Gar and Brad bring you the latest cyber security news and insights including the tech giants criticising Australia’s critical infrastructure bill as ‘not fit for purpose’, calls for a national ransomware strategy from the Australian federal government, and the ever increasing volume and frequency of cyberattacks including the Bombardier breach.
The Get Cyber Resilient Show Episode #43 Transcript
Garrett O’Hara: Welcome to the Get Cyber Resilient podcast, I'm Gar O'Hara. This podcast and its sister website, getcyberresilient.com, has a simple mission: provide insights from local cyber resilience professionals in our region, while tapping into a global network of intelligence. With that, today is our news roundup, so let's get into it with co-host Bradley Sing. Welcome Bradley. How are you doing today?
Bradley Sing: Hey, really well thanks, Gar, for a short month, how are you?
Garrett O’Hara: I am doing well, I'm doing well. Yeah, the short months kinda throw me a little bit if I'm honest. Um, stuff happens too early, you know, it's like the 25th, 26th, and, you know, weird things are happening that really should only happen on the- the 29th or the 30th. Anyway, anyway, anyway, let's get into it.
Um, look, first story off the- off the rank is that the tech giants are not convinced that our critical infrastructure bill is currently fit for purpose. Can you kinda talk us through that one?
Bradley Sing: Yes, certainly, so correct. I think for a lot of listeners there'd be, you know, we've- we've kind of covered the critical infrastructure bill before. Um, but we have certainly seen some recent advancements, but also some commentary from different providers out there. Just as a reminder, uh, to- to all the listeners out there, effectively, the bill, um, helps give the government access to effectively help respond to security incidents, and if we look at, I guess, you know, globally [laughs], at our kind of cybersecurity recently, you know, there's a lot of nation states, there's a lot of, I think, you know, big different targets, we've kind of seen as well. So it's a- a bit of a recognition from the government.
Now, in terms of some of the statements, I'm kind of reading through, you know, one of Microsoft's as an example, um, one of their submission statements was, they want to make sure the government distinguishes between what are cloud services, and data center operations. And I was just thinking, I guess, you know, like, you know, where does it fall? Like, is it on the data center provider? Or is it on the SaaS provider? Like, there's so many layers, you know, I- I guess I'm keen to think, and what your position on that is as well, Gar?
Garrett O’Hara: Yeah, I think my position would be, this stuff is so complicated. Um, it's... yeah, I- I- I think, where my head goes, and I know part of this is the ability of the government's come in, and I think you kinda [laughs] said it on other conversations, like a black-ops team come in, and sort of rescue private enterprise. It's a bit of an interesting conundrum; I get why we are starting to feel the need to do that, you know, given the... oh, look, the huge risk that we all face based on cybersecurity, um, within private enterprise, but also critical infrastructure. It- it starts to feel a little bit funny. Um, you know, what's the solution there? Is it, sort of, better funding is it... like, I'm- I'm not really sure, uh, if I'm honest. Um, but, [laughs], I also don't want to be somebody who's sitting in, you know, a city where the electricity becomes unavailable because something's happened. Or, you know, being in a hospital needing care and, you know, being in a position where I'm not- not getting the- the help I need because of a cybersecurity attack.
So, like so many of these conversations that I think you and me have [laughs] all- all the time, I don't think there's a simple, you know, "Which- which side am I on?" Or, "Is it right, or is it wrong?" But it- it's complex, to your point, in- in how we a- approach this as a society, it's definitely an interesting one.
Bradley Sing: And- and there's a couple of things Microsoft call out as well. So it's, like, uh, respect for the privacy of the data, and I guess, you know, f- for a lot of these big platforms, they're holding a lot of, dare I say, identifiable information of- of us as individuals, a- a client, or an end user, or a consumer, or business to business, whatever it may be. Um, so, you know, so I think, [laughs], whilst you can see why the government definitely wants to come in and help, by the same time, you know, [laughs], it's my customer's data, it's my client's data list, it's my intellectual property.
Um, by a similar vein as well, a- another company, which was actually already part of the- the- the infrastructure bill before, which is AGL, um, they recently came out with a statement as well, and their commentary was around if the government does make recommendations in terms of, let's say, "You need to do ABC," potentially the government should bear some of that responsibility, or- or bear some of the cost.
