[00:00:00] Speaker A: There's an incredible cost to making sure everything's fully secure. So organizations are looking for return on investment for balancing their books. And I guess what we're trying to do is work out where is that balance. So how we design products, how we make them secure, is starting to become requirements out of not just our government, but other governments worldwide. And it's something that organizations are going to need to factor in to how they design and build products and support them after they're released.
[00:00:30] Speaker B: This is KBCAZ as a primary target.
[00:00:34] Speaker C: For ransomware campaigns, security and testing, and.
[00:00:37] Speaker A: Performance, risk and compliance. We can actually automate that, take that.
[00:00:41] Speaker C: Data and use it.
Joining me back on the show is Sam McKenzie, Cybersecurity Committee member from ACS Australian Computer Society.
[00:00:52] Speaker C: And today we're discussing securing society and the future. So, Sam, welcome back.
[00:00:57] Speaker A: All right, excellent to be here, Carissa. Thanks for having me.
[00:01:00] Speaker C: Okay, so let's talk about the convergence between cyber and physical security.
You sort of say, Sam, you know, we're not in crisis mode, but we are aligned with international security agencies like ASD, ASIO, FBI, CISA, NCSC, et cetera, who are raising coordinated alarms, so I'm keen to understand, which you say is a clear call to act.
But what do you think act sort of looks like if we're not in that crisis mode?
[00:01:29] Speaker A: It's a great question, I think, you know, and when I was on the podcast last time, we spoke about, you know, the impacts that the digital world can now have on our physical world. The actuators and pumps, circuit breakers and things in water, energy and utilities can be controlled digitally, and there's great advantages there for resource management, for optimization of assets and, you know, slimming the bottom line by managing those assets effectively. And I guess what we get into then is this opportunity, effectively, for cyber attackers to also control those devices right down in the physical world. And attackers are taking advantage of that. Luckily, it's few and far between, but there have been occurrences, and what we're looking at now is, like, what are the solutions? How can we deal with that? Especially now that the advanced cybersecurity agencies worldwide, and you mentioned many of them, in Australia, the US, the UK and others, are raising coordinated alarms about these risks. So one of the key things would be to acknowledge the cyber physical risk, that cyber physical outcomes can occur, and then, you know, particularly for critical infrastructure asset owners and operators, for them to make sure that their cyber teams are working really closely with their engineering teams, with their operations and maintenance teams, and understanding the potential outcomes, and that they're aligning all of that risk and rolling it up into the enterprise risk register to make sure it gets treated, to make sure it gets the funding. Treatment could be mitigation.
There's lots of different ways to treat risk. Obviously there's probably three things. So there's treatment and management of that risk. There's having cross-functional leadership teams that blend operational technology teams, IT teams, physical risk, safety and cybersecurity, and having those teams working together. And companies that succeed and defend successfully are organizations that do that well, that have collaboration across those teams, because they're often siloed. So that can be quite a cultural challenge. The third thing I would say, you know, because there's lots of things to do, but probably if we're just looking at three, would be incident response and resilience. That recovery piece. We spend a lot of time in, the National Institute of Standards and Technology from the US, we've got a cybersecurity framework called the NIST CSF, and they've got it structured in sort of detecting, identifying, protecting. And we've spent a lot of time over the last 20 years doing that. And that's really important. We should do that. But now we know that the attackers get in anyway, and we need to spend some more of the budget, of our resources, of our effort in the recovery and response. Three things. Long answer, I realize, but get serious about understanding, you know, the cyber physical assets and that risk, and have the teams work closely together across silos, and make sure that we're spending time and effort in response and resilience.
[00:04:14] Speaker C: Okay, so there's a couple of things in there I want to get into a little bit more. When you say get serious about the risk, would you say now or nowadays people are getting a little bit more serious about this, whereas maybe historically they haven't been, or they were unaware or they didn't see the convergence between the physical world into the cyber world, for example. What are your thoughts on that?
