research which enhances the ability of a pathogen to cause disease, or generates highly transmissible and highly virulent pathogens with pandemic potential. The NSABB developed a framework to guide funding for GOF research in influenza viruses that are transmissible between mammals. However, the recommendations of the report are limited to controlling GOFROC by restrictive funding, and the included pathogens are limited to influenza viruses, SARS-CoV and MERSCoV. The report does not include recommendations for the application of restrictive measures to privately funded

research, nor places of potential research such as privatelyoperated community labs or DIY-Bio groups. Modifications to viruses other than influenza-type as well as other pathogens including bacterium seem to have been overlooked. In Australia, the Gene Technology Act 2000 is administered by the Gene Technology Regulator, and is responsible for identifying and managing risks associated with genetically modified organisms (GMOs). DURC involving modification of pathogens falls under this legislation, and with proper regulation and compliance, DURC risks may be mitigated or at least reduced, particularly in accredited facilities. The Australian National Regulatory System for Gene Technology extends to Do-It-Yourself Biological Research (DIY-Bio), however the effectiveness of administration and enforcement of legislation beyond registered and accredited facilities or individuals remains to be seen. While the legislation may be challenging to administer on a widespread basis, particularly in relation to individuals, it signals the acknowledgment of a significant biosecurity issue at a policy level. Similarly, the Defence Trade Controls Amendment Bill 2015 was introduced under the Defence Trade Control Act 2012 to regulate export of technology and knowledge derived from the scientific and research industries as well as Dual-use industries. The Bill now includes restriction of publications of technology or technologies which may be used for military purposes (as per the DSGL), and specifies that a permit be required for publication where the document or data will be in the public domain. Essentially, the amendment includes the export or publication of knowledge and not just the physical export of materials, goods or technology. A permit is required to supply both controlled military technology as well as controlled dual-use technology, however publication of technology requires approval from the Minister for Defence only for controlled military technology, not for the publication of controlled dual-use technology. Therefore, publication of dual-use research of biological agents or toxins would not currently require authorisation by the Department of Defence. Even if publication or ‘export’ of Dual-Use knowledge was restricted, the mechanics of monitoring, investigation and enforcement would be almost impossible. In a perfect world, all DURC and associated publications would be compliant with relevant legislation and fit within a moral, ethical and risk-free model of scientific conduct however this is simply unrealistic as legislative frameworks cannot possibly regulate free thought – scientific or not. By no means is this a criticism of the Government in its attempt to reign in and mitigate potential adverse outcomes of DURC, rather acknowledgement that scientific advancement is beyond the control of not only the Australian Government, but governments world-wide. The horse has bolted. Global biosecurity issues resulting from scientific research and development of all disciplines under the biological sciences umbrella are well understood within the Life Sciences domain, however it may be time to thrust the issue under the spotlight for consultation with a wider audience. The potential adverse effects of DURC may reach into every corner of the globe. As such, the responsibility of addressing Dual-Use issues rests with all of humanity, not just policy makers and scientists alike.

Australian Security Magazine | 43

National Security

COVER

FEATURE

Biological agents, the almost forgotten but enduring threat to national security By Aaron Waddell

44 | Australian Security Magazine

ith the media, social commentators and the Australian Government in constant overt discussions over the cyber threat to Australia, a long and persistent threat appears to have been largely forgotten. Thus the biological threat in Australia of the early to mid 2000s has largely faded into political and public obscurity but for a handful of security services that monitor and attend incidents. Certainly, whilst a cyber attack would have severe consequences, a biological incident real or hoax will have many crippling consequences. This threat is ever-present and still occurs with the latest incident on 25 August 2017 against the Australian Christian Lobby (ACL) that caused the Canberra mail sorting centre to cease work and evacuate; but it was scarcely reported (Sibthorpe & Pianegonda 2017). As a method of battle, biological warfare has been a tool of war for hundreds of years and has involved complicated state research and simple testing programs to ensure effective use against an adversary. This method of warfare was reportedly first used in the 14th century at Caffa; an act credited as the start of the ‘Black Death’ that devastated Europe, the Near East, and North Africa. The ‘Black Death’ is considered the greatest health disaster in recorded history (Wheelis 2002:971). Centuries later, World War I saw Germany attempting to destroy adversary capability by contaminating animal feed using biological agents. World War

