September 04, 2024

00:43:18

Episode 275 Deep Dive: Shannon Sedgwick | Geopolitics and Cyber Risk

KBKAST

Show Notes

In this episode, Shannon Sedgwick, Partner – National Cybersecurity Practice from MinterEllison, comes back on the show to talk about cyber warfare and its potential to precede physical warfare, especially targeting critical infrastructure. He also shares his insights on the intersection of geopolitics, technology, and cybersecurity, exploring the potential for AI to exacerbate global divisions and influence economic landscapes. The conversation also dives into the impact of increasing cyber threats, the challenges of AI regulation, and Australia’s position in the international technology landscape.

After two decades of working globally, consulting on risk and cybersecurity, Shannon has keen insight into what makes an organisation both protected and resilient from cyber threats. Shannon’s focus is on cyber risk governance and providing strategic advice to executive leadership and boards. Shannon works with government and corporate clients to develop solutions to incorporate cyber risk into their strategies. Shannon helps clients meet risk-reduction and compliance objectives and advises on the implementation of new and evolving technologies by ensuring they are secure, fit-for-purpose, scalable, and continually driving efficiencies. By employing his unique blend of experience in finance and cybersecurity, he assists in uplifting internal due diligence capabilities, focused on reducing risks and increasing return on investment.

Episode Transcript

[00:00:00] Speaker A: Cyberattacks will be a precursor to kinetic warfare and almost an advanced warning of kinetic warfare should the saber rattling progress beyond what is still largely words and minor skirmishes in the cyberspace. It's now apparent that most organizations where an attack would cause a material impact to the populace is now classed as critical infrastructure and expected to allocate sufficient capital to cybersecurity. But from a critical infrastructure perspective, if we really view it from the CIA triad, which is the confidentiality, integrity and availability of systems, most attacks on critical infrastructure as a precursor to kinetic warfare will be on the availability of systems, not so much around confidentiality or integrity of data.

[00:00:48] Speaker B: This is KBCS.

[00:00:50] Speaker A: Are they completely silent?

[00:00:51] Speaker B: As a primary target for ransomware campaigns.

[00:00:54] Speaker A: Security and testing and performance risk and compliance, you can actually automate that, take.

[00:00:59] Speaker C: That data and use it. Joining me today is Shannon Sedgwick, partner national cybersecurity practice for MinterEllison. And today we're discussing the rise of geopolitics and cyber risk. So, Shannon, a very warm welcome back on the show.

[00:01:14] Speaker A: Thanks, KB. It's been a while.

[00:01:16] Speaker C: It has. So on that note, I want to start with, you know, given your background in the military, and I think we were discussing before your, you know, you're one of the very first people I've ever interviewed on the show, and we'll hit 300 episodes this year. So people may not be aware that you have that military background, but you've also brought forward your pedigree and your knowledge and your experience in the military for what you do now.
So maybe that would help shape the narrative around, like, give us a bit of an overview of your thoughts on geopolitics and sort of what's happening today, if you can sort of make sense of it.

