Subscribe
Share
Share
Embed
Technology and Security (TS) explores the intersections of emerging technologies and security. It is hosted by Dr Miah Hammond-Errey. Each month, experts in technology and security join Miah to discuss pressing issues, policy debates, international developments, and share leadership and career advice. https://miahhe.com/about-ts | https://stratfutures.com
Transcript: please check against delivery
[00:00:01] Dr Miah Hammond-Errey: Welcome to Technology and Security. Bts is a podcast exploring the intersections of emerging technologies and national security. I'm your host, Doctor Miah Hammond-Errey. My guest today is Michelle McGuinness. Thanks for joining me. You're welcome. Pleasure to be here. Lieutenant General Michelle McGuinness is Australia's national cyber security coordinator. Prior to this appointment, she served as deputy Director, Commonwealth Integration in the US Defense Intelligence Agency. She has served in the Australian Defence Force for 30 years, in a range of tactical, operational and strategic roles in Australia and overseas. We're coming to you today from the lands of the Gadigal people. I pay my respects to their elders, past, present and emerging and acknowledge their continuing connection to land, sea and community. So, as Australia's National Cyber Security Coordinator, you lead the coordination of responses to major cyber incidents. You lead whole of government policy and cyber incident preparedness efforts and the strengthening of Commonwealth cyber security capability. You've been in the role since February. What did your 100 day report say?
[00:01:08] Lt Gen Michelle McGuinness: Well, Miah, thank you. You know, the 100 days, I was really just reflecting on what a language I'd learnt, what a distinct shift some of that's got to do with my history. I am a serving army officer, so I changed departments. I seconded into home Affairs. Whilst I'm intimately familiar with the threat and the complex environment around our cyber security threats, this was a whole new level for me personally. At 100 days I was able to reflect on really the organisation, the National Office of Cyber Security hadn't yet existed for a year, and the coordinator had not existed for six months. At that point, it became clear that really there was a little more to do in aligning the roles and responsibilities as directed to me and the way we were structured to be able to get after that fantastic and ambitious vision in the strategy of being a world leading cyber nation by 2030. So there was a little bit of internal housekeeping that was reflecting on really feeling like I knew enough to direct and move forward with clear, distinct priorities on what needed to be done next. And so.
[00:02:22] Dr Miah Hammond-Errey: Can you give us some insight into what those priorities and kind of movement have been?
[00:02:26] Lt Gen Michelle McGuinness: So I think the key thing, if I simplify my job down to the most basic level, I have three job jars. I have prevent, prepare for and respond to incidents. So that's a bit simplistic. But when I look at each of the functions that I do, they can fit into one of those in the prevent. It really comes down to quite a significant communications strategy, outreach across the nation, build the foundations. And there are so many things that our experts, including at the ACSC, at the Australian Cyber Security center tell us that we are empowered to take charge of our own security. So at the very basic level, encouraging and trying to communicate across Australia about the things that every individual can do. It also impacts small businesses. So cyber security threat from a criminal perspective is such a disproportionate impact on the small and medium businesses who don't have the resources, intellect. So there's been a big lot of uplift. We've got a range of initiatives from our engagement across the private sector and a really, really strong, genuine private public partnership all the way through to our attribution framework where we try to deter criminals in the future by taking action and partnering in the region and with our our major partners in the prepare for.
[00:03:41] Lt Gen Michelle McGuinness: There really is a very comprehensive exercise program. I run the National Exercise Program for Consequence Management and coordinating across government and industry, with a particular focus on our critical infrastructure sectors, building playbooks so that we can help collaborate with those sectors on how to respond rapidly. And that exercise, the heart of it. It builds trust. It builds trust and understanding. So the first time that I'm working with an entity or a sector and my team are that it's not we're not figuring out who we are, what we're doing and what we might bring in the middle of a crisis. We've had those conversations beforehand and then in the responding, well, that's what we do fairly frequently to minor and some more significant incidences. In any given week. We're monitoring and managing a couple of incidents across the economy. In the first 100 days, I'd say that there was probably half a dozen that we were monitoring of varying significance and impact across the economy at any one time.
[00:04:35] Dr Miah Hammond-Errey: Can you talk us through the coordination of responses to major cyber incidents.
