The Voice of Cyber®

KBKAST
Episode 131: Kylie Watson
First Aired: September 21, 2022

Kylie is the Lead Client Partner for Defence and National Security in Australia and New Zealand at IBM with the remit of helping solve some of the nation's more complex national security problems with consulting specialities in data, AI, automation, cyber security, hybrid cloud, OpenShift, innovative technologies and agile processes. Kylie previously ran Cybersecurity for IBM Consulting as well as Hybrid Cloud and Cloud Security for all industries across A/NZ. Prior to that she was a Risk Partner managing Cybersecurity and data analytics for government clients at Deloitte and a Lead Client Partner for Defence on Risk.

Kylie has a strong interest in human behaviour in regards to technologies including users and cyber criminal behaviour, and regularly advises clients on strengthening security based on her insights. She is both a Sociologist and a Technologist with experience and degrees in sociology, management, cyber and data. She has advised and managed clients across Australia, New Zealand, South Africa, Thailand, Singapore, Malaysia, Japan and Korea with innovation, data management, advanced analytics and security.

Her insights into cyber warfare and criminal activity hinge on the human side of malicious attacks with an intent to determine the intent of the actors, degree of maliciousness and to help teams prepare their cyber defence (or level of offence). Kylie holds a top secret Australian government security clearance. On top of that she loves exploring why people are drawn to cyber crime.

Kylie has won awards for innovation, new products/services, business and community service and has a track record of leading large multifaceted teams of hundreds of people with deep technical expertise on technology projects and programs for consulting budgets as large as $300M+. In her spare time she is the Chair of a Charity Think Tank, the National Institute for Strategic Resilience (NISR), that seeks to gather perspectives and encourage diversity of thought on national resilience and security policy, and can be seen on the basketball court most weekends managing junior premier league teams, coaching, mentoring emerging coaches, and watching her children play.


Episode Transcription

These transcriptions are automatically generated. Please excuse any errors in the text.

Introduction (00:23) You're listening to KBKast, Cyber Security podcast for all executives cutting through the jargon and hype to understand the landscape where risk and technology meet. Now, here's your host, Karissa Breen.

Karissa (00:38) Joining me today is Kylie Watson, Australia and New Zealand lead client partner, National Security from IBM. So Kylie, it's wonderful to have you here today. I'm really excited to hear your thoughts, your opinions. You've got a great background, so I'd love to start there. Tell me a little bit more about you and where you started and where are you now?

Kylie Watson (00:57) Thanks, Karissa. Great to be here. Well, I actually have an interesting background in terms of it's not a linear progression. So I started in military engineering and was really fascinated at the time of what we were doing in those space of explosive ordnance, bridges and roads and various things that you use. And it helps on the warfare front in terms of disruption, in terms of access to deployed environments. So I'm really interested in the human side of it. So I went and studied a sociology degree and started finding out more about how people think, how groups behave, why we do the things we do, and really get into what we call psychological operations side of military warfare. So we might look like we're putting a bridge over here, but actually we're not going to access that area, we're actually going to access over somewhere else. Right? So it's really just a mechanism or a strategy to convince the enemy to say that we're doing X over here, but actually we're really doing Y and really got into it. And so I left the military and went to engineering consulting and really got interested in why we're putting roads in where we're putting them, how we're putting in churches and schools and town planning and waste planning and hospitals.

Kylie Watson (02:23) Very different right to where I am today. And on that journey, I did a bit of a change into IT.
I don't really know why I did, except perhaps my husband was in IT and he looked like he was really enjoying it. And I was likely going through what we call the great reflection. I was having a reflection back then, it was the global financial crisis, so I might show my age a bit here, but starting to think about what I really want to do, what really excites me. And although I was interested in the engineering side of it, I thought, I'm actually really interested in that cyber security, data security risk. And it was all sort of becoming a thing in technology back then. So I switched over and started to focus on data risk and then linked into cyber security risk, because every time there was data risk, data breaches, data issues, and always went to the heart of being security. And I went back to Uni and I studied data and cyber security and risk and then started running teams of cyber security experts. And of course, with my military background, it made sense that I would take those learnings, particularly in a skill shortage, back into that national security space.

Kylie Watson (03:38) So probably long winded, the history there. But, yeah, interesting, from engineering over to IT national security at the beginning and then round it off and back to national security again.