II saw more die as the Imperial Japanese Army (IJA) released biological agents in China (Frischknecht 2003). Since those historical events, biological threats continue in all parts of the world and shows that state and non state actors have long understood the deadly effectiveness of biological weapons well before and now into the 21st century (Riedel 2004). Biological weapons, when correctly deployed, create significant problems for public health systems by challenging their ability to limit casualties and control damage to cities (Kortepeter and Parker 1999). The danger of biological weapons arises from the agents’ ability to rapidly spread to produce disease with a high mortality and morbidity. It has been argued that health is linked to state security and national economics (Feldbaum and Michaud 2010). Therefore, biological weapons can significantly contribute to weaker state capacity and state destabilisation, thus constituting a threat to national security. To ensure global survivability, the international community has invested significant effort in preventing biological weapon use. Although a lethal and complicated method of warfare, known agent biological attacks can be easily contained and limited in nature as some biological agents are self-terminating (Block 2001). As such, this paper seeks to present that biological weapons are an enduring threat to national security and not a passing or past threat that can be taken lightly. The paper includes six sections and starts with a review of the definition

National Securiy

research events and attacks have been

substances processed in a synthetic way that cause biological processes such as neuroparalyzing gas (Repez 2012:14). Biological weapons can be used for political assassinations, infection of livestock or agricultural produce to cause food shortage and economic loss. It can also create environmental catastrophes, and create widespread illness, fear and mistrust among the public (UNOG 2014). The Ebola crisis of 2014 caused ravage in West Africa and also caused serious concern in Australia and the US. In short, general fears were raised, society concern was widespread.

recorded more frequently."

Biological weapons evolution in the 21st Century

of national security and biological weapons before reviewing the development and use of the weapons over time. The paper continues with a review of evolutions of biological armaments in the 21st Century and prospects for containing biological weapon proliferation to establish the argument that biological weapons present threats to national security. Definition of national security and biological weapons Before advancing this paper, it is important to describe ‘security’ and ‘national security’ as well as defining the term ‘biological weapons’. Traditionally, security conveys an image of uniformed elements dealing with an identified threat. However contemporarily, the term ‘security’ is fluid and has been the subject of countless definitions, proposals for redefinition and numerous attempts to broaden its scope or defend its boundaries (Buzan 1998:221-223). Health security is a definition that considers health risks, many of which are caused by infectious diseases that create the threat and determine the response required for containment (Rushton 2011). Therefore ‘security’ now encompasses nontraditional issues such as the burden of disease, in this case by deliberately released biological agents. National security has always been a very elastic concept that reflected time, circumstance, threat and risks created by an ever changing world (L’Estrange 2010). The concept was once only about protecting against invasion and ensuring that society was balanced and harmonised via social services and internal security services such as police. As the nature of threats changed, the term ‘national security’ now puts significant weight on internal national wellbeing. It considers both internal and external threats, and includes all risks that confront a country; this could be a pandemic, major social problem, or terrorism (AI Group 2006). Biological weapons are systems that disseminate diseasecausing organisms or toxins that harm or kill people, animals or plants. They generally consist of two parts; a weaponised biological agent and a delivery mechanism such as a missile, bomb, grenade or spray-tank fitted to aircraft, vehicle or vessel (UNOG 2014). Biological weapons can be classified as: low technological, meaning they use common pathogens for water and food contamination or high technological, for dispersal of pathogens on large areas, usually in the form of aerosol. Finally they also include bio-scientific technology weapons. Biological weapons can be divided into three main groups: microorganism (such as bacteria and viruses pathogens); substances obtained by laboratory work (such as botulinum toxins, hormones and neuropeptides) and

Over the years, advancements in biotechnology and biochemistry have simplified the development and production of biological weapons. This simplicity and the availability of biological agents coupled with a more advanced global technological ability have led to a greater proliferation of biological weapons and an increased desire by some countries to possess them. In addition to concerns that biological weapons could be further developed or used by states, recent technological advancements of the 21st century has seen these weapons part of the arsenal and produced by non-state actors. Biological weapons could be easily produced, hidden or transported with relatively low costs due to the availability of equipment and biological materials as well as information about pathogens (Repez 2012:16). Therefore, terrorists can make biological weapons discreetly with little effort and minimal cost and can use simple mechanisms such as pen caps or paper for disseminating the biological agents. For instance, in 2001 anthrax laced letters were the source of the infection of US postal workers in New Jersey and Washington DC. This bioterrorism attack resulted in four fatalities due to inhalation of anthrax and led to another 32,000 people taking antibiotic prophylaxis to prevent an anthrax infection (Dire 2014). Now with genetic engineering advancements and the growing accessibility of DNA synthesis, computational power and widespread information distribution, biological weapons are safer to handle and propagate, thus causing more spectacular events and higher mortality rates (Foley 2013). Furthermore, as genetic engineering progresses, there are increased concerns that an aggressor is likely to try to first generate agents that have been weaponised before commencing an offensive program. Thus biological agents developed mid 20th century, such as anthrax, botulinum toxin, tularaemia are likely be the agents of choice (Elizabeth and Menezes 2013). It is estimated that releasing 50kg of aerosolized anthrax along a two kilometre line upwind of a population centre of half a million people could kill 9500 people and incapacitate another 125000 (Riedel 2004). This is a major concern for any country. As new techniques such as: binary biological weapons, gene therapy, designer diseases and personalised biological weapons are improved, so too is the lethality of biological warfare. It is also conceivable that in the near future a pathogen that can target a specific person’s genome may also be produced. Such personalised pathogens may spread through a population with minimal or no symptoms, but would be fatal for the intended targets (Foley 2013). This revolution in biotechnology and genetic engineering can >>

