Alastair MacGibbon
Former deputy secretary national cyber security adviser, Department of Home Affairs, and head of the Australian Cyber Security Centre, Australian Signals Directorate
As the nation’s foremost thought leader and special adviser to the prime minister on cybersecurity, Alastair MacGibbon oversaw the data safety of 25 million people. At the centre of his roles were the confidentiality, integrity and availability of data and systems in an increasingly interconnected world where massive opportunities are presented by the convergence of critical infrastructure and the Internet of Things (IoT).
MacGibbon, who spoke to Qantas magazine before announcing his resignation from both his government roles, has spent decades exploring how to counter rising cyber threats, working with the Australian Federal Police as chief of the Australian High Tech Crime Centre for 15 years (until 2004) then as head of trust and safety in the Asia-Pacific for eBay until 2008.
What’s changed in recent years? “We have this interesting mix of greater reliance on technology with a higher threat surface, combined with a more aggressive threat environment,” says MacGibbon.
Posing those dangers are insiders within organisations, issues-motivated groups, criminal gangs and nation-states, he says. Witness the zero-day vulnerability. “When I first got into this space, we’d often know months ahead that there was a problem [in a system] and race to fix it. Now we’re seeing vulnerabilities for the first time when they’re being used maliciously.”
Personally identifying information (PII) is typically the target. “On a daily basis, we’re dealing with nations and criminals targeting end users to give away their password, click on a link, upload or download something as a way around systems.”
Last December, MacGibbon called out an “audacious compromise” with the discovery that the intelligence services of the Chinese Ministry of State Security had hacked managed-service providers, including Hewlett-Packard, SAP and IBM, exposing the data of hundreds of thousands of their clients globally.
“Stealing data is one thing; stopping access to data is another,” says MacGibbon, referring to the prevalence of distributed denial of service (DDoS) attacks and ransomware. “You still have your data but it’s not available to you – that can be catastrophic for a business.”
There have been pivotal points in cybersecurity awareness, according to MacGibbon, kicking off with the launch of the national Cyber Security Strategy in 2016. Only months later, the eCensus’s failure to withstand DDoS attacks stymied submissions across the country. In 2017, global ransomware attacks WannaCry and NotPetya – when criminals held the information of organisations including FedEx and the United Kingdom’s National Health Service to ransom – showed the possibilities for a pandemic. Subsequently, Australia launched the Notifiable Data Breaches scheme, which obliges companies to let people know when their personal information has been involved in an eligible infringement.
“PII has been the bit that criminals have wanted,” says MacGibbon. “We need to design out the ability for end users to harm themselves, with better systems design.”
Initially, C-suite executives and boards were slow to move on the “unfamiliar
discipline” of cybersecurity but they’re getting better. MacGibbon (pictured below) has noticed that organisational leaders are gaining confidence, asking more demanding questions of service providers and knowing what good answers sound like.
He was in the box seat to see changing attitudes through the Joint Cyber Security Centres (JCSCs), which the department operates in Brisbane, Sydney, Melbourne, Perth and Adelaide. JCSCs bring together government, the private sector and academia to share insights and strategies for often rapid action. Last year, when cloud-based recruiting platform PageUp reported it had been hacked, potentially impacting hundreds of clients, the JCSCs ran video hook-ups with the company, its incident responders and customers. “It has to be a collective effort,” insists MacGibbon.
Attention has shifted to supply-chain risks as the world becomes increasingly reliant on third parties and IoT. “Companies need to understand they have a greater responsibility than just protecting themselves,” says MacGibbon, pointing to the Essential Eight mitigation strategies published by the Australian Cyber Security Centre to provide a baseline for enterprises and public-sector entities.
He says protecting data essentially means driving down risk. “No-one in cybersecurity will ever tell you that you can get down to zero risk because that’s an unplugged computer. You don’t hang up a ‘mission accomplished’ sign. Cybersecurity is a journey, not a destination. It’s a process of constant improvement and change.”