JT: Brendan, what’s the impact on you as a bank when you’re under attack and attribution is the last thing on your mind and you’re going ‘who do we talk to?’
BG: We don’t care if it’s war or crime – we look to our trusted partners because they’ve got the intelligence of what’s happened and until we have honest conversations with other corporations we rely on them.
GI: A law enforcement officer is the only one who can put on a telephone or data intercept, unless it’s certain the Chinese or whoever have done this, or run controlled operations creating false bank accounts and false identities on these organisations.
TS: Police are not going to respond if there’s not a prosecution...
JT: Is that because they don’t have the resources to spread around?
GI: At commissioner level e-crime is seen as a priority and investigators say the same. But at the deputy commissioner level, they ask, how can I say crimes were reduced? Police metrics of success must change. If you saw an operation the AFP recently did – I can’t talk about what it was – but they disrupted operations of the miscreants, shutting down the flow of money.
AM: Law enforcement is a stiff broom that moves crime to a spot that’s away from the rest of us and that’s the attitude law enforcement needs to take when it comes to online crime. But law enforcement hasn't been a powerful lobby because they’ve been dysfunctional internally. And the most likely place for a citizen to go to is their local police – whether it has jurisdiction is neither here nor there.
MS: Everyone wants critical infrastructure to be secure so do you fine them if they’re not or do you build incentives through which they grow into security because it eases their burden?
KP: Government needs either a bigger stick or start having other incentives. The problem we’ve got is a lot of people aren’t even aware of the problem or aren’t making the investments in order to get themselves more secure.
TS: Two or three years ago I was in the camp of no legislation. I ran operations, I wasn’t overly concerned with policy but I got engaged in the policy committees and there was a lot of debate about regulation. The ISP Code of Conduct is a classic case...
MS: Thank you for giving us that...
TS: ...An ISP has thousands of endpoints and yet we do nothing to secure them. The I-Code should be regulated. ISPs say it’s too hard but you can do it: when you subscribe to an ISP they give you a security package, you pay for it, but if you don’t update it they cut you off.
MS: Let’s say someone connects to an ISP and they’re massively impacted, we have a choice – allow them to continue on the internet and cause harm or put them in a walled garden until they patch?
GI: Walled gardens would have been a good discussion to have three years ago. Now, the user can’t do anything about malware.
EB: The idea of information sharing and bringing in players with common interests, that’s something that the Commonwealth could do.
AM: Bureaucrats say we’re already doing that, trusted information sharing, and the reality is it is not working; talk to Brendan he says no one really talks to each other.
MS: We look at ISPs as the client connection and the 'core'. If it’s run more securely and economically against another core that isn’t so secure, could you choose as an ISP whose core you run across?
KP: You pay a premium for clean-pipe services from provider A that provider B doesn’t have, so you pay $10 more and they filter them out.
MS: Or if you want a dirty pipe you pay a lot of money, you want a clean pipe you pay less because you’re not getting the filth. But no one's thought of inverting price structure.