For me, if there’s one thing that has long typified the battle against cybercriminals it’s a The Far Side cartoon.
You know – the one where a pioneer under siege inside the circled wagons asks his partner: “Hey they are lighting their arrows. Are they allowed to do that?”
The answer, while obvious, doesn’t bode well for those in the wagon: “Yeah they can do that – they can do whatever they want...they are criminals. They don’t need to observe the rules.”
For the cybersecurity community, we’ve faced a similar situation for more than a decade. If you believe the media, things have actually been pretty bad for even longer. It was 18 years ago that a paper carried the headline: “Hackers can turn your computer into a bomb and blow your family to smithereens!”
Yet before hurling your computer out the window, remember that the same journalists also wrote around the same time that a World War 2 bomber had been found on the moon, seemingly by blasting into orbit with enough fuel to land 238,000 miles away.
What is true is that in the past 18 years, computer enabled attacks on real word infrastructure – such as attacks on power grids and “Triton” malware taking out industrial safety systems – have been successful and the rate of attacks increasing. For us as a bank, there’s also been a concerning increase in malicious activity by cybercriminals and other threat actors.
But it’s systemic and affects us all.
The good news? Well, we have a common enemy. And to win, only a coordinated defence makes sense.
Yes, we all come from different organisations with different drivers and goals. But at the end of the day, the same attacks are focused on all of our organisations – they aren’t just targeting banks or governments. My customer is your customer, who is your supplier, who is your investor, who is your brother or sister.
They just want money or personal information to convert to money, and they don’t necessarily care where they get it from.
We’re all in it together.
We learned this in financial services more than a decade ago when we collectively saw our customers getting targeted by the same phishing attacks from the same threat actors. Around 2007, grass roots collaboration led to the formation of the Interbank Forums to help shape and drive our knowledge of the threat landscape and how to best respond.
The interbank, which meets regularly, is based on trusted peer relationships and allows cyber analysts to share actionable intelligence. We have learned through this that security is not a competitive advantage, and that sharing intel and lessons learned can only strengthen the overall ecosystem and help make it harder on attackers.
The thing about collaboration is that it has a tendency to become self-perpetuating. The Interbank forum has enabled the financial services industry to more meaningfully collaborate with other forums, both local and international, such as the Financial Services Information Sharing and Analysis Center, the UK's Computer Emergency Response Team and the Australian Federal Police.
Five years ago, there were maybe 10 chief information security officers in Australia and I could name them all. Today, there are maybe 40 CISOs and the number is growing. The recent establishment of the CISO Lens forum is a notable development, enabling improved sharing of actionable intelligence across cybersecurity functions across larger companies in different industries.
Kudos to James Turner from Intelligent Business Research Services for building up this network of white-hats through persistence, passion and sheer goodwill.
Positively, there are some other really exciting additional developments ahead on this front.
One is The Joint Cyber Security Centre (JCSC) partnership between business, government, academia and other key partners to enhance collaboration on cyber security without needing security clearances and travel to The Australian Cyber Security Centre headquarters.
JCSC’s are being set up in capital cities – Sydney’s was launched yesterday – as hubs for cyber specialists from ALL industries and ALL government/ law enforcement agencies to work together to develop a common understanding of threat actors, attack vectors and mitigation techniques. They will foster sharing of cyber research and countermeasures, including Westpac working with small to medium enterprises who do not have the same scale for the mutual benefit of the entire ecosystem.
But it’s people who play a critical role as the first line of co-ordinated defence.
A major challenge, however, is finding new ways of bringing in talent to match the incredibly high demand for cyber security professionals. At Westpac, we’ve had great success building a pipeline through co-op scholarships for University of NSW and UTS students in a particular degree/discipline who spend six months working with us.
Half of my senior managers have come up from these programs. And it’s not just people with traditional technology degrees – hiring for interest and passion rather than just strict technical aptitude is a great opportunity for cyber security. This is exactly what we’ve found through the “WithYouWithMe” Cyber Military Training Program, which launched in 2017 to build a cohort of highly skilled candidates to fill the labour gap in the Australian cyber industry due to the many parallels between cyber security and national security interests in the digital age.
Like never before, Australia is well placed to collaboratively drive improvements in technology innovation in cyber security. It’s great to see more start-ups emerging, such as Kasada, which has received an investment by Westpac-backed venture capital firm Reinventure.
But there’s more work to do in establishing the local industry. And working together is the only option.