[00:00:13] We're going to start another talk, so we have our Professor Walter C. So Paul works in areas around cyber security, including governance, risk and compliance, reducing harm online, reducing fraud and scams, as well as teaching online skills. Today Paul will talk about the recent spate of data breaches in Australia and how a more transparent culture would improve our response. Please welcome...

[00:00:55] You can clap, that's actually okay.

[00:00:59] Thank you for that introduction. So before I kind of start my slide deck, and I actually really hate PowerPoint but I feel like I should have a PowerPoint, I'm just gonna... I'm gonna just show something and briefly and very selectively read it off. Is that showing or not? No. Okay, well, I'm just going to read it and not show it perhaps. So this is... has everybody here heard of the Optus data breach? Yeah, okay, okay, okay.

[00:01:44] So immediately, 10 seconds in, you can see where the talk is heading, right? So I'm just going to read off a verbatim quote from the Optus CEO, and this is a Channel 9 news report which is entitled "No victims of crime or financial fraud due to Optus cyber attacks, CEO says". And so I'm not going to put words in their mouth, right, I'm just going to read off what they said, and I think just listen really carefully to this.

"Given how inevitable these types of attacks are, I'm relieved we were able to act fast to ensure that ultimately the data that was exposed was not successfully used to harm any customers."

Do I need to read it again, or is that... and she has not finished. Just to double down:

"Not a single customer has suffered any financial loss or fallen victim to a crime through misuse of the data. This outcome should reassure all of us about what a strong and fast and collaborative response can achieve."

And most importantly, and relating back to the theme of this presentation... sorry, I paused because I really can't believe what I'm reading sometimes. "But we were being transparent, open and honest." Good. "We were apologetic and accountable." Good. I used four of those words in my presentation, which is great. And finally: "We did more than any other company in a cyber attack before had done, and we did it much quicker."

[00:03:40] Oh, it's okay to laugh, I mean... and look, I should be upfront and honest and say I'm not picking on any company in particular, but I feel personally quite disturbed reading that from someone who was legally responsible and had been given a special license to hold the personal and confidential data of many of us. And it then just does lead me to this broader question around, sorry,

[00:04:25] are we doing things right, and are we doing the right thing nationally in terms of cyber policy? And I'll drill down into a little bit more detail in this presentation and touch on, I think, some of the things that I come across in my day job, which, you know, I do everything from working with corporate clients through to quite a number of charities and organizations in the not-for-profit sector. And I just want to kind of provide a bit of a reflection on that, and also to encourage people, if you feel as outraged as I am about what you just heard, to get involved in things like the cyber policy and strategy review that's coming up. The government is currently calling for submissions. So, you know, if we sit back and no one says anything and we just accept that standard that we all walk past, which is what we just heard, then government policy will never change, and if government policy doesn't change then there's very little that will then trickle down into those really important areas of personal data that are held now by many organizations. And I'll talk about my experiences with that shortly.

[00:05:59] So firstly, and I would love to pick the brains of the audience about, you know, what is driving this absolute rash of data breaches at the moment. I wrote a little research paper about nine years ago where I calculated the cost of a data breach in Australia at the time, which was about two million dollars. We did a lot of calculations, like with the telco company involved, wasn't Optus by the way, you know, what was the cost of trying to do password resets, I think that at 80,000 of them through their Philippines call center. So we did quite a bit of detailed modeling work. It was costly. There was an initial stock market reaction, but then within a month, and this is something that we see time and time again, it's a paradoxical outcome, but there's often a bit of short-term market pain, but then I think the executive team think, hang on, if we just hold on, people will forget, the market has no memory beyond a week or so, so we'll get there, don't panic. And then we'll go and do an interview and we'll say actually what we did was great and everything's cool and no one needs to worry, no panic. And then what changes?

[00:07:15] So I think for me the challenge that we all face is how do we create that momentum for a change that will really ensure that people who hold very special offices, like being a company director and sitting on a board, how do we make them really sensitized to the significant responsibilities that they have? And, you know, to be honest, I did a whole series of sessions a few years ago with the AICD and we travelled around Victoria, and, you know, we kind of start the presentation with, well, who knows anything about cyber security? And these are all directors, and, you know, I mean the level of knowledge was relatively low. Uncomfortably low. Some councils, I think up in Albury, it was almost the opposite: they had this crack team that would go onto social media and identify graffiti tags and then pass the information on to the police. I'm like, guys, you've got it, you know.

[00:08:20] So what are we doing at the national level? Well, every four years for the past 10 years or so we've had this cyber security strategy which has come out. When the new government came in last year they said, scrap that, we're going to start again. And then some of the people on the new panel are actually identical to the people on the old panel, and if you do a top-level heading comparison between the new consultation paper and the previous two strategies there's a fair bit of overlap, I think it's fair to say. So fresh thinking, the only way we're going to get it is if we actually speak up and say something. So again I encourage you. Again, as a company we are going to not just put a submission in, we're going to release it as well and get the conversation going. So by all means don't agree with what we say, please put in your own, and I think it is really, really critical for government to hear many, many voices on these really important issues.

[00:09:29] I think related to the data breach issue is, it's really around what are we trying to protect? You know, what are the goals with the cyber program? How do we go through a process of working out what we should be focusing on and what we can not worry about? And, you know, I think what I see in some of my work is that outside of the sort of specialist cyber area, particularly in ICT, there's often a real lack of awareness of what people on the cyber side of things are actually doing, apart from paying thousands of dollars for certifications several times a year. Not me by the way, I'm not a big believer, but many people do. And, you know, really drilling down and saying are we spending money in the right places, and are we spending it on the things that really matter? And to my mind it's really the data that is held about us as people which is really what we should be focusing on. There's a heck of a lot of throwaway data out there that we probably should never worry about. And, you know, in an age of social media where people routinely disclose stuff about themselves, you know, what is that balance, and the consequential obligation on corporations to then identify and work out what they should be protecting? So I'm not saying it's easy, but I do think that there's a certain level of naivety about the goals of a cyber program. And it's something that, you know, sometimes there's a requirement for people to put in place a cyber program. So I'm working with a company at the moment who work with Defence, and so as part of their engagement they have to achieve a certain status with Defence, and at the end of the day they kind of got no choice, because they thought, to keep the contract going forward they have to comply. But lots of companies, I mean, yeah, we've got the Privacy Act and other things, but we don't really sort of have this overarching set of legislation or regulation that says these are specifically your obligations about cyber security, and I think that is very confusing for companies.

[00:12:03] And I think related to pursuing those security goals is, you know, what are the values, I mean really our national values that we hold about data. I had a bit of a brainstorm, and it took me about 30 seconds, and I thought these were kind of the five that really jumped out at me, particularly things like fairness and openness. But, you know, I guess a lot of things around cyber tend to be very secretive by their nature, but sometimes I think unnecessarily so, and I'll come to an example later on. But I talk about, I don't know, people who want to standardize and say yep, I'm compliant with a standard. Well, hang on, to even look at the standard you have to pay a license fee before you even know what you're looking at. And so we kind of come back, I think, in some ways to the whole open source movement, I've got to say, in my kind of thinking. So if you have a very narrow kind of closed, private, fee-paying standards committee versus one which reflects the views of the community, I think, looking back at my first question, this is definitely one of the issues that's driving data breaches. Okay. So, and hopefully, you know, by the end people might have reflected on what their values are and what our values should be around data as a nation. So hopefully I'm going to sketch out some of those kind of ways forward.