[00:04:31] Speaker A: I think there is sort of wider acknowledgement, I guess so. And we'll come to some of the research that I've done in the past year or so. One of the quotes was from an engineer who spent time out with their customers, and he highlighted that some of their customers are managing sort of risk from a technology perspective. That cyber risk is in an IT spreadsheet, it's not really connected to the physical world, it's not really connected to the engineering safety, and it's definitely not rolled up into the corporate risk register. But there are some organizations that are still sort of behind the eight ball there. Many do manage IT and have the IT and the digital technology risk in the corporate risk register, but then there's still often this gap from the operational technology side, from that cyber physical risk that's not getting into the risk register and not getting its fair share of the treatment and fair share of the budget.
[00:05:20] Speaker C: So it's not getting into the risk register, is it? Because people are like, well, that's physical, so therefore it's not going to go in the same risk register as a cybersecurity risk, for example. Would you say they're sort of just trying to isolate it?
[00:05:32] Speaker A: I think the gap is probably in the disciplines. So the people who are running the engineering systems, the operation and maintenance teams, the O and M teams, have been doing it that way for a long time and they feel like it's secure. And by all accounts it was secure 10, 20 years ago, before the threat landscape changed and before we had so much technology involved. And so now the face of things has changed. And the digital component and threat landscape, where there's nation state, well-funded nation state actors who can get into systems through probably the IT environment or remote access, there's a lot more remote access than there was in the past. And so I think that, getting back to the answer of the question, I think that side of physical risk is not well understood. And that's because there's a separation of disciplines, and the separation of disciplines is historic. It's not sort of on purpose. So the IT people perhaps don't understand the impact that IT could have on the physical world. The engineering folks who do understand that probably maybe aren't so clear on the threat landscape changes and how much remote access and access, you know, external access, other parties have. And that just really does present a cacophony of, you know, challenges for managing risk when you've got those separate disciplines looking at it from the different perspectives and perhaps not collaborating and bringing it together. That's what my research showed.
[00:06:49] Speaker C: Okay, so how do people, or we as an industry get it to the point where there is that collaboration, where it is like, hey, we're going to operate from the same sort of risk register in terms of the physical, the cyber risk, et cetera? What would you sort of say in your experience with the research you've been doing over the last 12 or so months, how can people move towards that outcome? Because, I mean, in the industry we talk a lot about all these problems, but it's like, well, what do we do about it?
[00:07:14] Speaker A: Great question. So, one way to address it would be to have all the teams in operational technology and IT report to the same leader. So that's one way to do it. I've seen that work successfully through the people that I was speaking to in the research.
That doesn't always have to be the way, you know, as long as there's strong ties and collaboration with those teams. So, for example, having, you know, cybersecurity policy and standards set and structured but not isolated, and making sure to include the OT staff and their views of risk, and having them collaborate to build the policies and standards rather than sort of, you know, IT cybersecurity policing something from an engineering field force. So I think it's really about collaboration in that space. Because the IT risk gets a lot of visibility. So all the data breaches, obviously, over the last few years in Australia, the big ones, you would have heard about many people, probably many of your listeners, impacted. Those are the ones that get the visibility. They're sort of the shiny bright ones that end up on the front page of the papers. And the cyber physical stuff, luckily, is much fewer and further between, but it's still a risk. And I guess it's a risk to, you know, safety and physical outcomes, which in some regards is, you know, worse. And so what I saw through the research was really, how do we get these teams to work together to surface that risk and boil it up into the risk register to make it useful, so that they're getting their share of the funding. And the answer that was resounding from many of the participants in my research was that to get those teams to work together, either through reporting line or purposeful collaboration, not just sort of superficial collaboration where you expect people to work together, but purposeful action to get them to collaborate, with purposeful programs to have them do that and surface those risks and quantify them.
[00:09:03] Speaker C: Yeah, the operative phrase that you used there was superficial collaboration. So what was coming to my mind as you were speaking is, historically, when I was, you know, working on the internal front, there was a little bit of that angst between teams working with the security team. Now, obviously this is over a decade ago, things have changed and things have moved on. But do you think that collaboration is there nowadays from the physical and the security side of things? Because even when I was working internally, our whole physical team didn't have anything to really do with us.
