CYBER CONNECTIONS FOR A STRONGER NEW SOUTH WALES - EVENT REPORT - NSW ...
CONTENTS
• Contents
• Executive Summary
• Todd Williams Opening Remarks
• Summary of University Presentations
• Summary of Industry Presentations
• Summary of Start-up Presentations
• Summary of Government Presentations
• Summary of Panel Discussion
• Review of Workshops
• Wrap-up

Executive Summary:
Cyber Connections for a Stronger NSW was a roundtable hosted by the NSW Cyber Security Network on the morning of Tuesday the 18th September. It brought together key stakeholders to start the discussion about developing a robust cyber security ecosystem in New South Wales. Universities, government services, utilities, businesses, and small/medium enterprises were represented.

Universities pitched the variety of research and development projects they had for cyber security to demonstrate the collaboration opportunities for stakeholders in the ecosystem. While there were common areas such as blockchain and IoT, each university presented a unique focus and expertise. For example, the University of Wollongong demonstrated considerable experience in cryptography, while the University of Western Sydney showcased its multidisciplinary approach featuring psychology.

Government and industry presented their current cyber security challenges, in which people remain one of the largest and most common. However, there were specific issues for different verticals. Hunter Water shared insights into how challenging it is to manage a network of remotely located vulnerable infrastructure, while nib discussed the complexity of handling sensitive medical data and preventing mismanagement. Government and industry also highlighted the need for immediate solutions to current issues rather than long-term research.

A panel of industry, government, and non-government representatives highlighted some specific aspirations for cyber security in NSW: specifically, education, outreach, and diversification in the ecosystem.

The key insight to draw from the roundtable is the need for compromise and hustle. Universities need to recognise that they need to offer immediate solutions (technical or not) to current problems to engage industry and government. Industry and government need to recognise the value in investing in and contributing to the long-term research which universities are conducting. This allows them to have solutions ready for some of the problems of tomorrow. Continually effective collaboration is not going to happen without effort from all stakeholders to interact and contribute. Hustle should not be expected from them alone: the NSW Cyber Security Network needs to continue to create events for these opportunities to develop.

The final session for the day was three workshops in the areas of policy, current threats, and future threats. These workshops found a variety of challenges and opportunities in each area. The NSW Cyber Security Network would like to invite stakeholders to consider what was discussed in these workshops alongside what each other stakeholder presented. With that considered, the Network would like to lay down the challenge for stakeholders to envisage solutions and start the conversation with other stakeholders for collaborative opportunities to forge a stronger ecosystem.
Todd Williams Opening Remarks:
Todd Williams, the Director of the NSW Cyber Security Network, opened the roundtable with a short talk on the different stakeholders present and the purpose of the roundtable.

Todd Williams – Director, NSW Cyber Security Network

• Three key groups for the NSW cyber security ecosystem were present: Universities, the Private Sector, and Government.
• The key for today is defining what the current and future cyber security issues and capabilities are in NSW and how we can work together to solve them.
• The three key groups need to work together to build connections, opportunities, and solutions.
Summary of University Presentations:
The seven NSW Cyber Security Network universities pitched their current cyber security research and projects. A summary of each is listed below:

1. University of Sydney
Dr Suranga Seneviratne – Lecturer in Security, School of Information Technologies at the University of Sydney

Suranga Seneviratne from the University of Sydney (USYD) started the presentations and detailed their various projects and collaborations:
• USYD has key capabilities in the three areas of Empirical Security, Network Intelligence, and Systems & Solutions.
• These capabilities have applications in defence, IT infrastructure, health, and smart cities.
• USYD has signature projects in DeepContent, Blockchain (RedBelly), Visual Analytics, and the well-known Soufflé Project.

