By Carlo Minassian and Professor Michael Blumenstein.
Between us, we have significant responsibilities that span defending Australian organisations and infrastructure from cyber attack, to ensuring that Australian students have access to a world-class IT education.
We serve on the frontlines of an increasingly challenging cyber conflict that is unlike any conflict in human history. In this conflict, threats are asymmetrical, unpredictable, often unrecognised and frequently unpublicised. Serious damage can be done invisibly and the wounds do not ‘bleed’ immediately. When the complete schematics to your latest tractor wind up in a sophisticated counterfeiter’s factory on the other side of the globe thanks to cyber theft, the damage is profound. But the pain from this is delayed – and the effect corrosive – as your supply chain is tainted by counterfeits and the competitive drag leaches strength from your balance sheet.
We also know the quality and scope of the armies of hackers that Australia is up against, the tools and tactics they employ, their persistence and ubiquity. And these threats are relentless, as one recent indicator drove home. According to statistics published at the end of May by the Australian Communications and Media Authority (ACMA), an average of 16,500 attack malware reports are generated every day. And that is only what is being discovered or reported.
We also have a good idea of our own resources, both technical and human, that can be applied to protect and defend. Unfortunately, we have to report, like military strategists delivering an unwelcome assessment of troop strengths, that Australia needs to build a much better defensive capacity and it must do so rapidly. Some technical gaps can be solved by the right equipment, both hardware and software, but the human talent ‘gap’ is not one you can fill rapidly without an almost society-wide understanding of the urgency – an understanding not dissimilar to the kind of civil preparedness we saw in World War II, involving everything from rationing to blacking out windows.
The challenge, and our response to it, will, of course, be very different than it was over 60 years ago. But, like that period, a successful response will only be driven by a genuine understanding of the urgency of the situation. The first step in supporting this understanding is to step back and take a wider look at the digital society in which we now live.
The world of information has moved far beyond a linear one. Data is not just big, it is gargantuan. And the technology that supports all this data is vast. In many respects, technology – especially when it comes to the nexus of cyber security and privacy – has actually not only outstripped many of our legal constructs, it has even outstripped our ability to understand it in any practical way. In other words, we depend on technology, but generally do not begin to grasp its implications.
Today, most of us hold devices in our hands that have more computing power than all the computing power that existed in the world in 1965. These devices can manage the operations of the current Mars rover Curiosity and still have plenty of computing capacity to play music, take photos and send emails. Fifty years ago, the storage of a single megabyte of data cost $28.5 million. In 2012, that same single megabyte cost a fraction of a cent – in Australia, we no longer have a coin small enough to pay for it.
There is a meme making the rounds with techies that juxtaposes two photographs of a crowd standing in the exact same spot in Rome, separated by just eight years. The difference is striking. In the earlier photo there are few, if any, smartphones visible. In the later, all you can see is smartphones glowing in the air above the people’s heads. The significance is not that all those people now have a device that they did not have eight years ago. The significance is that they are each holding the equivalent of a web-enabled personal computer above their head. Re-imagine the same photo with the smartphones replaced by an entire file room and an office held aloft by each person in the crowd and you begin to get a sense of how revolutionary and mind-boggling this is.
The former head of innovation powerhouse Bell Labs, Ian M. Ross, once captured the extraordinary essence of this change in real world, almost visceral, terms. When this man, who had a hand in perfecting the transistor and shaping the moon landing, was asked to describe the progress made in the electronics industry, he replied like this: “If we had had the same progress in the aircraft industry, you and I could be flying between London and New York in 500,000-seat planes and the fare would be about 25 cents”.
Imagine the largest passenger airplane, the A380, and then multiply that by almost 6,000. You would have to imagine an airplane larger than 125 cricket pitches or about the size of a regional city. In other words: something really hard to imagine. And this is exactly the point. While the user-fronting face of technology has become more accessible and friendly, the “behind-the-scenes” complexity and capacity that supports what we as consumers have come to expect is basically not measurable.