So I think that we have seen this trend in the industry where there is more collaboration. But purely from your perspective and what you do day to day, would you say that whole superficial side of things is being lifted, removed or is it still going to take a little bit more time? What are your sentiments there?
[00:09:49] Speaker A: It's come a long way. I think that sort of research that I was doing, it really has moved along. I think people understand that security is important. That doesn't mean they always take action to make sure security is included in the program because there's, you know, business objectives and tight deadlines and those sorts of things. But I think there's much more understanding when security does get involved. I think there's, you know, definitely much more involvement of security early on in the process.
And that sort of just going back to that word, superficial, I think that happens across all teams, regardless of the topic and the discipline. I think the challenge is that teams have obviously different objectives and constraints. So it takes, it takes strong leadership to clarify how a different team's objectives can work together towards a great outcome. And that's what good leaders do.
[00:10:33] Speaker C: Yeah, that's a good sort of point because, I don't know, when you work in a company you have to do, like, all of these trainings, but there's someone in the company who's responsible for making sure Sam McKenzie does his training. But you're like, well, I've got other things to do because I've got other priorities, because that's not my day job. So then it does become hard for people, because everyone's doing their role and everything that they're doing in front of them is important. Right. Or else they probably wouldn't be doing that job. So what would you say then, sort of long term? Do you think that people will just work a lot easier together? They understand that there's the vision. They understand physical security is just as equally important as cyber. They both work hand in hand. They both have different repercussions. Do you think it'll just get to a point where we don't even have, like, these two different sort of teams, it's just this security team which encompasses physical and security?
[00:11:23] Speaker A: So I think on that, in regards to how security permeates through the organization, I think it needs to get much wider. It needs to be everybody's business, you know, awareness sessions where we're involving people who receive emails. So everybody in an organization is pretty much receiving email. They need to be aware of security and cyber awareness to make sure that they're not clicking on links, you know, right through to, you know, the architect on the telecoms project who's designing the new proof of concept service to, you know, bring the call centers together. Everybody's going to need to make sure that security is involved in those decisions and in that design.
So I actually think that while it might end up with sort of consolidated teams, it needs to be wider in that everybody needs to have it as part of their role. And I guess some things I've been thinking about recently are, like, cyber awareness programs where, instead of just rolling out some online training, we have cyber champions embedded in the business, and they take lunch and learn sessions and then bring those back to their teams and share that learning every month, rather than sort of a once a year cyber awareness training program that people click a few things on in e-learning, actually embedded in the team. So there's a cyber champion who's sort of geared up in that team, right through to, probably many of your listeners have been through a cyber incident. And a lot of the time what happens is people get locked out of their computers when those incidents happen, and the first thing they do is jump on social media and tell all their friends, I've been locked out and I can't access because we're having a cyber incident. And then all of a sudden it's on the news, because the employees didn't exactly know what to do. And so, you know, right through to, do we need to have cyber safety drills, like we have fire drills, to help staff be aware of what they should and shouldn't do if they're locked out because of a cyber attack? So I think it sort of starts to become everybody's business. How do we make that everyone's business? Just like in, say, a utilities company, you know, safety is usually the number one priority.
[00:13:14] Speaker C: The example that you were talking about before, I've asked someone this in an interview probably about a year, maybe 18 months ago. So I just want to get your view. So, for example, like you said, if something's been locked out, you can't really follow the playbook or the IRP, or, you know, you've got to sort of rely then on what you know. So I'll give you an example. Like, how many times have you had to do a fire drill in a company and everyone sort of goes down not really paying attention, or equally when you're on a plane, you've been on a plane multiple times. So have I. I still don't know if I'd trust myself if something were to happen in terms of opening the door and doing all of that, because we sort of just tune out then after a while. So how do we then get it to the stage where, okay, just say we're locked out of our systems, we can't access the IRP or the plan or whatever. Do you think people, when you're in a state of panic like that, will be able to remember, okay, now I know what I have to do, in terms of their own critical thinking? Because I really, I just use myself as an example. Like, I think if the whole building is on fire, I just want to get out of there. I wouldn't sort of sit down and go, okay, like, here's the plan, we're going to run through it. I mean, I'm just speaking very honestly here, because when there is that state of chaos, people do operate in a state of chaos. So do you have any sort of insight on that?
