Quick Q&A
A I S A
N AT I O N A L
CO N F ER EN C E
....with Alistair MacGibbon
Cybersecurity Advisor to the Prime Minister of Australia Alistair MacGibbon, Cyber Security Advisor to the Prime Minister of Australia speaks with Executive Editor Chris Cubbage at the Australian Information Security Association (AISA) National Conference 2016, Sydney. EDITOR (E) Are you getting good engagement with Prime Minister Turnbull and his office? Alistair MacGibbon (AM) Yes it’s great. The level of political interest in cyber security in my experience and I’ve been in this game since the 2000s, has significant up-tick. So I have regular involvement with senior politicians and senior bureaucrats and the level of interest is fantastic. E: Do you find the role frustrating at all, are they taking cyber security as seriously as they should? Yes, the launch of the Cyber Security Strategy in its own right by the Prime Minister and bringing the strategy into the Prime Minister’s own department are signs of how important it is being taken in Canberra. E: You’ve been in your role for only four months, what have been some of the key challenges for you? AM: Well I prefer to see it as what key opportunities there have been. I think what happened to the Census was actually an opportunity for the Government. It was a disappointment and frustration absolutely but also an opportunity to take something that was clearly very frustrating but not catastrophic in terms of what actually happened and parlay that into the thinking of government in the delivery of other government digital service delivery. So I look for opportunities out of what are otherwise unpleasant circumstances, and the Census was one of those unpleasant circumstances. So the opportunity is for a better dialogue around better digital service delivery from a Government perspective and indeed to engage the public as to what their expectations are of Government. E: Were you engaged at all for the Energy Security meeting held by Josh Frydenburg and do you see opportunity there because if they were to consider major power outages, these could also be instigated by cyber-attacks? AM: No but I would answer that by saying critical infrastructure of which the energy sector is a key
10 | Chief IT
part amongst the critical infrastructure sectors, it is vital. If we don’t get critical infrastructure protection right it is where the most catastrophic things can go wrong. There is a relationship between various critical infrastructure sectors because water is vital to power, power is vital to water, they all interlink. You take an all hazards approach, be it against fire, high wind or a cyber-attack that takes you off line, you are offline. Cyber is only a vector but I would say it’s a vector that has increased in importance across those various sectors and we need to increasingly turn our mind to how cyber based threat vectors will play across critical infrastructure. We shouldn’t lose sight that we should still take an all hazards approach for business continuity and cyber-ability. I still see our greatest risk as our greatest opportunity. E: Do you have much to do with the State Governments, rather than just the big beast of the Commonwealth Government? AM: My role is supposed to have a national capacity as opposed to just a federal government perspective. I’ve been in active discussions with a number of states bilaterally and all of the states at times in larger forums. There is huge opportunity there because the states are the main service delivery vehicles for the country.
E: Mandatory reporting was introduced to Federal Parliament on 19 October 2016, was there any particular hold up to this legislation and your views on the legislation? AM: It’s clearly a matter for the politicians but I’ve always been a supporter of mandatory data breach reporting and see advantages in it. It’s now up to parliament to look at what form that takes, if at all, but certainly in my experience what industry is after is just knowing what is the new level playing field going to be. E: Did you have much to do with the ACSC Threat Report 2016? AM: I’m certainly aware of it and did quite a bit of media associated with it. The report’s objective is to provide more information about the type of threats the Commonwealth is seeing by giving case studies and advice on remediation. I think it was a positive step in the increasingly transparent way the Commonwealth is doing its business. If we want industry to disclose then the Commonwealth needs to disclose. If we want industry to change the way it’s doing business then we need to show the Commonwealth is prepared too. E: Why then is the legislative process so slow and one of the areas we have been covering is national