KB [00:00:10]:
I recently attended SPHERE by Atmos to sit down with some of the presenters on the day for one on one interviews and to meet with people attending to find out what brought them there and what they learned from the day. Over the next few weeks, we’ll be releasing these conversations to the public, providing rare insights into the state of cyber security and risk for Australia, New Zealand and on a more global scale. We’ll find out exactly what moving beyond just a responsive moment of crisis actually looks like. Stay tuned. Joining me now in person is Chris Krebs. Chris is widely regarded as one of the most influential figures in modern cyber defence policy. As a founding director of the Cybersecurity and Infrastructure Security agency under the U.S. department of Homeland Security, he led the agency during a formative period, shaping national efforts to secure critical infrastructure and safeguard democratic processes.
KB [00:01:07]:
So today he continues to influence the global cybersecurity conversation through advisory work, public commentary and his leadership at the Krebs Group. So, Chris, thanks for joining us and welcome.
Chris Krebs [00:01:17]:
Thank you.
KB [00:01:18]:
Really long title, but I wanted to make sure I got it correct, which I believe that I have
Chris Krebs [00:01:23]:
And whoever wrote that I need to hire as my hype person. That was, that was pretty good.
KB [00:01:26]:
Good. I’ll let them know now.
Chris Krebs [00:01:28]:
Whether it’s true is a different matter,
KB [00:01:29]:
but yes, definitely true. Big fan. So I’m excited to interview you here today. So Chris, I really want to start with you said at the intersection of policy, industry and public debate through your advisory work. So what does that vantage point allow you to see about the threats that perhaps wasn’t as visible from inside the walls of government?
Chris Krebs [00:01:49]:
So I sit and over my career have sat in a place that kind of rotates in and out of government, private sector government, and that tends to be viewed in the US sometimes as less than, you know, maybe the ideal spot. They call it the revolving door. But I actually view it as giving you a kind of full spectrum view of what’s happening in the world. So you go into government, you know what the capabilities are, you know what the constraints are, you go out in the industry and you understand what’s actually needed. So when I came into government the most recent time in the first Trump administration, I had just come from Microsoft, I had been in the consulting space, but I had actually been at the Department of Homeland Security at its startup. So I kind of knew where things were going. So you bring it all together and you really tie together what the demand signal is and then what government can actually deliver on. And that’s just a really clean way of saying the government needs to be listening to industry, particularly when you don’t have heavy regulatory authorities like they do in the us you have to be listening to industry to really figure out what the problems are and then provide solutions.
KB [00:02:58]:
Do you know it’s happening now?
Chris Krebs [00:03:00]:
No, it’s actually not. And I think that’s part of one of the conversations we’re having down here. But you see in the headlines coming out of the US that CISA, the agency that I led, has had a pretty significant headcount reduction on the order of 30 plus percent. You’re seeing budgetary cuts as well. You’re seeing senior leadership leaving. There’s no Senate confirmed leader. There has a. That has a real impact on the ability to execute against the mission.
Chris Krebs [00:03:27]:
Now, I also think that perhaps this gives us an opportunity to think a little bit more deeply about where does CISA need to be positioned going forward? What sort of services capabilities does it need to deliver? We did stand up in 2018 from a existing entity, but it kind of happened in a hurry and then Ginny Surly came in and built further. So I don’t think it’s ideal where we are. Of course we should be moving forward. The Chinese, the Russians, Iranians, everyone else certainly is. But we can also take this moment what follows, I think to really kind of optimize and dial in on what CISA is supposed to be.
KB [00:04:06]:
And you’ve got a closing keynote today, is that right? Yeah. So the model you shared or will be sharing for how business leaders should view risk in the current climate. Provide a bit of a synopsis.
Chris Krebs [00:04:17]:
Yeah. So I think it’s really hard to make the case right now that the world’s a stable place. Look, right. I mean, we’re looking at what’s happening in the Middle East. We have to challenge a lot of the assumptions that are baked into our risk management and governance strategies. And so I go in and sit with boards and C suites all the time. And I made a point in an earlier panel about I walk into a board and I see a risk registry and now we’re on like R19, R20, R21, adding 3, 4, 5 from the last meeting. And that’s just not a sustainable pace.