[00:14:30] Speaker A: Yeah, I think so. I mean, I think there's some great examples there. I haven't been on a plane for quite a while, and I get that if the drop-down oxygen came, I would help myself before, you know, helping others. I would know to tuck and brace, I'd work out where the life jacket was, probably under my seat. It starts to become sort of inherent knowledge, tribal knowledge, because we've done it so many times, and I think it's similar for fire drills. Funny enough, I recently became a fire warden at my work. The feedback from the training is that people don't panic. They are really orderly during those events and they take their time and they follow the rules and they know what's expected of them and they do what's expected, because they've been through it so many times. So I do hear what you're saying around, does it sort of just, you know, meld into the, you know, I've done this again, done it so many times, but I think it does become inherent in the group, and the group then knows what to do.
[00:15:19] Speaker C: But I mean, like, in the state of an actual incident or breach, and they can't log into your systems, you have to rely on, like you said before, the example with the plane, it's like, well, I know the oxygen and, you know, my life jacket and all these sort of things. Because people out there have been on a plane multiple times, even if you're not fully listening to it, you sort of conceptually sort of know. I'm just sort of trying to draw a parallel of that example to how do we sort of inject that into some of the stuff that we're doing in our everyday work, where we don't have to rely on a plan because people know it so well. They're not panicked in the state of a real incident, for example.
[00:15:55] Speaker A: Yeah. And, you know, where it does this really well is hospitals, because they've got a drill sheet. I've forgotten exactly what it's called. It's been a while since I worked in healthcare. But they've got all the different codes, obviously. They've got medical emergencies, they've got bomb threats, and they've got the different colors. And, you know, when you're in a hospital, sometimes you hear the different codes called. And, you know, the staff on those sort of frontline phones, even if they're not maybe at the reception desk, they know what to do, because that checklist, or that decision tree, is next to their phone. And they've had it there and they've had the training and they go through practice exercises.
So, yeah, I hear what you're saying. I think that practice learning is the best way to do it. When your colleagues have done it, when you've done it, when you've got the reminders there and people get on with it.
[00:16:37] Speaker C: Yeah, I think that's a good point. And I would say as well, like, I worked at Westfield maybe about 12 years ago, and like you said, they had codes, like code blue was a medical emergency, code red, that was a severe problem. But every day there was something going on. Every day you had to deal with something multiple times a day. So you sort of just get used to it. To your point, in a hospital, there's always something going on there. However, in our organizations, not every day are people dealing with these sort of incidents. So do you just think that it's going to be like a muscle, it's going to take time to build up to that point? It is going to be practicing the plan and all of the things that we all know, et cetera, out there. So do you just think we just have to spend more time to get it to a point where it does become that inherent knowledge?
[00:17:18] Speaker A: Yeah, absolutely, I think so. So, for example, like the scenario exercises, those tabletop exercises of practicing the events, I think some of the biggest realizations in those activities that I've been part of, and the real ones, is building the connections with the other teams. So, say, the legal team might not think that they've got much to be involved in in a cyber incident. But there's a huge amount of involvement that they need. If they're not available at X time in the morning, then that can be a challenge. And the procurement team to, you know, get support from partners, the comms team, huge, corporate affairs, those sorts of teams that maybe aren't that close to the technical operations, to the individual computer breaches that organizations might be having on a regular, sort of monthly or weekly basis. The bigger events absolutely need all of those teams to support, and they need to know their role and what's expected of them and be able to practise and prepare what they need to do. So, for example, for corporate affairs or comms teams, as part of the cyber incident playbooks, it makes sense to have a whole bunch of written and approved comms ready to go out, so they're not on the back foot writing those under pressure. And similarly, legal would have reviewed those beforehand. Those are ready to go, maybe with a minor tweak or two, depending on the scenario. So that has been practiced, so that the legal people and the comms team know who to talk to. The decision path is clear to get those comms released. Similarly, the procurement team need to make sure they're on board, that they're ready to involve and request help from suppliers, so that you can build the best response and recovery team that you can at the time.
