January 5, 2023

EP 18 – Why Protecting Critical Infrastructure is Critical in 2023

We’re starting the new year with a conversation focused on securing critical infrastructure. The issue, of course, is that we’re seeing increased threats and cyberattacks on critical infrastructure, not to mention the war in Ukraine. This collective threat is a rallying point, bringing together cyber professionals from around the world, as well as their respective countries. On today’s episode, host David Puner talks with David Higgins, who’s a Senior Director in CyberArk’s Field Technology Office, about how the critical infrastructure landscape has changed, its global implications and how cyber protectors have had to adapt.

[00:00:00.120] – David Puner
You’re listening to the Trust Issues podcast. I’m David Puner, a senior editorial manager at CyberArk, the global leader in Identity Security.

[00:00:23.800] – David Puner
Welcome to today’s episode of Trust Issues. We’re starting the new year with a conversation focused on securing critical infrastructure. Things like energy, communications, dams, water, health care, it’s a long list. What’s determined to be critical infrastructure varies somewhat from country to country, and we’ll get into some nuances in today’s conversation.

[00:00:45.580] – David Puner
The issue, of course, is that we’re seeing increased threats and cyber attacks on critical infrastructure, not to mention the war in Ukraine. It’s a global issue. This collective threat is a rallying point, bringing together cyber professionals from around the world as well as their respective countries.

[00:01:02.520] – David Puner
Our guest today is David Higgins, who’s a senior director in CyberArk’s field technology office. He’s a thoughtful guy who’s got technical chops, and as part of his role, he’s on the front lines with our customers. Last month, we asked David and a few other members of the CyberArk team to sound off on the CyberArk blog about the top trends they see influencing 2023 cybersecurity strategies.

[00:01:27.640] – David Puner
One of David’s contributions to that piece has to do with countries coming together to combat cyberterrorism and strengthen defenses to protect critical infrastructure. In part, he says that push will extend to the private sector in 2023 with enterprise organizations, including their IT and security teams, answering the call to help bring systems back online after attacks, as well as helping defend off future threats.

[00:01:54.600] – David Puner
And that’s the jumping-off point for today’s conversation with David. He’s got some great insight into how the critical infrastructure landscape has changed and how protectors, which likely includes many of you good folks listening, have had to adapt, as well as the global implications that are now at the center of this, pardon the phrase, new normal. Here’s my talk with David Higgins.

[00:02:19.180] – David Puner
Welcome to the podcast, David. For those folks out there who may not know of you, I’m going to say that you are a senior director in the field technology office at CyberArk. To start off the conversation, can you tell us a little bit about what that means and what the field technology office is?

[00:02:38.880] – David Higgins
Absolutely. What it means to me, or what it means for our customers and how we work. I’ve been at CyberArk for quite some time now, coming up to 13 years, I think it is. Within the field technology office, we’ve got a huge range of expertise. I think if you accumulate all the experience the team have when it comes to Identity Security, where we’re approaching the, I think, 40-year mark, if you can pan it all together.

[00:03:06.380] – David Higgins
Really, what we’re doing is it’s a two-way type role. I think the first thing is that we’re out there in the field speaking with customers, speaking with security leaders, identity leaders, and really telling them about what we see working, what isn’t working, what are the trends around Identity Security, but also having that dialog with them, understanding what challenges they’re seeing, what challenges they foresee down the road.

[00:03:29.860] – David Higgins
Then the other direction of that is to work very closely with our product team. Take that information, take those trends and feed it back to our product team and let them know what these senior security leaders are thinking out there in the field.

[00:03:41.490] – David Puner
You contributed to our 2023 Cybersecurity Trends blog post, which is actually publishing today, December 16, this will air shortly after the new year. One of the trends that you said is likely to gain momentum in 2023 has to do with global cyberterrorism and critical infrastructure. What are you seeing there develop and what might the repercussions be over time?

[00:04:08.660] – David Higgins
It was two things you were saying. Generally, I think we can all relate to what’s happened earlier in the year with the invasion of Ukraine. And naturally, I think that’s put a lot more focus on the cyber field, the cyber realm, and obviously, organizations or nation-states specifically talking critical infrastructure, of course, of, say, Russia, Ukraine in that regard.

