University Cybersecurity

Recently I was interviewed by Patrick Brischetto about emails sent to university graduates saying their degrees had been revoked ("What we know about the latest university cybersecurity breach - and how to protect yourself", 9 News, Oct 8, 2025). As I explained, this form of attack exploits fear, reducing the reader's normal critical abilities.

Australian Cyber Resilience in a High Threat World Learning from Estonia

 

Greetings from Australian Computer Society's TechUplift 2025. At the Hyatt Hotel Canberra. Next to me is the first speaker, Ms Kersti Eesmaa, former Estonian ambassador. She is now working for Vertical Scope Group, a Canberra security company. I first met Kersti, as the ambassador in 2021, speaking on digital Estonia. As she pointed out today, by building a new nation based on digital technology they were able to create efficiency, but create a target for attack by nation states. 

Over the last few years, Australian National University hosted a series of talks by small european states under threat, or in the case of Ukraine under direct attack. This may not seem relevant to Australia, but out online systems are under constant online attack. Ms Eesmaa described Estonia's industry security vetting system, which allows staff from those companies to more easily assist the government when needed. This is something perhaps Australia should adopt. Another suggestion was exercises with industry involvement. As a defence civilian employee I have been involved in defence exercises, but while these included personnel from allied countries, the only industry involved were contracted companies providing services. The ACS has run some hackathons for the Australian and NZ defence forces, and ANU has run simulations for students with support of security agencies (I mentored teams). This format could be used to include industry at low cost. 

A more radical proposal was Capture the Flag (CTF) competitions for school children, funding by industry and the Department of Defence. In these students learn about cyber defence in a fun way. The Australian Signals Directorate and the Australian National university have run CTF Competitions for school students. I asked the next speaker from ASD about expanding this to industry. Bsides do some of this but could do with government suupport.

Cyber security industry

Greetings from Launch on Northbourne, UNSW's startup centre in Canberra. They are hosting a Canberra Cyber Hub panel on research collaborations with industry. Andrew Muller from Ionize represents industry and Professor Debi Ashenden academia. The panel emphasized relationship over a transactional arrangement. The different speeds of industry and academia are also an issue. The chair is Melissa Larkins, from Canberra Cyber Hub.

TechUplift25: Empowering Cyber Security through AI-driven Capability

I just registered for TechUplift25: Empowering Cyber Security through AI-driven Capability, being run by the Australian Computer Society at the Hyatt Canberra, 26 June 2025. Ironically, this morning Facebook blocked my access, requiring me to prove I was human.

The Fax on National Security Secrecy

Greetings from the seminar "Neither Confirm Nor Deny: National Security Secrecy and Australia's Liberal Democracy" from ANU. Emily Hitchman points out that technology has presented a challenge for national security in the past, with fax machines providing a way to breach security long before Wikileaks. This may have an effect on the AUKUS agreement with the USA and UK. One way I suggest would be the question of nuclear weapons. 

ps: I am actually in a bus shelter waiting for a bus to take me to the University. I am listening to the presentation via video conference on my phone. A tip is to use "driving mode": this turns off video and the microphone, avoiding embarrassing images and noises on the conference when you are out and about (it also reduces the bandwidth required on your mobile connection). 

Magic of Cybersecurity

Greetings from a panel on Cyber Security: Exposing the  THE magic involved in product evaluation, at the Australian Computer Society in Canberra. This is timely with Friday's Microsoft Windows/CloudStrike outage. The discussion so far is focused on the Australian Information Security Evaluation Program (AISEP). One topic of interest to me is that the Australian Signals Directorate is looking at training for security certifiers with other countries. Some of my uni students have been interns at companies carrying out government security checks.