Karissa (03:52) Well, I love that. I don't think it was that long winded at all, to be fair. I think that was very short. And I asked this because I think it's really lending itself to my next question. You've got a great background, very diverse, and the question I want to know from you is, why do people get into cybercrime? Now you've got that strong sociology background and so I'm really keen to hear your thoughts, especially being it cyber, the military, national security, what's the motivation for cybercrime? And you've mentioned to me in the past it's similar to how people fall into street gangs, so I'm really keen to hear your thoughts.

Kylie Watson (04:32) Yeah, absolutely.
So I think there's two key areas we have to look at with two main things of actors. So we've got the nation state actors and we've also got the organised criminal gangs, and there's slightly different motivations for each of those groups. So we go to the exciting one, cyber organised criminal gangs. When you think about it, a lot of the people that ended up in these spaces in organised crime, and the research shows they tend to be looking at thrill seeking rebellion, they tend to have a sense of injustice a lot of the time, struggling for acceptance, and they're really looking for a sense of belonging, how do I actually belong? And that's also different to a lot of the research that was done on street gangs, particularly those back in the nineties in New York, and when there was significant issues there about what they were actually looking for. And it was a sense of belonging. And where that came from is a theory that we call anomie theory. So anomie theory is essentially describing people who are drawn to crime. People who are drawn to crime quite often, under this theory, have tried legitimate ways to get ahead.

Kylie Watson (05:50) They've tried to learn at school and perhaps they've had learning disorders or they've had difficult family life that haven't supported that or socioeconomic constraints, whatever it is that they've tried to get ahead, they've tried to get a job and a good paying job and they've been bullied or something's happened. Or maybe the people that are associated with have undermined that. And so it shows that people intrinsically do try to do the right thing, apart from less than 1% of sociopaths, but the majority of us do try to do the right thing. And so anomie theory shows that these people try to do the right thing again and again and they keep getting undermined and they just can't catch a break, they just can't get ahead.
And if anyone watches or ever watched the TV show Shameless, you'll get it because there's a whole bunch of characters in a family there from a significantly disadvantaged background and they keep trying to get ahead and every time they do, something happens and they just come straight back down again to where they were. And it's all wrapped up into what we also call social learning theory. And I don't want to throw lots of theories, but I promise it's the last bit of theory I'll throw at you, where individuals develop motivations and skills to commit crimes through the exposure to others involved in crime.

Kylie Watson (07:07) So if you associate with deviant peers, you're going to end up like that. And when I was a kid, it was horrible, but my dad used to say, you lie down with dogs, you get up with fleas. And that sort of jumped into my head when I think of this, because I think, well, of course all of these things are drawn together and they get a sense of acceptance in this world and it goes to the virtual environment because it's less tangible, you feel less likely to get caught. The law is very murky. It's not like robbery and murder where tangible fines you do it physically, it's a bit harder to cover up than it is in the cyber world. And so they feel it's almost like they don't kind of think they're going to get caught and ends up becoming more attractive for them. And those that are particularly susceptible of those who have what we call Internet addiction disorder, I do worry that my youngest son, I think a lot of us worry about our kids like this. You spend a lot of time on the internet, but internet addiction disorder is similar to alcoholism, right?

Kylie Watson (08:20) It's a real social dilemma and what it means is people are getting this socialisation, this sense of belonging, they develop a persona even, and I have to admit, I play Pokemon, I have a persona in Pokemon that is absolutely not like me, right?
So you could be somebody different on the internet and that makes it feel like it's a bit less tangible that you might get caught and you can become popular online. And we see these movie stereotypes of maybe the person who's a bit physically challenged, doesn't do any exercise, sitting on the couch, eating chips, playing gaming and interacting with other people online. And it's a bit of a stereotype, but you can also see and realise that actually, that is the thing they do get a sense of doing it. They do become addicted and they do know from each other because there's chat rooms and they can be someone that perhaps not normally when they present, and normally is always an interesting word in sociology, but this becomes a normalised system, becomes a normalised part of who they are. And so they really don't think that what they're doing is wrong. In a lot of these cases, it's almost like a job or it's almost like everyone else is doing it and I'm less likely to get caught.

Kylie Watson (09:37) So the motivations and skills are very much about that sense of belonging in the group.

