Episode #81 Should the cyber sector be considered critical infrastructure? with Michelle Price
Michelle Price is the CEO of AustCyber, the Australian Cyber Security Growth Network Ltd, part of the Australian Government’s Industry Growth Centres Initiative. She joins the podcast again to discuss reducing organisational risk, ransomware, cyber as critical infrastructure, and 'purple teaming'.
Michelle Price is the CEO of AustCyber, the Australian Cyber Security Growth Network Ltd, part of the Australian Government’s Industry Growth Centres Initiative. Michelle has an extensive career and held several Government roles, including the first Senior Adviser for Cyber Security at the National Security College, various strategy and risk management roles including at the Department of the Prime Minister and Cabinet (PM&C), and roles in law enforcement and health portfolios. She has also worked in risk management and strategy in Australia’s food industry and also in the advertising industry.
Michelle is passionate about Australia’s cyber security sector enabling all Australian organisations to grow and take advantage of the cyber world. She is also a strong advocate for increasing diversity in the cyber security workforce and inspiring people with the possibilities of cyber innovation.
Transcript
CP: Hello, and welcome to The Security Collective podcast. I'm your host Claire Pales and today we welcome back Michelle Price. We've met Michelle before in episode 5 in season 1, and episode 52 in season 5, and Michelle it is great to have you back on the podcast today.
MP: It's so good to be back with you, Claire. It's a really exciting time.
CP: So we closed out episode 52 last November, and you were talking about how organisations need to accelerate out of the pandemic. 12 months on, I'd love to get your perspective on how organisations have gone, especially in relation to improving their cyber capabilities of course, and reducing organisational risk.
MP: Yes, well, the 12 months that none of us thought that we were going to have, hey. It will probably be the thing that we keep saying for, I think, probably the next 10 to 15 years. You know, I think that it's much the same as where we were 12 months ago in the sense that, you know, there are a whole range of different segments of sectors that are doing better at cybersecurity than where we were 12 months ago, but not everybody is. And there's a whole range of reasons for that. You know, believe it or not, there are of course still segments and sectors of the economy that are not touched by cybersecurity challenges in a significant way. Although, of course, that just means that they're sort of not educated or aware enough to understand what's happening within their sector or their segment of their sector, because everyone is affected, of course. But you know, we have seen more focus on the risk side of things, which I think is really, really exciting. And exciting because we're starting to see that as the biggest signal in the last 12 months of organisations paying attention, not just to what's being reported in the news, which is, you know, 99.9% of the time about the badness that's going on in the economy because of malicious actors. But actually, because it means, of course, that companies are focusing more around why cybersecurity can be an upside for their organisation, and that it's being embedded more and more into companies' strategies, as opposed to it continuing to be the IT problem. So from a risk point of view, I think that is exciting.
And it really does mean that over the next three to five years, as we see that sort of next big wave of companies go through their security uplift and integrating cybersecurity risks into their whole-of-organisation risk management, we'll have greater levels of sophistication in the types of questions that get asked, the types of capability requirements that are needed across different sectors; we'll start to see a lot more tailoring, I think. And we've got some really good early signs of that. And it's not just in the health sector, where we've seen a significant need because of the pandemic, but right across a whole range of industries that have obviously got their close eye on the critical infrastructure legislation changes. And also, I guess, a range of industries that have been concurrent to those that are most impacted by malicious cyber activity. Which of course continue to be industries like financial services and telcos. But understanding more and more, I think, actually, as a result of the debate around the consumer data right and open banking and those kinds of movements in the economy, people are starting to appreciate that security and privacy matter. And it's also mattering more and more in a social conscience context.
CP: I was going to ask you, and you've sort of led into that a little bit, given your role in AustCyber, what you have seen over the last 12 months more broadly for our industry as a sector. So not necessarily what you've just talked about in terms of how businesses are dealing with cyber, but as a cybersecurity industry, what have you been seeing evolve for us?