[00:04:35.840] – David Higgins
It’s also, I think, put a lot more pressure then on Western allies because, of course, they’re very much backing Ukraine in this situation. And naturally, I think it’s increased the focus that the Western allies now have from will be cyber attacks. And you can see that.

[00:04:52.900] – David Higgins
I think what brought it to my attention is you can start to see that seeping through because governments themselves are reacting. We’re starting to see more regulation come through that says, “Hey, look, you’re in the telecom sector or you’re in critical infrastructure,” you see the new update to NIST for the EU, with NIST 2 being updated. There seems to be a lot more focus coming from the governments themselves to make sure that critical infrastructure is better protected, better defended against what is perhaps an increasingly higher risk in terms of likelihood of attack from nation-state.

[00:05:29.300] – David Puner
It probably then makes sense to talk about critical infrastructure for a moment here at the top of the conversation. What falls under the umbrella of critical infrastructure? And how does what’s defined as critical infrastructure vary from region to region or country to country?

[00:05:44.420] – David Higgins
I think if you’d ask someone that question five years ago, what’s critical infrastructure? They’ll say things like the electricity suppliers, the energy suppliers, oil and gas, water, utilities. It would be those ones that if they shut down, people lose power and water to their houses. That’s, of course, monumental in terms of impact. Still, very much those are critical infrastructure. I’m not saying they’re not anymore. They’re top of the triangle. But what we’re also seeing is now other services, which perhaps we didn’t predominantly presumed were critical, if I can get my words out, but they are.

[00:06:22.000] – David Higgins
If you think telecommunications, absolutely. The telephone networks, internet service providers, absolutely. Any public service that we’re relying on, even waste disposal to an extent. If they stop operating and then we just have rubbish or garbage, do the trans-Atlantic translation there.

[00:06:41.120] – David Puner
Trash.

[00:06:41.420] – David Higgins
Trash. There we go. Thank you. Accumulating in our houses. That starts impacting houses, et cetera. I think all of these things can be deemed as critical national infrastructure. Some naturally will have higher impact and risk should they be shut down. But we’re really starting to see, as I say, internet service providers, telecommunication providers, mobile phone networks, absolutely essential to the day-to-day of everyday life.

[00:07:06.180] – David Puner
Incredible. The variety of things that slot under critical infrastructure at this point, it’s staggering to think what it would be like to have to make do without any of them.

[00:07:19.930] – David Higgins
Absolutely.

[00:07:20.720] – David Puner
We wouldn’t be having this conversation if it wasn’t for the WiFi. And of course, this is a critical conversation.

[00:07:26.670] – David Higgins
Absolutely.

[00:07:28.340] – David Puner
We probably wouldn’t be having this conversation, at least in this way or with this focus, if it wasn’t for the war in Ukraine. It’s considered to be a new era of warfare. And I think, I either read this or you said it at some point, hybrid war, which involves both physical and digital attacks. How has that war in Ukraine altered the cyber landscape globally?

[00:07:58.200] – David Higgins
If we talk about what we saw prior to the 2022 invasion, obviously there’s the annexation a few years back. But if we look at that in the build-up to the invasion, there were several things that took place out of Russia towards Ukraine governmental establishments in the form of ransomware attacks, in the form of denial of service attacks.

[00:08:22.000] – David Higgins
You see these now being used in conjunction, which is worrying and very concerning that these cyber attacks are a precursor or were a precursor in this case for the invasion of Ukraine. Obviously, a reflection that that nation-state saw the value of trying to shut down and be disruptive from a cyber perspective before a physical military invasion began.

[00:08:48.080] – David Higgins
I think that’s really an eye-opener. I think that it makes cyber very much part of national security for sure, which it has been for a while, but it just reemphasizes that point. I think what is also now done is that hasn’t stopped, the attacks from a cyber perspective that predated the invasion. It’s not that that stopped. That’s continued and it’s now continued outside of Ukraine as well. And I think a lot of, as I mentioned before, a lot of Western organizations have probably seen their risk profile increase as a consequence of the invasion.