Karissa (09:44) Wow, that's awesome. There's so much going on there when you're talking. Okay, so my stepfather is a criminal judge and he obviously puts people in prison. And one day I asked him, hey, if these people or children had a better upbringing, do you think that they would have committed a crime? And he said, no. And so my question to you, Kylie, would be, do you think a lot of these people are sort of just born into it? Like maybe, I don't know, maybe their parents are criminals and then they're a criminal. Or like you said before, lay down the dog, get up with fleas, is always that analogy we like to use around you are the top five people you hang around. So if your friends are criminals, there's a high probability you're going to be one. Is there a bit of that there from what you're saying?

Kylie Watson (10:27) A little bit.
In terms of there are ways and means to be able to try to get out of that. Not everybody in anomie theory. There are some that actually get a leg up and it's usually when a teacher might lean in when they're younger and actually care about them and show them a different pathway and really support and sponsor, mentor them. Or perhaps someone that was in the juvenile system, where somebody, actually social work or whoever it is, took the time and the effort to show them a different pathway. Or perhaps a mentor or somebody. Because it's not as easy as correlating it to something like you're born into it because it is the environment around you. But there are ways and means to be able to step out of it. It's just that it's difficult for them. And it's not that everyone has this disadvantaged background, by the way. And there are also political motivations. You may have bought into a family, it's very political, and you've decided that you can take that to the next level. Right? So, again, the people around you might be quite political, but you don't have quite a sense of belonging.

Kylie Watson (11:36) They're quite fit, perhaps, with what they're doing. And you are remember the struggle seeking, the rebellion, the sense of injustice. So it really depends on the actual personality and the wiring of the person as well. And we're just talking here about the mass crime, right? There's a whole different set of motivations for the nation state.

Karissa (11:56) Yeah, you're absolutely right. And I guess, look, we're not blanketing everyone with the same brush. It's just more talking like theoretically about things. You made a good statement before. If people are undermined, then is it then they resort to crimes. You're saying that they get pushed down, pushed back constantly and then it's sort of this vicious cycle and then is it sort of after, I don't know, 1000 times something's gone wrong that a lot of these people are then resorting to the crime?

Kylie Watson (12:28) No, I think it's more like the street gang theory, right? And we see these potentially have to be younger, but you see these younger people who are looking for that belonging and they're looking to online. It's so much easier to be someone you're not, it's so much easier to be cool. You have a different person as what you might actually be. You could be a different gender, you could portray yourself to be in a different country and just hide and route where you're actually from in terms of your own digital footprint. So I think it's a whole number of factors. There's the social learning theory, anomie theory, internet addiction disorder, and it just happens to be the right culmination of those things for that personality, for that person to go. You know what I think? And they encourage each other, the chat rooms in particular, who's leading the chat room? Who's actually the leader? Do I aspire to be like them as well? So it's just all these individual senses of connections.

Karissa (13:28) Talk to me a little bit more about internet addiction disorder.

Kylie Watson (13:32) Yes, so internet addiction disorder, like I said, it's similar to alcoholism. If you've watched The Social Dilemma, a lot of this is wired for you to spend more time on it, right? And so you wrap everything up in it and it's really difficult to get away from the internet. So the more people are on the internet, the more likely they are to lose their human social connections face to face. As you look at COVID, I haven't seen stats on it and when I talk about we need more research, I'd love to go and have a look if there's been any research on this, but I would imagine that there was a lot more time spent online and therefore there's a lot more exposure potentially to being recruited into some of these cybercriminal gangs.
You're spending more time online and you're just exposed more to this kind of potential to be approached or potential to meet people that are giving you a sense of belonging and they have malicious intent that you don't know about yet.

Karissa (14:37) Yeah, I think I've sort of read in the past even people are getting to the terrors and stuff. That's how they're like, oh, they gave me a sense of belonging and then I fell into it, type of thing, without them knowing. It wasn't like a conscious decision. And then all of a sudden, they're amongst it, from what I've heard. The other thing as well, earlier this year, Wall Street Journal brought out this limited podcast. It was called Hack Me If You Can. The short version of it was a guy that basically something happened in his car, I think, and he couldn't pay it off or there was some issue, and so his friends said, I'll just get into doing cybercrime stuff. And then he said very quickly, he paid off the debt to these cars, but then I just stayed in it and I couldn't give it up because it was just too easy money. And I found that really interesting that he just stayed in it because he's like, wow, I don't have to leave my house, I don't even have to work that much. And he was saying he was making so much money a day, that would be like, more than he could potentially make in a month with his skill set, like, if he were to go back into the workforce.

