Dr Praveen Gauravaram, Senior Scientist at Tata Consultancy Services Australia and New Zealand answers key questions senior leaders are asking about the foreshadowed cyber security risks and changes coming for Australian industry.
The challenge of a health crisis and fighting an invisible virus has taught us many valuable business lessons, including that complacency and recklessness have consequences. The same applies to cyber security.
With the recent release of the 2020 Cyber Security Strategy, Australia’s federal government has foreshadowed the risks and changes coming for Australian industry. The strategy flags regulatory change for public and private organisations which, as The Australian Financial Review put it succinctly, are being advised to “get their cyber security houses in order”.
Dr Praveen Gauravaram, Senior Scientist at Tata Consultancy Services Australia and New Zealand, has close knowledge of the government’s new strategy and its origins. He has been a key leader in TCS’ role as an industry partner in the Cyber Security Cooperative Research Centre (Cyber Security CRC), which was established as a result of the federal government’s 2016 cyber security strategy, and has also contributed to the 2020 strategy now being forensically reviewed by corporate Australia and beyond. From his home in Brisbane, Dr Gauravaram is seeing businesses react positively and proactively to the 2020 strategy, and the big questions now concern what businesses need to understand and what they need to do.
The strategy’s main focus is cyber security around critical infrastructure, in areas such as the energy & utility, health, banking & financial, transport, water, communication, food and retail sectors. As Dr Gauravaram explains: “The last thing anyone wants is any disruption of these essential services, such as the power in your home going off.”
There is also a touch of irony in the risk businesses face as they journey through a remarkable transformation to remote virtual workspaces, triggered by COVID-19. The sanctuary of home as a working environment has been a necessary protection in the fight against the virus – and an incredible success story in many ways – but at the same time it has opened a new “threat landscape” for cyber attacks.
Anyone with a laptop or company device working from home is connecting to networks in their home environment, and that’s a long way from the contained infrastructure of office buildings. It’s now a hacker’s paradise, which means the effort to protect private data and communications is top of mind as companies increase their emphasis on cyber security.
The government needed the 2020 Cyber Security Strategy as a framework for how it will work with industry to clarify the cyber security obligations of industry in the future. This will include regulatory reforms. Regulatory requirements, which in a lawful sense will be mandatory cyber security obligations to be met by critical infrastructure providers going forward, are a big focus and are already a major question being raised by business leaders.
The idea is that these infrastructure providers will need to meet minimum expectations in cyber security practices. The big questions are around what these actual obligations will be and how any new regulations are going to be enforced. As a result, close co-operation is now happening between government, including through its law enforcement and intelligence agencies, and industry bodies. The importance of the privacy of information in this co-operation – and how that information is going to be exchanged – will be critical, and I expect the regulations will certainly cover this point.
No matter where you fit in the supply chain – making products or buying products – you are going to be asking a lot of questions about these products. Any business, and for that matter household consumers also, should be asking for all the in-depth detail in the government’s guidelines when assessing security and safety.
At the moment there is a lot of talk about a code of practice for devices in the category of the Internet of Things (IoT). The IoT is going to play an even bigger role in the digital transformation of the current conventional systems. In the energy and health sectors, for example, the threat landscape will be quite high, and that’s simply because there are new ways for systems to be compromised. How critical infrastructure companies transform to these so-called smart infrastructures is going to be critical.
Executives who are asking questions around these risks and complexities are going to need to see transparency around where any devices are coming from, assess any risks in those supply chains and ask questions of the vendors designing these systems. Those questions will need to cover every stage of the process, from the manufacturing of the device to the point of adoption, deployment and maintenance. It’s not just from a business risk view, but also from a regular consumer perspective.
An average consumer could rightly observe that they don’t have much depth on what the vulnerabilities are – or if there are any – in the devices they are purchasing. Take for example a camera or device hooked up to a private residence network – how does a consumer know if they are protected against any activity or information being leaked outside of their home?
When we consider the importance being given to the health crisis right now – and rightly so – I also suggest we might see an increasing emphasis on cyber security.
The reason is that we all now work from home. A big issue for consideration is the patching of the computers that we use and the surrounding infrastructure that’s in place in our homes, with the Internet and networks that we are connected to.
The situation now is that official work devices are a part of these interconnected systems, whereas before the devices were contained in office premises, so now we see an increased threat landscape for hackers to get into. The importance is heightened especially for confidential data, even for the metadata layer, which has become more popular in the past six months. It goes without saying that we don't want any communications to be bypassed or listened to by people who are not authorised.
The federal government’s strategy has also touched upon the point of situational awareness in cyber security. There is a need to know where a particular threat has originated and where it has spread to – or where it could spread to – and the risk for the enterprise as a whole. So now that the risk is being transferred to this work-from-home system, we are in a challenging position where visibility is limited to the machine the person operates on, and doesn’t take into consideration other devices operating on the network.
The Australian Government’s 2020 Cyber Security Strategy has evolved from the 2016 strategy, and one of the outcomes of that previous strategy was to establish the Cyber Security CRC.
TCS has been an industry partner of the Cyber Security Cooperative Research Centre from day one, and I have been leading activity from TCS since the beginning under the leadership of the TCS CTO and TCS ANZ. Since 2016, TCS has been very active in this government-backed program. We have had several conversations with our customers, business units and the Cyber Security CRC on cyber security thought leadership and on where research and innovation should go in this program, and this dialogue will continue.
Work has also been happening with some of the academic partners in the Cyber Security CRC on building new research projects that we can undertake. In the lead-up to the 2020 strategy, Byron Langslow, the TCS Director for Federal Government, and I used our consulting, research and innovation experience and spent a good amount of time in 2019 on our contribution to the government’s strategy.
From September to November 2019, more than 200 contributions were submitted before this strategy was finalised by the Department of Home Affairs. They came from across many sectors such as banking, energy, telecommunications, the education sector, consulting firms and leading IT services companies such as TCS. A lot of our time over those four years was spent on what the future strategy might look like, and we stressed the points of critical infrastructure and operational technology, including the regulations that might go with them.
From an ongoing research viewpoint at TCS, we are looking at what our customers are asking about cyber growth areas, and not just necessarily the problems, but questions such as “what’s the growth area like for a particular digital transformation taking place?” and “what’s the cyber strategy that needs to be put alongside it?”
In 2019, Australia became one of the top phishing host countries. We see these phishing attempts on a larger scale in industries where cyber awareness is minimal or does not exist at all. For instance, industries that operate heavily using remote workers and temporary staff are highly vulnerable to these attempts.
If I look at cyber security incidents from 1 July 2019 to 30 June 2020 reported in the strategy, the Australian government and State and Territory governments were top of the list of those affected. Higher education, banking and financial services and health industries have also been impacted more than others.
Different sectors are at varying stages of maturity in how they are prepared for and dealing with cyber security. In the banking sector, for example, technologies in cyber security that are addressing problems may already have a high level of maturity in protecting assets.
But when you look at the manufacturing sector or the energy & utility sector, where digital transformation – or what we call in technical terms the convergence of operational technology and information technology – has been happening in recent years, the maturity levels may differ.