Asia Pacific Security Magazine, July/Aug 2017 by MySecurity Marketplace

THE REGIONâ&#x20AC;&#x2122;S LEADING GOVERNMENT AND CORPORATE SECURITY MAGAZINE | www.asiapacificsecuritymagazine.com July/Aug 2017

Converging Security Threats in a Changing World

Preview: CyberSecurity Asia 2017

The Keys to Enabling Transformation June/July 2017

ID Document: Holograms Innovate & Protect

INTERPOL World 2017: Australian Delegation in Singapore

Effective IT security methodology: SysSecOps

Review: CommunicAsia 2017

INDIA: Tackling the Turmoil Within

$8.95 INC. GST

PLUS TechTime, Cyber Security and much more...

26-28 JULY 2O17 ICC SYDNEY DARLING HARBOUR

THE INTELLIGENCE OF SECURITY The Security Exhibition & Conference returns to Sydney this July to reunite the security industry for three days of business networking and intelligence sharing. Offering inspiration and innovation to tackle your security challenges, you can source solutions from global suppliers whilst learning from local and international experts and connect with industry peers.

PRINCIPAL SPONSOR

LEAD INDUSTRY PARTNER

ORGANISED BY

SECURITY EXCELLENCE CALL FOR NOMINATIONS

#SecurityAwards 2017 g By

Natalie Shymko, Marketing and Communications Manager, Australian Security Industry Association Limited (ASIAL)

he vital role performed by Australia’s private security industry will be recognised later this year at a special awards ceremony in Melbourne organised by ASIAL. The 2017 Australian Security Industry Awards for Excellence and Outstanding Security Performance Awards will recognise excellence in the security industry. Nominations are open to all and provide an opportunity to recognise individuals, including frontline security personnel who have gone beyond what could reasonably be expected of them in providing a level of service that exceeds client’s expectations. Likewise, organisations and teams who have demonstrated leadership and innovation will also be recognised. Judging of the awards will be undertaken by an independent panel of judges, that includes Kate Hughes, Chief Risk Officer, Telstra; Damian McMeekin, Head of Group Security, Australia & New Zealand Banking Group Ltd (ANZ); John Yates, QPM, Director of Security,

Scentre Group; Chris Beatson, Director, PoliceLink Command, New South Wales Police Force; John Adams, Editor, Security Electronics and Networks Magazine; John Curtis, Director, IPP Consulting Pty Ltd and Vlado Damjanovski, CCTV Specialist and MD, ViDi Labs. Nominations are now open and close on 1 September 2017. Winners will be presented at a special awards ceremony to be held at Crown Melbourne on 19 October 2017.

2017

Award categories include: • Individual Achievement – General • Individual Achievement – Technical • Gender Diversity • Indigenous Employment • Special Security Event or Project • Integrated Security Solution • Product of the Year (Alarm,

Access Control, CCTV – Camera, CCTV-IP System/Solution, Communication/Transmission System, Physical Security (bollard, gate, barrier)

Award categories include: • Outstanding In-house Security Manager • Outstanding In-house Security Team • Outstanding Security Training Initiative • Outstanding Security Partnership • Outstanding Security Officer • Outstanding Guarding Company • Outstanding Security Consultant • Outstanding Security Installer • Outstanding Information Security Companybarrier) For more detailed information on the award nomination criteria and process visit www.asial.com.au/ securityawards2017

RECOGNISING EXCELLENCE

Australian Security Industry Awards Nominations close 1 September www.asial.com.au

2017 EVENT Winners announced - 19 October 2017 The River Room, Crown Melbourne. The Australian Security Awards Ceremony & Dinner The night is an opportunity to celebrate excellence and innovation in the security industry, and network with likeminded security professionals.

Organised by

2017

#securityawards

Lead dinner sponsor

Entertainment and centrepiece sponsor

6 | Asia Pacific Security Magazine

EVERYTHING CYBERSECURITY. ALL IN ONE PLACE. RSA Conference 2017 Asia Pacific & Japan is the only event you need to stay at the forefront of global and regional issues. Learn from the best and brightest minds in expert-led sessions covering all aspects of cybersecurity. Experience visionary keynotes and discover where the industry is headed. Fine tune your skills in immersive tutorials. And demo the most advanced products and solutions. Register now for the chance to save! Be one of the first 50 registrants to use discount code 5A7MYSECFCD and youâ&#x20AC;&#x2122;ll save S$100 off a Full Conference Pass. Go to www.rsaconference.com/ACSM and register today!

Follow us on: #RSAC Stay up to date on the latest news, special offers and updates about our worldwide events. Sign up at https://go.rsaconference.com/emailsignup Asia Pacific Security Magazine | 7

Contents Editor's Desk 9 International Executive Editor / Director Chris Cubbage Director / Co-founder David Matrai Art Director Stefan Babij Correspondents Fiona Edwards Jane Lo Morry Morgan

MARKETING AND ADVERTISING T | +61 8 6465 4732 promoteme@australiansecuritymagazine.com.au SUBSCRIPTIONS

www.australiansecuritymagazine.com.au/subscribe/ Copyright © 2015 - My Security Media Pty Ltd 286 Alexander Drive, Dianella, WA 6059, Australia T | +61 8 6465 4732 E: editor@australiansecuritymagazine.com.au All Material appearing in Australian Security Magazine is copyright. Reproduction in whole or part is not permitted without permission in writing from the publisher. The views of contributors are not necessarily those of the publisher. Professional advice should be sought before applying the information to particular circumstances.

Converging security threats in a changing world

Australian Delegation in Singapore for Interpol World 2017

KASPERSKY Lab chooses Singapore for new central Asia Pacific office

REVIEW: Cyber Security Asia 2017

REVIEW: Communicasia 2017

The keys to enabling digital transformation

ID Document: Holograms, innovate and protect

Effective IT security methodology: SysSecOps

Plant Protection against Industrial Cyber attacks

Next generation security intelligence operations

Will Bluetooth 5 be IoT’s saviour?

Page 46 - The Robocop Continuum: Confronting automated policing

Overhaul urged for Australian Biosecurity: The consequences of Complacency could be irreparable.

44 Page 50 - Latest Terror: Is London bridge falling down

INTERPOL World - Policing Feature The Robocop Continuum: Confronting automated and robotic policing

The security implications of driverless vehicles

Latest Terror: Is London bridge falling down

Tackling the turmoil within

An evolving threat to the U.S. Pacific Fleet

TechTime - the latest news and products

Editor's book review

65 Page 42 - Will Bluetooth 5 be IoT’s saviour?

CONNECT WITH US www.facebook.com/apsmagazine

OUR NETWORK

www.twitter.com/apsmagazine www.linkedin.com/groups/Asia-PacificSecurity-Magazine-3378566/about www.youtube.com/user/MySecurityAustralia

www.australiancybersecuritymagazine.com.au

Like us on Facebook and follow us on Twitter and LinkedIn. We post about new issue releases, feature interviews, events and other topical discussions. Page 38 - Next generation security intelligence operations

Correspondents* & Contributors

www.asiapacificsecuritymagazine.com

www.malaysiasecuritymagazine.com

www.drasticnews.com

Sarosh Bana*

Debbie Evan

Dr Monique Mann

Andrew Macleod Page 32 - ID Document Holograms

www.chiefit.me

www.youtube.com/user/ MySecurityAustralia

www.cctvbuyersguide.com

Morry Morgan

Mark Deakes

Fraser Holmes

Jane Lo*

Additional: Sam Cohen, CF Chui, Jack Pouchet, Fiona Edwards* 8 | Asia Pacific Security Magazine

Editor's Desk

"We continue to face threats of illicit use of cyberspace and criminals will continue to materialise their abhorrent intents…no single country or profession can stand alone when faced with transnational and organised crime" Opening address in Singapore to INTERPOL World 2017 by INTERPOL President Meng Hongwei, July 4, 2017.

echnology is turning traditional models upside down and indeed some are clearly, already broken. The adoption of technology is faster than ever before, leap frogging market or regulatory readiness. Data is more secure than ever before and will continue to be so, though many of the systems relying on this data may not be and most importantly, data sharing is not a technical challenge, it is a policy challenge. One of the key takeaways from INTERPOL World 2017 was that cybercrime is significantly under reported to police. Continuing to be so is the fundamental reason why police investigations and response is being inhibited. Opening a panel session for the World Economic Forum Cybercrime Dialogue, Dr Jean-Luc Vez, Head of Public Security Policy and Security Affairs, World Economic Forum confirmed that action is needed to reduce the damage expected, with the cost of cybercrime in 2016, US$450 billion and by 2020 on the trajectory to cost US$3 trillion. In a recent global survey by the World Economic Forum, 74 per cent of world business expect to be hacked in the coming months. “What is business doing now? Is it possible to fight against this threat or lay back with sand bags and wait?” To compound the threat of cybercrime, speaking in Singapore on 7 July, Dr Jolene Jerard of S. Rajaratnam School of International Studies presented at an anti-terrorism regional update seminar, ‘CT Terrorism in South East Asia Quest for the Wilayah’. The threat of radicalisation and power of social media is an ongoing threat and challenges the ability to combat the Islamic State’s propaganda. There are other threat actors other than the Islamic State and recent meetings between IS

and Al-Qaeda have resulted in calls for them to work together. In April, there were calls for groups to unite across Malaysia, Philippines, Thailand and Indonesia, with training camps being established and extremists using ‘kidnap for ransom’ to raise money. Despite the success in Syria and the fall of Mosul, the Islamic State has made a general call to arms to all groups and to individuals who wish to affiliate themselves. The aggregation of these groups is a growing threat and Marawi is just one example. Dr. Jerard highlighted the situation in Marawi, Philippines, with the most recent media reports of 80 militants continuing to hold hostages and the military confirming 366 terrorists, 87 government troops and 39 civilians have been killed, more than a month since the siege started. As Dr. Jerard confirmed, the Philippines siege came as a surprise to police and military forces, when they were initially confronted by a hornet’s nest of militants and foreign fighters, including some from as far afield as Saudi Arabia, Morroco and Belitsa. Marawi is now at a tipping point and if the military and police can’t defeat this group it is likely to serve as inspiration to other groups in Indonesia, Malaysia and Thailand. In the United Kingdom, some 2,000 items each week are removed from the internet by counter terrorism and intelligence units in an attempt to combat efforts of radicalisation and in an initiative by Microsoft, Google and Salesforce, they have commenced removing extremist related content whilst providing NGOs with service delivery promotional content, to replace the message of recruitment and radicalisation. And as one may see an increasing need for world leadership, we see Australian political editor

Chris Uhlmann’s analysis of Donald Trump at the G20, describing him as an “uneasy, lonely, awkward figure” who was left “isolated and friendless” with “no desire and no capacity to lead the world,” and this “takedown” hit home in the United States, and went viral. This being alongside the North Korean’s ruling party’s Rodong Sinmun newspaper which has accused the U.S. of “reckless military provocations” and said the danger of nuclear war is reaching an ‘extreme pitch’. The US flew two B-1B bombers over the Korean Peninsula in a show of force, carrying out a 10hour, multipart mission alongside fighter jets from South Korea and Japan, four days after North Korea launched its first-ever intercontinental ballistic missile. In this issue, we cover regional security with an analysis of China’s land-based anti-ship missiles, at a time the US is preparing to test its THAAD systems in the South China Sea and we have a review of CommunicAsia 2017, keynote speaker interviews with Cyber Security Asia 2017 and introduce the PLuS Alliance Global Security Launch. And on that note, as always, we provide plenty of thought provoking material and there is so much more to touch on. Stay tuned with us as we continue to explore, educate, entertain and most importantly, engage.

Yours sincerely, Chris Cubbage CPP, RSecP, GAICD Executive Editor

Asia Pacific Security Magazine | 9

International

Converging security threats in a changing world

gainst a backdrop of geopolitical instability, society is being transformed in unanticipated ways, with unprecedented levels of threat to security. War, terrorism, conflict and forced displacement of peoples pose international socio-political challenges even in the most stable of societies. The â&#x20AC;&#x2DC;war on terrorâ&#x20AC;&#x2122; has run for a longer period than World Wars I and II combined, and continues unabated with no likely end in sight. As a result, modern antiterrorism laws have taken on a character of permanence, and will reshape society, creating new precedents, understandings, expectations and political conventions. In other areas of global impact such as rapidly emerging new technologies, laws and technical procedures to mitigate risk are either entirely absent or not fit for purpose. Technological and scientific advances in computer science, biology, artificial intelligence and weaponry have occurred at a much faster pace than our legal and regulatory frameworks for maintaining security. Dual-use technology is that developed to benefit humanity, but which may also be used to harm humanity, either deliberately or by accident. The world is in uncharted territory, with no systematic means

10 | Asia Pacific Security Magazine

of risk-analysis of dual-use technology. These technologies, whether cyber, biological, artificial intelligence, nuclear, or new generation weaponry, are equally accessible to terrorist groups as they are for legitimate use. The convergence of such diverse security threats is an existential threat to human survival and cannot be addressed through traditional approaches. These threats cross national boundaries, and cannot be effectively managed either in the traditional disciplinary silos or by individual nation-states, but require coordinated research, thought leadership and novel, crossdisciplinary, global solutions. War, terrorism and biological weapons of mass destruction War and conflict continue to be the common feature of the human experience, but with advanced technology compared to previous conflicts. Compounding this, there are more displaced people and refugees in the world today than any time in history. The recent change that has upset the previous understanding war has been the advent of powerful

PLuS Alliance Global Security Launch

Large-scale cyberattacks affect not only home conveniences and basic business continuity but also interrupt life

INVITATION TO

saving interventions such as mechanical

Launch of Global Security PLuS

ventilation in intensive care units, or home oxygen for bed-bound patients in

FREE public event

their homes.

Wednesday, 19 July 8:30 am – 5:00 pm

non-state actors across the globe, using constantly changing methods of attack. This has challenged the fundamentals of the nation-state that has been the template for the modern understanding of war since the Treaty of Westphalia. The weapons used in war, conflict and acts of terrorism are also changing, including the use of drones and artificial intelligence in warfare. Changes have also occurred in methods used in terrorist acts, such as use of aircraft in 9/11, or the use of vehicles by homegrown violent extremists. Technology has led to quantum advances in biological and cyber weapons, which create new vulnerabilities. Revolutionary new tools and technologies such as CRISPR Cas9, a precision gene editing capability, can equally benefit or harm humanity. Whilst CRISPR Cas9 enables cures to diseases, it also enables engineering of deadly viruses as weapons of mass destruction. Global planning for bioterrorism is still largely framed by the Cold War, within the limited scope of thinking around agents such as smallpox and anthrax. However, there is a vast array of other possible biological WMD which fall outside of the scope of such traditional thinking and planning. This emerging field has eliminated the mandatory requirement of access to a laboratory suite, for major research can be performed using mathematical models and genetic codes, with such information readily accessible. There is an unprecedented increase in the frequency of serious epidemics such as Ebola virus, avian influenza, MERS coronavirus and Zika virus in the last decade, which cannot be solely explained by environmental and ecological factors. Whether natural or unnatural, the risk of a pandemic is higher now than any time in the past, and requires new capability in risk analysis, prevention, detection and response. Cyberattacks, critical infrastructure and health security Cyber attacks can affect any aspect of societal functioning, from critical infrastructures, to banking and health. In the case of financial crimes, the outcome may be the loss of money or assets, or it could adversely affect confidence in the financial system and the markets that fuel the international economy. In the cases of critical infrastructures or health, the outcome may be loss of life, possibly at a grand scale. Cyberattackers have already successfully demonstrated the

REGISTER HERE Global security is an area of cutting edge research and education within the PLuS Alliance, making Global Security PLuS a one-stop shop for government, nongovernment and industry stakeholders. Quantum advances in science have outpaced our governance frameworks in areas such as cybersecurity and biosecurity, with revolutionary new tools and technologies equally able to benefit or harm humanity. Against a backdrop of global political instability and conflict, this accelerates the risk of war, terrorism, cyberattacks, bioterrorism, chemical, radiological and nuclear threats. In addition, disasters and forced displacement of people pose additional challenges which require an understanding of emergency response and disaster recovery. These threats extend beyond the reach of national boundaries, and require global solutions. In 2016, Arizona State University, King’s College London and UNSW Sydney, formed the PLuS Alliance. This unprecedented and innovative alliance between three of the world’s leading universities enables us to join forces to help find research-led solutions to some of our most pressing global challenges. The three countries represented are also natural allies in security and defence, providing a framework for advancement of the first truly global security alliance in the world. About the Symposium Global Security PLuS will be launched on July 19th 2017 with a one day symposium. Come and hear about research from UNSW, ASU and KCL experts. Industry and government stakeholders can view our research and network with academic experts. Student research prizes will also be awarded at this event.

Asia Pacific Security Magazine | 11

International

ability to take out major portions of a power grid - the 2015 attack on the Ukrainian electricity network knocked out power for several hours for approximately 225,000 customers. Large-scale cyberattacks affect not only home conveniences and basic business continuity but also interrupt life saving interventions such as mechanical ventilation in intensive care units, or home oxygen for bed-bound patients in their homes. Backup generators, the common insurance for such systems, can fail as a result of poor design or placement, or as a result of a coordinated attack by others. The convergence of health security and cybersecurity is illustrated by recent ransomware attacks on hospitals, which are crippled when electronic systems fail and vital patient records, diagnostics and treatment histories cannot be accessed by healthcare practitioners. Worldwide, there has been an escalation of attacks on hospitals precisely because of critical dependence on information systems in an increasingly paperless environment, along with poor cyber security practices. Hacking allows hostile group to access the health information of individuals – their illnesses, medications, their doctor, scheduled surgery and so on, which provides new modus operandi of attack for organized crime or terrorist groups. Democracy, law and countering violent extremism Lawmakers around the world are grappling with how to best protect the community from terrorism. In legal terms, the challenge can be simply expressed: how can anti-terrorism laws be enacted that confer extraordinary powers upon government and its agencies, while at the same time not undermining the democratic freedoms we are seeking to protect from terrorism? Rather than fading away since 11 September 2001, this question has assumed even greater importance. If nothing else, it is clear that the response of democratic nations to terrorism is more than a temporary, emergency reaction to those and other catastrophic attacks, and to the possibility that such indiscriminate violence might be repeated at home. As the years have passed, it has become clear that anti-terrorism laws amount to much more than a transient, short-term response. In many ways, this makes these laws of a greater significance than the exceptional measures found on the statute book during World Wars I and II. Those conflicts were of more definite duration, and wartime legal measures ceased to operate soon after the conflict ended. By contrast, modern anti-terrorism laws have taken on a character of permanence, as the so-called ‘war on terror’ continues unabated. While a few anti-terrorism laws are the subject of ‘sunset clauses’ that could see them lapse after a specified period of time, most have effect for an indefinite duration. All this points to the fact that anti-terrorism laws may be altered in the coming years, but will not likely be repealed. The realisation that extraordinary anti-terrorism laws are here to stay has important implications. We can expect that the inroads made into human rights by these laws will endure. In doing so, the laws create new precedents, understandings, expectations and political conventions when it comes to the proper limits of government power and the role of the state. Indeed, many

12 | Asia Pacific Security Magazine

anti-terrorism measures are becoming seen as normal rather than exceptional. This is due both to the passage of time and the fact that anti-terrorism strategies are being copied in other areas of the law. All this suggests that anti-terrorism laws are not themselves only shaped by human rights concepts, but in turn are shaping those concepts so as to bring about a historical shift in our understandings of liberty and security. Global Security PLuS is an opportunity for academia, governments and industry to partner in a new way – join us on July 19th 2017. This article is written by: Prof Raina MacIntyre Head, School of Public Health & Community Medicine, UNSW Sydney Professor George Williams Dean, UNSW Law, UNSW Sydney Wes Herche Global Security Initiative, Arizona State University Prof Luca Vigano Head, Department of Informatics, Kings College London A/Prof David Heslop School of Public Health & Community Medicine, UNSW Sydney and Australian Defence Forces Chief Thomas Engells University of Texas Medical Branch and UNSW SPHCM Professor George Poste Chief Scientist, Complex Adaptive Systems Initiaitive, Arizona State University

Available online!

10110

55003/

Y’S NTR

AND

ENT

RNM

OVE

DIN

LEA

ATE

POR

ZIN

AGA

URIT

SEC

ed PP2

Approv

See our website for details ma

lian

sec

urity

.a www

ustr

alia

Post

000032

nal natio ar, in Inter ASIS nual Sem, USA An aheim An

d PP1

Approve

ine.

com

.au

te A Sta ISAC , Perth e rinngferenc e e in o l eng attCacks Socia

nsec

uritym

agaz

ep 20

Aug/S

RNM

OVE

DIN

LEA

.au

ov 20

s utive ch E u AZIN exec MAG ITY Why to be m CUR d E SE e e n hier ORAT ORP C c ND mu NT A THE

Oct/N

rity in Secu ment, rn Gove anberra C

of cult The ware the a

’S TRY

ne.c

URE

FEAT RISIS t LS C men SKIL le an e hum ation e h T form in in ction prote

THE

gazi

S P UP w.a WRA ww al ENT ation e, L EV N IA A C AIS nferenc e SPE Co ourn Melb ra ust

R CO

Post

N COU

ess a busin -high y strakliing ill Au Ta curity sk w How up? se keep

ption dece s of Sign $8.95

INC.

ren n child s satio cting bullie adicali art III R s – P ria Prote cyber y s m S e fro Proc is over lys para The Time Tech

GST

Time Tech

erl Cyb

1 YEAR SUBSCRIPTION

city Safe The need for ity Its and roperabil inte

reat ted a er Th Insid be elimintive Can a proac with oach appr

TO THE AUSTRALIAN SECURITY MAGAZINE

Get each print issue per year for only $88.00

A, k Q& , Quicrity and . Time u Tech ber Sec h more.. Cy muc

$8.95

INC.

GST

SUBSCRIBE TODAY... DON’T MISS AN ISSUE Yes! I wish to subscribe to the Australian Security Magazine, (1 year). ☐

AUSTRALIA

88.00

(inc GST)

1 YEAR

☐

INTERNATIONAL

158.00

(inc GST)

1 YEAR

Yes! As an additional bonus I wish to receive direct to my inbox the Asia Pacific Security Magazine (emag)

No business or government organisation survives in a vacuum. Sharing knowledge is fundamental to the development of successful security planning and implementation. That is the role of our magazine: sharing knowledge of developments in security management for public and private sector organisations, both for internal management and for external obligations in public safety and security.

Go to

www.australiansecuritymagazine.com.au/subscribe and fill in our subscription form online. Dont miss an issue! Phone: +61 (8) 6465 4732 during business hours AWST (Australia Only)

PRIORITY FAX Credit Card Details Australia +61 (8) 9467 9155

FREE POST My Security Media 286 Alexander Drive, Dianella. W.A. 6059

Email subscriptions@mysecurity.com.au

GST This document will become a TAX INVOICE for GST when payment is made. My Security Media Pty Ltd ABN 54 145 849 056

Asia Pacific Security Magazine | 13

Australian Delegation in Singapore for INTERPOL World 2017

acilitated by MySecurity Media, the Australian delegation

With the INTERPOL Congress theme on Day 1 focused on

in Singapore on the 4th July, was suitably hosted at the

Cybersecurity, the luncheon conversation centred around the

Dallas Restaurant, atop the Suntec Sky Garden at the

need for continued collaboration, reporting cybercrimes to police

Suntec Convention Centre, courtesy of INTERPOL World 2017.

and the threats and opportunities cybercrime has for business

Opened and addressed by the Australian Ambassador

and industry. Importantly, there is also the need for continuing

for Cyber Affairs, Dr. Tobias Feakin and accompanied by Zoe

business opportunities with developing a cybersecurity industry,

Hawkins, Cyber Policy Officer with the Department of Foreign

trading between Singapore and Australia.