Kylie Watson (15:37) It's so true. I know. I had a conversation with my husband a while ago and we were joking that exposed to this every day. And we're looking at the Colonial Pipeline at the time of the attack over in the US on the Eastern Seaboard that obviously had fuel pressures and resulting in people fighting at the pumps and things and looking at the other social impacts for that. And they walked away. I think it was at about $5 million. And I took it to my husband. We're in the wrong business. Seriously. They weren't a major organised criminal gang.
That was quite a small group of individuals that moved together and decided to do this. It wasn't a highly sophisticated nation state or organised crime type of attack. And of course we're never going to do it. But I can see why. Because when you go back to anomie theory, might be in a job, you're trying to get ahead, you haven't got a promotion, you're trying to do the right thing and then the wrong thing just seems easier and it's a bit cool and gives you a bit of belonging and it's going to help you with your finances.

Kylie Watson (16:44) Then you can understand people may be predisposed to those theories and those backgrounds may be more likely to do that and to go, okay. And like I said earlier, it feels less tangible. You feel like you're less likely to get caught because you can hold someone up. The service station, the physical person there with a gun or a knife or whatever, threatening and saying some words, right. That's tangible, physical, there's evidence there, but a lot of that goes away when you look at online crime.

Introduction (17:15) Absolutely. And I was interviewing a guy in the UK, so he's a global cyber security adviser for ESET and he worked in the police force for 14 years, I believe, for 18 years. And he was saying that it's 1% of people they catch when it comes to cybercrime. He goes, and even if we do Karissa, he goes, they get limited jail time, it's really hard to prove or they've done another country and then there may be no treaties involved or that's it, they don't have to be extradited to the UK. There's so many loopholes, which makes it inherently easier. And the question that I asked him was, like, I'm not a criminal, but if I were to be a criminal, it would be a lot easier to commit cyber crime. Right. But if you go and you murder someone, the penalties are a lot harsher. Right.

Kylie Watson (18:00) And you see the person's face. Right. You see the fear, you don't see that it's faceless.

Karissa (18:07) Yes, absolutely.
So then I guess all the things that you mentioned today on the theories, internet addiction disorder as well as COVID, would you anticipate that obviously your cyber crime is getting worse, but do you think what's happened with recent times, it's going to accelerate this? And like you said, it is faceless. We can't actually see from an empathetic point of view, like we're hurting people because we can't see them.

Kylie Watson (18:31) Yeah, it's definitely accelerating. And we can see there's all these different statistics, but all of them agree that we are facing larger, more advanced, more persistent automated threats than we've ever faced before. And we've obviously got the skill shortage. And then you look at the responses, one of the things people often forget is that you're defending this, you're constantly surveilling it. And if you look at the human side of it, which is obviously my expertise, it's that you're under pressure. You have decision fatigue all the time and you just imagine you're just defending, defending, defending. But when you're an attacker, you can go have some lunch and then come back again and start attacking, maybe just click the button and automate some other things you want it to. And so there's a lot less pressure on the attacker than there is on the responder. And so it means that it is increasing and it is easier to be an attacker than it is to be a defender or responder.

Karissa (19:34) So, on that note, what would be some of your recommendations? I could even get worse. I mean, it's not an easy answer and I know that, but I'm just curious to hear from your point of view, with your background and things that you're seeing in your role, what can sort of people start to take away from this? Especially if they do have children and stuff like that, and they're like, oh, my gosh, this potentially may be something that they never thought that their child may fall into. Do you have any sort of advice?

Kylie Watson (20:00) Yeah, I do think we need to do more research on the motivations and behaviours and go even deeper. A lot of the cyber security criminal behavioural research has only been done in the last few years. And prior to that, a lot of it was more just on general criminal behaviour, so not cyber related specifically. And I noticed a study, a really cool study that's being done at the moment on can you work out the degree of maliciousness of the attack based on the different patterns, based on the different technologies used, the networks, the servers, know what cloud bases, databases accelerated, that type of thing. But I think you've got to go a step back and go, we've got all these interventions for crime and there's still crime. Crime still exists. It's always going to exist to some form or extent in society. It's just how we are. It's been like that since men and shouldn't say mankind, should I? What do we say now? Since time began, right? Since people have been on the planet. And so we do need more research on it to help reduce it. Because when we do the more research and put the more time and effort to have the interventions, like I mentioned earlier, the social workers and teachers and other people out there in the community, then we will be more effective in getting people to understand, hey, this is not okay.