[00:01:48] Speaker A: I didn't do a great deal in the military. A lot of my overseas experience came with the work that I did post military, working independently in Middle East and Central Asia and Africa. A lot of that work had a cyber angle to it, so it gave a unique lens at the coal face of geopolitics and the intersection between that and technology and cybersecurity and data privacy, particularly for the clients that we were working with. But from a geopolitics perspective, there's a lot of, we live in a fantastic age right now. There's a lot happening at the moment where between geopolitics and geo environmental issues and ESG and cyber and workplace issues and the rise of nationalism and populism versus the old trend of globalism, these types of things are building up to quite a steady momentum, particularly since COVID. And none more so than, I would argue, probably AI. And governments are racing to regulate AI to reduce the potential of sociopolitical risks. But what they're simultaneously trying to do is foster that domestic AI innovation to compete geopolitically. So as a result, AI has the potential to deepen already existing divides both within and between countries as a result of the distribution of the related benefits. You look at some reports, and North America and China are likely to be home to 70% to 75% of the global economic impact of AI, while other developed countries will probably take much of the rest of it, like Europe and Asia. But America for example, they'll have like a 15% GDP boost by 2030 just from AI. In China it's going to be 20% to 30% by that point. So this situation risks spawning a competitive race between countries for AI dominance.
But the widening of that knowledge gap will leave much of the rest of the world behind, because they just don't have the funds or the capability to keep up. It's not only battles for talent and computing infrastructure, and this is the cyber lens to it, it's also access to and control of the data that's required to feed AI. The ability of data to flow across borders means that early movers in AI can gain a global influence that make it really difficult for initiatives elsewhere to catch up. We've spoken about it before, individually, you and I, that it's that first mover principle. You did the same with the work that you're doing now. You were a first mover. Very difficult for people to catch up. But a second concern around AI from a geopolitical standpoint, is both unintentional and intentional, is what I mentioned before is exacerbating those political divisions and polarizing societies. We're now very aware of the way that social media can contribute to polarization, but the AI driven algorithms will play a significant role, in addition to potentially keeping users trapped in those bubbles of content that match their own worldview. Confirmation bias that people don't realize they're susceptible to. And it limits access to other perceptions or other perspectives. And it hardens misperceptions like confirmation bias. But they have the unanticipated effect of actively pushing users towards increasingly extreme content. So certain social and digital media platforms have drawn a lot of criticism for the ways in which video streaming services algorithms can push users in the direction of extremist political reviews and also conspiracy theories based on their browsing behavior. And AI is going to take that to a whole other level. It's frequently being intentionally used by nation states and also people domestically to manipulate and polarize viewpoints, and particularly around the issue of deepfakes.
Deepfake video and audio content designed to deceive public and targets, and also those that denigrate public figures. You could imagine a large scale historical event similar to something out of a Clancy novel, where a certain nation state leader thinks that the US has declared war on them or launched missiles because of their very convincing deepfake they saw on a news site. So AI is a significant geopolitical issue that we need to keep tabs on, and I'm sure a lot of investment is going to be going into that. Whether regulation can keep up is another issue. And then you've got Russia's continued invasion of Ukraine. Tech production, energy prices, grain supply, it's all been affected. And it creates these risk exposures in capital flows as well. Trade in commodity markets and the semiconductor shortage is another issue that's exacerbated by Ukraine and Russia, though supply chain resilience is a massive concern. But most countries these days, particularly given the rise of electric vehicles and lithium battery industries and things like that, the majority of the production is in Taiwan, which is a contested area. But hopefully Japan getting involved with their semiconductor production like they used to will alleviate some of those pressures. But it'll be interesting to see how China acts over the next one to two years, particularly around the South China Sea, remaining that flash point. Annoying a lot of different countries to put it lightly, like the Vietnam and the Philippines and Taiwan, Malaysia, because it's a major shipping route. I think it's like one fifth or more of global trade transits those waters. So you can see why they have a vested interest in controlling those waters. So it'll be interesting to see what happens. And then you've got climate change, which is massive on every developing country's radar. And that transition from fossil fuels to renewable energy and climate change is now inseparable from most energy issues.
So there's a competition there between governments to secure access to resources, particularly oil and gas. And the Paris Agreement is causing a lot of capital investment into removing carbon and greenhouse gases from energy systems and broader economies. But there's got to be consideration of other issues that will come off the back of it, like oil exporting economies have to deal with stranded assets, which means assets that they lose value or they generate new debt or liabilities before they reach the end of their planned life. So it's usually in the oil, gas and coal industries, there'll be a lot of stranded assets. And then of course, probably the biggest one on mind on your radar is cyber attacks becoming more frequent and severe and they're increasingly being used as a tool of statecraft. The human and financial impacts rises in line with digitization and the adoption of AI and automation. So I've gone on for a bit there, but there's a lot of geopolitical issues at present that are affecting global economies.

[00:08:57] Speaker C: No, I appreciate that and I know we can't go into all of them, but a couple of things. What was coming to my mind to ask you about and to do a few follow on questions would be going back to the global economic impact. You mentioned before that GDP for the US was like 15% and then China was like 20% to 30% and then the rest is sort of they're going to cop it. So where would you sort of see Australia sitting in that race?