MP: Yeah, we've had, interestingly, you know, early days in the pandemic last year, if we can stretch our minds back that far, you know, we actually really did say around about 40% of the industry was at risk of going under. And that was, you know, I guess a reasonably high number for an industry that is a horizontal enabler. But by the time we got to the middle of the year, and sort of came out the other end of what we knew to be the sort of stability that was given to the economy by the subsidies and the sort of cash splashes that were coming out from governments at all levels, it meant that businesses could actually focus on what their continuity actually meant in the cyber industry. And of course, when we saw that massive uplift in the number of attacks that were happening in the economy mid last year, we also saw buyer activity start to move. So in the first half of the year last year, we saw a whole range of buyers just absolutely shut down their buyer behaviour and go full tilt conservative. Which of course, when you're seeing an economic depression come upon you, that's very standard behaviour. But for cybersecurity we actually then very quickly saw recovery, like really, really quickly saw a recovery. And we did at that moment lose a couple of companies out of the sector, but we really didn't lose anywhere near as many as what we had predicted. We had anticipated that we could lose sort of up to 100 companies. By the time we got to the end of last year, we had only lost four. Now, that's pretty indicative, I think, of just where we were up to as the maturing of the industry pre-pandemic. But also what had happened during the sort of real haziness of the initial waves of the pandemic, and being able to capitalise on the energy around cybersecurity as not just a need in the economy, but also a profession. And so then coming into these past 12 months, we've only lost one more company.
And that's actually been much more to do with externalities than it was around whether or not there was buyer or investor demand. That's not to say that there aren't companies that have been struggling, they certainly have been. But there's been a lot of focus by a lot of the companies, whether they've been big or small, to use the time if they are struggling to really focus in on what it is that is their niche. As opposed to kind of just keeping on doing the same thing over and over again. And of course, actually, for the majority of the industry anyway, they've just been absolutely flat out. So we've been dealing with some different problems that are actually probably more akin, frankly, to the health industry, where we've seen significant levels of burnout. And I know that this has been discussed on the pod before. And it's been discussed globally around, you know, the level of burnout in incident responders, and a whole range of kind of concurrent skill sets. And, you know, it's not been limited to one organisation or one sort of area of the service offering.
CP: So actually a really interesting way of putting it because we were not on the critical infrastructure list of, you know, the 11 industries that are coming in the new bill. And yet, without us, there'd be a lot of organisations that wouldn't exist today. So it's a real challenge, I think, because if you looked at us in the same way you look at some other critical infrastructure, recognised verticals or industries, things could be very different.
MP: They could be. And I do wonder whether or not it's because we still haven't reached the critical mass within the economy of truly understanding what it is to do cybersecurity well. And if we are doing cybersecurity well, of course, we're seeing it as the enabler to trust. And to be able to do that, well, it means that we actually do see the marriage of security and privacy. So we're not quite at that stage yet. But I really do think we will get there quite quickly compared to where we've been in the past. So I mean, I think that we'll reach a time where, you know, the sort of regulatory environment around cybersecurity is really going to transform. And frankly, we will have to over the next three years to be able to keep pace globally in the capabilities that we have to offer for that economic benefit piece, which of course AustCyber is very focused on. But also to actually deliver our commitments that we're making quite publicly under increasing numbers of security pacts, including things like of course AUKUS. We're going to have to get much more coordinated, which in my language is actually not so much about coordination, it's much more about orchestration, and having a really genuine understanding about what global interoperability genuinely means. And that for self sustainment and self reliance, we do actually have to have a spread of capability for our domestic purposes. But we probably don't need to have globally competitive capabilities on offer in every capability type to go global. And so I think the level of sophistication that we are going to need quite soon will mean that the regulatory environment will have to support that regardless of what the government of the day thinks. Otherwise, we will not be able to deliver on these commitments that we are making globally. 
