Professor Jill Slay, Director of Australian Centre for Cyber Security: Exclusive Interview
Professor Jill Slay is the Director of the new Australian Centre for Cyber Security (ACCS) in Canberra. In an exclusive interview for Global Government Forum, she discusses why the cloud may not have a future, why she is giving all her knowledge away for free and why she thinks regulation is the liberal way forward.
Professor Jill Slay was born in Britain, has lived and worked all over the world but has called Australia home since the 1990s. After working as a mechanical engineer in Britain she and her husband left for Hong Kong for ten years. It was a formative time, as she says:
‘I see myself as having grown up with the PC in Hong Kong. I worked with people on the small systems and I never stopped studying.’
All that studying earned her a PhD in 2000 in Adelaide, Australia. But that was more of a problem than a blessing. ‘There was really nothing that I could do with a PhD which looked at culture and systems and education. You are either too soft for the computer sciences or too technical for education.’
She got a job in the computer science school in Adelaide, soon before 9/11. It proved a difficult time. ‘I was working with the Defence Science and Technology Organisation (DSTO) and they were very interested in the effects of culture. I was one of those researchers predicting that culture would make the enemy do strange things with systems.’
Then 9/11 happened. ‘I was actually devastated’ she says. ‘I remember talking to people about what to do next and somebody in Defence asked me to go and learn how to secure systems and then teach other people. That’s what I started doing.’
Deep into Cyberspace
Since that seismic moment she has delved deeper and deeper into all aspects of forensic computing, encompassing critical infrastructure protection, cyber terrorism, information assurance and complex systems. She has instigated cross-disciplinary research drawing on a diverse range of knowledge including anthropology, police and justice systems, drugs and crime, IT engineering and social sciences.
Working and learning in those areas for all this century has given her a world view which is brutally realistic. ‘Speaking about Australia, it’s very hard to get industry to respond in the right way. We have to encourage industry to do research and to resolve its own issues.
‘But the universities aren’t always much better. Even after all this time you have security people like me, then you have the people who teach programming, and the two never actually meet.
‘There have been lots of initiatives around secure codes. I remember when Microsoft pumped a lot of money into universities to do it. When you give people extra funding they will focus on it, otherwise they will go back to just teaching people how to write “hello world” in whatever language it is. They don’t treat it seriously enough. I don’t think we have our act together.’
Educating Those in Uniform
If that is the case with some universities, it certainly is not the case in Professor Slay’s department. At the beginning of 2014, the University of New South Wales in Canberra opened the Australian Centre for Cyber Security. Professor Jill Slay became the first Director of the Centre.
‘The thing that interested me,’ she says, ‘is that for the first time ever a university was putting up its own funds to support a cybersecurity centre. All our undergraduates are military, so we have about a thousand undergraduates all in uniform. Every one of them is going to have to study an introduction to cybersecurity as an undergraduate course. We have at least 500 PhD students, and many come from overseas. I have to take them from zero to hero in one semester.’
Her graduates will go out into the world and, in her words, ‘will be ready to at least protect themselves and hopefully protect the Defence restricted network as well. They’ll be like our allies.’
But Professor Slay has already started putting ‘allies’ in place. She has overseen 16 PhD graduations already and, after working with the Police for over a decade, has trained up many officers who are now serving. ‘Everyone in the South Australian Police E-Crimes Laboratory is either one of my graduates or a collaborator’ she says proudly.
Her 13 years working with various Police forces has helped her in what is an increasing arms race in cybersecurity: ‘I have moved on from hard disc forensics to mobile phones, to the cloud, to memory. I have tried to stay one step ahead of the law enforcement agencies.’
What Happens in Israel
That arms race led her to a recent research mission to Israel, which changed the way she thinks about cybersecurity:
‘After the trip to Israel the phrase that came to me was “the weaponisation of the Internet”. That has really happened there. You can’t transfer what guys in Israel do to Australia or the UK or wherever, but there was a different paradigm there. I would suggest that none of us allies is as ready, or has thought about it in the same way that the Israelis have.’
Managing the Managers
That trip has led her to prepare three new Masters degree courses as part of a cybersecurity programme for those with a management background. She explains why.
‘A lot of people in government have to manage the cybersecurity function. They were put into the job, but their background does not give them any tools to do it properly. I have trialled ways of giving sort of “Network Security 101”. I was speaking at a conference and people were queuing up saying “Don’t forget me. I am the person who has to do the acquisition in the governance and I don’t have the background.”’
Giving It All Away
Professor Slay does a lot of speaking and writing – she has published a book and had over 120 refereed book chapters, journal articles and research papers published. Aware that many countries lack the resources or the will to properly tackle cybersecurity issues, she has a direct approach: ‘Essentially you try to give away all your intellectual property for free. This is just an individual response.’
She is both a Fellow and a board member of the International Information Systems Security Certification Consortium (ISC2; www.isc2.org). ‘We do it all for free,’ she explains. ‘There are about a hundred thousand members worldwide. I have worked for years with this body, trying to make sure that we certify IT security professionals. We developed curricula, certification exams and test banks, and we helped different countries to certify.’
She sees this as the best way forward since the scale of the problem is so huge. ‘I just wonder which government has enough money to actually remedy this on the scale you would have to. As a researcher I would think that the worlds of tackling high-tech crime and cyber defence might tend to converge.’
As a self-confessed liberal, Professor Slay has reluctantly reached a conclusion: ‘My message to government would be to say that this problem is so huge and it could be so critical that we should consider regulation. We should consider streamlining and aligning our regulations on the security of critical infrastructure. We should be looking at our high-tech crime legislation.
‘At the moment we have both formal and informal channels for getting and sharing information. The formal channels take a long, long time and the bad guys are doing something else by then. Anything where the government has to rely on getting the goodwill of industry is just a really, really slow process. And if you catch one bad guy through the informal channels you still don’t have anything enshrined in the organisation.
‘I think the interesting thing is that, when I go to conferences, it is the Germans and the French who worry about privacy. The Americans tend to be at the other extreme of legislation but governments like ours are worrying about ethics, post-Snowden. I didn’t think I would align myself with the Americans until I saw the extent of cybercrime and the potential damage that can be done through other crimes like cyber attacks. So, I want to go around protecting the world because we deliberately don’t tell the general public the reality of the situation they face.’
Future of the Cloud
Nowhere is Professor Slay’s frustration at official readiness and response levels more evident than in the issue of the cloud. She sees the problem as two-fold: that criminals and terrorists can hide stuff in the cloud which is then legally very difficult to follow, and that there could come a time when the content in the cloud simply disappears through accident or design.
‘I’ve got a lot of research done about cloud forensics. If the bad guy stores bad stuff in the cloud, can I [as a law enforcement officer] get some sort of legal authority to go and get that data from the cloud? Will the bad guy store all his viruses up in the cloud or attack everybody from a cloud in Estonia or Singapore or somewhere? It can take me weeks to get the data from an ISP in Australia, let alone anywhere else.
‘We make assumptions about the cloud. So I have my laptop and I’m connected to the cloud. I’m trying to find what evidence is on my laptop about what I’m storing in the cloud because I assume I can’t ever get my data back. That’s a stupid situation, but that could be true, that could be reality.
‘Governments are interested in the cloud for saving money. Everyone, including universities, all want to put stuff in the public cloud. I don’t think it’s a fad, it’s the fact that companies and governments now think it’s the cheap way to go. We’ve got too many people doing too much for convenience.
‘I just think that we’ll have some disastrous case which will scare the daylights out of everybody. What we preach is that you must embed security in new processes, but they don’t listen, they don’t see the urgency. I am a pessimist about the cloud.’