Affairs, the delegation luncheon was attended by representatives

On the second day of the INTERPOL World Congress, the

of INTERPOL, Australian High Commission, Australian Federal

Australian delegation, accompanied by the Australian Federal

Police, Australian Strategic Policy Institute and the Aerospace

Police, toured the INTERPOL Global Innovation Complex, visiting

Maritime and Defence Foundation of Australia Ltd, attending

the Digital Forensics Lab, Command and Control Centre and the

to promote the CIVSEC 2018 Congress in Melbourne in May

Cyber Fusion Centre. Sponsored by Kaspersky Lab, MySecurity

2018. Guests were delegation supporter Kaspersky Lab’s Vice

Media also attended the Opening of the company’s new

President for Public Affairs and Asia Pacific Managing Director

Singapore Office and seminar series.

and Oracle’s Australian representatives and Global Director,

The event served as an important template for which to

Public Safety & Justice Solutions. Local support was received

base future Australian delegations in the Asia Pacific region and

from the Singapore Chapter Chair of ISACA and MySecurity

MySecurity Media would like to thank the Ambassador for Cyber

Media’s Singapore Correspondent.

Affairs Dr. Feakin and Kaspersky Lab for supporting the initiative.

14 | Asia Pacific Security Magazine

KASPERSKY Lab chooses Singapore for new central Asia Pacific office: Releases Spring Dragon research – China & North Korea seen as initiating active APTs Kaspersky Lab aligned alongside the INTERPOL World Congress and Exhibition to formally open their new office in Singapore, now with 35 staff and as the central management office for the Asia Pacific, where they have 200 personnel operating across the region. CEO and Chairman, Eugene Kaspersky proudly declared Singapore as one of his favourite world cities and was also strongly encouraged and assisted by the Singaporean Economic Development Board (SEDB). “Singapore is a key regional city and one of the most developed cities in the world. The cybersecurity start-up sector is being assisted and we feel this will facilitate new vectors for industrial security, smart cities and the ‘cyberised’ Internet of Things.” Mr. Kaspersky said. Mr. Teo Chin Hock, Deputy Chief Executive of the Cyber Security Agency of Singapore (CSA) also presented on the need for a resilient and trusted cybersecurity environment. Singapore has four pillars to their cyber security strategy, Mr.Hock said, “First is on strengthening critical infrastructure, the second is on mobilising business, third is to create a cyber security industry and fourth is to develop strong international partners, in an effort to make Singapore a smart and safe nation.” As part of the efforts between the SEDB and Kaspersky Lab, a talent pipeline of skills development is being established with five Singaporeans sent to Kaspersky Lab’s head-office in Moscow for cybersecurity training and now two of these are working with the Singapore Cybersecurity Agency. Further collaboration is occurring between Singapore’s leading universities, including collaborating with National University of Singapore and Nanyang Technological University in the research areas of critical infrastructure protection.

Australian Delegation INTERPOL World Luncheon

Address by the Australian Ambassador for Cyber Affairs Australian delagtion to INTERPOL Global Innovation Complex

Palaeontology of Cyberattacks Alongside INTERPOL World, Kaspersky Lab held a half day seminar series on the ‘Palaeontology of Cyber Attacks’, with some of the company’s leading researchers in the Asia Pacific region, presenting on cyber-attack methodology and attributions. Vitaly Kamluk, APAC Director of the Global Research & Analysis Team (GReAT) presented on how the Democratic People’s Republic of Korea (North Korea) is Asia Pacific Security Magazine | 15

INTERPOL CyberFusion Centre

Vitaly Kamluk, Director, Global Research & Analysis Team APAC, Kaspersky Lab Kaspersky Labs briefing INTERPOL Secretary General and Dr Jean-Luc Vez

linked to major cyber-attacks through attribution of source IP addresses. Kaspersky Lab’s research has linked North Korea to Lazarus, the group linked to the $81 million bank heist in Bangladesh and the 2014 attack on Sony's Hollywood studio, which the U.S. government also blamed on North Korea. As Vitaly explained, there were three conclusions drawn from the research; someone has invested a huge amount of money to frame North Korea in these attacks, a third force outside North Korea could be assisting them or third, if the attacks are indeed from North Korea, it means we know very little about their current motivations and use of cyber offense. Another key area of research from Kaspersky Lab is the APT (Advanced Persistent Threat) actor operating since 2012, which has been targeting South China Sea countries, starting with a focus against Taiwan. The Spring Dragon or Lotus Blossom has been researched by Melbourne based Noushin Shahab, on behalf of Kaspersky Lab. These highly specialised attacks target Government organisations, political parties, education instructions, universities and the telecommunications industry. Using customised C2 servers with over 200 unique IP addresses, the Spring Dragon is attempting to actively hide its real location. Despite these efforts, 40 percent of IP addresses are registered in Hong Kong, followed by mainland China and Japan. For attribution, analysis is based on the victims, political tensions, file compilation timestamps, which are predominantly in GMT+8 and the two prominent time activities indicates the group is either working in shifts in the same time zone or involve two groups in two different time zones. For analysis of the malware developers, there have been 600 malware samples obtained. The attacker’s toolset includes various backdoors and backdoor injectors. These include Elise, first identified by Palo Alto Networks’ Unit42, yet once identified, these variants stopped being used. The backdoors provide a wide range of capabilities, including transferring files and system administration. The code evolution goes back to 2004 and the Backdoor injector injects an encrypted file and predominantly enters via a web browser. According to Noushin, the long running APT campaign is clearly part of a massive scale operation and therefore likely to continue to resurface regularly in the Asia Pacific, with social engineering techniques a particular element in having the victims click a link or download a file. The source code is unique and private, therefore unlikely to be picked up by other researchers and should it be released into the wild, the attribution would become difficult.

Noushin Shahab presenting in Singapore

16 | Asia Pacific Security Magazine

7-8 August 2017, Sheraton Imperial Hotel Kuala Lumpur

Developing a Resilient Future Ready Organization

Casey Fleming

Dan Tentler

BLACKOPS PARTNERS CORPORATION

PHOBOS GROUP

Chairman & CEO

Founder

Shahmeer Amir

Nitesh Dhanjani

VEILIUX PAKISTAN

UNITED STATES

Bug Bounty Hunter

Global Head, Information Security Researcher

Niclas Kjellin

Mustafa Al Bassam

SIGMA SWEDEN

SECURE TRADING UNITED KINGDOM

Mobile System Architect & Security Expert

Information Security Advisor,

David Meléndez

Dato’ Dr. Haji Amirudin Abdul Wahab

ALBALÁ INGENIEROS, S.A.

CYBERSECURITY MALAYSIA

CEO

R&D Embedded Software Engineer

Ali Rebaie

Jorge Sebastiao

REBAIE ANALYTICS GROUP

HUAWEI TECHNOLOGIES

Cloud Practice Leader

Data Science Anthropologist,

Michael Wright

Manish Bahl

GRAB

COGNIZANT

Talent Acquisition Director

Senior Director

Brett Williams

Ashutosh Kapse

Sales Engineering Head

Head of Cyber Security,

CARBON BLACK AUSTRALIA

IOOF HOLDINGS LTD

Angel T. Redoble

Chairman and Founding President

Paul Craig

Head of Offensive Security

VANTAGE POINT

PHILIPPINE INSTITUTE OF CYBER SECURITY PROFESSIONAL

Choong - Fook Fong

Dani Michaux

LE GLOBAL SERVICES

KPMG MANAGEMENT & RISK CONSULTING

CEO

Exclusively by:

Platinum Sponsor:

Executive Director

Supporting Organization:

Media Partners:

Asia Pacific Security Magazine | 17

Book Your Seats: T: +603 22606500 │ E: karen@thomvell.com or admin@thomvell.com

CYBER SECURITY ASIA 2017

Developing a Resilient Future Ready Organisation

// Introducing the Keynote Speakers Dan Tentler is one of America’s top and well-known security researcher and the Founder of Phobos USA. Previously, Dan has been the sole proprietor of Aten Labs, a freelance Information Security consultancy firm in San Diego. He is routinely parachuted into various clients in the continental United States, as well as speaking engagements abroad in Australia, the UK and Amsterdam. Dan has presented at 44con, BreakPoint, DefCon, BlackHat, ShakaCon, and much more. Dan has been interviewed by the BBC, CNN, The San Diego Reader and a variety of information security blogs and publications. Dan is skilled in the arts of the professional bad guy.

18 | Asia Pacific Security Magazine

Casey Fleming serves as Chief Executive Officer of BLACKOPS Partners Corporation, the leading intelligence, think tank, strategy, and cyber security advisors to senior leadership of the world’s largest organizations. Mr. Fleming is widely recognized as a top thought-leader, leading expert and speaker on intelligence, strategy, national security, asymmetrical hybrid warfare, and cyber security. The Cyber Security Excellence Awards recently named him Cyber security Professional of the Year. Mr. Fleming led global organizations for IBM Corporation, Deloitte Consulting, and Good Technology. He served as the founding managing director of IBM’s highly successful Cyber division, now IBM Security. Mr. Fleming earned his Bachelor of Science degree from Texas A&M University and has participated in executive programs with Harvard Business School and The Wharton School.

Dani Michaux is the Executive Director of KPMG Management & Risk Consulting based in Malaysia. She is currently the Cyber Security Lead for ASEAN, and Cyber Strategic Growth Initiatives (SGI) Lead in ASPAC. She has over 15 years of experience where she has had the opportunity to consult multiple clients on Unified Compliance and Risk Management, Business Continuity Planning, Information Governance, IT GRC, Information Security Management Systems, Architecture, Remediation Programs, Security Assessment especially to the Financial, Telecommunications, Energy, and Government sectors. She has also performed a number of information security engagement within Energy and Telecommunication Companies covering Process Control Domain Systems and critical infrastructure for Telecommunications Company. She is currently the Chief Information Security Officer (CISO) of a telecommunications company in Malaysia, and she was the acting Chief Information Security Officer (CISO)

for large vertically integrated energy player in Malaysia in 2015, and for a Telecommunication player in 2013. She is also part of the Cloud Computing Group in KPMG MY and leading the Cloud Security initiatives. Ashutosh Kapse is currently Head of Information security, technology risk and audit at IOOF Holdings Ltd., one of Australia’s largest financial services companies. He is a senior-level professional experienced in security, risk management and audit leadership for over 20 years. His subject matter expertise is independently validated through industry certifications including CISM, CRISC, CISA, IRAP, CCSK and ISO27001 Lead Auditor. He has worked as a consultant in Australia and has provided advisory to numerous organizations in developing and implementing Governance, Information Security Management Systems, and Risk Management Frameworks. He has a proven track record in being able to present and influence at the board and C-suite level. His thought leadership is evidenced through speaking invitations to various international security & GRC conferences including Ignite2015 in Las Vegas, North America CACS in Dallas, International Security conference in Mexico and Asia Pacific. Shahmeer Amir is the Information Security Analyst, Application Security Researcher, Bug bounty hunter, and Forensics Examiner of Veiliux based in Pakistan, Veiliux is a Cyber Security startup, one of it’s kind aiming to provide adequate cyber security services to online businesses that are cost affective, resource reductive, time reductive and of quality. Shahmeer is a competent and skilled Security Researcher that specializes in all aspects of Information Security and also a vibrant Electronics Engineer. He also hold many certifications that emphasize and promote his skills as a Security researcher as well as an Engineer. He has worked with one of the leading Security Services Providers in Pakistan as well as in the middle east. He also remained Top Hacker on Hackerone platform for almost 8 months and ranks 3rd best bug hunter in the world. Paul Craig leads the offensive security “Tiger Team” at Vantage Point, in Singapore. Paul originally hails from New Zealand and is an avid hacker with a passion for the dark art of exploitation. Paul has been hacking professionally for the past 13 years and considers nothing impossible. Paul Craig works with Asia's strongest and largest banks to help raise their security bar and keep Singapore safe. He developed techniques and tools that are taught in the SANS Advanced Penetration Testing (SEC660) course and he has spoken at over 50 international security conferences world-wide.

Niclas Kjellin is one of Europe’s experienced mobile and security architect and working with the development of Enterprise apps he knows the importance of security early on. He is the team leader of the most creative and innovative app dev team in South of Sweden and security is always considered for every step in each project. Working with technology that enables new experiences and makes people connect from all over the world, while never forgetting the importance of security and privacy. Apart from his knowledge within mobile development and security architecture, Niclas is also an experienced speaker and have held several talks about digital security, particular security related to software development, but also on more softer sides, involving the actual users and the forces that drives us all. Niclas Kjellin is an IT security expert at SIGMA and has many years of experience in developing secure software. Together with an education at Stanford University in software security, he can also entitle himself Certified Ethical Hacker and fights for the ordinary user in a connected, although insecure, world. David Melendez works as the Research and & Development software engineer for TV Studio manufacturer company, Albalá Ingenieros in Madrid, Spain. He has won several prices in robotic tournaments in Spain like CampusParty and ISACA, and has been speaker in several conferences worldwide about drones architecture and security, like RootedCON, NavajaNegra, 8.8 Security Conference Chile, Nuit Du Hack, Codemotion, HKOSCON or Cymass Dubai. He has a Bachelor Computer Degree by Wales University.

// Can you give our readers

an idea of what brought you to cyber security and why cyber security is your primary area of focus? Case Fleming - As founder of IBM’s Cyber division, now IBM Security, it is one of the top national security threats to most countries. The cybersecurity industry is fundamentally broken and requires a 180 degree transformation. From product – based focus to human element focus. Ashutosh Kapse - I started working in technology risk and security way back in 1992. I was a networking engineer and one the networks I was managing got infected with the Dark Avenger virus. My interest in security developed while I was troubleshooting and helping the customer. Later on the area was termed as

Information Security and has now evolved into the term Cybersecurity. I kept getting opportunities to work in security and my own knowledge and expertise developed and evolved. Armed with this expertise, I believe I am able to positively influence organisations, be the trusted advisor and help safeguard businesses. Today I work as Head of Cybersecurity at IOOF Holdings, one of Australia’s largest non-banking financial institutions. David Melendez - Researching about the inner working of drones, I detected several communication security issues in the state of the art technology, and I decided to invest my efforts to develop solutions to this growing problem, among other (classic) cybersecurity areas. Niclas Kjellin - My background is in programming and at heart I’m still a developer and making secure applications that protect users’ data is the ultimate challenge and I guess somewhere within that challenge it all started for me. Paul Craig - I began as a ‘non-professional’ cyber security practitioner at the age of 14 and this was mostly due to the challenge it presented to me in my youth. Cyber security to me has always represented the ultimate challenge and the ability to do the impossible with very limited resources (myself). Now 21 years later, cyber security is a hard-wired obsession and a highly valuable skill I offer to my clients. Dani Michaux - I like the field of cyber security and I think it’s cool; besides, I run on adrenalin! Shahmeer Amir - I have a Bachelors degree in Electrical Engineering. So cyber security was never something that I planned, but I was always fascinated about the fact that computers can be hacked. I did not have a clue as how to actually do it back then, but had a keen interest to discover it. So I started learning from online resources and the rest was history. Cyber security is my area of focus because I believe that at a certain point of time in the future, the world will need people like me to save it from the bad guys as wars will not be fought with guns and tanks but keyboards and computers. In the coming years, the demand for security experts and work for research in this field will increase exponentially, I look forward to contribute in any way I can. Dan Tentler - Originally, I began my career doing systems administration and systems architecture, and after continually having to redo my work and experience systems becoming less and less secure because of the actions of developers and business folks, I couldn’t take it anymore. I quit my role as a systems architect and went into security full time.

Asia Pacific Security Magazine | 19

CYBER SECURITY ASIA 2017 // What advice would you give to businesses and governments in the Asia Pacific with regard to both the regional and international cyber threat landscape? Case Fleming - Become much more aware of who your cyber adversaries are and what their intentions are. Flip your security strategy to be 90% human / 10% cybersecurity products. Ashutosh Kapse - Cyber threats are a clear and present danger for organisations irrespective of their size and type. Cyber criminals and state threat actors have enormous resources at their disposal which requires a focussed and measured response from organisations to keep themselves adequately protected. I would advise organisations in Asia Pacific the following • Recognise and accept at Board level that Cyber is a key risk to the organisation. Allocate appropriate resources to tackle this risk. • Think of Cyber-resilience rather than cyber security. All efforts must be to increase cyber resilience of the organisation. • Understand that cyber security is not binary. That is, it’s not a question of “are we secure or are we not secure” – organisations need to think in terms of “what is cybersecurity posture of the organisation and how can we work to continuously increase the maturity” • Have the right structure in place (or create structure) so that Cybersecurity becomes a focus within the organisation • Understand that Cyber security is not IT’s problem but a business risk. Hence the best approach will be to have a holistic view, that covers Technology, People and processes. David Melendez - Security is a non-stop investment. In order to be a step forward to any threat, resources shuold be as stable as possible. Cyber-security works in the same way, with de different that the enemy is a diffuse entity. Niclas Kjellin - In almost all security setups the weakest link is likely to be the user, who will make mistakes in configuration, handling and miss-handling of data, who will click on links and download malware. So, education is the key, the more each and everyone of us know about potential threats the better prepared are we to stop them. Paul Craig - Due to the ease and relatively low cost of cyber-attacks they have become the new norm of warfare for nation states, activists and criminal gangs. Cyber-attacks typically have no human causalities,

20 | Asia Pacific Security Magazine

limited media exposure, low cost and require minimal manpower resources. I find too many organizations in Asia are still complacent when it comes to cyber-attacks and assume a physical threat is more likely. The global concept of cyber is also often overlooked, although your organization may not be attacked domestically you are connected globally to the internet. This concept of global threat actors is lost on most individuals who believe their doors are only open to a domestic audience. Dani Michaux - I would remind businesses and governments that cyber risks should be at the top of their minds, considering the high-profile nature of many recent cyber-attacks (such as WannaCry) and the catastrophic damage they have caused. To be complacent would be foolhardy. Shahmeer Amir - The best way to keep up in the prevention of latest threats in cyber security is to adopt security as a culture; it is the best way to move forward. Security is as strong as its weakest link, the weakest link is always the human factor, it should be a prime focus for all governments and organizations to train its individuals. Building in house CERTs and teams to proactively counter attacks is the best way to prevent threats. In this era the best way to prevent an attack is to be quicker than the attacker, so keeping up to date with the latest attack vectors helps out a lot in overall infrastructural security Dan Tentler - Unless the business has specific threats that are directed at it, the threats are global, since the internet has no borders. Targeted threats are a different animal. The best thing to do is to be prepared to deal with the typical day to day threats, that way if there are any greater threats, they become very clear. Directed threats could be things like targeting specific types of hardware, like cash registers or ATMs of a specific model.

// What can organisations best do to identify, evaluate and measure cyber risk, and put in place mechanisms to manage and minimise the risk? Case Fleming - Begin with knowing your adversaries, focus on the human element and stay current on all updates and patches. Ashutosh Kapse - Cyber risk management should be an integral part of the enterprise risk management system. Organisations should take care not to get carried away by all the hype relating to cyber security and ensure that the cyber security posture is commensurate with the risk. • The first step should be to fully understand the

• • • •

business context and then shape cyber risk mitigation based on the business context. (eg. A utility that has critical infrastructure, a financial services organisation, a bricks and mortar retail company and a web-services company all have different cyber risks and different threat actors, based on each organisations business context). A complete understanding of business context will ensure appropriate risk minimisation strategies. I would advocate a “back to basics” approach which is key to minimise the risks and put in place appropriate mitigations. Understand and enumerate organisation’s key assets and information. Know what is the value of these assets and what is the impact if these assets are compromised/lost Identify where these assets are located Determine who has access to these assets and who is the custodian Know how these assets are currently protected

David Melendez - Silver bullet does not exist, so you have to be as precise as possible identifying the activities that you want to protect, and think about how they can be attacked. We have to think in the same way as cybercriminals in order to anticipate their movements. This is not always possible, so, we have to take into account, with the same importance, the mechanisms to recover quickly our infrastructure in case of damage. Niclas Kjellin - Make sure you protect the right things, start by identifying important assets and outline the processes surrounding them. This will make it easier to prioritize, manage and minimize the risks for those valuable assets. And of course, defense in depth is always recommended, never trust one mechanism to keep your assets safe. Paul Craig - The two largest threats for any organization today are the applications in use and staff members within the organization. Organizations need to understand the risk associated with both and be sure they are addressing that risk seriously. Any organization that is developing software (ie web or mobile apps) need to have security requirements and guidelines available for developers and they need to be performing security testing in-house (preferably within QA teams as software is being developed). Security maturity models such as BSIMM are an effective tool to measure security within an organization but these should be complimented with security based KPI’s and a clear security mandate and direction. Red teaming and simulated threat exercises are also a highly valuable method of evaluating cyber risk scenarios. Conducting 6 monthly exercises such as spear phishing, ‘open scope’ compromises, and common social engineering techniques should be used as a method of evaluating and benchmarking an organization and their staff over time.

Dani Michaux - Firstly, the top management must agree that cyber security has to be a strategic-level priority. Having one-dimensional, technology-focused solutions focused on protection alone is missing the bigger picture and may put your organization at greater risk. At KPMG, we always advice our clients that cybersecurity is not just a technology problem; it’s a holistic one. But don’t just focus on prevention; companies should go one further to ensure cyber preparedness. No matter what industry you’re in, data is the lifeblood of modern business. A high-quality cyber preparedness program will not only focus on keeping the data safe and secure, it will also help to increase and improve the integrity of that data to make sure that you have the right and complete data upon which to base your business decisions. Ultimately, cyber preparedness will enable you to focus on new opportunities for revenue growth. Shahmeer Amir - Organizations need to put the right skill-set in their security teams who have technical expertise as they have managerial expertise. The biggest problem with organizations is that they focus on managerial aspects of security and somewhat neglect the technical aspect due to which there is no clarity on the risk. The best way to cater to cyber risks is to act proactively towards them, this includes recursive cyber drills, proper risk mitigation strategies and management Dan Tentler - That is called “Threat Modelling”. I’ll be going over it in some detail in my presentation. It is the mechanics by which one can decide what one intends to protect, define what possible entry points there are, and establish risk measurements surrounding the relationships between attackers, entry points and what it is you intend to protect.

// Where do the majority of cyber threats affecting organisations in Asia originate from? Case Fleming - Our intelligence indicates it is split between nation-states and private hackers or ‘hacketeers’. Ashutosh Kapse - Categorise threat actors as follows • Cyber criminals who are increasingly finding that cyber-crimes pays well and criminal does not have to be physically present in the vicinity of the target to commit the crime • State actors who find that cyber espionage and cyber weapons are much more effective than traditional means • Third parties who have access organisation’s computer network but do not have appropriate protection, thus unwittingly becoming accessory to cyber crime

Internal threats – • Accidental – internal employees through accident or negligence cause cyber breach • Malicious – internal employee acts maliciously to cause cyber breach • Criminal – cyber criminals placing their operative in key positions within organisation with the sole purpose of imitating cyber breach from the inside.

// From the perspective of national critical infrastructure, how is the Asia Pacific faring compared to other regions such as Europe, ME and Americas?

David Melendez - Cybersecurity is a worldwide problem, and every country tries to figure out why is a “primary target”. For example, terrorism has evolved from being a local thread, related to regional issues, to be a global threat, and has to be solved as a global issue.

Case Fleming - Overall, the Asia region lags Europe, ME and Americas. However, several Latin America countries also lag.

Niclas Kjellin - Already the whole world is seeing many different threat actors, such as national governments, terrorists and hacktivists. Two actors I believe will grow rapidly and become more frequent are industrial spies and organised crime, who are often driven by pure profit. Paul Craig - Asia is perceived as a soft and highly attractive target by global threat actors and we have seen attacks originating from all over the world targeting Asian organizations. The highest concentration of threat actors attacking Asia appear to originate from the Asia region and could be due to political or diplomatic reasons. This is an unscientific detail though as the source of attacks can be easily masked to appear to originate from another country. Dani Michaux - Predominantly, we have seen attacks originating from the West but that’s not to mean there aren’t any cyber criminals in this part of the world. The internet has enabled online anonymity, and it’s because of this that notorious groups of criminal hackers are able to thrive in cyberspace. Shahmeer Amir - There is no geographical location to put a mark on, cyber threats can originate internally or externally from Asia, it depends on the motive of the attack and the attacker. However, a large number of cyber-attacks worldwide originate from Russia Dan Tentler - There are two basic types of attacks. Opportunistic, and targeted. The opportunistic attacks (the ones that comprise the vast majority of attacks) are global. They are not constrained or targeted against any particular country. The targeted attacks, however, are targeted based on the business or vertical market the business is in. We don’t normally see attacks specifically targeting companies in a particular country “just to target that country”. There are, of course, some exceptions, but most of them are political in nature and do not often involve Asian countries.