[00:09:20] Speaker A: Very little. We'd be lucky to be.
We might get a bit of a bump up from AI, but I think there was a story recently about the Australian government did a tender recently for investing in an AI capability and they didn't choose a domestic capability, they chose one based out of the US just because they, and they probably rightly so, they might have been a bit more advanced than where Australian based startups are, but it was still disappointing to see that they weren't investing in domestic capabilities. They were again reliant on international startups. And you know, as well as I do, having spoken to a lot of tech startup leaders in this space and myself, having been a non executive director and a chair of various successful startups, it's very difficult to commercialize ideas in Australia because of the lack of access to funding. So I don't have high hopes for government's involvement in AI. They probably seek to regulate more than they will invest as is Australia's way. I hope I'm wrong about that, but not criticism. It's just the way we operate historically. But I do have hope for the large institutions that are investing a lot in AI, particularly on the cyber side of things. Even from a MinterEllison point of view, we're investing significantly in AI and it's playing a huge role in our company. We're not going to be left behind. We're a first mover from a legal and consulting industry perspective in the adoption of AI to assist with rogue tasks and allow us to focus on the more complex problems and issues that require that human factor. So from an Australian perspective, I don't think we're going to have anywhere near as a large part to play but that doesn't mean we should stick our heads in the sand by any means.

[00:11:04] Speaker C: Okay, so following that example before that the investment went overseas, which you and I have spoken about before, that often happens when you say that goes against those whole sovereign capability because remember how that was sort of a big thing, you know, 12, 18 months ago. So whatever happened to that theory seems like it's out the window.

[00:11:21] Speaker A: I think there's still a lot of discussion around it. And when they do, from a vendor procurement perspective, when they're looking at their due diligence around risk management of adopting vendors into environments, data sovereignty and data residency is still a significant issue. It's one of the main issues. Whereas if you're a major technology supplier and you don't have your data centers located in Australia, it is very difficult to, particularly in government, whether you're state, local or federal, to land those contracts. So you're finding a lot of investment from international players and setting up data centers here just so they can win some of that lucrative defence or federal government work. So it's still a concern, but it seems to pass by the wayside when it comes to investment, which I don't quite understand fully. I'm sure there's a reason behind it. They want to invest in what's likely to be the biggest success. I wasn't part of or had any privy to the decision making or the assessment done to choose that particular AI provider. It did ruffle a lot of feathers. There was a lot of people very disappointed that that was the choice that was made. And you can understand why. There's a history of underinvestment in technology startups in Australia.

[00:12:32] Speaker C: So then going back to the whole GDP thing, so you said before the US 15% and what's happened just here, it's almost like we're allowing them to win. We are putting our head in the sand and it's like oh well we'll just give it to a US player. Feels like we're sort of almost not backing ourselves as much.

[00:12:48] Speaker A: I think there's certainly intent to, but whether the infrastructure allows it. Australia, we've largely had to. From a tech startup point of view, we've largely had to rely on equity funding to fund technology startups and debt funding from banking institutions. It has been historically deemed as overly risky for mainstream financial institutions to invest into because there's no tangible assets which they can, you know, take taken control over. Should that company fail, how would they get their money back? And statistically, most startups as we know, so it is difficult to get funding, it's not impossible to get debt funding, but other countries make it a lot easier. And there's a way for, obviously a mix of debt and equity funding to make sense, but it's government grants, I think, have been lacking. But there are people in government that we have spoken to that are very tech friendly, but it's just about getting that big machine moving. And I think, as is usual with technology and how we progress as a nation, it has to be led by private industry. Well, it doesn't have to be, but it just usually is. So investment by the large corporations that reside here, and particularly big banks, they're usually quite advanced in terms of cybersecurity and technology adoption. And oftentimes government regulation falls into line. Our investment falls into line because of that influence from those larger corporations. So it'll be interesting to see what the future holds. But the investment recently from the Labor Party into, and this should be a nonpartisan issue, in my opinion. Hopefully, the new cyber strategy from 2023 to 2030 remains that way, where funding isn't lost or redirected because a political party changes in the future. It must be political pressure proof, but I have hope for it.
We have increasing funding, not just in ASD's REDSPICE program, where usually most of the money goes in defence, but it's actually going quite a bit in the private industry and helping SMBs. So I have hope for the future, for investment in not just cybersecurity, but also technology startups. I'm cautiously optimistic.