Chris Krebs [00:04:52]:
We have to kind of look up and say, wait a second, why is it so chaotic? What are the cracks in the foundation of the modern risk management landscape that we’re not accounting for in our risk management strategies? The way I see it, they’re five key elements. One is the beliefs we have, the assumptions that we baked into Strategies, they’re all blown up, they’re gone. A lot of partnerships have broken. I talked about cisa, the treaties, the alliances like NATO, they’re not as strong as they used to be. Five eyes partnerships. Can you trust the tech that you have? The second is alignment. Are the partners that you depend on, are they going to be there? And that’s partly vendors. Are vendors delivering the things that you need? Can you trust.
Chris Krebs [00:05:37]:
And this is the main conversation I’ve had this, this week is third party risk. The SaaS providers, are they living up to their, to your expectations of how they should be securing the services that now you’ve let into your environment? I got a couple more, but I, I, I, I’ll, I’ll let you, I’m
KB [00:05:56]:
just curious there to understand. Okay, so are they living up to their, what they say they’re going to do? Yeah, and I know there’s like you can do third party risk assessments and we can do all these other things in the audit and all this sort of stuff, but do you think that’s enough though?
Chris Krebs [00:06:06]:
No, no. So the global CISO from JPMorgan Chase last April, Pat Opet had an open letter to industry, to the vendors. And this is JP Morgan. This is probably one of the largest private sector commercial cybersecurity budgets in the world. And Pat’s message was, you guys aren’t doing your part, do better. And there was a set of prescriptions that I think, I thought at the time, I was like, pat, like where’s the second page here? What else are we talking about? Because it’s do better, be more transparent, collaborate and standardize what your approaches are. But the reality is we’ve spent the last 10 plus years segmenting networks. So you think about the notpetya fallout and the takeaway was, well, that happened because those networks weren’t segmented.
Chris Krebs [00:06:52]:
So we segmented our networks. But in the meantime we’ve also taken this shift to SaaS service providers, whether it’s, you know, office back office business processes for payroll and hr, whatever. But we’re now getting trusted, integrated access to these things back into the network. So we’ve almost blown everything up. So we have to be thinking about how to kind of get back control. And what that means is, is, well, the bigs, the JP Morgans of the world are going to lean into that problem. They’re going to start taking control, they’re going to start demanding more of the organization of their vendors and then we’re all, I think downstream where we don’t have that sort of purchasing power are going to benefit as a result because those, those vendors are going to kind of snap to and do what the bigs, the banks, the energy companies, the telcos are going to ask them all.
KB [00:07:39]:
So I interrupt you before. So you had two more bullet points, I believe.
Chris Krebs [00:07:42]:
Three more, but I’ll go quick, I promise. The third is the way power is wielded. So bureaucracy is viewed kind of as a bad word, but actually bureaucracy is good because it gives you predictability and predictability is a public good. You can invest capital, you can bid on tenders, you can hire, you can manufacture and construct based on predictability. But what’s happened is power and authority have shifted into individuals that move quickly. Right. Tariffs are on, tariffs are off. The satellite network, it’s up or it’s down.
Chris Krebs [00:08:14]:
That happens too quickly to really bet against the fourth is, is just that it’s time, it’s speed of events, how they transpire. They’re outpacing a governance structure’s ability to manage and, and, and actually plan against. So you have a ransomware event that kicks off. By the time you can get the risk committee together, the event’s over. Right? You, you’ve already had to figure that out. And then the last thing is just is what information do you know and what information can you get access to? And part of that is just the information environment itself is so polluted and chaotic and also what are the adversaries doing in this space? How are they taking advantage of the pollution? But then it all kind of wraps then. And again like do you actually know what your supply chain is? Just what you were saying about the third party risk, it was like do you know what is exposed? Do you have the ability to get down and do anything about it?
KB [00:09:06]:
So going to your point before Chris around, JP Morgan CISO said we’re going to do this, get back control from the vendors. So what can we start to see now moving forward? What does that control look like in your eyes?
