Page 1

Print Post Approved PP100003227


Trends in the technology industry

Climate change as a national Ssecurity issue

Software defined everything

Closing the CyberSecurity skills gap

Rise of autonomous vehicles

Creating an intelligence world – Milestone Systems MIPS 2018

Digital forensics

Women in Security Special: Personal inspiration to deliver security

$8.95 INC. GST


Women in Security | Techtime

Cyber Security

25 – 27 JULY 2018


DRONES (UAV) NEW for 2018, complete with demonstration area, you can showcase your products to a targeted security audience. CYBER After the success of this year's event, our dedicated Cyber zone offers another unique opportunity for technology presentations. Limited stand space still available, contact the team to find out more: or call 03 9261 4500.

2 | Australian Security Magazine


Cyber Security

We’re TRANSFORMING Join us as we embark on the next phase of our journey

- visit our new online store at -


For more information on these and other best-in-class solutions from Hills call us on 1300 HILLS1 (445 571) or visit CONNECT



Australian Security Magazine | 3

Contents Editor's Desk 5 Cyber Security Executive Editor / Director Chris Cubbage Director / Co-founder David Matrai Art Director Stefan Babij Correspondents Jane Lo

Climate Change as a national security issue


Closing the CyberSecurity Skills Gap


Taking the right risks and reaping the rewards


Trends in the technology industry


Creating an intelligence world – Milestone Systems MIPS 2018


Women in Security : Personal inspiration to deliver security


Software Defined Everything


How to bring Web-scale networking to the enterprise


Rise of autonomous vehicles



Why NDB compliance starts with the security basics

Digital analytics



Digital forensics


Alternative payments powered by blockchain


TechTime - the latest news and products


Book review

50 Copyright Š 2017 - My Security Media Pty Ltd 286 Alexander Drive, Dianella, WA 6059, Australia T | +61 8 6465 4732 E:

Page 6 - Climate Change as a

national security issue


Page 14 - Trends in the

technology industry

All Material appearing in Australian Security Magazine is copyright. Reproduction in whole or part is not permitted without permission in writing from the publisher. The views of contributors are not necessarily those of the publisher. Professional advice should be sought before applying the information to particular circumstances.


Page 26 - How to bring Web-

scale networking to the enterprise


Like us on Facebook and follow us on Twitter and LinkedIn. We post about new issue releases, feature interviews, events and other topical discussions.

Correspondents* & Contributors Page 28 - Rise of Autonomous


Jane Lo

Keith Suter

Erin Dunne

Alan Zeichick

Also with


Jenny Yang Rebecca Vogel

Page 34 - Digital Forensics

| MySecurityAustralia

4 | Australian Security Magazine

Daniela Fernandez Michael Bosnar

Editor's Desk " “It is now reasonably evident that the cabinets and documents which are the subject of the AFP investigation, came from the Department of the Prime Minister and Cabinet. While it remains unclear, it is likely this occurred some time ago. This casts the Department in a poor light and this failure has implications for the rest of the Australian Public Service." - Martin Parkinson, Department of Prime Minister & Cabinet, 2 February 2018


n late 2017 the Council of Australian Governments (COAG) convened a special ‘Security’ meeting, in the first of a series of security focused meetings, yet to be held. One of the first outcomes was to commence sharing photographs from state motor driver’s licences as part of a national facial recognition and identity scheme. It wasn’t lost on me that COAG overlooked the opportunity to include other police regulated licence categories, such as security and firearm licences, but that’s an issue we’ll come to again later in the year. Facial recognition is also operating in all Australian international airport terminals and will be increasingly applied in other sectors, be it for public transport systems, retailers or even to access your new iPhone X. Indeed, the technology is already being used as part of conference registration, as experienced courtesy of Milestone Systems on attending their MIPS2018 event in Hanoi, Vietnam in January. The discussion has predominantly been on the technical capability and accuracy of biometric identification systems, however there has been an apparent absence of discussion around privacy and trust of these systems and the operators. As being observed in China, facial recognition is forming part of a digital and cashless social and economic system and one which is applying a national citizen score card to individuals. As of 2020 the opt-in or opt-out choice is removed and it becomes mandatory. The reality of an Orwellian society of 1.37 billion people just to the north of Australia may be just a few short years away. Possibly, an inviting concept to be garnered by other countries in order to tackle the weeds of political dissent, corruption, crime and terrorism. As they say, ‘nothing to hide, nothing to fear’. Your privacy for your security. And of course, we can trust the highest levels of Government to do the right thing and follow the key security principles to protect the nation. At a time of heightened political tension with China, ASIO warning of extraordinary levels of foreign espionage, of the Cyber Security Strategy and the Defence Export Strategy; exposed is the

realisation that the Department of Prime Minister and Cabinet released thousands of pages of classified documents within ‘the Cabinet Files’. As reported by the ABC, these documents reveal the inner workings of five separate governments and span nearly a decade, stating, “nearly all the files are classified, some as "top secret" or "AUSTEO", which means they are to be seen by Australian eyes only.” Consider this period is a time when Australia and its allies are highly cautious about China’s strategic positioning, particularly in the South China Sea, and the early deliberations of the NBN and Trans-Pacific Partnership. This type of breach, involving a locked cabinet sold for AUD$10 at a second-hand store in Canberra, naturally undermines security across all levels of government. It presents as a symbol of Government hypocrisy and lack of accountability and responsibility. With that being said, I hope the Cabinet Files are a catalyst for change and reform for the security sector. I hope 2018 is seen as a year to start reform. Despite technology and its advances, security will always remain reliant on the human element. As Australian Police Commissioners call for greater powers and legislation to fight the onslaught of crime in the physical and cyber realms, they must be held to account for the absence of reform to state-based regulations constricting the Australian security industry. It is difficult to take police and government agencies seriously in a security context when they continue to bungle their way, yet ignore industry calls for national reform to facilitate mobility of work, digitalisation of probity practices, national standards, regulation application to cybersecurity, minimum eligibility criteria, permanent residency frameworks and security operations training packages which align security licence classes and offer national security capacity building. The Queensland Commonwealth Games model, developed between government and industry is a shining light on what can be achieved but this needs to be rapidly broadened to a national level. The time for ‘asking for reform’ is

over and it is COAG’s responsibility to take action and demonstrate that Australian governments acknowledge security as a science, a discipline and whether it be top secret files in a cabinet, a person’s biometric identity or the mix of private and public security professionals and agencies, that security is fundamental to all of us and must be taken seriously, with accountability and responsibility. Complacency is not an option. In this edition, we have a strong technology focus, dealing with the key drivers of change, namely cloud computing environments, software defined networking, autonomous vehicles, digital analytics, video surveillance, blockchain and the application of this technology across industries. We are joined by Daniela Fernandez of the Commonwealth Bank in our Women in Security feature, Rebecca Vogel provides guidance on closing the cyber skills gap and Dr. Keith Suter also raises the important issue of Climate Change and the impact on national security. We anticipate a busy and challenging year, if not a roller-coaster ride with Australian and European data breach and data privacy regulations coming into effect in February and May, respectively. This will impact on business conditions and only add to already existing political obstipation and global threats. Regardless of where we end up by December, we look forward to engaging, educating and entertaining you throughout the year. And on that note, as always, we provide plenty of thought provoking material and there is always so much more to touch on. Please also join us on our new Cyber Security Weekly Podcast and download the MySecurity Media App to stay current with the latest news, events and article releases. Sincerely, Chris Cubbage CPP, RSecP, GAICD Executive Editor

Australian Security Magazine | 5


Climate change as a national security issue

N By Dr. Keith Suter Managing Director, Global Directions think tank Member, The Club of Rome

6 | Australian Security Magazine

ational security used to mean a country protecting itself from other countries. More recently, with the rise of Islamist extremism, there are also now asymmetrical struggles between some countries and terrorist groups. Since the 1970s some of us have argued that “national security” should be seen in an even broader context. The object of national security is to protect a country – the emphasis should be on the objective and not the means of attack. A focus on weaponry will not be sufficient if, for example, the borders are overrun by a mass migration of people fleeing their disrupted environment. There is a continuing debate over climate change. Most scientists accept that there is a problem with human-induced climate change but some media commentators and politicians still reject the scientific consensus. Even for those that agree there is a problem, there is no agreement over the extent of the problem; by the time there is agreement, the problem will be so far advanced that few remedial actions will work in time. Lord John Browne, then Chairman of British Petroleum, explained this problem well in May 1997 that “the time to consider the policy dimensions of climate change is not when the link between greenhouse gases and climate change is conclusively proven, but when the possibility cannot be discounted and is taken seriously by the society of which we are a part. We in BP have reached that point.” This article argues that climate change is a much bigger threat to national security than is currently reflected in the Australian media and political debate. Climate change is a complex policy problem. Perhaps the most complex in our lifetime. It is not simply an

“environmental” problem. No single academic discipline is able to handle all the issues created by it. Indeed, there were not any “climate science” university degrees until recently. Most scientists have come to this problem from other disciplines. Rising Sea Levels There is the issue of coastal erosion. Climate change may result in rising sea levels and greater weather turbulence. Carteret Island in the Solomon Sea, to Australia’s north-east, is an atoll being slowly reclaimed by the sea. Some low lying islands off Vanuatu and Kiribati have also been evacuated as a precaution. Closer to Australia is the Indonesian capital city of Jakarta (with nearly 30 million people), which is sinking faster than any other big city on the planet. Climate change aggravates a host other problems, such as the lack of city planning, limited sanitation facilities, political corruption and ethnic tensions. Rising seas and more turbulent weather also endanger shore-based military installations. The Pentagon (irrespective of the views of the White House) is already working on strengthening sea walls around naval bases. Without publicity and keeping away from political controversy, it is taking the threat of climate change seriously. About 26 million people worldwide are displaced people. They have been forced to move away from their homes because of conflict or natural disasters. New Zealand in November 2017 announced that it would create the world’s first humanitarian visa for “climate refugees”. New Zealand has brought together two strands of international law.


A “refugee” in international law is a person with a wellfounded fear of persecution by their government on the grounds of, among other things, race political opinions or religion. There are about 23 million such people. But New Zealand is talking about a different type of person: someone fleeing environmental destruction (and not deliberate political persecution). It will be interesting to see how New Zealand implements this new policy. The New Zealand initiative draws attention to yet another climate change issue: mass movement of people being displaced by the climate. In 1973 French author Jean Raspail wrote the controversial novel Camp of the Saints (now back on the best-seller lists) in which France was overrun by displaced Asians. It seemed an unlikely plot until the 2015 mass movement of about 890,000 Syrians into Germany. The Syrians were fleeing the civil war back home. Some commentators have argued that the conflict was based partly on adverse climate conditions (a drought which wrecked agriculture and contributed to political instability which was then exploited by Islamic State). Mass movement of peoples may trigger additional ethnic conflicts as peoples move onto the lands of others. There is, therefore, a risk of mass movement of peoples caused by such events as adverse weather, shortage of food, political instability and crumbling infrastructure. The New Zealand approach may eventually be seen as far-sighted. Insurance Climate issues have put insurance companies on a steep learning curve. They are experts at predicting, say, when an overweight cigarette smoker may die. They are having more difficulty in understanding climate risk. Insurance companies were among the first businesses to acknowledge that there was something odd happening with the weather because of the increased weather-related insurance payouts. There is now a risk that with more extreme weather-related events and larger insurance payouts, some areas may become uninsurable. Insurance works by re-insurance, that is, spreading the risk among others. If weather related insurance payouts continue, then insurance premiums will continue to rise. A New Polar Era There is the gradual melting of the Polar ice caps. Half a century ago the polar ice caps were twice as big as they are today. The (declining) thickness of the North Polar ice has been measured by the US Navy for decades because of the risk for submarines suddenly needing to break through the ice if they run into trouble. That is now a much easier task. The melted ice goes into the sea and contributes to the rising sea level. Climate change could lead to a new scramble for the Arctic. It may enable greater access to the Arctic’s considerable resources. This could trigger a new scramble for territory, similar to that of the 19th century’s scramble for Africa. The Arctic used to be of interest mainly to science. Now increasingly it is a matter of political, economic and legal interest. The Arctic is assumed to have vast untapped resources.

For example, the Arctic may hold nearly as much as a quarter of the world’s unexplored oil and natural gas. There may also be other forms of wealth, such as diamonds, gold, manganese, nickel lead and platinum (much the same as is already found in the surrounding countries). There has been an increased presence by the neighbouring countries, if only to reinforce their territorial claims. For example, in August 2007 Russia sent a submarine to plant a Russian flag 4,000 metres underneath the North Pole. Russia now has more military vessels in the region than at any time since the end of the Cold War in 1991. The North West Passage is now open to shipping for some of the ice-free summer months. This goes through the top of Canada, along the northern coast of Alaska and down through the Bering Strait. As the planet warms and the ice declines, so that window of navigation will get wider. This will have implications for the other long range routes (such as around Africa) and through the Panama and Suez Canals. Another wider political implication will be the eventual increase in power of both Russia and Canada. Assuming that the mineral development can flourish, then both will get a benefit to their national wealth and this will give both increased economic and political leverage. 21st Century: “The Century of the Environment” The international think tank The Club of Rome (of which I have been a member since 1993) has argued that the 20th Century will be known as the “century of economics” because it was in that century that the problem of achieving economic growth was solved. Poverty still exists but the world is now richer than ever. We now have better ideas on how to generate wealth. There is now one global economy based on (to varying extents) a mixed market system: a mixture of government and private enterprise. China joined it three decades ago, Russia in 1991, Cuba is now joining; only North Korea remains outside the global economy. The United Nations target of halving global poverty between 1990 and 2015 was achieved five years early. Most of the credit for this achievement goes to capitalism and free trade because they enabled economies to grow – and it was growth, principally, that has eased destitution. The 21st Century will be known as the “century of the environment”. Environmental problems will force themselves upon us. Having found the right ideas for ending poverty, the planet now needs to deal with the consequences of rapid economic growth. The initial speculation over climate change was driven by both non-governmental organisations (NGOs), such as The Club of Rome, and the insurance industry. Climate change as a political issue is becoming self-sustaining; there may be periodic reductions in political salience but climate change will remain on the political radar screen. There are too many people who have too many interests in it and the issue itself is too big simply to be solved by a few immediate legislative changes. Unfortunately the Australian political process is too narrowly focussed on immediate issues. Many people have no idea of the looming threat to national security arising from climate change.

'The 21st Century will be known as the “century of the environment”. Environmental problems will force themselves upon us. Having found the right ideas for ending poverty, the planet now needs to deal with the consequences of rapid economic growth.'

Australian Security Magazine | 7


Closing the cybersecurity skills gap By Rebecca Vogel Intelligence Lecturer Department of Security Studies and Criminology *For the full article and references contact the Editor.


he approaching “fourth industrial revolution” was the theme for the 2016 World Economic Forum, and a global report entitled, Amplifying Human Potential was released at the Forum. The report discussed the digital technologies young workers will need to navigate and the skills they will need. The report reiterated the importance of education—that “through education, there is an unassailable opportunity to prepare everyone for such a change (Infosys, 2016).” The education system, both at a secondary level and the tertiary level, needs to be directly involved in programs to enhance cybersecurity skills. While the tertiary level appears to be moving in the right direction, in 2014, 64% of high school students America did not have access to computer science classes or other classes that would help prepare them for a career in cybersecurity (Raytheon, 2014). Industry experts consider that even if schools place a much stronger emphasis on cyber security, it may take up to twenty years for the skills gap to close (L. Morgan, 2014). Increased Workforce Capability In October 2012, the FBI launched its Next Generation Cyber Initiative, which was aimed at enhancing the Bureau’s ability to deal with cybersecurity issues. To do this, the FBI sought to hire more computer scientists. While the FBI has made some progress toward this goal, recruitment and retention of qualified candidates is reported to remain a challenge; this is because there are higher salaries offered in private industry (Dunsmuir, 2015). Tellingly, a 2015 audit of the Next Generation Cyber Initiative showed the FBI