“Regardless of possible consequences, many states continue with research on possible offensive use of biological weapons. Now, bioterrorism

Australian Security Magazine | 45

National Security

therefore be considered a potential revolution for renewed biological warfare (Ainscough 2002).

against the threat of biological weapons from both state and now non-state actors (Warns 2011).

Biological weapons, a present threat to national security

Conclusion

History has shown that biological weapons can create widespread disease in a very short period of time. Therefore, disease coupled with wars, natural disasters or extreme economic hardship can cause a breakdown or significant strain to a state’s healthcare system. Consequently, further economic decay, social fragmentation and political destabilisation will accelerate and a complicated problem will ensue more quickly (Fonkwo 2008). As weaponised biological agents multiply quickly in an affected population, this in turn is transmitted to individuals not directly affected by the weaponry, it continues in this fashion until a society is almost completely incapacitated and defenceless. To ensure survivability, containment measures for stopping dissemination requires extensive efforts, resolve and technology for immediate identification of a biological attack (Cenciarelli et all 2013:125). This requirement may overstretch the national medical resources. Biological weapons are unique as the ‘actual weapon’ is invisible and can have delayed effects. These factors allow those who use them to create fear and confusion in a target population as a main objective of biological weapons is fear and confusion. This fear, without discrimination of target demoralises the population thus weakening resolve and ability to function efficiently. As such, in addition to causing sickness and death in a large number of victims, biological weapons also create panic and paralysing uncertainty, disruption of social and economic activities, therefore the breakdown of government authority and the impairment of a military response (Repez 2012:17). The threat from biological weapons is therefore considered to be the most alarming perspective for national security. A combined biological and cyber attack is a more complicated threat with greater wide reaching consequences, but that is not within the scope of this paper and worthy of a dedicated paper in itself. As illustrated in this paper, biological warfare attacks have always been a danger and bioterrorism is a present, constant and serious threat. The US government has mentioned the efforts of terrorist networks, such as al Qaida, recruiting scientists capable of creating biological weapons as a national security issue (Warns 2011). Russia, China, North Korea, Iraq, Iran, Syria, India, Libya and Pakistan all actively maintain various levels of offensive biological warfare capabilities and research facilities (Ainscough 2002:265). Also since 2014, the IS has reportedly been investigating weaponising agents like the plague for use in their military campaign (Harris, 2014), very is known about this activity. Also, the International Committee of the Red Cross has recognised the real risks of new biotechnologies including synthetic biology being misused and emphasized the need to achieve universal adherence to and implementation of the Biological Weapons Convention (ICRC 2013). It is no doubt that the threat from biological weapons is currently a global concern and all countries need to be united in the quest

46 | Australian Security Magazine

As presented, biological weapons are not new to warfare. Biological weapons originated long ago, but remain an enduring threat to our present national security and general societal wellbeing. Scientific evolution as well as the development and use of biological weapons have become more sophisticated. Now poisoning water and food has been replaced by genetic engineered pathogens that have a widespread and more devastating effect. Also now ‘white power’ incidents, real or not also significantly impact our society. The latest innovations of 21st Century biotechnology have also provided the knowledge to create more aggressive and virulent biological weapons. This causes great concerns as such weapons can produce devastating and unexpected effects higher than the most dangerous naturally occurring biological agent. In addition, the rapid increase in computational power along with accessibility of genetic information and biological tools to the public now sees the threat of biological warfare possibly coming not only from nation states but now most likely from non-state actors. The 1899 Hague Conference, the 1925 Geneva Protocol and the 1972 Biological Weapons Conventions have attempted to prevent and control biological warfare. So far success has only been partial and so the effectiveness of these conventions is questionable as member states are still involved in biological warfare programs or research. A combined efforts and strong commitment by all is needed to contain biological weapons proliferation. If not, spill and use by terrorist or criminal groups is a very real probability. But, all is not so tragic; today’s technological innovations have also led to the development of biological technology that could also be used as a defence against biological attacks. These new techniques can help detect biological agents so that a state may take immediate action in the event of either intentional or unintentional biological agent release. Regardless of possible consequences, many states continue with research on possible offensive use of biological weapons. Now, bioterrorism research events and attacks have been recorded more frequently. Therefore the threat from biological attacks, both real and hoax is more plausible than ever and is now the silent but most damaging threat to Australia, particularly if combined with another threat action. In the meanwhile, we as a government and society get distracted by other issues and this threat has almost been forgotten by many. About the Author Aaron Waddell has been employed in the security environment in the Australian Department of Defence for over 25 years. He is a graduate of the Australian National University holding a Master of National Security Policy (with Merit). Presently he is completing a Master of Philosophy at University of NSW (ADFA). His ongoing academic interests are regional security matters, military matters and history with his main focus being on Vietnam and China.