Garrett O’Hara: And that's where things get really interesting, [laughs], you know. Because if you're- if you're mandating things that are expensive, and let's be honest, cybersecurity can get very, very expensive very, very quickly, just given how complex it is, yeah, the downstream co-, like, the downstream costs that to, kind of, take care of, you know, I suppose mandatory requirements, or regulatory requirements and aligning with those, is there a runway? Like, do you... how long do you get to, kind of, come into line? You know, what's the expectation of a- a date? Or if you're not in line with, um, you know, government regulations about best practice cyber security, what do you do?
The flip side being, there are some things that, um, let's be honest, it's easy to kick down the road, unless somebody makes you do the right thing, or- or do the thing that's better for broader society. Like, you can externalize costs if you're a- a board, um, and you can save some money on cybersecurity and you're... you look better as a- an organization to investors, I mean, that's great. The downside then- then, is that if you're a customer of that company, that looks great to shareholders, but your data gets breached, or you're providing, sort of, on-services into a critical infrastructure or a critical, you know, critical service, regulation's a pretty good lever, [laughs], a pretty good mechanism, to get people falling in line, and it removes the competitive edge, right?
Because if everybody has to do it, then everybody's gonna have to bear the same cost, so there's no kind of... you know, when you boil it all down, there's no real impact to compare... uh, oh, that's not probably true, right, there is an impact in terms of, like, smaller organizations will find it more difficult to do than larger ones, which they'll have the budget for-
Bradley Sing: Mm-hmm [affirmative].
Garrett O’Hara: ... uh, security controls, personnel, you know, pay for the best staff, the best minds, to kind of go and do security. Whereas if you're a mom and pop store you're probably not gonna be able to do that. Um, again, a- assuming you're providing services into critical infrastructure, or critical services, you know, it's- it's a very specific use case, but it- it starts to get interesting there.
Bradley Sing: I mean, look, we're- we're cybersecurity dudes, so, [laughs], we'd- we'd say any investment into cyber is great. And I imagine some of the recommendations would be, you know, simple things, like awareness training, educate your staff, et cetera-
Garrett O’Hara: Mm-hmm [affirmative].
Bradley Sing: ... which potentially some organizations aren't. Um, interestingly enough with all the stuff which has come out of the US recently, th- there's a bit of commentary suggesting that a lot of private enterprise is handling security a lot better than- than governments. Um, so when I think of that, then I also think, you know, for the really mature enterprise security teams, you know, that are running in Australia, again, do- do you want somebody coming in who's, you know, potentially not as adept or, you know, is there more stuff they can share?
Garrett O’Hara: Yeah, um, [laughs], and- and there you go, like, that whole... I mean, this is an age-old conversation, right, who's better capable of doing things, you know, is it private enterprise where competition drives excellence in theory? Um, but also you're externalizing costs versus governments where, you know, traditionally they're- they're seen as maybe a little bit, um, inefficient sometimes. You know, I- I could argue that there's amazing things happening in governments, and amazing initiatives.
So, yeah, um, yeah, like, I- I hate to not have a really strong perspective, but it just feels really complex, and I'm just glad we're having the conversation, you know, if nothing else.
Bradley Sing: Oh, I 100% agree. Look, I think it's a great recognition, like, and I think for [laughs] all the listeners- listeners on the call as well, like, we talked about IoTs, we talk about different places we can get breached, but to have formal recognition and regulation around this is- is a step in the right direction. Um, but we- we need to be mindful of it. And- and I think we need to hold, you know, hold- hold our own government and, kind of, I guess, the direction we take, accountable, to make sure that we can still deliver the services we need.
Um, because something like this shouldn't get in the way. And- and I take your point, Gar, like, you know, it's never a bad thing for a company to advertise that they're investing in cybersecurity and they take their customers and, you know, their data seriously. So I see this as, you know, anything... a benefit for organizations, and hopefully also a way for- for certain teams to help unlock potential funding. Because if the government is coming in and saying, "Look, you need to have [inaudible 00:07:45], you need to have [inaudible 00:07:46], you need to have threat intelligence, whatever it is," then potentially that helps some organizations which have struggled to get that funding, you know, go down that route as well.