[00:13:39] Yeah, actually I did this little screen mock-up before we had the quote from the Optus CEO, so... but I think it does, you know... yeah, look, I don't know, I don't know what to say really, I mean it's kind of shocking to me. But let me move on to something which I do want to talk about. So was anyone here affected by the Optus data breach? Yep, a few, yeah, okay. Well, now we come to the one that I was affected by, which is Medibank. Okay, so let me tell you a bit of ancient history. Back in about 2001 when I was a government employee I signed up for this thing called the Government Employees Health Fund, which at some point I stopped being a member of, and then Medibank took them over, and I ceased my membership in 2009. I actually went back and checked my email, and the reason I went back and checked my email is I got this message from Medibank saying oops, sorry, we just lost your data. And I had never actually been a Medibank customer, and even for the corporate entity I hadn't been involved with them for 13 years. So I'm kind of left thinking, who made the decision to put my data on the internet, or make it accessible for an attacker in such an easy way, when I hadn't even been a damn customer for 13 years?

[00:15:16] So, again, I mean it really raises basic questions around who in a company decides what data is collected, under what conditions, where is it stored, what are the protections, what are the proportional protections for different classifications of data within the organization, how long is data retained, when is it thrown away, how is it thrown away, and so on and so forth. I mean, it seems to me this is a really basic set of questions, but I'm sure if I went to most companies and said who makes that call, there'd be multiple people pointing their fingers at each other. CIO saying, well, it's the CTO; that's like, I don't know, a librarian; or that's an IT problem; as well, it's probably a cyber thing; so, and they'll say, well, maybe it's a compliance function, let's ask the lawyers. And sometimes, yeah, I mean this stuff just goes around and around, and the longer it goes around and around, when the tire hits the gravel and you get a breach, then this is kind of what we're left with. So yes, this is definitely my impression that we've got this safe and everything's safe, but maybe it just didn't really turn out like that.

[00:16:38] So I've actually joined one of the two class actions that's being launched against Medibank. I certainly don't expect a million dollars, but, you know, there's... I guess given the data that can be used to assume my identity and then to go on to commit fraud, I mean, for 10 million customers, I've got to say, to my mind this is probably the most significant national issue in cyber we've ever faced. And I don't think the understanding is there yet, I think both in the corporate sector and government, about what the risks are with effectively half the population being up for identity theft from just one attack. So it is really, really significant and quite worrying. But if I get a million bucks I'll be thankful to you all for your support.

[00:17:33] So the discussion paper that has come out, again these are kind of the top-level headings, none of which are bad, I've got to say. Public-private mechanisms and partnerships, threat sharing, wonderful. Building the skills and talent pipeline, it's been in the last two strategies. So I have myself been heavily involved in some of those initiatives, particularly through the AustCyber project fund. I worked with a little organization called Genius Armoury, where we try to create training materials to encourage people on the autism spectrum to get involved in cyber. That is free by the way; if you know anyone who might be interested, please jump on and register them, get them involved. We actually have a national skills crisis in cyber; for those of you who try and hire cyber people from time to time, you'll know what I'm talking about. And we have something like a 30 percent annual churn rate in cyber teams, which is just... I won't talk about that today because it's very frustrating, but, you know, absolutely you want to support this kind of stuff.

[00:18:50] National frameworks: well, we have the Essential Eight. Do we need the Essential 16, or coverage issues? International frameworks like NIST, or is that just a US government one? Or ISO 27000, oh hang on, it will cost you 120 bucks. Anyway, let's not go there, I'll come back to that. You know, investing in the ecosystem, I just love this stuff. But there's a big problem.

[00:19:20] And I kind of, I challenge myself, I read the thing and I thought, you know, I read this and I just feel really warm and fuzzy inside. But I then went through with my little find function and I said okay, I'm going to do a bit of a frequency count. How many times does it mention the word firewall in this document? Zero. Anything to do with endpoints, SOCs, I don't know, AV products? Zero. Any mention of any operating system at all? Nothing. What about the operational side, teams, red teams, blue teams? Nope, completely silent. And, given, I think, some of the discussion last week about should we reintroduce the Australia Card and link every government service together again, and that's going to be the solution to all this stuff and make it go away, and national centralized identity management: not a mention in the discussion paper.

[00:20:32] So, I don't know about you, but when I read a strategy that is disconnected from the implementation so radically and completely ignores it, I... how can I say it nicely? There's a gap. Let me just... I was going to say something rude, but I'll just say that there's a gap. There's a gap, I think, between what people in this room would understand the actuality of protecting data to be versus the idealization from the panel at this stage. So please, please, please, please set them straight. Send them a one-word submission to say "where is the firewall?", question mark, or where is the cryptography, or, you know, where is the compliance frameworks, where's legislation, you know. But unfortunately I might be disappointed with it, I mean it really... but it's not finalized, right? So it's the consultation paper, we can change this.