So that to me is going to mean that whether it's an inclusion under the critical infrastructure legislation and a future amendment, or it's through an omnibus sort of package around cybersecurity, to harmonise all of the different component parts that we've now got in the landscape, including across different levels of government, you know, the time will come where the economic forces will make it happen.
CP: It's a good segue, I want to talk about the government a little bit. And you spoke earlier about the attacks we saw that started sort of in the middle of, or a third of the way through last year. And we've kind of seen it just grow exponentially across sectors and across the world. But particularly in Australia, we saw a rise last year and this year in ransomware. And in your role as CEO of AustCyber you wrote a piece last month, an opinion piece called 'Why companies will ignore the government and pay hackers the ransom'. In recent months pretty much every engagement I've been in as a consultant with boards, the topic of ransomware is front and centre without a doubt. And with this question of always, should we pay? So boards are grappling with this question, there's no right or wrong in most people's eyes. You know, it's what's contextual for your organisation. But what questions should boards be asking themselves and their management teams to help them get to a position on ransomware?
MP: The headline for that article was not mine and Marcus Thompson's choosing; that was, of course, the clickbait. But actually, when you take a step back, it was quite reflective, that, you know, the emotive word was ignore, of course. You know, organisations don't set out to ignore governments. But often, when you're in the heat of the moment, what we do know is, of course, that we're actually ignoring everything apart from what's right in front of us. And often, we're actually ignoring all of the obligations that we might have under different pieces of law that might not be immediately obvious, that have a relationship to the situation that you're dealing with. So it's really super important that we do have really solid legal advice alongside us to help us make these kinds of decisions. Now, as we start to get into the next wave of maturity in cybersecurity, as, you know, we're all describing, one of the things that I think we will have to get used to is understanding that the cybersecurity skills gap is not going to so much be a focus on our vertical, it will actually be the cybersecurity knowledge that exists in the sort of support services that we need. We're so used to supporting everybody else. You know, we need lawyers that forensically understand the contextual nature of cybersecurity and understand that across so many different jurisdictions at the same time. Because one of the key questions, of course, that boards do need to ask themselves, if they have already answered the question around whether or not there's another way through their business continuity practices and policies, you know, the sort of advice that they're getting from their technical people, their risk people and their information management people, is: if there's no other answer available from inside the organisation, is there an answer that's available to the company or the board from just outside of the organisation?
Is there, for example, a supplier, partner or customer that's been through this before that could give some hints or tips in a trusted way? That's not going to make it out into the media and all of those kinds of things. To give a sense of what some of the pitfalls might be, if you go down one path or another. That's often what's missed, because we're so focused inward in these really intense moments. And, of course, the other question that is, I'm finding, increasingly not well understood in how you answer it, is what is the time quotient that we have on our side here? If we've figured out that we don't have any backups, or if we do, you know, there's still going to be a gap perhaps of 24 hours in the data. And, you know, listeners might have also listened to the podcast of AustCyber's, where we did a recording of the hypothetical in cyber week around a cyber attack which was ransomware on a hospital. And we've put that recording out as a pod episode. You know, some of the things that we covered in that were very, very specific around: if you're a hospital, 24 hours' worth of data is enormous. It's really, really significant. So if you've got the backups right up until the last 24 hours, great, but actually, that doesn't save your bacon for the patients and the people that you've got in the waiting rooms, and all of that kind of stuff, and the outpatient services today. It doesn't help them at all, and so how quickly can you get that data back? Well, of course, immediately what you have to do is move to analogue. And that might not be the preference for a whole range of reasons. So what's the time question that you are dealing with? How long can you survive without having access to the data that you lost as a result of the ransomware? And the sort of environmental piece that organisations who haven't gone through a ransomware attack, and I hope that most listeners haven't, may not appreciate, is actually that if you do decide to pay the ransom, that's not straightforward, either.