8 | Australian Security Magazine

'The US Bureau of Labor Statistics releases a biennial report on the fastestgrowing occupations. Its 2013 report indicated that the information-security profession, including cybersecurity professionals, is expected to grow 36.5% by 2022.' was not able to hire 52 of the 134 computer scientists it was authorised to recruit, presumably because of the lower wages the Bureau offered (Office of the Inspector General, 2015). In Australia, the 2013 Australian National Plan to Combat Cybercrime identified two key priorities that were intended to strengthen its response to the cybersecurity skills shortage: 1) Improving the capacity and capabilities of agencies to address cybercrime, and 2) Partnering with industry to tackle the shared problem of cybercrime. The imperative for cyber capacity and capability was explained in the report, saying, “…law enforcement agencies need to keep pace with evolving technologies if police


are to perform their duties in the digital environment (Commonwealth of Australia, 2013). Similarly, the Australian Crime Commission (ACC), Australia’s national criminal intelligence agency, in its National Organised Crime Response Plan 2015–18, cited the need to: 1) progress the priorities set out in the 2013 Australian National Plan to Combat Cybercrime, specifically, … improving the capacity and capability of government agencies, particularly law enforcement, to address cybercrime; and 2) develop a technical capability community of interest, comprising a national forum for relevant agencies and organisations to discover and understand the technical capability challenges facing law enforcement agencies nationally that impede investigations into cybercrime and technology-enabled crime, to identify mechanisms to mitigate or address these capability challenges. (Australian Crime Commission, 2015a). In 2014, the Pentagon announced an initiative that it intended to create a 6,000 strong cyber workforce to defend against threats to American computer networks, citing a challenge to train a cyber workforce, which is expected to run through 2016 (Bottalico, 2014). The US Senate also passed the Cybersecurity Skills Shortage Bill in September 2014, granting authority to hire and retain qualified cybersecurity professionals in an expedited manner, pay recruits more competitive salaries, and provide more attractive benefits and incentives (Chabrow, 2014). Later, in November, 2015, the UK government announced its National Cybersecurity Plan (previously known as the National Cybersecurity Programme) (NCSP) to bolster Britain’s next generation of cyber security professionals. The plan involved an increase in spending on cybersecurity to £1.9 billion by 2020, recruiting 1,900 new staff across the three intelligence agencies. The first National Cyber Centre will be established, which will house the UK’s first dedicated cyber force. A £20 million competition will be run to open a new Institute of Coding to train cybersecurity students in high-level digital and computer science skills. In quite an innovative move, the plan targets the most talented 14 to 17 year olds, providing them with expert mentors, challenging projects, and summer school to identify and train potential future employees (UK Government, 2015). Emerging employment trends The US Bureau of Labor Statistics releases a biennial report on the fastest-growing occupations. Its 2013 report indicated that the information-security profession, including cybersecurity professionals, is expected to grow 36.5% by 2022. This profession is one of only twenty occupations with the highest expected percentage change of employment between 2012 and 2020 (Bureau of Labor Statistics, 2014). Results of research conducted by KPMG are also indicative of the trend toward “upskilling” within the private sector to protect itself against cyber breaches. In 2014, KPMG surveyed 300 senior IT and HR professionals in the UK within organisations of between 500–10,000 staff and found that companies are “increasingly desperate” to in their quest to hire the right cyber people, with 70% admitting their company lacks

the ability to assess incoming threats (KPMG, 2014). There are positive trends being seen in bridging the gap in cybersecurity skills and reasons for optimism. The 2015 ISACA report showed enterprises are beginning to look at cybersecurity as an issue for the business itself, and not just for the security manager. Security Operations Centres (SOCs) are being implemented, budgets are increasing, and executive support for security programs is more apparent, helping to elevate cybersecurity programs (ISACA, 2015). Another emerging trend in employment practice is to use Cyber Challenge competitions as a means to vet the cybersecurity skills and know-how of prospective employees. The US Cyber Challenge, in partnership with private industry, is creating “mini-challenges” to be piloted in late2016, which will allow job applicants to demonstrate their cybersecurity abilities and potential employers to evaluate their skills in real-time (Chabrow, 2016). Employment challenges There are challenges surrounding developing and maintaining a robust cybersecurity workforce within the national security community, encapsulated in a 2015 article from The Times of London: Technological skills are at a premium, and the Confederation of British Industry calculates that in three years there will be 600,000 vacant slots for able technological graduates. People who work at GCHQ are on government pay; many could earn far more outside. ‘Cheltenham is not much like San Francisco. If you’re a techie, this might not be the first place you would want to come,’ the head of personnel says (MacIntyre, 2015). Across the Atlantic, US report (2016) reiterated similar challenges seen in the Federal Cybersecurity Workforce, namely: 1) demand outstripping supply for cybersecurity professionals, 2) skills gap in cybersecurity positions, and 3) agency strategic workforce plans that do not specifically address cybersecurity workforce needs (Francis & Ginsberg, 2016). Compounding the challenges faced by the cybersecurity skills shortage are those of enticing and retaining the information security experts needed within the National Security space and public sector space more broadly. The 2014 KPMG survey mentioned earlier indicates a higher “churn” rate for cyber professionals than for IT professionals, and 52% of those IT and HR professionals surveyed agreed there is aggressive headhunting in this field (KPMG, 2014). This presents an obvious challenge to the public sector, as the public sector, with its historically lower salaries, will surely struggle to retain cyber-skilled individuals who can and will be easily headhunted by the private sector, with its much more robust capability to offer attractive pay packages. Private sector entities, including the large Professional Services, Technology and Financial Services firms, will no doubt increase salaries and compensation packages offered to public sector cybersecurity specialists, effectively cherry picking many of the best potential employees. A 2015 report by the US Department of Justice highlighted the struggle facing the FBI in attracting computer science recruits, mainly due to low pay (Dunsmuir, 2015). The FBI, responding to the report, said “the cyber workforce

Australian Security Magazine | 9

challenge runs through the federal government” and that it was necessary to develop “aggressive and innovative recruitment and retention strategies” (Dunsmuir, 2015). An encouraging move to address the pay gap issue was the introduction of US legislation (S.1,691—Border Patrol Agent Pay Reform Act of 2014), which incorporated the Department of Homeland Security’s Workforce Recruitment and Retention Act), aimed at mitigating the significant problems of successful retention and recruitment, which was passed in December 2014, enabling qualified recruits to be paid more competitive salaries, benefits and incentives. Implications for practice The global cybersecurity skills gap has important implications for the private and public sectors. There is a critical need to address the talent shortage by increasing the number of individuals who have cybersecurity skills. While problematic, this situation presents a unique window of opportunity for those individuals looking to work in the national security community. Current IT professionals, university students and others interested in the cyber domain have abundant opportunities to upskill in cybersecurity areas such as forensic computing, social media exploitation or threat intelligence reporting, and move into this dynamic, growing field. Numerous government initiatives are in place to address the cyber skills shortage, as well as legislation which will provide the means for the public service to become more competitive in attracting and retaining the best and brightest individuals. The public service, facing challenges of competition from

10 | Australian Security Magazine

the private sector in recruitment and personnel retention, will need to innovate and respond in a much more agile way to market forces in order to attract and keep the best cyber personnel. Given the challenges in competing on remuneration, organisations that offer additional benefits on the job, such as ongoing training and professional development, a clear career path within the cybersecurity field, ongoing engagement with outside stakeholders, vendors and academia, to inform their employees’ cybersecurity expertise, will likely have a stronger case for retaining their cybersecurity professionals. These aspects of a strategic workforce planning and retention program will ensure that the next generation of cybersecurity professionals remain engaged in the national security sector to combat the cyber threats of the future. The implications of the ongoing and growing threat posed by criminal and foreign adversaries are clear for cybersecurity operations and intelligence practice. The gap between the need for individuals highly skilled in cyber and the numbers of cyber-trained intelligence analysts within the National Security and Law Enforcement communities provides a challenge, but also numerous opportunities. Reskilling and upskilling in cyber expertise within the national security community will be important in dealing with the dynamic, technically savvy cyber opponents. Creating an agile, skilled cybersecurity workforce is the current challenge. The bottom line is that national security communities will need to invest in their workforce, to improve the cybersecurity capability and capacity of their people through further education and training.

Taking the ‘right’ risks and reaping the rewards By Jenny Yang Security Architect, Versent


here is a common perception of the stereotypical security professional who always says ‘no’. However, there are a growing number of security consultants who have come to approach new projects and clients with the response ‘yes - if….’. The role of the security consultant is to ensure they have assurances over what the business is doing, and to do that it’s not as clean cut as a yes or no answer. Security has never been about holding anyone back, but rather to protect the business by enabling senior leaders to take the right risks, in order to reap the rewards. To do this, the security consultant needs to have a transparent view of the business. Then it’s about taking a layered approach, and layering your recommendations with context. Real-time visibility of security posture To better understand the business and its challenges, it’s critical to know what your security posture is. Without knowing where you currently are, how do you know where you are meant to go? The traditional approach is to hire an external consultancy to compare the current security maturity to external standards such as ISO27001 or PCI-DSS. The findings will be analysed based on a time-boxed set of interviews and subset of documents, rather than what is actually in the environment. The response and analysis to which can be shaped by what the auditor perceives. This is not to discount the role of an external auditor, however in this changing climate, these audit controls need to be automated and assessments cannot wait until the next time there is funding for an external consultancy and a maturity assessment. General controls are typically assessed from two aspects: design effectiveness and operational effectiveness. The guardrails built into your CI/CD pipeline form your design effectiveness. The operational effectiveness is where monitoring and security orchestration tools come into play. The benefit of going to cloud service providers is that there are ‘plug and play’ products that can give visibility. Stax is a perfect example of this. Executives expect quarterly cybersecurity reports and managers spend at least a few days every month generating governance risk and compliance reports; however, this can

now be reduced to an automated task that can be produced in real-time. Automate security auditing Security consultants are designed to be advisors, not auditors. With the shortage in cybersecurity resources, time is better spent on automating controls, not on ticking check boxes and spending countless hours generating monthly compliance and executive security reports. Migrating to the cloud was considered to be a significant risk 10 years ago. It’s important to remember, just because you migrate to cloud platforms like AWS, does not automatically grant you all the certifications that come with AWS. It does however, give security professionals the optimal opportunity to leverage new and improved tools, build in the automated security controls and enhance visibility of their own resources. Build in the controls, then trust and verify Trust that your developers know what they are doing but still verify to check against human error. A good developer will want to share their learnings, learn from others and build continuous improvement into the pipeline. Your developers know the ‘ins and outs’ of the application and where it could be improved which enables the company to fine-tune their policies. Greater visibility of how to improve the code and the technology with static code analysis and runtime vulnerability management scanning, will ultimately educate the developer community. The trusted advisor Managers and executives need to change their expectations around what the security team is providing, moving beyond monthly reports, to see the security consultant as a ‘trusted advisor’ to inform the business of its risk, rather than simply providing a yes or no answer. And once the security consultant has a better understanding of the business, and its challenges, only then can they enable a business to take the ‘right risks’.

Australian Security Magazine | 11

E TUN IN ! NOW 12 | Australian Security Magazine


Episode 28 – Australia’s eSafety Commissioner, Julie Inman-Grant discussing online safety, cyber bullying and child exploitation

Episode 15 – Protecting media & journalists in hostile environments – Shannon Sedgwick, CEO of GM Risk Group

Julie Inman-Grant, the Australian eSafety Commissioner at the Office of the eSafety Commissioner, speaks with Chris Cubbage at the Women in Cyber Mentoring Event in Sydney. Julie discusses her role and her focus on online safety, preventing cyber bullying, and child exploitation, and how her 17 years formerly at Microsoft, as well as Adobe, and Twitter, assist her in her role as the Commissioner of eSafety.

In this interview, Chris Cubbage interviews Shannon Sedgwick, CEO of GM Risk Group, a consulting firm specialising in protecting media staff, both in terms of physical and cyber security, as they travel in hostile environments.

Chris and Julie also discuss the three pillars within eSafety of safety, security, and privacy and their inter-connectedness and priorities, and how parenting and education are still the two major lines of cyber-defence.

Shannon has personally provided protective services to media companies and has travelled to over 30 countries this year, including the Congo, Afghanistan, and Iraq. Shannon discusses the services that GM Risk Group provide, how to mitigate risk, and the increased focus of media companies on duty of care and overall safety for journalists. If you, or members of your team work in regions of the world, where data or physical safety are at risk, then you’ll enjoy this interview with Chris Cubbage and Shannon Sedgwick.

Episode 25 – ECU Cooperative Research Centre & Dr Peter Hannay’s research into historical location data within digital devices In this interview, Dr Peter Hannay of Edith Cowan University (ECU) provides insight into the recent completion of his doctoral research which focused on historical location data that can be gathered from small and embedded devices. This research was used by WA Police to assist in homicide cases, for tracking a suspect’s movements, as well as providing a credible alibi. Peter also talks about ECU’s Cooperative Research Centre, a $130 million-dollar project, as well as leading research in cyber security, particularly IoT. If you’re interested in cyber security research, and true crime, then you’ll enjoy this interview with Chris Cubbage and Dr Peter Hannay.

Episode 8 – Meet Renowned Autonomous Vehicle Security Architects & “White Hat” Hackers, Dr. Charlie Miller and Chris Valasek, GM’s Cruise Automation You’ll love this interview with Charlie Miller and Chris Valasek. As the sixth interview at #AISACON17 in Sydney, we met these celebrity ‘security architects’, who first hacked two non-connected, commercially available cars using a diagnostic port. While some consideration was made to security in the original software, Chris and Charlie highlighted that with a little problem solving, and a lot of patience, control systems, effecting steering, brakes and lights could be manipulated. Later, the dynamic duo set their sights on ‘remotely’ hacking a Jeep SUV. In this interview, we’ll learn how they were able to bridge the gap between the ‘head unit’ or radio, and the control systems, and take control. All while the driver was travelling at over 100 km per hour. Enjoy the discussion!and privacy and their inter-connectedness and priorities, and how parenting and education are still the two major lines of cyber-defence.

Episode 17 – Tackling online extremism through inclusion and tolerance: The Raqib Taskforce In this interview, Chris Cubbage interviews Anooshe Mushtaq, Chair and Founder of The Raqīb Taskforce, an organisation that promotes social inclusion and cohesiveness for Australia’s Muslim community, particularly the youth. Anooshe shares how her grassroots organisation is helping to debunk hate speech, remove division, and promote the voice of young Muslims, to counter extremism both within and outside the Muslim community. This involves a host of online and social media strategies. Ultimately, the Raqib Taskforce aims to build a tolerant and cohesive society, through better understanding of all sides. Please Note: This interview was arranged and conducted by MySecurity Media independently of the Risk Management Institute’s National Conference. Recorded November 16, 2017, Canberra.

Episode 9 – Cyber Threat Alliance (CTA) President Michael Daniel in Sydney #AISACON17 Our seventh interview at #AISACON17 in Sydney in October, is with the President of the Cyber Threat Alliance, Mr Michael Daniel. In this interview, Michael Daniel talks about his new role at the Cyber Threat Alliance, or CTA, and how his organisation and the 12 member companies are sharing threat intelligence at speed and scale. In particular, you’ll hear about the CTA’s ‘sharing rule’, that ensures collaboration, and improves all members’ products and services. And this sharing is quick. Michael highlights that the time from detection by one member company to deployment by another member company can be as short as only 54 minutes. In this interview you’ll hear cyber security vendors working together to collectively, systemically disrupting the ‘bad guys’. Australian Security Magazine | 13


Trends in the technology industry – opportunity, scale & China

Insights from the Canalys APAC Channels Forum, December 2017, PERTH

T By Chris Cubbage Executive Editor

14 | Australian Security Magazine

he opportunities for the technology industry and channel providers are moving fast and in some parts of the globe, the technology strides are leaping ahead. It will be the Technology Channel eco-system who will sell, support, configure, secure and maintain these interconnected networks, systems, robots, drones and autonomous vehicles. The market opportunity is looking explosive. As 2018 gets underway, every sector will continue to increasingly experience a digitalisation and automation transformation. In manufacturing, or what is termed Manufacturing 4.0 is being seen in China, Japan and South Korea, with the value chain moving faster than ever through the application of 3D printing, robotics, analytics, virtual reality, augmented reality and the concept of digital twins, where a real product and a digital copy of that product is created to manage and track the entire life cycle, including the intricacies of the farm and factory.

Driving Transformation: Cloud Environments & Ecosystems The cloud environment will support these evolving and innovative applications but with the use of edge computing, local processing and storage will still be necessary. The ability to process multiple data sources at high speeds, close to the source of the data will continue to rise sharply. There will be a need for speed and overcoming the latency of cloud environments. As a result, there is an emergence of microsolutions, combined sensors, analytics, machine learning that are rugged, heat resistant, water resistant and portable. This will be a new form of computing. It is being driven by increases in CPU and GPU processing capability and solid-state drives are exploding in terms of capacity, currently available in 32TB. These micro-clouds will exchange data with the public cloud and the Technology Channel partner network sees enormous opportunity around the integration


driven and centred around cloud infrastructure and it is now who partners with who, for providing cloud services. These partnerships bring together the operational technology and IT technology companies, such as HPE partnering with APG, announced in Madrid in October, 2017. In Microsoft’s case they’re working with HPE, DellEMC, Lenovo, and Cisco Azure stack for edge computing. AWS is working closely with VMware for cloud architectures. Google is behind but catching up and Cisco and Google have released products for providing hybrid cloud environments, capturing Salesforce as a preferred cloud provider. It is not just the USA cloud providers. China’s Alibaba and TenCent are also growing fast in South East Asia and will continue to expand globally. The scale of capital investment is enormous, with massive purchases for server and storage capacity by the super seven cloud builders, Amazon, Microsoft, Google, Facebook, Alibaba, TenCent and Baidu. Microsoft and AWS are spending US$2 to US$3 billion dollars a quarter each, on building datacentres. These companies are buying more servers per quarter than either HPE or DellEMC sells per quarter. The component suppliers are responding and there is a need to take cost out of datacentres and some are building their own custom silicon in order to reduce costs and accelerate deployment. The super seven will ultimately face a huge capital expenditure challenge on maintaining current investments and whilst dealing with legacy technology. As technology continues to develop, these datacentres will ultimately require upgrading, as faster and more efficient processing and storage becomes available. What is the outcome of these investments? The race is on to capture as much of the cloud infrastructure market as possible, as technology continues to reach into every aspect of an individual human’s life, a product’s life and the way the two interface with each other from here on in. The human and machine have become inseparable. That is the opportunity and scale. Facial Recognition Delivers Service Automation

'...In China, more than 20 airports are using facial recognition to check who is traveling through the airport and in Singapore.' and management of these environments. Many of the technology solutions will still need to be delivered locally to comply with industry regulations and ensuring the delivery of faster performance. The cloud will evolve and big cloud providers, mainly in China and the USA, will start to move to other countries as part of the next trend, being a need to build ‘city’ clouds that sit closer to the data. The entire technology industry is increasingly being

In China, Kentucky Fried Chicken (KFC) is taking payments from people’s smiles, with no device or card required. The system confirms it is a real person through voice and movement verification and then verifies the customer’s smile using facial recognition, initiated through an annual service sign-up. Facial recognition, with the launch of the iPhone 10 will be a major driver of new technology solutions over the next two to three years, as it becomes mainstream and better accepted. In Singapore, retailer Challenger Technologies is using facial recognition to monitor the number of visits a person makes to the store, noting the sex, race, age and product interest of each customer and each of their visits. A convenience store called Cheers, also in Singapore, has no staff – you go in, select your items and the items are automatically self-checked out as you leave, with facial recognition being one, among of a range of integrated technologies applied, during the shopping process. These stores will increasingly become common place, with ‘process automation’ replacing the need for human capital. But despite

Australian Security Magazine | 15


" has invested heavily in drones, building 185 drone ports for delivery services to the rural areas of China, providing 24 hour delivery across the country. These drones fly 100 kilometres per hour and can deliver packages up to 15 kilograms"

the human service roles being replaced ‘front of house’, what the store still requires is to manage the system analytics and maintain the store’s software. People will be moved from the ‘front office’ to the ‘back office’. In China, more than 20 airports are using facial recognition to check who is traveling through the airport and in Singapore, Terminal 4 is now open, as one of the most advanced terminals in the world, providing self-service check-in, automated bag drop and immigration clearance and boarding, with passengers only needing to show their passport once. In addition, with 3D scanning, electronic devices and laptop computers no longer need to be removed from baggage to speed up the security screening and boarding process. City Surveillance capabilities are being demonstrated in China and facial recognition is being increasingly used widely for searching against criminal profiles. With a need to cover expansive geography, China is seeing network cameras deployed on a massive scale, with video analytics increasingly applied for extracting facial recognition. It is now a requirement in China for tender documents to have facial recognition as standard for all City Surveillance applications. Robotics, drones & displays

Cheryl Cook, Senior Vice President Global Channel Marketing, DellEMC Steve Brazier, CEO, Canalys

L-R: Cheryl Cook, Senior Vice President Global Channel Marketing, Joyce Mullen, Senior Vice President and General Manager for the Global OEM and IoT Solutions, & Tian Beng Ng, Vice President and General Manager Channels, Asia Pacific & Japan, DellEMC

16 | Australian Security Magazine

In Japan, Heather Hotels have launched the first robot-based hotel, with 140 robots and only seven human staff. The hotel includes two novelty dinosaur robots that speak five languages and in the bedrooms, a communication device called TAPIA, which works much like Amazon’s ALEXA, allows guests to instruct what they want – ‘please turn the lights on, please turn the TV on, please order room service.” Another food chain in Singapore, Koufu, is using robots to collect the dishes and will move around the restaurant, detecting if there’s an obstacle in the way. In the Guizhou province of China, a new Virtual Reality (VR) theme park opened in November 2017 offering 35 virtual reality attractions, from shoot-‘em-up games and virtual rollercoasters to tours with interstellar aliens amongst the region’s most scenic locations. The Made-in-China 2025 initiative has the goal of exporting 100,000 industrial and commercial robots, per year. has invested heavily in drones, building 185 drone ports for delivery services to the rural areas of China, providing 24 hour delivery across the country. These drones fly 100 kilometres per hour and can deliver packages up to 15 kilograms. In transportation, it is expected that fully autonomous cars will start to appear on roads within the next three years. It will be a race on who achieves it first, with Singapore and Seoul anticipated to be the first to allow autonomous vehicles on main roads. In Hong Kong, Minh Phung, a supply chain company, is using 3D design software to create its product samples, rather than what has been a traditional approach of sending customer’s physical samples, they now build, model and send in 3D. Though still not the same as a touch and feel experience, what previously took days and weeks is now just hours and sent to customers instantaneously, as well as provided in multiple sample forms. The factories are also being transformed with sensor filled factories in China, India and Bangladesh monitoring productivity, the progress of work


and the components and capacity of each factory. The same approaches are being made in other sectors such as agriculture or healthcare to measure and monitor the efficiencies across farms and hospitals. Likewise, in schools and on campuses, with the threat of active shooters, a sad but common threat in the USA, technology is addressing how it is applied in defending staff and students. Active shooter scenarios are now planned for with automatic locking systems on all the doors and panic buttons, with sections of the school or campus able to be locked down to prevent offenders from accessing areas and to provide valuable time to allow students and staff to escape to safety. Digital signage is another major growth area. A pizzeria in Norway is using a digital sign which is measuring when people look at the advert, how long they look and which aspect of the advert they look at. High resolution signage is rapidly gaining in quality, where the difference between a sign and a window may not be clear. This will allow digital signage to be more readily applied elsewhere, such as in homes, hotels or office rooms without windows. Commercially this is applicable to cheaper apartments or hotel rooms with a need to provide a sense of greater space, views and promotions. Even in aviation, aeroplane windows could be replaced with digital signs, displaying what the passenger prefers, including the replication of a window.