[00:09:21.570] – David Puner
Telecommunications and WiFi and interconnectivity. I think it seems like more than ever because of these things globally, we are interconnected. I was looking at the latest headlines and there was something on BBC.com that said today there have been new strikes across Ukraine. But one of the things I saw was really interesting is Ukraine has accused Russia of weaponizing winter by striking essential facilities as temperatures fall below freezing. We’ve heard about these things, but the actual phrasing, the weaponizing of winter, how is that potentially connected to attacks on critical infrastructure?

[00:10:01.020] – David Higgins
Sadly, in Ukraine, that attack on winter or weaponizing winter, which is a really interesting way of putting it, they’re doing it from a military standpoint. Obviously, it’s missiles raining down, sadly, on that population. But if you think about it, another way you could do that naturally, there’s an energy crisis right now in terms of cost of living and all that fun stuff, a lot of that infrastructure… The world’s become more connected.

[00:10:25.720] – David Higgins
Once upon a time, I think these utility providers and manufacturers and all sorts very much talked about that air-gapped environment. We’ve got our IT corporate network and we’ve got our OT environment. It’s completely air-gapped. It’s the OT… Operational technology, to debug the acronyms. We love acronyms in IT security. The OT environment is there to actually run the actual critical infrastructure side, the flow of water, the flow of electricity, whatever it may be. But that one is becoming more and more connected.

[00:10:58.160] – David Higgins
Yes, you could strike it physically in a military sense that we’ve seen. Or of course, and we saw this before, we actually saw this before in the Ukraine, in 2016, I think it was, where there was a target attack against energy suppliers that shut down the supply of energy to Ukraine. I think it’s two-thirds of the population lost power as the result of a cyber attack.

[00:11:19.410] – David Higgins
And that’s the other way that you could weaponize winter in the way that they phrased it there, is you base it on an external cyber attack. You gain entry into the environment, perform lateral movement and you get to that critical system and you shut it down. That’s exactly, as I say, what we saw very worryingly in 2016, also in Ukraine.

[00:11:41.000] – David Puner
Absolutely. [inaudible 00:11:41]. The global uncertainty around energy as a result of the war in Ukraine, how does that factor into global critical infrastructure cyber challenges and concerns across the board, not just there regionally?

[00:11:58.960] – David Higgins
I’d say naturally… I think the advice… Obviously, the Western allies, of course, are supporting Ukraine commercially and with weapons and all that fun stuff. We see it in the news. Those governments, of course, now providing advice back to the organizations within their countries to say, “We’re expecting an increase in the number of attempts from nation-states. So better prepare yourselves.” That’s the advice. They may not necessarily give specific examples that has happened, but the advice is you better get better prepared. We’ll see what that’s meaning, I think, for organizations, both in critical infrastructure but private sector too.

[00:12:40.000] – David Higgins
Critical infrastructure, by the way, we also got financial services. There’s another huge one. Banking systems go down, that’s pretty damaging. Banking sector, et cetera, they naturally have to now start thinking about, “We’ve got a risk registry, we’ve got a series of vulnerabilities that we know we need to address at some point.” But they’re categorized based on risk.

[00:12:59.120] – David Higgins
We’ll handle certain vulnerabilities in a certain period of time. But also, there’s only so much change that can happen in the environment, so we need to make sure some of that change is innovation and we need to make sure some of that change is updating applications and services that they offer to their customers. But I think now what we’re seeing is because of this advice from the government to say, “You need to be better prepared,” it’s almost putting pressure to fix a lot more of the vulnerabilities than they perhaps would have done in the past.

[00:13:24.580] – David Higgins
We may start to see where organizations are so embedded or so involved in the fixing vulnerabilities that it stagnates a little bit. Innovation stagnates a little bit of improving services, et cetera, to their customer base. It may be one of the unforeseen circumstances of this increased risk from nation-state attacks.

[00:13:44.500] – David Puner
Are you starting to see that now, the decrease in innovation based on the needing to essentially play whack-a-mole with vulnerabilities?