The panel has:

Dr Hin Chan, Manager – Australian Certification Authority (ACA), Australian Cyber Security Centre, ASD

Erin Glenn, Director of Product Management, Belkin International, US

Patrick Campbell-Dunn, Securus Consulting Group 

Government Keynote: RAAF's journey with Agile methodologies Wing Commander Mike Moroney, AI Lead for the Royal Australian Air Force

Wing Commander Moroney,
RAAF AI Lead

Greetings from the Hyatt Hotel in Canberra, where Wing Commander Mike Moroney, AI Lead for the Royal Australian Air Force, is speaking on "RAAF's journey with Agile methodologies". He pointed out that crew-less aircraft are being experimented with having AI onboard. Curiously he mentioned US based projects, not the Boeing MQ-28 Ghost Bat, being built in Queensland. 

Wing Commander Moroney said he never finished "The Phoenix Project" (BY GENE KIM, KEVIN BEHR, GEORGE SPAFFORD), about DevOps, as it was "too triggering", but "The DevOps Handbook" (BY GENE KIM, JEZ HUMBLE, PATRICK DEBOIS, JOHN WILLIS, NICOLE FORSGREN) is okay. Also he recommended Accelerate (BY NICOLE FORSGREN, JEZ HUMBLE, GENE KIM).

Securing Government Data Used with AI a Jobs Growth Area

Jayden Cooke, ASD on 
Secure by Design

Greetings from the Hyatt Hotel in Canberra, where Jayden Cooke, Technical Director, Secure Design and Architecture | Cyber Uplift | Cyber Security Resilience, Australian Signals Directorate (ASD), is speaking on "Secure by Design and Default" (SbD2). This is a keynote presentation at a GitLab event organised by Public Sector Network. ASD not only has a website on Secure by Design, but also detailed documents on how to do it.

This was a refreshing change from the proceeding GitLab sales pitches. It was still a sales pitch, especially with claims of by in from "Five Eyes" partners. The idea is a reasonably simple one: rather than build software and then think about how to make it secure, instead think about security from the start. This requires a systematic approach which ASD has been attempting to have universities teach to their students. At present there is a golden opportunity for this. A few months ago we asked computer project students participating in the award winning ANU Techlauncher Project to write a couple of sentences about what they see as their future career. Many nominated AI, and other cyber security. The intersection (or collision) of the two I suggest will be an area of demand for staff as AI security flaws come to light. 

Cyber Gets Funding in 2023/24 Budget

The 2022/23 Australian Federal Budget Papers are available online. Here are some items of interest on information technology and higher education. 

From Statement 1: Budget Overview, Page 31 (emphasis added):

"Small business cyber security program

The Budget provides $23.4 million to support small businesses to build resilience to cyber threats. Small and medium businesses are the target of 60 per cent of cybercrime, which is now costing Australia more than $33.0 billion in reported losses per year. The Cyber Wardens program will address this vulnerability by equipping small businesses with the foundational skills they need to improve cyber safety. This program will be delivered by the Council of Small Business Organisations Australia and will support more than 15,000 small businesses.

Investing in a stronger, more productive and safer digital future

Data and digital transformation continue to present new opportunities for governments, businesses, communities, and households to change the way Australians live and work. This Budget ensures Australians are at the forefront of the digital economy while protecting them from the potential risks of the digital transformation. The Government is investing more than $2.0 billion in 2023–24 in digital and ICT to deliver easy, accessible, and secure services for people and businesses.

Consumer Data Right

The Government is continuing its investment in the Consumer Data Right (CDR) with $88.8 million to support the CDR in banking, energy and the non-bank lending sectors, progress the design of action initiation and undertake a cyber security uplift. This provides Australian consumers, both individuals and small businesses, with a more secure way to safely share data online. The CDR gives consumers an enhanced ability to control and benefit from the sharing of their data. The CDR will empower consumers to make better informed decisions and find better prices from everyday utilities to the most competitive home loans for their circumstances."

Singapore and Cyber Security

Greetings from Predict22: The Intelligence Summit, at Fullerton Hotel in Singapore. The conference organisers were excited to have someone from Canberra as a delegate, but I admitted I was actually here to speak at a uni & EduTech Asia next week. But computer security is a hot topic, so it doesn't hurt to brush up. The current presentation is touching on an attack on India's power grid, and implications for other coutries.