Chris Krebs [00:09:18]:
Well look, I think there are a couple things we have to think about of that. A, the trusted access, what you know, oauth and things like that, letting them into the network. How do we gate that off? How do we either have secure enclaves just for the integration of that third party, things like self hosting vendors perhaps in your own environment rather than allowing them. Because again if you’ve got an organization, I’ve talked to a bunch of companies again down here in Australia that I know are doing the very best they can. They have good dedicated budgets, they have mature programs, but they’re still struggling. There’s absolutely no way, no way that a SAS company that is, that’s younger than some of my kids is going to have a mature enough program that you, as a responsible CISO or security professional are going to allow them to come in and have access to your environment. Again, we are seeing that these companies, even the bigs, the vendors, have really poor security. We have to push the envelope and get them where they need to be.
KB [00:10:17]:
Okay, that’s really interesting. So I want to sort of move on now a little bit. For Australian organizations, specifically, what types of cyber risks tend to be underestimated when they assess global instability, particularly with the most recent sort of news headlines.
Chris Krebs [00:10:33]:
So is historically Australia has kind of had this advantage of being the island continent that, that it has time to see the world changing as it comes breaking across the shores. But I think just the way that the world is so digitally connected now, rather than days, weeks, months, it’s, it’s, it’s, it’s milliseconds, the way that events globally can hit the country. So the way I’m thinking about it when I’ve talked to leadership teams this week and boards, do not let your imagination be the limiting factor. You really have to get beyond the planning standards of maximum most probable event, which is what the regulators are going to require of you. But you have to go beyond, you have to think seriously, seriously worst case scenario, and start rolling out a bit of a doomsday scenario engine that says, how, what’s the worst possible thing that could happen to us? And then once you start playing that game out, then you get to the 10th, 11th, 12th scenario. Each subsequent scenario starts to look a little bit similar and more importantly, the playbook and the outcomes you’re trying to achieve and how you get there are effectively 80% of the same of the one before.
KB [00:11:51]:
Okay, I want to talk a little bit more about regulators. Obviously we’re quite regulated here in Australia and I now live in the US and it’s very different landscape again. So that whole adage around you attract more with honey than you do with vinegar. Obviously the vinegar in some aspects could be viewed as the regulators. So. But do you still think that that works or what is your view?
Chris Krebs [00:12:09]:
Look, I think regulation, particularly in the technology space is inevitable because of the complexities, because of the lack of transparency. You know, we have to get to a space where you can make rational, informed decisions in the market and you have in, you know, more perfect, not perfect, but more perfect information to make better decision Making. But I do certainly think you can go, go too far. And we’re seeing, I think a lot of that in Europe that kind of regulate first, ask questions later approach. In the States, I think we’re kind of pulling back and heading in the wrong direction. I think it is allowing a lot of perhaps products that aren’t ready for the market or products that should not still be in the market, because we
KB [00:12:53]:
know still be in the market still.
Chris Krebs [00:12:55]:
Oh, look, I mean, every month the same vendors have issues. There are a set of problematic vendors that time over time, over time, month over month over month, have vulnerabilities that are exploited actively by ransomware actors by, by the Chinese, by the Russians. So we’ve got to get down and we’ve got to solve for that problem. I think that’s from a policy perspective, probably a good place to start. And then you can kind of move beyond into a negligent standard perhaps that can be more broadly applicable to the market.
KB [00:13:28]:
Okay, so. So there are vendors that. I think I know who you’re talking about. We won’t list them, but what do you think’s gonna happen to them then? So it’s like I was talking to someone here earlier today. It’s like, yeah, but it’s like we have this huge contract with this vendor. We can’t just like oust them and bring someone else. And there’s has to be a whole migration thing or it’s contractually, we need to work it through. What do you think realistically is going to happen to your point earlier around getting the control back? Is it going to be, we need to get the control back, you made too many mistakes. We can’t keep doing it like this.
Chris Krebs [00:13:54]:
So I think that goes to, back to the CISO question of what are you going to do about it? You’re just going to let that out there? I see plenty of times where it’s like, which is, in fact, I was just having a conversation a minute ago in the green room with someone that is working on an incident and there was a problem and that they turned the service back on, the device back on, and they were like, you know, it’s only going to be on for a little bit. We don’t need to update it to the latest version and boom, it got popped. So it’s these decisions that users are making that organizations are making, that they’ve got to think about how to change the physics around how these less than reputable products are being used on a regular basis. What can you put layered defense back on Top of it to ensure that it’s not posing risk to the organization.
KB [00:14:39]:
Do you believe this is something going to start seeing more of now?