[00:13:54.880] – David Higgins
I couldn’t specifically say seeing the lack of innovation, but I’ve certainly heard that concern that I just shared directly from customers. As I say, they got a certain amount of changes they’ll push through in a particular change window. There’s a mixture of things that happen. Security updates will be some of those. But certainly in the initial aftermath of the start of the Ukraine War, I think a lot of that change was consumed by patching vulnerabilities that perhaps were only low to medium on their risk register. That’s naturally, I think, had an initial stipend.

[00:14:27.760] – David Higgins
I can’t say I’ve personally witnessed it, but I’ve certainly heard the concerns from customers in the field.

[00:14:33.580] – David Puner
Customers is definitely something I wanted to get into a little bit with you because you’re talking to them all the time, you’re speaking to customers all around the world. Who are you talking to and what are their concerns about all of this, critical infrastructure and cyber attacks on critical infrastructure? How is, whether it be the war in Ukraine impacting them or other cyber aggressors? And I want to talk about them in a bit. What are their concerns and what can they do? I’ve already asked you 20 questions, so I’ll let you roll and we can get into it.

[00:15:12.990] – David Higgins
I’ll try to handle a couple of them. And it links a little bit to what I was saying before about we started to see more regulation seep through government, whether I base it here in the UK, where, of course, I’m based, where we saw new legislation come out of the UK government focused purely on the telecom sector. That was all about improving the security resilience of the telecommunications network. But for obvious reasons that we just talked about.

[00:15:40.860] – David Higgins
We’re starting to see that in other places as well. The Australian government have made a stance to say they want to improve their cybersecurity posture. We’ve seen EU NIST be updated to the secondary version of it, which refocus and redefine what they determine as critical national infrastructure to make sure it’s consistent.

[00:15:59.620] – David Puner
You wrote a couple of big blog posts on the CyberArk blog around NIST 2 recently. Folks should check those out. They’re really insightful and helpful.

[00:16:10.160] – David Higgins
You directly plugged me. I was subtly plugging it, but it’s good. I appreciate that. Thanks, Dave. Generally, I think critical infrastructure organizations they’ve had their own risk registers, of course, and they’ve been aware, I think, of the increased risk of being ever connected. Big pressure point now, big concern, of course, is now it’s being backed up with regulation and there’s consequences of not being compliant. That naturally creates a lot more attention and a lot more pressure.

[00:16:39.860] – David Higgins
Take the telecom sector in the UK as an example, all the telecom providers are now reacting to the TSR, TSA to make sure that they’re ready and they’ve got the right things in place for what the UK government is asking them. There’s always that joy with… Cybersecurity professionals would love to do everything, address all the risks, but it’s always a balancing act with other priorities and budgets. But when there’s some regulation behind that really does drive the pressure point.

[00:17:07.270] – David Higgins
That’s certainly been something that’s recurring, is organizations now starting to work out how do we make sure that we can adhere to this. By adhering to this, we should be in theory more cyber resilient from nation-states or cybercriminals. I’m going off on a tangent, I do this a lot, apologies.

[00:17:23.980] – David Higgins
We shouldn’t forget cybercriminals in this whole conversation because there’s so many examples out there where it will be cybercriminals backed by nation-state X, Y, and Z. They can hide behind these cybercriminal organizations because it was not us, it’s these cybercriminals who are performing the attacks. But there’s quite a few examples out there where cybercriminals appear to be nation-state funded or nation-state backed. It allows the nation-state to disassociate itself directly from the attack.

[00:17:51.860] – David Puner
Do you have a solution for that?

[00:17:57.240] – David Higgins
Certainly from my perspective, what I see, and I speak about this a lot with customers is, everyone’s going to have their own threat intelligence. Everyone’s going to identify where an attack is most likely going to come from to them. If you’re in government, you’re probably thinking nation-state is your biggest concern. If you’re in financial services, nation-state for sure, but cybercriminals as well.

