It seemed like a good idea at the time. Roll the government’s Australian Cyber Security Centre (ACSC) conference into the professional Australian Information Security Association (AISA) conference to create a great, big, mega cyber-conference.
But from day one, it’s looked like this might not have been such a good idea after all.
Succumbing to what this writer understands to have been very heavy pressure from a “partner” — the ACSC of course — AISA dumped two speakers from the program with only a week’s notice.
The speakers were told they were “incongruent” with the content of CyberCon, officially known as the Australian Cybersecurity Conference, which kicked off in Melbourne on Tuesday. No further information has been given.
One speaker was Thomas Drake, a whistleblower formerly of the US National Security Agency (NSA), who was scheduled to speak about the state of digital surveillance by both government and commercial entities.
The other was Dr Suelette Dreyfus from the Department of Computing and Information Systems at the University of Melbourne, who was to speak on technology that could enable secure communication by whistleblowers.
At the time of writing, neither AISA nor the ACSC has responded to media requests for comment.
The Australian government is rather focused on whistleblowers these days, however, so it’s not hard to guess why the ACSC might want to suppress discussion of whistleblowing — or is under political pressure to do so.
The Australian Federal Police (AFP) reckons journalists’ networks are a national security risk, for example. The Witness K saga, meanwhile, highlights the lengths to which the government would be prepared to go to hide potential misconduct by our intelligence agencies.
The ACSC has also been trying to limit reporting on some of the sessions it sponsored by barring media from attending what were labelled “closed sessions”.
One such session on Tuesday was described as an “international panel”.
It featured Dr Ian Levy, technical director at the UK’s National Cyber Security Centre (NCSC); Karl Hanmore, First Assistant Director-General for Engagement, Operations, and Intelligence at the Australian Signals Directorate (ASD); and Rob Pope, director of CERT New Zealand (CERT NZ).
While the media was banned, everyone else was free to tweet about what happened. It’s a public conference too, so literally anyone can attend, along with their smartphones.
Such tweets revealed that Levy began by calling out the organisers for assembling an all-male “manel”, and rightly so. Others discussed the need for more diversity in cybersecurity, ironically, and other such “threats” to national security.
Later, there was a session on the public consultation for Australia’s new cybersecurity strategy for 2020, the follow-up to the strategy released in 2016 when Malcolm Turnbull was Prime Minister.
That session was closed to the media too, but why? ZDNet’s non-media non-banned moles report that it contained nothing that isn’t already on the relevant Department of Home Affairs web page, a call for views.
One mole uncharitably described the session as being “boring as batshit”.
“The whole thing is being delivered in monotone. It’s torture,” they said.
It takes a particularly warped mind to imagine that a bland description of a public consultation process that’s already been published should be kept secret, but here we are.
Another closed session was an NCSC senior incident coordinator’s presentation titled “The boy who cried wolf — Was it already too late?”. I can only assume that cyber wolves are indeed a dire threat to national security.
Dumping Drake and Dreyfus is a bit of an own goal for ACSC, of course.
With 3,459 registered delegates at CyberCon, their messages might have been heard by a thousand people. Now, thanks to the Streisand Effect, thousands or tens of thousands more will want to look up their stories.
Go for it, folks.
Assuming that CyberCon is to remain a thing, the challenge for AISA and ACSC now is to decide who they’re serving. The interests of cybersecurity professionals? Or the interests of the Australian government?