Spy Boss Says AU’s Cyber Security Sketchiest in the World
In an interview with AFR Ian McKenzie, the former director of the Australian Signals Directorate (ASD), said that Australian businesses requirements of cyber security remained the sketchiest in the world.
ASD receives the largest funding from the government among other intelligence agency in the country. As how AFR described the agency, it is a "hybrid of ASIO and ASIS."
Mr McKenzie said that cyber attacks against businesses are usually conducted by an insider, "a disgruntled employee."
"We used to worry predominantly about state actors. But the internet enables both individuals and organisations to do extraordinary damage. This includes malicious action both inside and outside an organisation."
He said that for several incidents ASD worked on an "insider" cyber attacks.
"The insider threat is one of the more likely problems business will face, especially with our highly mobile workforces."
Despite the growing cyber attacks, Australian businesses remained unclear in terms of the requirements they set in addressing hacks.
"You're the CEO of a large company and you're advised that the core of your network has been hacked by either a foreign government or organised crime, and that they have your IT administrator privileges. This nasty actor has broad control of your network. And you are a company that provides services to other firms. But you don't know exactly what they have done. What do you do? Do you tell your customers? Do you tell the ASX? It is not clear what the answers are. This is unchartered territory."
He said that most of the time, businesses leaders were surprised to discover attacks that their own employees cannot understand.
"The private sector owns most of the important infrastructure in Australia, and it is important for the country's economic well-being that industry achieves appropriate standards in this space, which may mean security obligations beyond those imputed by straightforward commercial goals," he said.
He advised for the companies to be knowledgeable on information that is most valuable to the company and to employ outside agencies that could check on their internal staff.
"Internal IT providers, or external suppliers, often cannot see the problems, or don't want to admit shortcomings, and, in a connected world they can be a weak link in your information security. The issue of data security needs ongoing attention - it should be a regular agenda item on management committees and sensible component of any risk management process in a modern company."
Such outside agency can be the recently established Australian Cyber Security Centre.
"About five years ago we realised that cyber security was an issue not just for government, but also the private firms. It is a team game: coordination across government, and between government and industry, is absolutely essential."
Seventy per cent of ACSC's staff will come from ASD and will be headed by ASD deputy director, Major General Steve Day.
Scott Ceely, a former Australian intelligence official, is highly critical of agencies such as ACSC and ASD.
"The intel agencies are not engaging enough with business and sharing insights on threats. We are starting to see companies that know they are getting continuously compromised claim this is just a cost of doing business." Mr Ceely said.