Chris Krebs [00:14:42]:
Look, I think until we get some of the market incentives lined up and there are plenty of these companies that are for instance, private equity backed and maybe, you know, it’s a private, private credit and private equity markets start to unwind a little bit, that creates pressure and put some on these organizations. But you know, when you’re really trying to maximize profits in these organizations that have passive, passive revenue or ARR coming in from these legacy products, you know, why would you touch it? You know, you do, you do not want to encroach on that margin. So that is one of those areas that I think governments that policymakers need to take a hard look at and say, are there other policy levers that we can pull to change the market incentives here? And whether again, it’s on the negligence standard on the other end, because you know, that thing, the code base is old, it’s wobbly and you need to do a better job of bringing it to a more modern standard.
KB [00:15:34]:
So there’s a couple more things before we wrap up today, Chris, would be, is this going to enforce the vendors to proverbially pull their socks up to be like, well, we don’t want that to happen. We have to do something better. Like no one wants to have their clients fire them or be moved off or their whole company dissipates, but they are potentially now at risk of this happening.
Chris Krebs [00:15:50]:
Yeah, but some of these, these products are there and they’re not necessarily disruptible because the TAM’s not worth chasing. The TAM is, is or the, the tams that they want to chase right now are elsewhere. Again, like these are more mature products. These are legacy products that are still sitting in some of these, these environments that are, are not, not high speed. Right. When I say high speed, I mean like they are not state of the art. They are not today’s, you know, top of the line operated among us.
KB [00:16:20]:
And then sort of just looking ahead, where do you see your own focus evolving over the next few years?
Chris Krebs [00:16:25]:
Well, you’ll hear I’m going to talk about a little bit today in my keynote, but I’m really trying to spend a lot of time again understanding how all of this connects from a geopolitical perspective, from a, you know, how cyber is now the, the first shots fired in every conflict. We saw it Russia invading Ukraine. We saw it with the invasion of, of Iran and, or the strikes on Iran. I’m not sure what we’re supposed to be calling that right now, but the, the major combat operations, I guess, is what we’re calling it. But you know how it all plays together and really figuring out what that translation story, that message is to, to boards, to executives on how cyber is not a technical risk. It is, it is truly business risk. It is something you have to bake into every decision and the security team needs to be empowered to take care of the network.
KB [00:17:21]:
Any sort of closing comments you’d like to leave that audience with today?
Chris Krebs [00:17:24]:
No. Hey, look, it has been absolutely wonderful down here. I spent some time in Melbourne and in Sydney. The weather is gorgeous. There was a little bit of rain, but it’s better than what was back home in the D.C. area. There was snowing, I guess, at some point as I’ve been down here, so had a great time. Really fantastic group of companies very passionate about cybersecurity and the Sphere conference.
Chris Krebs [00:17:45]:
The teams, the Atmos team has done a wonderful job.
KB [00:17:48]:
Chris, thanks for joining.
Chris Krebs [00:17:49]:
Thanks for having me.
KB [00:17:53]:
Joining me now in person is Tom Huth, specialist energy market Cyber Incident Coordination at Australian Energy Market operator, and Ryan McLaren, co founder, chief operating officer at Retrospect Labs. And today we’re discussing why the energy sector is ahead and what the rest of critical infrastructure must learn. So, gentlemen, thanks for joining me and welcome.
Ryan McLaren [00:18:14]:
So good to be here.
KB [00:18:15]:
Okay, so, Tom, I’m going to start with you now. There’s a statement saying that the energy sector is ahead. Why is that?
Tom Huth [00:18:23]:
Look, I think it’s been a pretty long and concerted effort, to be honest, and it predates my time directly in the sector. But there’s a couple of things about the energy sector that I think make it unique. One of them is that, you know, the supply chain is so, so direct. And because we’re talking about electrons going down wires, when things stop working, people realize immediately, Right. And naturally kind of lends itself to a collaborative effort from that sense, because we’ve got such a. Such a deep understanding of how we rely upon one another. I think one of the other things that lends itself to the collaboration in the energy sector is the fact that apart from retail and generation, our networks typically have geographies that they have to perform a specific function in. And so they’re more inclined to be collaborative with one another about the common challenges they’re facing as opposed to competitive with one another.
Tom Huth [00:19:18]:
So there’s kind of a real understanding of each of our roles in the supply chain and how a cyber incident could impact one organization. But cause impacts to others.