[00:15:00] Speaker C: Okay. You said something before as well, around deepfakes. I mean, you said a lot of interesting things and we could go on for hours. You said before around polarizing society. Now this is interesting. Would you say, with what you know, in your experience, do you think we're in a state now, as in today, that we're in this point where things have never been more polarizing than they are today? Or what do you think earlier things were? I have a little bit more to add to that, but I want to hear your response first.

[00:15:27] Speaker A: That's something I'm quite excited to talk about, actually, because what comes to mind is the risk of deglobalization. So there's a variety of factors that have given rise to questions around the benefits of increased international movements, of good services, people, capital, tech and ideas. The growth of nationalism, which is what you're talking about, that division, that sequestering of ideas and people and tech and capital within your own nation to protect yourself, that creation of both literal and figurative borders. They call it protectionism and populist movements. In recent years, it's created an environment of increasing uncertainty and it could potentially lead to deglobalization that is like a reversal or a slowdown of globalization. And nothing sped that up more and expose that vulnerability than the COVID-19 pandemic. And many countries are heavily reliant on imported goods. With nations worldwide enforcing border closures over COVID and restrictions on an international level, it made it increasingly difficult.
And since then, governments have been increasingly keen to diversify their source of imports as a protective measure to reduce their dependence on a single trading partner. And Australia has taken significant steps to do that as well. But despite this, a lot of businesses do remain interested in cross border economic engagement. And even amid heightened tensions and that saber rattling between western society and particularly the US and Australia and China, we continue to engage in that bilateral trade with them. The anti-globalization movement. It does pose a threat to economic growth and international relations. But I do believe that there's a bit more of a renewed trend, even in the last six months, towards a bit more of increased pragmatism and collaboration. And a lot of that has been fuelled, as I mentioned before, by that reaction to Russia's invasion of Ukraine. And that new pragmatism that we're seeing is going to counter movement towards a more closed off world of self contained economies where governments are protecting their own industries and citizens from foreign competition. Like they implement subsidies and other incentives that favor domestic producers over foreign ones. There is incentives and all behavior stems from there are incentives to bolster domestic production and domestic capital flows. But it doesn't mean that we should do away, throw the baby out with the bathwater and do away completely with bilateral trade and international cooperation, particularly on issues such as cyber. As I said, that needs to be a nonpartisan, particularly with the regulation of AI as well, I would argue, falls into that same bucket. Yeah, it is extremely divisive. You only have to look at the US to see that the divisive nature between political parties where people, and it doesn't happen as often in Australia, but it has had an impact here, where people attribute their entire personality to a political party's beliefs, whether they believe it or not.
They're not making up their own mind about issues. They're sort of doing what they're told in mainstream media on both sides of the political spectrum, do nothing to help that situation. It's in their best interest to polarize people. But then you look at it from a nation state, enemies of the US, it suits them perfectly. They're feeding into their agenda perfectly. You only had to look at the attacks on the Democratic National Committee back in 2015 and 2016 achieved their aims and they're still achieving their aims without division.

[00:19:12] Speaker C: Okay, so I want to expand on, obviously, the US election is coming up now. I spoke to head of research from Tenable about deepfakes. So had this whole example around how that can influence certain, you know, certain beliefs of people, as you touched on. So would you say with everything with deepfakes, and, you know, obviously now, like you've mentioned, there is the gaps widening between polarization, between different parties and in different sort of countries, etcetera. Would you say, though, things will just keep getting worse and they're not probably, they're probably not gonna get better. And the reason why I asked that is because. I don't know, back in the day, there wasn't social media. So now you open your phone, it does feel like you are being fed certain bits of information, whether we like it or not. It's just the way things are now. There was no, you know, Twitter and things like that back in the day, there was literally like one newspaper and five channels on television. So you didn't have a lot of choice. Whereas now, like you said before, around confirmation bias, etcetera, where do you sort of see this problem going now?