Cyber-criminals as Modern State Sponsored Pirates

Greetings from the Australian National University where Professor Andrew Goldsmith is speaking on "Cyber-criminals as semi-state actors: weaponising ransomware and the Russia/Ukraine conflict". He pointed out that ransomware attacks thought to be originating from Russia are using software which is more normally used for extracting information from systems than simply blackmailing, suggesting a state sponsored role. Professor Goldsmith then went back to the past and pointed out that states in the past have sanctioned private for-profit military operations, in the form of piracy. He says ransomware is attractive as it is financially rewarding for private groups, while being deniable for the state and recommended Egloff (2018). 

Professor Goldsmith asserted that Australian government doesn't have cyber-security capabilities, and has to rely on companies. I suggested that perhaps we needed the equivalent of a coastguard used to combat piracy, that is a force combining the features of military and police. Professor Goldsmith responded that to combat a network, you need your own network, but that having companies conducting offensive cyber-warfare was problematic. The solution, I suggest, is to have reserve ADF personnel, who are continually trained using educational technology, working for the companies. They can look for attacks in their civilian day job, and if an offensive response is needed, put on their uniform. 

References

Egloff, F. (2018). Cybersecurity and non-state actors: a historical analogy with mercantile companies, privateers, and pirates [PhD thesis]. University of Oxford. https://ora.ox.ac.uk/objects/uuid:77eb9bad-ca00-48b3-abcf-d284c6d27571/

Submitting Assignments on Paper No Protection for Students

Senator James Paterson

The Parliamentary Joint Committee on Intelligence and Security, has been conducting an Inquiry into national security risks affecting the Australian higher education and research sector. Committee Chair, Senator James Paterson is reported to have suggested allowing international students to submit assignments on paper. This is to prevent security agencies in their home countries reading their essays. However, a student doesn't just write an assignment off the top of their head, they conduct literature searches, talk to their tutor, and fellow students. These days much of that is done online. Even if the final document is printed on paper, it would leave a long electronic trail, which would indicate what the completed work was about.

Also it is not just international students who have to worry about intelligence agencies. Students who may go on to important jobs in government and industry (or already have them) can expect to be under routine online surveillance by agencies of Australia's potential foes, and friends.

Australian academics need to keep in mind that what they ask their students to study could place them at risk. Universities can seek to secure their electronic systems, but that is not foolproof. Also It will not protect students from old fashioned HUMINT: the collection of information by people.

ps: But perhaps I am a little paranoid, because I used to work for the Defence Department. ;-)

Reference

Protecting international students: get essays on paper, Campus Morning Mail, July 12, 2021

Social Media Attacks on Critical Infrastructure

Guru Raghav Raman, NUS

In a Hypothetical for Teaching ICT Ethics I asked computer science students if it was ethical for them to conduct a hacking attack on an electricity system for the military. However, Raman, AlShebli, Waniek, Rahwan and Chih-Hsien Peng (2020) have pointed out How weaponizing disinformation can bring down a city’s power grid, without any need for hacking. Instead a fake offer of a discount on electricity charges would be used to induce customers to turn on their appliances at peak time and overload the grid.

The authors suggest mitigation strategies can be used, with authorities being ready to broadcast warnings. However, I suggest that if the  warnings go out on "old" media, such as local TV stations, many may not see them. Also the attacker could reduce the effectiveness of the official announcements, by sending out fake official denials on social media saying the warnings were not real.

ANU energy researcher and entrepreneur, Dr Backhall, in 2019 described the current Australian electricity grid as being "duct-taped together".  His work on smart renewable energy would allow for a more robust grid, which could switch off loads and switch on battery supplies at peak times. However, this equipment would need to be secure, as it offers a new target for hackers.

Reference

Raman, G., AlShebli, B., Waniek, M., Rahwan, T., & Peng, J. C. H. (2020). How weaponizing disinformation can bring down a city’s power grid. PloS one, 15(8), e0236517. URL https://doi.org/10.1371/journal.pone.0236517

Report on Breech of Australian National University Systems

The Australian National University has released a 20 page "Incident Report on the Breech of the Australian National University's Administrative Systems". The supporting materials may also be of interest.

