All Roads Lead to SOCI: The future of SOCI
The following is a transcription of Episode 3 of our All Roads Lead to SOCI podcast series.
Here, host Sonia Sharma was joined by Jamie Morse, Head of Industry & Policy and James Rabey, Principal Consultant Government, from Macquarie Technology Group, to discuss the future of SOCI.
Key areas discussed include the potential cyber risks to critical infrastructure assets and the steps the Australian Government have taken to mitigate these risks. The trio also explore what Macquarie Technology Group predicts the Government will do in the future to protect organisations from increasing cyber threats.
Sonia Sharma: I want to look a little bit closer at some of the threats to critical infrastructure. So globally, we've seen a broad range of malicious cyber actors, including state actors, criminals and issue-motivated groups, and they've demonstrated this intent and capability to target critical infrastructure. If we look at some global examples, last year, in February 2023, an Italian energy and water provider was affected by ransomware. And while there were no indications that the water or energy supply itself was affected, it reportedly took four days to restore systems like information databases.
But if you had to predict what critical infrastructure sector was most likely to be at risk in Australia, where that next major attack would be impacting our critical infrastructure assets – where would it be? James, you want to have a guess?
James Rabey: Sonia, if I could work out a method to accurately predict when the next cyber attack was going to occur, I'd be bottling that and taking early retirement. What I can say is, what we typically look at when we talk about CTI (Cyber Threat Intel), are the patterns, right? And it goes back to, I think last time we spoke, I talked about the what, the who and the how; who's attacking you, what are they attacking and how are they attacking.
If I look at those patterns, where I would be concerned is critical infrastructure once again. So, in March, the US, UK, Australia and other Five Eyes nations published findings around a state-based threat actor known as 'Volt Typhoon' that had successfully gained access to a number of utilities as well as transport and communication providers in the US and its territories. They hadn't done anything. They were laying low, doing what we call 'living off the land', so using actual, legitimate system tools to do what we call 'elevate their privileges' so they have more administrative access, as well as finding other assets. So we call that 'lateral movement' in those environments.
Now, it's great that that was discovered, and ourselves and other providers have gone in to search for any evidence of that within our customers. But that is the thing: if you're not already worried about a potential attack, that particular pattern should be setting off the alarm bells.
Sonia Sharma: We don't have a crystal ball, but we can use evidence, and looking historically or looking at current trends to predict what future threats might be, or what they might look like.
James Rabey: Absolutely. Look, even at an individual attack, right, often what we're doing is we're looking for patterns, because sophisticated actors are trying to disguise what they do, obfuscate their activities, right, by making them mimic just normal activities. A lot of those tech stacks that we talked about before that go and look for any anomalies and alert and block those – that's really our early warning system. But then you can take that at more of a macro stage. So, earlier on you spoke with Hayden in our Security Operations Centre, and he talked about a couple of attacks. Now, one of the things that we do and that others do is what we call 'Operational Intel', so actually monitoring Telegram and other sorts of Dark Web channels for chatter that indicates that somebody's going to be targeted.
Last year, the Australian Government made a number of announcements for aid to Ukraine. And look, I won't mention who you would actually think would be sort of anti that, but a number of those activists, as well as state-supported groups, started to target Australian Government entities in retaliation to them. Now, we were able to pick up the chatter. Now, we'd love to say that they were sophisticated, but one of the things we realised is just how blunt this stuff can be. And so they were trading ideas on how they could, first of all, attack websites of the Australian Government, but then get around some of the defences that us and other people were putting in as well. So the intel is absolutely key. It's a bit like predicting the weather, right? Knowing if the storm is going to hit, where it's going to hit, and how bad the winds are going to be.
Sonia Sharma: I'm going to take a punt. I reckon it's going to be the education sector, but we'll see what happens. You know, with the Australian Government, we've seen active consultation in this space on its Cyber Security Strategy. It sounds as though we're on a road to more measures to protect critical infrastructure assets under the SOCI Act, and Macquarie Technology has been heavily involved in the consultation process, both in open and closed door discussions. What's your message to organisations who have been less involved in the regulatory reforms? What should they be doing, Jamie?
Jamie Morse: I think the first thing they should do is to educate themselves on the new measures that have been put forward through consultation currently, and they include reforms to the Security of Critical Infrastructure Act, effectively giving it more teeth where incident management response obligations are concerned, and bringing in business critical data as a new element that will fall under the regime.
That's an interesting space for lots of organisations where you're holding data stores which may or may not necessarily impact directly the operations of the critical infrastructure asset, but they may influence the operations of the organisation that is in charge of and controlling that asset. That's quite an interesting discussion, which will potentially affect many, many more organisations than perhaps many will currently realise. I think the education piece there is really important. I think just getting across the spirit, the philosophical underpinnings of the Cyber Security Strategy through which these new legislative reforms now are being directed is very important, and that's really about uplifting the culture of organisations where cyber is concerned.