Kylie Watson (21:22) And I really worry about things like we went in the news that was recently since some young boys at a boy school, and I won't mention the school, but who were saying some pretty horrific and horrible things that you shouldn't really be saying at all and you shouldn't be putting in writing. And then you see some of the other behaviours and things that are occurring around you. And I've overheard some nasty voicemails and things that teen girls send each other. And I think if this were starting now, they're getting away with this kind of behaviour and we don't stop it and we don't have an intervention. Will it get worse?
Are we actually escalating by not having these interventions, particularly younger people coming through?

Karissa (22:06) So true. I have been told from friends of mine what's happening to some of their children. I'm just like, gosh, it was never that vicious when I was at school, which it was only probably about 13 years ago, so it wasn't that long ago. But they've definitely upped the ante in terms of the savageness. So, yeah, you're right. I think if we don't intervene, they could spiral out of control. But I'd like to switch gears now and I'd like to talk to you about PsyOps. So what is it specifically?

Kylie Watson (22:39) Yeah, so PsyOps is more in the nation state space, right? So what we call the information warfare space, and it's psychological operations. And there's actually a really good example with the Ukraine Russia conflict that I can talk to on it, but essentially PsyOps is looking at how you disrupt, confuse with a credible threat and has to be credible and based in a little bit of facts, an enemy, or how you actually get them to start thinking down the path that you want them to think. So you're essentially trying to start running the brains of your enemy rather than their commanders and traditional chain of command doing it. And so some really good examples in history have been a lot of people don't realise this, but the toppling of the Saddam Hussein statue in 2003 was actually from an army science team who had got a whole bunch of people rounded up and did that as an emotional reaction around the world to show that the regime had toppled. Right. So it was engineered. In 1944, I think it was.
This is one of the earlier examples in modern history where the US recorded prisoners of war and they reproduce the sound of lots and lots of tanks and lots of artillery by sounding and misled the German troops that they had at broadcast, misled the German hierarchy and officers and troops to think that they had a greater presence than what they actually have.

Kylie Watson (24:23) The one I love the most, and it's in ancient history, is Genghis Khan. So Genghis Khan, he was a pretty nasty guy, but he had PsyOps nailed. And what he did, and this is very gross, but what he would do, he would go and lay siege to a city and he would kill a whole bunch of people on the way through, right? And then he would get the dead bodies, he'd collect them, they'd be a bit spotted and a bit lucky, and he would get his troops to throw them over the castle walls and actual bodies, right? So can you imagine? You're in your castle area, you've got the enemy coming down on you, but on top of that, he would tie brushes to the tails of his horses and he was in a particularly dry, dusty area, the Mongol Empire desert, where dust would be absolutely a thing. And so what would happen is he'd come down with his cavalry with these brushes tied to the tails of the horses, which would sweep up the dust. So the people behind the castle walls or the fortified areas would just see these clouds of dust just coming at them and they'll do loud, hooting, scary, horrible guttural noises and screaming as they came through and then fling their bodies over the walls.

Kylie Watson (25:46) Would you run away? Would you surrender? Would you go? There's no hope. So to the idea of PsyOps and how that's being used in cyber security now, it's really recent. So it's the Ukrainian Russian conflict and this is in the news and in the media and quite well known. So I don't think I'm transgressing any national security boundaries in this one.
But what they've done in Ukrainian areas, where they've actually captured is Russia has gained control of the internet, so they've rerouted the internet through Russian providers and the internet that is now provided to the Ukrainians in these captured areas is monitored, right? It's restricted, it has censorship. The Ukrainian networks have been blocked, so they have to go through the Russian internet. Russia has been handing out free SIM cards and even to some extent some free phones. So these people really have no choice. But if they want to talk to family and friends that want a connection and we all crave connection, they have to use these Russian operated systems and Starlink and we hear about Elon Musk providing the free internet services to Ukraine. Starlink is having to focus on helping the military effort.

Kylie Watson (27:12) I could be wrong. I think it was only about 15,000 free user kits that were able to issue for the civilians from the Starlink and the rest of it has been used by the Ukrainian military. So regardless of which side they're on in that conflict, just think about it, it's all been rerouted, right? So they're not getting the information from the sources they previously had and they have no choice in it. And so that's a classical psychological operations in the internet and everything they're now having to they're being disrupted, they're being confused. It's a credible threat, it's logical and factual. Everyone needs to be able to access their phones and have contacts and it's been subjected to disinformation and propaganda.

