Building a secure digital future: educating cybersecurity professionals
Speech by Assistant Commissioner, Dispute Resolution, Andrew Solomon, to the National Cybersecurity Summit, University of New South Wales in Sydney
[Note: This is an edited version of the address for web publication]
Good afternoon everyone. On behalf of the Australian Information Commissioner, Angelene Falk, I’m very pleased to be able to contribute to this important summit on cybersecurity education.
Commissioner Falk, who unfortunately is not able to be here today, had been greatly looking forward to this opportunity to speak with you all. The education and skills development of the next generation of cybersecurity professionals is of great personal interest to the Commissioner and she acknowledges Professor Richard Buckland’s considerable efforts in advancing that agenda.
The theme of ‘building a secure digital future’ goes to the heart of our office’s vision, that is, increasing public trust and confidence in the protection of personal information.
And it would be no surprise to anyone here that concerns about the privacy and security of our personal information are growing globally.
This increasing awareness of the value and risks associated with our personal information is a top order issue for the community, for business and for governments and regulators around the world.
And as we can see by the range of participants here today — it’s a significant issue for educators, cyber experts and our future cyber leaders.
So today, I’d like to talk about how everyone here has a crucial role to play in securing our digital privacy, both now and into the future. I’ll cover three things:
- the human factor in digital privacy, and its impact and cost
- what privacy means, our office’s role and some of the challenges we’re facing in the current environment, and
- how privacy is interlinked with cybersecurity. In other words, what do you need to know, as our cyber leaders, about keeping our personal information safe and earning the trust of the people who share it with you?
The human factor
It can be easy, when we’re talking about data, systems and processes, and technology, to forget what underpins all of that is people.
In our data-driven economy, our personal information is an essential and valuable economic input.
It’s people — for the time being anyway! — who create the databases and data lakes and ways of collecting and storing our information.
And it’s people who are behind the cyberattacks and who cause the human errors — and some say even the system faults — that result in data breaches.
In the context of data breaches, it’s what we have been calling the ‘human factor’.
While businesses’ reputations and finances may be affected, we can’t ever forget that it’s people who suffer the ultimate consequences.
Impact of a data breach
So what does that look like for the average person whose privacy is breached, that is, when there is unauthorised access to, disclosure of, or loss of their personal information?
The costs can be significant — not just in time and money, but the emotional toll.
In some cases there can be a risk of physical or psychological harm, and in extreme cases the harm can be life-threatening.
One Queensland case that’s been widely reported involved a woman’s personal information being accessed through a police database and leaked to her abusive former partner. That forced her to go into hiding, fearing for her safety.
This was a data breach that created great distress, significant safety fears and material harm to the individual involved, including the cost of relocating her family.
Impact on people
According to the national identity and cyber-support service IDCARE, trying to prevent the damage a data breach can cause, for example, to keep your identity and your accounts safe, takes the average person more than 27 hours of solid work.
It involves more than 60 individual tasks — and it’s up to the consumer to perform almost 50 of these steps themselves.
These include tasks like changing an email address, changing a phone number, changing log-ins, replacing identity documents, cancelling and replacing credit cards — the list goes on. The impact of navigating the multiple organisations and tasks required to remedy the effect of the breach can be significant.
The impact of a data breach can also be delayed, in ways that can exacerbate the harms experienced by the affected individuals. For example, an individual may not realise that their identity has been successfully stolen until they apply for finance and the credit provider conducts a check of their credit report. The potential for harm may then be compounded where defaults have been listed against the individual’s report, and there is a time-sensitive financial decision to be made, such as a home loan application.
And some damage cannot be undone. Some information cannot be changed and this can have damaging effects for many years as the information circulates around the digital world.
Some statistics on the costs of data breaches
According to a 2016 Attorney-General’s Department report, identity crime and misuse costs $2.6 billion a year.
This includes direct and indirect losses incurred by individuals and government agencies, the costs recorded by police and the costs of seeking to prevent and respond to identity crime.
And the cost of a data breach to business is growing, now an average of $3 million per incident in Australia according to the latest Ponemon Institute survey.
Where businesses fail to take reasonable steps to protect personal information, significant regulatory costs or fines may also follow.
The recent US Federal Trade Commission (FTC) and New York State settlement with Google over violations of children’s privacy laws by its YouTube service amounted to A$250 million.
Facebook has also been penalised A$7 billion for failing to respect users’ privacy, again by the FTC.
And in January this year, the French privacy regulator, CNIL, imposed a financial penalty of 50 million euros on Google for lack of transparency, inadequate information and lack of valid consent in the processing of the personal data of its users.
I note the Australian Government in the 2019 budget flagged a new Code and increased penalties to help strengthen online protections for personal information.
What is privacy?
So what’s at stake here — what is privacy? Not just as a legislative concept, but what it means to the individual.
Privacy is a fundamental human right recognised in the UN Declaration of Human Rights.
Information privacy, which is what our office deals with, is about protections in relation to collection and the handling of information that says who we are, what we do and what we believe.
It can be anything from your name to your most sensitive medical records. It includes your photo, your political opinions and religious beliefs, your fingerprint, voice print, iris, and a wide range of other information or opinion where you are reasonably identifiable.
Personal information is highly valuable — to you, and to the organisations and government agencies we deal with.
Australia’s Privacy Act 1988 gives us rights, including:
- to know why our personal information is being collected, how it will be used and who it will be disclosed to
- to ask for access to our personal information, and
- to have organisations properly secure the information and make sure it is accurate before using or disclosing it.
Securing personal information
As the value of personal information to the economy and to innovation has grown rapidly over recent years, so has the volume of that information that is being held by organisations.
People are moving more of their lives online and businesses of all sizes are collecting more and more information on individuals and aggregating it in data sets that give whole-of-life profiles of their customers.
New technologies are being adopted, many of which are designed to reflect principles of convenience and ‘customer experience’ — but is appropriate thought given to security?
In this context, how business and government manage data is ever more critical to our prosperity and to our online safety and security.
It’s why we are working closely with the Australian Cyber Security Centre and other agencies to share information on the risks and how to guard against them.
Interface between privacy and cybersecurity
But the interface between privacy and cybersecurity warrants further consideration.
We need to avoid treating them as separate or discrete domains that are managed by different sets of stakeholders in an organisation.
- Privacy governs how personally identifiable information should be collected, used, shared and retained, and how it is made accessible to the person it is about.
- Security restricts access to sensitive data and protects it from unauthorised access during collection, storage and transmission.
In this way the two areas work hand in hand, each informed by the other.
We also have to accept that we may never have completely secure digital systems or networks that are impervious to either a malicious attack or an inadvertent breach — and we must use this acknowledgement as the starting point for thinking about how much personal information we are collecting, the type of personal information we are collecting, and how we are storing and transmitting it.
Many systems and networks are still reliant on code and programming languages developed before we understood fully the threats posed by malicious cyber actors or how interconnected networks, technologies and people would become.
And, in our rush to build new digital domains and adopt new technologies in our lives, particularly through the ‘Internet of Things’, we risk neglecting the idea of ‘security and privacy by design’ and what the interplay of all these new technologies — many of which collect information about people, their lives and their interactions — mean for our privacy.
This is creating long-term challenges to our ability to meet our privacy and cybersecurity obligations and the community’s expectations.
Notifiable data breaches
However, on a brighter note, a key measure that is driving improvements to organisations’ cybersecurity is the mandatory Notifiable Data Breaches (or ‘NDB’) scheme, introduced just over 18 months ago.
A primary goal of the NDB scheme is to give individuals early warning when their personal information has been compromised, so they can take action to prevent or minimise harm.
It’s now a legal requirement for organisations to carry out an assessment within a short period whenever there has been an actual or suspected data breach.
If serious harm is likely to result, they must notify affected individuals as soon as possible so they can take action to address the possible consequences. Our office must also be notified.
Assessing possible harm is an essential capability in your cybersecurity toolkit.
The prospect of serious financial harm resulting from breaches of financial information, like a credit card number, or identity information, like a passport, driver’s licence or tax file number, appears to be well understood and regularly triggers data breach notifications.
It’s among the most valuable personal information traded on the dark web.
But it can be more difficult to assess harm when contact details or health information is breached.
This type of breach may not have immediate consequences, in the same way as losing credit card information, but it can enable criminal or other activity that could result in very serious harm over time.
Organisations entrusted with personal information may need to take a longer term approach to monitoring and responding to the risk of harm to affected individuals in these circumstances.
NDB Statistics 2018-19
We now have more than a year’s worth of evidence about the nature of breaches reported to us under the NDB scheme and there are some important conclusions to be drawn for all professionals working with data management and security.
Malicious or criminal attacks remain the predominant cause (62%). Of these, two-thirds were linked to common cyber threats such as phishing, malware, ransomware, brute-force attacks, compromised or stolen credentials and other forms of hacking.
Human error accounts for a third (34%). Typically this involved mistakes such as sending personal information to the wrong email address.
System faults accounted for the remainder (about 4%).
The ‘human factor’ features strongly across all data breaches.
Whether it’s sending information to the wrong person or clicking on a phishing link, employees are centrally involved in many breaches.
This tells us that organisations need to put much more effort into supporting staff to get privacy right, to understand the risks and how to mitigate them.
Data breach prevention — best practice
Now that the NDB scheme has established a clear baseline of evidence for organisations to act on, we need cybersecurity experts to be our champions in helping make the case to boards and senior executives.
Your role is critical in ensuring an organisation’s leaders and people are informed and take effective action to manage these risks.
For us, best practice in preventing data breaches has five key components. They are:
- Training your people in basic account and device security, strong password/passphrase use, and how to detect and report threats such as phishing. This should extend to data handling practices and how to report suspected privacy breaches
- Having a comprehensive understanding of your data holdings, including personal information, and how a data breach could affect your customers, so you can quickly assess the impact when a breach occurs
- Prioritising investment in preventative technologies and processes to strengthen the overall security posture of the organisation in line with known security risks
- Thoroughly preparing and rehearsing different potential data breach scenarios so you can manage any incident that occurs and mitigate the impact, and
- Putting the customer at the centre of your data breach response plan, being transparent and communicating clear facts and advice will help them navigate the situation — and help you restore trust.
Because trust is an essential ingredient in the exchange of personal information.
Global privacy landscape
For our digital economy to flourish, it needs to have the confidence of the consumer — and at the moment, that’s in deficit.
That’s no surprise given the large number of high-profile data breaches over the past few years.
Facebook is a case in point, and the OAIC’s investigation into its personal information handling practices and the Cambridge Analytica incident is well advanced.
At one time, the company’s mantra was to ‘Move Fast and Break Things’ — clearly, that approach is not acceptable when it comes to privacy, to the community, government or regulators.
Last month, our Commissioner and her counterpart in the UK brought together privacy and data protection regulators from the US, Europe, Canada and elsewhere to jointly put Facebook on notice over its proposed Libra cryptocurrency system.
The Commissioners want assurances that Facebook is building in privacy protections from the ground up.
This is just one example of how privacy regulators around the world are working together to align best practice and work towards interoperable privacy standards and enforcement, in an era when personal information has no national borders.
We are also working closely with the Australian competition regulator, the Australian Competition and Consumer Commission, the ACCC, on tighter regulation of digital platforms, including strong protections for our personal information.
Looking to the future: cybersecurity education
At the OAIC we often find ourselves dealing with the fall-out from a data breach. From our experience with the NDB scheme, and your own experience at the coalface, it’s clear that cybersecurity awareness is increasingly important.
It’s how we can try to manage the human factor and guard against the increasingly sophisticated cyber attacks we are seeing here and around the world.
But there’s a critical step that comes well before that — building better safeguards for our personal information into our systems from the ground up; making privacy protections an integral part of our cybersecurity approach.
The key point I would like to make today is that you, the emerging cybersecurity professionals making your mark in this challenging new world, also need to see yourselves as first-rate privacy professionals safeguarding everyone’s privacy and security online.
So how can the cybersecurity professional become fluent in the language of privacy?
There are some core privacy considerations that should be part of the educational foundation for our next generation of cyber leaders.
The information lifecycle
First, how to incorporate the information lifecycle in every aspect of online security.
This extends from the initial collection of information, through to how and why it will be used and disclosed, how it will be safely and securely stored, and how it will be disposed of or managed when it is no longer needed.
A basic principle is to collect only the personal information that is essential to requirements, to be prepared to give a full and detailed justification for why it is being collected and, for sensitive information, to obtain informed consent before collecting it.
Our experience is that cybersecurity professionals already give detailed attention to the safe and secure storage of personal information.
But you also need to consider how to manage personal information when it’s no longer needed. This means building processes into systems to permanently remove or effectively de-identify the information.
Just recently, the Victorian Department of Transport was pulled up by the state privacy regulator when de-identified information about users of the myki public transport card system was re-identified. This is an area where there is a lot more work to do.
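To make the re-identification point concrete, here is an added example. It is constructed for this page and is not code, data or analysis from the address, and it does not model the actual myki data set; every card ID, stop and trip in it is made up. It shows why swapping a card number for a random token is not, on its own, de-identification: an observer who already knows a few of a person’s trips can link them to exactly one token in the released data. It then shows the same linkage against a release that generalises the events (dropping dates and bucketing times into AM/PM), where the same known facts leave several candidates rather than one.

```python
"""Added example: linkage attack on token-substituted ("pseudonymised")
event-level data. Constructed for illustration; all cards, stops and trips
below are made up and do not model any real transport data set."""
import secrets

# Constructed touch-on records: card_id -> list of (date, hour, stop).
RAW_TRIPS = {
    "C1": [("2019-03-04", 8, "Richmond"), ("2019-03-04", 17, "Flinders St"),
           ("2019-03-05", 8, "Richmond"), ("2019-03-05", 18, "Flinders St")],
    "C2": [("2019-03-04", 8, "Richmond"), ("2019-03-04", 17, "Flinders St"),
           ("2019-03-05", 9, "Richmond"), ("2019-03-05", 17, "Flinders St")],
    "C3": [("2019-03-04", 8, "Box Hill"), ("2019-03-04", 18, "Flinders St"),
           ("2019-03-05", 8, "Box Hill")],
    "C4": [("2019-03-04", 7, "Richmond"), ("2019-03-04", 17, "Southern Cross")],
    "C5": [("2019-03-04", 8, "Richmond"), ("2019-03-05", 8, "Richmond"),
           ("2019-03-05", 17, "Flinders St")],
    "C6": [("2019-03-04", 8, "Richmond"), ("2019-03-04", 17, "Flinders St"),
           ("2019-03-05", 8, "Richmond")],
}

# What an observer already knows about the target (the holder of card C1):
# three sightings at a station, each with a date and hour. Constructed.
KNOWN_SIGHTINGS = [
    ("2019-03-04", 8, "Richmond"),
    ("2019-03-05", 8, "Richmond"),
    ("2019-03-05", 18, "Flinders St"),
]


def pseudonymise(trips):
    """Replace each card ID with a random token but publish every event
    unchanged. Returns (release, mapping). The mapping stays private; the
    attack below never needs it."""
    mapping = {card: secrets.token_hex(8) for card in trips}
    release = {mapping[card]: list(events) for card, events in trips.items()}
    return release, mapping


def generalise(event):
    """Coarsen one event: drop the date and bucket the hour into AM/PM."""
    _date, hour, stop = event
    return ("AM" if hour < 12 else "PM", stop)


def coarsen(release):
    """Generalise every event of every token, so that many tokens end up
    with identical event sets and a handful of known facts no longer
    single one token out."""
    return {tok: {generalise(e) for e in events} for tok, events in release.items()}


def link(release, known_events):
    """Linkage attack: return the tokens whose published events contain
    every event the attacker already knows about the target."""
    known = set(known_events)
    return [tok for tok, events in release.items() if known <= set(events)]


def demo():
    """Run the attack against the fine-grained and the coarsened release.
    Returns (matches_fine, hit_is_target, matches_coarse)."""
    release, mapping = pseudonymise(RAW_TRIPS)
    fine = link(release, KNOWN_SIGHTINGS)
    coarse = link(coarsen(release), {generalise(e) for e in KNOWN_SIGHTINGS})
    return len(fine), fine == [mapping["C1"]], len(coarse)


if __name__ == "__main__":
    n_fine, hit, n_coarse = demo()
    print(f"token-only release: {n_fine} candidate(s), target found: {hit}")
    print(f"generalised release: {n_coarse} candidate(s)")
```

The practical check this suggests is to run exactly this kind of linkage against your own proposed release, using the auxiliary knowledge a motivated observer could plausibly have (a few dates, places or times), before anything is published or shared. Where a small number of facts still pins down one record, the data is not de-identified, whatever the field names say; the options are to generalise or aggregate further, or not to release event-level data at all and instead delete it once the purpose for which it was collected has been served.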
Privacy by design
Next, what we call ‘privacy by design’ needs to be well understood.
Just like ‘security by design’, this means building privacy into the design specifications and architecture of new systems and processes.
It’s more effective and efficient to manage privacy risks proactively, rather than to retrospectively attempt to alter a product or service to address privacy issues that come to light.
Privacy by design also involves making privacy the default setting in all the systems and processes you build. Individuals should not have to resort to self-help to protect their privacy; the default setting should be privacy preserving.
To build in privacy safeguards, you need to fully understand the privacy impacts. This means mapping the information lifecycle, considering risks and mitigation strategies and working out what would happen if the project changes in size or scope.
How people interact with technology
Finally, the human factor.
As cyber experts you need to consider how people interact with technology, in order to anticipate the risks.
We may be impatient to achieve a result online and fail to take due care, or assume a site is safe because it appears to be safe.
We may take shortcuts such as using the same password for multiple sites.
The human element will always be there.
So understanding human behaviour and how to work with the human-technology interface has to be part of your core training.
And you must recognise that your own awareness raising and training of senior management and other employees in your organisation is also a critical part of your role.
To conclude I’d like to share with you a possible ‘Introduction to privacy for the cybersecurity professional’ (shown on this slide) with acknowledgement to R. Jason Cronk for the Privacy by Design steps.
As you can see, privacy by design is at the core — understanding what privacy is, understanding what it means to people and understanding how to integrate it into everything you, as professionals, design, build and manage.
I think the rapidly evolving challenges are what makes it such an exciting time to work in our fields of data protection and cybersecurity.
Cybersecurity professionals have never been in more demand, and your training and capabilities are essential to keeping our personal information secure.
We can see that the ever-increasing body of personal information available, and the recognition of its power and value as a commodity, is increasing both opportunity and risk.
The upcoming Consumer Data Right gives consumers more choice and control over their personal information held by particular organisations.
The Consumer Data Right offers great potential for business growth and innovation, provided consumers can have confidence in the way their data is handled. We’re building in strong privacy safeguards to the system to help make that a reality.
It’s a great example of why privacy has to be part of the foundation when you are establishing or updating your products and systems, and not just the window dressing. It needs to stand alongside security considerations from the outset, not as an add-on.
By understanding the information lifecycle, from collection to storage, to destruction; by taking a privacy by design approach; and by recognising the human element in how we interact with data, our future cyber leaders will be well equipped to help take us into a safe and people-centred digital future.