GI: Australia’s cyber crime investigators can’t fund investigations, travel to each other – and these are our frontline.
TS: Government is good at marshalling the stakeholders to make something happen – the fires in Victoria, the floods in Queensland. That’s how they should operate in cyber security as well.
NC: What role does government have when critical infrastructure is owned by private interests? Eric, from a Scada perspective, how much guidance do owners of critical infrastructure get from government and does it seek central failings?
EB: Government dabbled in the North American energy field and that was a trainwreck. But in oil and gas, it's thankfully out of the picture and those organisations’ preparedness is better because they’re solely responsible. What Idaho National Labs does is first- class, providing for Scada operators, particularly Tier Two because they are in trouble; they don’t have any concept of risk, never mind cyber risk. Brendan, you said you’re a risk officer – there are companies that wouldn’t even know what that is.
GI: When I visited Marcus I saw the Telecom ISAC [Information Sharing and Analysis Centre]. During the Cuban missile crisis President Kennedy directed military, government and industry work together to secure the US communications system. That is the closest I’ve seen to a true collaboration and where we need to go – government should be about protecting systems and citizens.
DP: Brendan, how much assistance do you get from government to secure your systems and customers?
BG: I interviewed 12 water and transport operators in Victoria this time last year, just before Stuxnet, and they weren’t talking to each other or government. Until there was an incident, they weren’t willing to talk about it. We don’t share information, we don’t trust anyone and I think sharing is the most valuable tool we have.
TS: US agencies are very open about saying, “Yeah, we got hacked and this is what happened to us”. A company is not going to say that because of their reputation, the impact on their competitiveness. It gets to the point about legislation.
MS: Each US state has its own laws about breach reporting – so for companies that operate nationally it’s confusing: whose law do you follow and if you’re running a cloud where is that? The White House proposed to overrule the states. The bigger question is, so what if you report a breach? That’s fine if customers get notified but does that make you secure or does it get us any closer to catching criminals? The answer to both of those is no.
NC: In Australia, because we have no mandatory disclosure, it’s very difficult even to get people to admit to a breach. We often find out an Australian company was breached because they have an overseas presence that discloses it.
MS: Kennedy set in motion the linking of telephone networks between the US and USSR so the leaders could talk in time of crisis. Then IBM wanted to link its mainframes and that set the groundwork for the internet. The Russian state-owned phone company and the private US carrier had to agree on connections and the governments to logistics of tolling calls, charging and diplomacy. I’m vice chair of the Communications Sector Coordinating Council; we have private-sector people embedded with offices inside the Federal Government where they work face-to-face.