[00:04:39] Lt Gen Michelle McGuinness: [00:04:39]Working with the team, the National Office of Cybersecurity, and we have a response unit. [00:04:43] We will get a call from either a C-suite leader, their lawyer, or from one of our colleagues, Acsc or the AFP. Sometimes I've got the call, and that's a testament to the potential consequence and also build on relationships. Sometimes some of my staff get a call, and at that point we really convey two key messages. First, if you haven't contacted the ax. Contact the ax because there's a technical remediation and support and understanding that we'd like to gain. And secondly, we immediately advise that they should be aware of their obligations under any regulatory notification. Beyond that, we seek to meet with the entity pretty rapidly and typically within hours to actually better as a as a team, as a coordinator, understand the nature of the business if we don't already, and the potential consequences, as well as their planned response and their preparedness for response. In that meeting, we'll outline what we will do to support that entity. And really the trick is in the title we coordinate. So we'll bring together the right government folk and industry folk who either have an equity or a stake or might be impacted in some cases. And really at the heart of it, it's helping that entity on what is potentially their their worst professional day to streamline their communications and identify very rapidly across the government and across other industry partners who it is needs to be involved moving forward and what they can do for them.
[00:06:09] Lt Gen Michelle McGuinness: It's actually from that point, we'll have an assessment on how significant the consequences are. And our Australian government crisis management framework, actually a new one was released last week by the Prime Minister. It actually clearly articulates the tiers. So there'll be a judgment at that point based on that framework as to the level of significance, which also drives, um, what level it might be managed. So you can think of a worst case where the Prime Minister will be involved. The Minister for Cyber Security, we now have a special envoy who's very focused on victims and supporting across the industry, whether I'll coordinated or whether it'll be something that my team will pull together one coordination meeting and help them connect to the to the right people and then move on. At that point, it will be clear to us, if I'm involved, whether or not I need to engage the National Emergency Management Agency and the National Coordination Mechanism, which I think CrowdStrike has probably taught a lot of Australia about that mechanism. And that is just another level of formal mechanism to bring people together. It's all about information gathering. It's all about understanding the needs of the victim. I'm there to try and rapidly identify the potential consequences and mitigate the harm for the most number of Australians across the economy. So it happens pretty quick.
[00:07:25] Dr Miah Hammond-Errey: [00:07:25]I'm often struck with cybersecurity just how broad the stakeholder groups are. [00:07:31] One of the key planks in that current education campaign is to regularly install software updates. And after the CrowdStrike update caused global chaos, you know, how can we be confident that installing updates is okay?
[00:07:46] Lt Gen Michelle McGuinness: Ultimately, and I rely on the Australian Signals Directorate for their world class technical advice here, but ultimately, I can't imagine any scenario where any business or citizen needs to be able to validate their software patch. So I think actually the checks and balances need to be at the other end on the provider. Crowdstrike was a fantastic activity for us as a government, and I'm incredibly proud of the way that we responded and watching the economy come together, using that mechanism to share issues that we could foresee and identify solutions and mitigations to potential harm that was coming. Absolutely. The advice remains update your software as fast as you can. You'd be astounded at the speed at which cyber criminals can exploit a vulnerability in an unpatched software. And when I look at the number of incidents we've dealt with, the complexity hasn't been the technical issue. It's been a known vulnerability. The consequence management is the very long tail and very harmful tail of an incident. I do feel like I'm giving a very basic message. Sometimes it's critical, but the evidence is there that very smart, capable, innovative companies and individuals are not doing it.
[00:09:04] Dr Miah Hammond-Errey: Just before we move on to cybersecurity threats, can you tell me a little bit more about the National Cyber Intel Partnership?
[00:09:11] Lt Gen Michelle McGuinness: I chair the National Cyber Intelligence Partnership. It brings together a diverse range of leaders across the economy from different sectors. The heart of this, really is the early decision to set up a working group to pilot some threat sharing and blocking. So we had one telco and one bank volunteer to partner together. But that bank got to a point where it was passing the threats that it couldn't deal with those that were seeking to imitate them or or fish and smash their customers across the telco. And they were blocking at a DNS level. It was really angelic and very small, but super exciting in proof of concept. It's it speaks to a few other initiatives, including the CTIS platform that ACSC has and is building and and we're looking forward to, um, that constant evolution in that capability. But it's really about industry sharing threats with industry and those that can, blocking them and building that trust around how do we how do we share what's happening because of the speed to the point you mentioned before, the speed at which things evolve and threats come out. So we're looking we're looking to automate it. We have now, um, for banks, all telcos and additional entities across food and grocery and other sectors, all waiting to jump in to see how they can also partake in this pilot. Ultimately, they're preparing and they're, you know, they've got the the ability to innovate much faster than we in government, but they've got the, um, intent to automate it and to get the best out of this pilot and then institutionalize it, which is super exciting.