[00:18:52] Speaker C: Yeah, okay. All right. So I now want to talk through control rooms.
So these rooms are the front line of cyber physical operations, as you very well know. So I want to sort of talk through your thinking here. What are the risks? Do you think as well that people sort of forget about control rooms? I just think they're safe in their mind. And then I also want to talk about your, you've recently joined the management committee of this sort of niche organization that talks through this a lot more. So I'm keen to sort of hear your thoughts on that front.
[00:19:24] Speaker A: Yeah, thanks. So the ACRNA, the Australian Control Room Network Association, is a small, not-for-profit organisation, and I've joined the management committee there. Fantastic organization for anyone who's interested in or working in critical infrastructure and essential services that do need these types of assets. So a control room, some people might not be aware, they're the sort of nerve centers of these organizations that manage the transport networks, support emergency services. They've got a lot of screens and they've got 24-hour shifts. They might be controlling the energy grid or, you know, the water supplies and gas networks. They're critical to the service, the performance of the service, the ongoing running of the service, because they're making decisions in that room, they're getting alarms and they're treating those alarms. Transport's another good example, ports. And so you've got many of those industries and sectors represented at the ACRNA, and we have a conference every year. What's exciting about, I guess, the ACRNA is that there's people who design, build and implement control rooms right through to the people who operate in control rooms and work the 12-hour shifts. And we get such a lovely cross-section of people that we can have really interesting and valuable conversations that drive the industry forward in that space.
So I guess one of the things around control rooms is it does sort of bring together a lot of, it brings the engineering world, the technology world and the cyber physical world together, because we're controlling physical devices in a lot of those rooms. But then you do start to understand that this is a risk to society, to these services running. How do we make sure the control rooms are being built and designed now with the future in mind?
[00:21:08] Speaker C: So would you say, when these control rooms are being built with the future in mind, would you say that that's happening currently, at the moment, or that's what sort of people are discussing around how do we build these for the future state?
[00:21:20] Speaker A: Yeah, that's what we're discussing, definitely, at the ACRNA. You know, there's some key challenges that we're faced with, so I'll just outline some of them. So the more frequent weather events is an obvious one that obviously hits the media. So there's a huge demand on control rooms. There's more impact, they're longer duration.
So the controllers, the shift patterns, even down to things like, you know, that starts to hit fatigue management. You start to look at, you know, in a control room, is the lighting right, are the acoustics right, those sorts of things, to make sure that you're getting the best out of the people that are there for their shift and that they're operating at the highest capacity that they can. Aside from, you know, the weather events, there's data requirements because, you know, organizations are looking for more data and insights. Other areas, like new technologies, are coming on, like renewable energy, battery electric storage, IoT for smart cities and things like that, industrial IoT, and things like drone technology. So you're unlikely to get all of that in a single control room. But each of the control rooms that are dealing with their sort of chosen sector are getting more and more demands across their services. They might even be managing emergency events for staffing crises or something like that, if that was to happen.
So there's a wide demand on control rooms, and I only see the need for control rooms as increasing. It's such a warm and positive society for the betterment of the industry.
[00:22:43] Speaker C: I like your comment around weather events. So, like, catastrophic events that are occurring more and more nowadays, as we've clearly seen. Do you think as well that now that's putting these control rooms, like you said, under a lot more pressure, because perhaps historically we didn't have as many of these weather events that have been occurring, I would say. I mean, I'm originally from North Queensland, so we always had the cyclones, but the cyclone occurring earlier this year in the Sunshine Coast, Brisbane, I've never seen that in my lifetime. So how are people sort of responding now to the way in which these weather events are sort of taking place more frequently as well? What are your thoughts then on that?
[00:23:23] Speaker A: I was actually just speaking to some of the people in Queensland who were dealing with some of those severe events earlier this week and running the control rooms, and they're having to have a refresh of their fatigue management strategies because the events are lasting for longer. Previously they'd be over in a few hours or a day, and they'd have their field crews out, you know, restoring power networks or the services that they needed to provide. But now they're dealing with, how do we maintain services in the control room for an extended period, have high utilization, and how do we get the best out of the room and the organization's assets to, you know, deliver good services to the public? There's lots to do in that space, and I think that's probably only starting to get realised now.
