Graham Ingram, General Manager of the Australian Computer Emergency Response Team, says the banks traditionally have taken information security matters seriously, and their approach starts with acknowledging the fundamental risks of conducting online business.
"I think one of the turning points for the banks was to understand that it's assumed that the machines connecting into the banking system have been compromised," Ingram says. "If you assume that, then you can take internal actions."
Ingram has long worked to protect critical infrastructures, and he believes the banks are among Australia's strongest assets. "I'm not so worried about the banks," he says. "I'm more worried about government institutions."
In Ingram's estimation, government agencies have done a good job enabling electronic transactions that make government systems more accessible - but not necessarily more secure. Agencies need to work harder to protect the integrity of their systems and confidentiality of the information they store. "There are too many people in government organisations who are in denial [of risks]," he says. "They have promoted the online environment as a way to reduce costs and become more efficient. It is more efficient for them," but increases the risk to citizens' private information.
In an exclusive interview on cyber crime, Ingram discusses:
- Top threats to Australian organisations;
- How banks are best positioned to detect and prevent fraud;
- Why and how government agencies should follow the banks' lead.
Ingram is the General Manager of AusCERT. He took up the position in January 2002 after 17 years' employment with the Commonwealth government. Immediately prior to joining AusCERT, he worked with the Department of Defence in Canberra where he was responsible for managing computer security incident reporting and response for Commonwealth government agencies.
Ingram has extensive experience in national information infrastructure protection and spent four years working in this area. During this period he managed a number of major IT security and information protection issues including computer network attacks during the Y2K period, IT security threats to the 2000 Olympic games and the Commonwealth Heads of Government Meeting (CHOGM) recently held in Queensland. He has a BSc (honours) and is currently undertaking an MSc (IT).
TOM FIELD: If you can, please, tell us a bit about yourself, about the organisation, and the work that you are doing now?
INGRAM: AusCERT is a computer emergency response team. We are one of the older computer emergency responses in the world, and traditionally we look at computer-based issues, compromises, and then in about 2003 we got involved in a lot of the banking and identity theft -- the incredible problems of malware, malicious activity, organized crime, cybercrime if you want to call it that. So we've now evolved in a whole range of things relating to internet security, and effectively assisting people on the internet to have a safe and probably more rewarding experience.
Cybercrime Threats
FIELD: Graham, what would you say are the biggest cybercrime threats right now to the banking institutions in Australia?
INGRAM: I think the biggest threat is called the proliferation of compromised machines, compromised computers around the world, which those come in a variety of formats to problems. For example, the compromised machines are being harvested with how to use our data and passwords, which is really the first state of a defensive on the banking system. My view is that's pretty well handled at that stage. But the thing that concerns I guess the law is the route of identity theft. Identity theft allows you to in many ways become someone else and effectively try and be that person on a virtual and even in the physical environment.
So the other one that probably is not so directly is the botnets. The botnets cumulatively have an enormous fire power, and they have the same engines, so I'm guessing probably 80 percent of the world's scams come from Botnets. These are the things that promote the email of attacks, and basically it's put organized crime into an industrial capability.
FIELD: How would you say you have seen the banks typically responding to these threats you have just outlined to us?
INGRAM: Oh. Look, the Australian banks since 2003, 2004 have been right on this, and do a damn good job. I think one of the two things for the banking industry in particular was to try to understand, how would I say, it's assumed that the machine connecting the basic system has been compromised. That becomes one of the fundamental [principles]. So I think the banks have done remarkably well, and really I'm not so worried about the banks.
I'm more worried about things like government institutions because ... there is no doubt that identity makes money. If you can become someone else and assume their trading accounts or whatever, that's how you make this a very profitable enterprise for criminals. And really the banks don't have a lot of that personal information. If you think about it, most of that personal information is held by government and other institutions. I guess what I'm saying is my ultimate concern is the protection of the information held about people.
But coming back to your question, I think the banks have done remarkably well, and it's not a big issue for them now.
Banks as Leaders
FIELD: Well, that speaks to incident response, and it sounds like the banks are doing a good job there. Maybe you can talk about what the banks are doing well that government agencies and other organisations could learn from?
INGRAM: The primary thing that the banks had is that they know their customers, and they can profile their customer activity very, very well. You know, other organisations are not so lucky. So for example if you have PayPal or something like this, they have a much broader customer base and the degree of the transaction is probably more limited. So, the ability to profile a customer's transaction is reduced. Let me give you a quick example. If I pop on my banking session and transfer money to my daughter -- I normally send her 20 dollars or 30 dollars when she is broke -- but also that's a reasonably frequent transaction that I might do. I might do every four months or something like this. So the key elements of that are that the person I'm sending the money to is a known entity. I have transactioned with that person before. The amount of money -- I will never send her 10,000 dollars. That is a pattern that the banks know. Now, assuming I send 10,000, 5,000 dollars to some unknown person, that will flag things in the banking profile. So you can certainly see what I mean that the banks have an advantage here over everyone else.
The other thing is that the banks can in many ways protect money transfers. You know you can, although the details of the transaction may have been stolen, the idea is stop the cash. Unfortunately, for government institutions the currency of their transaction is the information itself. And unfortunately many people don't realize that if a machine has been compromised, it is impossible -- and I use that word very deliberately -- to protect the confidentiality of that transaction. So what the banks are trying to do is protect the integrity of the transaction, but governments have to protect the confidentiality of the transaction, and that is an impossible thing to do. So, you can start to see the dilemma that faces governments and other people who look after their information is the primary currency that they use.
2011 Agenda
FIELD: From your perspective, where do these organisations need to improve most in this year 2011?
INGRAM: Look I think there is a whole range of things that need to be done. First of all people have got to understand the concept of privacy. I believe that people are asking for too much information on the internet. This is an absolute gold mine for criminals, because the criminals know where they are based and heavily refined, it will harvest all the information on the PC, so the more that you transact online, the more information that is delivered online, the more information criminals are capturing, and they make great use of it. So I think recognition of the growing problem is there. I think there are too many people in governmental organisations who are in denial. Why? Because they have promoted the online environment as a way to reduce their costs and to become more efficient. It is very efficient for them. It doesn't mean that more and more citizens' information isn't being stolen. They are using these online environments to be promoted without proper recognition of the dangers and the risks. I think we have a big problem.
Top Trends
FIELD: Graham, a final question for you. What are the top trends that you see unfolding this year, and how specifically do the banks need to be prepared to respond to those threats?
INGRAM: I think Botnets will continue to be extremely active and become far more sophisticated. I think we will see malware just growing and growing. It's virtually undetectable ... very difficult to deal with this. And I think the weight of compromised machines will continue to climb. The sophistication of the criminal marketplace -- I have seen nothing at this stage that indicates that the trend will be reversed in any way shape or form. I do say to people, perhaps a little bit cynically, that there is a threshold of pain. I mean, if say one in five computers in Australia is infected with malware that we can not detect, we can not remove, and our businesses are uncomfortable with transacting online transactions ... at what point do we say that we have an unsustainable online economy because of the weight of compromise? I don't have the answer to that and I don't see anyone else has, but that is the direction we are heading.