[00:10:47] Dr Miah Hammond-Errey: What do you see as the highest priority cybersecurity threats for Australia at the moment?
[00:10:51] Lt Gen Michelle McGuinness: This is a two fold answer. We have a really large impact on the economy, disproportionate impact of criminals who are actually taking advantage of of our cyber posture or lack of strength there. And we are a rich target for cyber criminals. And by some assessments for incident response companies, they tell me, global companies tell me that we are disproportionately targeted, which is why, again, I come back to our uplift and our focus on strengthening our posture. And the other side of it, we've all heard and seen the reports out of Acsc and the attributions around state sponsored malicious cyber attacks. So to me, in the response part of my role on that first day one, I'm a little threat agnostic because I'm about reducing harm, but it is incredibly critical that we continue to monitor both and understand the impacts. Both of them have great potential to go cross-sectoral and to be catastrophic.
[00:11:51] Dr Miah Hammond-Errey: What do you see as the significance of data holdings? I'm thinking here of big data, but also individual privacy and cybersecurity. And can we actually make cyberspace secure without meaningful privacy protection?
[00:12:03] Lt Gen Michelle McGuinness: Yeah, I think I think we can't. If you're going to hold that kind of data, then you have an obligation to protect it better. I think digital ID plays a really important role. I think, you know, aligning and clarifying our legislation on data, holding requirements across different sectors, which are under review to make sure that we streamline and are clear. And the government is seeking to clarify that. And then it really is focusing on what is it that we need. What do we need to hold and at what cost?
[00:12:32] Dr Miah Hammond-Errey: Yeah, absolutely. And maybe not so much in your current role, but, you know, in your spare time, what emerging tech, what emerging technologies are you thinking about the most?
[00:12:41] Lt Gen Michelle McGuinness: I'm really thinking about AI and ML. Of course not. So emerging. They've already emerged, but huge potential. And in this role, I do think of it. How do we adopt them? Through a cyber safe lens? How do we ensure that we have a framework that we're not putting too great a onus on small businesses that are seeking to grow and flourish and innovate, but don't have the capacity to figure out, is this safe or not? We want Australians to be able to leverage the amazing opportunity of tech. So I think of it in that way. I do get some incredible briefs from some sovereign capability sovereign companies that come and share their technologies with me. You know, there are technologies out there that are looking to how do you reduce your attack surface on the internet at certain times? And I equate it to a kind of a military perspective of skids, where you turn on and off when you need to, but that that surface attack area is not there unless it's required. Of course, we have great developments in security and cloud and other things. It's a deep privilege in the job to have great exposure to our sovereign capabilities.
[00:13:41] Dr Miah Hammond-Errey: Because so many of the tools platforms that we rely on are applications on our phone that digital environment expands outside what we think of as critical infrastructure. Where does that leave us?
[00:14:05] Lt Gen Michelle McGuinness: I come back to my thoughts on, you know, automatic updates because the onus has to be on the manufacturer or on the provider, because, again, I'm not sure we we need to be able to inform ourselves and our population on what is safe. And I'm not sure that we're there. I'm not sure that we have the guardrails in place right now to make sure that whether it's my 12 year old daughter or my parents and their friends know which apps are useful to download and which ones are safe. Um, so without giving you standard lines, I am excited by the legislation that's currently going that's being discussed by the government around including Internet of Things standards, and there will be mandatory standards for those devices and moving on to applications and OT. And there will also be a the the view is that we'll have a co-designed voluntary code as well, that will be able to steer a consumer to have a better understanding of what is considered safe. This really has to be secure by design.
[00:15:02] Dr Miah Hammond-Errey: That would be a huge change because you're absolutely right. The software risk problem is burgeoning.
[00:15:13] Lt Gen Michelle McGuinness: Yeah, I mean we all go shopping and we all go looking to see what that energy rating is going to cost us. And we look for it in reviews and we look for a range of things. We don't have that same culture or or accessible information about our software and some of our Internet of Things devices as well. And I think that when we start getting those labelling and whether it be mandatory, mandatory at a minimum, but then the voluntary ones, it should be steering us to, you know, to really Invest in those capabilities that have thought about the security of the end user.
[00:15:43] Dr Miah Hammond-Errey: Are you concerned about the risks of software in electric vehicles? Obviously we've recently seen the US ban Chinese EVs or propose to, as well as a number of other national security interference and data collection risks. Where could that concern in software stop me?