David Melendez - Recently, Europe was attacked massively by ransomware including several big companies, but tomorrow, the target can be everybody else. Security policies can vary dramatically even between countries on the same continent. Even in the same country, policies can vary due to excessive bureaucracy. That’s because every country has to be prepared taking its own responsibility. Niclas Kjellin - We will see much more attacks such as the one against the power -grid in Ukraine and I believe that most countries in Asia Pacific, Europe, ME and Americas are not at the moment well-equipped to stop these from happening, there are much needed work to be done here. Paul Craig - Critical infrastructure all over the world is being compromised so it is hard to say that one region is doing any better than any other region. Security awareness and security investment does vary region to region and this does have a huge impact on the difficulty of a breach, however when the attacker is determined or well funded it only becomes a matter of persistence and time, unfortunately all regions appear to eventually fail in this respect. Dani Michaux - Considering that Malaysia is ranked in the Top 10 of countries globally affected by ransomware attacks, there is always more that can be done to improve cybersecurity nationwide. Shahmeer Amir - Let’s just say, APAC was late in the race but it is doing well now. However, APAC needs to quickly scale up, as the region is becoming more technologically advanced, it is also become a fruitful target for the attackers. Dan Tentler - Based on my findings, evenly across the board, globally – it’s a mess. It appears that critical infrastructure, when averaged out, is doing the bare minimum to secure equipment.

Asia Pacific Security Magazine | 21

CYBER SECURITY ASIA 2017 // What can businesses do to keep abreast of the threats to their national interests and supply chains? Case Fleming - Stay connected and share incidents between the private and public sectors, ramp up focus on the human element and stay current on updates and patches. This includes your extended supply chain – whoever has access to your sensitive data. Ashutosh Kapse - I would strongly recommend: • Formal methods of information sharing and exchange across businesses – eg. ISACs (Information Sharing and Analysis Centre) • Formal arrangement with government CERT in your country in order to understand geographic threat profiles • Cyber and risk professionals in the organisation becoming part of not-for-profit organisations such as ISACA to keep abreast of the field and developments. • Developing a mentoring model within each geography to ensure continuous development of security skills David Melendez - Government <-> companies coordination and threat-related information sharing, is key. Niclas Kjellin - Information is the key and this can be gathered in many different ways. We will see many new businesses being formed that will provide tailor made predictions about potential threat against organizations. For this, big data, AI and machine learning will play a huge part in the coming years. Paul Craig - Threat intelligence has become a requirement for any CSO/CISO as this can provide a condensed feed of current attack trends and threats. Staying abreast of these attacks requires having a relativity open mind and overlaying the current trends and attack methods over an organization. Attacks are ever evolving and threat actors are trying to manoeuvre into an advantageous position so the threat intelligence feeds should be used as a starting point for determining possible attack scenarios. Shahmeer Amir - Train its people to adopt security as a culture, no matter how secure your technology is, it can at any point in time be breached using the human element, therefore the best way to for a business to country cyber threats to stay up to date and educate its team about security Dan Tentler - Consider a vulnerability management program and take routine security hygiene seriously. The reason that millions of computers all over the world became infected with the Wannacry ransomware is

22 | Asia Pacific Security Magazine

purely because they didn’t install patches available for free from Microsoft. Defending against the “background radiation” of the internet by taking care of low hanging fruit and easily exploited vulnerabilities makes an attackers job staggeringly more difficult.

Then finally, when security eventually fails and it will sooner or later, then make sure you have back-ups of all data, this have saved the day for many businesses.

Ashutosh Kapse 1. “Tone from the top” – Board recognition and allocation of appropriate resources from top down 2. Understand the business context and identify critical assets. 3. Holistic approach consisting of people, process and technology with continuously improving maturity as a goal in itself.

Paul Craig 1. Comprehensive Application Security Program: I cannot stress the importance of an application security program! In 2017 software and apps are still not seen as a direct security risk and this is a huge problem. Software security should be owned by a single individual within the organisation and that individual should not be the same person who owns infrastructure or network security. Developers should be trained on software security and taught to ‘bake security in’. 2. Endpoint Protection: Its estimated that 43% of breeches occur from a threat actor located within your organization so protecting the endpoint is really a no-brainer. Whether it’s a Data-LossPrevention agent, a forensic or auditing agent, or a specific APT endpoint protection product, the endpoint is likely a device you will end up paying specific attention to. 3. Employee Education Programs: Keep security in-mind by placing banners or notices around your organization to educate staff. Simple posters that promote skepticism of strangely worded emails, strange attachments, or unfamiliar contacts can make a huge difference to an organisations security stance.

David Melendez 1. All company members have to be prepared and trained against social engineering, because this kind of attack does not require super-specialised technical knowledge, but the damage that they are able to do, can be big. 2. Cyber-security department has to be valued, and taken seriously into account as any other strategic department. For example, sometimes, managers ask to IT department to ignore all security basics in benefit of a comfortable use of their IT equipment. This is a big mistake. Also, skilled people is always better than expensive hardware. Being competitive in salaries and conditions, is not a waste of resources. 3. IoT opens a new market, but a new way to perform cyberattacks too. Drones for example, are a multi-level platform to attack infrastructures, but in the same way, they are vulnerable too.

Dani Michaux - Organisations can reduce the risks to their business by building up capabilities in three critical areas: 1. Prevention – begins with governance and organization. It is about installing fundamental measures, including placing responsibility for dealing with cybercrime within the organization and developing awareness training for key staff. 2. Detection – monitoring of critical events and incidents, and data mining form an excellent instrument to detect strange patterns in data traffic, to find the location on which the attacks focus and to observe system performance. 3. Response – activate a well-rehearsed plan as soon as evidence of a possible attack occurs. When developing a response and recovery plan, an organisation should perceive cyber security as a continuous process and not as a one-off solution.

Niclas Kjellin 1. Most important is security awareness training, in other words educate your employees make sure they know how to identify and handle threats. 2. Secondly, update all software to their latest versions, install patches and put processes in place for doing so.

Shahmeer Amir The top three on my list are 1. Firewalls 2. Intrusion prevention systems 3. Recursive drills and trainings

// Lastly, what are the three top security controls would you recommend businesses need to put in place to manage cyber threats? Case Fleming 1. Ramp up focus on the human element throughout your entire supply chain 2. Classify your sensitive data and restrict both human and internet access 3. Stay current on all updates and patches 4. Know your adversaries, stay current on their tactics

ASIA TELECOMS INNOVATION SUMMIT & AWARDS A Review & Celebration of Global Telecommunications Projects 1 9 S E P T E M B E R 2 0 17 S W I S S O T E L M E R C H A N T C O U R T, S I N G A P O R E

The Asia Telecoms Innovation Summit and Awards celebrate and recognise the industry’s most innovative & successful project partnerships between operators and vendors over the last 12 months and showcase the very best projects from every corner of the industry.

AWARDS CATEGORIES: • Infrastructure Innovation

• Consumer Service Innovation

• Software & Applications Innovation

• Wholesale Service Innovation

• Enterprise Service Innovation

SUBMIT YOUR ENTRY NOW!

Participants include:

Asia Pacific Security Magazine | 23 www.gtbsummits.com | gtbevents@euromoneyplc.com | +44 (0)20 7779 7227

CommunicAsia 2017

28th international communications and information technology exhibition & conference A host of smart future technologies such as big data analytics, cloud, the Internet of Things (IoT), cyber-security, artificial intelligence (AI), robotics, virtual reality (VR) and next generation broadcasting technologies were the key highlights of the three exhibitions - CommunicAsia2017, EnterpriseIT2017 and BroadcastAsia2017 (23rd – 25th

May) – that were held across two venues at the Marina Bay Sands and Suntec Singapore. With thirty-six International Group Pavilions – including Russia, China, Canada, USA, Korea and EU Business Avenues in South-East Asia - the event drew best-of-breed innovations from across the globe, hosting 1,800 exhibitors from 62 countries.

Left – Dr. Hamed Salim Al Rawahi, CEO, Telecommunications Regulatory Authority, Oman; Dr. Yaacob Ibrahim, Minister for Communications & Information, the Minister in charge of Muslim Affairs and the Minister in charge of Cyber Security; H.E. U Kyaw MYO, Deputy Minister for Ministry of Transportation and Communications, Myanmar; H.E. Mustappa Sirat, Minister, Ministry of Communications, Brunei Darussalam. Photo Credit: CommunicAsia 2017

In addition to a show-case of how businesses, governments, and consumers embrace digital transformation and leverage technology to create landscape of global connectedness, Cyber Security was also a key platform feature. In his opening address, Dr Yaacob Ibrahim, Minister for Communications & Information, noted Singapore’s IMDA (Infocomm Media Development Authority) focus area of Cyber Security (the others are: Artificial Intelligence and Data Science, Immersive Media, IoT and Future Communications Infrastructure), and added: “I don’t think I need to belabour how important this is for your companies from

24 | Asia Pacific Security Magazine

operational, financial, reputational, intellectual property, and other angles. It is important as well for all of us here as individuals, and it is essential for our national security.” For the governments around the world, the threat of continuing (and evolving) cyber attacks is a grave concern. At the “Security of Things – Threat-proofing the Future” seminar track (curated and orchestrated by IEEE ComSoc), Mr. Ho Ka Wei, Director – National Cyber Threat Analysis Centre, Cyber Security Agency of Singapore – pointed out the recent WannaCry attack that disrupted government agencies and businesses in 150 countries across the globe, and affected health facilities and hospitals, was

a clear example of how malware attacks (in this case, a ransomware) had evolved from an inconvenience to a public threat which could put lives at risk. Closer to home, the APT (Advanced Persistent Threat) actors who recently gained unauthorized access to two Singapore Universities (The National University of Singapore (NUS) and Nanyang Technological University (NTU)), according to the authorities, to "maybe steal information related to Government or research" was the first sophisticated cyber attack on Singapore universities. It was targeted, carefully planned and "not the work of casual hackers", said authorities.

CommunicAsia 2017

Mr. Ho Ka Wei, Director – National Cyber Threat Analysis Centre, Cyber Security Agency of Singapore, at the “Security of Things – Threat-proofing the Future” seminar track, speaking on “Singapore’s Cyber Threat Landscape”. Photo Credit: CommunicAsia 2017

"As we become more digitally connected, such threats will continue to increase in sophistication, and both public and private sector organisations are equally vulnerable," Dr Yaacob had said earlier last month, following the incident. Over the years, the Singapore government had embarked on several initiatives to develop skills and awareness in this area. Recent examples include the Cybersecurity Associates and Technologists, or CSAT programme to train more cybersecurity professionals for the industry, and the “SMEs Go Digital” programme which will enable SMEs to receive specialist advice on the topic of CyberSecurity, amongst others. Under one of the government’s programmes was a study conducted for the Singapore’s Cybersecurity defense project by researchers at iTrust (a cybersecurity research center at the Singapore University of Technology and Design) – which was pointed out by Mr Junaid UR Rehnan, Security Adviosr, HP Inc on his keynote speech “Defending Your Weakest Link – Reinforcing Printer Security”. The research demonstrated how attackers using a drone with an attached mobile phone could intercept documents sent to a seemingly inaccessible Wi-Fi printer. Using a drone to transport a mobile phone with two apps – one that detects open Wi-Fi

printers and the other to establish rouge access point that mimics the printer and intercept documents intended for the real device – the researchers showed how adversaries do not

"As we become more digitally connected, such threats will continue to increase in sophistication, and both public and private sector organisations are equally vulnerable," have to be close to a Wi-Fi device to steal data – if they could instead deploy their drones to be near the target. This result exposed the myth of low risk of outside attack in a physically “inaccessible” environment and is especially critical to bear in mind for Singapore’s business district where high-rises dominate the skyline. In fact, printer cyber vulnerabilities are not

dis-similar to those of other “conventional” devices on the network – such as unsecured ports and network connections, compromised firmware and device settings. Simply put, printers are just another device on the network and cyber security guidelines for network devices and endpoints are applicable to printers as well. Mr Junaid Rehnan pointed out specifically the principles published by the “US Department of Defence - NIST 800-53 – Multifunction device and network printers security technical implementation guide (STIG)” – such as to, • Update the firmware • Disable unneeded services, protocols and features • Restrict access to the device based on IP address. • Allow setting and changing of the authentication information passwords and community strings) for all management services • Prevent unauthorized physical access to the hard drive using either a locking mechanism or other physical access control measure • Implement authenticated access to management controls, allowing access to authorized administration based on privilege assignments • Enable and configure audit logging Whilst the increased number of attacks is a key national risk to overcome for Singapore, it is not a challenge that is unique to Singapore. “The Contribution of the UNGGE to Global Cyber Security” (United Nations Group of Government Experts) talk provided an opportunity for attendees to hear about Cyber Security policies from the United Nations Group of Government Experts (UNGGE) from His Excellency Mohamed Abulkheir, Ambassador, Egyptian Embassy of Singapore. Since 1998 when the first resolution was drafted to initiate the discussion of Information Security with the United Nations, there have been Four Groups of Governmental Experts (UNGGEs) that have “examined the existing and potential threats from the cyber-sphere and possible cooperative measures to address them”. From the First UNGGE where policy questions centred around coverage and scope of the discussions (such as if the “impact of developments in information and communications technologies (ICTs) on national security and military affairs” should be considered or if “transborder information content should be controlled as a matter of national

Asia Pacific Security Magazine | 25

CommunicAsia 2017

Mr Junaid UR Rehnan, Security Advisor, HP Inc, speaking at Day 2 of “Security of Things” Opening Keynote “Defending Your Weakest Link – Reinforcing Printer Security”

His Excellency Mohamed Abulkheir, Ambassador, Egyptian Embassy of Singapore, at the “Security of Things” seminar track, speaking on “The Contribution of the UNGGE to Global Cyber Security” (United Nations Group of Government Experts). Photo Credit: CommunicAsia 2017

security”), UNGGE had evolved to include dialogue “on norms”, “confidence buildingbuilding and risk reduction measures”, “capacity building”. As Cyber attacks become increasingly transnational in nature, the UNGGE’s mandate has grown to address this challenge. For example, the scope of the current Group of 25 experts* includes “how international law applies to the use of information and communication technologies by States, as well as norms, rules and principles of responsible behavior of States, confidence-building

26 | Asia Pacific Security Magazine

measures and capacity-building.” *Australia, Brazil, Botswana, Canada, China, Cuba, Egypt, Estonia, Finland, France, Germany, India, Indonesia, Japan, Kazakhstan, Kenya, Mexico, Netherlands, South Korea, Russia, Senegal, Serbia, Switzerland, United Kingdom, United States The seminar ended on Day 3 with “Security Governance Full Day Workshop” with Dr Paul Haskell-Dowland’s (Associate Dean for Computing and Security, Edith-Cowan University) “Ethical Hacking” session. Based on a real-life example (non-public), he took participants through how a hacker

may deface a website with a step-by-step demonstration: (1) Identification of vulnerable website (2) Exploitation of the vulnerabilities (3) Gaining remote access (4) Escalating privileges (5) Probing internal network. As penetration tester mimics the steps taken by a typical attacker to identify infrastructure weaknesses, these check points also form part of a standard vulnerability assessment exercise. Hence it is critical that the appropriate permissions have been sought and granted to perform a legitimate breach of the system. Specifically, Dr Haskell-Dowland highlighted these key considerations: • A controlled evaluation of vulnerabilities Compromised on your terms • Rules of engagement – Permissions; Scope (in/out); When to stop; Privacy/ethics • What do you want from the process? – Reporting Mr. Peter Hannay (Lecturer of Edith-Cowan University), in his “Forensic Computing” session, pointed out that as “many forms of data exist only for a brief period or a prohibitively expensive to recover unless adequate preparation takes place”, “preparing for evidence is an important factor in the success of any forensic response”. This involved obtaining and analyzing digital data, investigating data from a hard desk or other storage media (including recovering data that was hidden or deleted), and telling a story (which formed evidence in civil, criminal or administrative cases). As the nature of evidence had evolved over time, for examples, from printed photos to digital photos, from handwritten notes to email, from

CommunicAsia 2017

The “Security of Things” Seminar Track, co-sponsored by HP PC and Printer; Nomura research institute; Level 3 Communications. Photo Credit: CommunicAsia 2017

money as a physical entity to being represented as a digital number, “organization assets must be considered as to their potential to produce, transit or contain potential evidence”. Whilst it is easy to immediately identify physical assets such as workstations or servers as evidential potential, logical assets (cloud and virtual infrastructure), or transitive (network, telecommunications and transmission media) could also hold information or data critical for forensic response planning. As with penetration testing, a Computer Forensics Analysis plan that proposes intentions (pertaining to an upcoming investigation) is important to allow parties involved to have a thorough understanding of the case and grant the necessary approvals for investigation. He concluded with “Cyber Security is there to SUPPORT the business needs of the organization. Cyber Forensics is there to SUPPORT the security of the organization”. Indeed, as Cyber Security becomes an increasingly important consideration in the fast-paced evolution of hardware and software, robust procedures to respond to incidents that affect the confidentiality, integrity, and availability of these is essential. And these include guidelines to tackle the technical challenges of digital evidence capture in order to prevent contamination or loss. Any investigation of and response to Cyber Attacks will necessarily involve the preservation and examination of electronic evidence; and therefore a digital evidence strategy must form an integral part of the Cyber Security framework.

[Right] Dr Paul Haskell-Dowland, Associate Dean for Computing and Security, Edith-Cowan University, before his “Ethical Hacking” session on Day 3 Security Governance Full Day Workshop of the “Security of Things” track. Photo Credit: CommunicAsia 2017

Peter Hannay, Lecturer of Edith-Cowan University, presented on “Forensic Computing” on Day 3 - Security Governance Full Day Workshop of the Security of Things track.

Asia Pacific Security Magazine | 27

CIOs, IT Leaders and decision makers • Big data • Communications • Cloud computing • Technology systems • Interviews with industry thought leaders plus much more.

28 | Asia Pacific Security Magazine

Asia Pacific Security Magazine | 29

Cyber Security

The keys to enabling digital transformation

A By Chris Cubbage Executive Editor

30 | Asia Pacific Security Magazine

2016 survey of global businesses found that 97 percent of respondents are investing in digital technologies to transform their businesses, yet only 18 percent reported that security has been involved in these initiatives. It seems security could threaten to slow them down. Yet the reality is when accessing and using digital technologies, organisations have no choice but to implement access and identity governance for on-premise and cloud applications. Given that cloud applications are a major component of any digital journey, we sat down with One Identity’s Richard Cookes, Country Manager for Australia & New Zealand to get a sense of the company’s own journey so far. In 2016, One Identity achieved license growth at three times the market rate and continued nearly thirteen consecutive years of profitability. With 700 employees working across 12 countries, the company sold its solutions to nearly 1,500 companies during the year, taking it to over 7,500 organisation clients. “We are a recent spin-off out of Dell EMC and were sold off as part of the software division, in November 2016.” Richard explained. “The software assets were put into Quest and acquired by private equity partners, Francisco Partners and Evergreen Capital. As of June 1, 2017, One Identity became a standalone entity”. With improved business agility, Gartner has positioned One Identity in the “Challengers”

Quadrant for Identity Governance and Administration . Despite the name, One Identity has a number of modular and integrated solutions. Prominent products are: providing identity management, called One Identity Manager, which involves provisioning and identity governance; Cloud Access Manager for access management, and One Identity Safeguard for privileged access management. Each of these is a separate product and customer profiles are commonly Tier 1 and Tier 2 enterprises with requirements across the entire range of identity and access management needs. Identity governance involves reviewing users to ensure they have appropriate access and still work for the organisation. Provisioning places users into the appropriate groups and roles used by applications and systems to determine access. Access Management assesses identity parameters, such as an IP address, group membership, location, time or device type when granting access to applications and systems. A significant driver of the One Identity business has been the standardisation of mobile device platforms and the need of line managers to approve and review access anytime anywhere, for example while in a meeting rather than returning to their desk. Privileged access management controls administrator access to systems via workflow approvals. Passwords are stored in a vault with access control based on predefined policy and ad-hoc approvals, including temporary access

"Our customers repeatedly site our modular portfolio that enables them to start anywhere without having to install a monolithic infrastructure or work with multiple vendors, our focus on their success and the business-centric nature of Richard Cookes. ANZ Country Manager, One Identity

with changing passwords, the entire system is also audited. “One Identity were the first in the market to have hardware based appliances, which are more secure than software-only solutions. You’ll find by sharing administrator passwords you create a new vulnerability. To mitigate this, we utilize Trusted Platform Modules (TPM) chips in our appliances to protect the centralized vault.” Most organisations often don’t know how to harden hardware despite loading it up with software, however with the One Identify Safeguard, the appliance is pre-harden and secured with encrypted password storage. Each product can work independently of one another but rolled out together they provide additional value providing a cost of ownership reduction with an integrated solution. Products are also .Net Windows based and therefore matched to Microsoft skill sets. An additional product is data governance, which is the management of unstructured data, which often makes up the majority of an organisation’s data. In a similar approach to attestation for application access reviews, this involves data access reviews and determining who is the logical owner of said data. Organisations with massive amounts of data they need to transfer to the cloud could have security and vulnerability issues when shifting their data. Before shifting this data, it will help if organisations understand who owns the data in order to marry who has access to the data and match that information to the organisational structure. This

IAM done through One Identity"

reduces unwanted and unneeded data and also reduces storage costs. The platform provides visualisation and reads data attributes for access – One Identity is not reading the data for classification but reading the access rights to it. “Our approach,” according to Cookes, “Is that we don’t do classification but we will take in the classified data and thereby are in the market to support all the data classification vendors.” One Identity’s Connect for Cloud allows organisations to easily extend the governance of identities to cloud applications. The offering removes a significant inhibitor to digital transformation, as organisations can extend identity governance, access controls, compliance reporting and provisioning/de-provisioning to cloud-based apps including Salesforce, ServiceNow, Box.net, Dropbox, Concur, Amazon AWS and many others. Through a single interface and with a single set of policies, rules, workflows, identities, and the full visibility is provided into users’ rights, data and applications, regardless of where they reside. This extends the capabilities of One Identity Manager to cloud applications, representing a major IAM milestone. It was the first in the industry to embrace the System for Cross-domain Identity Management (SCIM) as the common interface between on-premise and SaaS applications, enabling One Identity developers to address the identity access management (IAM) needs of multiple cloud applications from a single SCIM interface. The new SCIM support in Identity Manager uses Dell Boomi (Boomi) technology, an integration platform-as-aservice (iPaaS) offering that enables cloud applications to talk directly to One Identity Manager for complete identity management of cloud-based applications in a traditionally difficult to address hybrid environment. Connect for Cloud provides one interface, eliminating time-consuming custom coding and one-off connections to on-board hundreds of cloud applications. One Identity is a unique vendor building a portfolio of governance, privileged management, access management and identity as a service solutions. John Milburn, President and General Manager of One Identity said in a release, “Our customers repeatedly site our modular portfolio that enables them to start anywhere without having to install a monolithic infrastructure or work with multiple vendors, our focus on their success and the business-centric nature of IAM done through One Identity.”

Asia Pacific Security Magazine | 31

Cyber Security

ID Document: Holograms innovate and protect Dr Mark Deakes, general secretary of the International Hologram Manufacturers Association (IHMA), considers current developments in security holography in the face of continuing worries about fake identity documents.