[00:24:06] Speaker C: And would you say, Sam, given, like, all of the events and global warming, etc., but equally I would say just people out there online, they're just not as forgiving as they used to be back in the day when something would happen. Like, someone has an issue for 30 minutes and straight away they're already on X complaining about, oh well, I can't access, you know, my NetBank or something, or my CBA application. I see it all the time. So would you say that that sort of adds to it as well, in terms of that PR, media, customers complaining a little bit quicker than perhaps before? Whereas, like, back in the day when I was in Queensland, a cyclone would happen, like, we'd sort of just have to stay put, because, like, the Internet sort of wasn't really around, so there's nothing to really do, and you couldn't really call anyone up because the phones were down. So I don't know whether it's just because of the whole digital world and people now have a voice to be able to talk about their frustrations out in the public. But do you think that sort of weighs on these folks as well?
[00:25:03] Speaker A: It does. In the conversation I had earlier in the week, the key thing was that if they could provide a time when their customers would be back on supply, then the customers were okay with that, even if it was sort of two or three days down the track. If they couldn't provide a time, like an estimated time of restoring services, then that's when the complaints happen. We're all humans and we like to have some certainty, even if it's only estimated certainty. But if you know that, say it's Thursday today and you're looking at, you're going to have your service back on, even if it was Sunday lunchtime, you can now plan for that. You're like, okay, that's kind of what it is. I can now plan my life around it, plan the activities. I know it's coming back around lunchtime, might be a bit earlier, it might be a bit later, and you can go and plan for that. And you're okay with it because you've got some relative certainty. So I guess that puts some demands on, because it's quite a complex thing to be able to give a customer that, say, for an energy company. So I spent quite a lot of time working at a distributor, and you need to be able to crunch the data. So you need to be able to understand how many other people are off supply, roughly how many field crews you've got, how much surge staffing you can bring on, how many field crews you can get out in time, considering that the roads might not be clear, and then considering that you've got to get all the sequential power lines up and running to get to that customer's house. How do you forecast that across a geographic area? That's where that data, crunching that data, you know, in both ways, I guess, you know, social media gets more visible because people are talking about it.
On the flip side, you've got more tools at your disposal in regards to better business models of calculating restoration, and that can give the customer certainty, and then they can be more at ease about, okay, I'm getting my power back then, and they can plan the rest of their recovery efforts around that personally, in their own home.
[00:26:45] Speaker C: Yeah, this is really great that you address that, because if I look at, like, an airline company, for example, I think someone recently was upset because online the airline said, hey, you know, we're going to take off now. And obviously things change. And they just kept saying this is the new sort of time we'd be departing, but they kept changing it. So going back to your point, when you've got the data to be able to indicate, hey, you know, your power is going to be back on on the Sunday, you can plan for that. But what about when that doesn't go to plan and it's like, oh, now we have to go back, it's going to be a Monday? So do you think that becomes difficult when things do go wrong? Of course we want to get people back up and running by the Sunday. But again, we've already said it's Sunday, now it's going to be Monday, and now we have to go back. So would you say that people then should go back to say, well, we're having a little bit more difficulty, so it might then be Monday? How does that sort of then work? Because I do see your point. People are eased if they sort of have this arbitrary timeline, or the timeline given by these companies. But again, if people miss, that's when I start to see the angst and the rage start to permeate more online.
[00:27:51] Speaker A: Yeah, those estimations need to be relatively accurate, I would say, and you've probably only got, you know, one or two chances at changing them or updating them. If they get too many updates, then you're going to start to get backlash. In the power example, I guess the customers are trying to work out if they need to go down to a hardware store to buy a generator or not. That's probably what they're trying to work out. Can they manage till that Sunday, in the example? Can they manage till Sunday without a generator, or do they need to go and borrow one? Obviously, you know, flights are extremely emotionally sensitive, particularly because you're often at the airport already and it's not particularly comfortable for any length of time, at least. So, you know, sensitivity is probably exceptionally high when you're at the airport, and obviously flight patterns and aircraft are very challenging things to time, and yeah, with that timing you've probably only got a small window of how many times you can change it.