Garrett O’Hara: Yeah, no, definitely. Let- let's stay on a government theme.
Bradley Sing: [Laughs], oh, fun.
Garrett O’Hara: Um, [laughs], yeah. Right. Well, so, I- I think this one, for me personally, is kind of interesting. So, I saw that the, uh, Shadow Assistant Minister for Cyber Security, a guy called Tim Watts, has called for a national ransomware strategy. And here's why I think that's interesting, I think, you know, we've- we've had the conversations around cybersecurity and its importance at a national level, global level. And, you know, we saw the Prime Minister come out, um, last year and, you know, get on the podium and- and talk about, you know, a sustained attack on Australia, some of the stuff that's happening, and- and has happened in December. I think it's interesting that this guy, uh, Tim Watts, is calling out ransomware specifically. And, um, you know, there's- there's a quote here, "Ransomware is a jobs and- and investments destroyer, at a time when the nation can least afford it."
And it's true, you know, ransomware has been the bane of our life, um, you and I get to have many conversations with many organizations around ransomware, given what we do, uh, [laughs], in our- in our day jobs.
Bradley Sing: Way too popular, um-
Garrett O’Hara: Yeah, it is, but it's- it's successful, is the problem, right? And it's easy to get into organizations, it's effective, um, and you and I have seen that evolution where, you know, it was encrypting files, and it was encrypting files with exfil, then it's encrypting files with exfil and some version of, you know, personal blackmail based on maybe some of the PII, or PHI that's been exposed.
Yeah, what do you think? So calling ransomware out, and- and almost as a... like is it, like, is that our top priority in terms of cybersecurity? I mean, let's be honest, it probably isn't, um, given all the other things that we have to do, but it's probably the biggest one in terms of visual effect on an or- on a, sorry, an organization, on a- on a country, on the globe, you know, it's the one we talk about all the time.
Bradley Sing: I'm feeling very patriotic now, but it's- it's a national emergency, Gar, like it really is. [Laughs], um, like, and- and- and not to kind of, like, you know, o- over say what it is, I think it's great that we're seeing, you know, federal recognition, um, of it as a problem because... an- and again, this ties back so nicely in terms of what we were just talking about before, in terms of, you know, potentially the government with the infrastructure bill trying to be more of an overlay, a support for cybersecurity. But unless we treat this problem as a- a national problem, like any other, you know, threat to our nation, then there- there's no way we can ac- we can tackle it. And I think it's absolutely great but, you know, I think we need more discussion as well.
Garrett O’Hara: Yeah, absolutely. Like, I take your point, it is, it's a national problem. And, you know, and it links perfectly back, if you think about, you know, the- the critical infrastructure effects, they're significant, you know, if- if you see that, you know, that horrible story from last year with the German hospital, where ransomware-
Bradley Sing: Oh, yeah.
Garrett O’Hara: ... you know, attack, yeah, I mean, it's st- it's stuff like that, right? Um, but it's more than that, and to Tim Watts's point, and, you know, not, uh, politicizing it, I- I tend to agree with the statements that, uh, ransomware is- is, sort of, it is affecting investment and jobs, and it is affecting probably sm- small to medium sized enterprise, but also larger ones.
We've seen huge stories, you know, over the last 12 months, of very large logos being affected thi- by this stuff in a very, very significant way. So wh- what I take from this is the importance of- of having the conversation first of all, at a federal level, um, and, you know, within a, sort of, g- a government, um, environment, treating it as a priority because of the effect that it's- it's currently having. But then what it potentially leads to in terms of collaboration with, hopefully, other countries, other, like, sort of, jurisdictions that maybe have similar mindsets, and are suffering similar problems, and how that kind of collaboration, potentially, you know... obviously, I don't think we're gonna solve ransomware, but are we able to make the problem... make- make- make it so that it's har- you know, um, I was almost going to say something quite Pollyanna-
Bradley Sing: [Laughs].
Garrett O’Hara: ... like, that it's so difficult to do, that people won't try and make money doing it. I think that's probably a ridiculous statement, but at least, you know, dial it down, you know, turn the tap off a little bit.