W By Mark Deakes General secretary of the International Hologram Manufacturers Association (IHMA)

32 | Asia Pacific Security Magazine

hile the production of identification documents is a global business, estimated to be worth hundreds of millions of dollars a year in revenues for designers, producers and manufacturers, the cost of fraudulent passports, driver’s licences and pass cards adds up to hundreds of billion dollars a year in lost revenues, untold damage to corporate reputations, and funding initiatives to combat the counterfeiters. Identity theft affected 17 million people and amounted $15bn in 2014 in the US alone in 2014 while the Department for Homeland Security reported in 2016 that it believed Europe’s trade in forged and stolen passports was so out of control that it had reached ‘epidemic’ proportions. Elsewhere, police personnel in India are being issued with smart identity cards with special security features and a hologram in a move to improve security and identify fake officers. But in the war on counterfeiting, holography remains a

weapon of choice, paramount in securing data and protecting identity documents against interference, tampering, alteration, forgery or imitation. New materials, scientific innovation and state-of-the-art manufacturing practices combine to keep the technology fresh, secure and relevant, continuing to play a seminal role in protecting against the photograph and personal data forgery, otherwise known as the ‘variable information’. However, the ability of holography to provide effective protection lies in the continuous innovation of new techniques. Both optical effects and material science techniques have created authentication devices that are easily recognised yet difficult to copy accurately. They can be safely integrated within the production process and stand-up to the rigorous demands of being in use for a period of anything up to ten years. Modern reprographic technologies make it possible to

copy many things but the real issue is just how accurately can holograms be copied? The answer is that their intrinsic features ensure that the techniques and visual effects make it extremely difficult, perhaps almost impossible, to copy a welldesigned security hologram 100%. Holograms serve as both a means of protection and authentication, and a warning about the dangers of counterfeiting. Therefore, they are not solely to prevent counterfeits but act as an effective detection device, making it easier for the trained eye to distinguish the genuine article from the fake or usurper. Manufacturers are responding to the technical challenges this imposes through new optics and material science technologies used in the production of holography solutions for ID. Since 2010, we have seen significant growth in the number of passport and other documents issued that feature OVD (Optically Variable Devices), which are created in

highly-secure facilities and are at the forefront of overt asset and brand protection programmes - the OVD can be used as a stand-alone feature or combined with printed security features to create devices that are extremely difficult to replicate using conventional photocopy or scanning technologies. New developments Companies currently at the forefront of new developments include OVD Kinegram, one of the leading providers of security technologies used in the protection of government documents and banknotes. The companyâ&#x20AC;&#x2122;s Kinegram digital seal is a copy-resistant feature that interlinks and interlocks physical ID documents with mobile verification processes. It takes the biographical data from an identity document and encodes this information into a quick response (QR) code, which can be encrypted and read by a smartphone. The code

Asia Pacific Security Magazine | 33

is protected against forgery or interference by the optical structure and the information contained therein can be read using a simple smartphone app to verify and check that the document is not stolen, lost or fake. Growing smartphone usage in the authentication processes is also behind the development of high security opto-digital foil technology. Optokey OVDs from Surys combine a digital data matrix code with a high definition micro image, which is part of the holographic security design. Using a dedicated app, specific images and properties can be authenticated without the need for an internet connection. Russia’s RPC Krypten is another firm at the forefront of developments in the sector with its photopolymer laminate 3D Gram-M; an overlay technology that has a bright reflectance at discreet angles and undergoes a colour change from green to gold and then finally red when viewed at acute angles. Passport pages need to be adequately protected from tampering and alteration but it can be difficult to achieve this when there’s such a proliferation of different formats and styles in use by different national governments. However, new printed security laminates can be deployed across multiple formats to provide effective protection of document types and specifications. For example, ITW Security Division’s Holoprotek security laminates utilise proprietary technology to protect against the forgery and counterfeiting of government and personal ID document data pages, combining traditional holographic effects with high security print to provide level one security features for public recognition and simple, easy to verify level two security features. Elsewhere, manufacturers continue to push the boundaries in addressing anti-counterfeiting solutions aimed at end-users. Promoted as a significant step forward in moving further than the current state-of-the-art in light transmission, optically variable coloured effects are visible through Surys’ Plasmogram: a new generation, high security DOVID that combines reflective and see-through effects on a nano-

34 | Asia Pacific Security Magazine

structured film incorporating physical properties. It’s one of a number of ‘break through’ technologies that are now increasingly finding their way into the high security sector where, for instance, they are being adopted by producers of passports to provide beneficial features including added track and trace capabilities. Equally, for ID cards, we are seeing optical security features coming through that can be integrated with almost any substrates - plastic cards, polycarbonate material, composite and paper - to deliver ‘smart’ ID solutions - ones that combine optical and digital technologies to offer both visual and automatic authentication based around the interactions of the user and smart devices. Holograms will continue to play an important part in moving ID documents to the next stage of development as those with responsibilities for safety and security look to stay one step ahead of the criminals; ensuring quality and checking the trade in fake ID while those documents not displaying security holograms are seized and destroyed. Those involved in law enforcement, border protection and ID security will always be reassured by the presence of holography technologies and devices on passports and other documents, clearly seeing and benefiting from the advantages they provide. Moreover, the use of well-designed and properly deployed authentication solutions, enables those with safety and security responsibilities to verify the authenticity of a legitimate product, differentiating it from counterfeits. Even those that carry a ‘fake’ authentication feature can be distinguished from the genuine item if that item carries a carefully thought-out authentication solution. The IHMA (www.ihma.org) is made up of 100 of the world's leading hologram companies. Members include the leading producers and converters of holograms for banknote security, anti-counterfeiting, brand protection, packaging, graphics and other commercial applications around the world, and actively cooperate to maintain the highest professional, security and quality standards.

Scott Raynovich, founder of Futurium and creator of the Rayno Report, now a part of SDxCentral.

The most effective IT security methodology: SysSecOps Editor’s Interview with Scott Raynovich, founder of Futurium and creator of the Rayno Report, now a part of SDxCentral.

R By Chris Cubbage Executive Editor

ecent ransomware attacks such as Wannacry and Petya highlight the continued disconnect between two enterprise technology silos, and it’s killing both operations and security. I spoke with technology analyst Scott Raynovich, who has developed an enterprise security methodology, SysSecOps, or Systems Security Operations and released the Futuriom report ‘Endpoint Security and SysSecOps – The growing trend to build a more secure enterprise’. As Scott explained, “The context is ‘almost’ perfect as the recent ransomware attacks provide a top level view – security operations and system operations are often separate functions and these organisations aren’t always talking to each other. The ransomware worms are affecting older systems that haven’t been maintained and patched. So, this is a patching issue, which is an IT administration problem.” “The premise of the report – surveying 170 people - was there has to be more integration between security operations but these are management and process challenges. Looking back through some of the largest hacks and attacks, Target, Yahoo, DNC, the pattern is that many of these incidents wasn’t that technology didn’t identify it was happening, it was rather a system process problem. The right person wasn’t informed or the response wasn’t automated.” Editor - Isn’t it also the case that security, as it always has been, continues to be seen as a cost and not a business contributor? “There is a cost component to security and there is a number attached to it. How much are we going to spend? Things have changed in the last year or so and Target was another catalyst, when the CEO lost his job. Yahoo is another case where a significant corporate merger was affected. This is why corporate boards are now more aware and security is now a corporate governance issue. The report highlights the critical awareness that has arisen and the beginning of the change for organisations managing security at the highest levels. It is the CIO and CEO that has the power to make change and a board level process which needs to set new policies. There has to be an integrated approach and the top challenges are lack of time and resources. But this is a budget issue and despite an increase in spend, it is not infinite. The other answer is automation of policy. Thirty-four per

cent cited conflicting IT and security goals and a lack of integration of policy, or a lack of coordination. Everything needs to be integrated at a higher level and therefore policy is required, as well as policy enforcement. The number one response was better management of security budget and better integration between systems management and tools. Some of the newer technology has been focused on better integration, visibility, managing alerts, monitoring and managing end points. Feeding all this data into a broad analytics platform for better insight. Like the way DevOps brought together developers and IT operations, the approach of SysSecOps brings together the CISO’s security team with the CIO/CTO’s operations staff, to provide a unified view of the status of the organisation’s IT infrastructure – and to prevent and respond to security threats, particularly those affecting endpoints. For a copy of the Futuriom Report – visit http://www.futuriom.com/articles/news/the-futuriomsyssecops-report/2017/06 Key Findings 1. Endpoint security integration and organisational coordination are key to building a SysSecOps approach to enterprise security 2. Many of the major hacks of the past five years could have been prevented with better organisational response and integration of security tools 3. Half of the respondents to the 2017 Futuriom security survey believe security technology integration is a major challenge in securing endpoints 4. Integrating security tools is a major goal of SysSecOps, which can have beneficial effects in securing the enterprise, according to Futuriom research 5. Many systems and security operations staff say they are challenged by time and resources, meaning further security automation would be welcome 6. Conflicting security goals within the same organisation can be a barrier to securing endpoints and systems 7. Many current endpoint security tools are inadequate, lacking integration with other security components 8. Malware and phishing remain major threats to enterprise security, requiring integrated system monitoring and endpoint protection

Asia Pacific Security Magazine | 35

Plant protection against industrial cyber attacks Cyber attacks â&#x20AC;&#x201C; the danger from the Web

By Philip Taylor Regional Sales Manager, Industrial Communications, Siemens Thailand

36 | Asia Pacific Security Magazine

Every networked device is a potential target for cyber attacks â&#x20AC;&#x201C; it can be your personal computer at home or industrial devices at production facilities. For businesses, cyber attacks would affect operations and potentially cause huge loss of income. In fact, in Asia Pacific, cyber attacks have caused businesses to lose revenues amounting to $81.3 billion in 2015, according to a professional services company Grant Thornton. It seems that company decision makers are aware of this threat, as evidenced by a study conducted by market intelligence company IDC, which suggests that worldwide investment in software to fend off cyber attacks will increase to more than $100 billion by 2020. This represents an increase of about 38% from the previously predicted total of $73.7 billion for 2016. Asia Pacific (excluding Japan) is expected to be the fastest growing region in terms of investments, with a compound annual growth rate (CAGR) of 13.8 per cent. To comprehensively protect plants, systems, machines, and networks against cyber attacks, all levels must be addressed â&#x20AC;&#x201C; from operating to field, from access control to networks, terminal equipment, and copy protection. Additionally, with increased adoption of digitalization in manufacturing

processes, a holistic and customized approach to industrial security system is crucial to ensure that businesses are secure at all levels against the threat of cyber attacks. Plant security as the foundation With the recent increased cases of cyber attacks happening all around the world, more countries are now taking extra precautionary measures. In Singapore, the Computer Misuse and Cybersecurity Act (CMCA) was recently amended with changes that require operators of critical information infrastructure to take proactive steps to protect their systems and networks. For the manufacturing industry, plant security, which creates the foundation and ensures that technical protective measures cannot be circumvented, includes physical access protection measures such as fences, cameras, and card readers. These are supplemented by organizational measures, in particular a security management process that ensures plant security over the long term. To make an informed decision on which measures make sense, the risks should first be analyzed. In this context, factors of consideration include the probability of occurrence as well as the extent of damage the risk could cause. The results of the risk analysis are then used to establish security goals, which

Whether your business is a Small and Medium Enterprise (SME) or Multinational Corporation (MNC), turning a blind eye to cyber attacks would be fatal and would limit the company’s competitiveness.

Protecting the automation network is crucial Network security is at the heart of the security concept. This aspect includes protecting the automation networks from unauthorized access and checking all interfaces to other networks, such as an office network or the Internet. Transitions to other networks are protected by means of firewalls or a DMZ (demilitarized zone) – a network within a network, with controlled access to the data, devices, servers, and services in it. No connection can be established using the DMZ, even if one of the computers in it has been “taken over” by a hacker. For remote maintenance or telecontrol applications, it is often necessary to connect plants to each other via the Internet. Hackers can easily detect unprotected entry points in plants with critical infrastructure using search engines, port scanners, or scripts. Here, it is important to implement protection measures against unauthorized access, the reading of confidential data, and the manipulation of parameters or control commands. Importance of keeping up with evolution

form the basis for organizational and technical measures. In the next step, the suggested measures are implemented to close any identified gaps. Ultimately, it is the human factor – the employees, specifically – that is and will remain important. Experts agree that 95% of all cyber attacks would become futile in an instant if all systems were updated regularly. So if a user keeps postponing a computer update, this can become a risk, too. Security solutions can only work if the staff understands their importance. Sharing information about specific security incidents Another hallmark of a comprehensive security concept is ensuring system integrity. This includes protecting automation systems and controls as well as SCADA and HMI systems against unauthorized access, and protecting the know-how they contain in the best way possible. The security concept also includes the authentication of users and their access rights as well as hardening the system against attacks. If there are security issues, the service staff informs the companies and provides recommendations, updates, and security patches as quickly as possible. This way, the requirements of laws such as the Singapore Cybersecurity Act in Singapore are met.

The cybersecurity industry is constantly evolving according to rapid technological changes and capabilities of attackers. With the rise of Digitalization, communication networks are becoming more complex; value chains are being integrated on a digital thread and increased dependence on data are making companies emphasize more on security. Applied security concepts protect against potential threats to infrastructure with a high degree of networking and a high number of entry points. Multiple barriers are set up to fend off attackers as a threat management method. For example, even plant operators can access only certain plant sections, devices, or applications. Some have administrator rights, while others have only read or write access. Whether your business is a Small and Medium Enterprise (SME) or Multinational Corporation (MNC), turning a blind eye to cyber attacks would be fatal and would limit the company’s competitiveness.

Asia Pacific Security Magazine | 37

Cyber Security

Next generation security intelligence operations Interview with Vasant Kumar: Future learning opportunities on safeguarding business and industry By Chris Cubbage Executive Editor and Jane Lo Singapore Correspondent

38 | Asia Pacific Security Magazine

ne never stops learning. As in the past, there will remain future learning opportunities on safeguarding business and industry with next generation security intelligence operations. HPE’s ASEAN Information Security Day, held in Singapore, focused on the theme “Information Security – Investigate & Incident Response” and presented new ideas around Security Intelligence Operations, investigating and responding to incidents, and discovering the path of continued innovation. Vasant Kumar, Regional Customer Success Manager for the Asia Pacific region with HPE ArcSight, HPE Software reported “We are seeing an unprecedented growth in the volume of data that is being created, generated and adopted each day, versus, for example, 5-10 years ago when there were not that many mobile applications. The biggest disruptor is the variety and velocity of data – where billions of contents are shared on social media and movies are watched online, and where sensors are built into everyday consumer products.” During his presentation, titled ‘Resilience for Growth’, Vasant Kumar outlined what it means to be able to successfully and intelligently utilise and adapt this exponential growth of data. “To analyse these large data sets to detect patterns, trends and associations of malicious activities – in a shorter frame of time, and at a lower cost, means the need to build a tool to be able to store and perform contextual searches on the growing scale of data in a simple-to-use-andunderstand way. We see this simplification of process, as smart analytics, that is key to resolving and closing issues rapidly.”

The adoption of Big Data Analytics, combined with correlation analytics, is also key to defending against multistaged attacks. The data is ingested into the HPE ArcSight Data platform and event correlation and security analytics is enabled to identify and prioritise threats in real time and remediate incidents early through HPE ArcSight ESM. HPE Security’s State of Security Operations 2017 report of capabilities and maturity of cyber defense organisations highlighted some key findings, including a sharp decline in maturity for organisations that are opting out of real-time security monitoring in favour of post-event search technologies. While this is a disturbing trend, organisations that have adopted hunt team capabilities as an add-on to their existing real-time monitoring programs have seen success in rapid detection of configuration issues, previously undetected malware infections, and SWIFT attack identification. The State of Security Operations 2017 report also noted that “HPE did not observe a direct relationship between the size of the organisation and operational maturity across commercial and public sector organisations. While there are larger organisations at or near the top, an exploration of the lowest performing organisations reveals some large multinationals that have simply not prioritised security operations. The allocation of IT budget and security budget to protect revenue, privacy, critical infrastructure, market share, safety, and intellectual capital is sizable when there is much to lose. Despite access to significant resources those organisations are not more mature. Security as a competitive

Cyber Security

differentiator, market leadership, and industry alignment are better predictors of maturity. The right growth strategy for cyber security maturity How should customers establish their growth strategy, in terms of cyber maturity? What are the key focus areas and challenges? Vasant Kumar considers and outlines the HPE approach. â&#x20AC;&#x153;Whether protecting brand, intellectual capital, and customer information or providing controls for critical infrastructure, the means for incident detection and response to protect organisational interests have common elements: people, processes, and technology. The HPE model, SOMM (Security operations maturity model and methodology), focuses on multiple aspects of a successful and mature security intelligence and monitoring capability including people, process, technology, and the supporting business functions. These four pillars are equally important. Our experience with our clients revealed that, while clients focus on people, process and technology, it is critical to gain the buy-in from the business, who has an important role to play. When we deliver services, the first thing we conduct are the Business Requirements Mapping workshop with our clients. This is a series of a 5-day workshop with the key stakeholders where we establish the business issues. We do this by identifying these across products, services, and use cases, and the associated risk levels. For example, for a banking client, we map against the compliance and regulatory requirements relating to system logs, and help the client automate these reports in an auditable way. In this way, the client is able to demonstrate to the auditors that there is an established protocol in place to review logs and highlight issues. Everyone has a responsibility when it comes to security. And this includes the business, which means the need for the board to be involved in key decisions relating to security. Knowing there was a security risk and not prioritising it is no longer acceptable. Stringent regulations are being enforced in certain industries, for example in financial services. Aligning the cyber security goals against regulatory requirements will also be useful in helping to formulate growth strategy. Security Intelligence and the key sources for Security Operations Security Intelligence using analytics, such as machine learning and predictive analytics across diverse data sets, can help an organisation become proactive, rather than reactive, in managing cyber risk and mitigate threats. Vasant Kumar notes, â&#x20AC;&#x153;this allows our clients to identify threats quickly and accurately so that action can be taken before critical systems are impacted. With the ability to predict, using a data collection platform that is reliable and secure, it provides visibility and triggers for alerts generation. Data collected, normalised and enriched through this platform, include key sources such as: logs, sensors, stream

network traffic, security devices, web servers, customer applications, cloud services and others. HPE ArcSight Data Platform (ADP) 2.0 collects data from these sources and delivers an open architecture that can also send event data to third-party applications such as Hadoop, data lakes, or even proprietary in-house applications. For example, data from the end-device monitoring capability allows for identification of the specific device in issue and reduce time to make an informed decision to fix any problem quickly. In addition, normalising and categorising data immediately after it is collected, and enriched with security context enables faster correlation and threat detection. This also helps our clients to be proactive rather than reactive. Our in-house threat intelligence feeds can be plugged onto the platform. For example, our Threat Intelligence team monitors the cyber underground to understand the threat actors and the indicators of compromise; our experts in vulnerability, malware and defender research perform complex analysis of the latest malware and exploits while putting the trends into context for defenders; and we have our data scientists and security researchers utilise machine learning and predictive analytics to develop use case driven models. We also use Open Source intelligence and collaborative feeds, such as Stix, Taxii, which are integrated into the platform.â&#x20AC;? >>

HPE ARCSIGHT Evolves Beyond Traditional SIEM HPE ArcSight continues its leadership in the industry, helping clients to protect their organisation against cyber threats using a risk-based adversary-centric approach. As the landscape of threats vectors moved beyond the traditional IT environment to OT, to now IoT, HPE had recently launched a rethink of the fundamentals of ArcSight. The roadmap for HPE ArcSight will continue to help protect clients against the most aggressive threat environment in the history of IT security HPE ArcSight is a next-generation cyber defense solution with security and compliance analytics. In coming up with the roadmap, we have taken on client pain points.

Asia Pacific Security Magazine | 39

Cyber Security

The solution allows clients to easily expand the size and breadth of a deployment by delivering an open and scalable architecture. The multidimensional real-time correlation uses rule-based, statistical or algorithmic correlation, as well as other methods, to allow clients work smarter.

•

There are three aspects considered as key in planning the roadmap:

that enables needle-in-the-haystack queries of both active and historical data with a simple search interface. Interesting search patterns can be easily converted into real-time alerts. The investigation and forensic tools help obtain the right information at the right time. You can track situations as they develop and query both active and historical data to investigate possible threats and conduct entity profiling.

Data chaos into security insights with powerful querying capabilities

3. Respond to threats – all alert mechanisms, KPIs, SOC metrics, workflow in place

•

ADP is now architected for the breadth, depth and speed of Big Data collection that organisations demand to improve their security posture. It collects machine data in real-time from a broad range of sources (including logs, clickstreams, sensors, stream network traffic, Web servers, custom applications, hypervisors, social media, and cloud services. It enables you to search, monitor and analyse the data to detect security threats faster. The variety and velocity of data is ingested, enriched, stored and brokered with “Event Broker”. Event Broker is an Event shuffling and distribution of data that uses the Kafka open-source stream processing technology. It streams traffic meant for internal or external use; for examples whether the data is meant for correlation / analytics; or meant for long term compliance and third party repository purposes. This next generation data collection and storage engine allows you to capture data at rates of up to 400,000 events per second, and executes searches at millions of events per second.

•

• •

•

2. Address the challenges of skills and manpower • •

Make it simple to use “simpler & faster searches” ArcSight Investigate, a next generation hunt and investigate solution, features a simple search interface

Events of interest can be manually or automatically escalated to the right people in the right time frame. The robust workflow framework comes with built in case management and can integrate with existing processes and systems.

Information security – investigate & incident response Interview with Stephen Kho: The key IR skills, roles and why non-technical skills are still important. With a computer engineering system background, Stephen Kho, Managing Principal, Consulting Services for HPE Software gained his security experience in firewalls, IPD/ IDS management, and spent more than ten years building and leading pen-testing teams. “The Pen Testing team members I recruited,” Stephen notes, “included professionals from other areas such as chemists and educational specialists. The common traits amongst them, regardless of their technical expertise, was the level of inquisitiveness, motivation to learn, analytical ability and ability to think outside the box, or in other words think laterally. This is the mindset I look for.” The different roles within an Incident Response Team include Intelligence Analyst, Data Scientist, Digital Forensic

Figure 1: Data from everywhere to anywhere: Open Architecture

40 | Asia Pacific Security Magazine

Cyber Security

Investigator and that is why the skills shortage is a real challenge. While technical skills can be taught, Stephen Kho believes that attitude is key. “During the interview, I would ask technical questions, but this is only to allow me to gauge how much technical training I need to give. From an incident response perspective, having ability to think outside the box and analytical abilities are key to enable a Level 1 security analyst to progress to a Level 2 for example, where the security incident related tasks are more challenging. At the security analyst Level 2 level and above, the investigative activities can include digital forensics, network analysis and reverse engineering. Inquisitiveness and having the motivation to learn are vital traits, especially as the attack landscape is constantly evolving and the level of attack sophistication is increasing.” Uncovering cybercrime and expectations from authorities Should a cybercrime be uncovered, Authorities would want to clarify that the data handling & information dissemination steps the client has taken comply with the relevant legal requirements. This includes the policies and procedures that are in place internally. Stephen acknowledges that this encompasses many aspects. “For example, HR policy should set out code of conduct in relation to data handling policy pertaining to privacy and protection of personal and sensitive data. There should also be procedures on data breach notification and the relevant escalation triggers and procedures. This should also include disclosure and confidentiality procedures in the event of a potential cybercrime under investigation, including who is allowed access to the investigation details and progress. These policies would be aligned to the rules and regulations of the relevant jurisdictions that the client operate under. Internally, forensic handlers must understand the regulatory and legal requirements, and these vary across jurisdictions, meaning, how to handle evidence and maintain evidence for admission into the court of law. With HPE

Consulting we share with our clients, in our training sessions, the framework to ensure that adequate policies and procedures are in place to process information and data relating to cybercrime, that comply with the legislations and regulations.”

on the server had

Achieving outcomes from Incident Response

been reported,

The IR platform must have a good reporting and tracking functionality, including workflow and case management functionality. It is important to have a robust reporting tool with time stamped and staged details for events, and acknowledgement of who is looking after which case. This allows members of the team to do immediate investigations, make informed decisions and take appropriate and timely action. Team members who are responsible for responding to incidents need to be familiar with the reporting tool, as well as the policies and procedures on documented standards. This includes the minimum amount of information that needs to be captured to enable handoffs between L1 and L2 security analysts. Or between experienced and newer members of the team. “For example,” Stephen notes, “if a malware on the server had been reported, the reporting tool should highlight if it had been resolved, and if not, what is the resolution stage of the incident, and who is the case owner. It is important for the reporting tool to capture the right information, that is, relevant and timely information. Availability of actionable data is important to enable the team to understand the background of the issue, and the case status. At HPE Consulting we help our clients achieve this by a combination of initial and continuous training and teaching. We share the best practices in terms of opening and closing an incident with an adequate audit trail. We also provide training on frameworks and approaches that allow the clients to standardise the documentation in a consistent manner, in order to allow decisions and actions to be taken. Not only does this reduce the time spent on response, it also addresses the skills shortage challenge, which is one of the key areas we are focusing on in our roadmap.”

the reporting tool

"if a malware

should highlight if it had been resolved, and if not, what is the resolution stage of the incident, and who is the case owner. It is important for the reporting tool to capture the right information"

Figure 2: Hadoop Integration Architecture

Asia Pacific Security Magazine | 41

Cyber Security

Will Bluetooth 5 be IoT’s saviour?

