“If you spend more time on coffee than on IT security, you will be hacked. What’s more, you deserve to be hacked” — Richard Clarke, former White House Cyber Security Advisor
The cash will be given to the ASD over the next decade to “disrupt foreign cyber criminals and better identify malicious hacks” by hiring more government cyber security professionals, building offensive capabilities against foreign threat actors, sharing threat intelligence with private companies, and “expand[ing] its data science and intelligence capabilities to identify emerging cyber threats to Australia over the next 10 years”.
Government IT Systems
The role of government under libertarianism is to protect citizens’ rights, protect the country, and enforce the rule of law and private contracts. In short: Get the government out of the way, as much as possible. Beautiful, isn’t it?
Clearly the government must protect itself from foreign threat actors; for instance, we cannot have hackers gaining access to military systems, which would undermine the government’s ability to protect its citizens.
Unfortunately the government’s failure to protect its own IT systems results in more bureaucracy, an expansion of powers, and more of our money being spent. In short: Government failure results in the expansion of government rather than its contraction. The result is shown below. Too many departments, too many responsibilities, and hence too much bureaucracy. And we all know about bureaucracy and efficiency…
Undoubtedly the federal and state governments would do better protecting their IT systems if the government had less involvement in private industry (e.g., MyHealthRecord), less bureaucracy, and didn’t spend so much time spying on its citizens (e.g., the Snowden revelations). Less government means a more effective government, more focused on protecting its IT systems rather than on an ever-increasing set of responsibilities. Keep it simple, stupid.
Government Co-operation with Private Companies
Governments are uniquely placed to gather intelligence information. Why? Because in the world of software vulnerabilities, unknown software exploits are scarcely used on high value targets. As soon as a vulnerability is exploited, the possibility of identifying it — and hence developing and distributing a software patch — increases. If the vulnerability is unknown, it’s difficult to identify. And who are the highest profile targets? Governments.
The vast majority of companies cannot come close to building this capability. For most companies, threat intelligence is gathered by subscribing to external companies’ or open source threat intelligence feeds. The vast majority of threat intelligence feeds are from private industry; however, government feeds do exist. The vast majority of feeds are from US organisations. The federal government runs an intelligence feed under AusCert.
As attacks have shown, foreign actors attack Australian federal, state, and local governments and private companies at the same time. Therefore, given the existence of such specific attacks against Australia — and the likelihood of such attacks using unknown software vulnerabilities — the government is in a unique position to identify and share such information with private companies, information that private companies are unlikely to obtain (at least not quickly… today’s unknown software vulnerability is tomorrow’s old news). Likewise, given the government’s monopoly on mass surveillance, the government has a unique capability that private companies simply do not — and should not — have. (And, yes, the government shouldn’t have the capability, either.)
Hence it’s reasonable for the government to be in the threat intelligence business, sharing such data with private companies. Of course the government isn’t likely to share the juiciest software vulnerabilities — if they can be kept secret — because the government is increasing its offensive capability. This is why we need private companies’ threat intelligence feeds.
For the reasons above, I’m in favour of the Morrison government’s investment in cyber security, although I suspect $1.3 billion is a bit much.
Government Funding Cyber Security Training
The government obviously funds cyber security training. I’m going to leave this topic for another day, because cyber security training is nested within universities, and that’s a topic about which I don’t have time to write right now.
However, I do have a few brief points:
- When the government gets out of the way, industry will respond by investing in training.
- Most cyber security professionals come from other areas of IT — architecture, operations, etc. It’s more effective for companies to train IT professionals in cyber security rather than train individuals in both IT and cyber security.
- The federal government’s permanent visas include cyber security specialists. Does importing talent disincentivise companies from investing in local talent? (And, no, I’m not for open borders.)
Government’s Role in Cyber Security Advisory
I’m going to keep this section short. Outside threat intelligence, the government does not have a role to play in cyber security advisory. There is little of value that can be provided by the government that doesn’t exist elsewhere. For example, the Essential 8 is nothing more than cyber security 101.
Likewise, the JCSCs — Joint Cyber Security Centres — offer nothing that couldn’t be done more efficiently and cheaper by private companies. The JCSCs should be privatised, government employees removed, and set up as a subscription for which private companies & universities pay in order to participate. Government participation should be optional.
Government’s Role in Cyber Security Research
Data61 — a part of the CSIRO — contributes to cyber security research. I have no experience with Data61, and hence I’m not going to comment.
However, under libertarian philosophy, cyber security research should be left up to private companies.
This is yet another topic for another day. However, the government’s dual roles of national security and privacy/cyber security are often in conflict.
Here are a few thoughts:
- The government’s existing surveillance laws disincentivise cyber security startups from Australia.
- Company tax rates aren’t competitive enough to entice startups and companies in general.
- The government banned two speakers last year.
The apparent industry-by-industry standards under development cannot — and will not — work. No one can tell a company what its risks are, what an effective risk profile is, and what the appropriate security controls are. Every company is different. Do you want hospitals spending money on doctors and nurses or on cyber security? I’ll take doctors and nurses, thank you.
Standards result in checkbox exercises, such as PCI DSS, which lead to the wrong areas of cyber security being addressed because a bunch of bureaucrats wrote a document. Moreover, the industry moves far too quickly for government regulation. I’ve spent a lot of time undertaking these checkbox exercises, and they do not improve cyber security in the right areas.
The Cyber Security Industry: We Got This
A friend of mine, an accountant, recently told me that he was surprised how much co-operation there is in the cyber security industry, particularly between people who work for competing companies. He told me this level of co-operation was non-existent amongst accountants.
Personally, I’ve never learnt anything from the government with regards to cyber security. The government’s advice on cyber security is basic at best; cyber security 101 that can be found in many YouTube videos, university courses, blogs, textbooks, or from anybody who’s been in the industry for 5 minutes.
The industry improves through a confluence of new ideas, collaboration, frameworks, personal experience, technology (mostly US vendors), and better management buy-in.
Cyber security at companies mostly improves not because of the government but in spite of the government.
In my view, the government’s role in cyber security is the following:
- Protect its own IT systems.
- Share intelligence feeds and information that only governments can gather.
- Get out of our way. We don’t need government standards.