Bradley Sing: Close the internet to- to- to the outside world, [laughs].
Garrett O’Hara: I keep saying it, we need- we need to go back to abacuses and notepads and, you know, and vinyl-
Bradley Sing: [Laughs].
Garrett O’Hara: ... for music. So, yeah. Like, there's- there's lots here, you know, there's- there's some language starting around maybe cracking down on, you know, Bitcoin exchanges and, you know, is that the way you chop the legs out from the, you know, from the beast? Where, if they can't get the funds, is there any point in doing the attacks in the first place? You know, the- that's maybe one way. A- again, this is a- a fairly complex issue, 'cause you're dealing with global jurisdictions, where not every country-
Bradley Sing: Mm-hmm [affirmative].
Garrett O’Hara: ... feels the same way, or has the same ability to enforce protections, or probably the same desires to enforce protections. But I don't know, like, do you think it- it almost echoes back... you know, we were talking on the last episode about EMOTET, and- and some of the collaboration that happens there, like, you know, any thoughts on parallels between, like, how we... well, I say, we, I wasn't part of it, but how [laughs] EMOTET was, you know, at least briefly taken down?
Bradley Sing: I was gonna say, thanks for your service, Gar. Um-
Garrett O’Hara: [Laughs], I wish.
Bradley Sing: Like, actually right, like, I think recognition from different, you know, government bodies, um, globally... And look, we're seeing this all around the world, right, like, it's not just us who are talking about cybersecurity. Like, you look at nearly every country around the world, cybersecurity has been mentioned on a national agenda, and I don't think until the last, really, three to five years, I'd ever heard cybersecurity mentioned at a press conference. [Laughs], but- but, you know, but now we- we seem to hear about it all the time. Um.
But, you know Gar, I think it's good, and I- and I think you will start to see high levels of cooperation, especially with the formalization of this. And, look, Australia as a country already has great relationships and, I guess, kind of intelligence sharing agreements with, you know, close neighbors and stuff like that. Um, but, you know, the only way to solve this is- is with a truly coordinated global effort. Like, Australia's gonna be a team player here, we're- we're a high value target, as you know, Gar, um, seems people and businesses are getting popped left, right and center, but, you know, how do we share that information back? And- and how do we work with a, uh, work with a global team?
Garrett O’Hara: Yeah, look, absolutely. The ACSC called it out, um, actually interesting, like, and it's in quotes, "As the highest threat facing Australian businesses, um, and governments, in the cyber domain." So, you know, we- we have a large conversation globally to be had around cybersecurity. But then, yeah, I think ransomware is just that... it's the bane of everybody [laughs] everybody's life, it just feels like it never goes away. You know, we've been having the same conversation for how many years? Um, but it's still... the incentives are there, people are making money from it so, you know, I suspect it's going to continue as long as that's the case.
Bradley Sing: Yeah, look, I mean. Slightly... not- not off topic, but, um, you know, obviously we've had the- the horrible disruption in Texas recently with, you know, snowstorms, and- and your electricity going out. And the one thing I was thinking as I was watching that, like, I was just thinking about the technology. I was, like, I don't know, like, this could almo-... a DDoS would almost do the same thing, right? If you managed to knock out and remove all these different pa- pieces of- of critical infrastructure. So, part of it also just makes you think a little bit in terms of, "How well is everything held together?" You know, is it [laughs]... is there much redundancy there, or?
Garrett O’Hara: I, yeah, I worry, I think about that at a- at a societal level, it's all just chewing gum and, you know, band aids behind the scenes, and that, you know, it's- it's all creaking along, but, you know, yeah, I'm- I'm obviously kidding, um.
Bradley Sing: [Laughs].
Garrett O’Hara: I think it's... like, there's so much good stuff as well, you know, I... it- it feels like maybe that's a little bit negative, but I think everything's kind of moving in a pretty good, sort of, direction for the most part, I hope, and I think.
Um, the last story we'll cover, Bradley, um, is around Bombardier. So they've- they've actually reported a cyber attack.