Steve Brazier, CEO, Canalys

Financial Systems Finance is rapidly being transformed by technology. The ability to deploy blockchain for auditing and inventory purposes will be increasingly important. The bigger trend is in countries now rushing to become cashless. Already in China, small micro payments are now cashless and has allowed even the homeless to go digital and receive street donations through QR codes and direct to their accounts. In India, de-monetisation has accelerated online adoption and online payment systems, growing over 20 times in 2016/2017 alone. With a population of 1.32 billion people, around 1.17 billion now have Aadhaar biometric identity cards and these are now linked to personal bank accounts. Once the link is established, payments can be facilitated using Aadhaar cards and will revolutionise Indian banking. Singapore too is introducing a cashless society with the government working with seven local banks to implement a pay-now system, which allows citizens to transfer money between each other using their phone numbers, without the need for their banking account number system. Government Surveillance Government will also play a role in driving a digital agenda. China is rolling out a social credit score system, which involves rating their 1.37 billion citizens based on their digital activity and use of their smart phones. For example, if you play games on your phone for eight hours a day then your social credit rating will go down because the system will detect you being lazy. However, if your purchase habits include buying nappies, your rating will go up, because you’ll be considered a responsible citizen by being a good parent and contributing

to society. If you chat with one of your friends who is an antigovernment activist, then your rating will go down, as you will be flagged as being connected to them. But despite the loss of privacy, some of the benefits will include quicker identification, such as checking-in at hotels, access to credit loans and getting travel visas. Today, the system is voluntary but by 2020 the system will be mandatory. If your social credit score falls to below a certain level, you may be blocked from the use of certain services or social inclusion, such as being blocked from using online dating sites or social media channels. And despite this concept being pursued by only China, it would be naïve to think that other countries will not look to adopt a similar system in the future. DellEMC: Announces Dedicated Iot Business Unit The DellEMC briefing, provided by Joyce Mullen, Senior Vice President and General Manager for the Global OEM and IoT Solutions and Cheryl Cook, Senior Vice President Global Channel Marketing outlined the company’s recent

Australian Security Magazine | 17


"The Infrastructure Solutions Group (Dell EMC) experienced growth of 2 per cent quarter over quarter, with third quarter revenue of $7.5 billion and operating income of $678 million. Servers and networking revenue was $3.9 billion"

commitment of US$1 billion into an IoT Business Division and touched on their dedicated Smart Cities team. With positive Q3 results, Dell Technologies has launched a dedicated Internet of Things (IoT) division aimed at coordinating development of IoT products and services across all of their businesses. This approach includes IoT-specific products, labs, partner programs and consumption models to help customers speed the implementation of their IoT solutions. Joyce confirmed, “We’re pretty happy about where we are in the market and in the industry and with our progress against our own internal goals. We’re very much focused on our infrastructure capability and has helped solidify where we partner and where we put our R&D. IoT is right on the cusp of taking off. I’m not sure if it’s a year, two years or three years but its going to take off at some point.” The Infrastructure Solutions Group (Dell EMC) experienced growth of 2 per cent quarter over quarter, with third quarter revenue of $7.5 billion and operating income of $678 million. Servers and networking revenue was $3.9 billion, which was an increase of 32 per cent year over year and three per cent quarter over quarter. Storage revenue remained flat at $3.7 billion quarter over quarter. For the first time, Dell EMC became the worldwide leader in server units and revenue share and maintained its global x86 server leadership for the fourth quarter in a row, with 18.8% unit share. Additionally, Dell EMC’s x86 revenue share increased 37.9% year over year. Subsequent to the end of the quarter, Dell EMC announced the expansion of its midrange storage portfolio with two new SC All-Flash data storage arrays, along with key software updates to Dell EMC Unity designed to boost efficiency and cost savings for mixed block and file workloads. Lenovo: High Performance Computing A Major Focus There are four key segments Lenovo is focused on: Cloud,

18 | Australian Security Magazine

Private Cloud, Analytics and Data Centre Infrastructure. In hyper-scale, Lenovo provides data centre infrastructure to four of the seven largest cloud providers. Software defined data centres are driving the cloud environment into software defined storage and hybrid cloud environments, such as Azure stack. “The third focus is High Performance Computing (HPC) and Artificial Intelligence (AI). Lenovo is a top two HPC provider and the fastest growing super computer company in the world”, confirmed Sumir Bhatia, President of Lenovo’s Asia Pacific Data Centre Group, “The objective is to be number one by 2020.” Lenovo has achieved some of the world’s best installations, including in June 2017 completing the delivery and implementation of the world’s largest, next-generation Intel-based Supercomputer at the Barcelona Supercomputing Centre at the Polytechnic University of Catalonia, Spain. The 11.1 petaFLOP Supercomputer called MareNostrum 4, is being used to power human genome research, bioinformatics, biomechanics, weather forecasting and atmospheric composition. The system is powered by more than 3,400 nodes of Lenovo’s next-generation servers, featuring Intel Xeon scalable processors, interconnected with more than 60 kilometers of high-speed, Intel Omni-Path Technology 100 Gb/s network cabling. It is the third leading-edge HPC system that Lenovo has installed at the Partnership for Advanced Computing in Europe (PRACE), making Lenovo Europe’s largest provider of leading-edge HPC systems. The next focus is AI with over a billion dollars investment going into Lenovo’s AI lab, with three labs around the world: Raleigh, North Carolina, Stuttghart, Germany and Beijing, China. These innovation centres are building an ecosystem around two key brands, Think System and Think Agile. Think System encompasses next gen servers, storage and network switches and in August, 2017 Lenovo announced the ThinkAgile VX Series, a preconfigured hyperconverged infrastructure appliance for software defined data centre capability. Sumir Bhatia highlighted, “With the new offerings


around the Think System and Think Agile, we have a total of 88 new world record benchmarks and 46 of these are on the new Purley platforms – more than any of our competitors.” When coming to market in the Asia Pacific region, Lenovo spreads the region out to Australia & New Zealand (ANZ), ASEAN, India, HTK (Hong Kong, Taiwan & Korea) and Japan, with a General Manager in each of these sub-regions to manage the four business units. For ANZ there is 65 people under the leadership of General Manager, Rob Makin, with coverage in all states supported with customer facing solution consultants and a separate channel team looking after the managed partners and distributors. Success in the ANZ has been achieved with the largest super computer sold in 2016 to the National Computational Infrastructure (NCI), based at the Australian National University and, since April 2017 is signing two to three HPC customers a week in Australia, having just experienced the sixth straight quarter on quarter growth. For Rob Makin, Lenovo is winning in the SDN space because of the quality of engineering in the products and the integral depth of partnership with the software providers. “This is not a standard server and some software”, Makin said, “this is an engineered appliance. What is very important is that when you put software on a server or engineered appliance you need to make sure that server is optimised for the best performance from that software. The second angle is when you put electricity through anything, at some point it is going to break. Statistically, we’re the most reliable by a factor of 10 against some of our competition. You need to have the support mechanism in order to fix these systems.” “If you take our pedigree with SAP, where for over 10 years we have over 50 per cent market share in the SAP HANA Appliance. This system consists of some server hardware and firmware, the SAP HANA platform and then a storage layer, which happens to be IBM Spectrum. We don’t have to attach a SAN to any of our appliances and it comes with RedHat software. All of this has to talk and function and when SAP decide the customer has to go to a new service pack, everything has to be configured.” The analogy Makin uses is it’s like running a Formula 1 real time analytics system. Rob said, “If that Formula 1 system is out of kilter you have to understand how to work with the software partners at Level 3 engineering in order to get things fixed, as well as design ahead of the curve. This is all an important message for the customer. If you deliver this technology that gives that cloud functionality to the business, whilst meeting the cost and data sovereignty point of view, all of a sudden, you’re relevant again.” Extreme Networks: Securing Network Growth Founded in 1996 with release of 1GB and 10GB switches, Extreme Networks came under new management in 2014, immediately acquired a range of high density wi-fi solutions and in 2016 acquired what was the Motorola wi-fi product line from Zebra Technologies. Now with two ranges of wi-fi solutions, Extreme Networks highlights itself as the official supplier to the NFL, including Official Wi-Fi Analytics Provider of the Super Bowl for the fifth year in a row and with a growing portfolio of major USA stadiums using

their network switches and multiple kilometres of fibre. In Australia, the company has gained Cricket Tasmania, installing a new network in Hobart. In July 2017 the company acquired the IP Networking division of Avaya, and in November 2017 they acquired the datacenter networking assets of Brocade. These acquisitions have built a suite of technologies able to service enterprise solutions at the network edge. The major markets are in hospitality, hotels, stadiums, logistics, healthcare and education, and increasingly to the broader enterprise sector. Importantly, security is built into the platform with network access control (NAC) provided by AirDefence, a Wi-Fi intrusion prevention system. “Despite many companies spending money on firewalls and network security”, said Simon Naylor, Vice President for the APJ Region, “they often don’t invest in securing the perimeter of their Wi-Fi networks. AirDefence spots rogue IPs, produces heatmaps, provides network assurance and we’re finding a lot of companies now looking at their networks in more detail.” Deploying Wireless Next Generation provides a triple radio access point, with two of the radios for data at 2.4 or 5GHz, providing traditional Wi-Fi and then the third radio can be used as a sensor to monitor for illegal access, attacks or activity. The solution is a mix of software and hardware and access point radios can also be used as sensors to secure the perimeter. Simon Naylor confirmed the company has the largest Café chain in China, with every single store installed with the Extreme locator providing location-based services. This allows customers to provide a first time log on, but once that device is registered, then the system will retain the customer’s details, preferences and when you enter another store in the chain it will auto-detect the device and offer, by name, preferred items and services. The same services are provided in Singapore for 16 shopping malls for Capital Land and in Australia, David Jones and HealthScope are major clients running their department store and healthcare networks. An attractive aspect offered by the Extreme Networks product range is a compliance platform which can create different policies specific to the industry network requirements, as well as network auditing configurations. In Australia and New Zealand, Managing Director Chris Georgellis is seeing market maturity growing rapidly, confirming, “companies are increasingly recognising the network as an asset and in the last 12 months the customers are seeing the business benefits on offer. People are opting into network and location-based services, with a new App, both Bluetooth and network location identification can be provided which tracks where people are in a department store, how long they spend there and then you can start to target people with offers and this will start to be integrated with digital signage and advertising.” Extreme Networks appears to be on an exciting growth phase, having leapt to the number three networking vendor globally, from number 13, through both organic growth and acquisitions. As a 100 per cent channel business, partners are critical, along with the likes of Hills and NEC in Australia, Extreme Networks is clearly focused on best of breed endto-end networking solutions to help manage, protect, analyse and monitor networks.

Australian Security Magazine | 19

National Security

Creating an intelligent world Introduction to the Milestone Systems MIPS 2018, Hanoi, Vietnam APAC Leading The Surveillance World

By Chris Cubbage Executive Editor

20 | Australian Security Magazine


s of 2016, the global video surveillance market was valued at $15.4 billion and mostly driven by the China market with 42% market share, exceeding $6.4B. Across the world, eight countries have higher growth rates than the global average, with five in the APAC region, being China, Indonesia, Vietnam, India and Thailand. The remaining three are Mexico, Brazil and Argentina. The APAC region will be the gravitational pull for continued growth of the video surveillance segment and its dominance in the physical security sector. Globally, physical security’s convergence with ICT infrastructure will drive growth in video and system analytics, hybrid deployment from Artificial Intelligence (AI) edge to AI cloud infrastructure and most importantly, will need to be increasingly supported by cybersecurity to protect privacy, accuracy and capability. By 2021 the APAC market forecast for video management systems (VMS) is to double to $663M, with China demonstrating a much larger video channel concentration, with 250 and over channels and 1000 and over channels

representing over a third of the total VMS license revenue. In opening the MIPS2018 Conference for Milestone Systems, January 23-26, 2018 in Hanoi, Vietnam, Monica Wang, senior analyst with IHS Markit provided an overview of the physical security market, with a focus on the major trends in video surveillance. The physical security sector is separated into security equipment and security services, with consumer video surveillance and video analytics showing clear growth trends. Indeed, the fastest growing sector in security equipment is the consumer video surveillance segment and in security services, video analytics is showing the greatest potential for continued growth. For the APAC region, enterprise storage and video surveillance are two of the fastest growing segments. Analytics & Ai - Market Drivers In Video Surveillance The key market trends driving growth is the continued transition from analogue to digital cameras and this trend will continue with the advent of network cameras, representing 71% of the market by 2021. The next transition for digital

National Security

cameras is moving to higher resolution cameras. As camera resolution improves there is corresponding growth in video analytics, which has forecast triple digit growth rates with capability to automate the video monitoring process. Growth is being supported with the advent of a new generation of video analytics that is building market confidence with its accuracy. By 2022, the number of cameras with inbuilt video analytics will grow by a factor of 4 and for video recorders with inbuilt video analytics, it is expected to grow by a factor of 5. Why is there a growing market demand for deep learning video analytics? Digital video streams can create big data pools and with cloud computing and better deep learning algorithms, the benefits of rapid image processing across cloud platforms will allow the algorithms to focus on accuracy and have a capability to improve the efficiency of the video analytics solution, processing video images in a fraction of the time and in much higher volumes. For the market segment verticals, in particular for transportation, government and retail, this capability creates new opportunities and will see the strongest growth. City Surveillance capabilities are being demonstrated in China. With a need to cover expansive geography, China is

seeing network cameras deployed on a massive scale with video analytics increasingly applied for extracting facial recognition. It is now a requirement in China for tender documents to have facial recognition as standard for all City Surveillance applications. The additional major trend is the deployment of Artificial Intelligence (AI) technology in video surveillance, using a mix of technologies at the AI edge and integrated to the AI cloud. AI at the edge saves on bandwidth and relieves on computing capacity at the headend with object detection, crowd monitoring and feature extraction done by the camera before image transmission. As new chip vendors enter the market, AI camera prices will also continue to decline and video surveillance will continue to converge with ICT equipment, bringing significantly improved capability for feature extractions of humans and vehicles, object searching and data mining. The final trend is in cybersecurity and the key challenge to overcome before video surveillance becomes a major aspect of the IoT revolution. Video surveillance and cybersecurity will become critical in terms of privacy and the path to cybersecurity for video surveillance includes connectivity, data

Australian Security Magazine | 21

Stephen Bose, Business Development for Icetana briefing APAC MIPS in Hanoi, Vietnam

surveillance market is a key area where these capabilities will be demonstrated. By 2025 it is forecast there will be a billion AI cameras deployed in world cities. With this level of intelligence and video analytics operating across these cities, this will bring a far greater understanding and insight into city activity, with the capability to drill down to the individual and specific objects. With a billion security cameras operating at 30 frames a second, this creates over 30 billion frames a second every day. The human ability to process and understand these images will not match the capability of AI. Currently, a human can understand about 5 frames a second, where the Tesla V100 system can handle 900 frames a second. The 8x Tesla can do 7,000 frames per second with less cost and greater accuracy. Over a short time, with machine learning, the systems will become faster and more accurate in applying biometric and movement algorithms for people and object matching on a scale never seen before, let alone imagined. Milestone Systems Transformation

"By 2025 there will be a 1000x GPU-computing improvement in performance over the current CPU. The integration of big data, neural networks and AI platforms will see massive increase in capability and the video surveillance market is a key area where these capabilities will be demonstrated." collection, data computation and the creation of biometrics, such as face, gate, movement, behaviour, as well as object and people correlations. Cybersecurity has become a major cornerstone of the video surveillance sector and includes the need to have pre-defined processes in dealing with and responding to identified vulnerabilities, effective vulnerability notifications and software patch delivery, best practices in standards for vendors and camera product features relating to camera encryption of images and certification by third parties. Era of Ai The era of AI is changing every environment, including in web services, intelligent machines, healthcare, security and finance. By 2025 there will be a 1000x GPU-computing improvement in performance over the current CPU. The integration of big data, neural networks and AI platforms will see massive increase in capability and the video

22 | Australian Security Magazine

"It is inevitable that all devices will be connected," states Milestone CTO Bjørn Skou Eilertsen. As an industry leader, Milestone Systems is focusing on the three key trends of aggregation, automation and augmentation, with aggregation of devices, automation of systems and augmentation with humans. Milestone is transforming the way it thinks about its solutions, products and platforms. With 22 solution partners, the company is maintaining its attention on the customer requirements with the Milestone video technology platform consisting of the presentation interface, device hardware, video services interface and cybersecurity. Each segment sets out to meet the corresponding key trend, with how devices are aggregated, with automation occurring in the video service interface and the augmentation provided via the presentation interface. One of the key investments for Milestone has been on expanding the driver framework into the IoT framework and to aggregate all of the sensor information with the video services interface, through building greater video processing services at the GPU level and improving compute capacity exponentially better and faster, with more innovations coming to market in 2019. One such innovation will be in the Mobile market, with a Mobile SDK to allow customers to adapt mobile applications to their own requirements. And in cybersecurity Milestone will be certified in data privacy and security to create more confidence in its approach to security by design, security by default and security by deployment.