Karissa (27:55) Wow, that's really interesting because I guess that's what leads me to my next point and from my understanding, from what you've said, is that there's just not nothing done then from a PsyOps perspective, I guess from a cyber war then perspective, just touching on the Ukraine Russia thing.

Kylie Watson (28:14) Yeah, and I think more generally too.
So if we look at and what I hadn't covered is the motivation of those who joined the nation states and a lot of that is nationalism, right? So if you join us at a criminal gang, it's a sense of belonging, quite often dollars you mentioned before, walking away with some money, it could sometimes be a bit of a sense of injustice. If you look at the nation state, it's very much about nationalism. It's usually a lot of ex military involved in there and there's a lot of psychological operations that go on. And in terms of research, we've just not done enough and don't have enough in the psychology or sociology space for this. It has not been a large focus. And we do have a cyberskills engineering shortage, we have general shortages across cybersecurity. But I have to say, in my own experience, it's very difficult to actually get the people who are hands on tools as well. So we need to find a way to get those who are more interested in the humanities to start thinking about this and those that say particularly teenagers, and I have teenagers myself, so I encounter a lot of teenage discussions about what they're going to do with their lives and they talk about, well, I'll do criminal

Kylie Watson (29:25) psychology, and it's not usually in the curriculum to do cyber security, criminal psychology. So I think we need to start, like in the universities. At the moment, I've just finished writing some courses with some universities who are introducing cyber security courses. Perhaps we start with the universities and have some options to focus cyber security. Some of it is happening, but it's really only quite new and we don't have the depth of research that we need. And how do we defend when we don't know the degree of maliciousness, we don't know all of the motivations. It's harder to defend.

Karissa (30:01) So you make a couple of interesting points, one of which I think was recently, like last week, the Victorian government said that they're going to waive, like, nursing to study nursing is going to waive the fees. Do you think the government should do it for security? Now, I know there's a few things like that is floating around in this space. I think in Wollongong you can do your degree, but then you also sort of get like an apprenticeship type of model or you've got your standard scholarship stuff. But do you think maybe if the government opened that up, that would encourage people to study engineering or it's not really going to make a difference from your perspective?

Kylie Watson (30:38) I think it would encourage it. I think I'm going to try to give back a lot. And I don't like the interviews of young people who are looking to get their first jobs outside of university. And I've had some really interesting experiences in doing that and one of them has been very much safe to a very smart young man. I remember he had 95% plus and everything and he done to capture the flag of Amazon and was in the top five of the country and was really super keen and he wanted to go to a top university. And I felt a bit bad, but I had to start pulling down a bit because it was a little arrogant. And I said to him, you realise that somebody could leave school, do some micro credentials, in cyber security, learn to code, perhaps they could take it, perhaps they don't, but they might actually beat you if you're going for a job with, let's say, a Big Four company or a major technology company, because they have more hands-on, practical knowledge. And the university, some of them, not all, but some of them are a bit behind in that. He sort of looked at me with his mouth open because he'd been wired to think I'd be the best in everything.

Kylie Watson (31:51) I got the top university, I got the top marks, I win everything.
Not actually understanding that there are so many other programmes out there and the need at the moment is for practical, hands on tools right now. And so I think we have to think about how we make this really obvious. There was only one female interview. There was a batch of 20 that I was helping, there was only one female in it. And she got to me and she said, Actually, I didn't pick this, but all the other interviews were full and they stuck me with you. Okay, thanks.

Karissa (32:25) Okay.

Kylie Watson (32:25) And I said, okay, well, do you want me to interview you or do you want me to tell you about cyber security? She said, yeah, tell me about cyber security. So I started telling her some of the stuff we were doing and she was like, wow, that is so cool. I had no idea. So maybe it's just education of these people. And I just ran into her a few weeks ago and I don't know if she was joking, I hope she wasn't, but she said, I'm absolutely wired. I've gone and had a look at all the universities and I'm going to study cyber security. I thought, well, great, because I planted the idea in her head. But one of the things that I've noticed, and I was very impressed by one of the universities I was helping running and designing their programme, we did a competitive search on the other universities and one of them did not require an ATAR at all for entry or a Pathways programme. And I thought, that's actually really smart, because as long as they get in there and they can actually do the work and you have it so that the first subject is not one that they run away and go,

Kylie Watson (33:30) this is too hard, then that's a good attractor. Because after COVID, a lot of these young people are really struggling and not knowing what they want to do and they're scared about their marks and what am I going to do? And if you have a university entry with no ATAR, that's a big incentive, right? I might apply for this course.