2. University of Western Sydney
Dr Alana Maurushat – Professor in Cyber Security and Behaviour, Western Sydney University, Dean’s Unit, School of Social Sciences and Psychology

Alana Maurushat from Western Sydney University (WSU) highlighted the university’s multidisciplinary approach, which addresses some of the more strategic challenges in cyber security:
• WSU covers a variety of areas including psychology, law and policy, artificial intelligence, network security, industry standards, and trust and governance.
• This provides the opportunity to cover not only the technical challenges but also the more human-centric ones, such as privacy by design, social engineering, and data governance.
• WSU also uses collaboration with other universities and organisations to develop their expertise and understanding.
3. Macquarie University
Associate Professor Christophe Doche, Executive Director of the Optus Macquarie University Cyber Security Hub

Christophe Doche from Macquarie University (MQ) detailed the university’s work with industry as part of the Optus-Macquarie University Cyber Security Hub:
• MQ has a multidisciplinary research approach with a focus on privacy, secure and reliable systems, human-centric security, cyber physical systems, and risk modelling.
• MQ has had success in a collaborative research project with Data61, Optus, and Data Republic on Privacy Preserving Data Sharing Technologies relying on differential privacy.
• MQ has found that communication skills (including good listening) and world class research were the keys to success.

4. University of Technology Sydney
Professor Ren Ping Liu, Head of Discipline of Network and Cyber Security in the School of Electrical and Data Engineering at the University of Technology Sydney

Ren Ping Liu from the University of Technology Sydney (UTS) presented on their blockchain and IoT research and projects in cyber security:
• UTS is working with Ultimo Digital Technologies to create IoT and blockchain based supply chain monitoring and security.
• Blockchain is also being used in the development of secure data and certified information applications.
• A key point from UTS was the balance between ensuring trust and protecting privacy.
5. University of Newcastle
Professor Vijay Varadharajan, Global Innovation Chair in Cyber Security, Faculty of Engineering and Built Environment at University of Newcastle

Vijay Varadharajan from the University of Newcastle (UoN), while pitching its capabilities, emphasised their trust and engagement with industry and government:
• UoN conducts work on large scale data systems, IoT and cyber-physical systems, and Cloud Services/Infrastructure, as well as the intersections between these areas.
• UoN has several research areas and research projects including Adversarial Machine Learning and security/trust in autonomous systems.
• UoN also understands the distinction and demand between research and a product.

6. University of New South Wales
Professor Maurice Pagnucco, Deputy Dean (Education), Engineering and the Head of the School of Computer Science and Engineering at the University of New South Wales

Maurice Pagnucco from the University of New South Wales (UNSW) outlined their approach to research in cyber security across the three faculties of Business, Engineering (including telecommunications, computer science, and electrical), and Law:
• UNSW has expertise in cyber security in a variety of areas including, but not limited to, artificial intelligence, machine learning, and networks.
• UNSW has had significant success in the L4 microkernel project, which has made them “World leaders in application of formal methods to systems”.
• UNSW is also currently working on projects including secure UAVs with DARPA, secure hardware for Cannon, and E-voting analysis for the NSW Electoral Commission.
7. University of Wollongong
Professor Willy Susilo, Director of Institute of Cyber Security and Cryptology, School of Computing and Information Technology, University of Wollongong

Willy Susilo from the University of Wollongong (UoW) finished the university presentations by showcasing the cryptographic capabilities of the university:
• UoW has strong cryptography and post-quantum research capabilities, including recognition from the US National Institute of Standards and Technology (NIST) and submissions to the post-quantum cryptography standard.
• A key example of effective collaboration was their work with an Air Force company testing security software for mission critical infrastructure.
• The key takeaways for that success were the efforts in communication, collaboration, and using the joint expertise of academia and industry.
Summary of Industry Presentations:
Having heard universities pitch what they could offer for research and their areas of speciality, it was the turn of industry and government to present on the current challenges they were facing.

Hunter Water
Richard Harris, Chief Information and Technology Officer, Hunter Water

Richard Harris from Hunter Water opened the presentations, giving some very real and valuable insight into the challenges facing a water supplier:
• Hunter Water handles lots of detailed and interesting data as part of their day to day operation.
• They have a large scope of vulnerability, with remote sites not even afforded the benefit of passive security. They contend with the use of legacy and emerging Information and Operational Technology while digitally expanding. This results in a very large scope to manage.
• Despite this, the core issue remains how to handle and manage people. People remain the most significant cause of vulnerability, due to factors like poor security awareness and education.
• For this reason, Hunter Water takes the philosophy of not trusting any of their infrastructure, and assuming that they are already compromised, as they likely are.
• Richard very specifically noted that while research might deliver a solution to something 5 years from now, the reality is that those solutions are needed now.
• On top of that, it is already a time-consuming duty to oversee Hunter Water, so there isn’t the luxury of drawn-out conversations. Something which can be negotiated and executed without compromising the time Hunter Water must spend managing already existing security issues is essential.
nib
Wayne Bozza, Head of Cyber Security IT Governance and Risk, nib

