The Director-General of the Australian Signals Directorate, Mike Burgess, has unloaded on technology hype mongers, warning IT security practitioners and businesses they need to think in one- and five-year cycles rather than “just the next product or service you will buy”.
In a frank and direct speech delivered to the SINET61 conference in Melbourne, Australia’s chief cyber spook bluntly cautioned that those charged with upholding cybersecurity should not be dazzled by shiny new concepts.
Instead they should maintain a relentless focus on hygiene and knowing “what is important to your business and your customers.”
“Don’t get caught up in the hype and excitement in this technology-enabled world. AI is a great example of this – peak hype comes to mind,” Burgess said.
Burgess’ comments set the stage for what is quickly shaping up to be a tangibly more public stance by the hybrid cybersecurity watchdog and military intelligence agency that is charged with both defending Australia’s national assets and gleaning secrets from those outside.
“Our motto is 'Reveal their secrets, Protect our own' and in the words of ASD’s values, we operate in the slim area between the difficult and the impossible,” Burgess said.
It’s a laudable mission statement, albeit somewhat fettered by the limited availability of exceptionally talented people willing to forgo handsome bank and finserv level salaries.
Then there’s the hurdle of passing some of the toughest security vetting the Australian government can create.
On that level, Burgess delivered a firm reality check about where ASD is headed and how it intends to get there.
Put simply, ASD is now tub-thumping the incentive to join its ranks as not only an elite cyber badge, but an opportunity to make a tangible difference to defending the nation’s interests, even though you can never talk publicly about it.
“Gaining the ability to flexibly recruit, train and retain our specialist staff is one of the major reasons why ASD became a statutory agency on 1 July,” Burgess said.
“The culture comes from the kind of people we seek to employ and retain,” Burgess said.
“Some of the best and brightest across several generations, from all walks of life, not just engineers - including a large chunk of frighteningly clever millennials,” the ASD chief added.
In the bluntest terms, this means ASD can, and will, now legally compete for talent outside the Australian Public Service’s often limiting pay bands and merit selection criteria in the same way as specialist agencies like ASIC that need people with real-world financial services skills.
Burgess also spelled out where ASD intends to put its skills to use. His nuanced prognosis of the cybersecurity landscape appears to be that it’s headed more towards an active battlespace, rather than a fortress, at least in resilience terms.
It’s less about being able to duck and weave around assailants (though that’s a highly desirable attribute) than about organisations staying on their feet and in the ring.
“For the last 10 years, the security world has been focused on dealing with the problem of wholesale theft of data. As the full potential of technology, connectivity and software are further realised, I think it is time we turn our mind to integrity and availability,” Burgess said.
“The successful identification and management of cyber-security risk across the community, businesses and governments is critically important.”
Burgess also spoke directly to the broadened mission of ASD as encapsulated by its absorption of the Australian Cyber Security Centre and CERT Australia which he said would increase “collective potential” but result in a visible “change of emphasis and greater engagement.”
Changes to the Intelligence Services Act, “the Act that governs ASD,” Burgess said, had introduced two key changes:
- “firstly, ASD’s advice and proactive assistance remit on cyber security is now expanded to include the community, business and governments, and
- secondly, a new function to prevent and disrupt serious cyber-enabled crime.”
He added that within the “whole nation focus” there was also an important “new function to prevent and disrupt serious cyber-enabled crime” before adding a definition.
“In this regard, cyber-enabled crime will include:
- pure play cybercrime – that is hacking for a criminal purpose - I’d also include nation-state actors in this, and
- cyber-enabled serious crime,” Burgess said.
Ever the realist, Burgess also debunked the idea that addressing cyber risk was beyond the reach of everyday people, despite the hype.
“We are all dependent on technology and connectivity and there are few people who actually understand how it all works,” Burgess said.
“However, managing this risk isn’t rocket science.”