W By Morry Morgan IoT & Technology Correspondent

42 | Asia Pacific Security Magazine

e’ve had Bluetooth since the mid 1990s. The oddly-sharp ‘B’ icon on our desktop and blue light on our peripherals have seeped into our digital décor over time, but ultimately the technology has been unremarkable. It has connected our computer to our phone, and phone to our wireless speakers, but beyond home use, Bluetooth, or more specifically, Bluetooth 4, hasn’t done much more than what WiFi was already doing. The ‘Classic’ version was used in keyboards, mice and wireless speakers, and the ‘Low Energy’ version, in health care, fitness bands and beacons – but again, nothing to write home about, and in no way an enabler for the Internet of Things (IoT). Then along came Bluetooth 5. “Citius, Altius, Fortius” - Latin for "Faster, Higher, Stronger”. This is the Olympic motto, but it could also be that of Bluetooth 5, because this generation of wireless transfer is likely to change the way we live and work - faster, higher and stronger. What’s more, the biggest gains have been made in the Low Energy (LE) version, which will catapult Industrial IoT and home use. Here’s how.

FASTER Bluetooth 4, the one that is currently sitting within your PC, Mac and smartphone, is about half the speed of its successor, Bluetooth 5. This means that assuming there are no physical barriers, the Bluetooth 4 is roughly 1 Mbps. Bluetooth 5 is double that. This latest version is therefore faster to sync, while also transferring video and audio twice as fast. Better still, that speed doesn’t come at a cost. In ideal situations, Bluetooth 5 uses two and a half times lower power. Possible new use cases: Battery and/or solar charged video surveillance cameras, both for home and commercial use. HIGHER Sure Bluetooth 5 is faster, but more importantly, especially for the Internet of Things (IoT), it is by far more practical. That’s because it offers something that Bluetooth 4 doesn’t – Bluetooth Mesh. Bluetooth 4 requires a hub, to which all of the connected devices can communicate directly, like spokes in a wheel. In a

Cyber Security

data is only stored locally on the device. Possible new use cases: Parking meters lining streets in a city, stocktaking sensors in a warehouse, and long perimeter fence surveillance cameras. STRONGER With the Low Energy version of Bluetooth 4, the outdoor and indoor range was approximately 40 and 10 meters, respectively. With Bluetooth 5, that distance has been boosted to a 200 meters line of sight – or 40 meters within a building. That means Bluetooth 5 devices could replace the more power intensive WiFi devices in the home and office, and become ubiquitous in open plan factories. And then there’s the commercial utility – beacons. Beacons, an unimpressive application of Bluetooth 4, suddenly become practical in version 5. With a limit of 31 bytes, Bluetooth 4 was only ever able to transmit a Universally Unique Identifier (UUID) number, which required a mobile phone to be connected to the web to translate that UUID into an action, such as opening a website or email application. But with Bluetooth 5, over 255 bytes can be transferred directly from the Low Energy beacon to the phone, independent of an Internet connection. Payment details, GPS coordinates, department store specials, and website URLs can all be included within a single transmission, and since it’s low power, such beacons can be added into everything from parking meters and smart farming to advertising signage and warehousing. Possible new use cases: Parking meters within multilayered car parks, security on shopping trollies, SO WHAT’S THE CATCH?

wireless environment, this is a significant limitation, since the distance from the hub to Bluetooth 4 supported peripheral device, say a camera or parking meter, is the absolute limit of the connection. But with Bluetooth 5, a network mesh is possible, allowing every device to be able to transfer data from every other connected device, extending the range indefinitely. This is a game changer for Industrial IoT, and the myriad of cheap, low powered sensors that can now be added to a factory’s production line, warehouse and office. As long as one Bluetooth 5 device can connect to another Bluetooth 5 device, it is able to connect to all. All for one, and one for all, which makes for higher efficiency. And of course, this allows for IoT edge computing. Edge computing, where rudimentary processing is done by the device, rather than the server to which the data is sent, reduces the pressure on networks and associated costs with high data transfer. Surveillance cameras need only send images and video to the server once movement is detected, or certain shapes (eg. human) enter the field of view. For the 23 hours and 55 minutes of the day where there is no change, the

Since Bluetooth 5 has a longer reach, so too do malicious individuals. In many ways, Bluetooth 4’s weaknesses were also its strength in terms of innate security – limited distance and speed. Attacks utilising Bluetooth 5 can come from a much greater distance, and if the breach is successful, then data can be stolen at twice the rate. What’s more, while there is device authentication, there is still no user authentication built into the Bluetooth 5’s. That responsibility still falls on the mobile phone software and application developers. Of course, these security holes might be plugged with the release of Bluetooth 5.1 or later versions, just as 802.11 wireless Local Area Network (WLAN) evolved from Wired Equivalent Privacy (WEP). That being said, for now a properly secured phone using the latest version of Bluetooth and a user authentication-enabled app will suffice for most enterprise use cases. But, if Bluetooth 5 is to support the huge growth in IoT, further iterations focusing on security will be absolutely necessary. This is the world of Bluetooth 5. Only last year, Bluetooth was the awkward second cousin of the networked ecosystem, trailing behind WiFi, but in 2017 version 5 presents itself as the cooler, older brother that will undoubtedly catapult the IoT into our living rooms, boardrooms and factory floors. And it will do it Faster, Higher, and Stronger.

Asia Pacific Security Magazine | 43

INTERPOL World - Policing Feature

Overhaul urged for Australian Biosecurity: The consequences of complacency could be irreparable.

T By Debbie Evan

44 | Asia Pacific Security Magazine

he term ‘biosecurity’ often conjures images of biological decontamination units, letters containing Anthrax spores, remnants of State sponsored biowarfare programs, and laboratory created super viruses that have the potential to infect millions of people across the globe. Global discourse, along with some of the world’s most educated and influential people such as Bill Gates, warn of scenarios where terrorists or bio-criminals with malicious intent obtain deadly pathogens from synthetic genomics companies, unsecured laboratories or from naturally occurring pathogens found in the environment. The potential for biological weapons to be developed and delivered into overpopulated cities with relative ease is a frightening but realistic prospect. The global biosecurity literature therefore takes a multidimensional, layered approach to the threats which pose a security risk. Of specific note is the Danish biosecurity system which addresses modern biosecurity threats evolving and emerging from the global environment. The legislative framework operates under a single, national biosecurity agency – The Centre for Biosecurity and Preparedness (CBB). In Denmark, biosecurity is understood as ‘the prevention of malicious use of biological substances and related materials’ and the biosecurity effort aims to secure biological agents and related materials from potential theft, loss, accidental release or malicious use. The contemporary Danish operating model is reflective of the multidimensional concept of global biosecurity, and is pre-emptive in nature, rather than reactive. In Australia however, the term ‘Biosecurity’ is often

synonymous with quarantine. Biosecurity is frequently understood in an agricultural context and on a practical level, is mostly an extended quarantine function – addressing the risks of pests, weeds and diseases contaminating our environment, impacting on Australia’s agricultural sector and economy as well as human health. In the Australian context, the Biosecurity Act 2015 (Cth) provides for the legislative administration of biosecurity in Australia, however its focus is predominantly centred on border control and administrative functions, along with powers relating to biosecurity response, post event. Consequently, it is very much a quarantine model, albeit an extended one. So why is there such disparity between the global framework of reference and biosecurity in Australia? At an international level, the Biological Weapons Convention (BWC) came into force in 1975, however there remains no international organisation responsible for biosecurity governance or oversight for the implementation of the BWC. Similarly, although the United Nations Security Council Resolution 1540 (UNSCR 1540) contains legally binding obligations on member states, the 1540 Committee (the Security Council Committee established pursuant to resolution 1540) is not a sanctions committee, and does not prosecute or investigate alleged violations of obligations. The flow on effect for biosecurity policy developing out of international governance essentially does not exist and as a result, Australia has developed its own model of biosecurity. Over time, the Australian model has remained aligned with principles of quarantine, rather than principles of security as seen in other sectors with international

INTERPOL World - Policing Feature

implications. For example, Maritime Security and Aviation Security, through various treaties, have specialised intragovernmental direction to ensure standardised minimum security controls. These include the International Maritime Organisation (IMO) established in 1948, with its Safety of Life at Sea convention (SOLAS). Chapter XI-2 of the SOLAS convention (special measures to enhance maritime security), embodies the International Ship and Port Facility Security Code (ISPS). For aviation security, the International Civil Aviation Organisation (ICAO) sets the consensus direction security standards, embodied with Annex 17, under the United Nations. The influence of these international organisations on national development ensures consistency across countries and regions. Biosecurity has not yet reached this milestone. While the Australian biosecurity framework has provided us with possibly the best quarantine system in the world and cemented a clean, green image for our agricultural sector, it is arguably economics based within the context of international trade, rather than considering malicious centred actions. The current biosecurity focus in Australia is about controlling the introduction of pathogens through non-malicious means, that is; accidental contamination of materials and equipment being imported, the inadvertent importation of high risk items into the country, unintentional introduction of pathogens from the import of plants and animals, and other modes of introduction such as vector borne diseases or pathogens emerging from natural or environmental conditions or sources. These are only a few examples of biosecurity risks and modes of introduction. The broad spectrum of risks seems to have one common theme - the component of malicious intent is at best lacking, if not almost entirely absent. From this, it would appear Australia has deviated from current global concepts of biosecurity risk and as a result, is potentially lacking in fundamental principles of security. In the global threat environment, biosecurity is more than an issue of agricultural quarantine and likewise, Australia cannot afford to be complacent. The implications of a biosecurity system lacking in fundamental principles of security are enormous and the potential impact could be devastating not only to our economy from agricultural losses, but to human health in the event of malicious introduction of disease. In agriculture alone, the potential impact on the economy from the introduction of a pathogen such as Foot and Mouth Disease could reach $50 billion, a 2013 estimate from the Federal Government. The 2001 Foot and Mouth outbreak in the U.K. affected approximately 10 million animals and cost an estimated £8.6 billion (approximately $15 billion AUD). On a much smaller scale, the economic impact of a biosecurity breach is currently evident in Western Australia due to the detection of Tomato Potato Psyllid, a pest which affects tomatoes, potatoes, eggplant, capsicum and other plants in the Solanaceae family. The government has implemented a Quarantine Area Notice (QAN) and emergency interstate movement controls are in force. The impact on the WA economy is estimated to run into the tens of millions, not to mention the impact on the lifelong efforts and livelihoods of vegetable farmers. The detrimental effect on WA vegetable producers is relatively small in proportion to the potential

impact of a major biosecurity event in the cattle or wheat sectors. The National Farmers Federation (2012) estimates the gross value of Australian farm production to be $48.7 billion a year with Cattle, Wheat and Milk being the top three agricultural commodities with an estimated combined annual production of $15.5 billion. As devastating as the impact of Tomato Potato Psyllid is on WA vegetable producers, it is nowhere near as catastrophic as the impact of a deliberately and strategically introduced pathogen on one of our major agricultural sectors. To address this potential catastrophic outcome, agriculture must arguably be re-evaluated and regulated as part of Australian critical infrastructure. Currently, the agricultural sector is not considered high priority critical infrastructure, rather food and grocery is included as a sector group of the 2015 Critical Infrastructure Resilience Strategy – a non-regulatory business-government partnership. However, forward thinking policy developers should be cognisant that the vulnerability of the entire agricultural and food producing sector and regulatory security requirements should be further developed in line with critical infrastructure and national security policy. Regulation of the security of farms, farming assets and infrastructure is key to addressing threats of a malicious nature, consistent with that of the aviation and maritime sectors. Current biosecurity strategy, such as border security and on-farm surveillance training, will certainly aid in the prevention of the introduction of plant and animal weeds, pests and diseases - however, it will not address the risk of deliberate and malicious destabilisation of the agricultural sector. The Beale Review (2008), highlighted that Australia would benefit from a single agency responsible for Biosecurity. Such an approach is arguably necessary if the Biological Weapons Convention as the international legislative framework (until such time as an international biosecurity organisation is established), is to be adopted, and broader biosecurity policy should be driven by collaborative global assessments of biosecurity risks. In the agricultural sector, risk mitigation needs to start at the farming level through the implementation of security regulations developed for the protection of farms – not reliance on biosecurity officers at the border or farm workers as part of the ‘shared responsibility’ strategy. In the interests of long term national preparedness, Biosecurity in Australia needs to be redeveloped into a broader, more threat driven holistic approach with security as the underlying methodology rather than purely being an extension of a quarantine framework.

"The 2001 Foot and Mouth outbreak in the U.K. affected approximately 10 million animals and cost an estimated £8.6 billion (approximately $15 billion AUD)."

About the Author Debbie Evans BSc (Security) is currently undertaking a research based Master of Science (MSc) through the Security Science program at Edith Cowan University, under the supervision of Associate Professor David Brooks and Dr Michael Coole. Her research focus is on Biosecurity in agriculture, and aims to promote a global threat perspective within the Australian biosecurity landscape. Debbie has extensive experience working cross-culturally (South East Asia) and is currently the Director of an agricultural business in Western Australia with an interest in sustainable farming.

Asia Pacific Security Magazine | 45

INTERPOL World - Policing Feature

The

Robocop Continuum Confronting automated and robotic policing

I By Dr Monique Mann

n July 2016, Dallas police deployed and detonated a remote controlled robot laden with explosives, resulting in the death of a sniper. This event drew widespread attention to robotics in policing, as this was the first time a robot had been used to kill outside the battlefield. However the use of robots to slay suspects, as in the Dallas case, represents but one extreme example of robotics in policing. There is a more nuanced continuum of police technologies being widely implemented in Australia, and around the world. Two opposing axes of hardware-software and autonomydependence define the continuum of police robots. This produces a typology of automated and robotic police technologies, including dependent (or human operated) robotic hardware, autonomous robotic hardware, dependent software and autonomous software. From dependent hardware police robots through to autonomous softbots, the social, legal and ethical issues become increasingly more complex and appreciation of this continuum of technologies precipitates important considerations concerning human rights, due process protections and regulatory approaches. Human Operated Police Robots Robots are increasingly part of law enforcement operations, and most robotic devices currently in use are human-operated. That is, the robot or machine complete tasks under human

46 | Asia Pacific Security Magazine

control and supervision. This may include functions ranging from bomb defusal to crowd dispersal (via the use of Long Range Acoustic Devices, LRADs). The actions of these robots can be attributed to human decision-making, however this is not to say these technologies are unproblematic or do not raise important ethical, social and legal concerns. One major unresolved issue concerns the use of both lethal and non-lethal force by human operated robots, as was the case in the Dallas incident. Yet when decision-making becomes increasingly abstracted from human actors, further issues emerge. Autonomous Deception Detection and Robot Enhanced Interrogation Police have historically used the polygraph for lie detection; however, a modern alternative is evolving in the form of the Automated Virtual Agent for Truth Assessments in Real-Time (AVATAR), currently under development by the University of Arizona and United States (US) Customs and Border Protection. Further, the US Department of Homeland Security is working towards Future Attribute Screening Technology (FAST) where a robotic interviewer asks questions while assessing biometric information such as facial expressions, voice intonation and inflection to detect deception. Combining this technology with predictive questioning and access to large and ever expanding police

INTERPOL World - Policing Feature

databases enables robot-enhanced interrogation. There are concerns about an individual’s right to silence and to not self-incriminate, as well as questions around the parameters of legitimate search. Here, ‘black-box’ decision-making creates the potential for limited transparency in how policing decisions are made by machines. Automated and Area Wide Surveillance Automated systems of surveillance including Automated Facial Recognition Technology (AFRT) and Automated Number Plate Recognition (ANPR) have the potential to completely remove humans from decision-making processes associated with surveillance and access control. The integration of this technology with widely implemented existing surveillance systems such as CCTV has enabled automated detection and decision-making. For example, some businesses in the UK are using a system known as Facewatch that scans and cross-references faces with police databases to alert store owners when suspected shoplifters enter their store. In addition to automated surveillance, there have been recent revelations about programs of area wide surveillance by drones and aircraft, such as by the Baltimore Police Department. Together, these programs have the potential to create a world of near ‘perfect’ surveillance with obvious implications for individual rights to privacy.

‘black-box’ decision-making creates the potential for limited transparency in how policing decisions are made by machines. Conclusion The regulatory tipping point for automated and robotic policing has past. Certainly police robots should be considered as not only the agents, but also the subjects of law. Priority areas requiring attention and new regulatory measures include legal frameworks surrounding robot use of force, processes to ensure the transparency of ‘blackbox’ automated algorithmic enforcement decision-making, consideration of how criminal law is converted into algorithm and the admissibility of softbot procured evidence in criminal trials. These issues must be confronted in the futures of automated and robotic policing.

Autonomous Robot Patrol Autonomous patrol by robots is perhaps the clearest example of both automation and robotics technology in policing and uptake is readily expanding across the world. The Knightscope K5 Robot is a popular choice in the US for patrolling shopping centres, car parks and schools. Robotic prison guards have been used to patrol prisons in South Korea, and the ‘Reborg-Q’ patrols public areas in Japan. From May this year autonomous police robots will patrol in Dubai, where officials have set a target that a quarter of all police will be robotic by 2030. Questions remain about the capacity for human decision-makers to override autonomous agents when on patrol making independent policing decisions. Who is responsible for the actions of autonomous robots? How do we translate criminal law into algorithm? What parameters are set to operate? What is the impact of machine learning? And how do we factor in error? Softbots, Information System Security and Cyber Policing Finally, ‘softbots’ (autonomous software) must be considered following last year’s Defence Advanced Research Projects Agency’s (DARPA) grand cyber challenge with programmers competing to develop and deploy autonomous software that both defends and attacks information systems. There are numerous possible applications of autonomous softbots in cyber security and law enforcement contexts. One example is the ‘Sweetie’ softbot, a computer generated 10-year-old Filipino girl created specifically to lure online child sex predators. As these cases proceed to trial, it is unclear whether this use of technology will be considered entrapment.

The Knightscope K5 Robot Asia Pacific Security Magazine | 47

INTERPOL World - Policing Feature

The security implications of driverless vehicles

T By Keith Suter Managing Director Global Directions

his article is designed to help us think about the unthinkable. Mass produced motor vehicles have transformed our life in the past century or so. We are now apparently only a few years away from another dramatic transformation. But there is little public discussion in readiness for the new era. Henry Ford’s revolutionary method of mass production (which we now take for granted) not only changed our methods of transportation but also created its own economic and social eco-system. Thus, cars and trucks could travel long distances; gas stations were needed for refuelling; road side café’s refuelled the passengers; fast food outlets increased the delivery of food. A whole new consumer culture emerged. Healthcare experts might also complain about the increased costs, such as road accidents and the risks of a sedentary way of life. The Next Big Disruption The next big digital disruption will be self-driving vehicles: vehicles that do not need a human driver. They eventually will not even have a driving wheel or “front seat”. The consumer will call up a car via their app. The vehicle will take them to their destination, debit their bank account, and drive off to the next consumer. Uber, which is an investor in this new technology, is already getting users accustomed to not needing their own

48 | Asia Pacific Security Magazine

personal vehicle. Acquiring one’s own first motor vehicle used to be a rite of passage for young people; now that is ending. Uber is getting people used to not owning cars. Instead a customer may now call up a human driver to take them from one point to another. The next stage will be to remove the human driver. The driverless revolution contains a number of promises. Self-driving vehicles will provide: safety (most current accidents involve human error such as texting while driving or driving under the influence of alcohol), convenience (no need to worry about where to park a car) and efficiency (people will have more time to work in their vehicles). The cars will also communicate with each other and so they can work together to reduce traffic jams; the passenger will decide on the destination and leave it to the car to go via the best available route. A new industry will emerge to cater for what goes inside the vehicle: entertainment systems will be built into the vehicle to occupy time while the vehicle is moving. Two demographic groups that may urge greater attention to this revolution are: people with disabilities, and older people who can no longer hold a driver’s licence. Both groups will see the potential for their increased mobility. Currently an average car spends only two per cent of its life on active service; the other 98 per cent is spent being parked somewhere. Self-driving cars will mean less space needed to be reserved for car parks (which are storage

INTERPOL World - Policing Feature

spaces for empty cars). Laws are already being changed in some American states and parts of Europe to permit vehicles to travel “without the active physical control or monitoring of a natural person”. These vehicles (cars, buses and trucks) will be widespread by 2030 or even 2025. Today’s players (notably Google, Tesla, Mercedes, GM and Uber) are expecting the gradual introduction of the vehicles. For example, insurance companies may decide to penalize car owners who wish to drive their own vehicles, and so gradually car owners will opt for driverless vehicles. Human-driven cars will not suddenly disappear; there will be some years notice of the new era emerging. There will also need to be major infrastructure reforms: the creation of “driverless roads” and having vastly increased bandwidth for the sensors to operate. New infrastructure employment opportunities will therefore also be created. Motor accidents in developed countries is one of the most common ways of dying. Driverless vehicles hold out the promise of much safer travelling. How will parents in the future explain to their children that they once had to risk their lives by driving cars? The Wider Security Implications There is, therefore, much to be said about the driverless vehicle revolution. However we also need to go into this new era with an awareness of the security implications. There is a tendency to plunge optimistically into new technology looking only at the presumed benefits without also thinking about some of the possible security risks. Modern societies run on wheels. The risk of disruption cuts across all economic activities: travel to school and work, transportation of goods, marketing of vehicles, medical and legal work on traffic accidents. Here are three issues worth monitoring. First, all discussions involving the Internet need to factor in the vulnerability of the spinal column so to speak. Danny Hillis is one of the Internet’s pioneers (he had one of the world’s first Internet addresses). In a 2013 TED talk The Internet Could Crash: We Need a Plan B he warned about the Internet’s vulnerability to disruption. The Internet is now an “emergent system”. It is constantly changing and so no one person or organization now has a complete understanding of the entire system. A comparison could be could be made with the 2008 Global Financial Crisis: this was triggered by a disruption in a small part of a complex web (a sector of the US housing mortgage segment) which had a contagious impact on the entire system. An obvious point of vulnerability with the Internet is the array of aerial communication satellites. An attack (say by North Korea) on a part of that system could disrupt much of that system. As with terrorism, the North Koreans could rely on the mass media to spread alarm. Depending on the duration of the Internet crash, people could be stranded on motorways long distances away from help. Second, it is impossible to predict extent of the impact on employment. Some new jobs will be created to cater for these vehicles. But a major incentive for innovation is the prospect of reducing labour (and therefore costs). There is bound to be

increased unemployment as the years roll by. In August 2016 Uber bought Otto a California start-up specialising in self-driving cargo trucks. Two months later Uber’s first self-driving truck made its first delivery: 50,000 beers transported without problems across the state of Colorado. While driverless cars may get the publicity, the trucking industry is where major strides are also taking place. A by-product of the decline in retail shopping centres, is an increase in parcel delivery because people buy online. Driverless trucks increase the opportunity for “platooning”, whereby a series of trucks can drive at high speed close to each other, thereby reducing air pressure (and so gaining greater fuel efficiency). The vehicles communicate with each other on how each is travelling. However, trucking is an important source of American employment. It is one of the best-paid sources of employment for people without university education. It is the most common occupation in 29 American states (out of 50). The drivers are at risk of losing their jobs. Trucking is also a key part of an economic and social ecosystem. That ecosystem evolved from the Interstate Highway network created in the 1950s, 1960s, and 1970s. That network replaced an older ecosystem of small towns and villages along such routes as those on the legendary Route 66 (which is now becoming a form of heritage trail). Driverless trucks will not need roadside cafes and diners. Long-term structural unemployment is one of a country’s gravest security threats. At the very least, there is an anger that can be mobilized by populist politicians. The German experience of the 1930s showed that such populism can result in extremist politics. Some unemployed people may turn to physical violence. What could be the employment implications for industries based on coping with road accidents (ambulance, police, trial lawyers, insurance companies)? There is a lot more to driverless vehicles than just the disappearing drivers – many other occupations will also change (and possibly disappear). Third, every new technological development brings new opportunities for crime. Car-jacking has already been identified as a risk. In July 2015 Fiat Chrysler Automobiles recalled 1.4 million US vehicles to install software after a report raised concerns about hacking. The authors of that report, IT researchers Charlie Miller and Chris Valasek, also showed that it was possible to car-jack a Jeep Cherokee by remotely taking control of the jeep’s IT systems. Even before the onset of the driverless vehicles revolution, modern vehicles are already heavily IT-dependent. Like all other forms of IT, these vehicle software systems can be hacked. Looking to the future, will there be car-jacking of important people? Will they be kidnapped off the roads, or their vehicles deliberately crashed to kill them? Or explosiveladen driverless vehicles used for terrorist attacks? To conclude, when I give talks on digital disruption (including the rise of driverless vehicles) and there are politicians in the room, the politicians tell me privately that they are worried about the issues I have raised. But they will not raise them in their own speeches because the voters are more concerned about short-term issues and the issues I deal with are years in the future. Thus, we remain an unprepared society unwilling to think about the unthinkable.