I know the Minister, she's expressed this publicly and privately, that she believes that cyber is predominantly a human problem, more than a technology problem. I think we certainly see in our experience that there's a lot of truth to that. We would say it's probably 60/40 of both, technology and people, but certainly the change of culture within organisations to better prepare at an individual level how we are practicing better cyber hygiene, how we operate our own digital systems, how we interact with our own organisational digital systems, and our personal digital systems, frankly. All of that is very, very good advice, which the government is leading on.
Probably the other thing to mention is that we're in a period of relatively rapid reform, as rapid as legislation can be reformed, right? But I think to give kudos to the Federal Government, they are moving quite quickly relative to how the wheels of government tend to move. But by that, I mean the reforms that are currently on the table, we should expect that there is going to be further reform. The SOCI legislation is required for review every two years. And I think it's not at all beyond the realms of possibility that the number of sectors, which are currently 11, will be revised. It'll probably grow before it shrinks. And I think, as evidenced by the inclusion of this new business critical data definition in the current launch of reforms, we should expect both the breadth and the depth of the SOCI obligations to be expanded in the coming years. I think it's incumbent upon every organisation now who is either already directly affected by the SOCI regime or may potentially be in future, to just get ready to understand what the compliance obligations might look like for them, and then be in a position where they can meet those obligations going forward.
Sonia Sharma: Jamie, that is great advice, because what you've told organisations they need to be doing is that culture is so important, and I see it time and time again in my practice, the organisations that do well have a culture of privacy and cyber security front of mind. That culture is driven from the top. And the other thing that they do really, really well is have a continuous improvement mindset. And they are across the legislative reforms. They understand the changes and those two, that's really great advice, and I can really amplify those comments from my own practice.
It's quite confronting, just to see how many cyber threats do come through the SOC here at Macquarie, and it really makes those threats so tangible. From your perspective, does Macquarie Technology think the Australian Government's doing enough to protect critical infrastructure assets?
Jamie Morse: I think it's doing all it can, and that's, you know, creating legislation and regulation to uplift sector-by-sector, where cyber security is concerned. There's been a heavy influence through the Cyber Security Strategy, through the 'Six Shields' design. There has been a heavy influence on industry to do a lot of the heavy lifting. And that's not, I don't see that as government saying, 'come on, guys, lift your game'. I see it more as, 'come on guys, you've got a role to play in this'; government can only do so much, and I think government is doing all it can. And I think as well, I would add to that, that the consultation that they have driven through the Cyber and Infrastructure Security Centre in the Department of Home Affairs has just been first rate. It's been first class. There's been a deep and consistent engagement with every sector through multiple public and many non-public roundtables and discussion forums. And I don't really think they could have done very much more than what they have done. That said, there are still concerns that exist around the direction of legislation currently. And many people within organisations may share those concerns, but you can pick up the phone - I've found it pretty easy to get an audience with the people within Home Affairs who are working through this legislation, and I've always found them very accessible and open to discussions around those concerns.
Sonia Sharma: Now, one thing we've been talking about in our podcast series, 'All Roads Lead to SOCI', is just this evolution and this pace of change that we're in at the moment. It's really clear that security of critical infrastructure will only become more important in the coming years. What plans does Macquarie Technology have to evolve its SOC operations? Jamie, can you maybe walk me through that?
Jamie Morse: You've had a chance to speak to a number of our staff who work through here. You've got a sense of, you know, the journeys that graduates in particular go through to learn the ropes in cyber security and the work that we do, particularly within the Federal Government space. As a result of that, we've committed to building a 'Sovereign Cyber Security Centre of Excellence' in our next data centre build, which will be on land adjacent to where we are today, and that will double the size of our Graduate Program and uplift, just by volume, the number of people that we're able to bring into work, particularly in the Federal Government space.
The graduates are particularly attractive to us, not just because we want to get the best talent as it comes out of universities, but also because we need, predominantly, Australian citizens, because, again, to work in the Federal Government space, we have to get them security cleared, so the more we can focus our energy on getting the brightest young Australians, the better. Notwithstanding, much of our offer to market is very much predicated on sovereign control, sovereign capability, sovereign expertise. It's important for us to get the cream of the crop as they come out of university. So that's going to be an important focus for us as we expand through our next build.
Sonia Sharma: It was so impressive to meet Hayden, one of those young graduates who has come through your Graduate Program, and it's so important because the Australian Government has identified that we have this skills shortage. Actually bringing people through your graduate program, training them and having this people power is actually critical to helping the government achieve its ambition of being the most cyber secure nation by 2030 right, Jamie?
Jamie Morse: We need to be attracting people into the sector. I think there's starting to be a realisation that we're in a growth sector. That's important.
If you're young and you're bright, in university, or you're interested in IT or cyber security generally, then we'd certainly encourage you to get on board and look at us as a sector of strong growth opportunity, learning, development, and really an exciting place to work as well.
Sonia Sharma: And it's interesting speaking to my clients, that's definitely a challenge that they have, is getting the right people. I mean, a lot of people might be trained in IT, but not necessarily security. That skills shortage that we've spoken about, I'm really seeing that with our clients, and that challenge. So it really is a growth sector and opportunity.
Speaking about evolution, how do we deal with evolving challenges when it comes to cyber security? And let's talk about the tech a little bit. There has been a lot said about AI. James, do you want to talk to that? How do you deal with the challenges and opportunities, let's say, of AI when it comes to cyber security?