[00:18:22.640] – David Higgins
But really, what I talk about with customers is whether it’s nation-state, cybercriminals, hacktivists, whatever, they’re going to have different resourcing and different patience levels, et cetera. Some are operating as a business that needs to be profitable, et cetera. But forgetting all that, once they get in, and that’s the assumption, once they get in with the world being ever more connected, they’re going to get in.

[00:18:45.660] – David Higgins
What happens next is usually always the same. I think Microsoft themselves released a recent report about the state of play from cyber attacks, did a lot of focusing, and mentioned there’s been a huge increase on attacks on critical infrastructure, almost doubled. But called out at the end, the best defense still is good cyber hygiene, good control of who’s got entitlement, who’s got privileges, who’s got admin access.

[00:19:11.380] – David Higgins
Because it doesn’t matter if it’s nation-state coming through the door or it’s cybercriminals or hacktivists, or really where they want to go, whether it’s espionage, disruption of service, stealing data, that bit that happens in the middle, it’s pretty much the same that we see play out. It just manifests with different tools behind the scenes. But it’s compromised identity, perform credential theft, do lateral movement, elevate privileges, execute an objective.

[00:19:33.670] – David Higgins
Execute objective might be shutting down the power, as we saw in Ukraine in 2016. Or it might be exfiltrating data, as we saw many years ago with the OPM in the US and lots of personal data records being stolen. Different objective, different intrusion, bit in the middle by and large, it’s pretty much the same. I’m simplifying massively, I’m sure.

[00:19:54.480] – David Puner
If you need to start somewhere, it’s back to basics. You’d mentioned the consequences of not being compliant when you’re talking about customers and obviously new regulations that are coming into play or being established. One of the things that crossed my mind was if we’re having this conversation in a year and talking about trends to look out for in 2024, could compliance fatigue wind up being one of those?

[00:20:29.740] – David Higgins
I’d say it’s a bit of a double-edged sword, if that’s the right expression. In that it gives both positive and negatives. If you look at sectors like financial services, which have been heavily regulated for many years, I would say they probably do feel a little bit of regulation fatigue, or perhaps auditor fatigue.

[00:20:48.240] – David Higgins
Some of the customers I speak to feel like they’re constantly chasing their tail in terms of just reacting to order point X and order point Y and never having the ability to be proactive. That sometimes can be the downside of too much regulation, is it perhaps stifles organizations being proactive in the cybersecurity strategies.

[00:21:08.380] – David Higgins
But the flip side of that, as I said, I’m not sure the double-edged sword was the right term, but we would use flip side, that’s probably better. The flip side of that is regulation does drive people to invest in their cybersecurity policies. It does drive people to put the right controls in place.

[00:21:26.420] – David Higgins
Sometimes that has to be caveated because we don’t… I’ve seen where organizations have deployed security technology to appease regulation X or some order point, and it becomes a tactical deployment. They can demonstrate that they’ve done what they needed to do in the particular area, but if they’re not able to stand back and think like an attacker and think all the other intrusion routes, yes, that area may be got the right security controls in place, but they’ve left the rest of the environment open.

[00:21:56.200] – David Higgins
Attackers don’t think about, “Oh, I’m not going to touch that because it’s in a regulated environment. They’re going to have security controls.” There’ll be a plethora of other ways to get in.

[00:22:04.690] – David Higgins
What I’m saying is sometimes I think we see regulation drives the right behaviors for sure. It gives security professionals the budgets they need to go on to do things. But sometimes they also end up being tactically deployed as perhaps more, again, linking back to my proactive statement, being more proactive in doing something in terms of an overall cybersecurity approach.

[00:22:22.980] – David Puner
Are you generally feeling like it’s being welcomed with open arms? Then the second part of the question would be, how do our cyber realities, your and my cyber realities differ?

[00:22:36.890] – David Higgins
Is it being welcomed? To an extent. Because what it’s always doing, I think all this increased regulation, increased appearance and media around cyber attacks, what it’s doing is it’s just continually driving up awareness. I think awareness is huge. We need to make sure people are aware about the risks the organizations they work for face.