[00:21:37] So the thing about data is that, you know, data is important to all of us, but, you know, it has a market value. People are buying and selling data because data can be used for identity theft and identity fraud, as I mentioned before. So unfortunately, where you've got something there that is so easy to steal, the temptation is very high, and with the lack of concrete mechanisms to bring people to justice who actually steal this stuff, you know, we've got to do two things: we've either got to try and, you know, reduce the value of that data somehow, or just make it really hard to get in the first place. Now, if there's one thing I've learned over many years in working with companies in cyber, it's pretty rare that I go into a company and they say, you just... we'll give you
a blank check 561 00:22:39,000 --> 00:22:42,600 you just tell us what the cost is and 562 00:22:40,860 --> 00:22:43,860 we'll just do it you know 563 00:22:42,600 --> 00:22:47,100 um 564 00:22:43,860 --> 00:22:47,880 typically it's you know it's just 565 00:22:47,100 --> 00:22:50,520 um 566 00:22:47,880 --> 00:22:52,980 it's more like this is on the cost side 567 00:22:50,520 --> 00:22:56,159 of the business our quarterly profit 568 00:22:52,980 --> 00:22:57,780 results are coming up uh what's it going 569 00:22:56,159 --> 00:22:59,940 to cost us 570 00:22:57,780 --> 00:23:02,520 because then we have to remake that that 571 00:22:59,940 --> 00:23:04,580 money again 572 00:23:02,520 --> 00:23:04,580 um 573 00:23:04,860 --> 00:23:09,780 in the charitable space and and this is 574 00:23:07,140 --> 00:23:11,880 where yeah honestly I do get a bit uh 575 00:23:09,780 --> 00:23:12,840 heartbroken at times 576 00:23:11,880 --> 00:23:14,880 um 577 00:23:12,840 --> 00:23:16,980 you know I did an assessment last year 578 00:23:14,880 --> 00:23:19,799 and you know we've talked about costs 579 00:23:16,980 --> 00:23:22,500 and things and uh this was for a charity 580 00:23:19,799 --> 00:23:26,580 that among other things provides you 581 00:23:22,500 --> 00:23:29,400 know beds for homeless people and uh 582 00:23:26,580 --> 00:23:32,280 so what they said was 583 00:23:29,400 --> 00:23:33,240 sure we we accept that we need this 584 00:23:32,280 --> 00:23:35,400 thing 585 00:23:33,240 --> 00:23:38,460 but 586 00:23:35,400 --> 00:23:41,340 I want you to really think about 587 00:23:38,460 --> 00:23:43,500 do we have to put 10 people out on the 588 00:23:41,340 --> 00:23:45,960 street tonight or could we shrink it 589 00:23:43,500 --> 00:23:50,460 down so we only put five people out you 590 00:23:45,960 --> 00:23:51,539 know and uh it's it's pretty harsh and 591 00:23:50,460 --> 00:23:54,059 um 592 00:23:51,539 --> 00:23:55,980 you know 593 00:23:54,059 --> 00:24:00,179 but 594 
00:23:55,980 --> 00:24:01,320 the consequence of them having a breach 595 00:24:00,179 --> 00:24:03,000 um 596 00:24:01,320 --> 00:24:04,740 and what we sort of uncovered through 597 00:24:03,000 --> 00:24:06,539 our discovery was that they actually held 598 00:24:04,740 --> 00:24:07,280 quite a lot of data about children who 599 00:24:06,539 --> 00:24:11,100 were 600 00:24:07,280 --> 00:24:14,039 under various uh court orders and things 601 00:24:11,100 --> 00:24:16,140 and and in different types of state care 602 00:24:14,039 --> 00:24:20,039 and at that stage they really had 603 00:24:16,140 --> 00:24:22,440 nothing in place to protect that data so 604 00:24:20,039 --> 00:24:25,320 to protect 605 00:24:22,440 --> 00:24:27,480 the 395 606 00:24:25,320 --> 00:24:28,980 had to go without a bed I mean I think 607 00:24:27,480 --> 00:24:32,220 that's the consequence of what we're 608 00:24:28,980 --> 00:24:33,840 really talking about so it is really um 609 00:24:32,220 --> 00:24:36,960 sad 610 00:24:33,840 --> 00:24:38,220 um but it is something that you know in 611 00:24:36,960 --> 00:24:39,840 that conversation we talk about well 612 00:24:38,220 --> 00:24:42,120 with your budget next year when you go 613 00:24:39,840 --> 00:24:44,400 back to funders particularly government 614 00:24:42,120 --> 00:24:46,500 you just need to have the line item that 615 00:24:44,400 --> 00:24:48,600 says you know we are serious about 616 00:24:46,500 --> 00:24:50,220 protecting the data of vulnerable people 617 00:24:48,600 --> 00:24:52,620 and I said really don't think you're 618 00:24:50,220 --> 00:24:54,059 going to have much argument but it's not 619 00:24:52,620 --> 00:24:58,520 something that people have consciously 620 00:24:54,059 --> 00:24:58,520 been building in uh up until now I think 621 00:24:58,559 --> 00:25:03,059 so 622 00:25:00,840 --> 00:25:06,659 you know you can't protect everything 623 00:25:03,059 --> 00:25:08,580 and it's it's not necessary to do so and 624
00:25:06,659 --> 00:25:10,260 as I said before like with social media 625 00:25:08,580 --> 00:25:12,840 and so on it's really about 626 00:25:10,260 --> 00:25:15,179 I think backtracking from the data that 627 00:25:12,840 --> 00:25:17,880 can be used for things like identity 628 00:25:15,179 --> 00:25:20,460 theft and identity fraud or where 629 00:25:17,880 --> 00:25:24,779 the disclosure of that data is going to be 630 00:25:20,460 --> 00:25:25,880 uh uh embarrassing or in some ways uh 631 00:25:24,779 --> 00:25:29,020 dangerous 632 00:25:25,880 --> 00:25:29,640 uh for people and so you know 633 00:25:29,020 --> 00:25:30,960 [Music] 634 00:25:29,640 --> 00:25:32,820 um 635 00:25:30,960 --> 00:25:34,860 with some of the Medibank data for 636 00:25:32,820 --> 00:25:36,779 example that was disclosed I mean it was 637 00:25:34,860 --> 00:25:39,059 uh pretty pretty awful it wasn't just 638 00:25:36,779 --> 00:25:41,400 identity data I mean there was a range 639 00:25:39,059 --> 00:25:43,440 of you know highly personal medical 640 00:25:41,400 --> 00:25:45,960 records that were completely released 641 00:25:43,440 --> 00:25:47,760 with full identifying information and uh 642 00:25:45,960 --> 00:25:49,620 again I really feel for the people 643 00:25:47,760 --> 00:25:52,020 who've had to to go through that 644 00:25:49,620 --> 00:25:54,840 disclosure 645 00:25:52,020 --> 00:25:57,000 and then of course the consequential 646 00:25:54,840 --> 00:26:00,779 scam phone calls and things which I'm 647 00:25:57,000 --> 00:26:03,360 sure have have been a part of that um 648 00:26:00,779 --> 00:26:05,520 so are we chasing this fool's paradise 649 00:26:03,360 --> 00:26:06,720 where we can't keep things secret in the 650 00:26:05,520 --> 00:26:07,799 first place 651 00:26:06,720 --> 00:26:10,919 um 652 00:26:07,799 --> 00:26:12,860 you know I mean I I looked at a few 653 00:26:10,919 --> 00:26:15,140 graphics around privacy versus 654 00:26:12,860 --> 00:26:17,700 confidentiality and