KB [00:19:27]:
So yeah, and then before we cross over to you, Ryan, I’m curious, I just want to stay with this. When people can’t get electricity to work, myself included, people seem very frazzled quickly. Can’t charge their laptop, phone starts dying super hot in Sydney at the moment, can’t turn the air conditioning on. So do you think perhaps it’s more head because the frustration even from consumers is there, whereas other things, it’s like, well, we didn’t really notice that sort of thing, but with like energy and stuff like that. You do.
Tom Huth [00:19:57]:
Yeah. And I think the consumers and businesses will immediately feel the impacts of electricity outages in particular. Gas is super important as well. And AMO operates electricity and gas markets. So yeah, I do think there is an element of the critical infrastructure. Electricity in particular underpins so much of it. And those impacts will be felt very quickly when something goes wrong.
KB [00:20:21]:
For sure. Okay, so Ryan, I’m going to cut over to you. What’s the real difference in your eyes between a tabletop discussion and then functional or simulated testing? And I’ve got like a bit of a theory on this, but I want to hear yours.
Ryan McLaren [00:20:33]:
Yeah, of course. I guess when you run a tabletop discussion based exercise, and that’s a really great way to start testing your incident response plan, start putting your teams through their paces and identifying some of those more surface level issues that you need to focus on in other media, really making sure that you’re basing cyber hygiene and some of those, you know, fundamental security controls that you’ve got in place, your people, your processes, your tooling is working in the way you expect it to. But when you think about that functional type of exercise is much more hands off, where you’re responding to the exercise or the simulation as though it were a real incident, that’s where you really start to scratch below that surface level and start to do really, really realistic and really, really meaningful results because you’re actually putting your team through their paces and as though it were only incident. So a tabletop might identify this kind of cluster of issues or things that you could focus on and remediate. A functional exercise will identify those things and a whole bunch more as well.
KB [00:21:33]:
And so can I ask you another question on that? So when people talk about doing the exercise, the plan, but what about when push comes to shove, for example, there’s a fire in the building, is everyone thinking clearly and go, okay, we’re going to bring up the plan that Ryan said and we’re going to go through it. Oh, People just running for their lives, right? Yeah.
Ryan McLaren [00:21:49]:
And I, I guess that’s one of the key things we’re testing through an exercise. Right. So when we talk about incident response, we really want it to be thought of as a really controlled, really coordinated way of responding to those complex, difficult and you know, very chaotic incidents. So bringing that sense of calmness, that sense of strategic focus and direction is really, really critical. And that’s why documentation like incident response plans or incident specific playbooks are really, really critical and why it’s really, really critical or just as equally critical to test and validate those through regular exercising as well as just making your teams familiar with them as well. So when that crisis does hit, they’re fit for purpose, they’re accessible, and they work the way that they’re intended to.
KB [00:22:33]:
So then on that note, I interviewed the former sizer of Medibank when that breach happened and one of the things he said in the interview on public record was that there is no like blueprint because everything changes incident to incident. So are you saying you can get in the general direction of incident planning specific to maybe the energy sector, although there’s still going to be nuances that you can’t predict everything, right?
Ryan McLaren [00:22:54]:
Absolutely. Every incident’s unique, so there’s no black and white. This is the way to approach incident response. Every incident has its own unique context, potentially its own unique tradecraft that a threat actor has deployed against that target victim organization. So I think those plans are really important to provide you that structure, that guidance and provide that really strong outline that your incident response teams can default back to and use and leverage to help them with their response efforts. But it certainly should not be a stop a SOPs style process. Step one, step two, step three, you still need that independent thought, that critical thinking to respond effectively.
KB [00:23:31]:
And would you say when people are panicked and maybe Tom, you can chime in on this, that people do default to step 1, 2, 3, 4, or is it. It’s like, I know it’s like a muscle, but I’ve just seen over the years that as good as someone could be, they do default to that.
Ryan McLaren [00:23:44]:
Yeah, we talk a lot about muscle memory. Right. And the importance of doing those routine exercises so that you can build that muscle memory. And I guess if we think outside of cyber and we think to first responders, our military, they’re practicing their exercising all the time so that when that incident does hit or that crisis, they’re really prepared and they know how to respond to it like a well oiled machine. So certainly from A cyber perspective. That’s something that we’re really keen to see develop more and more. And why we’ve been working so closely with Tom and the team at AEMO to help build that muscle memory across this sector. Because I guess the last thing we want is that crisis panic mode to set in.