Bradley Sing: Yes, Bombardier and look, uh, just to call out, look, if we ever mention a company on this call, like, it's reporting news, but I think organizations which disclose their breaches, and- and talk all about them-
Garrett O’Hara: Mm-hmm [affirmative].
Bradley Sing: ... they're the ones we- we want to laud, and the ones we want to applaud. So, again, any kind of companies [laughs], or whoever we talk about, we never ever slag anyone, like, it's- it's absolutely great that- that the community is getting together.
Um, but look, the Bombardier one is potentially an extension of the Accellion hack, so we- we've seen that kind of evolve over the past, really, month and a half. So originally with ASIC, RBNZ, um, a couple of other organizations, and- and quite large ones as well. For me the scary thing here is that, it just seems like there's a... that's a lot of data being stolen, right? Like, Bombardier as an organization manufacture airplanes, you mentioned the data that, you know, ASIC holds, as an example. These are... all these companies are getting hit by the same old file sharing tool which- which, you know, they've been using for years, and years, and years. So I think it's a huge wake up call for them. But, yeah, it's a wake up call, like, that's the best way I can- I- I can discuss it.
But I also wonder what the- what the recourse of this is? Like, you know, like, obviously, a lot has happened, um, you know, where exactly is the data going, as an example, you know, what- what's the next action?
Garrett O’Hara: Yeah, absolutely. Look, I mean, it is that, it just feels like every time you open any newspaper now, there's just another, you know, another breach, another supply chain attack, um, another organization that's been hit by this difficulty. God, it just feels like a negative episode, we're normally much more-
Bradley Sing: [Laughs].
Garrett O’Hara: ... we're more- we're more upbeat, normally, than this, Bradley, I feel like we need to talk about rainbows and puppies for five minutes, just to feel better about the world. But, look, I- I think that's the thing I'm seeing more and more as I, kind of, talk to security leaders, is that, you know, the- this is mainstream now, you know, the- the cybersecurity conversation is no longer a backroom conversation, it's- it's very much in the front of boards' and execs' minds, it's definitely... it's been escalated. Um, and it's- it's only been escalated in some ways, because of these stories that are hitting the news constantly. And the fact that it doesn't feel like... nobody- nobody could point fingers at this point, you know, around, uh, anybody being attacked, because it just feels like there's no logo that's, [laughs], that's sacred, you know, that- that anybody will be spared.
Um, which is, you know, to be too on the nose, but that's kind of the point of cyber resilience, right, is accepting that at some point things are going to go wrong, um, cool, like, "What's your plan?" And, um, luckily to see, or- or lovely to see, that so many organizations now are being transparent, are reporting them, have decent, uh, security controls and incident response in place. And every time it happens, we learn more. And I think there's that spirit of- of, again, collaboration, where people are sharing what's worked, what's not worked and, you know, together- together we move forward. Is that the positive note we can- we can sort of start wrapping on? I feel like hopefully it is, um, I think-
Bradley Sing: I think so, I just... I think there's one quick thing we need to talk about, just because we've talked a lot about government tech giants, um, Facebook, like, the whole Facebook news going off, coming back again. I think, just from my perspective real quick, like, it kind of, I guess, echoes what we're seeing with the- with the bill on critical infrastructure, where it kind of shows that government is willing to stand up to these really big companies. Um, what it means, kind of, moving forward though, uh, I'm not too sure.
Garrett O’Hara: Yeah, that was definitely- definitely the story of the week. Um, and- and really interesting- interesting to see, yeah, the tap turned off and then turned back on again. Strange days, something to think about, um, as we, you know, kind of head into the week, uh, through the weekend as we're recording this on Friday.
Um, Bradley, thank you so much as always for joining us, it's, uh, an absolute pleasure to get to spend this time, um, talking through these stories with you. Again, for those listening, the past archives are available, so definitely get into those. And if you like what you're hearing, we always appreciate it if you subscribe, if you rate us, ping myself and Bradley, we're on LinkedIn, you can find us, love to hear from you. Um, any comments, any thoughts on this stuff? Anything you would like us to cover? Let us know.
But for now, thank you for listening to the Get Cyber Resilient podcast, I look forward to catching you on the next episode.