Karissa (33:50) Well, then you're letting the barrier down. There's more people for entry. Perhaps maybe they didn't get great marks, but, hey, maybe they'd make a brilliant cyber security engineer. So I'm curious to know if the lady that you were sitting with and she says, I had no idea that's what it was. What was her idea? Do you know?

Kylie Watson (34:07) She thought it was a bunch of programmers that just sat there doing codey stuff, capture the flag kind of stuff and she sort of thought, this is from her words, it was sort of like a whole bunch of nerdy guys all getting together in a room. And it is male dominated right now. There's a lot of industries that are there as well and there's a lot of industries that are female dominated too. So she had a stereotype in her head that was not actually correct. And I mentor a very amazing young woman in a government department who was in a security operations centre and she was, I have to programme, I have to learn the technical side of it. And I pointed out to her that there are a number of other careers and she works in the pen testing team now and just got a promotion. So for her, she's realised that she doesn't actually have to programme and we need more people to programme. But doing pen testing is actually a technical thing as well, and the analytics side of it in the Security Operations Centre. So that's so many different careers, and I don't think they realise that.

Kylie Watson (35:13) They think it's just the sitting there, heads down. I wasn't good at coding at school, it was all a bit scary, so I can't be in cyber.

Karissa (35:21) Yeah, I know. That's absolutely a massive stigma in the space that people just assume. So that's why we like to interview people like yourself, to break down all of those barriers and understand that there are multiple roles depending on what skill set you do have. I'd like to understand a bit more.
I mean, you've touched us a little bit, but I'm keen to hear from your perspective that you've mentioned that more research in our industry does need to be conducted specifically around the degree of malicious intent. So talk to me a little bit more about this.

Kylie Watson (35:49) Yeah, so what we want to be able to do is to work out how much attention we should be spending on the attacks that are coming through, all the compromises that we're seeing. So we need to be able to give you an idea. You can tell if it's a complex, because a complex attack is usually a nation state. So expert cryptographic, maybe homomorphic encryption, detailed knowledge of how they could concierge to countries that don't contain dialogues, expert programming, mastering of how communications, that sort of thing. So then you start to know it's a nation state, but then you have to know the geopolitical context. So which country do we think this is coming from? And let's say it's a country close to us that we haven't been having good political discourse with lately. Then we need to start going, okay, well, what type of attack was that? And there's actually degrees of attack, so there's access, disruption and forced or armed. So when we look at access, we're looking at just going in and perhaps doing some port scanning, network mapping, they've got access to your systems and that's not particularly malicious. Then there's sort of the disruption.

Kylie Watson (37:13) So they're looking to degrade or disable systems. Perhaps it's non critical infrastructure, usually the ransomware type of thing, where you give them some money and they'll go away. They're doing it from that perspective, they will give you dollar back. And then there's the fourth type of attack. So what are they trying to do? Is it death and destruction? Is that damage to the point of critical infrastructure or systems? And why we want to know where that is.
It might start with access, with the intent to get to the force or the arms. And when you think about that stat that an infrastructure could be in your system that's 200 days before you actually know it or see it. We want to know the degree of maliciousness and the origins of where it potentially comes from in more detail. Do we think that this is an access that's going to move through to an arms or a forced attack or is it perhaps just an access? So I think it's an area that's completely unstudied, really. In terms of actual, there's only one university I know of that's actually looking at. Let's have a look at what botnets are in there, what type of things are in there, what type of maliciousness do we expect?

Kylie Watson (38:32) Because we know that they're potentially going to hit a system here based on this evidence or this data. And it all comes down to should we be offensive, should we be protecting or should we be turning around and pushing back and being offensive?

Karissa (38:47) So do you anticipate that more research will be done outside of this one university that you named or you're unsure at this stage?