it was all about 655 00:26:15,140 --> 00:26:20,039 privacy is about people but confidentiality 656 00:26:17,700 --> 00:26:22,559 is about data and then I thought but 657 00:26:20,039 --> 00:26:24,480 what about personal data that is also 658 00:26:22,559 --> 00:26:26,640 private but needs to be confidential and 659 00:26:24,480 --> 00:26:28,320 at the end of the day I thought you know 660 00:26:26,640 --> 00:26:31,020 there's probably nothing blanket that 661 00:26:28,320 --> 00:26:33,600 you can really say about it except that 662 00:26:31,020 --> 00:26:35,159 every company and organization needs to 663 00:26:33,600 --> 00:26:39,240 go through a process 664 00:26:35,159 --> 00:26:43,100 where they classify that data and assess 665 00:26:39,240 --> 00:26:43,100 the risk in terms of disclosure 666 00:26:43,200 --> 00:26:47,580 but you know 667 00:26:45,059 --> 00:26:49,440 there are also kind of numerous tools I 668 00:26:47,580 --> 00:26:52,260 think that um 669 00:26:49,440 --> 00:26:54,299 that we can bring to bear to try and 670 00:26:52,260 --> 00:26:57,299 shape the way that we 671 00:26:54,299 --> 00:26:59,159 not just respond to data breaches but to 672 00:26:57,299 --> 00:27:02,279 try and prevent them in the first place 673 00:26:59,159 --> 00:27:04,200 and so this is a really great matrix 674 00:27:02,279 --> 00:27:06,600 which if you've never seen before this 675 00:27:04,200 --> 00:27:09,480 is the situational crime prevention 676 00:27:06,600 --> 00:27:11,279 framework and um 677 00:27:09,480 --> 00:27:14,580 it's sort of hard to summarize because 678 00:27:11,279 --> 00:27:16,440 there's 25 different strategies 679 00:27:14,580 --> 00:27:19,100 I can't remember them all but really 680 00:27:16,440 --> 00:27:21,360 across five high-level dimensions so 681 00:27:19,100 --> 00:27:23,220 increasing the effort increasing the 682 00:27:21,360 --> 00:27:28,980 risks reducing the rewards reducing 683 00:27:23,220 --> 00:27:32,940 provocations and removing excuses
and so 684 00:27:28,980 --> 00:27:34,559 I think where we see say CEOs making 685 00:27:32,940 --> 00:27:36,179 excuses then 686 00:27:34,559 --> 00:27:37,860 it's something that we have to push back 687 00:27:36,179 --> 00:27:39,480 on and say well 688 00:27:37,860 --> 00:27:41,940 we don't need excuses we need 689 00:27:39,480 --> 00:27:44,940 explanations but what could have been 690 00:27:41,940 --> 00:27:46,500 done to to prevent this in the first 691 00:27:44,940 --> 00:27:48,539 place and of course 692 00:27:46,500 --> 00:27:50,640 classic kind of blue team engineering 693 00:27:48,539 --> 00:27:52,620 stuff down the left how do we harden the 694 00:27:50,640 --> 00:27:55,860 target how do we implement access 695 00:27:52,620 --> 00:27:58,440 control you know how do we screen data 696 00:27:55,860 --> 00:28:00,080 going out I mean data exfiltration I 697 00:27:58,440 --> 00:28:02,580 mean there are technologies around to 698 00:28:00,080 --> 00:28:03,539 detect this kind of thing 699 00:28:02,580 --> 00:28:07,200 um 700 00:28:03,539 --> 00:28:09,059 deflection and so on no smart guns I've 701 00:28:07,200 --> 00:28:11,580 got to say but you know this is just a 702 00:28:09,059 --> 00:28:13,980 generic list of things but 703 00:28:11,580 --> 00:28:16,080 you know increasing the risks like 704 00:28:13,980 --> 00:28:18,120 having better guardianship and kind of 705 00:28:16,080 --> 00:28:19,260 custodianship of data I think is really 706 00:28:18,120 --> 00:28:20,100 important 707 00:28:19,260 --> 00:28:22,080 um 708 00:28:20,100 --> 00:28:23,640 you know 709 00:28:22,080 --> 00:28:25,980 as I talked about before kind of 710 00:28:23,640 --> 00:28:28,080 reducing those rewards making sure that 711 00:28:25,980 --> 00:28:30,120 people can't make as much money out of 712 00:28:28,080 --> 00:28:31,980 it as as they hope to 713 00:28:30,120 --> 00:28:36,659 um 714 00:28:31,980 --> 00:28:38,880 and you know I guess other kind of 715 00:28:36,659 --> 00:28:40,919
things around you know reducing 716 00:28:38,880 --> 00:28:43,500 provocations may be a little bit less 717 00:28:40,919 --> 00:28:45,179 relevant in this context but I actually 718 00:28:43,500 --> 00:28:47,520 think this is a great a great tool 719 00:28:45,179 --> 00:28:51,380 generally speaking but certainly really 720 00:28:47,520 --> 00:28:51,380 relevant to to data breaches 721 00:28:51,900 --> 00:28:55,980 so values are kind of talked about 722 00:28:53,580 --> 00:28:59,640 before 723 00:28:55,980 --> 00:29:01,980 um and I guess in many of the previous 724 00:28:59,640 --> 00:29:04,320 talks that have gone on today I think 725 00:29:01,980 --> 00:29:06,600 we've seen some of these come to the 726 00:29:04,320 --> 00:29:09,900 fore so you know the idea of many I 727 00:29:06,600 --> 00:29:11,880 many eyes kind of uh bringing their own 728 00:29:09,900 --> 00:29:13,460 perspectives and having that kind of 729 00:29:11,880 --> 00:29:15,840 open peer review 730 00:29:13,460 --> 00:29:18,299 assumptions and things being actively 731 00:29:15,840 --> 00:29:20,760 challenged 732 00:29:18,299 --> 00:29:22,320 code being looked at standards being 733 00:29:20,760 --> 00:29:23,640 looked at 734 00:29:22,320 --> 00:29:25,140 um 735 00:29:23,640 --> 00:29:27,539 you know 736 00:29:25,140 --> 00:29:30,539 one of my long-time collaborators when I 737 00:29:27,539 --> 00:29:33,240 was an academic Josef Pieprzyk uh 738 00:29:30,539 --> 00:29:35,760 caused a bit of a kerfuffle when the AES 739 00:29:33,240 --> 00:29:38,760 encryption standard was implemented 740 00:29:35,760 --> 00:29:41,159 because he devised an algebraic attack 741 00:29:38,760 --> 00:29:43,380 which showed that theoretically of 742 00:29:41,159 --> 00:29:45,740 course but with some high school algebra 743 00:29:43,380 --> 00:29:50,399 that you could reduce the search space 744 00:29:45,740 --> 00:29:52,799 very very significantly and 745 00:29:50,399 --> 00:29:55,380 I've got to say he he didn't win any