Wayne Bozza from nib spoke on the challenges of being a health insurance company managing what is arguably some of the most sensitive information:
• The reality for nib is that it operates in the health sector, which is the most vulnerable to data breaches. nib has to manage medical data, which is considered the crown jewels. This covers a variety of data types and is vulnerable to mismanagement – intentional or not.
• The variety of compliance regimes and regulators like APRA, OAIC, and GDPR which nib is accountable to means there is constant scrutiny.
• Attackers are not only growing more sophisticated but use areas of innovation such as automation to increase their capabilities and ultimately the threat they present.
• There are opportunities to provide a better service and offering to customers which nib would like to provide. In order to do this, they need a strong cyber security approach for their data, compliance, and the capability to significantly reduce the likelihood of compromise of that data.
Commonwealth Bank of Australia
John Hare, Head of Cyber Outreach, Commonwealth Bank of Australia

John Hare from the Commonwealth Bank of Australia shared his insights from consulting 3 internal teams about what the current cyber security challenges were:
• The Reporting Team stated that effective board reporting was the current challenge: translating threat from the technical to the non-technical while also adjusting to changing trends such as an evolving threat environment and quantifying risks.
• The Cyber Innovation and Emergency Tech Team stated that their challenge was developing ways to prevent and detect insider attacks. They highlighted the difficulties in finding indicators of those who are likely to conduct an insider attack, despite the large number of data breaches attributable to insiders.
• The Detection and Response Team cited the difficulties in detecting and responding to data leakage and loss. Existing solutions produce too much noise, don’t scale, and produce friction for staff trying to undertake their usual duties. There is a need for a solution which provides better reporting and less friction while accounting for the increased variety and vulnerability of data.
Cisco Systems
Simon Finn, Security Architect, Cisco Systems

Simon Finn from Cisco presented on some of the new challenges in cyber security and how Cisco is approaching them:
• New security challenges specific to IoT have emerged: scale, impact, new business models, and device constraints.
• IoT currently lacks transparency, as well as suffering from weak solutions and implementation. This means that where it is used it is a significant source of vulnerability.
• Cisco has identified the need for building transparency and trust. This means making IoT itself more technically secure, and providing transparency for IoT device composition, capabilities, and the implementation of solutions.
• There is a need to utilise IoT standards/trust labelling to demonstrate that IoT works beyond minimum standards. So, consider engaging organisations like the IoT Alliance Australia and the Charter of Trust. This can allow for trust building beyond what is the minimum.
IMB
Noel Knox, Manager, IT Architecture and Security

Noel Knox from IMB provided a good wrap-up to the first round of government and industry presenters and noted:
• Many of the presenters today have already covered the challenges which we are already contending with, so these are challenges shared by more than those in the room.
• There is also a problem that people still think cyber security is an IT problem. It has come into its own domain, where there is a need not only for technical controls and simply fixing what is broken, but for buy-in from management and policy controls.
• Fostering ‘human firewalls’ can help mitigate many of the simple and potentially costly attacks which entities face. It is not only the IT or cyber security team which needs to be aware of vulnerabilities and potential attacks, but the whole of an organisation.
Summary of Start-up Presentations:
Two start-ups presented on what they were working on and what they needed in cyber security to maintain their success:

Airsight UAV
Ashley Cox, Chief Operating Officer, Airsight UAV

Airsight UAV specialises in drones, AI, and IoT. Ashley Cox presented on what concerned them:
• Ultimately for start-ups the first concern is managing costs and paying the bills; everything else comes second. Cyber security solutions need to be aware of this.
• Everything physical that Airsight uses has a ‘digital twin’, so there is a demand for an effective and reliable solution.
• They need a set of protocols that can simultaneously assure clients that their data is safe and not inhibit innovation. These need to be tested, cost effective to implement and use, and proportionate to the risk.
AgriMilk
Tim Williams, Director, Agrimilk