[00:23:02.510] – David Higgins
Historically, security has been seen as the bad guy in companies that just put stuff out there to make people’s life more difficult. If anything, that’s just the consequence of actually security professionals who are incredibly intelligent and resourceful are probably not the best at marketing. And that’s been a bit of a downside of not very good at marketing, why they’re doing things.

[00:23:22.100] – David Higgins
But increased regulation, increased, as to say, appearance in media and cyber attacks is I think having a positive in terms of just increasing everyone’s awareness about why it’s so important to be doing the right things from a cyber security perspective.

[00:23:36.260] – David Higgins
To your question about UK versus US in terms of our cyber worlds differing. I would say even though there’s a huge Atlantic Ocean in between us, probably not too much. I think the close allies, similar allies between them, similar, therefore, external threats. I think the UK, if you go on to the NCSC, which stands for the National Cyber Security Center, it’s the UK’s cyber security center, our governmental advisory body, and they list the top four nation-state threats in the UK. I’m sure if I list them, they’re probably the same top four for the US.

[00:24:12.330] – David Higgins
It’s Russia, China. The UK Prime Minister very recently came out and said, China represents one of the biggest threats to the UK for various reasons. He called out cyber security and the need to better secure the UK from a cyber perspective because of China. So Russia, China, Iran, and North Korea. If we were to go to the US and check US government websites, I’m pretty sure we’d see the top same four that I listed.

[00:24:37.480] – David Puner
That sounds about right. Wasn’t the UK a victim of cyber attack on its critical infrastructure somewhat recently?

[00:24:49.010] – David Higgins
I couldn’t give you the date. I’d have to just double-check it so we could just insert that as a little update to the blog. But there was an attack on a water supply. It was associated to cybercriminals in the end, so it wasn’t necessarily saying this was nation-state, but they were Russian-based from all accounts. They got into a water company here in the UK. I think it ultimately resulted more in data loss. But the claim is they had access to systems that were controlling the amount of chemicals, et cetera they put in the water.

[00:25:23.150] – David Higgins
We saw something similar, again, that UK, US comparison with Florida. I think that was earlier this year, perhaps, or maybe end of last year, where attackers got access to systems that ultimately could control the chemical supplies and levels that go into the water supply that ultimately get pushed out to the population.

[00:25:39.700] – David Higgins
Naturally, as I’m saying that, that’s something you worry about. No one really thinks twice about turning the tap and the faucet and getting a glass of water. You don’t really worry about what’s in that water. But actually, what’s in that water is controlled by technology that it sounds like, unfortunately, could be compromised.

[00:25:59.820] – David Puner
Really terrifying. The impetus, if you would take a guess behind these attacks, is it to disrupt? Is it to just do it for the sport of it? What’s the motivation?

[00:26:17.440] – David Higgins
I’d say a lot’s going to come back to who the victim is, or the region is, and who the nation-state is. But you see it being one of potentially three or four things. Where it’s data-related, it could be just purely espionage. It could be just to steal information, get a better understanding of how that infrastructure works, individuals that work for them, all things. It could purely just be an espionage.

[00:26:41.240] – David Higgins
It could also be exfiltration of IP. Capitalism, one of the benefits of it, it’s got downsides. We won’t go into that. That’s a different conversation. But certainly, one of the benefits is it drives innovation. We see huge innovation within the US and the UK, et cetera. The value of a nation-state of stealing that innovation to fuel its own organizations, its own companies, makes a lot of sense. You may see it for that reason.

[00:27:07.620] – David Higgins
The worrying one, of course, is purely for disruption, to cause disruption for whatever reasons. In Ukraine, certainly, we saw that as actually being part of the hybrid warfare that we talked about. But we may also see it be used as a diversionary type approach.

[00:27:24.920] – David Higgins
As we talked about already, the Western allies are backing Ukraine in the ways that they’re doing. But if they were the victim of a huge damaging cyber attack that had massive national repercussions, naturally their focus is going to be shifted away from external affairs and focus more internally to solve their own internal problems.

[00:27:45.170] – David Higgins
That’s probably a worry, is that they start to be used to really consume the resources of the Western allies to solve their own problems and means they stop focusing a little bit on what’s happening outside their borders.