James Rabey: AI gets all the headlines, but what's really been happening in the attack landscape is just a level of sophistication and almost commercialisation. We all know about ransomware. Probably what most people don't understand is that ransomware is offered to attackers as a service. There are organisations that create the tools that allow you to get in, and then they rent that out to the threat actors to actually carry out the attacks, and then they get a share of the action. What I'd say is that the threat of AI is that it will allow those threat actors to speed up the types of attacks. If I was an attacker and I was trying to actually get into an organisation and do damage, what I'd do is I'd try and find the weak links in the organisation just to gain access. And then I've got this whole list of thousands of different techniques that I'll roll through as quickly as possible while trying not to get detected until I get to that next level of access, you know, where I've got more control over my target systems. AI is going to speed that up, because mostly that still involves a human with some sort of automation, but AI is going to be able to respond to what they see and try the most appropriate attacks, and we're already seeing that happen.
At the same time, AI provides opportunities for those of us in cyber defence to deploy them in tools, so you know, being able to spot a pattern that's anomalous in network traffic or in user behaviour, is often the first point that you detect that a cyber attack is in place. AI, in turn, is going to give us the ability to really speed up the detection of that anomalous behaviour, because the key thing around AI, and when we talk AI, mostly, we're actually talking about a thing called Machine Learning, or ML. ML is really good at identifying baseline patterns and then being able to identify those anomalies.
Sonia Sharma: It sounds like those who are regulated by SOCI need to be thinking about the risks of AI as they evolve into cyber security threats, but also the opportunities of managing those risks as well. It seems like that space is just evolving so quickly, so that risk needs to be managed.
Let's talk about homework, which is one of my favourite things. When it comes to managing cyber security, what would be Macquarie Technology's number one takeaway, if you could dish out one piece of homework to do right now, James, what would it be?
James Rabey: Absolutely would be to understand your threat environment. And what I mean by that is, 'the who', 'the what' and 'the how'. And the who is, who are the threat actors that are most likely to target you? Is it going to be state-based, or is it going to be criminals looking for commercial gain, really understanding that. And you know, assets like the Australian Signals Directorate (ASD) and the peer groups in your industry are absolutely vital to get that information.
The second bit, and to bring this back to SOCI, is the what, what are they going to target? You know, we've talked a lot about SOCI, about how, you know, we're protecting those assets, whether it be water supply or electricity or transport, but it's often the data around those assets, the data that those assets use, or even the data about those assets that has some value to a threat actor.
And then the 'how' is what I call the 'trade craft'. What are the different tools and techniques? And it's not necessarily just technology. You know, organisations have been breached through human risk. Now social engineering, for example, or malicious insiders, is still a key threat, and one of the threats that the central aid was designed against. So understanding all that, that's what's going to have to drive and guide your cyber security strategy.
Sonia Sharma: The Australian Government has the ambitious goal to be the most secure nation by 2030. We're currently a long way off that right now. Jamie, James, how do we get there?
Jamie Morse: Well, I think the cyber security strategy released last year is an excellent blueprint for how the Government sees Australia getting there, and it's designed through the six shields, which include, obviously, what we can do both here domestically, but also what we can do in multilateral partnerships, working with investigative bodies around the world, and also at a government to government level.
There's a lot in there obviously, from a technology perspective, there's a lot in there from a cultural change perspective. There's something in there for businesses, large, small or otherwise, everybody's got a stake in how we pull together in the same direction to reach that goal. I think that's the first thing I would say. And I think the Federal Government's strategy is very robust in articulating the role that each of us, or each of those individuals or organisations or nations in partnership with Australia, what each of us can do to achieve that goal.
I think it's pretty clear. Is it easy? No, but I suspect two things are going to happen. I think that the process for working collaboratively, and you know, we're here talking about SOCI, which is by definition, or perhaps not by definition, but certainly by design, it's about the interconnectedness of different critical infrastructure assets and systems and how we work together collaboratively. We're doing this really in digital space for the first time. It's difficult at the beginning. I believe it will get easier over time. So I think in that sense, more broadly, how the nation interacts to achieve that lofty goal articulated in the strategy. I think how we work together will get easier. But of course, as we've been discussing throughout this series, the cyber threats will evolve.
The challenges that are put before us are going to continue to become more challenging, whether they're AI supported or enabled or, you know, quantum will be the next new wave of threats from a cyber security perspective. But I think you know, in terms of pulling the nation together to work collaboratively to reach the goal articulated in the strategy, the Federal Government's done a very good job of showing us what the future, road ahead needs to look like.
Sonia Sharma: Yeah, I think what's very clear is that everyone has a role to play when it comes to making Australia the most secure nation by 2030. Government, organisations, citizens, it's a collaborative approach, and whatever way you look at it, whether you are regulated by SOCI, or you're part of the supply chain, or you're just a regular business or consumer, it's clear that the SOCI legislation is a key part of working towards that goal, and we're going to see some hardening there.
It's such an interesting space, and I'm really grateful for you sharing your perspectives on where the future of securing our critical infrastructure is headed.