Let’s return to the cyber security threat. Whether the device fits into your palm or sits on your desk, the ‘border’ that needs to be defended is like no other in human history. We are not talking about a line separating what is yours from the outside world. It is more like a porous, dizzying multi-dimensional space with a myriad of entrances and exits streaming with reams of precious information that can vanish in a fraction of the blink of an eye. The information governs whether a city’s electricity stays on, whether the traffic lights function, whether planes land and, most recently, whether cars drive safely. Almost everything is plugged in and because it is plugged in, everything is vulnerable.
Machines are not enough to protect machines; only humans – talented and trained – can do this, and around the world this elite group is already spread very thin.
The major players, like the United States and Europe, have been determinedly building up their ranks of cyber security talent. Corporates are doing the same. Australia simply does not have enough home-grown cyber security talent to protect our country. And as others suck up this talent pool like a giant sponge, we will increasingly be in the precarious position of looking like an attractive target in a world awash in cyber threats. It is not enough to designate a cyber security centre; we must have the talent and commitment to man it properly and for the long-term. This means taking comprehensive, intelligently planned steps to bolster the human resources needed to mount a viable technical defence to cyber attacks from all corners, whether state-sponsored, hacktivist or criminal.
Step one: we must import it, while simultaneously cultivating it here on our own soil. This is already being done by way of 457 Visas and this necessary approach must not be hamstrung by lack of political resolve or a misunderstanding of what lies in the balance. But 457 Visas are not the final answer. Cyber security personnel under this visa program often have difficulty getting necessary government security clearances. So while these personnel are clearly necessary and are able to serve both a functional and even educational purpose for Australia’s cyber security defence, they are not the long-term answer.
After all, even the US, which recently entered the recruitment market in a huge way by more than quadrupling the size of their cyber command by 4,000 technical personnel, has acknowledged that it will be hard-pressed to find talent in either domestic or global markets. There is a finite pool and Australia’s position is made even more difficult because of the perception that it is far away from technical employment centres.
For this reason, we must work to expand our pool of top talent by nurturing it. As a nation we need to raise this awareness and seriously incentivise cyber security education so that the best of the best are attracted to this vital area. If we do not do something about this skills shortage, Australia will be so far behind everyone else that catching up may be nearly impossible. What we cannot afford to become is a soft target because we are not investing enough in our education or thinking intelligently about what resources – whether from abroad or domestic – we need to prepare ourselves for the inevitable.
If Australia is to increase and successfully staff the kind of cyber security force needed to defend the country’s cyber borders, a major change to the educational development system must take place. An effective Australian approach would likely be akin to what is happening in Israel, where, at an early age, talented youth are now identified and involved in high-tech programs. Entry-level government job opportunities for high school and college students have been created and well-funded, and the country’s National Cyber Bureau is training students for work in advanced cyber security by using teachers who themselves are former intelligence corps soldiers with extensive cyber expertise.
Our cyber border is indeed a wilderness, but with the right talent guiding us, it is a wilderness that can be tamed.
Carlo Minassian is the founder of earthwave Corporation, a leading Australasian provider of defence-certified Managed and In-Cloud Security services that advocates real-time threat management and was recently acquired by Dimension Data. earthwave clients are defined as ‘security elite’ medium to large enterprises, including banking, finance, telecommunications, utilities, manufacturing, educational institutions and state and federal government agencies that need the highest level of protection. For more information, please visit www.earthwave.com.au
Michael Blumenstein is a Professor in the School of Information and Communication Technology at Griffith University, where he previously served as the Dean (Research) in the Science, Environment, Engineering and Technology Group, and prior to this was the Head of the School of Information and Communication Technology. Michael is a nationally and internationally recognised expert in the areas of automated Pattern Recognition and Artificial Intelligence, and his current research interests include Multi-Script Handwriting Recognition and Signature Verification. For more information, please visit www.griffith.edu.au