Women in Security Cyber Security

Personal Inspiration to deliver Security: Daniela Fernandez With Chris Cubbage Executive Editor


rowing up in Colombia, one of the most beautiful countries in South America, Daniela Fernandez also faced her home country’s complicated daily reality, often involving violence and corruption. Now the Senior Manager Group Cyber Analytics and Reporting at the Commonwealth Bank in Sydney, Daniela took inspiration from tragedy, explaining, “Whilst studying in the first year of my Computer Science and Software Engineering bachelor’s degree, my mother was the victim of Colombian urban violent crime. She was leaving a bank in Cali when a criminal tried to rob her, she received five gunshot wounds in the process, but survived. This experience obviously affected me deeply in many ways, one of which was to develop a drive and a strong interest in security. I now wanted to shape my existing career to assist with crime prevention.” On completing her bachelor’s degree, Daniela moved to Australia to complete a Masters of IT in System Security and seek out opportunities to use her professional experience in Analytics and Software Development, but applied to the security domain. “Initially I worked in protective security services, looking after physical security, such as analysis of bomb threats, gas attacks and ATM skimming attacks, then I moved into an intelligence team and focussed on combating fraud. Later, I joined the cyber security team at the Commonwealth Bank, where I was hired to build the reporting and analytics capabilities for the team.” “Two of the key challenges,” Daniela highlights, “are the skills shortage and the need to raise security awareness. Lack of professionals with the right skills to work in cyber

security is still a global challenge across organisations. Women in leadership roles have a key role to play here – by becoming role models they inspire other women who may have considered a career in security, but have been put off due to stereotypes, or an existing lack of diversity. We need new and better techniques to raise cyber awareness that can easily be understood by non-tech savvy people. Female leaders bring new perspectives and fresh ideas to design innovative techniques that can help raise awareness and encourage safer interactions with technology and information.” Daniela contributes with leadership roles. “I currently have two mentees, a female student who wants to get into the cyber security industry and who is seeking advice for a potential career path, and a male who works in data analytics and is looking to overcome challenges faced to progress his career when English is not his first language. I also have a female mentor who has helped me with the progress of my leadership related goals. Mentoring has been great to gain useful advice and learn about others’ experiences. However, it’s also important to have good sponsors that can advocate for you and help you connect with the right people to get to the next step of your career. Women are being increasingly recognised in the industry, but more needs to be done. Diversity targets of gender and ethnicity have been achieved in some organisations for entry and mid-senior levels, but getting the right balance at the C-level is an ongoing challenge. In addition, due to minority of female leaders in the industry, when things don’t go the way they should, and the accountability falls on a woman, the negative impact is huge for the rest of the females in the industry.” Where Daniela sees the industry heading is a continued focus on collaboration between governments and private sector to strengthen security. “We have witnessed how well cybercriminals work together to achieve successful attacks, and from an industry perspective our collaboration against these threats has been fruitful, but there’s still a lot of work to do in this space. I believe that more sophisticated Artificial Intelligence or Machine Learning techniques will be implemented to prevent cyber-attacks and data breaches. These techniques will not only be focused on analysis and profile of previous attacks, but also on supporting activities related to threat assessment, intrusion detection and prevention, incident response and recovery. Finally, I also think that there will be a strong focus on compliance and getting the basics right with the introduction of security legislation, like the mandatory data breach notification scheme in Australia and the General Data Protection Regulation (GDPR) in Europe.” Daniela is someone who remains passionate about using technology to simplify and secure lives. “I’ve always found ways to do this within my career” she said. “For example, in addition to my day-to-day work I get the opportunity to participate in volunteering activities that have a positive impact in the community, such as the ‘ThinkUKnow’ program that the Commonwealth Bank runs in partnership with the Australian Federal Police and other organisations, that seeks to raise awareness about cyber safety with kids and parents.” An initiative which clearly reaches back to her inspiration whilst in her first year studying computer science.

Australian Security Magazine | 23

Cyber Security

Software defined everything: Moving from simple virtualization to business-critical services

V With Erin Dunne Director of Research Services, Vertical Systems Group

24 | Australian Security Magazine

irtualization and software-defined networks should be a means to an end — not an end to itself. The goal of a data center, after all, is to deliver services (such as applications and microservices) to end users or to drive business processes. It doesn’t matter if those applications run on physical servers or virtual servers or in Infrastructure-as-a-Service (IaaS) or containers – the goal is to deliver those services. Let’s take a step back. Of course, it matters if those applications run on physical or virtual servers; on-prem or in the cloud; or on traditional or software-defined networks. The technology is still evolving, and so are the offerings of service providers, who are scrambling over each other to find new ways of efficiently turning rigid systems into virtualized software-defined systems at every level. According to Erin Dunne, Director of Research at Vertical Systems Group, it’s helpful to define the services that IT wants to deliver as customer-facing services — something an end-user customer or business customer finds valuable, and is willing to pay for. “That's key,” she said, “because the enterprise customer is the beginning of a value chain. If the vendors, the service providers, develop OpEx reducing technologies, and that's all it does is reduce OpEx, that's fine, but is that sustainable? Probably not. They need someone to pay for the applications.” The complexity kicks in when those services become more complex and dynamic, Dunne added, requiring orchestration between multiple servers, applications, databases, and even clouds. How do vendors provision those services on the back end? How do they deliver them rapidly? How do they bill for them? “What are the most important drivers and challenges that you see when you deploy dynamic and orchestrated services? Pretty much by definition dynamic orchestrated services has to be software enabled, because they just doesn't

work in the legacy infrastructure,” she said. Such services need “faster service provisioning, rapid adjustments to existing services, and the ability to scale bandwidth quickly, sometimes instantaneously.” With deployment, Dunne pointed to questions about “how do you orchestrate, not only over your own network, but over multiple networks including access networks, long haul networks, data centre providers, all of those types of service providers?” Similarly, she explained, are questions about the OSS and the BSS systems. “If you can't bill for it, you can't deploy it. We're here to make some money!” For older companies, Dunne mentioned, there are “legacy infrastructures and legacy services. How do they integrate these new software enabled services with what they already have?” Assume the Network is Virtualized Service delivery requires application controls, and effective application controls change how networks operate, said Nick King, Vice President, Cloud Solutions at VMware. “We have to assume that most applications, particularly cloud-oriented applications, will assume the network is virtualized at some level. If the applications are containerized, the control will look at what sort of container runtime system the applications are running on, and that's usually presented in some sort of virtualized networking.” “As we look at traditional systems where applications are sitting inside our own data centers, can those applications span across both sides,” that is, to the cloud, King asked. “That's the big challenge for us. We've seen such a quick movement from software-defined to really-broadly-softwaredefined, like software-defined data centers and networking running into the cloud. That's really going to shift in a very short amount of time.”

Cyber Security

King also mentioned developing new cloud-native applications – which are often delivered as services. “It used to be that you'd build a service and deploy it: The service would live in one location. Today what we're seeing with Kubernetes and Docker is that applications are living anywhere, and that networking is also changing with that. We have to make the network abstraction happen as fast as possible across on-prem, private clouds, and public clouds on Azure, Google, etc.” Align Service Definitions to Business Objectives It’s all about business objectives, said Jeff Baher, Senior Director, Product & Technical Marketing, at Dell. “There is a tendency, when we look at the technologies, to start from the bottom up. With SDN, there was an early focus really on the networking layer, then applying the software, building it up, and software to find storage. Ultimately you get to this top of the stack.” However, he said, the end goal is software-defined businesses — and that’s the best place to start, and then figure out the technologies needed to create that software-defined business. Why don’t we hear more about it? “It is probably deeply proprietary. If you look at an Uber, or an Ancestor, or Facebook, the software-defined businesses are deeply proprietary.” Baher explained that in order for software-defined resources to “really gain traction and roots, it needs to be deeply aligned to what the business objectives are. That's key to understanding which technologies will matter and how they then get assembled to ultimately drive a business.” The Drive to Connect with Public Clouds Connectivity matters. There’s no point is creating wonderful services and applications if users can’t get to them, said Sunit Chauhan, Senior Director of Product Management with Nuage Networks, a Nokia company. “One of the trends that we've seen, whether it's SDN1.0, SDN2.0, is this movement towards the public clouds.” “There are certain trends that the networking industry, vendors in this industry can’t control,” he continued. “We are not going to be able to control where users reside, we are not going to be able to control where applications reside. The challenge for us to provide that secure seamless connectivity on demand in an OpEx/CapEx model that spans all of these different domains. If we are building solutions that are siloed into domains then we're not really solving the problem.” What about aligning software-defined services with a profitable business model? “What is really important is that we have that abstraction layer at the top, but provide a single abstraction northbound to these different systems, because you're not going to control where the applications reside. You're not going to control what applications users are running. That becomes an important aspect,” in making a business, Chauhan explained. Abstraction Aids Large-Scale Deployment “When you look at software abstraction across servers, storage, and networking, that is fundamental for both your private cloud deployments as well as hybrid and public,” said Gregg Holzrichter, Chief Marketing Officer at Big Switch Networks. “We have been able to develop that type of abstraction

as packaged software, and allow that to be deployed across any organization,” he continued. “When you're looking at large organizations, whether it's enterprise or service provider, providing pay to play, it's all about efficiency and automation. It's all about the APIs and programmability, which has been sorely lacking in networking silos until recently.” Moving to the Pay-to-Play Model Enterprise customers like the cloud model for paying for resources consumed, rather than building data centers, said Mike Frane, Vice President, Product Management, for Windstream Communications. “We found that as customers are moving to this pay-to-play model, as they move more of their applications and their capabilities to the cloud, they don't typically think of the entire value chain.” “Containerization all happens in the cloud – in Amazon Web Services, in Azure, in other locations,” he explained. But customers don't think about how data is going to get down to each of their individual endpoints, which may be running on a T1, or on an MPLS network,” or even on DSL or cable. So, Frane continued, “As customers do these evaluations, they have to ask, ‘Is my network ready, my cloud is ready, my strategy is ready.’ – but the network may not be ready. In some cases, customers have to augment their network, or make changes to different technologies, or different access types. So, when they look at the pay-to-play cloud model, they need to look at it holistically end-to-end.” Put the Controls In Before Services Can Fail There’s a cautionary tale there, warned Russ Currie, Vice President of Enterprise Strategy at Netscout, pointing out that any migration to software-defined everything has to be robust, and failure is not an option when implementing critical business service. “We kind of get enamored with the idea of ‘fail fast,’ but that’s not acceptable when you're putting up production applications out there, and your users are dependent upon those applications to get their jobs done. That just isn't going to fly.” “Providing the kind of visibility and control to handle the complexity that we're adding absolutely required,” he added. “That’s one of the bigger challenges that we face as we try to move so fast in rolling out new services.” Virtualization Is Eating the World “Software is eating the world, and if you look at some of the incumbent vendors, this means disaggregation, concluded Big Switch’s Holzrichter. “Just as the VMware disrupted the x86 market 15 years ago with the smart software layer, a smart software layer can do the same thing and disrupt networking. Having that concept of managing your entire network through a single pane of glass, not box by box, is that underpinning.” From software-defined networks to software-defined wide-area networks to software-defined data centers: Those are the means. Software-defined businesses, more agility, more profits: That’s the objective. Software-defined everything: That’s the answer.

Australian Security Magazine | 25

Cyber Security

How to bring Web-scale networking to the enterprise Not everything is moving to the cloud. In fact, the very technology developed for the cloud’s massive data centers is now being used to bring web-scale networking and automation to enterprise data centers.

W By Alan Zeichick, Tech Editor for NetEvents

26 | Australian Security Magazine

eb-scale networking refers to the state-of-the-art technology that is continually being developed by giants like Amazon, Google and Microsoft to create cloud-delivered services that can deliver extremely complex, customized information to thousands or millions – or hundreds of millions – of users, simultaneously, in a fraction of a second, 24x7. Web-scale network architecture is thought to be beyond the means of most of the world’s enterprise IT teams, except that innovative tech companies are bringing this web-scale technology within closer reach. You might think, from all the hype, that the entire future of computing now lies in the cloud, and yet there remains a massive installed base of enterprise data centers. To call those beasts “lumbering dinosaurs” would be unjust: after all, today’s birds evolved from dinosaurs. At this year’s NetEvents Global Press & Analyst Summit in San Jose, California, I met a man who also claims that his company can build enterprise data centers that really do fly. When NetEvents’ interviewer Manek Dubash asked JR Rivers, CTO and Co-Founder of Cumulus Networks, to introduce his company, the answer was surprisingly modest and jargon-free: “Cumulus Networks helps people who have the dubious honor of building their own physical infrastructure. We help them build the networks that make that infrastructure run efficiently, effectively, and serve their business needs.” The Cumulus website has a somewhat bolder statement:

“Cumulus Networks is leading the transformation of bringing web-scale networking to enterprise cloud. As the only systems solution that fully unlocks the vertical network stacks of the modern data center, Cumulus Linux allows companies of all sizes to affordably build and efficiently operate their networks just like the world’s largest data centers.” Rivers pointed out that in the past any sizeable new company would build a data center and take on IT staff, but now they have the option of SaaS and the cloud. So the fundamental question now, he says, is actually whether or not to build a data center: “It's becoming a very conscious decision, as opposed to an assumption that you're going to build a data center… That is the single largest trend that is occurring in the data center space today. It's not about containers. It's not about virtualizations. It's not about storage. It's build, or build not.” Linux Is Trending Another element in that conscious decision will be to build around Linux: “VMware has taken care of a lot of companies for a really long time, but if you sum up all of the virtualizations supplied by Google and Amazon, it dwarfs the number of virtual instances supplied by VMware today, and that trend will only continue forward… Technologies that revolve around Linux – storage, networking and compute technologies – those technologies are going to come to the

Cyber Security

forefront… who would have thought two years ago that Microsoft would stand up and say, we love Linux? Today, Microsoft is a Linuxified company from the data center standpoint. Huge trend.” Rivers sees good reason to support the Linux trend: “There's one thing that I've learned throughout my career is that software that's open for inspection tends to be the most rigorous and most secure software available, as opposed to proprietary software, or even software that was taken from an open environment and held off to the side.” A similar open strategy drives the choice of hardware, and his more holistic overview of the modern heterogeneous data center – whereas legacy data centers were mostly built around equipment from one or two giant vendors. “If you roll back, say, 15 years, you would look at networking as a piece of equipment you got from one of the well-known networking companies - and that was effectively the extent of your network. The hosts were not that involved in the network. The routers oftentimes might be thought of as a periphery of a data center cluster network and the switches were wholly unto themselves,” said Rivers. “All the operational frameworks were developed by those suppliers, with very little layering in there or choice. In the modern data center, he said, “unlocking that vertical stack really is taking each of those layers: the hardware layer – allowing that to be acquired – manufactured and designed independently from the software layers, having operating systems, networking models, routing protocol suites and operational tool chains that all exist at their own separate layers and can, when appropriate, exist on a switch, in a router or on a server.” Stay Loose, Be Flexible Another surprising thing is the stand Rivers takes against the precision, tailored approach in favor of a looser, more flowing structure in which capacity is king: “You need to provide as much capacity – whether it's storage, computer, or network – for your business needs as you possibly can, within a set of cost boundaries.” Explaining further, he says: “When you look at building out a modern data center, you have a ton of different jobs running against each other. You can try and highly engineer your network, but that usually doesn’t work out really well. What tends to work is just apply a lot of capacity to the problem and let things work themselves out in a very chaotic manner.” Rivers also said: “There's always this trade-off when you look at technology between tightly-engineered systems that start from the bottom and go all the way up to the top, versus loosely-coupled systems. Inevitably in industry, networking starts in that very highly-engineered system world. At some point in time all the pieces become so complex that any one organization can't actually act upon it very well.” Thinking Web-Scale Explaining how Cumulus networks microservices and containers, Rivers said, “They're built on a Linux substrate, so for every container deployment there's a ton of networking that occurs - not in some network switch or router, but networking that occurs on the host. So being able to

Those microservices have a lot of chatty communication with each other, and where they get placed is, again, very chaotic. So having a ton of capacity that allows that kind of communication chaos to occur helps these customers roll out their applications really, really quickly, without having to do a bunch of engineering around it.”

connect those hosts to the network in an efficient way, even connecting containers to the network in an efficient way and providing visibility and control around all of that is super important to the modern data center.” Going farther, he added, “Those microservices have a lot of chatty communication with each other, and where they get placed is, again, very chaotic. So having a ton of capacity that allows that kind of communication chaos to occur helps these customers roll out their applications really, really quickly, without having to do a bunch of engineering around it.” The way industry giants like Amazon, Facebook, and Google manage to support millions (or hundreds of millions) simultaneous users or sessions is by developing the loosely coupled hardware, network, infrastructure, and management underpinnings, controlled by the right software stack, built atop Linux. That’s the web-scale architecture. Once the web-scale architecture is place, the data center can expand to handle workloads as big as required – because adding new servers, storage, and networking fits right into the architecture. Need more capacity? Simply add it. That’s how the network evolves and scales seamlessly, without disruption. Maybe this does echo the chaotic environment in which birds and other creatures so successfully emerged from the dinosaurs. If you are looking to build a web-scale enterprise data center, it does not have to be a dinosaur. It could become a high-flying bird, though not one to rival the real giants, who have resources beyond any organization. “You're not ever going to hit the cost structure that Amazon gets,” said Rivers. “But if you get to 60% or higher, that's way better than people are operating at right now… we help people to get in to within 60% of a mega-scaler. That by itself is massive business benefit.”

