Hello, my name is Maria Rampa and welcome to this episode of Aurecon’s Engineering Reimagined podcast.
While the past two years have been dominated by COVID-19, it has also been a period of dramatically increasing cyber-attacks, as more of us are working remotely, and generating, accessing and sharing more data through cloud apps, creating security ‘blind spots’.
But that’s not the only issue we are facing. Cyber attacks have expanded from just targeting computers and smartphones to harming entire cities, enabled through our ever-expanding connectedness. While data is an integral part of our digitised economy, the opportunities for both innovation and malice are increasing.
So far in 2021, 86 per cent of organisations say they have been compromised by at least one successful attack. And it is predicted that global cybercrime damages will cost almost 10.5 trillion dollars annually by 2025, which is more profitable than the global trade of all major illicit drugs combined.
Thankfully, there are champions taking on the good fight!
When Professor Matthew Warren established the RMIT University Centre for Cyber Security Research and Innovation in Melbourne, his goal was simple – to bring human understanding of cyber security in line with the modern threat. While our technological approach to cyber security is making inroads with the disruptors, the human aspect of protecting ourselves hasn’t developed much at all since the nineties.
In this episode of Engineering Reimagined, Matthew speaks with Eric Louw, Aurecon’s Managing Principal, Data and Analytics, about how to humanise cyber security, and the unique challenges individuals and organisations face against increasing threats to our online information. They discuss how it’s up to us, personally and professionally, to become ‘cyber smart’ and create a culture of cyber security in our organisations and our societies in general.
Eric Louw: Welcome, and thanks for making the time to have this chat about all things cyber security. On a personal level, how did you get into the field? And what attracted you to it?
Matt Warren: I've been in cyber security for a long time, before it was cyber security, when it was known as information security. So it really started in the 1990s, when I finished my undergraduate degree. And I had the opportunity to undertake a PhD with the European Union, working on a project to develop security standards for healthcare. It introduced me to the impact of information security upon individuals, organisations, and society. And really, that's what's driven my interest ever since. What's also driven my passion for cyber security is realising from an early stage of my career that cyber security isn't just about the technology; it's more importantly about the human aspects of cyber security, as well as the organisational aspects. In the 90s, when we talked about how to train people around security, how not to do the wrong things with technology, they're the same conversations we're now having today. It's a problem we've not been able to deal with, that human aspect of cyber security.
Eric Louw: I probably started around about the same time as you in 1992. I co-authored a book called "Managing Computer Viruses", which was published by Oxford University Press, and there were still some people who didn't believe viruses were real; as part of that we actually used the biological analogy. We realised even back then that a lot depended on human behaviour and organisational issues. Congratulations on launching the RMIT University Centre for Cyber Security Research and Innovation. A key aspect of the centre's mission is to be a world class research centre in multidisciplinary cyber security. Perhaps you could speak a little bit more about the importance of taking this multidisciplinary approach and highlight some of the key disciplines that go into forming a complete picture of this area?
Matt Warren: Thank you. If you look at an Australian context, the majority of the cyber security research centres that exist in Australia are very good, but they focus purely on that technology-first perspective, whereas we wanted to do something different and make the driving point this multidisciplinary aspect of cyber security. I started at RMIT day one of lockdown, so that's something I'll always remember, and in that remote environment, looking at what RMIT was doing in cyber security, they had all these pockets of excellence but there was nothing to bring them together. That was another key aim: to bring together those pockets of excellence and those researchers within RMIT into the centre under that broad umbrella. So it means that we've got very focused technologists in encryption, network security; we've got researchers interested in policy, small businesses, governance, the legal aspects, the human dimensions, the ethical issues. And again, being able to bring all of that expertise together to look at a problem. One of the things that we've also done this year is expanded into Vietnam, and we have three campuses in Vietnam. We have researchers in Vietnam. It was an important element to start to make the centre have that international focus. That's one of the issues in terms of cyber security, is that it is so international; it impacts every country, every government, every industry, every citizen, it doesn't matter where you are in the world.
Eric Louw: It'd be interesting if you're able to share one of your favourite research projects that perhaps highlights how some of these things come into play.