746 00:29:52,799 --> 00:29:58,080 popularity points I mean I suspect he 747 00:29:55,380 --> 00:30:00,360 was deeply unpopular with standards 748 00:29:58,080 --> 00:30:02,399 bodies for a while because they'd had 749 00:30:00,360 --> 00:30:04,039 this competition and invested a lot of 750 00:30:02,399 --> 00:30:06,360 money there'd been implementations 751 00:30:04,039 --> 00:30:10,260 pushing this stuff out saying it's a 752 00:30:06,360 --> 00:30:12,539 gazillion times more secure and 753 00:30:10,260 --> 00:30:15,659 well maybe it's only a third of a 754 00:30:12,539 --> 00:30:18,480 gazillion times more secure and with the 755 00:30:15,659 --> 00:30:21,240 advent of quantum computing and so on 756 00:30:18,480 --> 00:30:23,460 and you know 757 00:30:21,240 --> 00:30:26,100 it just kind of um 758 00:30:23,460 --> 00:30:28,260 yeah set the cat among the pigeons but I 759 00:30:26,100 --> 00:30:31,080 guess that's the point about having an 760 00:30:28,260 --> 00:30:32,279 open process for review and so on that 761 00:30:31,080 --> 00:30:34,980 uh 762 00:30:32,279 --> 00:30:36,059 those kind of things will be caught 763 00:30:34,980 --> 00:30:38,720 um 764 00:30:36,059 --> 00:30:38,720 fairness 765 00:30:39,059 --> 00:30:42,659 I think one of the things that 766 00:30:40,860 --> 00:30:44,460 I'd like to put in our submission to the 767 00:30:42,659 --> 00:30:45,659 government is 768 00:30:44,460 --> 00:30:47,940 particularly in things like the 769 00:30:45,659 --> 00:30:50,039 charitable sector you know 770 00:30:47,940 --> 00:30:52,380 we can't leave an entire sector behind 771 00:30:50,039 --> 00:30:54,720 because they want to devote all their 772 00:30:52,380 --> 00:30:57,539 money to the particular service that 773 00:30:54,720 --> 00:30:59,820 they're trying to provide so can the 774 00:30:57,539 --> 00:31:02,700 government really stump up and provide 775 00:30:59,820 --> 00:31:04,140 you know cold hard cash or a direct 776 00:31:02,700 --> 00:31:07,220
service 777 00:31:04,140 --> 00:31:07,220 for the sector 778 00:31:07,500 --> 00:31:14,580 you know you think about say a domestic 779 00:31:11,399 --> 00:31:16,020 violence shelter women's refuge this 780 00:31:14,580 --> 00:31:18,360 kind of entity 781 00:31:16,020 --> 00:31:22,080 the privacy of the data for their 782 00:31:18,360 --> 00:31:24,360 clients is really really important and 783 00:31:22,080 --> 00:31:27,480 you know I don't know how people could 784 00:31:24,360 --> 00:31:29,279 sleep at night thinking that hey 785 00:31:27,480 --> 00:31:31,620 we've done nothing to really try and 786 00:31:29,279 --> 00:31:34,380 address that situation and so you know 787 00:31:31,620 --> 00:31:37,260 with our uh 788 00:31:34,380 --> 00:31:39,360 our NFP partner WorkVentures which is 789 00:31:37,260 --> 00:31:41,580 Australia's longest-running ICT charity 790 00:31:39,360 --> 00:31:43,620 this is something that we are really 791 00:31:41,580 --> 00:31:44,460 urgently seeking to try and address and 792 00:31:43,620 --> 00:31:46,980 to 793 00:31:44,460 --> 00:31:48,539 provide those services where they are 794 00:31:46,980 --> 00:31:49,200 absolutely needed 795 00:31:48,539 --> 00:31:51,240 um 796 00:31:49,200 --> 00:31:53,880 that's not to say for some of the really 797 00:31:51,240 --> 00:31:56,039 huge national charities who are turning 798 00:31:53,880 --> 00:31:58,559 over hundreds of millions of dollars a 799 00:31:56,039 --> 00:31:59,700 year that they can't afford cyber 800 00:31:58,559 --> 00:32:00,899 services 801 00:31:59,700 --> 00:32:03,659 but 802 00:32:00,899 --> 00:32:06,299 at the local level initiatives that are 803 00:32:03,659 --> 00:32:09,059 primarily volunteer-run 804 00:32:06,299 --> 00:32:11,940 but provide critical protection for some 805 00:32:09,059 --> 00:32:14,700 of our really vulnerable people in our 806 00:32:11,940 --> 00:32:16,559 community it is really important 807 00:32:14,700 --> 00:32:18,659 transparency 808 00:32:16,559 -->
00:32:21,240 I think it's actually quite good at the 809 00:32:18,659 --> 00:32:23,940 moment because you know we do have a 810 00:32:21,240 --> 00:32:26,100 Notifiable Data Breaches scheme which um 811 00:32:23,940 --> 00:32:27,120 you know we all get notifications which 812 00:32:26,100 --> 00:32:29,100 is good 813 00:32:27,120 --> 00:32:31,140 um I do wonder whether some of these 814 00:32:29,100 --> 00:32:34,080 things are not covered up whether those 815 00:32:31,140 --> 00:32:35,520 discussions aren't being held to say hey 816 00:32:34,080 --> 00:32:37,620 there's only three people in the room 817 00:32:35,520 --> 00:32:39,539 who know what actually is going on maybe we 818 00:32:37,620 --> 00:32:41,940 can just 819 00:32:39,539 --> 00:32:44,760 but the proposed penalty scheme I think 820 00:32:41,940 --> 00:32:47,580 was going to greatly increase the the 821 00:32:44,760 --> 00:32:49,559 fines which can be levied so 822 00:32:47,580 --> 00:32:51,539 you know I think having that honest 823 00:32:49,559 --> 00:32:53,159 conversation with your customers with 824 00:32:51,539 --> 00:32:54,240 people that are affected is really 825 00:32:53,159 --> 00:32:55,440 important 826 00:32:54,240 --> 00:32:59,340 um 827 00:32:55,440 --> 00:33:01,559 the opposite is also true having a 828 00:32:59,340 --> 00:33:03,659 less-than-genuine conversation and 829 00:33:01,559 --> 00:33:06,899 saying everything's cool 830 00:33:03,659 --> 00:33:08,399 um it just doesn't cut it I think 831 00:33:06,899 --> 00:33:10,559 collaboration 832 00:33:08,399 --> 00:33:13,200 sharing intelligence 833 00:33:10,559 --> 00:33:15,059 not seeing security and data that you 834 00:33:13,200 --> 00:33:16,620 have about threats as some kind of 835 00:33:15,059 --> 00:33:20,700 fiefdom 836 00:33:16,620 --> 00:33:22,740 uh I've got to say I spent six years as 837 00:33:20,700 --> 00:33:25,860 a research director trying to encourage 838 00:33:22,740 --> 00:33:29,820 collaboration in our finance and banking
839 00:33:25,860 --> 00:33:31,559 sector and sharing data and I absolutely 840 00:33:29,820 --> 00:33:34,740 wore out many many pairs of shoes 841 00:33:31,559 --> 00:33:37,320 knocking on doors and so on and uh 842 00:33:34,740 --> 00:33:39,480 uh sadly got absolutely nowhere 843 00:33:37,320 --> 00:33:41,340 so I can say that from experience that 844 00:33:39,480 --> 00:33:43,919 is something that I think we have to 845 00:33:41,340 --> 00:33:46,080 learn about collective security that you 846 00:33:43,919 --> 00:33:49,019 know a threat to one of us is really a 847 00:33:46,080 --> 00:33:50,399 threat to to all of us and uh 848 00:33:49,019 --> 00:33:52,919 you know 849 00:33:50,399 --> 00:33:55,019 a customer with one entity is probably 850 00:33:52,919 --> 00:33:57,120 also a customer with other entities so 851 00:33:55,019 --> 00:34:00,419 if you're protecting your customer you 852 00:33:57,120 --> 00:34:02,279 need to take that holistic viewpoint 853 00:34:00,419 --> 00:34:05,340 and finally the question I think that 854 00:34:02,279 --> 00:34:06,600 nobody wants to really answer 855 00:34:05,340 --> 00:34:10,560 um 856 00:34:06,600 --> 00:34:12,839 we spend a lot of money on on cyber on 857 00:34:10,560 --> 00:34:15,540 defense as broadly speaking 858 00:34:12,839 --> 00:34:17,580 is it actually making any difference and 859 00:34:15,540 --> 00:34:20,099 how would we know 860 00:34:17,580 --> 00:34:22,320 and who's responsible for actually going 861 00:34:20,099 --> 00:34:24,379 out and doing that kind of analysis and 862 00:34:22,320 --> 00:34:28,080 reporting 863 00:34:24,379 --> 00:34:30,379 we are soon apparently going to acquire 864 00:34:28,080 --> 00:34:33,980 not just one but two sets of 865 00:34:30,379 --> 00:34:33,980 nuclear-powered submarines 866 00:34:34,260 --> 00:34:38,760 how do I say anything controversial but 867 00:34:36,359 --> 00:34:40,859 you know 868 00:34:38,760 --> 00:34:44,339 it's a lot of money 869 00:34:40,859 -->