Australian Security Magazine | 27

Cyber Security

The rise of Autonomous vehicles

T By Jane Lo ASM Correspondent

28 | Australian Security Magazine

he first known death caused by a self-driving car occurred last year in May when a Tesla driver put his Model S into an autopilot mode. The car’s sensors, failing to distinguish a white 18-wheel tractor trailer crossing the highway, crashed full speed into it. Nearly ten months later, an accident involving an Uber self-driving car prompted Uber to suspend its program for driverless cars pending further investigations. Even more recently, Google added to our doubts about the safety of self-driving cars when they disclosed drivers testing their driverless car Waymo(s), equipped with advanced driver-assistance, fell asleep at the wheel while moving at highway speed; some even put on makeup or hunting for cables and the like in the 2013 experiments. These incidents do not quieten the sense of unease when it comes to self-driving cars. A lot of the fear stems from the idea that the algorithms driving these cars are not able to make the split second “right” decisions and reactions that human drivers are (deemed) capable of.

Despite these misgivings, automation is on the rise in the transportation sector (and much more). Waymo, Uber, Tesla are not the only game in town. Automobile industry giants Ford, General Motors have also poured millions in this area. The pace of innovation has not sat idle. In the last quarter of 2017, AI-Asia Show at the Art Science Musesum Singapore, and the Singapore International Robo Expo (SIRE) held conferences and discussions to explore the trends, infrastructure and talents in Autonomous Vehicles (AV), among other aspects of automation and robotics. Singapore’s case for Autonomous Vehicles (AV) At the SIRE’s session on “Requirements to Faciliate Autnonomous Vehicle Deployment in Singapore”, Mr Titus Seah (Minstry of Trasnport, Singapore), elaborating on “MOT’s Vision of AV in Singapore” said: "Self-driving vehicles can radically transform land transportation in Singapore to address our two key constraints - land and manpower”.

Cyber Security

AV holds the promise of addressing these challenges through transforming the public transportation into one is only convenient but also comfortable, and thereby reducing the demand for private car ownership, and freeing us from the drudgery task of driving to focus on more interesting activities. Moreover, it also presents an opporunity to “shape the design of our cities”, he said. Examples include “reduction of carparks, and and narrower car lanes”. Singapore’s AV vision is realised through a few stages: town deployment in the next decade, and full operational deployment island-wide after. Trials prior to deployment are conducted in a phases, with the initial phase running in a controlled enivornment ciruit, before progressing to a small scale testbed with safety driver and full control. Final phase is tested in a complex environment, with or without safety driver with limited control. “The trials will help us shape the mobility concepts which can meet Singapore's needs, and also gain valuable insights into how we can design our towns of the future to take advantage of this technology”, Mr Seah explained.

'The trials will help us shape the mobility concepts which can meet Singapore's needs, and also gain valuable insights into how we can design our towns of the future to take advantage of this technology '

AV technologies in Singapore Mr Colin Lim (Managing Director, SMRT Services), at AI Asia Show’s ”The Inevitable Future of Transportation” panel, said, “unlike autonomous vehicle trials elsewhere, Singapore's focus was to employ the technology for public transport such as buses, shuttles, taxis, which is important to reducing demand for private transport and congestion”. Trialling AV in Singapore is ideal - neither wintry conditions nor heavy monsoon floods, clearly marked roads well-planned traffic system, and drivers who tend to obey highway code. With a government that has set out a clear AV vision, and who cultivates the art of the possible, Singapore has seen a few successful trials. AV in Singapore went public in 2015 within an enclosed ground with the 10-seater Auto Riders that shuttled visitors around Gardens-by-the-Bay. During the same year, testing began in the 2.5-squaremile business and residential district "One-North", for the first trialling of AVs on public roads alongside human drivers. Another important milestone was achieved in August 2016, when nuTonomy kicked off a pilot scheme offering the first ever self-driving taxis available to the public. While companies including Google had been testing self-driving cars on public roads for several years, nuTonomy, a spin-off of the MIT / SMART (Singapore-MIT Alliance for Research and Technology), said it was the first to offer rides to the public. It even beat Uber by a few weeks. Each nuTonomy car — modified Renault Zoe electric vehicles — is fitted with a variety of sensors (LIDAR, cameras, and radar) used to detect obstacles and traffic lights. Data collected as part of its trials in One-North - on vehicle performance, routing efficiency, vehicle booking process, and passenger experience – is used to continually improve the company's software. The company aims to roll out a fullyautonomous mobility service in Singapore in 2018. Dr Eng You Hong (Postdoctoral Associate, Singapore – MIT Alliance for Research and Technology, Singapore), elaborated on “Experiences in Conducting the AV Trial at

Australian Security Magazine | 29

Cyber Security

One-North”, and challenged us to imagine “an integrated autonomous train, car and shuttle system; providing mbility on demand, for both passsents and goods, which is completely adpaitve to how the landscape of any city changes.” Based on a research *, it was predicted that with Singaore’s 2011 population of 5 million, only 300,000 autonomous mobility-on-demand shared vehicles are needed, representing a significant reduction of the approximately 1million vehicles on the roads of 2011. *K Spieser, K Treleaven, R Zhang, E Frazzoli, D. Morton, and M. Pavone. Towards a systematic approaach to the design and evaluation of automated mobility-on-demand systems: a case study in Singapore. In S Beikr, editor, Road Vehicle Automation Lecture Notes in Mobilitiy. Springers, 2014. Doug Parker (nuTonomy's Chief Operating Officer), said at AI-Show Asia 2017, that "when you are able to take that many cars off the road, it creates a lot of possibilities. You can create smaller roads, you can create much smaller car parks." He added "I think it will change how people interact with the city going forward." Running concurrently with the One-North trial is the 2-year mobility-on-demand autonomous (MODA) shuttle trials at Sentosa. Offering the real-world challenges of a mixed-use transport system within the confines of a closed environment, Sentosa is a unique test bed. Integrated into its existing network of on-island bus, tram and monorail infrastructure, the shuttle, a 15-seater Navya Arma minibus, was showcased by ST Kinetics (title sponsor of SIRE 2017). Insights gained from the trial, such as technical and infrastructural features, and commuter behaviour and mindsets, are used for evaluating the deployment of AV in other areas of Singapore. ST Kinetics’s AV technologies are also being developed for larger 40-seater electric MODA buses equipped with GPS, sensors, detection radars and sonars, and more complex navigation functions such as increasing speed capabilities under heavier rain conditions. In addition to public transportation, AV is also trialling for industry applications, with Asia's first launched by the Belgian logistics company, Katoen Natie, at an ExxonMobil plant in Singapore's chemical industry hub. Developed by Katoen Natie in co-operation with Dutch manufacturer VDL Groep, the driverless truck’s transponders communicate with road sensors within the plant, to transport bags of polymer from a packaging center to a storage facility 3-4km away, with the aim to expand the pilot with 11 additional GPS-enabled driverless trucks in the near future. Other commercial pilots include the 30 electric-powered dollies that move containers at the terminals of PSA International, the government-owned port operator, and its "truck platooning" project where three driverless trucks tag via wireless communication a manned-truck on a 10km public road stretch between two port terminals. Most recently, to further catalyse Singapore to become a global player in urban mobility solutions, a 1.5km test circuit that replicates various elements of Singapore roads, such as common traffic schemes and rules, was launched. Jointly developed by the government and the Nanyang Technological University, the 2ha facility also has a rain simulator and flood zone to put AVs' navigational abilities to the test under these conditions.

30 | Australian Security Magazine

Cover Feature

'Autonomous vehicles are still in trial phase, hence sufficient realistic field data may not be available in next few years. An integrated simulator can prove highly useful in bridging that gap' What are AV’s enablers? By integrating processes with GPS and digital data culled from phone apps to optimsie pick-ups and drop-offs, the Fleet Management System (FMS) enables the control of fleet operations including energy and speed management. Explaining that simulation plays an important in the FMS design, Justin Dauwels (Deputy Director, ST Engineering –NTU Corporate Lab) at SIRE2017 said: “Autonomous vehicles are still in trial phase, hence sufficient realistic field data may not be available in next few years. An integrated simulator can prove highly useful in bridging that gap”. Further, simulations become more critical as the technology matures to handle multi-traponsportation system, customer demand modelling, and integration of real-time traffic data. AV deployment is not possible without the ecosystem of engineering skills coupled with certifications standards and framework for validating safety, security and performance functional safety. This was hlighted by Dr Martin Saebeck (Principal Technology Conultat, TUV SUD) at SIRE 2017, “as the pace of technology advancement surpass legislations adnd standard bodies, stakeholders in technnology development and adoption carry the responsibility to mitigate the risks for scalable and dependable automation technology”. Ethics, Law and Anthropomorphization In Saudi Arabia, Sophia, the robot made headlines when it was granted citizenship. “I am very honored and proud for this unique distinction. This is historical to be the first robot in the world to be recognized with a citizenship”, she (it) said. How her claim holds up in court will not only set a legal precedent, but also pave way for how we think about how robotics and automation impact various aspects of our lives. AV is exciting because of the benefits it brings. Aside from freeing us to perform more value-added tasks while we are intransit, there is plenty to look forward to: imagine that we no longer have to worry about drink-and-drive, or falling asleep at the wheel, or be embarrassed about poor parking skills. But, many questions remain. Some are software (are there robust data sets for different regions or climates); some are security related (how easily is the AV hacked), or legal (who is responsible if an AV crash). And some require business model changes (what does an AV insurance cover). Matt Pollins (Partner, Head of Comemrical and Technology – Media and Telecommunications, CMS Singapore), at the AI-Asia Show, speaking on “Legal Issues in Artificial Intelligence: Who regulates the machines?”,

questioned “What happens if Intelligent machines commit crimes? Who owns IP generated by AI?” Amongst concerns such as privacy, biased algorithms, cybersecurity, perhaps how the AV will arrive at an answer to a moral dilemma occupies us most. Dr. Ian Kerr (Canada Research Chair in Ethics, Law & Technology, and Full Professor Faculty of Law, University of Ottawa), on his talk “Predicting AI: The Past, Present and Future Promise of Artificial Intelligence“ (as part of the High Commission of Canada’s Speaker Series to mark Canada’s 150th Anniversary) presented the classic thought experiment in ethics: the “Trolley Problem”: There is a railway-trolley barreling down towards a group of five people strapped onto the tracks. We are standing some distance off next to a lever, faced with two choices: (1) pull the lever which diverts the trolley onto the side track – though this will kill the one person who tied up on this other track or (2) do nothing and the trolley kills the five people on the main track. He explained that our expectations towards non-humans tend to be “anthropomorphised”. Projecting our humanity onto AV, we expect the AV to embody similar human traits, emotions, intentions and react like us. So in the Trolley problem, we will probably program the “right” answer given by an individual or a group into the AV. However, he catuioned that by default, artificial intelligence is “unpredictable by design” and it is “impossible to recognise all scnearios”. Moreover, as “machine autonomy increase, human controls decreases”. The “foresseability problem” – that “AI can be autonomous and operate in ways that are unforeseeable by the original programmers, giving rise a potential laibility gap”, * was highlighted by Mr Matt Pollins. * Regulating Aritifical intelligence systems: Risks, Challenges, Competencies, and Stragies., Havard Journal of Law and Technology, Vol. 29, No. 2, Spring 2016, by Matthew U. Scherer Whether we talk about Narrow AI (which operates in ways that are no longer under the control of those who are legally responsible for it), or General AI (which eludes the control of all human beings), we undoubtedly conjure up science-fi images of Terminators and where lethal autonomous robots are weaponized and kill-decisions are delegated to the machine. What can we do? Dr Kerr suggested an international norms be agreed under a United Nations framework, so that AI is for the good of humanity. Danit Gal (IEEE, Chair of Outreach Committee), speaking on “The Ethics of Artificial Intellignece in Asia”, emhapised the need for a “kill swtich” and “to fail safely”. When will atuonomous vehicles arrive? Mr Koh Poh Koon (Senior Minister of State for Trade and Industry), opened the Singapore International Robo Expo, noting “we are at the cusp of the next phase of industrial revolution, where traditional business models are being disrupted by technological advances in areas such as the Internet of Things, Artificial Intelligence, Data Analytics, and Robotics”.

Australian Security Magazine | 31

Cyber Security

SAE International’s J3016 “International’s Levels of Driving Automation for On-Road Vehicles” Six Levels of Driving Automation Photo Credit: SAE International and J3016

From driverless cabs to commerical trucks, from tests in closed environments to trialling in public roads, Singapore has demonstrated that automated driving is coming; yet, many of us are still convinced that we are no closer to experiencing driverless cars in our everyday lives. How do we make sense of what is really possible in this brave new world of self-driving vehicles? One way: standardise the definitions and expectations of what we mean by “self-driving”. SAE International’s J3016 (formerly the Society of Automotive Engineers) “International’s Levels of Driving Automation for On-Road Vehicles” (issued January 2014) sets out a common taxonomy and definitions, for six levels of driving automation that spans from no automation to full automation. • The first three levels rely on humans to perform the dynamic driving task. This task includes the operational (steering, braking, accelerating, monitoring the vehicle and roadway) and tactical (responding to events, determining when to change lanes, turn, use signals) * • The next three levels delegate the entire dynamic driving task to the automated driving system with varying degrees of human back-up intervention under increasingly complex environments. The idea is that we can be totally free to read a book or finish up an article while the software worries about the driving. • The last 6th level is the fully automated car. In likelihood, level six is what we have in mind when we think of a driverless car. While most believe that is probably

32 | Australian Security Magazine

decades away, we humans simply have poor track record when it comes to forecasting technological breakthroughs. That within half a century of Thomas Watson’s prediction that "I think there is a world market for maybe five computers," – whose company IBM went onto develop Watson famed for its Jeopardy matches against human players and in whose home country witnessed the proliferation of PC in nearly every home – proves that the potential of bleeding edge technology does sometimes surpass our capacity to imagine the impossible.

Why NDB compliance starts with the “essential” security basics

I By By Michael Bosnar VP, ANZ at Ivanti

t almost goes without saying that data breaches have become a headline making daily occurrence. Locally there have been numerous high profile data breaches in the past few months, with both public sector and private sector organisations being targeted. Just to name a few: the Department of Finance, the Australian Electoral Commission, the National Disability Insurance Agency, the Department of Defence, Medicare, AMP, UGL, the Australian Red Cross, Dominos and most recently Uber have all suffered breaches of Australian customer data over the last couple of months. It’s alarming that even Uber, a company commonly regarded as a major digital disrupter, seemingly forgot the cyber security basics and failed to provide proper governance. Moreover, what most of the breaches mentioned above have in common is that the hackers got in through security vulnerabilities that could have been avoided by following basic “cyber hygiene” procedures. For instance, the recent hacking of an Adelaide defense industry contractor in which commercial details of military aircrafts were stolen, revealed that hackers had gained access by exploiting a 12-month-old vulnerability in the company’s IT helpdesk portal. The ASD also found the contractor had not changed its default passwords on its internet facing services. In just a few months no doubt it will be made known just how prevalent data breaches are, with the federal government’s Notifiable Data Breaches Act (NDB) taking effect on 22 February. This will require organisations with an annual turnover of more than $AUD3 million to notify affected customers and report the theft of personal information to the Office of the Australian Information Commissioner (OAIC). Organisations that fail to meet the requirements will face fines that could reach more than $AUD1 million. “Doing an Uber” will be unlawful so organisations need to be working even harder to get their technology, people and processes ready for compliance. Getting the basics right Most cyber attacks are successful because companies struggle with the security basics. Many organisations are

focusing disproportionately on reactive tactics rather than preventative strategies outlined by the Australian Signals Directorate’s “Essential 8” cyber security strategies, which help organisations achieve a baseline cybersecurity posture. The eight recommendations are divided into two groups. Four intend to prevent malware from running and the other four intend to limit the extent of incidents and recover data. A key recommendations is for organisations to be patching their operating systems and apps regularly. They also need to be implementing application control. For instance, the WannaCry ransomware attack could have been remediated against using application control and wouldn’t have spread if the relevant vulnerability was patched. In addition, all unnecessary admin privileges need to be removed. Such steps have been mandated by organisations like the Australian Signals Directorate (ASD) as key in preventing ransomware. In fact, according to the ASD, application whitelisting, application and operating system patching and administrative privilege restriction could mitigate 85 percent or more of cybersecurity threats. Penetration tests should also be carried out regularly; it’s even worth getting friendly hackers to expose – and then patch up – any existing vulnerabilities. There are other layers to your cyber security defences to consider. User education is vital to preventing phishing emails from getting in, which are often the gateway to cases of online fraud. It is also important to continuously back up data to avoid the risk of data loss and to correctly configure Windows firewalls, to help to stop the spread of ransomware. However, patching and application control should be first on the list for all organisations looking to fortify their organisation against attack - and can go a long way toward reducing your attack surface. If the “back to basics” approach is to succeed, organisations need to start viewing their security programmes proactively as opposed to reactively, to ensure that the necessary precautions are in place from the bottom up. Only then will we be on course to derail cybercrime in its tracks. Ultimately, when it comes to security and IT, it’s vital to get the basics right first - otherwise your technological innovations will be built on incredibly weak foundations.

Cyber Security National Security

Digital Analytics

Rethinking the role of government, the role of regulators, and the challenges that the community faces.