[00:20:16] Speaker A: Well, without significant change to those platforms, and I think regulation is the only way to do it, and Australia's regulatory agencies, particularly privacy commissioner, they've taken significant steps, even towards the large social media players to address these issues around, you know, the promotion of hate speech and discriminatory videos and even violent and extremist propaganda and conspiracy theories on mainstream platforms, but they're still a long way behind because they just wield so much power. There's a reason why these platforms are free. You are the product as the user, and it's never going away. So we have to adopt that. It's not like it's similar to the long contested issue of gun control in the US. It's never going away. There has to be a middle ground that has to be found. And it's the same with social media and the proliferation of extremist views because of these algorithms that spin up. If I watch a lot of cooking shows, all I'm going to see is cooking show content across not just one platform, but all of my platforms, because it's collecting information about me. And soon enough, in ads on Google searches are going to be seeing things about cooking products the same way with extremist content. I start watching a Fox News videos and things like that, I'm going to start seeing more along the lines of Fox News content and things from the Republican Party and the likes of Mitch McConnell and these types of content and not criticizing one party or another. Because if I watched Russia TV, I'd get the same. I'd be being fed Russia propaganda mixed in with real news. And it becomes increasingly difficult to discern truth from fiction. We live, and I've said this before in our conversations, we live in a post-truth age where someone's emotional reaction to information matters more than whether that information is true or not.
And we have this saying that we hear regularly from conspiracy theorists and extremists on both sides of the political spectrum is do your own research. Well, I agree with that in principle, that one should do their own research. But how do you know what you're researching is providing a critical view of a topic, and it's not just feeding confirmation bias? How do you know it's true? How do you validate it? How do you fact check? Are you reading both sides of an argument or are you just considering your own? And it's validating you and everybody else is stupid, because that's what happens. And unless you've done critical research, typically at a university level, where you understand that necessity for viewing both sides of an argument and researching critically and challenging your own beliefs, most people don't do that. They just see what is fed to them. And it's particularly with people who didn't grow up with access to technology, like many young people have now, it is easy to believe whatever you read, it's a significant issue. It's a massive issue, and it's creating a huge dividend. However, it's extremely profitable for certain large players. So, yeah, it's a thorny problem, and I don't have the answers to it, but the only way is to, in my mind, is through government regulation of those social media platforms.

[00:23:38] Speaker C: So following that a little bit more, would you say, as well, it seems like a really basic question, but the things just appear worse because, again, like I mentioned, there is social media now we hit, you know, things are more ubiquitous. Like back in the day, there was none of that. There was one radio station, five channels. Are things actually worse, or do they just feel worse because we can see more of it?

[00:24:00] Speaker A: I don't think it's as bad as it's made out to be sure.
Things, you know, there's certain things such as the rising cost of living and the issues around housing affordability and things like that, that cause a real issue amongst young people and is deeply concerning, and as well it should be. People can't afford to live even on the average wage or beyond the average wage. That divide between the haves and the have-nots is, quite frankly, disturbing. So there is the bad side of things, but there's a lot of good being done as well. The adoption of technology is a good thing. And the counter, as I mentioned before, the counter to that populist and nationalistic movements with not doing away with globalization, there are people with power that want to see that collaboration. And, you know, Five Eyes is a good example of that. The intelligence sharing framework set up between Five Eyes countries, which Australia is a part of. There's a lot of good happening in the world, but it's good doesn't sell. Bad news is what sells. And if you are a constant imbiber, for lack of a better word, of mainstream media and social media, it can become quite poisonous, because as we spoke about earlier, there's, the algorithms spin up exactly what you've been watching lately, and even from the point of it can be quite harming to your mental health, because you see all of these, you know, there's filters for everything. You see these seemingly perfect people who live their lives, travel world, and they seem to have no cares, and you're working a nine to five in a state office, it can cause mental health issues. And the complaint around Gen Z not wanting to work, I think is utterly wrong. It's just a different. They grew up in a different time, there's different priorities now. Work is not the priority that it used to be. It's more of a way to provide the life that they really want to live. So it's just a differing priorities.
So it'll be interesting to see where future generations go as the boomer generation and Gen X generation, they go through their exit positions of leadership, and millennials come into positions of power, and then Gen Z after us. It's going to be interesting how that worldview is shaped from people who lived through drastically different generations. It's going to be quite interesting to see. But I don't think the news is as bad as we think it is. I think it's just. It seems worse because of the media that we ingest.