[00:16:02] Lt Gen Michelle McGuinness: I'm an intelligence professional, so I am built to be suspicious and and I and I am definitely concerned. And it actually does drive, um, my family posture in a way that it didn't five years ago. The things that I buy, the things that I'm interested, the things that I'm reviewing, my kids devices and what they're doing, my vehicle, those things the government is looking very closely. And actually Home Affairs is engaging really proactively with the US to understand the impacts and what they're doing. And I know that our intelligence communities are incredibly close and understanding the threats and risks. There are different contexts that we all face, and there are obviously different levers and drivers that we all face. But ultimately, I think we're all becoming. Far more alert to the fact that you're right. There's not much that couldn't be leveraged through. Smart software and hardware, that there is endless opportunity for harm and for good. And I think we. Need to be alert to that and driving standards and and having a minimum secure by design standard. For a range of items is going to be the start.
[00:17:07] Dr Miah Hammond-Errey: I think you were in the US when the Australian Cyber Security Strategy 2023 to 2030. Was released. How was it received?
[00:17:14] Lt Gen Michelle McGuinness: Yeah, again, I was in a in a non cyber context really. However, I received it and my CIO and CSO and CDO folk who I was interacting a lot with because we were looking at interoperable technology in the IC. Colleagues commented how pithy and impactful. It's really streamlined and coherent. And I think the big impact and I've seen this before in the US, mass and size and strength strengths has its own absolute unique power. But for them to look and say, can you cohere that strategy that easily? And there's something about our size that makes us a little more able to manage and tie it together. So there was a lot of, wow, this looks like you can bring this all together.
[00:17:54] Dr Miah Hammond-Errey: Can you just talk to the exec Cyber Council a little?
[00:17:57] Lt Gen Michelle McGuinness: So the former Minister for Cyber Security, Minister O'Neill, established that on the day that the strategy was released in November. It is around 30 CEOs of and peak body leaders of our largest enterprises across the nation. So peak bodies Australia. Yep. And they're not all Australian companies, but they're all the Australian leaders here. And they come together. And it's part of the strategy. And they it's a forum for them to share threats, talk about best practice and help uplift and deliver the strategy from their perspective. It met in November and then it met again for the second time in August under Minister Burke, and in the meantime they established four working groups, which we drove to get after four things that we saw were the biggest issues across the economy. One was emerging tech, one was sovereign capability, one was cyber workforce, and the last was supporting small and medium businesses. And they cross-sectoral among deep competitors under any other context formed working groups. And we joke but it's completely pro bono work. Although increasingly we do have the view that you have the privilege of the position you are in that you. This is part of your obligation in giving back to the Australian economy. But they have come up with fantastic initiatives across all three working groups that we continue to evolve, and it's a great connectivity for us to inform policy. But it actually they're making a difference. I wouldn't be doing my job if I didn't say October was Cyber Security Awareness Month, but leveraging those opportunities take looking at the barriers to better cyber uplift across across that sector. The you know, we are looking for clearer pathways into the cyber workforce. We have to embrace diversity.
[00:19:42] Dr Miah Hammond-Errey: So in 2018, you were awarded a Conspicuous Service Cross for outstanding achievement in leadership and training, development and international liaison. Can you tell us a bit about this and also your work in the US?
[00:19:54] Lt Gen Michelle McGuinness: Look, it's a great honour to be recognised in, in in that level of award. I had been the commanding officer at our Defence Force Academy, which I'm also a graduate of, and I'd served there before. What an incredible privilege to to really train and raise the children of Australia. There was a thousand undergraduates and I was upskilled as a mother before my time, for sure, raising 19 to 21 year olds in that forum. It was a great opportunity, and we were able to reform the training curriculum across all three services and drive a new leadership program.
[00:20:25] Dr Miah Hammond-Errey: Where you kids happy about this early upskilling or?
[00:20:27] Lt Gen Michelle McGuinness: I'm not sure they've done as much research as you have. I had quite young kids at the time and quite older now, so it certainly prepared me. And I have had the distinct privilege of serving in and with our, the US for about 8 or 9 years of the last 20. So I've served there in some really heady days early in 2000, 2004, 2005, where I was rapidly seconded into a task force supporting our understanding and detection and prevention of improvised explosive devices working in the Pentagon. I tell you, never a day that you went home without feeling like you actually were contributing to the fight. So we had special forces in Afghanistan and we were moving into Iraq. It was the predecessor. And then the opening of the joint IED defeat organization. So an incredible privilege. I went back there as an assistant attache in 2016, managing and supporting the relationship that the Australian Army had with the US Army and the US Marine Corps, and also working with Canada. And I had the opportunity to go and study and do one of my masters at CIS, at Johns Hopkins, which was also fantastic.