"...gradually car owners will opt for driverless vehicles. Humandriven cars will not suddenly disappear; there will be some years notice of the new era emerging."

Asia Pacific Security Magazine | 49

INTERPOL World - Policing Feature

I By Andrew Macleod

50 | Asia AsiaPacific PacificSecurity SecurityMagazine Magazine

live between, and only a kilometre or so from, the last two terrorist attacks in London. I was also in Liverpool Street station about to board a tube when the 7/7 bombings took place in 2005. On the 9th of February 1996, I was around the corner when the IRA set off their huge bomb in Canary Wharf, London. I have been less than a kilometre from four terrorist attacks in London. In Islamabad, while I worked there for the United Nations, the windows of my apartment shook when, in 2008, terrorists threw a hand-grenade into the garden of the Italian restaurant I was about to go to for dinner. I know terrorism well. I have seen its impacts and consequences. I have felt the shock waves of its bombs. I have spoken to people who have been tempted to cross into the path of terrorism (see Lessons From A Would-be Suicide Bomber, here: https://theconversation.com/lessonsfrom-a-would-be-suicide-bomber-on-how-to-defeatterrorism-52540). I know terrorism better than most, but not as well as some. I have written and spoken before on terrorism and counter-terrorism for some time. I have a view on how we defeat this menace, but it will not be easy.

My main arguments run this way: We need to embrace an alliance with 'moderate' and 'normal' people of Islamic faith and understand that they are our most powerful ally to counter extremism. However, at times 'we' often undermine the moderate and normal people of Islamic faith, when our community choses incendiary and inflammatory discourse in place of an embracing language. I call this part 'getting the 'us' vs 'them' concentric circles right and spoke on ABCâ&#x20AC;&#x2122;s Q and A on this following the Paris attacks. Following Q and A the Islamic Council of Victoria asked me to speak on concrete steps to defeat terrorism, where I listed three steps to defeat terror. These three steps are concurrent and sometimes in conflict, requiring a fine balance. The three steps are: 1. Make life worth living for the people who may be tempted to 'take a short-cut to god'. This is hard and takes a long-term focus on economic growth, inclusiveness and extremely careful public dialogue. 2. Counter the extremists' messages that say 'killing people provides a short-cut to heaven'. This has a strong education and theological side that really can only be done by other people of deep religious faith.

INTERPOL World - Policing Feature

3. Have a strong security apparatus to respond to people who still decide they want to kill people in a mistaken belief that they will gain a 'short-cut to heaven'. Point one and point three are often in conflict with the language of security and the language of inclusiveness often coming into conflict. However, allow me to say a couple of words about point three, security, following the latest attack on London Bridge. Firstly, Britain has an incredibly well trained, well organised and incredibly effective response. Police officers were on the ground within two minutes. For this they must be congratulated. Secondly, Britain was on high alert after Manchester, with urgent reviews and focus on searching for potential new terror attacks over the past couple of weeks. Thirdly, last night's attack was planned, involved multiple perpetrators and would have taken some time to organise. Fourthly, either the perpetrators had incredible communications discipline to make them effectively undetectable, or, there was a failing in intelligence gathering. Both options are frightening. Intelligence failings will, without doubt, be examined in detail. The challenge highlights how hard the third step (security) in counter terrorism is to achieve. It is well known

in intelligence circles that the Security forces need to be lucky all the time. The terrorists only need to be lucky once. The third step, security, happens only after people have decided they will or have launched an attack. Security is our 'last line' of defence. Often though we talk of security as if it were to be our ‘first line’ of defence. The first line of defence is not stopping people who are attacking. The first line of defence is stopping people wanting to attack in the first place. That is step one and step two of my three step process – education and inclusiveness. While I recognise that steps one and two are hard, offer no easy headline nor a politician’s photo opportunity, these first two steps are vital. The great risk I see it is, in our community, when an attack happens, we focus on step three - security, our last line of defence, at the cost of our first line of defence. When an attack happens, our community is tempted to forget steps one and two; the need to reach out, economically empower and educate vulnerable people with inclusive language. In the light of the latest attacks, while we can and must examine security, let's not forget steps one and two. Let's not forget who is the 'us' and who is the 'them' as we try and defeat terror. But above all, lets not succumb to fear. >>

Asia Pacific Security Magazine | 51

INTERPOL World - Policing Feature

During the Westminster attack I sat in my apartment 300 meters away as the scene unfolded, knowing that I was about to walk across that very bridge myself. Was I 'lucky' not to have been there 60 seconds earlier? Many people have said that I am lucky that I have not been injured in a terrorist attack, particularly living in London where the latest crazy, evil murderer took innocent lives, presumably following a distorted ideology. But luck should not be cited for those who just missed the tragedy and nor should the terrorists be allowed to succeed by us succumbing to fear. The sirens blared, the people rushed. The emergency services did an exceptional job as their heroism and training dictates. Social media sparked up and Facebook asked people to mark themselves as ‘safe’ – which I did. Many people responded saying ‘glad you are ok, ‘hope all is well’ and all those kind notes that remind one that friends exist. The most common response I received was ‘you are lucky you weren’t there’. During the Westminster attack I sat in my apartment 300 meters away as the scene unfolded, knowing that I was about to walk across that very bridge myself. Was I 'lucky' not to have been there 60 seconds earlier? I am not ‘lucky’ I wasn’t there. Yes, I live 300 meters from where people tragically died and yes, I cross that bridge on foot at least twice a day. Yes, I was just about to leave my apartment and cross that very bridge and missed being there by a handful of seconds. But, and I hate to get finicky, I cross the bridge using the eastern footpath which is the shortest route from my apartment to Westminster tube station. For every 100 times I cross that bridge 99 of them I would be on the eastern side. The murderer killed people on the western footpath. Even if I had left my apartment earlier, even if I had have been on the bridge as I often am, even then I would not have been on the fatal side. Should I let the terrorists win by now being fearful? I can not let these murders scare me because even though I live right there, which so few people do, even though I use that bridge every day, and even though I was about to set foot across that very bridge and the chance on any given day that I would be on the bridge at that exact 60 seconds, is around one in 1,440 - the number of minutes in a day. Given that 99 out of a hundred times I cross that bridge the odds escalate to one in 144,000. How can I possibly succumb to fear and let the terrorists win, when the odds of me being caught, even with such proximity, are so small? How can we let terrorists achieve their objectives by being terrorised, even if the odds of them ‘getting us’ is so small?

52 | Asia Pacific Security Magazine

I recognise that none of this helps the families of the dead or those who still lie in hospital from their injuries. Little of this will console the people who will be traumatised by what they have seen. But as a community we need to be strong when we are confronted with such evil. We need to reject the evil and reject both fear and hatred. One thing did frighten me the day of the incident. I still had to go to my meeting I was about to join. I took a longer route to get to where I was going. Most people in London continued as normal, even with the helicopters overhead and the sirens screaming their warnings. Most people showed that terrorism will not win. But some succumbed. As I walked down Regency Street toward my meeting, a large thug with a Union Jack bandana cowardly covering his face hurled abuse at any ‘Muslim looking’ people. And this did scare me. This is what the terrorists want. The terrorists want thugs like that to divide our society. But we must not allow this fear the terrorists want us to feel grow into division. We must unite in our grief for the victims and unite to defeat the terrorists by doing as the Prime Minister here in the UK has suggested. We must continue as normal, must not succumb to fear and must not allow the thugs to do the work of the terrorists. About the Author Professor Andrew MacLeod is Non-Executive Chairman of British based Griffin Law, Non-Executive Director at New York based Cornerstone Capital, and a Visiting Professor at Kings College London amongst other activities. MacLeod is a recognised global leader, negotiator and communicator in the business, diplomatic and humanitarian field. He has a track record of leading organisations through challenge, crisis and change. Professor MacLeod is additionally part of the Chatham House/ICRC Expert Panel on Humanitarian Negotiations with Non-State Armed Groups, an Affiliate Senior Associate to the Center for Strategic International Studies in Washington DC, served on the Advisory Boards of the World Economic Forum’s Future of Civil Society Project Advisory Board, Kings College Humanitarian Futures Project and the UN Expert Group on Responsible Business and Investment in High-Risk Areas. Andrew has received the Humanitarian Overseas Service Medal by Australia for work in the Balkans and was awarded a second time for work in Rwanda. He received the Australian Defence Medal for service as an officer in the Australian Infantry. He was awarded the Silver Medal for Humanity from the Montenegrin Red Cross and was recognised by the Australian Government for his work in East Timor. MacLeod was awarded as a Vice Chancellor’s Distinguished Fellow at Deakin University in 2016, the 2014 University of Tasmania Foundation distinguished Graduate Award, the 2013 Young Britons Foundation Global Leadership for Freedom Award and the 2008 Australian Davos Connection Leadership Award, amongst others.

PRESENTING THE 15TH ANNUAL

National Security Summit

Policy, Coordination, & Stability

29 â&#x20AC;&#x201C; 30 August 2017

Hyatt Hotel, Canberra

PRESENTATIONS FROM: Major General Fergus McLachlan, Command of Forces Command, Australian Army Major General Marcus Thompson, Army Cyber Advisor, Australian Army Maria Fernandez PSM, Deputy Secretary Intelligence and Capability, Department of Immigration and Border Protection Jo Evans, Deputy Secretary Climate Change & Renewables Innovation, Department of the Environment and Energy Dr Alex Zelinksy, Chief Defence Scientist, Department of Defence Dr Dan Gerstein, Senior Policy Researcher, Washington Office, RAND Corporation USA Jay (Jiyoung) Song, Senior Lecturer, Asia Institute at the University of Melbourne and Global Ethics Fellow, Carnegie Council for Ethics in International Affairs, New York, USA Assistant Commissioner Neil Gaughan, National Manager Organised Crime and Cyber, Australian Federal Police Professor John Blaxland, Acting Head/ Professor, Strategic and Defence Studies Centre Professor Matthew Sussex, Nonresident Fellow, The Lowy Institute for International Affairs, Associate Professor, ANU National Security College Simon Norton, Analyst, Australian Strategic Policy Institute Professor Will Steffen, Councillor, Climate Council of Australia; and Emeritus Professor, Strategic and Defence Studies, Australian National University

International

Tackling the turmoil within

F By Sarosh Bana APSM Correspondent

54 | Asia Pacific Security Magazine

or a 3.29 million sq km sub-continental nation densely populated with 1.28 billion people of all faiths and creeds, and confronted by two hawkish adversaries on its frontiers, India has held itself together remarkably well. Since gaining independence from the British in 1947, the country has broken out of its mould to become the fastest growing major economy today, overtaking its former coloniser last year to become the world’s sixth largest economy, with a GDP of $2.30 trillion. The retreating British, however, left behind a bitter legacy as the Hindu-majority India and Muslim-dominated Pakistan that they cleaved their colony into have since gone to war four times, at the time of Partition in 1947, and in 1965, 1971 and 1999. Three of these wars were waged over the border state of Jammu and Kashmir ( J&K), while that of 1971 engendered Bangladesh from the fall of East Pakistan. Their sustained enmity has strained both sides, diverting vital funding to their military at the cost of their impoverished millions. With powerful China siding with trigger-happy Pakistan in this fray, India has had to batten down its hatches. Its Budget for 2017-18 has lavished $42 billion on defence, while granting a mere sixth of this allocation, $7.5 billion, to public health, alongside $12 billion to education, $28 billion to women and children, and $29 billion to agriculture. The Ministry of Home Affairs (MHA) secured $12.8 billion to oversee internal security. Indian and Pakistani soldiers square off perpetually at the

Siachen glacier, at 5,400 metres “the world’s highest – and toughest - battlefield” where more of them perish not from bullets but from the hostility of the rugged frozen terrain, where temperatures can plunge to - 45° Celsius. While the Pakistani side of Siachen is accessible by roads, constructed with Chinese assistance, the Indian side can be served only by helicopter, necessitating even artillery and daily provisions to be airlifted and radars and Unmanned Aerial Vehicles to be used for surveillance. Chinese troops also intrude at will from across the Himalayas to set up pickets and threaten Indian soldiers and villagers, and at times even build helipads and communications outposts, while terrorists trained in Pakistan infiltrate the beauteous mountainous state of J&K. India’s heterogeneity is unparalleled and makes for an amazingly diversified society that lends itself to the richness of its culture and its heritage. But it is also disparate, and this diversity and disparity at times have inflamed strife and discord. Though rare and largely localised, communal violence flared from the razing of the 16th century Babri mosque by Hindu religionists in December 1992 that led to a militant Hindu revivalism as also to the reprisal serial bombings in Mumbai by radical Islamists just three months later. The burning alive of Hindu pilgrims in a train in Gujarat in 2002 also resulted in a retaliatory onslaught against Muslims in that state. It is civilians more than extremists or security forces who

Cyber International Security

' There are reportedly 94 active terrorist and insurgent groups operating in the region, mostly seeking to secede from secular India along the territories of the ethnic groups they represent.' suffer the most in these conflicts. The South Asia Terrorism Portal (SATP), run by the New Delhi-based Institute for Conflict Management, estimates that of the 44,197 who have perished in J&K in the separatist violence since 1988, 14,748 have been civilians, alongside 6,284 security personnel and 23,165 terrorists. Left wing extremism in the country, in turn, has killed an estimated 13,312 since 1999, of whom 7,640 have been civilians, 2,612 security personnel and 3,060 terrorists. This brutal agenda has for long been pursued across several states by the underground Naxalite movement that has been guided by an anarchic Maoist ideology. Insurgency has also blighted several of the eight exceptionally scenic north-eastern states that are linked to the rest of the country via an umbilical neck of land hemmed in by Nepal, Bhutan and Bangladesh. Tibet and China lie to their north and Myanmar to their east. There are reportedly 94 active terrorist and insurgent groups operating in the region, mostly seeking to secede from secular India along the territories of the ethnic groups they represent. SATP estimates this north-eastern insurgency to have taken a toll of 21,472 lives since 1992, 10,262 of them civilians, 2,737 security personnel, and 8,473 terrorists. As Law and Order is a State, not a Federal, subject under the Indian Constitution, the State governments are responsible for providing security on the basis of threat assessments by security agencies. The MHA also sensitises and passes on intelligence and threat inputs to the State governments when necessary. Policing to ensure citizens a safe and secure environment is a formidable task. More so, when the lawmakers are at times lawbreakers. The Association for Democratic Reforms reports that a third of the MPs in the 543-member Lower House of Parliament have criminal records, with 112 of them facing serious charges like murder and attempt to murder, kidnapping, land-grabbing, causing communal discord, and even leading criminal gangs. The Election Commission is alarmed by the criminalisation of politics as those convicted by courts are contesting elections. This situation emboldens crime syndicates, compromises law enforcement and breeds insecurity. India’s internal security problems hence cannot be treated as merely of law and order. They have to be dealt with comprehensively in all their dimensions and at all levels — political, economic and social. As India’s borders are not fully secured, intrusions occur into frontier states like J&K, Punjab, Rajasthan and Gujarat from Pakistan, into Uttar Pradesh and Bihar from Nepal, into J&K, Uttarakhand and Arunachal Pradesh from China, into Bihar and West Bengal from Bangladesh and into Nagaland, Manipur and Mizoram from Myanmar. Apart from a coastline of 7,517 km, including island territories, India

has 15,107 km of land borders, with 4,097 km of it along Bangladesh, 3,488 km along China, 3,323 km along Pakistan, 1,751 km along Nepal, 1,643 km along Myanmar, 699 km along Bhutan and 106 km along Afghanistan. Using stealth, and bearing firearms of various calibre, and at times grenades and improvised explosive devices (IEDs), indoctrinated and motivated terrorists are causing havoc where they strike. Authorities have been charting plans to upgrade security, and strengthen intelligence and counteroffensive measures. An official committee has recommended technology-based security infrastructure, and the deployment of Quick Reaction Teams at “high-threat” facilities. Another committee addressing the issue of border protection has recommended various measures to strengthen security and address vulnerabilities in fencing along the Indo-Pakistan border. One was for “smart fencing” in difficult terrain and riverine and marshy areas where regular fencing cannot be erected. This will comprise non-physical barriers like laser walls, closed circuit cameras and acoustic radars that map vibration. Gaps in the border areas are also to be plugged, and floodlight installed and manpower increased, apart from border roads and outposts being constructed, and hi-tech surveillance equipment and more effective mobile patrolling introduced. Though these measures are crucial, there have been instances when intruding Chinese troops have smashed Indian bunkers and destroyed and even carted away surveillance equipment. There is a multi-tiered security apparatus tasked for operations at the Centre, at the States and at the borders. Responsible for national stability, the MHA is the nodal agency for dealing with all matters of internal security through its various arms that perform preventive, regulative and investigative roles. Its seven central armed police forces number over 1.3 million. India’s internal and external threat situation warrants continuous upgradation and expansion of its forces and munitions, enormously straining the developing economy.

Asia Pacific Security Magazine | 55

International

AN EVOLVING THREAT TO THE U.S. PACIFIC FLEET China’s Land-based anti-ship missiles

By Sam Cohen

56 | Asia Pacific Security Magazine

ver the past two decades China has committed significant resources towards developing an effective Anti-area/Access-Denial capability in its littoral zones and surrounding Seas. Chinese military forces have sought to integrate advancements made in missile technology and intelligence, reconnaissance and surveillance (ISR) systems to create a credible and persistent threat to any adversary seeking access within Chinese waters—claimed or legitimate. This has resulted in significant range and accuracy improvements for the PLA missile force, and particularly, the anti-ship missile force. These long and medium-range antiship missiles, which are deployed across a variety of platforms and augmented by a high-end, high-capacity Naval Ocean Surveillance System (NOSS), pose a legitimate threat to the U.S. Navy’s ability to access and maintain presence in the maritime areas surrounding Taiwan, parts of South Korea and Japan, and those countries bordering the South China Sea. One of the most concerning threats to U.S. and allied naval forces in the Asia-Pacific stems from the Dong Feng ballistic missile family. Within this family, two of the more highly advanced ballistic missiles are the DF-21D, popularly

known as “the carrier-killer”, and the longer-range DF-26. U.S. military officials have recognized the DF-21D as having reached Initial Operating Capability (IOC) in 2010, while the DF-26, has not yet received this status. With IOC status, in addition to continued research and development initiatives and capability testing since 2010, the DF-21D ASBM has become one of the most pressing and real threats to the U.S. Navy in the Asia-Pacific. The missile has an estimated range of 900 miles (1450 km) and travels at high-hypersonic speeds where targets are impacted at velocities between mach 10 and mach 12 (7672—9206 miles/hour). Although not yet field proven, the missile’s advanced internal guidance technologies combined with the PLA’s increasingly effective and pervasive NOSS, likely provides China with the capability to track and hit moving targets at sea—which is an incredibly complex technological achievement. Using a maneuverable reentry vehicle assisted by a terminal guidance system and an electronic countermeasure capacity to overcome missile defense systems and countermeasures, US security analysts have speculated that current defensive systems fielded by the fleet may lack the

International

'The missile has an estimated range of 900 miles (1450 km) and travels at highhypersonic speeds where targets are impacted at velocities between mach 10 and mach 12 (7672â&#x20AC;&#x201D;9206 miles/hour).' necessary qualities to protect against such an advanced threat. The DF-21Dâ&#x20AC;&#x2122;s systems allow the missile to track targets locally and without assistance from command and control centers, initial targeting data or initial satellite tracking. It also allows the missile to perform high-G maneuvers during its reentry into the atmosphere and during its terminal targeting phase. The missiles highly maneuverable reentry flight path is what is most concerning, largely because this capability reduces the effectiveness of U.S. missile interceptors targeting

the ASBM in its terminal phase of flight, or, in other words, increases the PLAâ&#x20AC;&#x2122;s confidence in success in engaging U.S. naval forces. Although the opportunity to penetrate Chinese airspace with long-range stand off weapons and stealth fighters and bombers would present itself at the outbreak of a conflict, actually tracking, targeting and successfully engaging the highly mobile land-based DF-21Ds before a large salvo attack can be launched against US and allied forces is unrealistic. Keeping this in mind, and noting the possibility of U.S. Carrier Strike Groups (CSGs) and Surface Action Groups (SAGs) operating in this highly contested environment, military planners face a considerable strategic dilemma: suffer large numbers of casualties and lost hardware or decline to defend allies in future conflicts. To deconstruct this dilemma, it is imperative that the US Navy improves its current missile defense posture in the Asia-Pacific to meet the threat of a salvo of DF-21Ds and other capability-similar anti-ship missiles. Are there any possible solutions that can be implemented relatively quickly without creating new systems or drastically >>

Asia Pacific Security Magazine | 57

International

'Losing the ability to project power in and near China’s sphere of influence leaves U.S. Asia-Pacific strategic interests vulnerable.' augmenting existing platforms? Perhaps Land-Based Defensive Systems on the First/ Second Island Chain can offer a tactical rebalancing that promotes U.S. operational access in the region. As a global military power, the ability to project dominant military forces across the oceans underwrites U.S. conventional deterrence. Losing the ability to project power in and near China’s sphere of influence leaves U.S. Asia-Pacific strategic interests vulnerable. To project power and to remain a credible threat to Chinese aggression, U.S. naval forces stationed in the Pacific must be able to overcome China’s ASBM threat. If they fail to maintain this conventional deterrent, the following developments are likely to occur: a. Political consequences: Regional allies may question the credibility of pledged U.S. military support, resulting in the collapse of alliances and the creation of a power vacuum – one that will surely be filled by an opportunistic China. b. High potential for increased regional Chinese aggression, particularly in its near-shore and littoral areas. This aggression will most adversely affect Taiwan, Vietnam and the Philippines, who all border areas of high strategic importance to long-term Chinese interests. c. Limited ability for the U.S. to influence territorial disputes in China’s maritime zones using naval forces (cessation of Freedom of Navigation Operations and reduced capacity to enforce the United Nation’s Convention on the Law of the Sea). d. Proliferation of ASBM technology and strategy development to other countries as a foundation for an effective A2/AD network. Potential adversaries, including Iran, Russia, and North Korea, might see China’s niche tactical doctrine as attainable, and attempt to copy it. The result would be pockets of no-access zones across global maritime commons for the US and like-minded allies. Although electronic warfare countermeasures offer a feasible and promising approach to overcoming the Chinese ASBM threat in the future, current technological limitations make the approach unreliable and incomplete. In the interim, the U.S. Navy needs to modify and augment its sea-based, kinetic intercept capability to guarantee operational access in contested Asia-Pacific waters until new defensive measures are fielded. More specifically, the Navy needs to ensure that CSG’s - the tip of the spear so to speak - have the ability to operate well inside the range the DF-21D, or where a Taiwan or South China Sea conflict would take place. Currently,