You are often having to now deal with ransomware brokers, and how do you know whether or not, and how do your lawyers know whether or not, they are a legitimate organisation or just a front for, and are either the same or a different, criminal gang that's ransomed you in the first place? It's weeks in the negotiations; this is not a quick thing. So there's kind of this impression, I think, that's given through a whole range of different mediums, that if you pay the ransom, you'll get your data back within moments. Well, to pay the ransom is not a straightforward thing. And you are actually entrusting through osmosis in the universe that, you know, you pay the ransom, and if that's happened reasonably quickly, that, you know, the criminals will actually have the ability to get the data back to you quickly, if they decide to give it back to you at all. And, you know, we've got loads of examples now in Australia; not a lot of them have the brand name attached to them, which is not necessarily an issue. Let's just look at the case studies, where it's taken an average of three weeks to get access again to the information, and around about two thirds of the situations are getting access to their data again. So that means around about a third are not getting access to it after paying the ransom. But of the two thirds that are, quite a few of them are finding gaps. And this is weeks, months later, they'll find that there are gaps. So not all of the data has been handed back. So what got kept? And how is that being used against you? And how has it been profited from in other parts of the darkness? You know, there's a whole range of different kinds of machinations here that, if you wind it all the way back up here, you know, if we've answered the first question, which is, is there another way? If there isn't another way to deal with this situation, and we do have to contemplate paying the ransom, what's the time quotient?
CP: I think it's a really powerful question. Because, you know, a lot of people are thinking that it's as simple as what our position is to not pay the ransom, or our position is to pay the ransom. But the steps and the scenario that is around that, and as you say, backups are one thing, and getting your data back is another thing. But the completeness of those data sets, and if you're talking healthcare, or you're talking any industry, really where you're serving clientele who trust you, it's not just as simple as the board saying, well if we got hit with a ransomware, we pay it. And, you know, I love the fact that you talked about external providers, and people getting that advice. And a lot of organisations are able to leverage things like cyber insurance to get the right services and subject matter expertise around those types of ransomware conversations. But it's just not that simple. And I think it's good for us to paint the picture around the fact that for organisations who say, well, I could operate for two or three days or five days on pen and paper, that might not actually be long enough, before you start bleeding revenue.
MP: Exactly. Right. And, you know, depending on the size of the organisation too, relative to the size of the ransom, we need to also remember, and boards need to kind of start framing their minds around this as well, that it's not in dollars, it's in cryptocurrency. And so if, for example, it's Bitcoin, and you're being asked to pay, say, for example, 40,000 Bitcoin, translate that into dollars based on the cryptocurrency markets today, you could be faced with a ransom of over a million dollars. So do you actually have the ability to pay it in the first place? You know, that could actually end you. So, you know, there's that trade-off as well around what kinds of revenues are you putting at risk to not pay the ransom. But can you actually afford to pay the ransom in the first place? Because you might see 40,000, and you're thinking $40,000. And you think, actually, that's a reasonable amount to pay to be able to resolve this situation quickly. And we'll make sure that we go back in and do all the things that we need to do in the response phase to make sure that it's remediated and it doesn't happen again. But actually, it's 40,000 Bitcoin; it changes the equation altogether. To your point about cyber insurance, you know, if you've got the policy, and you've got the capacity to be able to quickly bring in those experts that go alongside or go with that insurance, that is fantastic. But we've got around about 96% of the economy who don't have access to that kind of capacity. This is an enormous number of organisations that just don't have that kind of environment to be able to do that. And so we're going to have to figure out a way to solve what is, in essence, an economic challenge, both in terms of the financials, but economics in terms of the time management and the expertise management around these things.
Which, of course, we need to be doing at the same time as just resolving the fact that we can head off ransomware by doing the basics, and really ransomware should only become something that is the most sophisticated forms of ransom.
CP: Are you seeing different organisations trying to solve this problem of ransomware? And I know that AustCyber is very focused on innovation and looking at startups and where investors want to put their money. But are there trends that we're seeing where people are trying to solve for ransomware? Or is this not somewhere where the innovation sits?