I By Chris Cubbage Executive Editor

34 | Australian Security Magazine

f you’ve ever worked on solving large complex problems or within multi-jurisdictional agencies such as national intelligence or government services, you will appreciate how frustrating it can be to often get even the simplest of answers. Hence, it is encouraging to get an insight into the initiatives underway by Dr. Ian Opperman and his growing team at the NSW Data Analytics Centre. Presenting at Clariden’s Disruptive Innovation Forum in Sydney last October, Ian commenced, “One of the great things about running something new like the Data Analytics Centre is trying to not only change the way data thinks, but also how to change how government behaves with industry and push the boundaries, push the frontier of just how smart solutions can start to look. We are using Artificial Intelligence (AI), we are using convolutional neural networks and we are using a lot of machine learning.” “The view we take of the world is that data is a way of seeing the world. Science is a way of understanding the world. Bringing those two together, we’ve got a powerful new set of tools to address what is termed, Wicked Policy Challenges.” Across the NSW community, the areas being examined by the Data Analytics Centre (DAC) includes compulsory third-party insurance, understanding public safety issues and through to understanding family domestic violence and children at risk of significant harm. Dr. Opperman highlighted, “I’m going to end on a note around the privacy issues. That is fundamental for the work we do and there are some fundamental challenges in the world of data analytics

when we start to bring many, many data sets together, which relate to the nature of information and the nature of information which is captured by data.” The DAC turned two years old in late 2017, starting off with no staff, no budget, no compute and no resources. “There were two of us and a pot plant” Dr. Opperman recalled, “The approach that we took, with the ten problems we had been given, was let’s think about where we want to go. Let’s take an outcome focus. A design of thinking type of an approach to the challenges we had.” “The one thing we did have was data sharing legislation. We talked to government agencies about the challenges they had and would say to them, ‘just imagine a future world, all digital, all joined up. You’ve got access to any data set you could possibly imagine. What are the questions you would ask of that data? If you knew the answer to those questions in real time, what would make the biggest difference to the way you deliver your service, present the challenge or understand the challenge, or evaluate the effectiveness of the interventions that you are offering?’ And that’s the blue-sky position that we work towards.” “Then we come back to a series of horizons and fixed horizons. Each with fixed and variables that we are looking to address with the data piece, the software piece, the business process piece, the educational piece and the policy piece. But we deliver a proof of concept and predictor, so identifying the patterns of risk, the predicted outcome, and build an intelligence model, or a classifier, such as, is ‘is it one of these

National Security

and one of those’ and then a break it down further, to take them from a ‘what if ’ scenario, such as ‘what if we did this, what if we did that’. And we give that back to the agency and put it into their analytics environment or their IT environment and empower them to explore what a powerful question may be, such as a journey of a child, a family, a household, a community, a business, a building and in the world of agile for government, we start with that proof of concept and work towards that blue-sky picture.” “We give ourselves an immediate step, where we operationalise the proof of concept, and call that a minimum viable use case, and then work with that over time until we ultimately come up with a minimum viable product. Partly because when we started this journey, we weren’t sure of what we could do. So ultimately what we’re talking about is doing things differently. We’re looking to help agencies bring together those pieces of the digital world, as a way of seeing the world, use modeling, predictive capability, and analytics, as well as artificial intelligence to better understand the challenge, to better predict certain outcomes, certain stages of that journey of child, a family, a household, a community, a business, and to do the development of that ‘what if ?’. “ ‘What if ’ my challenge for juvenile justice is not just build a new jail? What if the challenge is really doing something in education or in family and community services, or in health, or something else in the Justice System? And as we’ve been developing, we’ve been following this agile process. We started out as two people, a pot plant and ten projects. Now we have 51 staff, which includes a cohort of 18 in-turns and a cohort of 35 projects, some of which we’ve taken through to making a difference in the world, and they’re the ones we want to highlight, and some of them are still at the proof of concept stage, some have reached the information management stage, where we’re going to operationalise them.” “And in order to package all these up together, we see the world, the digital world, being all digital, all joined up, and we have access to any data set. Every single question is actually just a different entry point into that digital environment. We’ve started to group our 35 projects into what are called ‘practice areas’. We get a better understanding of the community, a better understanding of the vibrancy of the community and a better understanding of the composition of the community. What we call human centric services, where we really are following that journey of a child, family, household, and realistically a victim and a perpetrator.” “We have projects around complex systems, like transport, waterways and projects around risk, and ultimately fraud and insurance. And rolling those all up is part of the design thinking and building a stronger and stronger governance around the data challenge, as we understand the data challenge more and more.” “There is a large data ecosystem being developed, as part of a digital marketplace. This was announced as part of the NSW Digital Economy Strategy earlier in 2017, and the Data Analytics Centre is part of that. We’ve just turned 2 years old, but the basis of how we collect, process, link and govern data is starting to inform a much bigger data ecosystem. This is all becoming real and as the data ecosystem continues to grow you’ll see more and more parts of government API accessible, accessed through governable

machine-controlled interfaces. This takes away the friction associated with sharing data inside government.” The DAC is the first of its kind in Australia and internationally unique due to its function and supporting legislation, with a charter to advise the NSW government on the challenges and potential solutions using data analytics, best practice data analytics, data governance and privacy measures, as well as making de-identified data open to the public. The DAC is bound by NSW privacy legislation and policies, as are the agencies involved, including the Data Sharing (Government Sector) Act 2015, Information Protection Principles, Health Privacy Principles and NSW Government Digital Information Security Policy. For more information visit

Australian Security Magazine | 35

Digital Fore Cyber Security

Digital ForensicS T By Jane Lo Singapore Correspondent

36 | Australian Security Magazine

he eagerly anticipated iPhone X launch at the Orchard Road Apple Store in Singapore drew massive crowds to its doors on 3rd Nov. Amongst the die-hard fans who had been queueing before 8am, an opening time that was two hours earlier than standard, were some who had flown in from neighbouring countries or even camped overnight. The enthusiastic response was further proof that each iPhone’s release had not failed to disappoint since Steve Job’s introduction in 2007. From a million units sold in 70 days, to more than 10 million in a weekend 10 years later, the evolution of iPhone, in its first astonishing decade, had seen a string of innovations that came with each upgrade. Packed with horsepower, imaging and voice-enabled technologies, iPhone spawned the age of “Smart Phones” with touchscreen features for us to navigate our news feeds and our geo-locations, and “apps” that entertain us and manage our daily lives. Not only did these spark the development of competing Android devices, “Smart Phones” also contributed to the exponential growth of other “Smart” devices - “Smart TVs”, “Smart Cars”, amongst others. This rapid pace of “Smart” innovations presents significant challenges to digital forensic practitioners. Each new feature, hardware, operating systems and

applications requires the development of new tools and techniques as part of evidence preservation. Additionally, each step of these new processes to extract and prepare data for evidence examination is set out to necessarily comply with the relevant Criminal Procedure and Investigations Code. Other technological advancements such as “Big Data” – where data are stored in multi-media, unstructured format – also makes it time consuming to isolate vital digital evidence. And most of all, the rising sophistication of Cyber Criminals also means digital forensic practitioners are more often than not, playing catch-up. At the DiCyFor Security Summit (7th, 8th Nov 2017), two digital forensic specialists, Mr. Christopher Church (Senior Mobile Forensics Specialists, Innovation Centre, Interpol) and Mr. Mohd Zabri Adil B Talib (Head of Digital Forensic Department – Cyber Security Malaysia) elaborated on the challenges and what are needed. Law Enforcement Investigations in the New Digital Era - Interpol With 192 member countries, Interpol spans a wide network to assist law enforcement agencies around the world in combating transnational crime and terrorism.


Cyber Security

November 2010: INTERPOL Secretary General, Ronald K. Noble (centre left), and Singapore Minister for Home Affairs and for Law, The Hon. Kasiviswanathan Shanmugam (centre right), sign a Headquarters Agreement, in the presence of INTERPOL President, Khoo Boon Hui, and Commissioner of Singapore Police, Ng Joo Hee (far left and far right respectively). Photo Credit: Interpol

Christopher Church (Senior Mobile Forensics Specialists, Interpol) on “Law Enforcement Investigations in the New Digital Era”. Photo Credit: DiCyFor Security Summit.

Supported by facilities such as Digital Forensics Laboratory (focuses on extracting digital evidence from electronic devices), Cyber Fusion Centre (brings together law enforcement and industry, in sharing and consolidating Cyber Incident information and best practices), The Interpol Global Complex for Innovation (IGCI), located in Singapore had successfully coordinated a few Interpol-led operations. Some success stories One was the April 2015 take-down of Simda (a network of malware infected computers in US, UK, Russia, Canada and Turkey). The global operation was coordinated by the IGCI, with collaborations from the private sector (Kaspersky Lab, Microsoft, Trend Micro), Japan’s Cyber Defense Institute, and law enforcement agencies, including the Dutch National High Tech Crime Unit, FBI, the Russian Ministry of the Interior’s Cybercrime Department “K”. Another (with participating countries Cambodia, Korea, Philippines, Thailand and Vietnam), was the June/July 2015 Operation Aces, which led to the arrest of 48 suspects, seizure of 100 pieces of electronic evidence, and shut down of illegal gambling offices and call centre-type operations running online scams.

Success stories notwithstanding, Chris Church emphasized that law enforcement has to change and adapt as more crime is transferring from the real world to online, and that law enforcement cannot fight Cyber Crime on its own. Criminals constantly evolving “Criminals are constantly evolving, adapting their tools and methods in an attempt to stay ahead of police. This is especially true when it comes to cybercrime. Law enforcement must therefore keep pace with innovations in technology and embrace the latest crime-fighting developments”, he said. Law enforcement have struggled due to various challenges, some which are not dissimilar in the private sector such as inadequate investments or knowledge, others such as criminals’ ability to rapidly adapting to law enforcement intrusions, or, lack of consistent standards in digital forensics. Digital Innovations – double edged sword Chris Church added that the proliferation of cloud where a “user’s life is replicated on the cloud – such as pictures, videos, audio flights, hotels, concert bookings, purchase histories

Australian Security Magazine | 37

from online / offline instant messages, behavioural analytics”, that “the Cloud is becoming more essential as technology moves ever onwards”, with more powerful processing and larger storage capabilities. “Cloud brings a world of opportunity not seen before”, such as more “Virtual Reality, Immersion Gaming (Pokémon GO) and advanced processing power and utilisation of Artificial Intelligence and machine learning.” Add to this, is the “IoT integration” - mobile phones, laptops, SmartTV, Smart Watch, Tablets, Motor Car and such connected to a vast Cyber Space network - we are living in an era where “everything is always on and always communicating and collecting data around the user and their habits." The ubiquity of digital devices means that digital evidence is present in almost every crime. While this offers new opportunities for police investigations, it also means collecting evidence from a wide diversity of devices which have varying degrees of technological complexities, and which, not uncommonly, cross jurisdictional boundaries. Complication Digital Forensics - Encryption Adding to these complexities is the debate over encryption and access to secured devices and communication. Common situations where crucial evidence such as text messages or photos in the suspect’s device exist but are inaccessible due to a PIN key, court-order for vendor’s assistance to unlock a device could be hampered by regulations / concerns on data privacy and protection. The pitting of security against privacy considerations - as witnessed in the San Bernardino’s shooter’s case – to arrive at the “right approach is both a legal and social challenge. Forensic tools not catching up with increasing sophistication “The digital technology is becoming too varied and complex for traditional forensic tools to access, examine, process, visualize, compare and analyze data. And Cyber Criminals are becoming advanced and organized at large scale. Another challenge is the increasing of zero day attacks like Ransomware and APT”, said Mohd Zabri Adil B Talib. These challenges, the volume of data stored on the devices requiring significant time spent isolating relevant evidence, on top of those posed by rapid technological advancements are “leading to slow results and massive case backlogs” and “digital forensics field needs new techniques and methods to cope with big scale of data evidence and complexity of APT attack”, he added. What’s being done Chris Church said “to promote best practice guidelines in dealing with digital evidence, in the UK, all digital forensic practitioners working for the Criminal Justice System need to be accredited to ISO 17025 for most of their work”. Further work remains to bridge the gap between digital forensics and these codes of practice and conduct associated with the accreditation, such as analyst competence, the validation of

methods, and the handling and storage of test items which tend to focus on physical forensics. Mohd Zabri Adil B Talib said, “due to the complexity of the technological issue, CyberSecurity Malaysia introduced CyberDEF service in 2015”. CyberDEF is combination of a standard CSIRT (Cyber Security Incident Response Team) and element of forensic science which focuses on Detection and Eradication, and Forensics. This formalisation ensures that forensic science is an integral part of Cyber Defense, the next level of Cyber Security which “to analyse the attacks, and to prevent future attacks, at the same time adding the ability to bring Cyber Criminals to justice”, he elaborated. The battle continues Cyber Crime can be labelled as too difficult to prosecute on the basis that Digital Forensics is too complex and evidence is elusive. But there are also other reasons. In the Interpol-coordinated operation targeting sextortion around the world: Operation Strikeback in April/ May 2014, which resulted in the arrest of 58 suspects and seizure of 250 pieces of electronic evidence, some suspects were bailed and yet to face criminal charges. Prosecutors in many countries, often have anti-corruption laws to charge those caught taking bribes in exchange for favours or influential decisions. But when sex is involved, prosecution is harder because sextortion as a legal matter (often) does not exist, and prosecutors have to lean on existing law. And with victims often shying away from coming forward, it is one of the hardest-to-prove crimes. Even when Cyber Crime prosecution is successful, there could be a sentencing gap between what is perceived to be fair and proportionate to the crime committed, versus the actual penalty handed down by the judge. In the excerpt from Australian Broadcasting Corporation program “Four Corners: Transcript - Fear in the Fast Lane”, Andrew Fowler the investigative journalist, interviewed the law enforcement officers involved in catching the Cyber Criminal selling 50,000 credit cards (equivalent to $110 million) for sale on the net. That the accused got off with a $2,000 good behaviour bond and a one year suspended prison sentence, plus $150 in court costs, “left many gobsmacked”. In yet another example of the complexity law enforcement faces is the translational nature of Cyber Crime. Though the criminals are identified, taking them into custody may not be possible due to lack of jurisdiction over them. Recently, The Prague High Court ruled that Russian citizen Yevgeniy Nikulin, accused of hacking social networks including LinkedIn, who was arrested in Prague, can be extradited to the United States. Russia also accuses him of a small cyber theft and both countries have requested his extradition, leaving him in a tug-of-war between Washington and Moscow. These are just some of the challenges in combating CyberCrime. To keep their enterprises alive, Cyber Criminals share their experiences and learn from the past. Law Enforcement around the world must do the same to keep up.


Register online at

20 - 22 March 2018 I Pullman Melbourne Albert Park I Australia

FEATURING LEADING INDUSTRY EXPERTS: JARMO ESKELINEN Chief Innovation & Technology Officer Future Cities Catapult, UK

CLAYTON BANKS Chief Executive Officer Silicon Harlem, USA CHARLES CASUSCELLI Chief Executive Officer Western Sydney Regional Organisation of Councils

BENEFITS OF ATTENDING  Leverage technology within cities for social good, sustainability, resilience and equity  Examine what’s happening in the foundational sectors of smart cities - from mobility and transportation to health, infrastructure, energy and finance  Connect together silos within city administration to make smart city decisions  Understand how data and analytics are enabling insights into city operations to tackle urban challenges

DECLAN CLAUSEN Deputy Lord Mayor The City of Newcastle

 Develop procurement strategies to support the partnerships needed for collaboration  Integrate people, networks, analytics tools and platforms at the start of your smart city journey to ensure success  Benchmark and identify smart city projects that you can model



Held as part of the Cities 4.0 Summit it will focus on security and privacy aspects of smart cities that are relevant to areas like Internet of Things (IoT), Smart Buildings, Smart Grid Systems, Critical Infrastructure Networks and Intelligent Transportation Systems. More information here: Supported by:

JULIE WAGNER Non-resident Senior Fellow & Co-Director Brookings Institute, Switzerland PROFESSOR MARK BURRY Founding Director, Smart Cities Research Institute & Professor of Urban Futures Swinburne University of Technology CLAIRE HOWLETT A/First Assistant Secretary Department of the Prime Minister & Cabinet KEVIN MACK Mayor, Albury City Council & Chair Evocities

Media partners:

Organised by:

TOBY KENT Chief Resilience Officer Resilient Melbourne To see the full list of speakers visit

REGISTER NOW!  +61 (0)2 9977 0565  Australian Security Magazine | 39

Cyber Security

Alternative Payments powered by BlockChain By Jane Lo, Singapore Correspondent


he stratospheric rise of BitCoin, from its humble beginning when 10,000 bought a developer 2 pizzas, to breaking through several resistant levels to trade as high as USD19,000, set off a series of skepticisms amidst a flurry of responses from regulators. Banking titans, Jamie Dimon of JPMorgan famously said he would "fire in a second" any JPMorgan trader who was trading BitCoin, noting: "It's against our rules and they are stupid"; and Lloyd Blankfein of Goldman Sacs said “something that moves 20% [overnight] does not feel like a currency. It is a vehicle to perpetrate fraud”. Chief Information Officer of the largest lender in Southeast Asia, DBS, claimed, “We see BitCoin as a bit of a Ponzi scheme,” describing transaction fees as “incredibly expensive,” and “hidden through the cryptomechanisms.” Some countries in the Americas (Bolivia, Ecuador) or Asia (Kyrgystan, Bangladesh, Nepal) have outright banned BitCoin trading. Some see it as a solution to its struggling economy, such as Venezuela which launched an oil-reserves backed Crypto, or North

40 | Australian Security Magazine

Korea who could be mining digital currency to generate income. Some have officially recognised BitCoin as an instrument of payment, such as Zug Switzerland since last year; or Japan which moved on from the collapse of its Tokyo crypto exchange Mt. Cox and granted BitCoin the official status in April 2017. Regulatory actions by some larger economies have been less clear-cut. China, while demanding the closure of the domestic cryptocurrencies exchanges and outlawing ICOs, has not explicitly banned private citizens’ trading of BitCoin. Russia issued a draft bill to ban cryptocurrencies three years ago but had yet to follow through. In the US, the SEC (Securities and Exchange Commission) declared that ICOs may need registration, but its exchanges CME, CBOE (Chicago Merchantile Exchange, Chicago Board of Exchange) are cleared to offer trading exposure to cryptocurrencies. Others embrace the innovation by experimenting with BitCoin’s underlying BlockChain and DLT (distributed ledger technology), such as Canada’s Project

Jasper or Singapore’s Project Ubin – a DLT payment system prototype for interbank currency exchange, developed by a consortium of Singapore-based banks and R3, with the support of MAS (Monetary Authority of Singapore). Gibraltar is launching GBX (Gibraltar BlockChain Exchange) a new crypto exchange and token sales platform. The interest in BitCoin has clearly outgrown its geeks and devoted user community. Cautionary remarks, deep suspicions, speculative fervour, optimism and enthusiasm - these myriad reactions are perhaps the clearest evidence yet, of the immense potential of the BlockChain technology underpinning BitCoin, that allows exchange of value in a tamper-proof and transparent way with pseudo anonymous counterparties. With its low barrier of entry (you just need digital connection and software), BitCoin’s sprawling ecosystem spawned offshoots such as Ethereum Smart Contracts and other derivatives including ICOs. While a host of challenges such as mis-information, volatility, association with criminality, or

Cyber Security

"But many of these are technological challenges that could be addressed over time” and so “it may not be wise to dismiss virtual currencies,"

Nick Cowan, CEO and Managing Director of the Gibraltar Stock Exchange (GSX) took to the stage at BlockAsia Show 2017and elaborated on token sales best practices, something that the Gibraltar Blockchain Exchange (GBX), a new crypto exchange and token sales platform, a subsidiary of the GSX, is implementing to bring stability and standards to the industry. Photo Credit: GBX

Singapore (ACCESS), Monetary Authority of Singapore, speakers at the Singapore FinTech Festival 2017, and the Asia BlockShow 2017.

#1 Money Laundering One of the most cited reason for disparaging BitCoin is its role in facilitating criminal activities. This is not surprising given that ransomware, illegal drugs, or stolen plastic demand payments in BitCoin. The seizure of 110,00 + BitCoin from the takedown of SilkRoad further linked BitCoin to illicit activities. But … Aside from the inconvenience of laundering BitCoin (BitCoin obscured and layered by using mixers/tumblers expose the launderers to the trustworthiness of these service providers), BitCoin really is nowhere near as anonymous and untraceable as purported. It is pseudonymous - the 26-35 alphanumeric address to send or receive BitCoin can be tied to a user. With each BitCoin transaction recorded on the public ledger of BlockChain, visible to everyone, it is not impossible to find out who is doing what. In the case of SilkRoad, law enforcement first uncovered the suspect’s BitCoin addresses (by seizing the laptop he was actively using at the moment of his arrest), thereby tracing his transactions from marketplaces to his personal wallets.