Ryan McLaren [00:24:20]:
People are running around with not a real clear sense of direction, what they should be doing, what those tasks are that they should be prioritizing and where to start in an incident. Now, during a side incident, time is really, really critical. And so the more focused we are, the more prepared we are, the more intentional we are. Response activities for better outcome.
KB [00:24:41]:
And so Tom, then applying what Ryan’s been saying, how does that work in your sort of day to day, given the energy sector, people are getting frustrated a lot quicker than perhaps other areas. Help me make sense of that in your mind.
Tom Huth [00:24:54]:
Yeah, look, and I think there’s something interesting in that we are inherently preparing for a really bad day. And I specifically look after our plans and preparedness for really significant incidents that’ll impact the energy sector. And so that’s not happening every day or even every year. So if we do not exercise, there’s virtually other than kind of running through our plans and trying to improve them, there’s no other way for us to simulate it and build that muscle memory. There’s a really healthy tension I think, that we’ve got internally in that we acknowledge that we can’t prepare for the real specifics of the scenario that will occur. It’s kind of unpredictable. Right. But your playbooks and your plans take you so far.
Tom Huth [00:25:39]:
And for us, we need to be functionally testing them because when the real thing happens, it’s going to be a really big bad day. So this is our main opportunity we have.
Ryan McLaren [00:25:49]:
Yeah, absolutely. And I guess if you think about it, as network defenders, we have a really tough job. We’ve got to be right all the time. We’ve got to stop all of the myriad of events and attacks that target our networks, that we’re responsible for defending. But from that threat actor’s perspective, they just have to get it right once and then they can have that impact that Tom spoke about previously. So our network defenders might get really, really good at dealing with the things that they see every day, but that doesn’t help them prepare and help them get ready to respond to that incident where it’s news, threat actor trade crap, or perhaps more sophisticated threat actor tradecraft that they’re not used to detecting, that they’re not used to responding. To.
KB [00:26:27]:
Okay, so then if we zoom out, I’m curious to understand biggest capability gaps to today. So maybe, Ryan, I’ll start with you. What are you sort of seeing? Are we closing that gap where we’ll be at the end of the year? I know I’ve thrown a lot of questions at you, but I’m just genuinely curious.
Ryan McLaren [00:26:39]:
No, of course. I think some of the biggest capability gaps are. Or perhaps first I’ll start by saying, you know, cyber is an incredibly tough landscape for people to operate it. The goalposts are continually moving. Threat actors are constantly improving their tactics, their techniques, their procedures, the tools that they use to target our networks. So we’re always on the back foot as network defenders trying to protect our networks. We’re often under resourced. We’ve got a heck of a lot of responsibility and it’s a really tough job to have.
Ryan McLaren [00:27:10]:
It’s a really challenging operating environment that our network defenders operate in. I think one of the biggest capability gaps that I see at a really, really broad level is that organizations don’t continue to invest in capability. It’s not at a single point in time, that investment. When we talk about cybersecurity, I think the conversation needs to be much more around that continued maturity journey and that continued investment to really keep shifting the spy style up and keep things moving forward. It’s not enough to put something in place and say, we’ve achieved this, we’ve got this control, all’s good, because it’s only good for a certain time and it will decrease in its effectiveness over time. So that’s why the work we’ve been doing with AIM has been so critical and so successful is because we’ve seen that constant investment that AEMO continues to put back into the energy sector. And the market participants really working closely with AEMO to improve their own maturity journey and invest in their own capability.
KB [00:28:13]:
And so just before we move on, you said organizations don’t continue to invest. So what do you mean by that specifically?
Ryan McLaren [00:28:20]:
So I guess sometimes we see organizations, they might start spend a bunch of money on some cyber stuff for a period of time and then that’s that budget might get pulled in future years or some key personnel might leave and they’re not replaced, or things like NEXT staff turnover and they’re not continuing to reinvest, they’re not continuing to drive that maturity, drive that growth forward over time. And it just doesn’t work in cyber. It’s not that single point in time kind of activity. You really need to be constantly reinvesting
KB [00:28:53]:
Tom, what are your thoughts? Biggest gaps?
