The greatest existential threat to the Australian economy is cybercrime, according to Alastair MacGibbon, the man charged with leading the federal government’s cybersecurity strategy. The cyber defences designed to protect us will inevitably fail, he said.
MacGibbon, the National Cyber Security Adviser at the Department of Home Affairs and concurrently Head of the Australian Cyber Security Centre, part of the Australian Signals Directorate, was speaking at the McAfee MPower event in Sydney today. He said the conversation and language around cybersecurity in Australia needed to change, as the threat and attack profile grow more complex every year.
“Cybersecurity [failure] is the greatest existential threat facing the Australian economy and Australian society … amongst a range of others — I’m no climate change denier,” MacGibbon said.
“But I am going to say that cybersecurity failure could be pretty catastrophic for us.”
One in four Australians are impacted by cybercrimes every year, and it is the fastest growing and most prolific category of crime conducted against Australians, according to MacGibbon.
Some of the defences designed to prevent cybercrime will fail, MacGibbon said. That is the nature of cybersecurity, although it is not always widely understood.
Research from McAfee released at the event found there was a considerable disconnect between the expectations and language of cybersecurity leaders and their C-suite peers. MacGibbon said the findings were not surprising and the industry was mostly to blame.
“I’m going to blame IT security professionals here … I don’t think we’ve actually done a great job at saying what cybersecurity delivers. I think for a long time we’ve sheeted it home as a technology issue.”
According to MacGibbon, no cyber defences can categorically prevent attacks. Instead, cybersecurity should be seen as an enabler and risk mitigator.
“In complex systems, that are doing complex things with complex people, that risk will be realised. And sometimes it will be realised in ways that we were able to predict and prevent. Other times it will be realised in ways that maybe we could have predicted but it was outside the scope of our thinking.”
“The aim is to reduce the impact of that risk.”
But failures are inevitable, MacGibbon said. And when the risk is realised it is cybersecurity’s job to respond and get systems back up as quickly as possible, recover, and learn.
“That to me is one of the failings of our business. That we try to tell people that it’s binary: ‘you’re secure or you’re insecure’. We all know that it’s really just a gradient of risk and a whole series of them.”
“It is about recognising that we will fail and telling people that we will fail. Not in a way that is disappointing but in recognising the complex systems that we have,” MacGibbon said. He believes this is something the government had failed to explain following its census bungle in 2016.
Regardless, the expectation to reduce the failure rate is growing, MacGibbon said.
“As I travel talking to CEOs and boards and small companies, and indeed the public, there’s a greater expectation on the part of government and us as a cybersecurity industry and providers of services to the Australian public to be doing more.”
The challenge will grow, MacGibbon said, as attack surfaces grow and attackers become more sophisticated.
“It is an increasingly complex threat surface that we are protecting. That’s a no-brainer. That’s because of the technologies that we’re wiring in and the things that we’re doing with those technologies and, frankly, the legacy systems we’re leaving in. So what we’re protecting is more complex.”
MacGibbon also noted the challenge the rise of IoT will usher in, which requires a change of operating methods. Threat actors will also continue to innovate, MacGibbon said.