Tim Williams from AgriMilk Consulting outlined some of their challenges:
• Areas of security for Agrimilk include in-house systems, data collection/cloud transfer & hosting from clients, intellectual property collection, and client protection/confidentiality.
• It’s important for Agrimilk and other innovation start-ups to develop and retain strong cyber security with the shift to automation and the 4th industrial revolution.
• Agrimilk already interacts with multiple businesses and industries, so they have multiple stakeholders to hold themselves accountable to and challenges to tackle in: Farming, AgBusiness/AgTech, Venture Capital, and Tech.
Summary of Government Presentations:
To round up the presentations, two government entities reported on the challenges which they were currently facing.

Fire and Rescue New South Wales
Asaf Ahmad, Chief Information Security Officer, Fire and Rescue New South Wales

Asaf Ahmad from Fire and Rescue NSW outlined some of the specific challenges to the organisation:
• Fire and Rescue NSW has a lot of responsibilities and scale due to the wide variety of areas of responsibility, which extend beyond responding to fires. They are working with the NSW Digital Government Strategy – 2018, which emphasises a secure, integrated and responsive system as a minimum.
• Their network extends into a variety of functions including training, restoring, despatching, incident management, portable interfaces, finance and asset management. Thankfully, the NSW fire service keeps its Corporate and 000 networks separate, but an impact on either creates a variety of issues which translate to more than just loss of business.
• The key current challenges for the service are in capability, maturity, blending security/information/data architecture, culture, and security posture.
• The current key threats of prominence are user awareness, protecting sensitive information, and incident detection & response. An example of this is the information leak regarding the Tathra fire controversy.
• Fire and Rescue NSW would also like to develop their detection and response capabilities but have limitations in skilled resources and budgets.
• They are also open to collaboration with universities and business but have limitations in policies and schedules.
New South Wales Pathology
James Patterson, Chief Information Officer, NSW Pathology

James Patterson from NSW Pathology spoke on how the cyber security environment was changing and some of the new challenges which they were experiencing:
• Two significant disruptions to how NSW Pathology operates are digital specimens and data retention legislation. The detail and variety of data which they manage has increased, as has the period for which they retain that data.
• There are also opportunities in the quantification, patterns, clinical relevancy, and genomics of that data, which means it is more valuable. This also means it is more important to manage and protect this data.
• NSW Pathology has a diverse operating environment with at least 7 different systems, emulated Alphas, operational technology (OT), and legacy systems.
• James noted that despite this they are ASD certified and use cloud services which are more secure than their internal network.
• Two significant attacks that NSW Pathology has had to contend with are the WannaCry ransomware and spear phishing.
Panel Discussion Summary:
Left to right: Louise Chappell, Director, Australian Human Rights Institute; Brian Williams, National Security and Solutions Manager, NEC; Richard Harris, Chief Information and Technology Officer, Hunter Water

A panel of Louise Chappell, Brian Williams, and Richard Harris discussed the current needs for the development of cyber security in NSW:
• Education in cyber security that extends from schooling to the workforce, so that both people and entities in New South Wales can be more resilient to threats. People need to be more informed on the basic issues such as privacy, password security, and the unfair ways in which malicious actors may try to exploit them.
• A development of outreach, communication, and community in the NSW cyber security ecosystem. While there are many meetups and notable initiatives which engage the technical end of the workforce, a more open-ended newsletter available to all to inform of strategic issues would be a valuable investment.
• Diversification in the skillsets and expertise backgrounds contributing to cyber security in NSW. We need psychologists to develop effective strategies for managing people, sociologists to maintain ethical standards, and a workforce who can communicate how important cyber security is. Diversification can also mitigate the complacency that can lead towards significant cyber security issues.

The panellists also presented what their single biggest wish in cyber security is:
• For young people to understand risk and consequence in the context of social media, where careless sharing of information can have very real impacts.
• For employers to be more committed to investing in the cyber security capability of their staff at all levels.
• For cyberbullying to no longer be an issue, and for the most likely cyberbullies to not be so-called ‘friends’ of the victim.
Summary of Workshops:
As a final session for the roundtable, workshops in three different areas were held to identify opportunities and issues.