[00:21:39] Lt Gen Michelle McGuinness: Um, most recently and unpredictably in that it is a five eye job. I was nominated and then selected to be the deputy director, as you said, for the for Commonwealth integration at the Defense Intelligence Agency. Amazing opportunity. I had served there first in 2005 when I first went to the US. Coming back there as a deputy director, being the most senior foreign general officer inside the US IC, and actually being a deputy director in uniform was a distinct challenge and a privilege of a lifetime. You know, I really was there to drive interoperability across policy, technology and culture, all of which had their own challenges and opportunities. I got there in the, you know, pretty dark days of Covid and an agency of over 16,500 that whilst they are singularly unique for strategic or source intelligence, They had organic capabilities across every intelligence discipline that you can think of. So Covid and the real intelligence and personnel impacts of that were clear. And we manage that through the first few months. We had the Afghan withdrawal and then we had Russia, Ukraine. And then towards the end we had Hamas and 7th October Israel.
[00:22:53] Dr Miah Hammond-Errey: That's quite an incredible list of events to have to have lived through and led through.
[00:22:58] Lt Gen Michelle McGuinness: And at the same time, we we reimagined the governance around our intelligence engagements, which was fantastic. We aligned it for the new environment and we as an organisation, the director set us on an absolute fantastic vision and critical mission to adjust from the nine over 11 post 9/11 CT focus to strategic competition and being there and being in Australian and watching the agency. My boss used to say in 2013, President Obama said, we're going to pivot now in 2023. We're actually pivoting. And I was there to witness that.
[00:23:30] Dr Miah Hammond-Errey: What are the biggest changes you've seen throughout your career in intelligence? Is there something that stands out?
[00:23:36] Lt Gen Michelle McGuinness: I think I've seen the distinct professionalization of and from an Australian Army perspective of our capabilities from a time and huge growth, again, quite inward looking with the Department of Defence. But the establishment of a Chief of Defence Intelligence as a group and the evolution of, of that capability has been fantastic. Fantastic to watch. Um, when we when I look about our interoperability, I had the privilege of being the first, um, person ever to use a Usta system called torch. It's a TTS system for integrated partners. And I think in 2005, when I served in the US, if someone told me I'd be on the TTS fabric in DC, I'd have said, I'll bet my house I wouldn't be. And with the amazing help of amazing professionals and vision and drive and trust That system was built for me when I first got there, and is now proliferated for all of our Australian and 5G integrated intelligence professionals in the US.
[00:24:37] Dr Miah Hammond-Errey: We'll go to a segment on alliances. It's so hard to describe to people outside the community what the significance of the Five Eyes relationship really is. I recently reviewed Richard Coeur Badger's book and was struck by the stories. And I want to ask, what do you think makes it so unique? Mhm.
[00:24:55] Lt Gen Michelle McGuinness: Well, because it's very special. It is incredibly special. And it's not just special. It's incredibly powerful. Um, I'm going to assume your listeners know a lot of the history and I won't rehash that. A common mistake is it's not a it's not a treaty. It's not an alliance. It's a little a alliance, and it's a big partnership. Um, I think we need to look at it. When we look at it, we need to understand that it's not a gift. It's an obligation as much as it is an opportunity. The thing that sets us apart. And I never, um, I never speak in the US about Five Eyes without being asked Will it be Six eyes? Will it be seven eyes? As controversial for some audiences as it might be, I don't believe it ever will. And the simple reason is we have too much of a head start and.
[00:25:39] Dr Miah Hammond-Errey: The cultural and personal relationships.
[00:25:43] Lt Gen Michelle McGuinness: And we've been.
[00:25:44] Dr Miah Hammond-Errey: Through so much together.
[00:25:45] Lt Gen Michelle McGuinness: Absolutely. Blood and treasure founded on deep shared values, built for interoperability. But I'll say the the key barrier to others is that we all meet or exceed a standard, and that standard is from tradecraft and interoperability all the way through to security processes, to vetting, to our cyber security, to our IT compliance, and then all the way to prosecution. So we have the same standards we guard and protect and share under the same set of rules. And we constantly prove to each other that we meet or exceed the standards. So no one's gifting someone something and saying, oh, because you're a good partner, let me show you this. It's we are trusted to actually meet and exceed the standard, which comes at great cost. And then over the decades, we have built in interoperability, like pure interchangeability in some areas all the way through to niche capabilities that bring the diversity of our geography, of our culture, of our history to that powerful alliance. And the whole thing together makes us so much more powerful than the sum of our parts.
[00:26:55] Dr Miah Hammond-Errey: What's one thing about intelligence that the public don't know that you wish that they did?