#2 Price Swings

government crackdown may undermine the nascent ecosystem and ultimately shrink the network, “for now, virtual currencies such as BitCoin pose little or no challenge to the existing order of fiat currencies and central banks. Why? Because they are too volatile, too risky, too energy intensive, and because the underlying technologies are not yet scalable. Many are too opaque for regulators; and some have been hacked,” said Christine

Lagarde, IMF Managing Director at the Bank of England conference, London September 29, 2017. “But many of these are technological challenges that could be addressed over time” and so “it may not be wise to dismiss virtual currencies,” she elaborated. We find out more about the ongoing discussions from Association of Cryptocurrency Enterprises and Start-ups

Unsurprisingly, the roller-coaster ride of BitCoin marked it as a vehicle for speculation, not a reliable store of value. Regulatory crackdown, technological challenges, or just old-fashioned profit taking drive down prices; relief rallies on regulatory approvals or ‘successful forks’ contribute to price spikes. BitCoin started 2017 at ~$1,000. By June it hit $3,000 before losing $1,000 a month later, as uncertainties surrounded an impending fork which produced an alternate “BitCoin Cash”. Fears over the fork subsided but were quickly replaced by surprises over the Chinese government crack-down on ICOs and cryptocurrency exchanges, and unanswered questions about the fates of the Chinese mining companies, among the world’s largest. BitCoin plunged by $1,000 in mid-September, after opening the month at ~$5,000. Market resiliency supported its recovery to $4,000 as peer-

Australian Security Magazine | 41

Cyber Security

to-peer exchanges replaced the closure of centralized exchanges. But … While this volatility makes it hard for merchants to price their goods in BitCoin, it is an inevitable symptom of innovations. Just witness the Apple share price volatility tracking its iPhone launches or Tesla with each of its electric car upgrades.

#3 Power Consumption The last few months had seen heated debates on high power consumption of the BitCoin network, ranking it on par with that of countries such as Macedonia, Ireland, most countries in Africa, or an average U.S. household. Sceptics focus on the vulnerability of the network due to the high power requirements. Critics point out that the usage diverts from more useful economic activities. But … The mining difficulty level can be adjusted downwards, to lower energy consumption if energy cost starts to eat into mining profits. Security professionals argue that high power consumption ironically ensures the stability of the BitCoin – that is, a 51% attack is an expensive power requirement to maintain network disruption. Some maintain that there is still lacking a meaningful comparison between Crypto and Fiat in power requirements.

#4 Cyber Security BitCoin is more secure than alternatives: a larger network not only means it costs more to attack, but also develops a rich ecosystem to be focus of study by cryptographers. But as its value increases, so does its appeal to potential Cyber attackers.

Just last year, more than $60m worth of BitCoin was stolen from one of the world's largest digital currency exchanges, Bitfinex, the biggest since its predecessor, Mt Gox, lost BTC worth $350m at the time of heist and ultimately had to shut down. A network of Ethereum, had also been a victim of a Cyber break-in, forcing a “hard fork” that sparked rebellion splitting it into two versions – one in which the losses were fully reflected and recorded, and the other in which as if the theft never happened. These Cyber thefts exposed vulnerabilities despite having delivered security improvements such as segregated client accounts, two-factor authentication and multi-signatures protocols. But … To be clear, while the exchanges had been hacked, only one major vulnerability of the underlying BitCoin was found in its implementation and exploited. Nevertheless, for this new technology to survive and gain wider adoption, some say it is time for formal standardization of the security requirements.

#5 Overall Crypto Reputation Aside from being labelled as a “criminal” currency, BitCoin also suffers from “guilty by association” as its spin-off, ICOs, come under increasing scrutiny. Recent disputes surrounding the two highest profiles ICOs, Tezos and Bancor underscore the extent to which investors are willing to fund ICO, based on the release of white papers and the involvement of high profile venture capitalists, without demanding working prototypes, or implementation of best practices such as a robust governance framework. Due diligence ... At the BlockShow

Asia Crypto Funds panel, Prof David Lee stressed the need to complete due diligence with the same depth as with a traditional investment on aspects (such as the management team, milestones, and financial discipline). To assess if an ICO would be truly sustainable, he cautioned against viewing the Crypto world through Fiat lens, and instead suggested assessing the business on its ability to follow a 3-pillar model referencing - 3Cs (Community, Compassion, Creativity), LASIC (Low Margin, Asset Light, Scalable, Innovative, Compliance Easy), and 5Ds: digitalisation, disintermediation, democratisation, decentralisation, and disappearance.

#6 Speed and Scalability It is often said that Blockchain technology is today not ready for commercial use cases. Today, the BitCoin network sustains ~7 transactions per second (“tps”). Validation takes a further ten minutes, and longer when the system is congested. Compare this to Visa, which handles an average 2,000 tps (a fraction of their said capacity of 56,000); and Facebook and Google at ~52,000 and 40,000 respectively. On-going improvements … Enter EOS which is implementing asynchronous communication and parallelization whereby multiple transactions are processed simultaneously, enabling horizontal scalability of the network. Additionally, by adopting the Graphene technology (proven to achieve 10,000 - 100,000 tps), EOS can achieve 300,000 tps. In fact, the road map is to scale to process 1 million tps.

BlockShow Asia 2017. From Left: Simon Dixon (; Crystal Rose (Sensay); Igor Pesin(Sreda); Remington Ong (Fenbushi Capital); David Lee Kuo Chuen (Professor, Left Coast)

42 | Australian Security Magazine

Cyber Security

BlockShow Asia 2017. From Left: Benjamin Bliski Founder & Executive Director at The Naga Group AG, Floyd DCosta Management Consultant – Cloud, Blockchain Technology, Shaun Djie Co-founder at DigixGlobal , Toby Hoenisch Cofounder & CEO at TenX, Dmitry Gorilovsky Founder and CEO of Moeco.ioBrendan Blumer Founder and CEO of

#7 Acceptability For a new technology to become mainstream, it must find a fan base beyond the technically-minded. Brock Pierce (Chairman, BitCoin Foundation) at the BlockShow Asia 2017 “BlockChain & The Token Economy” panel suggested “going back to basics” of money: as a medium of Exchange, it should be portable, durable, divisible, fungible and a store of value. There is potential for BitCoin to fulfil these requirements, and also promote financial inclusion thereby reducing poverty, he said. Its characteristics of transparency and decentralization can also help discourage corruption. Some responses … Turning these views into actions is The World Bank, who launched a BlockChain lab a few months ago, as part of a bid to pilot projects that can improve governance and social outcomes in the developing world. But, as Simon Dixon pointed out at the BlockShow Asia 2017 “BlockChain Investments Agenda”, for the USD 300 billion ecosystem to become a self-sustaining economy, we must accept that we each have our own views of what we want BitCoin to be, and overlay our own wants and desires onto the protocol.

Singapore FinTech Festival 2017, panel “Harnessing the Power of the Ledger”. From Left to Right: David Rutter, Founder & CEO, R3 Lab, Joseph Lubin, Founder, Ethereum , V. Laxmikanth (VLK), Managing Director, Broadridge Financial Solutions , Greg Li, Head of Asia, BitFury

Singapore FinTech Festival 2017, panel “Harnessing the Power of the Ledger”. From Left to Right: Chonchol Gupta, Chief Business Officer, IOT Word Labs (Moderator), Brad Garlinghouse, Chief Executive Officer, Ripple Taavet Hinrikus, Co-founder & Chief Executive Officer, Transferwise , Tim Grant, Founder & Chief Executive Officer, DrumG Financial Technologies

In Summary … The enthusiasm surrounding BitCoin is partially rooted in the promises of BlockChain technology. Greg Li (Head of Asia, BitFury) at the Singapore FinTech Festival 2017 panel “Harnessing the Power of the Ledger” said that BlockChain is not about reducing costs, “but the significant value creation through

a boost in efficiency and velocity to trade assets, reducing human errors, and having the transparency for easier audit. We are talking about time, people and resources savings which can be put into other areas.”

But, its application to everyday practicalities may be limited – for now. At the “Alternative Payments: Beyond Hype” panel, Brad Garlinghouse (CEO, Ripple), believed that alternative payments would reduce the

Australian Security Magazine | 43

Cyber Security accounts and identities.” “The best response by central bankers is to continue running effective monetary policy, while being open to fresh ideas and new demands, as economies evolve”, she added. Initiatives in Singapore

MAS (Monetary Authority of Singapore) and ABS (The Association of Banks in Singapore) lead the project, involving 11 financial institutions and five technology companies in Phase 2 of Project Ubin. Phase 1 of the project implements the concept whereby banks receive their Digital SGD transfers from the Central Bank, allowing them to make transfers to each other or back to the Central Bank. The exchange of Digital SGD on the distributed ledger are transfers of a binding claim on the Central Bank’s currency; participants are not exposed to credit risk.

cross-border transfer friction (time, cost) but he did not believe that society can move away entirely from a cash-based system into a cashless society. Taavet Hinrikus (CEO, Transferwise) agreed, and referring to coffee, he explained “it is currently not possible for anyone to purchase coffee using BitCoin, but they can surely do so using cash”. On the other hand, Christine Lagarde proposed, at her Bank of England speech that virtual currencies “may one day be easier and safer than obtaining paper bills,

44 | Australian Security Magazine

especially in remote regions. And because virtual currencies could actually become more stable.” For “new payment services in countries where the shared, decentralized service economy is taking off … rooted in peer-topeer transactions, in frequent, small-value payments, often across borders”, she said virtual currencies “potentially offer the same cost and convenience as cash—no settlement risks, no clearing delays, no central registration, no intermediary to check

Amongst the regulators who have taken a proactive and forward-looking approach is the Monetary Authority of Singapore (MAS). With Project Ubin, Singapore has demonstrated its commitment to “FinTech” and promoting innovation within the Financial Services sector. “Project Ubin is a collaborative project with the industry where we introduced a digital representation of the SGD to explore the use of DLT in interbank payments and settlement. It’s not for retail payments,” clarifies Jacqueline Loh, MAS Deputy Managing Director, monetary policy & investment/development & international/ fintech & innovation. “We believe that central banks like MAS can play a bigger role beyond just providing research funding. Collaborative projects such as Project Ubin support the creation of open intellectual property and foster collaboration between industry players,” she says. On Cryptocurrencies regulations, it has also clarified its stance. Singapore doesn't plan to regulate cryptocurrencies such as bitcoin, but will remain alert to money laundering and other potential risks stemming from their use, Monetary Authority of Singapore (MAS) Managing Director, Ravi Menon, said in an interview with Bloomberg News in October. MAS’s focus is to "look at the activities surrounding the cryptocurrency and asking ourselves what kinds of risks they pose, which risks would require a regulatory response, and then proceed from there," he added. Further, in the wake of an increase in the number of ICOs in Singapore as a means of raising funds, it clarified in August that the offer or issue of digital tokens in Singapore will be regulated if the digital tokens constitute products regulated under the Securities and Futures Act (Cap. 289) (SFA). MAS is also working on a new payment services regulatory framework, known as the Payment Services Bill. The Bill will streamline the regulation of payment services under a single legislation, expand the scope of regulated payment activities to include virtual currency services and other innovations, and calibrate regulation according to the risks posed by these activities.

Available online!





ed PP1


See our website for details


w | w

u w.a















t a jus it trali Aus ’t hack n ca













n ralia




| w ww.a us








o m Com s single state


May 20


Te fundinrrorism g law s Digit aga al War Islam inst the ic Sta te

gy holo a Psyc rviving u for s nt attack viole

Get each print issue per year for only $88.00



2017 orld ol W ecurity Interp Cyber s s | view nect and re t ven Con nal e ines Regio| Philipp re gapo

Sin ek in

r we




ed unifi your : Three ring s Secu nication erations id mu com key cons





T hoekr uch m m gy – RecCByobnolo

d lia? fe an A sa re Austra secu



f war

o rity: gnition & Facial secu r Video en in Senio Wom habab, rcher, Analytics b hin S esea Nous ecurity R ersky La S Kasp




urity r sec e US Cybe ets in th PL s ra s a of nected e &A, Drone con ick TQearr d r u Q te s, n o...rism in rity ime, evcieuw ore re S eTcehcT

VIEW L -RE els ECcIAuss Ctrhaalinann u rSitPy fo s ac’ a ly u u a c A e n rity ltCha & - M G’s s COA onwea Fourtu‘smecu COU



ren o



g the akin n 61: T o DATA n’s lead h o Nati r researc cybe



ep 20




d PP1








Post App


NMEN T AN RSA D CO ps RPO U Edito Conferen l sRteATE SEaC CO tica g U ce 20 r's R THE eview Prac buildin ient RITY MAGAZIN 1 r E - PAR 7 il o T 2 f ber res prise Cybe y r ks: c r c e c t In a n t suran e Time at traffi le c to e– sta conv Vehicminute t ersati rt the on Ten loymen ya ivac dep Is pr t cause s lo C ri sis NY ese eist - Com Manage H Chin - Use municati ment Foc The k Cyber us r Driv o .au Ban role en Plan com ine. The yber nning agaz uritym nsec of c nce alia ustr .a w sura ww e E | the IT in to b Modern AZIN re kes ating MAG Secu isCin ITY Rg avig the futu it ta ity y N t ri o E U S a u ty f E r Wh art c eo ORAT Strate ORP gy scap DC a sm T AN land ING



SUBSCRIBE TODAY... DON’T MISS AN ISSUE Yes! I wish to subscribe to the Australian Security Magazine, (1 year). ☐




(inc GST)





(inc GST)


Yes! As an additional bonus I wish to receive direct to my inbox the Asia Pacific Security Magazine (emag)

No business or government organisation survives in a vacuum. Sharing knowledge is fundamental to the development of successful security planning and implementation. That is the role of our magazine: sharing knowledge of developments in security management for public and private sector organisations, both for internal management and for external obligations in public safety and security.

Go to and fill in our subscription form online. Dont miss an issue! Phone: +61 (8) 6465 4732 during business hours AWST (Australia Only)

PRIORITY FAX Credit Card Details Australia +61 (8) 9467 9155

FREE POST My Security Media 286 Alexander Drive, Dianella. W.A. 6059


GST This document will become a TAX INVOICE for GST when payment is made. My Security Media Pty Ltd ABN 54 145 849 056

Australian Security Magazine | 45

TechTime - latest news and products

To have your company news or latest products featured in our TechTime section, please email

Latest News and Products

FLIR Systems introduces FB-Series ID thermal fixed bullet camera with built-in human and vehicle recognition analytics A

ll-In-One Intrusion Detection Solution for Any Size System FLIR Systems has introduced the FBSeries ID, the latest fixed bullet thermal security camera in the FB-Series family. Combining best-in-class thermal image detail and highperformance onboard analytics, the FB-Series ID is ideal for narrow to wide area perimeter detection and sterile-zone monitoring. The FB-Series ID features accurate video analytics that are capable of classifying human or vehicular intrusions. Combined with FLIR’s custom Automatic Gain Control (AGC) and Digital Detail Enhancement (DDE), the FBSeries ID provides unmatched image contrast and sharpness, which improves analytic performance, resulting in fewer false alarms. The FB-Series ID is certified for integration with major third-party video management systems (VMS), as well as FLIR’s United VMS. Outfitted to act as a standalone security system, the FB-Series-ID can also handoff classified intrusions to FLIR pan-tilt-zoom cameras for autonomous tracking of intruders. Featuring FLIR’s superior 320×240 resolution thermal imaging sensor, the FB-Series ID can detect potential intruders in total darkness, and through sun glare, smoke, dust, and light fog. Five lens options – 93, 49, 24, 12 and 9-degree field of views – offer wide to narrow coverage and reduce the number of cameras needed to monitor fence lines, perimeters, and open areas. “As the first FB-Series camera with built-in analytics, the FB-Series ID provides an all-in-one intrusion detection system that classifies human or vehicular intrusions with low false alarm rates,” said John Distelzweig, Vice President and General Manager of FLIR’s Security segment. “The FB-Series ID solidifies FLIRs initiative to expand artificial intelligence and bring thermal imaging to more customers.” The FLIR FB-Series ID comes with FLIR’s industry-leading 10-year warranty on the

46 | Australian Security Magazine


thermal sensor and a three-year warranty on the camera, and will be available for order in late December 2017 through established FLIR dealers and integrators. For more information on the FLIR FB-Series ID and FLIR’s complete line of security solutions, visit

The FLIR Quasar product line introduced a new member to the family today, the Quasar 4x2K panoramic camera. Featuring four, full-highdefinition visible sensors, the 4x2K produces

offers wide area surveillance to monitor cities, critical infrastructure, and other high-profile security areas. With interchangeable field-of-view options of 180- and 360-degrees, the Quasar 4x2K can replace multiple individual cameras, allowing security operators to reduce the number of security cameras required for monitoring wide areas. With automatic stitching that combines the four sensors into a 180-degree view, the camera generates a highly detailed, seamless image that eliminates blind spots and scene duplication. Built-in infrared illumination automatically adjusts to the 180- or 360-degree viewing mode and monitors without the need to illuminate the scene. The Quasar 4x2K integrates with FLIR’s video management systems (VMS) and major third-party VMS. Using a one-step configuration process that guarantees quick and efficient mounting, the Quasar 4x2K easily adjusts to either 180- or 360-degree viewing mode in the field. With an IP67 environmentally-rated dome enclosure to withstand mist, rain, and accidental submersion, the Quasar 4x2K provides 24/7

4K resolution for highly detailed scenes and

video surveillance either in- or outdoors.

Quasar 4x2K panoramic camera

FLIR Quasar 4x2K panoramic camera

Information presented in TechTime is provided by the relevant advertiser and are not necessarily the views of My Security Media

TechTime - latest news and products

Smart street furniture and free wifi to transform Sydney F

ree public wifi and new bus shelters, kiosks and public toilets equipped with digital technology will start rolling out across Sydney within the next two years as part of a major overhaul of the city’s street furniture. The City of Sydney is calling for expressions of interest from service providers to provide free public wifi and a new suite of street furniture, including bus shelters, kiosks, automatic public toilets, benches and bins – all in a consistent style and with technologies that support the needs of the city’s one million daily workers and visitors.