[00:28:44] Speaker C: Yeah. This is interesting because it sort of leads me to my next sort of point I want to talk with you about, which is obviously we know about the CrowdStrike outage that happened last year and, perhaps to a lesser degree, Salt Typhoon and so forth, things that have been out there in terms of the impact they've had. But would you say, if some of these issues aren't addressed, like the control rooms, et cetera, bringing more alignment with security and physical teams, like, where do you think, like, as an industry, like, what sort of path would you say we're headed down then?
[00:29:12] Speaker A: Yeah. So maybe just touching on that. So people are probably aware of CrowdStrike because it affected quite a lot of people worldwide. Obviously it wasn't a cyber attack, but it was sort of an example of what cascading failures would look like when you've got a fundamental underlying system that fails, and that causes cascading failures across all sorts of different physical systems and, you know, customer systems, retail systems, supermarkets, all those sorts of things. So it's a good example of what could happen. And then Salt Typhoon, if people aren't aware, this is an adversary believed to be a nation state backed adversary, particularly focused on the US telecoms networks. So it's infiltrated actually 11 telecoms networks. So it's not just one or two of the smaller ones, it's actually impacted the big ones. So Verizon, T-Mobile and many other networks over there, and they got in through some vulnerabilities in some networking hardware.
They've been listening in, and they've been listening in for many months on that data: phone calls, text messages. And so the agencies, as you know, the security agencies over there, the CIA, the FBI, have actually recommended to use encrypted communications, which is a backflip on what they used to say a couple of years ago. So they actually recommended using encrypted applications for phone calls and not to use the phone network. You know, things are really changing. So even agencies like that, the cyber security agencies in the US, are recommending quite differently to what they were recommending a couple of years ago. And so I think where we're heading is really that, you know, we need to protect the backbone of our networks, be that, you know, the electricity grid, the telecoms networks, and treat all of those areas as critically important to society. And that's why, you know, the Australian government has focused the Security of Critical Infrastructure Act, the SOCI Act, on including those sectors, to, you know, make sure that the Australian public get cybersecurity front and centre for those organisations, to make sure that we are securing them.
[00:31:07] Speaker C: Would you say that people are more focused on the application layer nowadays because of everything that's sort of there in terms of, like, people's priorities? Just as you're speaking, that's what just came up in my mind.
[00:31:20] Speaker A: There's an incredible cost to making sure everything's fully secure and, you know, that's perhaps probably not even really achievable even if there was the budget. Where's the balance? So most, you know, all organizations are looking for return on investment for balancing their books. And I guess what we're trying to do is work out where is that balance. And I think it needs to shift, in that before, you could put out products that were, you know, maybe not getting patches and updates even if they had software on them. And now, Australia last year released, the government released the Cyber Security Act, and now those products need to have updates should there be vulnerabilities in them, and a number of other requirements.
So how we design products, how we make them secure, is starting to become requirements out of not just our government but other governments worldwide. And it's something that organizations are going to need to factor in to how they design and build products and support them after they're released.
[00:32:16] Speaker C: So Sam, do you have any sort of closing comments or final thoughts you'd like to leave our audience with today?
[00:32:21] Speaker A: Yeah, I mean that sort of secure by design, secure by default and secure by operations, they're, like, emerging principles. In some cases it's becoming law. So that's really important. I guess I'm, you know, super passionate about this area. I've actually sort of recently started a cyber security for critical infrastructure community in Australia.
So if there are people who want to join that because they're interested, or hear more about it, yeah, just get in touch. Yeah, we look forward to helping protect modern day society through ensuring the security of our essential services.
[00:32:55] Speaker B: This is KBCast, the voice of cyber.
[00:32:59] Speaker C: Thanks for tuning in. For more industry leading news and thought provoking articles, visit KBI Media to get access today.
[00:33:07] Speaker B: This episode is brought to you by MercSec, your smarter route to security talent. MercSec Executive Search has helped enterprise organizations find the right people from around the world since 2012. Their on demand talent acquisition team helps startups and mid sized businesses scale faster and more efficiently.
Find out [email protected] today.