Tom Huth [00:28:56]:
The good thing about running effective exercises is that you put in all the work to run them and then you identify a huge number of gaps and a huge amount of work that needs to be done off the back of them. I think a few things that we’re focusing at the moment in terms of capability gaps are one, we assume that during a significant cyber incident, our environments will become untrusted and we’ll no longer be able to rely on our enterprise tools to communicate with one another. How do we establish a trusted basis for communication across the energy sector with one another in the event that, you know, your corporate email no longer works, you’ve got a random phone number calling you, and how do I actually work out that the person who’s calling me is who they say they are? And then I think the other part that we’re really focusing at the moment is what, in the event of something sector impacting, what does the broader communications plan looks like? And as you touched on, there are going to be impacts to consumers potentially, there’s going to be upstream and downstream impacts to other energy sector organizations. When we’re all in this together, how do we effectively gain situational awareness and convey that in an appropriate way to stakeholders who need to know the information? So I think one of the benefits of having a few years of functional exercising under our belt now is that the DFIR teams and the incident responders are really getting in the rhythm of responding. And now we’re starting to consider those critical questions that are, are arguably a bit more peripheral to the cyber incident response, but are key to effectively communicating what’s happening and coordinating our response.
KB [00:30:27]:
So, on that note, one of the things that I’ve seen over the years with any incident in Australia or elsewhere, it’s always someone saying, oh, they could have communicated better, they did it too early, too late, they didn’t say the specifics. It’s not an easy one to answer. But do you have any sort of insight on that? Because you’ve got a lot of things you’ve got to do that maybe you can’t speak too soon because general counsel is going to say something and if you say too much, then perhaps you shouldn’t have said that and then you’re in trouble. I mean, it’s a bit of a conundrum, but I’m really keen to understand your thoughts.
Tom Huth [00:30:54]:
Yeah, look, and I’m. I’m far from a cyber crisis comms professional, sure. But from what I’ve observed, there are a lot of Players in this space, we’ve got the Department of Home Affairs, National Office of Cyber Security, who do great work in terms of trying to coordinate that, that public messaging. We’ve got specific comms protocols within the energy sector as well, for how we communicate around emergencies, both to the energy market and into government stakeholders. My it’s a really complex landscape. And so what I’d say at this stage is what we need to. What we’re continuing to work on is making sure that we’re coordinated in our response to that and that we’ve got the right touch points. But as I said, that relies on us having a basis of technology and communications that we can use to coordinate that activity.
Tom Huth [00:31:42]:
And when that’s untrusted, we’ve got a whole other problem there too. So it’s kind of a bit of a layered problem.
Ryan McLaren [00:31:47]:
And coming back to that importance of having those plans, that documentation in place, you know, having templates for communications understanding as a part of your incident response plan to whom you need to communicate and when you’re going to do that. Incidents are really complex and you’ve often got a large number of stakeholders who might be receiving different bits of information at different times. So having that captured in your incident response plan is a really good starting point. Doesn’t help so much with, to your point around the complexity and the conundrum of communicating effectively to the general public, but certainly thinking about how you can tackle it before you have to tackle it is probably a great place to start.
KB [00:32:25]:
Do you think over time that will just get better? Because maybe, unfortunately, more incidents do happen and we learn from it.
Ryan McLaren [00:32:33]:
Yes, I think that what has changed in the last several years is really the general media’s, I guess, interest in cyber incidents. So, you know, perhaps five, 10 years ago, there was a lot of interest in the tech media space, but it wasn’t often appearing on the Channel 9 news. Right, true. Whereas now more cyber incidents are being reported by the general mainstream media and then general public’s becoming more and more aware of it, possibly because they’re simply caught up in so many incidents now, they’re starting to understand a little bit more about what that phase. So I think the landscape there is really evolving. And as Tom’s notice Tom has noted, we’ve had, you know, the advent of the Office of the Cybersecurity Coordinator being stood up in recent years, who plays that really leading role as being the public face for some of our larger incidents. So I think the landscape there has really changed significantly in the last two or three Years alone.