00:34:47,159 and it's a lot of money from a fixed 870 00:34:44,339 --> 00:34:49,679 budget that 871 00:34:47,159 --> 00:34:52,200 will be taken away from other budgetary 872 00:34:49,679 --> 00:34:54,839 line items at the federal level 873 00:34:52,200 --> 00:34:57,599 that provide funding for hospitals 874 00:34:54,839 --> 00:34:59,940 schools cancer treatment 875 00:34:57,599 --> 00:35:02,280 sorry ma'am no radiotherapy for you 876 00:34:59,940 --> 00:35:04,560 today because we had to 877 00:35:02,280 --> 00:35:06,420 buy another submarine you know and 878 00:35:04,560 --> 00:35:08,040 that's just the reality of a budgetary 879 00:35:06,420 --> 00:35:10,440 process right 880 00:35:08,040 --> 00:35:11,820 but I do think it's really important for 881 00:35:10,440 --> 00:35:15,660 cyber to 882 00:35:11,820 --> 00:35:18,180 really be clear about the outcomes 883 00:35:15,660 --> 00:35:21,079 that can be achieved and what is 884 00:35:18,180 --> 00:35:21,079 actually realistic 885 00:35:22,020 --> 00:35:25,079 so values I think is really important 886 00:35:23,700 --> 00:35:26,400 and I'm not going to pick on any 887 00:35:25,079 --> 00:35:29,400 particular country I'm going to give 888 00:35:26,400 --> 00:35:30,900 just two examples in these infographics 889 00:35:29,400 --> 00:35:33,599 um 890 00:35:30,900 --> 00:35:36,240 so you know does does cyber and 891 00:35:33,599 --> 00:35:38,460 protecting our data mean the government 892 00:35:36,240 --> 00:35:41,359 looking at every packet of data that we 893 00:35:38,460 --> 00:35:41,359 store or transmit 894 00:35:41,400 --> 00:35:46,680 you know and I'm kind of thinking of the 895 00:35:43,500 --> 00:35:48,780 the Snowden kind of scenario where it's 896 00:35:46,680 --> 00:35:51,240 just a big hoover and it just goes into 897 00:35:48,780 --> 00:35:54,480 a black building somewhere and 898 00:35:51,240 --> 00:35:56,760 there's no oversight there's no control 899 00:35:54,480 --> 00:35:58,859 and of course I've got
friends who say 900 00:35:56,760 --> 00:36:01,140 if you're doing nothing wrong you don't 901 00:35:58,859 --> 00:36:03,240 need to be afraid 902 00:36:01,140 --> 00:36:04,859 trust us 903 00:36:03,240 --> 00:36:07,200 okay all right 904 00:36:04,859 --> 00:36:09,000 just chucking it out there is 905 00:36:07,200 --> 00:36:10,859 and I've got to say I don't have all the 906 00:36:09,000 --> 00:36:14,099 answers to these questions by the way 907 00:36:10,859 --> 00:36:15,420 but is this approach consistent uh with 908 00:36:14,099 --> 00:36:17,900 our values 909 00:36:15,420 --> 00:36:17,900 okay 910 00:36:18,780 --> 00:36:22,680 here's another example that we find from 911 00:36:20,820 --> 00:36:23,760 a a federal government's uh National 912 00:36:22,680 --> 00:36:25,260 level 913 00:36:23,760 --> 00:36:30,000 um 914 00:36:25,260 --> 00:36:32,040 you know I've I've got to say uh 915 00:36:30,000 --> 00:36:34,380 back in the day when I used to travel a 916 00:36:32,040 --> 00:36:38,160 lot in China you know I 917 00:36:34,380 --> 00:36:40,619 I never felt unsafe on the street you 918 00:36:38,160 --> 00:36:42,540 know I uh I knew that I could walk 919 00:36:40,619 --> 00:36:46,740 around at one o'clock in the morning 920 00:36:42,540 --> 00:36:49,079 after a a few hearty uh ales at the 921 00:36:46,740 --> 00:36:50,520 local pub and have absolutely no issue 922 00:36:49,079 --> 00:36:52,740 at all in terms of Public Safety 923 00:36:50,520 --> 00:36:53,700 personal safety 924 00:36:52,740 --> 00:36:56,280 um 925 00:36:53,700 --> 00:36:56,880 yet to achieve that 926 00:36:56,280 --> 00:36:59,460 um 927 00:36:56,880 --> 00:37:01,440 there is this vast collection of data 928 00:36:59,460 --> 00:37:03,240 about every aspect of personal life 929 00:37:01,440 --> 00:37:06,000 which goes into a 930 00:37:03,240 --> 00:37:08,220 a big algorithm and um 931 00:37:06,000 --> 00:37:10,680 what comes out of the algorithm is your 932 00:37:08,220 --> 00:37:14,099 score and if 
you are 933 00:37:10,680 --> 00:37:15,119 scoring in a pro-social manner it's all 934 00:37:14,099 --> 00:37:18,480 good but 935 00:37:15,119 --> 00:37:20,460 I don't know if you have a bad day or 936 00:37:18,480 --> 00:37:22,859 everything just all happens to go wrong 937 00:37:20,460 --> 00:37:25,380 at once then there's this kind of 938 00:37:22,859 --> 00:37:27,119 cumulative effect so again that that 939 00:37:25,380 --> 00:37:29,520 notion of 940 00:37:27,119 --> 00:37:30,300 large-scale surveillance 941 00:37:29,520 --> 00:37:33,480 um 942 00:37:30,300 --> 00:37:36,720 is it what we want you know if you use 943 00:37:33,480 --> 00:37:38,579 your Alipay card to buy fish and chips 944 00:37:36,720 --> 00:37:42,200 two days in a row 945 00:37:38,579 --> 00:37:42,200 your score might begin to drift 946 00:37:42,240 --> 00:37:45,780 because of course that's going to have 947 00:37:43,800 --> 00:37:48,839 long-term consequences for public health 948 00:37:45,780 --> 00:37:50,579 budgets if you do that two weeks two 949 00:37:48,839 --> 00:37:52,260 years 20 years 950 00:37:50,579 --> 00:37:53,880 so what are the kind of limits to to 951 00:37:52,260 --> 00:37:56,700 government looking at this stuff I think 952 00:37:53,880 --> 00:38:00,480 is really important 953 00:37:56,700 --> 00:38:03,119 okay so final slide and definitely don't 954 00:38:00,480 --> 00:38:05,460 want to hold anyone up from going to 955 00:38:03,119 --> 00:38:07,020 their dinner but you know I think it is 956 00:38:05,460 --> 00:38:09,079 this big question for me around how do 957 00:38:07,020 --> 00:38:11,880 we build a 958 00:38:09,079 --> 00:38:13,260 values-based approach to cyber at the 959 00:38:11,880 --> 00:38:14,220 national level 960 00:38:13,260 --> 00:38:15,780 um 961 00:38:14,220 --> 00:38:18,060 one which really takes into account 962 00:38:15,780 --> 00:38:21,480 those values I'd love to hear if other 963 00:38:18,060 --> 00:38:23,280 people have got ideas around values 964
