People skills vital for cybersecurity: Australia cyber research CEO

By Chia Jie Lin

Exclusive interview with Rachael Falk, Chief Executive Officer of the Cybersecurity Cooperative Research Centre in Australia.

Australia is under a cyber siege. The country currently receives more cyber attacks than any other country in the Asia Pacific, the Cisco 2018 Asia Pacific Security Capabilities Benchmark Study has revealed. The study found that 90% of its companies receive up to 5,000 threats a day, with one-third of these companies facing over 100,000 threats daily.

But unlike some of its Asia Pacific neighbours, the country is not facing a dearth of cybersecurity talent. “I’m not convinced that there is a shortage of technically-skilled talent. We have a larger problem being the perception that cyber is just a technical area,” Rachael Falk, CEO of the Cybersecurity Cooperative Research Centre (CSCRC), tells GovInsider. The centre was set up last year to facilitate collaborative research between academic, government and industry actors to deter cyber attacks from state-sponsored hackers and organised criminals.

In an exclusive interview, Falk shares her views on the skills that the cybersecurity sector needs, the importance of collaboration, and plans for the CSCRC.

More than technical skills

The cybersecurity sector needs people with a “multiplicity of skills” outside of tech who can “think critically and challenge assumptions”, remarks Falk, who has worked as a lawyer and then as general manager of Australia’s largest telecommunications company. “Technical people - absolutely they are important, but so are a whole range of people with diverse academic backgrounds,” she adds.

Falk's former work experiences have equipped her with communication skills that are essential in bringing different public and private actors to work on cybersecurity together. “I have a private sector background, so I understand the culture; this means I am well-placed to address the challenges of getting researchers and industry to collaborate, and to help both sides think about how to articulate and solve cybersecurity risks,” she notes.

Cybersecurity issues and solutions often run the risk of being too convoluted and complex for the common citizen, but the key to robust security is making it accessible for all. “I’m a big believer in user-friendly cybersecurity," Falk notes. “Throughout my career in cybersecurity, I’ve focused on making technical issues accessible and understandable to everyone.”

Collaboration is key

Australia’s cybersecurity ecosystem is largely “fragmented”, says Falk, “unlike in the US where there is quite a close relationship between universities and Silicon Valley”. This often leaves good cybersecurity solutions that can be scaled commercially underfunded, while private sector companies lack the expertise that cyber researchers can provide. “There is a missing link,” she notes.

This lack of coordinated cybersecurity efforts has left both public and private institutions wide open to cyber attacks. “The private sector is grappling with cyber security risk just like government is as well,” Falk remarks. For one, a group of state-backed hackers from North Korea are likely to be targeting Australian banks, according to a 2018 study by cybersecurity firm FireEye.

Since 2014, the North Korean hacker group, dubbed APT 38, has attempted to steal over US$1.1 billion from countries in the Asia Pacific. Recent investigations by FireEye has revealed that Australian SWIFT banking codes and IP addresses were present in the malware used by APT 38, suggesting that Australian financial institutions are likely to be the group’s next targets.

The CSCRC was then borne out of a federal and industry-led initiative to bring the public and private actors together to co-develop cybersecurity solutions. “This is a space that the CSCRC has a big role in, and seeks primarily to make a difference,” Falk says.

Enabling cooperative research

The centre’s leading focus is to launch research projects to develop “systems, architecture and software solutions” to help protect the critical infrastructure across public and private institutions. “We have research projects right now that are focused on building the cyber security resilience of Australia’s critical infrastructure”, she notes. “This program will deliver outputs that benefit government, cyber security provides, large and SME consumers of cyber security and the community,” she adds.

The centre’s researchers are now developing cybersecurity products and services to make it safer for people to conduct business online. Their goal is to improve trust in digital services, according to Falk. “This is critically important given that almost everything we do is in a connected world,” she remarks. “They can know when to trust digital services and how to take advantage of the digital economy without compromising the integrity of their data or information systems,” she adds.

As the risks of major cyber attacks continue to skyrocket, it is increasingly important for Australia to grow a robust pool of cybersecurity experts. And Falk wants to train one particular demographic: Australian students. “Getting students involved and working on CSCRC projects to deliver research with impact”, she says, is a top priority for the coming year. “By developing and funding researchers and students, we are building Australia’s sovereign capability, so that Australia has the capability to protect its own infrastructure,” she says.

The federal government has committed AUD$50 million (US$36 million) to fund the centre's operations over the next seven years, with another AUD$89 million (US$64 million) from a total of 25 industry, research and government partners. Various government agencies have since joined in this initiative, including the Attorney General's Department, Department of Defence, Data61 and the Australian Taxation Office.

The cooperative research centre follows from sustained efforts by the Australian government to develop cybersecurity capabilities across the country. In December 2016, the government launched a national cybersecurity growth network - AustCyber, for short - that connects cybersecurity projects from nodes across cities to defend the nation’s cyber networks from organised criminals and state-sponsored attacks. The not-for-profit initiative is part of the government’s AUD$250-million (US$180 million) investment plan that aims to grow cybersecurity capabilities for industry and government.

It is just a year into the CSCRC’s operations, and the centre is still in a “start-up mode”, Falk notes. In 2019, the CEO wants to “move out of start-up mode” and build on the centre's emerging pipeline of research projects and activities to develop cybersecurity solutions steadily and regularly.

But at the end of it, it is the people, and not the tech, that need to be at the heart of cybersecurity efforts. “So much of cybersecurity relies on the human factor,” Falk emphasises.