Cyber Security

Available online!

000032

Post

ed PP1

Approv

See our website for details

ATE

w | w

u w.a

sec

urity

THE

COU

NTR Y’S

gazi

ne.c

.au

arch

Feb/M

2017

t a jus it trali Aus ’t hack n ca

URIT

SEC

AND

ENT

VER

R RPO

E AZIN

n ralia

LEAD

ING

| w ww.a us

tralia

Post

DIN

LEA

o m Com s single state

INC.

e.co

May 20

Te fundinrrorism g law s Digit aga al War Islam inst the ic Sta te

gy holo a Psyc rviving u for s nt attack viole

Get each print issue per year for only $88.00

2017 orld ol W ecurity Interp Cyber s s | view nect and re t ven Con nal e ines Regio| Philipp re gapo

Sin ek in

r we

Cybe

GST

1 YEAR SUBSCRIPTION TO THE AUSTRALIAN SECURITY MAGAZINE

ed unifi your : Three ring s Secu nication erations id mu com key cons

GST

INC.

03227

m.au

April/

T hoekr uch m m gy – RecCByobnolo

d lia? fe an A sa re Austra secu

$8.95

PP1000

f war

o rity: gnition & Facial secu r Video en in Senio Wom habab, rcher, Analytics b hin S esea Nous ecurity R ersky La S Kasp

INC. GST

$8.95

azin

urity r sec e US Cybe ets in th PL s ra s a of nected e &A, Drone con ick TQearr d r u Q te s, n o...rism in rity ime, evcieuw ore re S eTcehcT

VIEW L -RE els ECcIAuss Ctrhaalinann u rSitPy fo s ac’ a ly u u a c A e n rity ltCha & - M G’s s COA onwea Fourtu‘smecu COU

$8.95

mag

ren o

RNM

g the akin n 61: T o DATA n’s lead h o Nati r researc cybe

urity

Child

ep 20

Y’S NTR

nsec

000032

d PP1

Approve

Aug/S

THE

roved

E GOV

Post App

GOVE

NMEN T AN RSA D CO ps RPO U Edito Conferen l sRteATE SEaC CO tica g U ce 20 r's R THE eview Prac buildin ient RITY MAGAZIN 1 r E - PAR 7 il o T 2 f ber res prise Cybe y r ks: c r c e c t In a n t suran e Time at traffi le c to e– sta conv Vehicminute t ersati rt the on Ten loymen ya ivac dep Is pr t cause s lo C ri sis NY ese eist - Com Manage H Chin - Use municati ment Foc The k Cyber us r Driv o .au Ban role en Plan com ine. The yber nning agaz uritym nsec of c nce alia ustr .a w sura ww e E | the IT in to b Modern AZIN re kes ating MAG Secu isCin ITY Rg avig the futu it ta ity y N t ri o E U S a u ty f E r Wh art c eo ORAT Strate ORP gy scap DC a sm T AN land ING

EAD

L Y’S NTR

SUBSCRIBE TODAY... DON’T MISS AN ISSUE Yes! I wish to subscribe to the Australian Security Magazine, (1 year). ☐

AUSTRALIA

88.00

(inc GST)

1 YEAR

☐

INTERNATIONAL

158.00

(inc GST)

1 YEAR

Yes! As an additional bonus I wish to receive direct to my inbox the Asia Pacific Security Magazine (emag)

No business or government organisation survives in a vacuum. Sharing knowledge is fundamental to the development of successful security planning and implementation. That is the role of our magazine: sharing knowledge of developments in security management for public and private sector organisations, both for internal management and for external obligations in public safety and security.

Go to

www.australiansecuritymagazine.com.au/subscribe and fill in our subscription form online. Dont miss an issue! Phone: +61 (8) 6465 4732 during business hours AWST (Australia Only)

PRIORITY FAX Credit Card Details Australia +61 (8) 9467 9155

FREE POST My Security Media 286 Alexander Drive, Dianella. W.A. 6059

Email subscriptions@mysecurity.com.au

GST This document will become a TAX INVOICE for GST when payment is made. My Security Media Pty Ltd ABN 54 145 849 056

TechTime - latest news and products

To have your company news or latest products featured in our TechTime section, please email promoteme@australiansecuritymagazine.com.au