[00:27:01] Lt Gen Michelle McGuinness: It's the relationships, and it's also the innovation, the trust and the creativity. And it's actually knowing that you can see a part of the puzzle, but you need to rely on others for the rest of the puzzle. And then having the ability to say, how do we how do we a communicate that land that, and what do we do about it?
[00:27:19] Dr Miah Hammond-Errey: I just want to add, because I think you will agree, something really significant about the intelligence community that I wish people understood was their motivation is service. Like,
[00:27:27] Lt Gen Michelle McGuinness: Oh yeah,100%.
[00:27:28] Dr Miah Hammond-Errey: Uniquely, people want to make Australia better. They want to, you know, support, um, support Australians. And I wish that that was something that was better understood. You just mentioned that you were you were in the US and in the US intelligence community in an incredible position during a bunch of really profound global events. How do you see the use of intelligence and of course, declassification to achieve outcomes in foreign affairs? What are the risks and benefits?
[00:27:52] Lt Gen Michelle McGuinness: When you think about how we've mobilized at different times over the last two decades, we've had coalitions of the willing, and we can only partner when we can share a huge part of our partnerships and and our ability to actually leverage unique partnerships. The Five Eyes Intelligence partnership is the most unique, powerful and, um, incredible intelligence alliance. But it doesn't negate or reduce the requirement for other partnerships and in fact, in so many areas in Today's climate, diverse partners and like minded partners who aren't Five eyes bring us credibility and legitimacy and bring niche understanding and diversity to our thought. So it's super important. So there's a lot of effort going in across the Five Eyes to establish and leverage new and emerging technologies to allow us to rapidly share whatever we can with willing partners, to the extent that they want to receive and support and and contribute. It's a it's a huge issue. At no point do I think we should be declassifying to the point that we're giving away methods, access or unique sources. We have to be actually looking at it from a pragmatic sense for opportunities, not just risk, but also about how do we how do we use intelligence to validate that which amplifies the truth that's out there, as opposed to the misinformation out there?
[00:29:11] Dr Miah Hammond-Errey: Integrating complex technologies ethically asks a lot from us as leaders. You have held some significant leadership roles during technology and security developments. How have you led others through those changes?
[00:29:23] Lt Gen Michelle McGuinness: Yeah, I mean, change is is really hard for leading at any point in in all ways.
[00:29:29] Dr Miah Hammond-Errey: Unfortunately, it's not going anywhere.
[00:29:30] Lt Gen Michelle McGuinness: It's not it's not going. That's right. It's not going away. Um, I think there is part of it's about diverse teams and a safe place to try and fail and great communications. So there are certainly things. And you raise the really important aspect around ethics. There is no way that that intelligence is going to rely on machines. And I this is this is a human endeavor to understand the behaviors, conduct and intent of other like this is about intent. Are you sure it's about capability? It's about other things. But that's a very human endeavor. Um, so reassuring teams on on where we can grow. Um, you know, there is a lot of people who find change very fearful and concerning. And when you actually reflect, reflect back, the opposite of change is stagnant and we're never stagnant. And in the moment we're stagnant, we're in. We don't have we're not impactful. We don't have have an effect. So really just having that safe space for people to communicate, to move forward, to innovate, to be able to go back when it doesn't work, to try something else and to understand the concerns and and continue to mitigate them.
[00:30:45] Dr Miah Hammond-Errey: I go to another segment. What are some of the interdependencies and vulnerabilities in cybersecurity that you wish were better understood?
[00:30:52] Lt Gen Michelle McGuinness: Are the interdependencies across sectors that you could not predict? I've had the privilege of participating in some exercises where it blows your mind to think, oh, this system goes down. What you don't understand is that half of Australians aren't going to get their pay next week, or we're not going to be able to cash out or and I think CrowdStrike, let's just take that for example. It was a great opportunity for Businesses to look at their networks interdependencies and figure out where was that nub? Like, it's not that obvious. Where was that nub? Where was that nub that impacted a system, an ordering system that failed to go to a factory that failed to trigger a truck? It wasn't at the cash register. The interdependencies are real. Like we are so interconnected and I'd say not just Australia, but globally, that those impacts can be so unforeseen and so devastating.
[00:31:45] Dr Miah Hammond-Errey: We'll go to another segment. It's called disconnect. How do you wind down and unplug.