MP: Yeah, it's interesting, actually. I think there is innovation that is going on, but it's more about the people and process, as opposed to the technology. So there isn't an easy fix on the technology; we've actually got all of the technology available to us that we need to solve ransomware, because of course it is about making sure that you're managing the risks effectively. And you've got the right tools in place within your systems and across your value chains to be able to have eyes on, so to speak. Now that's a very sort of simplistic way to put it, but you think about all of the different kinds of components that we can buy in a box these days that actually really do fend off, from a technology point of view, the overwhelming majority of issues that could cause a ransomware attack to happen in the first place. It's more about the processes that we have available to us and whether or not they are modern and agile sorts of processes that can adapt to changing context, and of course, the people that go along with it. And, you know, I think the number one thing that any organisation can be doing right now, while we get, you know, sort of the right tech stack going on combined with the right processes that are actually using and leveraging that tech stack. Because that's the thing as well: in larger organisations in particular, you can have the most schmicko tech stack in the world and, you know, pay millions and millions of dollars for it, but if you're not actually embedding it with your processes, it doesn't mean anything. But, you know, the thing that we can be doing alongside that, while we're pulling up our socks around those integrations, is practising. You know, practice, practice, practice. Practice what you are doing in the instance that, you know, the sky did fall.
CP: I think people certainly focus on putting technology in place to solve problems. And I love the idea that we were starting to see the people in the process side coming to the fore, because really, it's about how you leverage that technology. At the end of the day, you need a person sitting in front of it, to do those analytics, and to understand what the tech is trying to tell you, and put that context in and the emotion and the operations behind it. You know, it's not just about the binary nature of what tech can do for you. It's about how that operates within your business and can help you mitigate risk.
MP: Yeah, and so I think this is where, you know, in the industry, we have a bit of a giggle about, you know, red team versus blue team, and now there's purple team. Well, purple team, and we can't help but laugh, right, but actually for people outside of the world of security, whether it's digital or physical, purple teaming makes a heck of a lot of sense to them. It really does. And, you know, we've seen innovation happen in that space, including some great Australian companies like Cynch Security and Retrospect Labs, and there's a range of others. Purple teaming actually can be the most effective means for, particularly, a smaller set of organisations. You think about sort of that value chain approach: if you get a set of like organisations across their value chain collaborating together and purple teaming, instant uplift. One session of purple teaming of a set of organisations coming together, for argument's sake, around a restaurant that supports high net worth individuals, I'm thinking of some of the restaurants in Sydney and Melbourne here, that is actually a pretty easy target for malicious actors for ransomware. It might sound very straightforward to security people, but it's not at all to people operating those restaurants, because they're often owned by a consortia, there's investors involved, there's multinationals involved in the back end; it actually gets very complex very quickly. You get a bit of a supply chain/value chain kind of situation of exercising together. And within one session, boom, they've already uplifted themselves 200% from where they were the day before.
CP: And I think, you know, you mentioned some really great Australian organisations that are doing great things in cyber. And you mentioned Cynch just then, and Retrospect Labs. So I'm interested to know how organisations go about engaging with some of these. Because a common challenge I see is that CISOs are going out to market looking for solutions. But the startups or the smaller organisations, Australian homegrown, aren't necessarily making the cut. And I don't know if it's because of a lack of awareness of the solutions, or they're concerned about investing in a startup, maybe because they're not seeing the potential for longevity. They want to solve their security risks though. What advice would you give to organisations, because you see lots of great organisations through AustCyber? How can they become more informed about the solutions that are out there, outside the big names that we're all familiar with? How would you say they should approach that?