[00:26:35] Speaker C: You also mentioned before around keeping tabs on AI. Would you say that we are doing that? Or again, I know it's a big thing, a big problem. It's not an easy fix, it's not a flick of alliance, which I get that. But again, does it feel like we're keeping tabs, or are we in actuality keeping tabs?

[00:26:54] Speaker A: Would you say, I think we are keeping tabs. You know, from my conversations with people in government, those with a vested interest in this, in government defence and particularly our intelligence agencies, have a close eye on this issue, but also from a regulatory and a policy point of view, the Department of Home Affairs, rightly so, are keeping a close eye on this. And their regulatory and legal frameworks are being considered around how to govern AI. But it is a difficult problem because how do you regulate something that's so fast moving you have to future proof any regulation because of how, how long it takes to pass through their government systems. So I think that they're certainly not sticking their head in the sand. They're aware of the risks, but I think we're also aware of the benefits of AI. And again, that's being led by private industry. In my experience from property and infrastructure and construction groups, insurance in a massive way, financial services that is, banking, critical infrastructure, marketing in particular.
AI is, and from a manufacturing point of view as well, AI and automation, in just assisting with maintenance of plants and equipment, has been a game changer. And AI, I think people are coming to the realization that it isn't the threat to taking workers jobs as they once thought it was, it's more of a bolstering their capabilities. So what government is doing right now is not only looking at, you know, the risks of AI being used in a reverse sense, but also looking at how we can use it and educate and that continual training for staff so that they're not replaced by AI, but they're allowed to be more effective than AI. AI is a long way from being autonomous or being able to have the same level of quality outputs that a human would in most tasks. Obviously, some things which require drawing inferences from large sets of data, nothing beats AI. It's what it's made for, it's what it's built for. And that's why it's perfect for things such as sort of law firms and those who are blaming intelligence or actionable intelligence out of large sets of data. So there's benefits and risks. And I think we have some very smart people in government that have their finger on the pulse of this issue, just depending on how well we can craft that language. But they're pushed towards collaboration between private industry and public is something that should be lauded, and it's been great recently.

[00:29:22] Speaker C: Okay, so Shannon, you said as well, and I'm trying to go all the things you said at the start, I'm trying to touch on all of them because it was all interesting. You said it's going to be interesting to see how China acts over the next two or so years. So how do you expect them to act if you sort of had to hypothesize what they're going to do?

[00:29:41] Speaker A: A lot of what they do will be largely reactive. Obviously, they're pushing for more control over major shipping lanes in the South China Sea and going hard after Taiwan.
And they make very aggressive overtures in the public. But then again, so is the US and so do we. And there's become a back and forth of saber rattling sort of heightened with the cattle industry, the beef cattle industry being impacted dramatically and I think grain got impacted dramatically as well around COVID time of them not accepting any of our exports, which was, most of our exports from an agricultural perspective, are heading out to China. And that was severely impactful to our economy, which is not very mature in, compared to other countries in diversification, we're reliant on three or four different industries as a whole, rather than ten or more like a lot of other countries. So largely agriculture and the tertiary education sector and tourism is probably the main three that I think that comes to mind, at least. I think we need to be very careful as that we have to play the hesitant maiden, for lack of a better term, bit of Switzerland to play where we're neutral. Whilst we obviously have taken the side of the US in most issues, we need to be very careful about toeing that line when it comes to China because we are economically reliant on them and we need to ensure that, that bilateral trade continues. So, yeah, we have to tread carefully with this. We can publicly denounce some of the actions that they take, but I think nobody wants kinetic warfare or even any form of warfare because it's just bad for business, to be frank. But we've already seen from a cyber perspective almost a cold war happening behind the scenes with attacks between nation states on increasing attacks on nation states on critical infrastructure assets.
So I think that will increasingly happen and our intelligence agencies would be aware of that and shoring up those protections and ensuring that private industry owned critical infrastructure assets through the Security Critical Infrastructure Act and the new obligations coming in there, they're doing their part to shore up those assets, but we're still a long way from being where we need to be from a maturity level at a national, from a national perspective.