[00:27:59.440] – David Puner
It’s such an enormous topic. It really is. A country where there have been some interesting developments recently is Australia. It was recently announced that they’re going to develop a new cybersecurity strategy and it’ll be designed to fortify the country’s critical infrastructure. What’s going on in Australia to fuel this particular initiative, other than the obvious, everything we’ve already been talking about?

[00:28:22.360] – David Higgins
They’ve been witnessing, or actually unfortunately been the victims of quite a few series of high-profile breaches that have hit both telecommunications and private medical care. I think it’s really raised the prominence within Australia about better protecting themselves because these attacks haven’t been small-scale.

[00:28:44.740] – David Higgins
They’ve been huge millions in terms of records, et cetera, divulged, impacting large waves of the population. So it’s really raised the awareness. Again, to what we’re talking about, it’s raised the awareness. And naturally now the government is reacting and saying, “Well, actually, we probably need to get better.” The numbers they are talking about investing into their own internal cybersecurity, but also improving that of the country is huge numbers.

[00:29:11.240] – David Puner
That investment is indicative of something that their Minister for Home Affairs and Minister for Cybersecurity, Clare O’Neil, she said in December this month that the goal is to make Australia the world’s most cyber-secure country by 2030. What’s it going to take to achieve this goal, other than investment, of course? And is 2030 ambitious enough as a goal? And should every country be trying to be the most cyber-secure country? Is that something they can even achieve?

[00:29:47.580] – David Higgins
I’ve got a friend who works in the building industry and he says everything’s possible with the right level of money. So I think everything’s possible with the right funding and the right resource behind it. And that’s probably going to be the challenge, is turning that investment into something that’s going to have that impact in just under eight years time.

[00:30:06.620] – David Higgins
Is it achievable? Possibly with the right sponsorship. But I think it takes more than money because it’s going to take, unfortunately, we’ve touched on the subject already, it’s going to be backed up by some pressure points. There needs to be some regulation and some driving force from the government down onto private public sector that says, you need to be doing these things because if you’re not doing these, the cyber hygiene essentials that we talked about, if you’re not doing these things, you’re more exposed, et cetera, we’re going to make you non-compliant.

[00:30:38.760] – David Higgins
Sadly, it drives prioritization as we talked about. I suspect that behind the funding, there will also be some legislation drawn out that says this is the minimum expectation and certainly an emphasis on critical national infrastructure. Like we’re seeing the EU do, the UK has inherited NIST as well. We were still in the EU, I think, when this first came out. So we’ve maintained it.

[00:31:04.560] – David Higgins
Australia will need to do the same thing because you can say these things, but you’ve got to push people in the right direction because for organizations who are making money, that’s what they want to do. They want to stay in business. They want to make money. Investing money in cybersecurity doesn’t necessarily directly equate to more dollars, more pounds, et cetera. There’s probably going to be a little bit of pressure backed up behind that to make it happen.

[00:31:31.580] – David Puner
Interesting to me, and maybe there’s something to this or not, because we know cyber doesn’t really have borders or care about borders or realize there are borders, but Australia is its own isolated continent. Does that pose more a greater cyber risk, or are there more cyber threats than countries with actual borders and neighbors?

[00:31:54.240] – David Higgins
UK, we’re the same. We’re in an island much, much smaller.

[00:31:57.460] – David Puner
Good point.

[00:31:58.500] – David Higgins
Much smaller. As you said, borders don’t mean much in a cyber world. It’s probably what becomes more a little bit what’s the downside of being a small little island or a big island like Australia? And it could be that you rely on… We rely on energy imports, for example, and certain imports like food, et cetera.

[00:32:21.880] – David Higgins
Perhaps being an island means you’re more reliant on certain things to be shipped in. And if you’re reliant on the movement of goods or the movement of energy or whatever it is, then you’re probably reliant on technology to back that up and make sure that it happens. So again, disruption would naturally have a consequence of that.

[00:32:39.780] – David Higgins
I think if you go back to the large Danish shipping company that had an attack, they had to ground a lot of ships for a long period of time. I’m not saying that impacted food, et cetera, distribution, but give that as an example that perhaps island nations, Australia, UK included, perhaps a little bit more reliant on imports than those with physical borders where things could be driven over or trained over whatever.