Matt Warren: One of the projects that we're working on is one that's listed in the Australian cyber security strategy 2020. And that's a government project looking at the technical aspects of cyber security, in terms of being able to improve the capability of the university sector, as well as then the policy aspects in terms of universities dealing with security threats from a governance, from a risk perspective, then the human perspective, in terms of raising awareness, how to raise issues of cyber security, develop training materials. And the reason why I picked that example is because it's about trying to uplift the security capability and posture of an entire sector. And certainly something that we've seen with the new Critical Infrastructure Bill is that universities and research establishments are now listed as parts of critical infrastructure and systems of national significance.
Eric Louw: It's interesting that some of the tech giants like Google and Atlassian have been somewhat critical of the proposed legislation. Do you share their concerns?
Matt Warren: It's strange, because if you look at Australia and our journey with the critical infrastructure, in the late 90s the Australian Government started to talk about, at that time they called it, National Information Infrastructure; really it's a conversation that's been going on for two decades. They've been trying to support industry to improve their security. The problem is, it hasn't really worked. And this is why we're now going down this regulatory route, where for critical systems, government will have the potential power to step in to protect what they define as critical infrastructure. The problem you have, and this is why companies like Google have highlighted concerns, is because of this broadening of what is critical infrastructure. So we now see data storage and processing, i.e. cloud services, as being critical infrastructure. I mentioned the higher education research, space technology; you have a situation where non-Australian organisations control part or one part of Australia's critical infrastructure and systems of national significance. And you have a situation where the Australian Commonwealth Government tells that company to take actions. So it's also that tension about the internet being global; the problem is governments aren't global, they're regional, and the fact that you have this issue of regional jurisdiction dealing with global issues or global entities, and this is where we see some of the tension.
Eric Louw: Historically, attacks on operational technology and industrial control systems have been substantially less common than attacks on what we traditionally think of as IT systems. We are beginning to see more of these attacks, like the attack on the Colonial Pipeline, which is the largest fuel supply in the US. There was a compromised password, and they installed some ransomware and ended up paying something like $4 million because they were worried that that entire IT setup would shut down. But more importantly, availability of critical infrastructure is really at the top of the pyramid there; it's less about losing data, it's more about having an electricity grid shut down, or a water supply stopped. So I'd be interested for you to comment on the differences in that context.
Matt Warren: It's interesting, because as well as being a researcher and academic, I have also been a consultant in terms of critical infrastructure systems as well as commercial systems. A lot of the thinking was always around information security and protecting organisational assets, because it was deemed the industrial control systems and SCADA systems wouldn't be hacked, that they were immune because they weren't connected to the internet. But what we've been seeing is a trend where organisations have connected their technologies to the internet; they're now investing in IoT devices, because they want to be able to control these devices, and being able to control their production or facilities in a much more efficient manner. And with that, it brings a much greater range of security threats. If those systems are compromised, it has a dramatic impact: the loss of power on society, the loss of water on populations. These industries, they have good security because, from an engineering company's perspective, they're very much focused on safety and safety awareness, but that doesn't automatically translate to cyber security. And I saw many incidences of systems or critical infrastructure or systems of national importance where literally you would walk in and monitors would be made colourful with post-it notes with passwords and usernames all around them, or you find that the technology that supports the SCADA system actually has no security built into it at all. Because the fact is that it's simply there to undertake an industrial function, and security was never a consideration. So, from that sort of engineering-to-cyber context, you have this real issue of these key technologies supporting industrial processes that actually don't have security built in for a number of reasons. Or you don't have that same level of awareness around security as you do around safety.
The number of engineering mining sites I went on that always amazes me that they always have the safety share at the start of every meeting. And I've never seen a situation where there's been a cyber share where people openly talk about cyber security problems they've come across, or they've noticed the colleague doing something that was sort of poor behaviour. That cultural issue is interesting in an engineering context, because it certainly is there around safety. And it's how to translate that culture into a cyber safety culture as well.
