Thank you Ian [McKenzie] for your warm welcome and for inviting me to speak to your Conference today.
I am very pleased to be here today to address the Defence Signals Directorate’s (DSD’s) Cyber Security Conference 2012 and to see the launch of DSD’s new information security video ‘Catch, Patch, Match’.
We all understand the importance of the internet in our social and economic lives.
In 2010, over 80% of Australians had access to the internet.
In 2010, the direct contribution of the internet to the Australian economy was worth about $50 billion or 3.6% of Australia’s Gross Domestic Product (GDP).
Our time spent accessing the internet on mobile devices continues its upward trend.
In 2011-12 Australian users spent an average of 4.2 hours per week on their mobile devices, up 20% from 3.5 hours in 2010.
Tablet computers have more than doubled in use in Australian homes: 18% of households now own a tablet computer, up from 8% in 2010 and forecast to be in almost 40% of homes by 2013.
Almost everything is now connected, online and accessible and the internet continues to develop at an historically unprecedented rate.
The internet provides Government and business alike with opportunities to operate more efficiently. Its exponential growth has fundamentally changed the way we work and interact socially, and will continue to do so.
But increased reliance on networked devices comes with additional risks.
The Cyber Threat
We all need to understand the size and scale of the cyber threat.
Australia is experiencing increasingly sophisticated attempts to infiltrate networks in both the public and private sectors.
The threat comes from a wide range of sources: non-state actors – individuals, issue motivated groups, organised criminal syndicates – as well as state-based actors.
Planning for future national security interests is a fundamental responsibility of any Australian Government.
Part of this is being flexible in the face of new threats and new technologies, technologies which can lead to new opportunities, but which can also create new weaknesses or accentuate old vulnerabilities.
Australia takes cyber security very seriously and has invested significantly over a number of years to ensure that we have appropriate arrangements in place to deal with cyber security threats against Australia and Australians.
In the 2009 Defence White Paper, the Government committed to a ‘significant and sustained investment’ in Defence cyber capability.
For the first time in a White Paper, an Australian Government acknowledged that national security could be compromised by cyber attacks on defence, government, commercial or information networks.
In January 2010, as an initiative of the 2009 Defence White Paper, the Government opened the Cyber Security Operations Centre (CSOC) within DSD.
CSOC has two main roles:
(1) To provide Government with a greater understanding of cyber threats against Australian interests; and
(2) To provide response options for significant cyber events across Government and systems of national importance.
CSOC has embedded representation from Defence and other Government agencies, including personnel from the Australian Security Intelligence Organisation (ASIO), Australian Federal Police (AFP) and the Computer Emergency Response Team Australia (CERT Australia), with which CSOC works closely.
CERT Australia was established in the Attorney-General’s Department in January 2010 to work with the private sector to identify critical infrastructure and systems that are important to Australia’s national interest.
Cyber Incidents – Australian Networks
In 2011, CSOC identified 1260 cyber security incidents. Over 310 of these were deemed serious enough to warrant a CSOC response.
In the period to the end of September 2012, CSOC identified over 1250 cyber security incidents, of which over 470 were serious enough to warrant a CSOC response.
Working with our Partners
Australia is working closely with our partners on cyber security.
The 2009 Australia United States Ministerial Consultations (AUSMIN) agreed that Australia and our Alliance partner the United States (US) would work more closely together on Cyber Security.
At the 2011 AUSMIN talks, Australia and the US marked the 60th anniversary of the Alliance by issuing a Joint Statement on Cyber.
This Statement recognised the need to work together to address mutual threats and challenges emerging in and from cyberspace and that a cyber attack on either country could in certain circumstances trigger the consultation mechanisms of the Alliance.
At the 2011 Australia United Kingdom Ministerial Consultations (AUKMIN), Australia and the United Kingdom agreed to enhance cooperation on cyber security.
These discussions focused on the need to make cyber security a priority for Australia, the UK, the US and other partners, and for the international community to agree on international norms or ‘rules of the road’ for cyber space.
Cyber security is a global challenge, which we can only combat by working together.
Cyber Security is an Issue for Everyone
Cyber security is not just an issue for nation states.
Cyber security is an issue for Government, industry and individual citizens.
The dangers come not just from nation states, but also from non-state actors.
This issue is one that impacts adversely upon our economic interests and national well-being, not just our national security interests.
There is increasing evidence of cyber criminals extracting significant sums of money from the economy through network-based fraud. The cyber theft of intellectual property is also a serious issue for industry and business.
More than 65% of intrusions observed by CSOC are economically motivated.
Security company Symantec has put the cost to Australia from cyber crime at $4.5 billion, more than the cost of burglary and assault combined.
35 Strategies to Mitigate Cyber Security Threats
There are things that we can all do to prevent the vast majority of intrusions.
In early 2010, DSD developed a list of 35 strategies ranked in order of effectiveness to mitigate cyber intrusions.
These strategies were based on the nature of intrusions CSOC had seen in 2009, its first year of operations.
CSOC estimates that more than 85% of the cyber intrusions that DSD responds to would be prevented if organisations implemented just the top four of these 35 strategies.
This cannot be ignored. Organisations, whether Government or Industry, who do not implement these strategies do so at their own risk. And at Australia’s risk.
The top four mitigation strategies are:
(1) Application whitelisting to ensure that only software that is specified and authorised can run on a system;
(2) Patching third party applications;
(3) Patching operating systems; and
(4) Restricting administrative privileges.
DSD has provided technical guidance, available on its website, on the implementation of these strategies.
Implementing the top four strategies helps to secure an information security system, creating a more robust, protected system.
‘Catch, Patch, Match’
I am pleased today to see the launch of DSD’s new information security video: ‘Catch, Patch, Match’.
DSD has adopted the ‘Catch, Patch, Match’ slogan to draw attention to the need to prevent cyber security intrusions.
‘Catch, Patch, Match’ means:
(1) Catch malware by application whitelisting;
(2) Patch software and operating systems; and
(3) Match administrator rights to the right people.
These are effective ways to prevent cyber intrusions and make your network more resilient.
The launch of ‘Catch, Patch, Match’ also reinforces DSD’s role in protecting Australia’s national security interests.
The evidence to date clearly indicates the ‘Catch, Patch, Match’ approach is the best way to mitigate against cyber intrusions, protect your most valuable information and enhance the resilience of your networks.
To illustrate how important it is to educate all Australians to take these sensible precautions, let’s now watch ‘Catch, Patch, Match’.
25 October 2012