[00:33:05.140] – David Puner
That’s really interesting. Then going back to that Australian goal of being the most cyber-secure country by 2030, is there currently a cyber-secure country that you know of? And if so, why would that be? Or how. Not that I know of. Maybe no one wants to brag about that because you can’t put your head above the parapet by saying that. “We’re super secure,” and then you become a target.

[00:33:33.280] – David Higgins
There is a one I could say is the most secure, but from a nation-state perspective, this one that you could say is perhaps the most well-funded and the largest. I think it was actually the FBI director earlier this year stated that he believes that the amount of cyber resources that China has from nation-state attack perspective is more than all the other nation-state actors put together. It’s such a sizable one.

[00:33:59.900] – David Higgins
I’m not saying they’re more secure, but from a… I’m not answering your defenses question, but more from an offensive side of the question. You’ve got a better offense. And from what the FBI director said, it would imply that China is probably the nation-state with the biggest threat, poses the biggest threat.

[00:34:16.380] – David Puner
Thank you, David. Looking at critical infrastructure as it pertains to cyber attacks and this trend, again, if we’re looking at it as a trend, which we are for the construct of this conversation, if there’s one final thing that we haven’t touched upon in this conversation that we should be on the lookout for as it pertains to critical infrastructure and cyber attacks, what would that be?

[00:34:44.220] – David Higgins
I’d give you two. I know you said, what’s the one thing. I would give two [crosstalk 00:34:46].

[00:34:46.920] – David Puner
Two is even better. Thank you.

[00:34:49.550] – David Higgins
I’m going to leverage what we talked about a little bit with the NIST 2. Some of the updates did, which are very logical, and I think we haven’t really touched on too much on the implications they have for critical national infrastructure. Because when we’re talking about energy suppliers, we’re really thinking about the energy supply themselves and how they should be better protected or water suppliers.

[00:35:08.000] – David Higgins
But again, with the world becoming more connected, people working remotely more and more, supply chain is definitely something that critical infrastructure perhaps is reliant upon. And that’s another vector for an attack to run attack. If regulation does get pushed down and these organizations do become more secure…

[00:35:28.840] – David Higgins
It’s like we’ve seen a little bit with the banking sector, the banks have always had, compared to other industries, fairly sizable cyber security pots because of what they do, they become a pretty tough nut to crack. Logically, attackers then start focusing on their subsidiaries, the supply chain as that easy route in. And critical national infrastructure definitely needs to be thinking about that as well.

[00:35:48.950] – David Higgins
The only other area that we didn’t touch on is, more acronyms coming, the IoT, Internet of Things. Again, it ties into the ever-connected, better-connected world that these IoT-type systems being used in our homes, smart meters, that kind of thing, what risk perhaps they play, because it all ties in back into the critical national infrastructure conversation.

[00:36:12.600] – David Higgins
We can now remotely control our heating from the internet connection. Our homes themselves have become more connected. What implications could that have if… Because those smart meters talk back to a mothership. If the mothership is compromised, what implications could that have for homeowners? Probably another conversation for another time, perhaps, but probably two topic areas we missed.

[00:36:35.300] – David Puner
You’re setting up a number of conversations, which is really I look forward to those. It’s staggering, I think, the implications of all this and the interconnectivity of everything, really, if you think about it.

[00:36:51.280] – David Puner
Really interesting. Really a lot to think about going into the new year and thank you for joining us at the end of 2022. We look forward to talking to you again.

[00:37:03.900] – David Higgins
Absolutely. My pleasure.

[00:37:05.590] – David Puner
Thanks a lot, David.

[00:37:06.540] – David Higgins
Thank you.

[00:37:17.510] – David Puner
Thanks for listening to today’s episode of Trust Issues. We’d love to hear from you. If you have a question, comment, constructive comment, preferably, but it’s up to you, or an episode suggestion, please drop us an email at [email protected], and make sure you’re following us wherever you listen to podcasts.