[00:31:50] Lt Gen Michelle McGuinness: Pretty poorly at the moment? There's a lot going on. I have I've alluded to it already. I have two amazing kids. We have a new puppy. It's like having a third child, and my husband is doing a very good job at looking after it. So we have a puppy. My husband and I have found the bear. It's actually a critically acclaimed series, so I'm quite enjoying that. I love to exercise, maybe throw in a little bit of true crime.
[00:32:14] Dr Miah Hammond-Errey: What are the, broadly speaking, what technology trends do you see as critical for Australia and our region in the coming year, and are there any that really concern you?
[00:32:24] Lt Gen Michelle McGuinness: I really think our adoption of digital ID is the next step, and it links to our privacy reform and moving forward and reducing our tax surface. And we've.
[00:32:32] Dr Miah Hammond-Errey: Made a significant investment in the Pacific in supporting their digital hundred per.
[00:32:35] Lt Gen Michelle McGuinness: Cent and ultimately giving individuals, I think, some agency over their identity and how it's how it's stored and where it is.
[00:32:43] Dr Miah Hammond-Errey: I concur that's critical.
[00:32:45] Lt Gen Michelle McGuinness: Quantum are, of course, a huge issue coming that I know we've got some great folk looking at and really just leveraging in an ethical and cyber safe manner, adopting AI as having served 30 years and serving to this day. My heart lies with the Department of Defence, and I think it's an incredible capability, and there's not a single job that I've had that I wouldn't do again. And I'm incredibly proud of of that organisation.
[00:33:12] Dr Miah Hammond-Errey: I teach a course about the political and social side of cyber cybersecurity, and one of my students asked how much you need to consider the political dimensions of cybersecurity in your work.
[00:33:22] Lt Gen Michelle McGuinness: Depends what political dimensions we're talking about. Certainly, our job as senior officials, government folk, is to provide advice to the government of the day and to drive the strategy and to serve and to be honest and to be frank and supportive, um, but clear on on what we know and why we're in these roles. But politics, in terms of domestic politics, don't play a role in how we implement the strategy. It's a national strategy, and we drive forward seeking to be as ambitious as we can in achieving the objectives that have been set to us within the resources we've been given, and leveraging every opportunity we have to drive it. Cyber security, how we're managing it, how we're regulating critical infrastructure around risk and cyber risk, how we're working with industry, how we're collaborating, um, across sectors. It's become a theme of government to government discussions. It's become an issue for national leaders. It's become an issue for politicians because it's impacting every Australian and our economy. It's a national security issue.
[00:34:29] Dr Miah Hammond-Errey: We are seeing the concentration of data, computational and informational power geopolitically as well as within industry. What implications does this have for countries like Australia that don't have the same market size and influence as the US, but also as, say, Europe?
[00:34:44] Lt Gen Michelle McGuinness: Part of it's got to do with understanding and picking the best that we see our partners doing. And you're right, Europe have a different context and have grown capabilities that we are leveraging. We do have a growing sovereign capability. We can't do this on our own. The best we can do is to support and uplift and build a climate for sovereign capabilities, and then partner really closely with those, um entities that we do need to rely on that aren't here.
[00:35:11] Dr Miah Hammond-Errey: Does it blunt our ability to wage war independently. As we're so reliant on these companies, I.
[00:35:17] Lt Gen Michelle McGuinness: Think we're we're at less risk than that. But it does it it does drive that requirement, sovereign and unique capabilities that we build. I think it's something that we have to be alert to, that we're not critically dependent on something that we might not have agency over. I think our partnerships are really an important part of that as well.
[00:35:40] Dr Miah Hammond-Errey: I guess it has a really different kind of relevance when we think about the fact that so much of our civilian population may be involved in or like on the sidelines in real time. So we're seeing a really different shift in the way we engage in conflict as global populations, quite confronting.
[00:35:58] Lt Gen Michelle McGuinness: When we talk about cybersecurity being a national security issue with industry. I think this is just the start in terms of how it leverages all the interconnectedness we have, the issues you spoke about, services and Capabilities that are global or that have become dependencies from. Um, readiness and mobilization.
[00:36:17] Dr Miah Hammond-Errey: And you add in there the the current information ecosystem, which, you know, the civilian population is also reliant on.
[00:36:24] Lt Gen Michelle McGuinness: A huge part of and hugely reliant on. I think it's really important that we do elevate awareness of the risks of, of cyber intrusions and cyber security incidences that will impact you as a citizen. You don't need to be a member of the Defence Force or a member of the government to be impacted by a competitor or an adversary who's seeking to break your resilience, you know, impact your ability to to be clear on what's happening, impact your access to the truth and information.