Eric Louw: Another barrier is you could be an IT cyber security expert, and not really know how to tackle OT (operational technology) cyber issues, partly because of some of the issues that you mentioned: outdated or potentially obsolete systems or software that is so tightly integrated with the hardware, as well as the fact that a lot of them were developed and installed in a pre-connected era. And so you've got now this attack surface opening up. Probably you have 20 IT cyber security professionals for one OT cyber security professional.
Matt Warren: And what's also surprising is, as we move into the Internet of Things age, we still face this problem where there's IoT devices that don't have security, or they have poor security or default security set up. I always point my colleagues and students to a website showing freely available webcams around the world. It's an example of simply organisations not being aware, or they haven't got the security features enabled on their webcams, which is just one simple sort of technology.
Generally Australia faces a cyber security skills shortage. And the problem is, as soon as you start to move into those niche areas, whether that's OT security or SCADA, you know that specialisation becomes less and less. In the Australian Government's 2020 cyber security strategy, this is certainly one of the things that they've highlighted: that cyber security skills are a sovereign issue for Australia. One of the greatest challenges Australia faces as we invest more and more and depend more and more on different securities, different technologies: where are the skill sets coming from to do that? And again, it's the same problem engineers face in terms of niche areas of engineering, that there aren't necessarily the skills for those areas.
Eric Louw: I'm interested in your views as to whether Australia in particular, we're a country of a certain size, and we have certain critical mass in each area, whether we face other challenges peculiar to Australia.
Matt Warren: Australia is physically the size of Europe with about 25 million people. So it means our critical infrastructure is thinly connected across our centres of population. That really does raise many potential vulnerabilities, not just from a cyber incidence, but also from a physical incidence. In Australia, when they talk about critical infrastructure, there's also a conversation occurring around disaster resilience, because there's now a connection occurring. When we have had bushfire incidences even here in Victoria, it came very close to taking out the Melbourne water supply. We came very close to losing our main power connection. So we're starting to see climate change having a link to an increase in natural disasters. And then you have that connection with the impact of those events on critical infrastructure. That's going to be an interesting discussion into the future, how to protect our critical infrastructure, not just against those cyber incidences, but also against those other physical events that come out of an increase in potential disaster scenarios.
One of the interesting things about critical infrastructure is you can't compare country A to B. If you look at Singapore, a city state, all of their critical infrastructure is defined within that city state. But yet, their water supplies come from Malaysia. So again you then have an issue where another country provides the water to Singapore.
Eric Louw: I was intrigued to see the broad scope of issues that your researchers are concerned with. Perhaps you could highlight some of the ethical dilemmas or the ethical issues that are prevalent in cyber security.
Matt Warren: We're now seeing an increase in artificial intelligence making decisions in terms of dealing with security situations. But what you then have is an issue around bias with artificial intelligence, because the rules, those systems are based upon the programmers, the people who've designed them. So again there's been proven examples where AI systems make the wrong decision, because they make decisions based upon gender or race or stereotype. So that's an example of where we become more dependent on a technology. But that technology becomes flawed, because of the humans involved in the design of it. Not that they intentionally are making it flawed, but it's just because of their makeup. And where they've come from in their life in terms of their worldview. We have projects looking at ethical issues, like data beyond death. What happens when someone passes away? What happens to all their data? Who actually owns their data? Is it treated as an entity that can be shared with others?
Eric Louw: We increasingly rely on artificial intelligence to do all manner of things for us, including protect the systems on which they dwell. And we've all seen the troubling trends around fake news. It's really fascinating to see this contention around truth. And that line seems to be becoming increasingly blurred, pushed in that way by certain actors, for their own gain. But it does make things really difficult, because how do you know you're dealing with factual evidence as, for example, training feedstock for an AI system. So I'd be fascinated in your thinking on how you think this might play out, because it feels a little out of control at times.
Matt Warren: The issue around fake news is fascinating because a lot of it comes through the social media sites. And the problem is because they’re global. Facebook has 1.6 billion users monthly, they're that large, they're not able to manage themselves in real time. At least with platforms like Facebook and YouTube, they do have a governance process in place where eventually that content can be removed. The problem you've got is where you have the point to point messaging apps, like the WhatsApp, the more privacy enabled systems like Telegram where there is no central point of control, users who belong to a certain group can share information. If that group is about a topic where disinformation can be shared, there's no way of countering that.