Contents of the report

• Vice-Chancellor’s Foreword
• Executive summary
• Detailed timeline of the data breach
• Figure 1: Simplified overview of actor   
• Figure 2: Attack timeline
• Post notification events 
• Malware and tradecraft analysis
• Lessons from the attack and follow-up actions
• Personally identifiable information
• Phishing awareness
• Table One: Issues and Remediation
• Appendix
• Appendix A: “invitation” phishing email    
• Appendix B: “meeting” phishing email    
• Appendix C: “planning” phishing email   

From the Executive Summary:

"In early November 2018, a sophisticated actor gained unauthorised access to the ANU network. This attack resulted in the breach of part of the network known as the Enterprise Systems Domain (ESD), which houses our human resources, financial management, student administration and enterprise e-forms systems.

By gaining access to ESD, the actor was able to copy and steal an unknown quantity of data contained in the above systems. There is some evidence to suggest the same actor attempted to regain access to ESD during February 2019, but this second attack was ultimately unsuccessful. ...

Technical gaps aside, ANU ultimately views this breach and cybersecurity more broadly as an organisational issue, one which requires a change to the University’s security culture to adequately mitigate. It is through this lens we will undertake the next phase of our cybersecurity work – a strategic information security program. This program encompasses the modernisation of IT and security infrastructure and, more importantly, an emphasis on culture and security awareness among students, staff and researchers; and the protection of the data they entrust to ANU.

The investigation following the breach, which contributed to the contents of this report, was conducted in close cooperation with Australian Government security agencies and Northrop Grumman. ANU is grateful for their continued support."

Cyber security Mentoring Program

Greetings from the Canberra Innovation Network (CBRIN), where ACT Minister, Mick Gentleman, just launched the OKRDY Cyber Edition Mentoring Program. An online system will match people with cyber security experience (mentors), with those could benefit from it (mentees). Added to the usual difficulty of matching people, is the needed to considered security clearances.

"A Canberra-based cyber security mentoring program helping local students connect with cyber professionals, organisations and government. OK RDY Cyber Edition is NOT simply a once off event, but a program of activities across, panels, mentorship matching, employer tours, social media and much more.

Our goal is to foster Canberra’s local cyber ecosystem, demystify cyber careers and help employers identify emerging cyber talent. This activity will develop a pipeline of job-ready cyber graduates in Canberra and collectively help to achieve greater employability, diversity and cultural outcomes for the cyber industry."

Cyber threats to the Digital Economy of Vietnam

Greetings from the Australian National in Canberra, which is holding "Vietnam Update 2018". The last session of the day is on Social media, digital technologies and cybersecurity. The first speaker was Mr. Nguyen Quang Dong, from the Institute for Policy Studies and Media Development. He pointed out Vietnam now has a high penetration of Internet users, mostly via smart phones. There were 134,000 cyber-attacks in Vietnam in 2016. One driver for improving security is to be able to join multi-national trade agreements. He pointed out the difficulties where national regulations require cloud computing facilities to be located on-shore.

ps: ANU is now offering a cyber security major in its computing degrees and a Master of Cyber Security, Strategy and Risk Management.
 

Cyber Storm Conference in Canberra

UNSW Canberra has invited papers for  “Cyber Storm”, 18-20 February 2019. The conference will focus on training for cyber warfare.

"Australia’s former Minister of Cyber Security, Hon. Dan Tehan, warned in November 2016, of the need for the country to prepare for a cyber storm, even if it was an unlikely contingency. One view of the Cyber Storm sees it as the contingencies arising from protracted and complex, multi-vector, multi-wave, multi-theatre attacks against cyber assets. Such assets can include critical civil infrastructure, military C4ISTAR, computerised systems in weapons platforms, and even other civilian targets of military or national security significance.

This conference will concentrate on the role universities and professional education institutions, such as military colleges, can play to address the unique challenges of workforce formation for the Cyber Storm.