58 | Asia Pacific Security Magazine

the Navy deploys carrier-based defenses and longer-range defenses stationed on auxiliary platforms that operate alongside the carrier (i.e. destroyers, cruisers, etc.). The fleet’s long-range kinetic defensive systems are comprised of the SM-3 Interceptor, an exo-atmospheric kill vehicle, and the SM-2 Block IV and SM-6 interceptor, which are both endo-atmospheric kill vehicles. The SM-3 is used by the U.S. Navy to destroy short- to intermediate-range ballistic missile threats. It uses an exo-atmospheric "kill instrument," to collide with targets in space. It has been produced in multiple variants, with the most recent and most advanced missile being the SM-3 Block IIA. The DF-21D, launched from a Chinese land-based facility, would travel for a short time period in space to reach nearby U.S. naval forces. This leaves the Navy’s fire control systems very little time to target, acquire and launch an exo-atmospheric intercept considering the proximity of the missile’s launching site relative to the targeted ships. Considering these circumstances, it is fair to suggest that the SM-3 is unlikely to provide a high degree of defense assurance for U.S. naval forces engaged by the DF-21D. The SM-2 interceptor is used for endo-atmospheric engagement of small, high-speed ballistic missiles during their terminal phases of flight (after atmospheric reentry). The SM-6, essentially, is an enhanced SM-2 Block IV missile. It has a greater capacity to engage an agile, anti-ship missile and can be launched at an incoming threat at an earlier stage during the targeting process. Since both missiles have a relatively low flight ceiling when compared to the SM-3, incoming threats not initially destroyed by the SM-3 have a high (or even absolute) chance of survivability until they reach the engagement range of the SM-6 or SM-2. This engagement gap represents a critical defect in the Navy’s layered defense approach to ballistic missiles. The zone between effective SM-3 intercept range and effective SM-2/ SM-6 intercept range allows for an ASBM to face no kinetic threats during a portion of its flight path. It represents a weak-point in U.S. sea-based, long-range missile defense. The fleet’s short- to medium-range kinetic defenses consist of the Evolved Sea Sparrow Missile (ESSM), Rolling Airframe (RIM-116), and Phalanx CIWS (goalkeeper, ‘sea whiz’). The ESSM has been designed to counter supersonic maneuvering anti-ship missiles like the DF-21D, in addition to countering attacking aircraft and cruise missiles. The issue is that if this system is to be relied on as a primary defense against the DF-21D, the Navy is increasing the risk of CSGs or SAGs becoming overwhelmed or saturated during an attack. ESSM’s operational range is about 50km, meaning a large salvo of DF-21D’s, which would likely be combined with other, less advanced missiles, would only be engaged at very close-in distances to U.S. ships. For fire control systems to engage multiple, high-speed targets from multiple directions at such short distances means a successful intercept of (nearly) all threats is unlikely. RIM-116 is used primarily as a point-defense weapon against anti-ship cruise missiles. It has an operational range of about 9km. RIM-116 platforms are used to support close-in engagements and augment ESSM platforms—together they close the gap between the short- to medium-range intercept capability and the medium- to long-range intercept capability

for the U.S. Navy. The platform can rapidly launch several interceptors at once, which allows for multiple, simultaneous engagements. However, due to the threats’ proximity once being engaged by Rolling Airframe, upwards of three or four missiles would be used on one target to guarantee an intercept. This makes the saturation limit for this one system relatively low. Phalanx CIWS is a close-in weapon system, last line of missile defense platform. Alike the ESSM and Rolling Airframe, it is a system that is directly deployed aboard U.S. aircraft carriers in addition to other surface ships, including destroyers, cruisers and Littoral Combat Ships. Due to the high-speeds of missiles like the DF-21D, combined with the 3.5km effective firing range of Phalanx, this gun-system cannot be expected to defend against multiple supersonic weapons simultaneously - rather, it is a ‘cleanup weapon’ for those (very) few missiles that ESSM and Rolling Airframe fail to destroy. The short-term solution for the fleet’s missile defense capability deficit is the deployment of land-based defensive systems on the First/ Second Island Chain. This entails the deployment of Terminal High-altitude Area Defense (THAAD) and Patriot Battery systems, which would not only greatly enhance the fleet’s overall defensive posture, but also their offensive posture. THAAD has the ability to intercept short, intermediate and long-range ballistic missiles both inside and outside the atmosphere. The deployment of this platform to the first and second Island chain could provide a short-term, quick capability increase for U.S. naval forces stationed in the Pacific. If these platforms were to be clustered near predicted critical areas of operation, CSG and SAG could maneuver within the covered areas of THAAD and face a reduced threat from DF-21D and other anti-ship missiles (the SM-3 to SM-2/SM-6 engagement gap would be closed). Combined with THAAD deployments, stationing Patriot batteries in similar cluster-based positions would significantly increase the amount of interceptors the U.S. has in theater. Although the Patriot system does not directly reduce the DF-21D threat, it could effectively engage slower, less advanced ballistic missiles. This could allow for the more advanced missiles aboard destroyers and cruisers (i.e. SM-3, SM-2 Blk4) to be reserved for China’s most advanced threats, like the DF-21D. These land-based defensive systems also increase the saturation levels of U.S. naval forces stationed in the region - reducing the threat of a low interceptor to missile threat ratio. The missile payloads of current U.S. surface combatants largely reflect a defensive orientation, with the majority of missile space being occupied by interceptors. Officials in the Navy have largely criticized this orientation as it represents low levels of lethality for the surface fleet, or, in other words, a weak warfighting capacity. Considering the required amount of interceptors aboard U.S. vessels would decrease when land-based interceptors are deployed, the lethality of the surface fleet could be substantially improved. There would be more room in Vertical Launch Systems (VLS) for offensive (anti-ship, anti-land) missiles, thereby increasing the fleet's capacity to engage in surface warfare operations within China’s A2/AD zone. Also, this is a relatively inexpensive

"Due to the high-speeds of missiles like the DF-21D, combined with the 3.5km effective firing range of Phalanx, this gun-system cannot be expected to defend against multiple supersonic weapons simultaneously"

solution compared to redesigning the Pacific Fleet’s force structure or developing a new platform procurement strategy to accommodate both large amounts of interceptors and offensive missiles aboard surface vessels. Ultimately, land-based defensive missile deployments could allow the surface fleet to regain assured access and presence to the highly contested maritime environments surrounding U.S. Asia-Pacific allies. It would also successfully improve the US Navy’s current missile defense posture in region, and would wholesome meet the threat of a salvo of DF-21Ds and other capability-similar anti- ship missiles currently fielded by the Chinese missile force. However, with the diffusion of A2/AD strategic technologies, the US is facing denied access in multiple regions throughout the world, mainly from Russia in the Black Sea, Baltic Sea, and even the Norwegian Sea, and Iran in the Persian Gulf. Although the land-based missile deployments offer a promising short-term solution for area missile defense in the Asia-Pacific, the same strategy may not necessarily work in other contested environments. About the Author Sam Cohen is completed his B.A. in Political Science at Western University in Canada. He is beginning his M.S. in Defense and Strategic Studies at Missouri State University’s Graduate Campus in Washington, D.C. in Fall 2017. His interests are in the fields of national security policy, international law and defense procurement strategy. Sam has completed internships with the Center for International Maritime Security, Crestview Strategy and Israeli Red Cross.

Asia Pacific Security Magazine | 59

DISASTER & EMERGENCY MANAGEMENT

↘

Main conference: 23 & 24 August 2017

↘

Summit 2017

Workshops: 22 & 25 August 2017

↘

Venue: Singapore

Researched & Developed by:

BRING TOGETHER DISASTER MANAGEMENT AUTHORITIES AND EMERGENCY RESPONDERS TO EXCHANGE BEST PRACTICES AND STRATEGIES ON ENHANCING DISASTER PREPAREDNESS EFFORTS & BUILDING COMMUNITY RESILIENCE

SUMMIT HIGHLIGHTS: ► Hear from Governmental Agencies, Disaster Management Authorities, Frontline Responders ► Case studies on natural disaster and manmade emergencies that occurred

EARLY CONFIRMED ORGANISATIONS √ Ministry of Disaster Management & Relief √ Fire Service and Civil Defence Department

► Overcoming the challenges and developing ways to prevent them

√ Victoria State Emergency Services

► Best practices to strengthen community resilience and reduce disaster vulnerabilities

√ National Disaster Response Force

► Proven strategies to respond rapidly and effectively to an emergency ► Improving communication with local community to prepare them for emergencies

√ NZ Police √ Fire & Rescue NSW √ UNDP AND MANY MORE...

PLUS!

4 In-depth WORKSHOPS Available!

Request brochure for more details.

A: Reducing Vulnerability by Enhancing Resilience at Local Levels

B: Strengthening Emergency Preparedness Planning for Communities to Ensure Rapid Response to Disaster

C: Devising Solutions to Manage the Cascading Effects of Man-made Emergencies

D: Establishing Strategies to Manage Search and Rescue Operations for Man-made Emergencies and Natural Disaster

For more details, please contact us: 60 | Asia Pacific Security Magazine PHONE: 65 6376.0908 EMAIL: enquiry@equip-global.com WEB: http://www.equip-global.com/disaster-and-emergency-management-summit-2017

To have your company news or latest products featured in our TechTime section, please email promoteme@australiansecuritymagazine.com.au

Latest News and Products

The Jetson’s cyber concerns – Future smart cities cybersecurity checklist To help guide the development of smart cities, Trend Micro has developed a quick ten step cybersecurity checklist as a gut check when implanting new, smart technologies.

As cities continue to grow smarter, they will also become easier to hack. With millions (if not billions) of dollars going into research for urban domains and the Internet of Things (IoT), there will be more opportunities to utilise technology to define, access and improve smart city services and infrastructure. In these smart cities, information security plays a huge role in protecting the highest levels of confidentiality, availability and integrity for city resources and utilities.

Trend Micro has released a research paper Securing Smart Cities: Moving Toward Utopia with Security in Mind which surveys some of the existing smart technologies currently used in smart cities worldwide. Much like our previous reports on exposed smart devices and the hacking of robots in smart factories, this paper will discuss the risks of using smart technologies in critical sectors and will provide actionable steps to help local governments and urban developers design more secure smart cities.

1 Perform quality inspection and penetration testing 2 Prioritize security in SLAs for all vendors and service providers 3 Establish a municipal CERT or CSIRT 4 Ensure the consistency and security of software updates 5 Plan around the life cycle of smart infrastructures 6 Process data with privacy in mind 7 Encrypt, authenticate and regulate public communication channels 8 Always have a manual override ready 9 Design a fault-tolerant system 10 Ensure the continuity of basic services Cities will continue to grow smarter over time. Whether these cities are built from the ground up, or built around and over established metropolises, it is always important to balance functionality with security. Cities are created by the people, and for the people. So, it’s only right to protect them.

Using your gait to power and secure devices Researchers from CSIRO’s Data61 have developed new technology which uses the way a person walks, their gait, to power wearable devices and also possibly used as a new authentication method, which could replace passwords, pins or fingerprints. Rather than looking at an individual’s unique movements as a form of authentication, researchers at CSIRO’s Data61 have developed a prototype wearable device to capture how an individual’s unique energy generation pattern can be used as a form of authentication.

Small sensors called accelerometers can currently be used to capture an individual’s gait in terms of motion and velocity. However, this reduces the battery life of wearable devices and has prevented gait authentication from becoming more widely adopted. Researchers from CSIRO’s Data61 have overcome this by combining gait recognition with a technique called kinetic energy harvesting (KEH), which translates a person’s motion into electrical energy and improves battery life. “By applying both techniques we have developed a way to achieve two goals at once

– powering devices and the ability to verify a person’s identity using a wearable device by capturing the energy generated from the way they walk,” Researcher at Data61 Sara Khalifa said. To test how secure KEH gait authentication is, the researchers conducted a trial on 20 users. Data was collected from each user using two different settings from various environments. Users walked in several environments including indoor on carpet and outdoor on grass and asphalt terrains to capture the natural gait changes over time and surfaces. The trial showed that KEH-Gait can achieve

Asia Pacific Security Magazine | 61

TechTime - latest news and products

Researchers from CSIRO’s Data61 have developed new technology which uses the way a person walks, their gait, to power wearable devices and also possibly used as a new authentication method, which could replace passwords, pins or fingerprints. Rather than looking at an individual’s unique movements as a form of authentication, researchers at CSIRO’s Data61 have developed a prototype wearable device to capture how an individual’s unique energy generation pattern can be used as a form of authentication. Small sensors called accelerometers can currently be used to capture an individual’s gait in terms of motion and velocity. However, this reduces the battery life of wearable devices and has prevented gait authentication from becoming more widely adopted. Researchers from CSIRO’s Data61 have overcome this by combining gait recognition with a technique called kinetic energy harvesting (KEH), which translates a person’s motion into

electrical energy and improves battery life. “By applying both techniques we have developed a way to achieve two goals at once – powering devices and the ability to verify a person’s identity using a wearable device by capturing the energy generated from the way they walk,” Researcher at Data61 Sara Khalifa said. To test how secure KEH gait authentication is, the researchers conducted a trial on 20 users. Data was collected from each user using two different settings from various environments. Users walked in several environments including indoor on carpet and outdoor on grass and asphalt terrains to capture the natural gait changes over time and surfaces. The trial showed that KEH-Gait can achieve an authentication accuracy of 95 per cent and reduce energy consumption by 78 per cent, compared to conventional accelerometer-based authentication techniques. The KEH-Gait system was also tested against ‘attackers’ who attempted to imitate an individual’s motions. The analysis found only

Senstar announces extended range detection for FiberPatrol-PR Senstar has announced that FiberPatrol-PR, its fiber optic fence-mounted sensor for perimeter applications, now provides up to 50 km (31 mi) of protection per processor, more than doubling the system’s previous detection range capability of 24 km (14.9 mi). The intrusion locating accuracy of the system has also improved to within 4 m (13 ft) from the previous 8 m (26 ft). “This is the second time in just over a year we have implemented extended range capabilities for FiberPatrol-PR,” said Product Manager Stewart Dewar. “By enhancing the system, we are able to provide customers greater protection and more accurate locating with less infrastructure. This results in more economical deployments for long perimeter sites, including borders.” FiberPatrol-PR uses proven fiber optic technology to detect and locate intrusions. The system has a reduced nuisance alarm rate because it can differentiate between disturbances caused by real intrusions and environmental disturbances such as wind and rain. FiberPatrol-PR can detect and accurately locate intrusions even when there are multiple simultaneous intrusions or in the presence of spatially-distributed environmental noise that would mask the detection capability of other long-range fiber optic sensors. As well, the

62 | Asia Pacific Security Magazine

system’s resilient design allows detection to continue right up to the point of a cut in the sensor cable. The system can also be deployed in a cut-immune configuration. FiberPatrol-PR requires no powered or conductive items in the field, making the sensor completely immune to EMI and lightning and intrinsically safe in the presence of explosive atmospheres.

About Senstar Corporation Senstar has been manufacturing, selling and supporting the world’s largest portfolio of perimeter intrusion detection sensor technologies for 35 years. Senstar is also a leading provider of personal duress solutions. Senstar products can be found around the world in more than 80 countries, in tens of thousands of sites including borders, ports, military and government, oil and gas, correctional, and other critical sites.

Information presented in TechTime is provided by the relevant advertiser and are not necessarily the views of My Security Media

TechTime - latest news and products

New Australian public safety initiative “The Melbourne Shield” launches today BlackBerry Ltd and Briggs Communications, a leading Australian crisis management specialist, have joined together to launch a pilot program called ‘The Melbourne Shield’. The secure, networked communications platform is being offered to help key organisations quickly connect with each other in the case of an incident, obtain and share factual information and help maintain business continuity. The new initiative, combining Brigg’s crisis management expertise with industry-leading crisis communication software, BlackBerry AtHoc, invites any major organisation in Melbourne with a duty of care for people to join the pilot program. The aim of the Melbourne Shield is to create a secured, connected community in both the private and public sector that can effectively communicate with other businesses, departments or personnel in real-time, should an incident take place. BlackBerry AtHoc is being offered as a shared solution between Melbourne Shield members, establishing a critical incident communication network which can connect places of mass gatherings such as stadiums, malls and convention centres, as well as infrastructure such as hotels, hospitals, schools, universities and businesses. Ly Tran, Senior Vice-President at Blackberry AtHoc says, “Melbourne is a well-known cultural and sporting destination that hosts millions of people for its major events. Any city is vulnerable and in times of crisis, organisations need a way to get the right messages to their people. Whether it’s a fire alarm, a natural disaster or a terrorist incident, BlackBerry AtHoc offers a mass incident alerting and

communication platform that can connect the city’s large public venues, businesses, emergency services and others, delivering trusted information to enable a coordinated response and informed safety-critical decisions.” BlackBerry AtHoc is a trusted, secure and networked communications platform that helps businesses and governments protect the people they care about. Whether they are around the block or around the world, the solution gives any company or department the ability to communicate with their people through numerous devices and create permission-based networks to establish interoperable communication with other stakeholders in their community. Allan Briggs, Managing Director at Briggs Communications says, “In the event of an incident when situations change quickly, factbased information is limited. The Melbourne Shield sets out to help organisations share good intelligence among trusted individuals to enable better decisions. The platform is especially ideal for linking security and facilities managers responsible for critical decision-making. If they are located close to an incident or emergency, the members can share information between entities via BlackBerry AtHoc enabling interoperable, transparent incident management.” During the pilot, each member of the Melbourne Shield will be provided with access to the BlackBerry AtHoc solution. Each member of the group is carefully vetted and usually includes a key decision-maker within an organisation who is responsible for the well-being of people on

site. In the event of any threat to public safety, a security or facilities manager will have the ability to distribute secured alerts and information to other members of the Melbourne Shield within minutes. Ly Tran adds, “Thousands of organisations around the world trust Blackberry AtHoc for incident response management. Equipping Melbourne’s businesses and stadiums with the same critical communications technology as the US Departments of Homeland Security and Defense, Parliament of Canada, the UK Civil Nuclear Constabulary and institutions like Macquarie University in Sydney, can assist the city in managing potential threats or incidents. We hope this example of true collaboration in Melbourne will serve as an example for other cities around the world looking for ways to protect its people.” This announcement comes as BlackBerry announced in May that important new BlackBerry AtHoc features have become available in Australia and New Zealand to help account for people. AtHoc Account™ automates personnel accountability and crisis communication processes by providing safety and availability status updates of people before, during and after an event – ultimately providing the decision-making information leaders need for continuity of operations. For more information on BlackBerry AtHoc visit: www.athoc.com/company/about-us.html Businesses in Melbourne are being invited to attend an event to announce the initiative on June 8. For more information on The Melbourne Shield please visit: https://www. melbourneshield.com.au

Tenable delivers the first vulnerability management platform Expanded Tenable.io platform incorporates Nessus Network Monitor alongside new container and web application security products for improved discovery and vulnerability management of operational technology assets like ICS/SCADA Tenable Network Security has redefined vulnerability management for information technology (IT) security and operational technology (OT) security with the latest release of its cloud-based Tenable.io platform, delivering new and enhanced capabilities to

Information presented in TechTime is provided by the relevant advertiser and are not necessarily the views of My Security Media

empower organisations to understand and reduce their cyber risk across the full range of traditional and modern assets. The software development life cycle (SDLC) is now measured in minutes to hours. Modern computing and software development practices are driving the adoption of a new set of dynamic IT assets, including cloud, microservices and containers, which enable DevOps teams to accelerate development velocity. Container adoption alone is the fastest growing segment of cloud enabling technologies, with the market

estimated to increase in value from US $762 million in 2016 to $2.7 billion by 2020, according to 451 Research. The rapid pace of innovation has put the DevOps team in the driver’s seat — and left security in its wake — increasing the rapidly changing attack surface. On the other end of the spectrum are OT assets, including critical infrastructure such as industrial control systems (ICS), supervisory control and data acquisition (SCADA) and connected medical devices such as MRI/CT/ ultrasound scanners. These systems were

Asia Pacific Security Magazine | 63

TechTime - latest news and products

designed for precision, reliability and longevity, not security. With the rise of the industrial internet of things (IIoT), OT environments and assets are now connected devices which create an unintended new attack vector. The need to manage vulnerabilities and incidents holistically is driving the convergence of IT security and OT security, yet legacy scanning and agent-based tools designed for the world of IT do not work in the safety-critical world of OT. ”Security teams using legacy vulnerability management tools are not equipped to handle the converging world of IT and OT because when it comes to modern assets like containers, they’re completely blind,” said Dave Cole, chief product officer, Tenable. “Massive shifts in computing coupled with today’s elastic attack surface have left enterprises struggling to gain visibility into their exposure areas. Increasing network diversity due to the rise of IoT and the convergence of IT and OT are only compounding the issue. CISOs need a complete and reliable view of the entire modern computing environment so they can take a proactive approach to managing the security challenges of today and tomorrow.” With Tenable.io, for the first time organisations have complete and centralised visibility over the full range of traditional and modern assets, from IT to OT, within a single platform. Only Tenable™ provides unified asset discovery and comprehensive vulnerability management across IT and OT. Tenable.io is integrated into the modern SDLC and DevOps processes, and offers the flexibility to use the appropriate discovery and vulnerability detection technique based on each asset’s unique requirements. With the combination of Nessus Network Monitor™ (formerly Passive Vulnerability Scanner or PVS), Nessus Scanner, Nessus

Agent, and third party data collection technologies, Tenable.io provides the industry’s greatest breadth and sophistication of asset discovery and vulnerability identification across both IT and OT assets — all within a single platform. Whether the rate of change is every four hours or four years, Tenable.io arms security teams and chief information security officers (CISOs) with the visibility required to understand cyber risk at the pace of innovation and digital transformation. New and Enhanced Capabilities of the Tenable.io Platform General Availability of Tenable.io Container Security: Tenable.io Container Security seamlessly and securely enables DevOps processes by providing visibility into the security of container images as they are created. Through integration with the container build process, it provides vulnerability assessment, malware detection and policy enforcement prior to container deployment — enabling security teams to turn a blind spot into a strength. Nessus Network Monitor Support for OT Assets: Nessus Network Monitor passively analyses network traffic to provide continuous visibility into managed and unmanaged assets on the network, including IT and OT systems. It includes new capabilities for asset discovery and vulnerability identification on critical infrastructure and embedded systems, such as ICS and SCADA systems, which require a nonintrusive approach to vulnerability management. Nessus Network Monitor provides coverage for operational technologies in a variety of safetycritical infrastructure industries, including oil and gas, energy, utilities, public infrastructure, manufacturing, and medical/healthcare.

Vulnerability Management

Applications

Shadow Brokers, WannaCry and Intel AMT Scan Policy Templates: Tenable.io includes pre-built scan templates for identifying systems exposed to all Shadow Brokers exploits, including WannaCry, EternalRocks and any new versions of these attacks, as well as a check for the recent Intel AMT vulnerability (INTEL-SA-00075). T Tenable.io Web Application Scanning: Tenable.io Web Application Scanning, a new product within the Tenable.io platform that safely and automatically scans web applications to accurately identify vulnerabilities, will be generally available on July 14, 2017. About Tenable Tenable transforms security technology for the business needs of tomorrow through comprehensive solutions that provide continuous visibility and critical context, enabling decisive actions to protect your organisation. Tenable eliminates blind spots, prioritises threats, and reduces exposure and loss. With more than one million users and more than 21,000 customers worldwide, organisations trust Tenable for proven security innovation. Tenable customers range from Fortune Global 500 companies, to the global public sector, to mid-sized enterprises in all sectors, including finance, government, healthcare, higher education, retail and energy. Transform security with Tenable, the creators of Nessus® and leaders in continuous monitoring, by visiting tenable.com

Web Application Scanning

Container Security

TENABLE

Platform

Integration

Sensors

Supported protocols include Bacnet, CIP, DNP3, Ethernet/IP, Modbus/TCP, Siemens S7, ICCP, IEC 60870-5-104, IEEE C37.118, OpenSCADA, and more.

API and SDK

Scanner

Agent Nessus Sensors

64 | Asia Pacific Security Magazine

Network Monitor

VM Provider

App Sec Provider

CMDB Provider

Other Third-Party

Third Party Sources Information presented in TechTime is provided by the relevant advertiser and are not necessarily the views of My Security Media

EDITOR'S REPORT REVIEW areas of weakness. Section 2 evaluates issues of execution, and Section 3 suggests ways to evolve the delivery and initiatives of the strategy to achieve its objectives. In addition to analyses of major themes, the report includes a table showing a detailed breakdown of progress against each initiative in the strategy’s Action Plan, and another that examines the funding provided to achieve the objectives of the strategy.”