00:38:21,480 --> 00:38:25,380 because if we don't have values then 965 00:38:23,280 --> 00:38:26,880 what do we have 966 00:38:25,380 --> 00:38:28,560 you know 967 00:38:26,880 --> 00:38:31,640 we probably have oppression which I 968 00:38:28,560 --> 00:38:31,640 think is the likely outcome 969 00:38:32,460 --> 00:38:36,660 you know 970 00:38:34,380 --> 00:38:39,119 I want to look at the the vast array now 971 00:38:36,660 --> 00:38:43,560 of of cyber security frameworks you know 972 00:38:39,119 --> 00:38:46,380 there are very few that are genuinely 973 00:38:43,560 --> 00:38:48,900 open and transparent and freely 974 00:38:46,380 --> 00:38:51,960 available and adaptable 975 00:38:48,900 --> 00:38:54,119 I think in the way that we see 976 00:38:51,960 --> 00:38:55,320 code being written and shared and 977 00:38:54,119 --> 00:38:56,820 transmitted 978 00:38:55,320 --> 00:38:59,700 um 979 00:38:56,820 --> 00:39:01,140 I'm not sure why this is but you know as 980 00:38:59,700 --> 00:39:03,780 I said like I mean there's sectors like 981 00:39:01,140 --> 00:39:06,480 the charitable sector that actually 982 00:39:03,780 --> 00:39:09,300 A can contribute really valuable use 983 00:39:06,480 --> 00:39:10,980 cases that are probably unique but B I 984 00:39:09,300 --> 00:39:13,140 mean just don't have a lot of budget to 985 00:39:10,980 --> 00:39:15,060 be going and and paying for this stuff 986 00:39:13,140 --> 00:39:16,619 themselves 987 00:39:15,060 --> 00:39:18,599 um 988 00:39:16,619 --> 00:39:19,920 you know at the national level I think 989 00:39:18,599 --> 00:39:23,280 we need 990 00:39:19,920 --> 00:39:25,619 strategies that can facilitate data 991 00:39:23,280 --> 00:39:28,320 sharing and reporting you know we can't 992 00:39:25,619 --> 00:39:30,420 go around arresting everybody literally 993 00:39:28,320 --> 00:39:32,540 because they're probably 994 00:39:30,420 --> 00:39:33,780 in a foreign country in many cases 995 00:39:32,540 --> 00:39:36,359 [Music] 996
00:39:33,780 --> 00:39:38,280 so it's difficult to go and use 997 00:39:36,359 --> 00:39:38,880 traditional policing 998 00:39:38,280 --> 00:39:41,700 um 999 00:39:38,880 --> 00:39:43,800 but at the same time you know it's very 1000 00:39:41,700 --> 00:39:45,780 easy to get on a path to say let's just 1001 00:39:43,800 --> 00:39:47,579 lock everything down and lock everybody 1002 00:39:45,780 --> 00:39:49,200 up because that will solve the problem 1003 00:39:47,579 --> 00:39:50,640 and I think that would really be 1004 00:39:49,200 --> 00:39:52,680 contrary to our 1005 00:39:50,640 --> 00:39:55,520 our um 1006 00:39:52,680 --> 00:39:55,520 our values 1007 00:39:55,680 --> 00:40:01,619 do I think CEOs and board members 1008 00:39:59,280 --> 00:40:04,140 should go to jail if they lose 10 1009 00:40:01,619 --> 00:40:05,880 million of our most personal data 1010 00:40:04,140 --> 00:40:07,619 records 1011 00:40:05,880 --> 00:40:08,579 can anybody guess what my answer is 1012 00:40:07,619 --> 00:40:11,579 going to be 1013 00:40:08,579 --> 00:40:13,560 yeah you need an effective deterrent 1014 00:40:11,579 --> 00:40:15,240 think back to situational crime 1015 00:40:13,560 --> 00:40:18,060 prevention you know 1016 00:40:15,240 --> 00:40:20,579 corporations hold a very very special 1017 00:40:18,060 --> 00:40:23,700 type of license to operate in the way 1018 00:40:20,579 --> 00:40:25,740 they do in our society and part of that 1019 00:40:23,700 --> 00:40:26,760 needs to be accountability at the end of 1020 00:40:25,740 --> 00:40:28,820 the day 1021 00:40:26,760 --> 00:40:28,820 um 1022 00:40:29,400 --> 00:40:33,720 we need monitoring you know and we need 1023 00:40:31,680 --> 00:40:36,000 monitoring all the things that that are 1024 00:40:33,720 --> 00:40:37,859 our crown jewels and I think when we do 1025 00:40:36,000 --> 00:40:39,540 assessments we often talk about crown 1026 00:40:37,859 --> 00:40:42,680 jewels um 1027 00:40:39,540 --> 00:40:45,359 and I truly do think 
that we need 24/7 1028 00:40:42,680 --> 00:40:47,400 continuous monitoring of those crown 1029 00:40:45,359 --> 00:40:49,859 jewels to make sure that 1030 00:40:47,400 --> 00:40:51,540 we're not going to have another Optus or 1031 00:40:49,859 --> 00:40:52,320 Medibank and I really hope that we 1032 00:40:51,540 --> 00:40:54,420 don't 1033 00:40:52,320 --> 00:40:57,079 but at the same time you know I I don't 1034 00:40:54,420 --> 00:40:59,220 want us to get on this dystopian path of 1035 00:40:57,079 --> 00:41:02,160 centralized governments controlling 1036 00:40:59,220 --> 00:41:04,200 every aspect of our lives all of our 1037 00:41:02,160 --> 00:41:05,880 data because of course when you bring 1038 00:41:04,200 --> 00:41:08,160 all that together 1039 00:41:05,880 --> 00:41:10,140 it just becomes another target because 1040 00:41:08,160 --> 00:41:11,640 the value is going to be even greater 1041 00:41:10,140 --> 00:41:15,480 when all that data is brought together 1042 00:41:11,640 --> 00:41:16,980 so you know myGov 2.0 I think some of 1043 00:41:15,480 --> 00:41:19,079 the discussions at the moment 1044 00:41:16,980 --> 00:41:20,760 single you know kind of centralized 1045 00:41:19,079 --> 00:41:22,079 identity management 1046 00:41:20,760 --> 00:41:25,320 um 1047 00:41:22,079 --> 00:41:27,660 I'm not sure so why not decentralize it 1048 00:41:25,320 --> 00:41:29,579 you know why not get a range of 1049 00:41:27,660 --> 00:41:31,800 organizations involved in things like 1050 00:41:29,579 --> 00:41:33,720 IdAM it doesn't just need to be the 1051 00:41:31,800 --> 00:41:34,560 government 1052 00:41:33,720 --> 00:41:36,599 um 1053 00:41:34,560 --> 00:41:38,690 and that's basically it 1054 00:41:36,599 --> 00:41:45,359 thank you 1055 00:41:38,690 --> 00:41:48,240 [Applause] 1056 00:41:45,359 --> 00:41:50,839 yep we got some time for questions so 1057 00:41:48,240 --> 00:41:50,839 anyone 1058 00:41:54,119 --> 00:41:56,839 thanks for the talk 1059 00:41:56,880 -->