It is the first time in nearly two decades that the City’s street furniture contract is being put out to the market, creating an opportunity for designs that incorporate digital technologies and sustainable materials. Lord Mayor Clover Moore said the changes would help make Sydney more attractive and accessible while meeting the needs of today’s tech-savvy commuters, residents and tourists. “This is a unique opportunity to invest in new street furniture with a consistent style and using technologies to make it easier for people to stay informed and find their way around our

New ACIC report reveals financial crime is on the rise T

he Australian Criminal Intelligence Commission (ACIC) has released the Serious Financial Crime in Australia 2017 report, which highlights the sophistication and complexity of serious financial crime facing Australia. ACIC CEO Michael Phelan APM said Serious Financial Crime in Australia 2017 presents the picture of serious financial crime currently impacting on the Australian community. “Financial crime is causing major harm, beyond that being committed by serious and organised crime, and affects Australians of all walks of life. “Financial crimes in Australia are committed by sophisticated individuals and groups exploiting systemic vulnerabilities in areas such as taxation and revenue systems and government health and welfare programs.

Information presented in TechTime is provided by the relevant advertiser and are not necessarily the views of My Security Media

“Financial crime is also being committed by those using offshore structures to evade paying tax in Australia, presenting a significant and growing threat to our national economy. “The role of technology in enabling financial crime has markedly increased—from opportunistic tax refund fraud, to the large-scale online theft of personal identifying information which enables the theft of funds from investment and superannuation accounts. “Money laundering remains a fundamental enabler of financial crime and is a significant and potentially lucrative criminal enterprise in itself. “Professional facilitators, including legal and accounting professionals, liquidators, offshore service providers and real estate agents, remain critical enablers of financial crime, particularly through association with serious and organised crime groups.

city,” the Lord Mayor said. “Eventually we could see real-time emergency, event and transport information displayed on bus shelters. “We want to make sure no one is left behind in this shift to a digital future, so we’re looking for innovative local and international providers with new ideas to deliver fast and free public wifi. “Across the expressions of interest, we’re looking for modern sustainable designs that use energy efficient materials and fittings.” The City’s existing street furniture contracts have been in place since 1998 and are due to expire by mid-2019. The cost of supplying, installing and maintaining the new street furniture items is estimated at less than the cost of purchasing and maintaining the existing street furniture. Expressions of interest are open until 6 February, with the contracts for both the wifi service and street furniture to be awarded around mid-2018. The existing street furniture items will be progressively removed and replaced with new items from 2019. Advertising panels will be allowed on certain items – subject to development consent on a site-by-site basis – with advertising sales revenue being used to fund the supply and maintenance of the new street furniture. A portion of advertising on street furniture items will be reserved for cultural events that support the arts and encourage people to take part in local creative endeavours.

“Serious Financial Crime in Australia 2017 draws on the work of the Serious Financial Crime Taskforce agencies, as well as intelligence and operational data held by a broad range of law enforcement, regulatory and government agencies. “The complexity of emerging financial crime issues will require ongoing multi-agency cooperation to better understand the nature of the crime and to develop mitigation strategies.” Mr Phelan said. Serious Financial Crime in Australia 2017 is available now at

Australian Security Magazine | 47

TechTime - latest news and products


Kevin Bloch, Chief Technology Officer, Australia & New Zealand, Cisco


he following is a summary of my predictions of the ICT trends for 2018. They have been selected because of their impact on the networking industry and they forecast what is expected to happen or start happening, within the next 12 months. “Facebook is a new world order – without any Magna Carter” – Wired. 2017 was a global tipping point that permanently changed the world. A common thread linked political change to the retirement of stalwarts of industries to new trading methods and payment systems. That thread was characterised by trust - or the lack of it, between individuals and institutions - and pervasive online technology. It is a new world order in which digital blurs national boundaries, is boundless and is attracting capital and reshaping value like never before. It is providing exciting new opportunities that promise to improve our lives and generating new challenges including excessive power in the hands of a few large tech companies. Gartner projects the IT industry to grow 4.3 percent to US$3.7 trillion. Really? When you look at the massive migration to cloud, mobile and software, can this be correct? Alternatively, is the IT industry actually shrinking but the use of IT in lines of business (ie operations or OT) growing faster? 1. Augmented Intelligence – Extending human intelligence pervasively, at machine-scale Artificial Intelligence (AI) hype peaked in 2017. There was also tangible progress in the various elements of AI including robotics, computer vision, language processing, virtual agents and machine learning. Business leaders recognise the importance of data and AI and are investing

48 | Australian Security Magazine

with urgency. Those that aren’t probably won’t be around for much longer. But there is much work ahead. Single-skill AI is already common in the form of Siri, Google maps, Amazon Alexa, advertising and online shopping, for example. AI will become multi-skilled, ‘ambient’, pervasive and enable devices to adapt to people in contrast to people having to adapt to the device. The global race is on in software for the master (multi-skilled) algorithm and in hardware for AI chip dominance. 2. Intuitive Systems – Sensing, thinking, acting As humans, we realise that our capability using only our brain, is limited. Yet we are concurrently experiencing a massive opportunity where technology - specifically compute, network and storage performance - is improving at almost exponential rates. Research into the human body and brain, such as sight and intuition, is informing how we can leverage machines and technology to automate. Automation involves eliminating or re-engineering human involvement in a specific process and it requires three critical ingredients – measurement (to generate data), computation (to process the data) and action (to do something with the data). Intuitive-based systems will proliferate across IT in our quest to automate by ‘closing the loop’. 3. Cyber and Trusted Systems – From Denial of Service to Destruction of Service Cyberattacks are now the third-largest threat facing the world, following natural disasters and extreme weather. Revenue generation is still the top objective of most threat actors. However, some adversaries have both the ability and the inclination to lock systems and destroy data as part of their attack process.

“Mobile payments grew to around $5 trillion in China, almost half of the county’s GDP. The Global Financial Crisis, royal commissions and multiple bank investigations have dispelled the assumed trust in traditional banking systems. Payment systems are becoming decentralised, digital, cryptographic systems underpinned by decentralized ledgers (eg Blockchain) that provide more confidence and more data. " Researchers see this more sinister activity as a precursor to a new and devastating type of attack that is likely to emerge in the near future: Destruction of Service (DeOS). Therefore, we must raise our warning flag even higher. Education is required to change user behavior. Cyber technology will adopt an ‘intuitive system’ model comprising local measurement and global, near real-time intelligence. Governments will enforce cyber security as a priority with new legislation (eg Data Breach Notification, GDPR, ePrivacy) and higher penalties. 4. IoT – Systematically combining IoT, AI, Network, Fog and Cyber for true digital transformation Most IoT projects are failing, despite much enthusiasm and optimism. The inaugural phase of IoT was characterised by numerous point solutions from a multitude of new (often startup) vendors. Typically, these solutions were designed to solve a particular societal problem such as lighting or parking. Customers now find themselves with multiple siloes from multiple vendors that don’t interoperate, are not cyber secure, use different protocols and generate more complexity at greater cost. The next phase will be characterised by “platforms” that incorporate modularity, interdependency and functionality to address multiple different sensors and applications from different vendors. When IoT is combined with AI, smart networks, FOG (edge computing) and security (eg Blockchain) as an “intuitive” system, there will be less failure and more successful transformation. 5. Crypto, Blockchain – Cash is (almost) dead, long live digital, mobile and crypto Mobile payments grew to around $5 trillion in China, almost half of the county’s GDP. The

Information presented in TechTime is provided by the relevant advertiser and are not necessarily the views of My Security Media

TechTime - latest news and products Global Financial Crisis, royal commissions and multiple bank investigations have dispelled the assumed trust in traditional banking systems. Payment systems are becoming decentralised, digital, cryptographic systems underpinned by decentralized ledgers (eg Blockchain) that provide more confidence and more data. The transition from plastic cards to mobile apps will accelerate. Fiat and crypto currencies will combine and we can expect more government intervention and regulation. Practical, noncurrency Blockchain applications emerge. 6. Workspace – Meet digitally-by-default, inperson by exception Gen-Y predominantly meet, speak and make arrangements digitally using social apps like Facebook, Instagram, Snapchat and WhatsApp. As the dominant segment in the workforce, their expectations will influence and change the workspace. They expect digital social habits to be the default workspace practice. Unfortunately, most organisations have deployed a plethora of collaboration tools, introducing complexity and fragmenting teamwork. Organisations will start consolidating collaboration options to empower people, projects and teams. The user interface will become more intelligent, frictionless and intuitive, leverage technologies such as AI, VR and AR and respond to speech and presence. Digital distraction will be an increasing challenge at work and in your car. 7. Cloud – Spotlight on DevOps, microservices, orchestration and pay-persecond compute Cloud has permanently changed the IT industry.

In 2017, cloud services grew three-times faster than cloud/DC hardware and software. In 2018, more than half of global enterprises will rely on at least one public cloud platform. However, some public workloads will also back-track to private cloud. Hyperconvergence dominates private cloud infrastructure and the use of containers as a deployment vehicle for applications will grow quickly. Kubernetes wins the war for container orchestration and by 2021, over 95 percent of new microservices will be deployed in containers. Cloud functions (serverless, or pay-persecond compute) will transition to mainstream. By 2021, 80 percent of Fortune 1000 companies will conduct at least one routine task using cloud functions. 8. Mobile – Demand for speed & richer userexperience spurs 5G & Virtual/Augmented/ Mixed Reality Mobile data traffic is expected to surge eight-fold over the next 5 years, reaching 110 Exabytes per monthby 2023. Over 70 percent of this traffic will be video. Industry is responding to this inexorable demand by providing better performance (primarily investing in 5G for higher speed and lower latency) and a richer user experience (with VR, AR and MR). 5G is developing faster than expected with the initial 5G New Radio (NR) specifications being approved 6 months earlier than expected (by 3GPP), heralding the start of the 5G era and a new battle amongst the mobile sector's leading players to claim industry firsts. In the long-term, industry not humans will be the chief 5G driver.

9. Autonomous Vehicles – Accelerating journey to autonomous, connected, electric, shared (ACES) vehicles The vehicle industry continues to be a global exemplar for both constructive and destructive disruption enabled by mobile, IoT, AI and cloud. All-electric car sales will surge in 2018 and car ownership will decline as sharing and subscription grow rapidly. The incentives leading transformation of the industry are more compelling – fewer lives lost, lower costs and a cleaner environment. We can expect further government legislation to enable accelerated progress in intelligent transport systems. 10. M&A, Innovation – Cash repatriation windfall, “Double-A” (Amazon/Alibaba) paranoia It is estimated that US-based companies have about $2.5 trillion worth of capital stashed internationally and that much of this will soon be repatriated, due to changes in US taxes in 2017. This large cash windfall will give large tech companies even more power and inevitably impact global IT, investment and M&A. “DoubleA” will impact almost every industry positively for those who are prepared, and destroy those that aren’t. Companies will race to develop their ‘tech edge’ (in particular in data/AI) through M&A and investing in startups as ‘outsourced R&D’. Countries will grapple with the employment paradox: unemployment concurrent with skills shortages. Fortunately, growth in new businesses (startups) looks promising – 50 million globally in 2015

Hills delivers key projects to transform its business Hills Limited has successfully brought its supply chain operations in house, completing the migration of the Company’s warehouse operations from a third-party logistics provider to the new Hills national distribution centre in Seven Hills, New South Wales. “This is a significant development for our staff, customers and suppliers as we successfully deliver on major projects that will ensure a better customer experience and position Hills for continued future growth,” said Hills Chief Executive Officer, Mr David Lenz. “The new Hills distribution centre integrates the Company’s warehouse operations that were previously spread between facilities in Lidcombe and Silverwater in New South Wales, and the third-party provider delivering an annualised

Information presented in TechTime is provided by the relevant advertiser and are not necessarily the views of My Security Media

operational saving of approximately $1.5Mil,” Mr Lenz said. “The distribution centre is now fully operational and is providing a simplified and streamlined distribution capability, improving customer delivery times and creating cost efficiencies across the business,” he said. Mr Lenz also announced the opening of the Company’s new Seven Hills Trade Centre on the same site, creating a building technologies ‘super centre’ to showcase product ranges and provide customers with immediate access to stock directly from the distribution centre. Technical support, product management and sales teams are all located onsite to provide a full-service experience for Hills customers. The changes are part of a digital transformation strategy that was initiated

in 2016 to revitalise the business’s performance, and include the development of a new e-commerce platform which is set to launch in February 2018. Mr Lenz confirmed that the e-commerce project is on schedule, and will be implemented in phases across Australia and New Zealand. “Based on early feedback from customers and vendors involved in the project, we’re confident that the new platform will deliver on customers’ expectations and provide the step change needed to help drive our business growth across Australia and New Zealand,” he said. “Hills expects to deliver a first half result in line with the forecast provided at the AGM in November and remains on track to deliver a trading profit in the second half of FY18.”

Australian Security Magazine | 49

BOOK REVIEW | by Sean Jacobs


CAN I SEE YOUR HANDS Gav Schneider, Can I See Your Hands, Universal Publishers, Irvine, Boca Raton, 2017

About the Reviewer Sean Jacobs has worked across government, the private sector, and international governmental organisations in the areas of major event security planning and operations; project management; policy development and analysis; review implementation; partnership development; community engagement; and communications. A versatile policy and operational performer, he has extensive experience producing outcomes at the senior ministerial level and in challenging, teamoriented and complex operational environments. With a background in international development, Sean was a consultant to the United Nations in Papua New Guinea and has extensive change management experience in Fiji’s sporting and development sector. His published work on politics, development, economics, leadership, security and diplomacy has featured in multiple Australian and international publications.

50 | Australian Security Magazine

t’s sometimes said that good governments are focused on making the world a more dangerous place – a more dangerous place for terrorists, criminals and anyone intent on causing harm to innocent and vulnerable citizens. Gav Schneider’s Can I See Your Hands is the first strategic attempt to reverse this arrangement and give everyday people the thinking and skills they need to combat the creative and growingly unpredictable security threats individuals now face. “It’s important to understand that the objective is quite literally to turn ourselves into a hard target,” writes Schneider, “a target that an attacker wold not select. At the end of the day, while ideologically we should strive for a safer society, this may not be within our power to achieve.” Indeed, over the past decade, it has been interesting to see the discussion around building a safer society evolve from a state-led response tilting, perhaps not deliberately, toward individual responsibility. Mitigating terrorism in the West, for example, used to focus heavily on state programs such as countering violent extremism or ‘CVE’. In the UK, the CONTEST and PREVENT strategies caused great public debate among experts and security professionals, while in the United States, Google and the White House invested heavily in CVE round-tabling and, in Australia, the Attorney-General’s Department invested in its own CVE-type funded programs. But despite these year-on-year efforts it’s clear that the climate of fear, from hostile drivers to knife-wielding extremists, has persisted and grown. “We estimate that 90% of situations are probably avoidable,” writes Schneider, who has trained thousands of people in over twenty countries. “Then there is that 5% which we group in to the ‘wrong place, wrong time’ or ‘unlucky category’. Finally, the last 5% are attacks of situations perpetrated by highly trained professionals that may be very hard to avoid and/or prevent or where no matter who you are or what you’ve done, you may be targeted.” Notably, Schneider’s Can I See Your Hands is not the kind of book where you will find particular grappling or fighting styles, or if to slam on the accelerator when encountering a car-jacking. But it is a strong attempt to lay the groundwork for changed thinking. Borrowing from American David Grossman he uses the terminology of ‘wolf ’, ‘sheep’ and ‘sheep-dogs’ in terms of respective predators, law enforcement officials and everyday people. The premise of the book, Schneider writes, “is for you to find that little sheepdog inside yourself.” Predictably, he discusses fight or flight responses and the effects of adrenal rushes. But he also looks at forming good habits, avoiding

predictability, as well as weaving together general tips such as identifying likely areas of risk, walking in groups, and learning basic self-defence. When reading the chapters one notices that Schneider persists with three main themes. First, he spends a great deal of time confronting ignorance and complacency. “People don’t like to talk about things that involve safety and security,” he writes after two decades in security training, “because it means we have to look and consider the worst parts of human behaviour and psychology.” Second, Schneider prepares readers over and over with an insight into the nature of predators. “Whether we like it or not,” he summarises, “the norms of moral rights, human rights, freedom of movement and freedom of expression are not always the norms of attackers, terrorists and criminals.” And third, Schneider does not shy away from broadcasting what readers may need to prosecute in countering a predator playing by a very different rule book to your own. “If you planned to defend yourself using limitations,” he writes bluntly, “such as not being willing to stick your fingers in an attacker’s eye, or you are not willing to strike them in the groin, or take a pencil and stab it into their face, you are at a significant disadvantage because your attacker is not bound by any of these limitations.” To a security professional these themes are not new. But it is clear from Schneider’s persistence that, globally, there remains a great deal of changed thinking required among the ‘sheep’ or “the person going about their everyday life, not wanting to be hassled or inconvenienced by security and safety concerns.” No longer, it seems, can we rely upon purely kinetic state responses or, to use Grossman’s language, ‘sheep-dogs’ and law enforcement officials to be everywhere all of the time. And it’s not only security professionals that aware of this trend but actually governments themselves. Looking at the Australian Government’s Active Armed Offender Guidelines for Crowded Places, observed Schneider in a recent talk, the emphasis on personal responsibility (run, tell, hide) represents a departure from previous national security documents. Despite being a sad indictment of the times, individuals owe it to themselves to stand up and become more security aware. With a diversified threat comes a diversified response. It may not mean spending thousands of dollars on selfdefence courses but could, simply, mean having a basic plan. And Can I See Your Hands is a strong place to start. Have you recently published a security related book? Or have you just read a new, great security book? Please email us at

INTRODUCING OUR NEW MEDIA CHANNELS Technology channel partner ecosystem platform with a natural focus on Big Data, Internet of Things and fast emerging technologies

Dedicated channel for all things about Drones, Robotics, Autonomous Systems, Technology, Information, Communications

Your one-stop shop for all things CCTV, surveillance and detection technologies with applications in homes, buildings & cities

The region’s newest government and corporate Technology and Security magazine, with a focus on the Southeast Asia region and the 10 ASEAN member nations Commenced in November 2017, the Cyber Security Weekly Podcast has surpassed 30 interviews and provides regularly updates, news, trends and events. Available via Apple & Android platforms

Bringing all of the MSM channels together on one platform for the latest and greatest in security, technology and events from across the Asia Pacific and the world. Now available on Apple and Android platforms.

Australian Security Magazine | 51



Human Security

Cyber Security

Law Enforcement

Border Security For further information and exhibition enquiries contact the Sales Team Telephone: +61 (0)3 5282 0500 Email:

Australian Security Magazine, Feb/Mar 2018  

The Australian Security Magazine is the country’s leading government and corporate security magazine. It is published bi-monthly and is dist...

Australian Security Magazine, Feb/Mar 2018  

The Australian Security Magazine is the country’s leading government and corporate security magazine. It is published bi-monthly and is dist...