AUSTRALIA’S CYBER SECURITY STRATEGY: EXECUTION & EVOLUTION

This is a welcome and important review to evaluate the progress being made on the Australian Government’s Cyber Security Strategy. As highlighted at the outset, the strategy launched in April 2016 broke a seven-year government silence on cyber policy issues since the launch of the 2009 Cyber Security Strategy. Since 2009, Australian governments have continued to tinker with the country’s cybersecurity arrangements but didn’t have a detailed and comprehensive plan on how to address the security and economic policy issues presented by the digital age. This is troubling in itself and epitomises the national political instability caused by the Rudd/Gillard/Rudd/ Abbott/Turnbull period. “The comparative absence of comprehensive cyber policy direction in Australia meant that the 2016 strategy had a significant void to fill. It needed to provide clarity on national cyber governance, boost confidence in cyber defences and stimulate cyber industry.” “This report provides an accessible and critical appraisal of the government’s implementation of the Cyber Security Strategy over the past 12 months. Section 1 addresses each of the strategy’s five themes, highlighting achievements and

Recommendation 1: Rapid adaptation and evolution There’s a broad agreement with the stated objectives of the strategy, but a focus on execution and adaptation is necessary, evolving as our understanding of more effective and efficient methods and initiatives by which to achieve those objectives grows. Recommendation 2: Measurable and timebound annual action plans Releasing new theme-specific action plans that provide clear timeframes and measurable milestones for activity will enable implementation and private-sector cooperation. Recommendation 3: Undertake baseline research Funding should be provided to undertake and publish targeted strategy-specific research, which will improve the government’s ability to measure strategy success while boosting Australia’s cyber research portfolio. Recommendation 4: More open communications with the private sector Measures such as quarterly threat reporting from the ACSC and regular strategy updates, potentially in the form of a newsletter, would give stakeholders confidence in the commitment to action and delivery. Recommendation 5: Define the division of leadership between sectors The strategy is a government-developed, government-owned document, but it is not solely the responsibility of government to deliver it under the partnership model. Recommendation 6: Better support for mid-tier and small to medium enterprises There’s likely to be an expectation that improved cybersecurity in the top end of town will trickle down to the mid-tier, but evolving threats and government regulation make it unrealistic to expect that this will happen in the timeframe needed. Recommendation 7: Better communications with the public in both implementation and crises Having a strong and coherent communications strategy for the Australian public is essential to the success of the strategy. Recommendation 8: Moving from public awareness to behavioural change

New methods of education and awareness raising that change behaviours positively should be developed and implemented. Recommendation 9: Broaden the conception of cyber skills shortages to include other necessary disciplines When examining skills shortages, government should look beyond the technical community. Individuals with backgrounds in law, psychology, government studies, communications and many other disciplines have an important role to play in ensuring that Australia’s future cyber workforce is equipped to deal with the full spectrum of challenges that cyberspace presents. Recommendation 10: Provide additional financial and human resources to strategy delivery roles Focus on execution and sufficient financial and human capital to manage implementation across many portfolios and private-sector partners. Consideration should be given to supplementing personnel in these roles and providing additional support to senior leadership positions or rationalising their other tasks to facilitate a focus on the achievement of better cybersecurity outcomes. Recommendation 11: The co-location model of the ACSC should be examined for use by policy agencies Elements of cyber policy responsibility are found in PM&C, the Department of Defence, DFAT, the Attorney-General’s Department, and so on. This can be challenging for those responsible for coordinating the delivery of the initiatives. While an agency along the lines of Singapore’s Cyber Security Agency may not be the most appropriate response for the Australian Government, the colocation of key personnel may help to streamline the delivery of policy initiatives and enhance engagement between policy agencies and the operational cyber areas of the government. It would also aid engagement with the private sector by providing a one-stop shop for engagement with the senior cyber officials in the Australian Government. About the Authors Zoe Hawkins Zoe is an Analyst in ASPI’s International Cyber Policy Centre, researching and writing on international and domestic cyber policy issues. Liam Nevill Liam is the Principal Analyst in ASPI’s International Cyber Policy Centre, researching and writing on international and domestic cyber policy issues.

Asia Pacific Security Magazine | 65

17th – 19th July 2017 | Shanghai, China BEST PRACTICES FOR CORPORATE SECURITY TEAMS TASKED WITH SUPPORTING AND PROTECTING COMPANIES OPERATING IN HIGH-RISK LOCATIONS AND INDUSTRIES

KNOWING IS NOT ENOUGH; WE MUST APPLY. WILLING IS NOT ENOUGH; WE MUST DO. BRUCE LEE

INTENSIVE ESCAPE TR AINING Anti-Kidnapping & CounterAmbush This full-day training drill tests your mettle against life-or-death situations your VIPs, Chief-suite Executives and other personnel may face in the fulfilment of their duties. Deploy with unerring confidence in demonstrable response techniques with this precision-training masterclass: 1. Risk Elimination Practices 2. Anti-Kidnapping Measures 3. Counter-Ambush Survival Techniques International Trainer: Nathan Hughes Training Director CSEC4, UNITED KINGDOM Former Firearms Instructor, Specialist Firearms Officer and Advanced Driver DEVON AND CORNWALL POLICE, UNITED KINGDOM

SHOWCASING PRESENTATIONS AND CASE STUDIES BY KEY DISTINGUISHED SPEAKERS Yang Yu Regional Security Director – Asia Pacific MICROSOFT, CHINA Dean Fitzmaurice Regional Security Director Middle East, India & Sub-Saharan Africa SNC LAVALIN, UNITED ARAB EMIRATES Li Hongliang Deputy Director of Security Management BGP INC., CHINA NATIONAL PETROLEUM COMPANY, CHINA Stanley Aloysius Director, Asia Pacific Safety & Security PAYPAL, SINGAPORE Patrick Wang Head of Security BEKAERT ASIA, CHINA Founder & Chairman SECURITY PROFESSIONALS ALLIANCE OF CHINA (SPAC), CHINA

Julius Badillo Security Cluster Lead – Philippines, Vietnam, Thailand DHL, PHILIPPINES Ruben Morales General Manager, Corporate Safety HONG KONG AIRLINES, HONG KONG Mark Niblett Vice President & Global Head of Security HALLIBURTON, UNITED ARAB EMIRATES Mark Sharp Director of Corporate Security SHANGRI-LA, HONG KONG Wynnford Medrano Director – Procurement, Property, Information Security and Business Continuity Management AXA, PHILIPPINES Nick Crouch Director, Global Safety & Security (EMEA, India and APAC) YAHOO! INC, SINGAPORE

WHO SHOULD ATTEND ATTEND THIS INAUGUR AL PREMIER CONFERENCE TO MAKE SURE YOU ARE • • •

• •

Protecting people, profit and brand Unlocking investment opportunities in high risk destinations Defending high value products and corporate assets from theft and damage Perfecting emergency response planning for your company Guarding valuable executives against threats in vital business destinations

Vice Presidents, Directors, Managers and Heads of: Corporate Security Business Resilience Physical Security Business Continuity Asset Protection Brand Protection Loss Prevention Cold Chain Investigations Sites & Facilities Risk Corporate Campus Security Contingency Intellectual Property Emergency Response Planning Business Travel Risk Crisis Management

High-value business interests can only be properly safeguarded with investment into the right corporate security, asset protection and travel risk programmes. marcusevans

large scale events

PAG E 1

THE PROGRAMME - DAY ONE monday 17th july 2017 0800

Registration and Morning Coffee

0830

Opening Remarks by Chair

0845

CONTACT INITIATION SESSION (CIS)

Delegates and speakers are encouraged to get to know their peers and exchange business cards CORPORATE EMERGENCY PREPAREDNESS

0900

CRISIS RESPONSE KEYNOTE

0945

BUSINESS CONTINUITY KEYNOTE

1030

Coffee and Networking Break

1100

p NATURAL DISASTER PANEL

1145

p COMMUNICATIONS AND TRACKING PANEL

1230

Networking Luncheon

Preparing Your Company Crisis Response Plan for High-Calibre Active Threat Management As business opportunities grow so does the security risk your company faces. Evolving operational threats such as terrorism, kidnapping, theft, piracy and blackmail mean that a robust crisis response plan is critical to defending and protecting your business. In this session the keynote speaker will detail top-of-the-line anticipatory and preparative measures you can use to ensure you are ready for the worst before it happens. Ensuring Resilience with Stress-Tested Business Continuity Planning and Disaster Recovery Procedures Eventually something will happen. Your company is a target and corporate security is the crucial line of defence, but you are also the guardian of the company post-incident. This session will define and design a Business Continuity and Disaster Recovery system that allows corporate objectives to be met, and products to be delivered even as the corporate security and crisis response teams are still in action.

Staving Off Business Damage from Fires, Flooding, Earthquakes, Typhoons and More: Mitigation and Resolution Disasters can strike at any time. From typhoons, floods, fires and explosions, to any weather situation that shuts down operations, delays transportation and short-circuits your immediate business plan, what is the disaster management planning in place? Whether monitoring the weather or ensuring security for personnel post-disaster, our panellists have the critical intelligence to help you deploy with confidence. Mass Communication Tools and Global Tracking Methods for Instant Monitoring of Employee Welfare Whether you are operating in a constellation of global locations with executives positioned worldwide, coordinating staff safety across a nation’s worth of outlets, or keeping tabs on heavy duty and high risk facilities or NGO bases, crisis communication and instant tracking ability is paramount to your corporate security responsiveness. This session provides a keen line of sight to your new communication and tracking plan and hardware setup.

ASSETS, SITES, STORES, FACILITIES & SUPPLY CHAINS 1400

1445

SUPPLY CHAIN OBSERVATIONAL TESTING

Protecting Company Supply Chains Against Clear and Present Threat Trends to Guard Your Products • Effective process controls to buttress logistics and transport security against fraud, theft and disasters • Layered defences and security posture options for the door-to-door, stop-bystop security of goods in movement • Fleet security and detection enhancement in coordination for end-to-end security in a sequence of different operational environments Following a 25-minute presentation our expert will give an example supply chain process and delegates are challenged to assess the potential threats at each point along it.

COUNTERFEIT INVESTIGATIONS SESSION

CORPORATE TRAVEL & OVERSEAS ASSIGNMENTS 1400

1445

Forging Concrete Anti-Counterfeiting Process Control to Secure and Protect your Company’s Brand • Loss control for tangible and intangible assets in trucking and railroad supply chain situations • Coordinating anti-counterfeiting and anti-fraud efforts with security support to prevent potential disasters and loss of reputation • Availing opportunities to leverage consumer service support to perform root cause analysis on historical counterfeiting and fraud activity Following a 25-minute presentation our expert will present the audience with a range of product examples for comparison to test your observation and retention skills. Can you find the fake?

TRAVEL RISK POLICY CHECKLISTING

Shielding Overseas Employees With a Provable Corporate Travel Planning Duty of Care Programme • Prevailing legal and moral frameworks for travel risk policy assessment • Ascertaining infrastructure for emergency contact methods and support in place for medical emergencies, evacuation planning and travel disruption mitigation • Flexing for ad hoc inclusions in response to pandemics and changing natural disaster landscapes Following a 25-minute presentation our expert will moderate as audience members contribute their suggestions for the ultimate corporate travel safety checklist. A show of hands decides what stays in!

SITUATIONAL AWARENESS TRIAL

Instilling Heightened Situational Awareness into Executives in HighRisk Locations • Identifying travellers, calendaring travel and establishing training for Emergency Response, Emergency Medical Technician, tactical driving, antiambush and counter-kidnap • Dynamics of executive responsibility for personal wellbeing and insurance needs in various situations • Preparing codes for conduct and integrity and communicating expectations for overseas-stationed executives Following a 25-minute presentation volunteers from the audience will be brought to the stage and wear a blindfold while they are quizzed about their surroundings during the conference. Find out how good your situational awareness is!

1530

Coffee and Networking Break

1530

Coffee and Networking Break

1600

SOC INSIGHT

1600

OVERSEAS SITE SECURITY

1645

Running a Best Practice Security Operations Centre to Ensure Corporate Safety and Asset Protection • Garrisoning customized security services and infrastructure needed to support the SOC and maintain SOC integrity • Entrenching full-capability disaster recovery hot sites, redundant communications arrays and backup power supplies • Securing resources and synchronization for everything from one-man SOCs to worldwide security coordination

1645

R SECURITY COMMAND ROUNDTABLES

Each table will have an expert moderator to run through detailed best practices for crucial aspects of corporate security in an engaging delegate discussion.

Each table will have an expert moderator to run through detailed best practices for crucial aspects of corporate security in an engaging delegate discussion. Table One: Implementing Thoroughly Planned Options for Timely Executive Evacuation from a Foreign Business Location

Table One: Discovering and Deterring Corporate Espionage to Maintain Site and Product Security

Table Two: Executing Detailed Preparations for Company Medical Emergencies Abroad

Table Two: Developing Physical Security Infrastructure to Protect Company Intellectual Property

1730

R SECURITY COMMAND ROUNDTABLES

Delegates will have the opportunity to select from one of the following scenarios:

Delegates will have the opportunity to select from one of the following:

Participants will get the chance to summarise their discussions and wrap up their practical takeaways.

Protecting Business Interests with Unassailable Security Measures for Sites in High Risk Locations • Obtaining available local assistance and cooperation in the operational host country • Tracking information and area surveys for an overseas network of facilities and assessing threat levels at posts • Allaying vulnerabilities to aged, acquired, and temporary corporate bases

Participants will get the chance to summarise their discussions and wrap up their practical takeaways. 1730

Closing Remarks from the Chair and End of Day One

large scale events

PAG E 2

THE PROGRAMME - DAY TWO tuesday 18th july 2017 0800

Registration and Morning Coffee

0845

Opening Remarks by Chair

0900

EYES PEELED KEYNOTE

0945

CORPORATE BODYGUARD KEYNOTE

1030

Coffee and Networking Break

1100

p STANDARDS PANEL

1145

p COLLABORATION PANEL

1230

Networking Luncheon

GLOBAL PHYSICAL SECURITY Discretely Emplacing Scrupulous Counter-Surveillance Processes to Protect Company Sites and Staff The key to forewarning and forearming against tangible threats to security or emergent crises is surveillance. How do you perform counter-surveillance and mobile surveillance on your surroundings whether in a crowded place or empty area, without drawing attention to yourself, your executives and your company assets? What equipment can you leverage? This session arms you for the daily needs of scrutinising operations, travel and movements. Preventing Loss of Life and Business with Systematic Approaches to Close Executive Protection What new risks and threats does your principal face in a climate of slowed economies and multiplying threat factors? What resources and strategies do you have at hand to provide consistently rigorous close personal protection? This keynote is the compact and comprehensive readiness plan you need.

Mastering and Implementing the Operating Standards and Requirements for a Vigilant Corporate Security Corps Increasingly global corporate activity worldwide needs highly standardised security operations, which should meet consummate international standards wherever possible. This session outlines the A through Z that the corporate security function must fulfill and fortifies you for the hurdles and rigorous needs of booming business and ever-changing global threat scenarios. Building on Measures Taken to Enhance the Relationship and Collaboration Between Public and Private Security Teams Corporate security functions work closely with governments and public agencies for a reason – we are stronger together! Whether liaising with your national security bureau or operating in tandem with foreign police, this session highlights ideal collaborative scenarios and how to reach them.

CORPORATE TRAVEL & OVERSEAS ASSIGNMENTS

ASSETS, SITES, STORES, FACILITIES & SUPPLY CHAINS 1400

HARDENING BUILDINGS

1400

1445

INCIDENT FOLLOWUP

1445

1530

Coffee and Networking Break

1530

Coffee and Networking Break

1600

R SECURITY COMMAND ROUNDTABLES

1600

R SECURITY COMMAND ROUNDTABLES

1700

Comprehensively Ensuring Access Control and Break-In Prevention • Bolstering the guard force’s detection and monitoring best practices with CCTV surveillance, X-ray and alarm system systems • Developing security programmes and procedures, preventing intruders and safeguarding company assets and critical infrastructure • Equalizing and ossifying accreditation, auditing, reporting and recording across your corporate security footprint Enforcing an Exhaustive and Fruitful Investigations Process for Incident Management and Corporate Crisis Response • Root cause analyses on incidents, breaches and threats and analysing various production pressures versus external forces • Working in league with an external investigations corps towards provable results • Consolidating the clear facts needed for effective incident management and followup

Each table will have an expert moderator to run through detailed best practices for crucial aspects of corporate security in an engaging delegate discussion.

EXPAT DEFENCE

Strengthening Global Security with a Sure-fire Reassignment Risk and Expatriate Protection Scheme • Reconciling business gains with the risk scenario presented to the employee • Bracing top-level corporate security with confirmable intelligence on risks to the company via the employee’s overseas assignment • Steeling company operations against international risk frontiers by mapping out and mitigating bribery and extortion potential

Each table will have an expert moderator to run through detailed best practices for crucial aspects of corporate security in an engaging delegate discussion.

Delegates will have the opportunity to select from one of the following

Table One: Countering the Threat of Terrorism Toward Company People and Property

Table One: Comparing and Analysing the Security Situation in Different Countries

Table Two: Hardening Corporate Security Planning Against Known and Potential Criminal Damage and Incursion

Table Two: Safely Managing Corporate Hospitality and Event Security in Unfamiliar or Volatile Destinations

Participants will get the chance to summarise their discussions and wrap up their practical takeaways.

1700

For missed connections and specific questions, write to JonC@marcusevanskl.com to help set up meetings and introductions at the next event! 1730

FEET ON THE GROUND

Establishing a Community of Defenders: Leveraging Local Connections for a Security Footprint in Business Destinations • Deconflicting security structures to consolidate protocols and guard forces • Insights into personnel selection, technical teams and staffing structures that build toward mutual trust equity and sound collaboration • Supporting business continuity planning with local liaisons and strengthened government relationships

Closing Remarks from the Chair and End of Day Two

BUSINESS DEVELOPMENT OPPORTUNITIES Does your company have services, solutions or technologies that the conference delegates would benefit from knowing about? If so, you can find out more about the exhibiting, networking and branding opportunities available by contacting: Ellyna Merican, Media & PR Coordinator, marcusevans Malaysia Tel: +603 2723 6662, E-Mail: EllynaM@marcusevanskl.com

Final Countdown! Wrap Up Time Still have burning questions? Are there problems unsolved? Let the chairperson field your questions or field it back to your fellow delegates for their input. Use this session to take advantage of the amazing expertise in the room. For missed connections and specific questions, write to JonC@marcusevanskl.com to help set up meetings and introductions at the next event!

1730

Closing Remarks from the Chair and End of Day Two

marcusevans would like to thank all the world-leading visionaries, solution providers, associations, operators, end-users and delegates who have contributed to and supported the marcusevans Corporate Security Asia Large Scale Event. We would particularly like to mention our speakers for their help in the research behind the event and also our sponsors for their continued support and commitment. On behalf of marcusevans we hope you have a rewarding, enjoyable and productive time. We personally look forward to meeting you all and working with you at our future Large Scale Events planned in 2017. See you in July!

REG ISTE R NOW large scale events

Tel.: +603 2723 6662 Fax: + 603 2723 6699 Email: EllynaM@marcusevanskl.com PAG E 3

W INTENSIVE ESCAPE TRAINING - DAY THREE wednesday 19th july 2017 PREVENT AND PROTECT: Frontline company personnel on deployment in hostile, volatile or simply unfamiliar environments can be profiled as targets as can their families and residences. Kidnapping, ambush and ransom are very serious security issues for companies operating in or traveling to high risk destinations. You know the risks. Business lost, financial damage, reputational uproar and worst of all a threat to your colleagues’ lives. Insurers have estimated up to 40,000 kidnapping cases per year involving business travelers. Can this happen to your company? What can you do? Understanding the motivation for kidnapping in the context of financial gain and opportunism, and enhancing your situational awareness are just the first steps to mitigating and managing these threats.

INTERNATIONAL TRAINER Nathan Hughes, Training Director, CSEC4, UNITED KINGDOM Former Firearms Instructor, Specialist Firearms Officer and Advanced Driver, DEVON AND CORNWALL POLICE, UNITED KINGDOM Within the police Nathan worked on a team responsible for conflict/crisis resolution and counter terrorism operations. He provided armed venue and residential security for members of the Royal Family, Foreign Royalty, British Prime Minister, MP’s and VIP’s. He was an Advanced Police TPAC (Tactical Pursuit and Containment) Driver and Integrated Firearms Surveillance officer (foot and mobile). He is a licensed National Police Firearms Instructor. His other duties during more than 14 years of police work included police search team, extradition and public order engagements, warrant executions and major incidents covering the whole of the force area.

This full-day training drill tests your mettle against life-or-death situations your VIPs, Chief-suite Executives and other personnel may face in the fulfilment of their duties.

His five years in the 42 Commando Royal Marines of H.M. Royal Marines provided him with heavy weapons (anti-tank), sustained fire (SF), beach landings and assaults, arctic and jungle warfare experience as well as disaster relief in Montserrat and Anguilla following volcano and hurricane damage.

Deploy with unerring confidence in demonstrable response techniques with this precision-training masterclass:

Nathan is certificated for First Person on Scene and Close Protection among many other industry relevant qualifications.

RISK ELIMINATION PRACTICES

CSEC4 is involved in the training and development of International Police Departments, Military Units and Security Organisations with the intention of providing international best practice.

• Minimising risks and opportunities for abduction and ambush • Clear motivations (wealthy appearance, company affiliation) versus leaked and known motivators (remuneration details, connections, other criminal intelligence) and how to reduce them • Even top-shelf provision of secure housing and transport can leave opportunities for criminal interference: contending with opportunists

WHY YOU CANNOT MISS THIS EVENT

ANTI-KIDNAPPING MEASURES • How to know if your principal is being targeted or profiled for criminal intervention • Paranoia vs. obliviousness: building appropriate expectations, behaviours and dynamics in the destination • Low-profile training and counter-surveillance techniques COUNTER-AMBUSH SURVIVAL TECHNIQUES • The first minute: what should you do when you realise a kidnapping or ambush is underway? • The essentials of how to behave and what to say (if anything) • Survival options: weighing your various escape routes, potential extraction plans and safe houses • The long arm of the law: leveraging your connections with local authorities and knowing their parameters for involvement The Intensive Escape Training Drill is suitable for all personnel charged with ensuring the security of company executives in all situations, as well as those tasked with maintaining the impermeability of sites and supply chains to intrusion and unwanted surveillance and profiling.

Your company is a target. There are high levels of security risk to increasingly global and high profile corporations based in Asia, and Corporate Security is the critical support department. Gain best practice insights into protecting people, profit and brand at Corporate Security Asia in Shanghai. Unrest and criminality affect crucial business destinations in parts of Asia and Africa. Meanwhile cost-cutting measures and third party operations are presenting criminals with alarmingly rich opportunities for interference and wilful damage. Protect company products, sites and executives and secure your company against emergencies and crises by joining brand new conference formats. The exclusive Situational Awareness Trial is where your observational skills and surveillance abilities will be tested in a blindfolded trial, while in the Counterfeit Investigations Session you will be tested to catch out tampered products with comparison and analysis exercises. Travel Risk Policy Checklisting is a heads-together delegate-led exercise letting you contribute important considerations for corporate travel planning and take a copy of the checklist home with you after while the Supply Chain Observational Testing lets you assess potential threats along example supply chains. Invest in our upcoming 3-day conference ‘Corporate Security Asia’, which provides you with access to the latest intelligence, preventative security management and emergency response planning. Plug in for ‘Preparing Your Company Crisis Response Plan’, ‘Ensuring Resilience with Stress-Tested Business Continuity’, ‘Counter-Surveillance Processes to Protect Company Sites and Staff’ and ‘Systematic Approaches to Close Executive Protection’ in our sunrise plenary sessions. During our post-conference Intensive Escape Training, get hands-on experience with Anti-Kidnapping and CounterAmbush to pre-emptively prevent and protect your executives from being profiled and targeted in high-risk operations and locations. Follow your own plan with a choice of two exclusive breakout streams: Assets, Sites, Stores, Facilities & Supply Chains: Preventing break-ins, ensuring access control, incident management, anticounterfeiting and layered defences to goods in movement are essential to companies dealing with high-value production and items, as well as those with supply chains extending through multiple jurisdictions with vacillating risk profiles. Join this stream to benefit from detailed security setups for your assets and sites.

SCHEDULE 0830 0900 1045 1245 1400 1545 1700

Registration and morning coffee Training commences Morning refreshments Networking lunch Training commences Afternoon refreshments End of training

large scale events

Corporate Travel & Overseas Assignments: Readiness and planning for situational awareness and duty of care programmes are critical to executive safety and avoiding travel disruption and business damage. Join this stream to benefit from insights into establishing a security footprint in the destination via local contacts and well-protected corporate sites, evacuation preparedness and proper medical planning. This event will give you access to the latest anti criminal intelligence and product security techniques, case studies on successful theft prevention, Emergency Response Planning (ERP) techniques and more. PAG E 4

70 | Asia Pacific Security Magazine