00:42:02,579 um I I spoke to my uh local government 1060 00:41:59,720 --> 00:42:04,380 uh like my Council the other day I was 1061 00:42:02,579 --> 00:42:06,900 applying for a grant for for something 1062 00:42:04,380 --> 00:42:09,180 and I they needed to check my address 1063 00:42:06,900 --> 00:42:10,920 and I said well I'm a ratepayer can you 1064 00:42:09,180 --> 00:42:12,660 just compare can check in you and you're 1065 00:42:10,920 --> 00:42:14,040 right and they said no we're actually 1066 00:42:12,660 --> 00:42:15,420 not allowed to do that we're not allowed 1067 00:42:14,040 --> 00:42:18,300 to compare across 1068 00:42:15,420 --> 00:42:21,119 uh you know data like that and I was 1069 00:42:18,300 --> 00:42:22,980 super impressed like how do you how do 1070 00:42:21,119 --> 00:42:24,359 you how can we translate that sort of 1071 00:42:22,980 --> 00:42:28,440 maturity about personal information 1072 00:42:24,359 --> 00:42:29,940 across to corporate entities who are 1073 00:42:28,440 --> 00:42:33,619 whose shareholders 1074 00:42:29,940 --> 00:42:33,619 only really care about profit like 1075 00:42:34,140 --> 00:42:39,960 look and I think that's where you know 1076 00:42:38,040 --> 00:42:42,359 it's got to be it's got to be 1077 00:42:39,960 --> 00:42:46,079 concretized and I think you know it's 1078 00:42:42,359 --> 00:42:48,540 got to be real you know and I think 1079 00:42:46,079 --> 00:42:52,020 where we see that forty thousand few 1080 00:42:48,540 --> 00:42:54,720 forty thousand foot view of what data 1081 00:42:52,020 --> 00:42:57,240 protection really means it's just way 1082 00:42:54,720 --> 00:42:59,880 too in the clouds but coming up with 1083 00:42:57,240 --> 00:43:01,680 with templates and models and policies 1084 00:42:59,880 --> 00:43:04,020 and procedures through some kind of 1085 00:43:01,680 --> 00:43:05,700 Clearinghouse for example that says 1086 00:43:04,020 --> 00:43:07,440 I don't know we've got a community of 1087 00:43:05,700 --> 
00:43:09,720 lawyers that sit around the weekend and 1088 00:43:07,440 --> 00:43:11,339 just check stuff because they think it's 1089 00:43:09,720 --> 00:43:13,020 important to the community 1090 00:43:11,339 --> 00:43:14,760 I mean I think that's the kind of thing 1091 00:43:13,020 --> 00:43:16,859 that that we need and that would really 1092 00:43:14,760 --> 00:43:17,460 boost compliance I think 1093 00:43:16,859 --> 00:43:21,000 um 1094 00:43:17,460 --> 00:43:24,000 I think not having an overarching 1095 00:43:21,000 --> 00:43:28,200 piece of cyber legislation that clearly 1096 00:43:24,000 --> 00:43:32,040 spells out obligations is not helpful 1097 00:43:28,200 --> 00:43:34,680 um Privacy Act is great 1098 00:43:32,040 --> 00:43:36,960 I think removing some of the small 1099 00:43:34,680 --> 00:43:38,940 business exemptions for Privacy Act is 1100 00:43:36,960 --> 00:43:41,640 also good but it's also then going to 1101 00:43:38,940 --> 00:43:43,020 reduce profits for a lot of small 1102 00:43:41,640 --> 00:43:44,280 businesses 1103 00:43:43,020 --> 00:43:46,980 um 1104 00:43:44,280 --> 00:43:49,079 if I think about I don't know my local 1105 00:43:46,980 --> 00:43:50,220 tradies you know how they're going to 1106 00:43:49,079 --> 00:43:52,920 juggle 1107 00:43:50,220 --> 00:43:54,660 doing their trading stuff with hang on 1108 00:43:52,920 --> 00:43:56,819 I've got to think about app two and 1109 00:43:54,660 --> 00:43:59,579 three when I take down someone's data in 1110 00:43:56,819 --> 00:44:01,440 my little iPad or you know write it on 1111 00:43:59,579 --> 00:44:04,200 the back of an envelope and so on so I 1112 00:44:01,440 --> 00:44:05,760 think it's really breaking it down to a 1113 00:44:04,200 --> 00:44:08,359 really granular level 1114 00:44:05,760 --> 00:44:10,619 you know coming up with 1115 00:44:08,359 --> 00:44:13,140 artifacts that people can actually use 1116 00:44:10,619 --> 00:44:16,079 software that people can use that is 1117 00:44:13,140 
--> 00:44:18,000 actually compliant and complete and 1118 00:44:16,079 --> 00:44:18,900 usable I mean that's what that's what we 1119 00:44:18,000 --> 00:44:19,920 need 1120 00:44:18,900 --> 00:44:21,980 um 1121 00:44:19,920 --> 00:44:24,839 some of the Cyber software is 1122 00:44:21,980 --> 00:44:28,020 extraordinarily expensive and it's 1123 00:44:24,839 --> 00:44:29,460 proprietary and 1124 00:44:28,020 --> 00:44:31,140 probably not even fit for our local 1125 00:44:29,460 --> 00:44:32,280 conditions because it's all done 1126 00:44:31,140 --> 00:44:34,260 offshore I mean that was one of the 1127 00:44:32,280 --> 00:44:38,220 things that I think in the previous 1128 00:44:34,260 --> 00:44:40,859 strategy there was a heavy emphasis on 1129 00:44:38,220 --> 00:44:42,060 kind of seeing cyber as an economic 1130 00:44:40,859 --> 00:44:45,599 boost 1131 00:44:42,060 --> 00:44:47,240 that is still there a little bit in this 1132 00:44:45,599 --> 00:44:51,359 um 1133 00:44:47,240 --> 00:44:53,819 proposal but you know off cyber for 1134 00:44:51,359 --> 00:44:55,859 example as the government-funded entity 1135 00:44:53,819 --> 00:44:59,400 for Innovation and cyber has essentially 1136 00:44:55,859 --> 00:45:01,260 been folded into stoneage hook so 1137 00:44:59,400 --> 00:45:02,880 and somebody asked me recently how many 1138 00:45:01,260 --> 00:45:05,520 Australian you know made commercial 1139 00:45:02,880 --> 00:45:07,079 products to use in your cyber daily 1140 00:45:05,520 --> 00:45:09,300 activity and I said well actually none 1141 00:45:07,079 --> 00:45:12,420 so 1142 00:45:09,300 --> 00:45:14,599 which is sort of sad but 1143 00:45:12,420 --> 00:45:18,420 it doesn't mean that they can't be 1144 00:45:14,599 --> 00:45:20,579 activity in the community which is 1145 00:45:18,420 --> 00:45:22,200 not necessarily profit driven because 1146 00:45:20,579 --> 00:45:23,579 we've all got a vested interest in 1147 00:45:22,200 --> 00:45:25,079 seeing this work 1148 
00:45:23,579 --> 00:45:27,420 so I think that's that's my challenge 1149 00:45:25,079 --> 00:45:28,260 out to to the open source Community is 1150 00:45:27,420 --> 00:45:30,480 to 1151 00:45:28,260 --> 00:45:33,480 look at what we've done in terms of the 1152 00:45:30,480 --> 00:45:35,460 approach to to code and think about how 1153 00:45:33,480 --> 00:45:37,380 we can broaden that out to this to this 1154 00:45:35,460 --> 00:45:40,280 cyber area particularly around standards 1155 00:45:37,380 --> 00:45:40,280 and implementation 1156 00:45:42,920 --> 00:45:50,700 okay so I well time is up but do people 1157 00:45:47,760 --> 00:45:51,660 want to ask more questions 1158 00:45:50,700 --> 00:45:55,800 okay 1159 00:45:51,660 --> 00:45:58,260 so yep so I think 1160 00:45:55,800 --> 00:45:59,819 Paul still around right yep yep so if 1161 00:45:58,260 --> 00:46:01,260 you have any question please approach 1162 00:45:59,819 --> 00:46:05,339 him 1163 00:46:01,260 --> 00:46:08,599 thing is about time for today 1164 00:46:05,339 --> 00:46:08,599 thank you thank you