Tom Huth [00:33:26]:
The one thing I’ll add about sort of whether this will inherently get better, I think we’ve all learned a lot from how organizations have communicated through data breaches in particular. And a lot of the wisdom across the sector has now come out as a result of those types of incidents. What we haven’t yet had a lot of is significant outages of critical services. We have them here and there, but I think the messaging that will be necessary and the communications that will be necessary when something really critical to everyday life in Australia has an outage as a result of a cyber incident, those comms will necessarily need to be slightly different, I think, than maybe what we’ve seen previously in response to data breaches and things.
KB [00:34:05]:
I think that’s important because there’s so much of a flow on effect downstream impacts quite quickly, rapidly. So it’s like I was just talking before that people, they just turn chaotic quickly. We saw it in the COVID day, someone couldn’t buy something, everyone’s lost their mind. Someone can’t turn on their hair straightener for the day, they can’t go to work. It is, it does have that impact and I think because from a media journalist perspective, yes, I’m talking to industry and government, but I’m also seeing underneath that mainstream media what is the everyday person saying in the comments about it. And I think it just provides more of a zoomed out view on the whole spectrum and I think that’s what’s really important. So on that note, I want to ask you both, how do you define and embed a shared resilience vision across your supply chain, as we just mentioned? So maybe Ryan, I’ll start with you.
Ryan McLaren [00:34:50]:
So I think it’s about having that more open, honest dialogue between those people that are critical in your supply chain, critical within your organization and taking them on that maturity journey. So if you’re a leader in that space, making sure that you’re bringing, you know, people that are contained within your supply chain on the maturity journey with them cyber. We talk a lot about being a part of community and I think it would be great to see more efforts to actually support that community by some of us that are in it to make sure that we’re actually helping one another out.
KB [00:35:23]:
And so what do you think sort of moving forward now? I know we’ve spoken about some of the gaps. Yes, it will get better moving forward. What do you sort of think with like industry and government now coming together? And I know that’s a big part of today’s event but do you think that it will remove a lot of those barriers of people not being afraid to sort of talk to government? Because, like, back in the day, it’s like, oh, we don’t really want to get in trouble, we don’t want to say too much. It’s not like that anymore. Right. So I’m keen to see what that looks like moving forward.
Ryan McLaren [00:35:48]:
Yeah. So I guess, full disclosure, I used to work for the government, so I used to work for the Australian Cyber Security Centre, spent some time in industry and now working at Retrospect Labs, which I guess it’s a part of industry. I think certainly that shift has been one of, you know, where from the government, we’re here to help and we’re not going to talk to you. That’s really changed to where from the government we are here to help and it is now a shared journey and we’re here to help and support you in a more open and different way. And I think that’s changed a lot in the last several years. This is fantastic to see and a really great direction to be going in. I guess what that has been coupled with, though, are changes in the regulatory environment. So there’s much more emphasis from a regulatory perspective now in terms of what organizations must do and should do in cybersecurity.
Ryan McLaren [00:36:35]:
And I think it was just the other day where the Federal court actually, for the first time made a determination around what adequate cybersecurity preventative measures are the organisation should take. Because we are seeing that advent of the more aggressive kind of legal domain where organizations are being pursued through legal channels for perceived failings in their cyber security posture that may have led to incidents and may have led to harm, et cetera, et cetera. So I do think that’s change. It’s definitely a really positive thing. The more open and honest communication, the more sharing we have between industry and government, the better. The stronger those relationships are, the better outcome for Australia as a whole.
KB [00:37:17]:
And, Tom, anything you want to wrap up with today?
Tom Huth [00:37:21]:
Look, I think I’d just love to reiterate that I think we’re very fortunate in the energy sector. We’ve got fantastic partners up and down the electricity and gas supply chain that we get to work with on exercises, but also lots of other kind of security resilience and uplift initiatives. It’s an amazing, I think, collective effort that goes into it all and I think being able to have a shared vision with them as to where we’re trying to get to understand the specific challenges that they’re having. That we’re having and how we can better solve it together. I think it’s much, it’s, it’s much, much better than working in a silo. But it’s also commensurate with, I think, the threats that the sector faces and the challenges we’ve got ahead of us. So it’s fascinating.
KB [00:38:03]:
Well, Tom, Ryan, thanks so much for joining.
Ryan McLaren [00:38:04]:
Thanks so much for having us.
KB [00:38:05]:
Thank you. And there you have it. This is KB on the go. Stay tuned for more.