[00:36:54] Dr Miah Hammond-Errey: So we talked a little earlier about the existing US concern about Chinese EVs, but I just wanted to touch on the the broad conversation around technology supply chains. Where do you expect to see this conversation going?
[00:37:09] Lt Gen Michelle McGuinness: I think as we move to secure by design, we're going to open up the space for new and innovative companies to fill gaps that meet our standards, whether they be mandatory or voluntary. I mean, that's got to be our our vision here is that, you know, when you worry about reliance on single source componentry, that is not secure. We have to be setting standards so that we can, you know, strengthen our nation from citizens to the military. But opening up that window of opportunity for maybe non-traditional partners. You talked about Europe having a different landscape. Again, in terms of and particularly in terms of the cyber threat. We've got some partners there who've had significant experience as a nation being constantly under attack and have evolved and developed new capabilities. But we are acutely aware, I'm acutely aware of supply chain vulnerabilities, supply chain dependencies. And I'm hoping that as we move forward and look to to build the strong frameworks, whether it be regulatory or policy around how do we invite, encourage and build, you know, safer, more secure supply chains?
[00:38:17] Dr Miah Hammond-Errey: We're coming up with eyes and ears. What have you been reading or listening to or watching lately that might be of interest to my audience?
[00:38:22] Lt Gen Michelle McGuinness: So I actually really enjoy listening to a podcast called Risky Biz. I'm sure you've heard of it, but I actually really enjoy while working out, listening to them nerd out about things that really help, particularly as I took over the job, brought me up to speed on a number of issues. I don't get a lot of time to read, but I do have two books on the bedside table. One is a historical novel called Nightingale by Kristin Hannah, but I've also got The Forever War by Nick Bryant, and it seems to unpick the societal polarization in the US. But it really does hark back to my days studying at Sis and the the pitfalls and drawbacks of Isolationism.
[00:39:09] Dr Miah Hammond-Errey: The last segment is need to Know. Is there anything I didn't ask that would have been great to cover?
[00:39:14] Lt Gen Michelle McGuinness: Um, the one thing we didn't talk about that might be of interest is, is Commonwealth uplift. A part of our strategy is to uplift the Commonwealth collectively, and that's driving the zero trust culture. It's related to the three SPF directives that I'm sure you've had someone talk about. Um, and again, we'll be leveraging the private sector that provides our the bulk share of our capability and really leveraging them to help us find the best solutions. Um, and we want to do that as a government.
[00:39:42] Dr Miah Hammond-Errey: I haven't had anyone to talk about the SPF. Yeah.
[00:39:44] Lt Gen Michelle McGuinness: So there have been three directions given by the Secretary of Home Affairs. It's the first time the SPF came across to Home Affairs, I think at the end of last year.
[00:39:52] Dr Miah Hammond-Errey: That is the protective security Policy framework.
[00:39:54] Lt Gen Michelle McGuinness: Framework? That's correct. And it's a great tool in uplifting our cybersecurity. And we do we do hold ourselves to the same standard that we hold industry. And it's really hard. It's really hard as a government to drive consistent uplift across a really diverse entities of different sizes and different risks. Zero risk across that is a big issue, but the SPF directives in the main addressed foreign ownership and control risks. It addressed a stocktake of what was internet facing under the principle that you can't protect that which you don't know you have, and then it actually required all government agencies to report threats and engage very closely with the Acsc. Now, everyone I know was doing that already, but having in directions, we want to make sure that it's mandatory. It's so important not only from a technical rapid response, but also from a having a full intelligence picture on the threat and actually being able to get ahead of that threat as we actually work across the economy to support cyber incidences. The intelligence that we collect on the landscape is so important. The annual report will come out in the coming months. Last year's report in November said that there was a cyber incident reported once every six minutes. I'm looking forward to that and I encourage everyone to read it. It's when you said, what do you wish people knew that they don't know? These resources are deep and comprehensive, and people think it's magic or it's secret or they don't have access to it. There are so many resources, including on cyber, that that really call out the intelligence threats that we're facing when we can.
[00:41:29] Dr Miah Hammond-Errey: Michelle, thank you so much for joining me. It was a real pleasure to chat.
[00:41:32] Lt Gen Michelle McGuinness: And a pleasure for me too. Thanks so much, Miah.
[00:41:34] Dr Miah Hammond-Errey: Thanks for listening to Technology and Security. I've been your host, doctor Miah Hammond-Errey. If there was a moment you enjoyed today or a question you have about the show, feel free to tweet me at Mia, underscore AG or send an email to the address in the show notes. You can find out more about the work we do on our website, also linked in the show notes. We hope you enjoy this episode and we'll see you soon.