Eric Louw: If you view some of what is happening as a bit of an arms race, where you use every tool at your disposal. Whether you're a criminal or competitor or a foreign actor, potentially all of these things could be proved to be formidable weapons. Interested in your views on that.
Matt Warren: One of the key challenges when you talk about threat actors, there are so many threat actors. And each of those threat actors have different motivations, different capabilities. This is one of the reasons why cyber security is becoming so difficult and complex for organisations, let alone governments, to manage because of the sheer number of threats and risks. And they're not always technology based problems. Many organisations invest a large amount of money in their cyber security, they have a very mature approach to cyber security, that then they become victim to a phishing attack, because emails have been sent and someone's made a mistake and clicked on a link and accidentally downloaded malware or ransomware into the organisation. And then it comes back to, how did the organisation set up their systems? Did they put network segmentation in place? If they didn't, then the whole organisation is at risk. So it starts to come back to those other decisions that aren't necessarily cyber related. They're more infrastructure related. It's only when you see an incident like ransomware, then you see that relationship between one decision around infrastructure and how that set up with the security impact. But the problem you then have in regards to the fake news is that that's an information attack, and there's no technology that can protect against that. Now, we're going to see the issue of deep fakes. Where you actually see speeches from like former President Barack Obama, who gives a presentation, which he never gave in reality.
Eric Louw: It was very convincing to the viewers, that's news.
Matt Warren: This is then going to be the problem that we face, is being able to understand the difference between reality and fiction. For the citizens who are using systems or are being exposed to information like this on a daily basis, for them to be able to make those value judgments, I see a major issue. And I see that fake news and deep fakes can start to impact the democracy of countries, start to disengage citizens from those democratic processes that have actually helped us grow and expand for so many generations.
I’ve done a lot of work with the Baltic states around fake news and the impact of a large neighbour being able to influence their election and domestic political dialogue. And what you have in those countries is the number of people who take part in voting has decreased. So it actually shows that political disengagement is occurring because people aren't being part of that democratic process.
Eric Louw: The other parallel, I guess, more technological aspect that we see is that there is increasing automation. So, more processes and more systems being controlled by information systems. And as AI becomes increasingly capable, that trend will only continue. I'm wondering whether you can shed any light on whether organisations that embrace AI and automation have special considerations in setting up these kinds of highly autonomous systems to run their business.
Matt Warren: One of the areas I'm working on with the School of Engineering is around this impact of autonomous vehicles, and the impact of cyber security. Many of the autonomous systems are going to be run by AI systems that control the actions of those autonomous vehicles and movements of vehicles; if that's able to be manipulated, you can have major consequences. Rolls Royce has launched their first autonomous ship; if that was able to be controlled or manipulated, that could have a major impact. We saw the situation in the Suez Canal, where one captain makes a mistake and blocks the Suez Canal and has a global impact on trade. Imagine a situation when you move towards automated systems that you can have a coordinated attack upon something like the Suez Canal, just with being able to get ships to block it; that would have a tremendous impact on supply chains. And that's one of the things that we're now seeing in the COVID recovery. There's concerns about how fragile our supply chains are now becoming. So cyber could be used as a potential way to disrupt those fragile supply chains even further.
Eric Louw: I feel like we could speak for another two or three hours on this. This is really an incredibly important area for the world in general, to bring this kind of multidisciplinary approach and not have that incredibly narrow conception of what cyber security entails. You've tackled it in this broad and holistic way, the only way that we're going to stay abreast of what is an incredibly rapidly evolving field. Thanks so much for your time.
Matt Warren: And thank you, it's been an absolute pleasure to speak with you, Eric, and to share my thoughts about cyber from, I suppose, a historical context, but also from a future context.
I hope you enjoyed this episode of Engineering Reimagined, an extraordinary journey into the densely layered world of cyber security.
We’d love to hear your feedback about this episode and our podcast series as a whole, so why not write us a review and tell us about topics you’d like to hear about in the future! You can subscribe to Engineering Reimagined on Spotify or Apple and follow Aurecon on social for updates. Until next time – thanks for listening.