[00:32:04] Speaker C: So going back to your comments before and hesitant maiden, which I agree with.

[00:32:10] Speaker A: Yeah.

[00:32:11] Speaker C: Would you say with your experience and knowledge it's a better position to be in, like for Australia specifically? Because again, like, we're not, we're not like a US, we're going to come out and polarize people and, you know, hardcore, we obviously do play. We probably sit on the fence a lot more. Would you say that is advantageous to us? And I know you mentioned before around the economically reliant on China and friends, would you say that would be the better position to be in with our sort of nation and how it is today?

[00:32:37] Speaker A: At a simplified level? Yes, I think we need to, as I mentioned, tread very carefully and tread that line. I think if it did come to and knock on wood, that doesn't happen, kinetic warfare, we would obviously have to choose a side because Australia would be a strategic stepping ground for other nation states to use from a warfare perspective. But I think what will be a precursor to that are cyber attacks. Increasingly, as we saw in Ukraine, cyberattacks are precursor to kinetic warfare. We call it preparing the battle space in military parlance, which is where you're softening a target and preparing a target before conducting kinetic activities.
And what I mean by kinetic warfare, if people that understand that reference is what you think of as warfare, soldiers, tanks, artillery, navy aircraft, physical warfare, whereas cyber warfare, as we know, is a target against critical infrastructure, assets and anything which will have a material impact on a nationally significant target. And I think with satellite communications and technology and Internet enabled capabilities and targeting those of your opponent. And they're essentially using cyber warfare as a proxy warfighting capability, but it also allows them deniability, which is interesting because it is, attribution is incredibly difficult in cyberspace, attributing a particular attack to a threat actor unless they outright own it. And even then, difficult to be sure, unless you've got offensive capabilities like the ASD and the NSA and other intelligence agencies, which is illegal for anybody else in Australia for them. But in the ASD to do, it's almost impossible to identify who is who. So there's going to be significantly more attacks stemming from nation states. And how we could have approval with them is difficult. There's a good recent example of that, actually from a China based perspective, is, I don't know if you recall, but I think it was a couple of months ago, an Australian mining company that works in rare earth minerals, they disclosed a cyber incident to the ASX. They're publicly listed. The day before the attack, Australia's treasurer, they ordered five people, five foreign persons of a certain nationality, to divest their shares in the business. And that decision was to protect national interest and ensure compliance with probably something set out by the Foreign Investment Review Board that is, you know, their investment framework.
And in the ASX incident disclosure, the mining company that got affected, they said that the exfiltrated data had been released on the dark web, but it hadn't had a material impact on their operations or border systems. But this is one of those cases where the threat actor group, which is called Bian Lian, they claimed responsibility on its dark website and said it was personal data relating to employees as well as financial data. And although there is an identified link between Bian Lian and China, the timing of the publication of that attack from Bian Lian is notable. Obviously, there's no definitive proof. Maybe intelligence agencies have it. I don't have access to that intelligence. But you can see that there is recompense sought against perceived slights from nation state actors. Even seemingly innocuous, innocuous decisions of getting rid of people out of the country or getting them to sell their interests in a strategic Australian asset can have ramifications at a national level for us. So it's very interesting to see that type of proxy warfare, it's not quite warfare as an issuer, one upping one another. So it'll be interesting to see where that goes in terms of it won't be the last time we see that.

[00:36:32] Speaker C: So going back to your military parlance around preparing the battleground, wouldn't you say this is going to be the future now of war? So to your point, precursor, the cyber, cyber warfare, that which then could, may, can lead into a kinetic warfare. Isn't this going to be how it goes now? Because like you said, the precursor of the cyber stuff is going to soften that battleground to then, you know, get the target ready to then lead into that kinetic warfare?