Kylie Watson (38:55) Look, I think there will be more being done. I give talks at various conferences and I like it because there's usually two or three people who are in that more forensic investigative space that come up to me and go, yes, I love what you're saying, we have to do more. And then they say, okay, well, can we get some funding? And I work with one company, we can only fund so much, right? We can't fund the entire scope of all the things that need to be done. So we do need to get more companies to invest not just in their own, to their own benefit in the skill shortage, how they can benefit from this, but we need them to go and give back and to fund and to help and to help set up those programmes at university and also to help fund some of this research. Is it through PhD? Is it through residencies?
Whatever it is, we need more of it because it's just not out there. There's funding for a whole lot of other things, but there's not the funding at the moment in a huge degree. There will be pockets and there'll be areas, and it has increased in the last two years.

Kylie Watson (40:02) But I have to say, five years ago I stood up and I think there was only about 20 credible sources. Now you go onto Google Scholar and you'll see a whole heap coming through, but then when you sift through them, you realise there's really not that many still.

Karissa (40:18) So would you say with your network that conversations are being had within the industry to say, hey, let's get a couple of companies together, let's fund this? In terms of research, is that happening or not quite yet, no.

Kylie Watson (40:30) I think the focus at the moment is on cyber security shortage and the engineering and getting people to be able to operate the Security Operations Centres to be able to have that deeply technical engineering capability. And I know the Department of Defence has got some fantastic programmes. Your defence college has a whole bunch of things and it's growing, but the focus and it needs to be as well, right. We can all be analysts and all look at the motivations of the behaviour and then not actually know how to shut it down once they're in our system. And a lot of the times the forensic investigation is done after the fact, we need to be everything moving to online now, automated, current environment, real time. So it's all very well having an attack and going off and investigating and coming back with a report and,

Kylie Watson (41:26) yes, perhaps that can feed the next attack in terms of helping and how to respond to it. But we need it in real time and the only way we're going to get it in real time is if these engineers actually have this information themselves as well.
Or we have specialists in the Security Operations Centres that are analysing this and obviously in things like Information Warfare Division and Australian cyclist specialists in this space. But there's a skill shortage and I can't get enough people.

Karissa (41:50) Yes, of course. And I'm clearly aware that we definitely need to prioritise things. It's all well and good to have these wants and needs and aspirations, but of course, yes, we've got to start and prioritise these things. So, Kylie, I really appreciate your time today. Is there any sort of closing remarks or any final thoughts that you like to leave our audience with today?

Kylie Watson (42:08) Yeah, I think a key thing is not to forget the small to medium businesses. Right? So I've spoken today about the nation states. I've spoken about the organised criminal gangs and they tend to go for the big stuff. But like I've mentioned with the Colonial Pipeline and we see it with the "Hi Mum" cyber threat that's just my mum actually got pings like that a few weeks ago and I was talking to a local small to medium business mortgage provider who asked for my husband's credit card over the email. My husband just happily sent it to him and I'm just now compiling it. He says, I don't understand why that's wrong. So I'm just compiling a whole bunch of dot points to him and getting them off to him and why he shouldn't be asking for that. So I think we also need, once we've done the big stuff, we can't forget the small to medium enterprises and the mums and dads and the aunties and uncles and all the other people around and help with looking at their own motivations and they're not as sophisticated. But there are people out there who you can buy this stuff on the dark web.

Kylie Watson (43:11) They can just download hacking packages and can quickly walk away with a few tens of thousands of dollars.
So we have to be vigilant across every sector of society and every cohort, and it's just something we have to be aware of in our homes, in our families, in our workplaces, where we play sport, in our lives.

Karissa (43:31) I think that's wonderful, and I really appreciate you coming on the show today because I know that you're busy, you got a lot of stuff going on, and you're always out there doing presentations. So I am very appreciative of your time and for you sharing your thoughts, your insights and your experiences with us today.

Kylie Watson (43:46) Thank you, Karissa. I really enjoyed being here and it's great to share these thoughts. And if we can at least get one extra person out there going, hey, I want to go and study this space, then we've done a good job.

Karissa (43:56) Thanks for tuning in. We hope that you found today's episode useful and you took away a few key points. Don't forget to subscribe to our podcast to get our latest episodes. This podcast is brought to you by MercSec, the specialists in security, search and recruitment solutions. Visit Mercsec.com to connect today. If you'd like to find out how KBI can help grow your cyber business, then please head over to KBI dot digital. This podcast was brought to you by KBI Media, the voice of cyber.