Policy
The Policy Workshop found:
• There is a need to move education in cyber security to a new model. It is not acting as an effective mitigator against phishing and other manipulation attacks. The use of better simulations may help in this education process.
• Reducing business disruption and ensuring a ‘frictionless business experience’ in both the ongoing implementation of cyber security and incident response is important.
• Policy makers will have to balance between using data for benefit/insights and the responsibility to secure it. In addition, there needs to be accountability when the failure of a cloud service provider can ‘wipe out’ businesses.
• The ‘trust tightrope’ of transparency and privacy will be an ongoing issue. Both transparency and privacy are essential for an entity, but how can they ensure that what they do reveal won’t be manipulated, and how do regulators ensure compliance with privacy?
• Policy makers need to compensate for the ongoing vulnerability of technologies and the limitations of individuals in detecting and responding to threats.
• There needs to be a developed understanding of what the restraints of policy are under Australian legislation and how future legislation can be influenced for a better outcome.
• There needs to be greater ownership of cyber security at the board level to ensure the commitment and resilience of entities.
• If the government wants strong cyber security, then it needs to focus on legislation which advocates it and supports the industry.
Current Threats and Solutions
The Workshop on Current Threats and Solutions discussed:
• There is a need to question whether policy is currently appropriate or is currently facilitating vulnerability. Certain sectors are asking for more detailed and rigorous regulation to comply with; does this indicate an issue of under-regulation?
• In addition, is government legislation in privacy and encryption undermining resilience?
• The skills shortage is a current issue. It is relevant not only to a shortage in professionals but to general awareness and training. The user experience and how people are educated might need to change.
• The current behaviour/attitude towards cyber security. Is there an issue with a dismissal of how pertinent the challenges are?
• GDPR, while a good compliance regulation, could be compromising the ability of small and medium businesses to be resilient. It is cutting into budgets, and its insistence on machine-readable data on request means that the data is available to attackers as well.
• How data is currently handled is also an issue. Is there a way to make file sharing and emailing more secure without impacting the user experience? Could external entities help with this question?
• The security of IoT devices is a current issue, as seen in many attacks. Will infrastructure automation lead to a lack of visibility and detection?
• As seen in the presentations, the sometimes-conflicting business and security priorities mean vulnerability. This is especially relevant to small and medium businesses.
• A potential program to support was big business mentoring small businesses in cyber security.
Future Cyber Security Threats
The Future Cyber Security Threats summary:
• Individual data rights are likely to become a greater challenge in the future as entities will have more legislation like GDPR to comply with. Subject-controller relations are going to need development, as well as a test of how feasible the regime GDPR sets out is.
• Health data is going to continually become more important and difficult to keep secure, especially with the emergence of genetic testing and the MyHealth database.
• We may have to appeal to the wisdom of sociologists. Sociologists might know more about ethics and security because they have been studying security dilemmas for much longer than cyber security professionals. Cyber security is a tangled network of complication and varying ideas.
• There is a need to develop cyber security education with a consistent approach and framework to avoid growth in the knowledge and skills gap. We need to utilise different analytics and multi-disciplinary approaches.
• Access to a variety of new and scalable technologies like machine learning and Artificial Intelligence will facilitate better resilience if used correctly. They will also enhance the capabilities of attackers, so it is important we are ready to use these technologies.
• Technology can increasingly be used for privacy as well. Will this make cyber security difficult?
• How do we ensure there are appropriate trust mechanisms to mitigate sophistication in spear phishing attacks, for example in bioinformatics?
• There is going to be an authentication evolution; we need to be ready to take advantage of it and to mitigate the new varieties and styles of attacks that develop to circumvent it.

Wrapping Up:
Feedback from attendees at the NSW Cyber Security Network event points to it being a success, and it has given the Network a deeper understanding of the capabilities and challenges of the NSW ecosystem. What we need to do now is continue to foster the ecosystem and develop those relationships between industry, government, and universities to better utilise those capabilities and tackle those challenges.