For middle powers like Australia, immense challenges exist in framing education and training solutions for these contingencies, as the research foundations on which these policy responses depend, are very weakly developed, or even non-existent. This is especially case in the sub-field of simulations. The conventional wisdom, or at least the dominant practice, has been that the knowledge, skills and abilities needed would be acquired “on the job” in highly classified environments. There has been little space for open-source research and therefore minimal open-source education and teaching. This scholarly conference will discuss research papers on these subjects by leading specialists from universities, professional colleges, think tanks, government, and industry. The academic portion of the conference will not have any special national focus, but papers that can address the U.S. experience or that of middle powers like Australia will be highly regarded. The academic portion will be followed by a one-day invitation-only policy workshop to give strategic planners in government, the armed forces and business the opportunity to reflect on practical recommendations arising from the scholarly research."

Training for Australia's Offensive Cyber Capability

In the Australian Strategic Policy Institute paper "Australia's Offensive Cyber Capability" ( May 2018), Fergus Hanson an Tom Uren, ask how to build and use the capability. Part of this is simply having trained IT professionals, in and out of uniform available. As well as running courses in "Defensive Cyber Security Operations" (COMP3701), the Australian National University also offerers "Offensive Cyber Security Operations" (COMP3702):

"Offensive Cyber Security operations introduces and exercises a complete range of reverse engineering techniques and attack patterns. Students will also learn and exercise analysis of systems based on minimal information. This is a complete course in cyber attacks which enables students on successful completion to identify and test systems for vulnerabilities without full knowledge or direct access."

As part of the ethics training for ANU IT students I offer a hypothetical on Cyber Warfare over the South China Sea.

E-learning Missing from CSIRO's List of Sunrise Industries

Horton, Devaraj, McLaughlin, Pham, Naughtin and Hajkowicz (2018) have identified seven "Sunrise Industries" in ASEAN and neighboring countries. Curiously this report, from CSIRO and Data 61, does not identify education as a sunrise industry, despite it being Australia's third largest export. There is strong growth in demand from the region for quality education. In a report released around the same time as CSIRO's, the AI Group (p. 5, 2018) point out that digital transformation of the economy will require new skills of the workforce, changes
to education systems.

The industries identified are:

1. AI and automated systems
2. Financial and regulatory services technology
3. High value nutrition
4. Next generation energy storage and distribution
5. Cyber-physical systems security
6. Personal health and ageing
7. Digital infrastructure and connectivity

References

Ai Group (2018). Developing the Workforce for a Digital Future: Addressing critical issues and planning for action, Australian Industry Group. URL https://cdn.aigroup.com.au/Reports/2018/Developing_the_workforce_for_a_digital_future.pdf

Horton J, Devaraj D, McLaughlin J, Pham H, Naughtin C and Hajkowicz S (2018). Sunrise Industries: A snapshot of seven emerging industries in the formative stages of growth within ASEAN and neighbouring nations. CSIRO, Brisbane. URL http://www.data61.csiro.au/~/media/D61/Files/SunriseIndustriesReport.pdf

CEO Needed for ANU Cyber Institute

The Australian National University (ANU) is looking for a CEO for its new ANU Cyber Institute. This is an initiative of the ANU's College of Engineering and Computer Science (CECS) and the National Security College (NSC).

"The ANU has recently announced the establishment of Australia’s first interdisciplinary Cyber Institute, bringing together expertise across a range of areas to deal with the increasingly complex issues in the cyber domain. 

The Institute will present exciting new opportunities for research, innovation and education. The Chief Executive Officer (CEO) is the Institute’s Head, operating under the broad direction of the Institute Advisory Board. 

The CEO will be responsible for driving the strategic vision and operational plan for the Institute, working closely with executives and stakeholders across the University, industry and government, to create a globally pre-eminent Institute focused on addressing Australian and global cyber needs."

From: Chief Executive Officer - ANU Cyber Institute, Reference 10646, KPMG, November 2017.

Fake day care center website

ANU students get a preview of some cyber issues in the Networked Information Systems course (COMP2410/COMP6340), where I run them through a Cyberwar Hypothetical Over the South China Sea. This includes the example of a fake day care center website, apparently targeting Australian intelligence staff in Canberra.