[00:36:57] Speaker A: Yes, certainly. And the targets will almost certainly be critical infrastructure, which is why critical infrastructure security, particularly in Australia, is a significant concern because this is the way wars are fought now.
Cyberattacks will be a precursor to kinetic warfare and almost an advanced warning of kinetic warfare should the saber rattling progress beyond what is still largely words and minor skirmishes in their cyber space. It's now apparent that most organizations where an attack would cause a material impact to the populace is now classed as critical infrastructure, and they're expected to allocate sufficient capital to cybersecurity. But from a critical infrastructure perspective, if we really view it from the CIA triad, which is the confidentiality, integrity and availability of systems, most attacks on critical infrastructure as a precursor to kinetic warfare will be on the availability of systems, not so much around confidentiality or integrity of data. So from an industrial infrastructure perspective, there was a Triton malware attack nearly caused a huge explosion because in a Saudi petrochemical plant allowed the hackers to take over the plant safety systems. Likewise, during Covid-19 Israeli water systems. And we don't have to think very hard about who the potential attacker might have been there, or at least funded by their Israeli water systems. They endured multiple cyber attacks designed to compromise the industrial control systems of pumping stations and wastewater plants and agricultural pumps. And then there was a successful one in the US with Colonial oil. Do you remember that? It was the largest pipeline in the US that was hit by a massive ransomware attack. And they supply almost 50% of the US east coast gas, diesel and jet fuel. And they were forced to shut down its operations entirely for eleven days. And even after eleven days, they only partially recovered and they ended up having to pay $5 million USD in ransom. And even from an espionage point of view as well, with the evolution of technology, trying to get your hands on secrets in a digital environment has become increasingly more advantageous. And there's that deniability there.
Whereas together, secrets you had to develop. Of course, there was still SIGINT, that is, signals intelligence you could gain from satellites and things like that, or overhearing radio communications, but we didn't have the cyberspace to tap into, which is where most information resides these days. You had to rely on human intelligence sources and verifying those, and developing human assets in positions of power in target countries, whether they be allied or what we see as potential adversaries. From an intelligence gathering perspective, it's made it a lot. The digital environment is flattened or even collapsed geography as we understand it, because we can reach out and touch somebody on the other side of the planet. Now our data and assets are increasingly being stored in not just on prem systems and networks, but now the cloud. So the core concept around intelligence and clandestine operations and espionage still persists. But there's the growth of SIGINT and intelligence gathered through the cyberspace has exploded well beyond that of human intelligence gathering.

[00:40:22] Speaker C: So, Shannon, this does seem like a very broad question, but where do you think we go from here? What do you think happens now?

[00:40:29] Speaker A: We keep going as we have been in terms of Australia's made some significant steps with both legislation, the few changes to the Privacy Act of 1988, and the uplift of that be more in line with the likes of GDPR, particular focus on consent of data owners to the use of their information, things like that, and the storage and governance of data, which is a significant issue for most of our clients. 50% of the work we've been doing lately has been data mapping and data governance services and the use of AI as well. In terms of that data governance question around the privacy impact analysis, you know, the adoption of AI and automation will continue to increase unabated.
I think that we will be playing catch up from a regulatory perspective. That speed of digitization was accelerated further in Covid-19 but it hasn't really slowed down. And as a result, I think espionage, data theft attempts to disrupt our day to day lives going digital, that'll increase malicious cyber activities and cybercrime will only increase as cyber risks will become more pronounced. But I think from a private industry perspective at least, we're taking the steps necessary, and particularly with support of the government with its new cyber strategy. I'm hopeful that that will continue to spur on investment and capital allocation to not only adoption of technology, but the addressing of risk from both a data and a system perspective. In that adoption of technology, malicious actors will continue to target key assets in critical infrastructure, like disabling healthcare services and stealing research while inflicting reputational costs on corporations and governments. But the online world is going to continue to have significant impact on geopolitics and vice versa. But in both sectors, intelligence is a hugely important factor. So gathering and verifying actionable intelligence allows decision makers in government and industry to address risks effectively and predict what's mostly likely to occur in the future.

[00:42:35] Speaker B: This is KBCast, the voice of cyber.

[00:42:40] Speaker C: Thanks for tuning in. For more industry leading news and thought provoking articles, visit KBI Media to get access today.

[00:42:48] Speaker B: This episode is brought to you by MercSec, your smarter route to security talent. MercSec's executive search has helped enterprise organizations find the right people from around the world since 2012. Their on demand talent acquisition team helps startups and mid sized businesses scale faster and more efficiently. Find out [email protected] today.