MP: Yeah, I think there's three ways. So one, one is that straight up, they can go to the world's only, like, literally the world's only digital ecosystem for cybersecurity capability, which is aucyberscape.com. So that's a digital ecosystem of Australian cybersecurity companies. Now, not all of the companies are on there. So if you're a cybersecurity startup listening to this podcast right now, it is free to sign up, get on there, like why would you not be on there. But we do have over 200 companies on there now, and that's growing day by day. So for buyers, and also for investors, that's like a one-stop snapshot of looking at what's available. And we categorise the capability offerings against the internationally recognised Cyber Body of Knowledge, or the CyBOK. So that's come out of an international consortia from the UK. So it's centred out of Oxford University, but Australians and all of our allies have contributed to that categorisation. So it sort of makes a lot of sense once you get in there. If you're looking for a particular set of tooling or a set of services, or actually you just want to have a browse, you know, it's actually really straightforward to do that. So that's one way that CISOs and their equivalents and everyone above and below can kind of have a look at what's around at the more innovative end of things. The second is actually just to pick up the phone and to give me a call. And, you know, we do a lot of matching of problems. And what I do is get the buyer to articulate what their problems are; most often, of course, it's under NDA, and it's quite confidential and sensitive. But most problems are not unique, the context is just different. And, you know, obviously, we've picked up on that word a bit already in the conversation: context, context, context, it reigns supreme in cybersecurity. And so matching the context of a problem and the problem itself to usually a set of capabilities.
And, you know, those who have followed our pitch days closely will know that I'm always putting together the companies that get to pitch for those events to be sort of complementary. So they're individually great companies that are at a really great stage of their life journey and their tech roadmap, or their services roadmap, for buyers and investors. But actually, also, if you lined them up with each other, they provide an awesome tech stack. That's what I'm doing every time. So those pitch days are quite good. But, you know, coming to AustCyber, part of what we do as part of our sort of free advisory services is to actually match, you know, capability against the problem. And also looking at, if it's a sort of a large problem set for a large customer, it's also pairing with the prime. So we're doing that more and more and more now. But I think the third part that buyers can be doing a bit differently is to get out of the channels, you know. So what we find now, of course, is that if you're a large organisation that's operating globally, whether it's a bank or a telco or even an aged care provider, often they're getting locked into contracts where their major tech providers, they might have three or four that make up the totality of their environment, and those tech providers are prescribing under contract which of the niche capabilities can be brought into that environment. Which 99% of the time is shutting out local providers, because they're not part of those channels. And sometimes they're not part of those channels deliberately, because they do want to be an alternative, trusted source to point out where the procured capability is not getting it right. But actually, more often than that, it's actually that, you know, the channel provisioning doesn't allow for the, you know, sort of smaller, more innovative companies. For a whole range of reasons, including trade agreements. Trade agreements can be a really significant barrier.
So, you know, getting access to, you know, you kind of have got to go out and then back in again. You know, going out of the country, getting into a channel arrangement, usually out of the US, but increasingly out of Europe, to then be able to sell back into your own economy. So, CISOs out there listening, please challenge. It's up to you to sign those contracts. Obviously you're negotiating them; you can negotiate things differently. You can negotiate to have greater flexibility in those contracts. I've seen it happen. It's not a unicorn situation, it's not utopia even, it can be mainstream. And, you know, some of these capabilities, you know, they really punch right in, solving problems in a really comprehensive way.
CP: Well, Michelle, thank you for everything you do. And there's been so much in this podcast that I'm sure people don't know a lot about. And so, you know, it's really great to have you back talking about what's unique about Australia and what's not, and how we can help people solve their cyber security problems. And so I'm really grateful to have you back for a third time. And thank you for everything you do for the Australian cybersecurity industry. I'm sure there's a lot of people out there that would agree with me that what you're doing is incredibly important. So thank you very much.
MP: Thank you, Claire. It's so good to be back again. And, you know, your pod really has made a difference in the knowledge uplift around, you know, all of the different value chains that we deal with. The number of times now that I can have a more sophisticated conversation, I say, "Where did you hear that knowledge from?" and they say, "The pod." So, you know, it's fantastic. Your service is just as important. Thank you.