
Director-General of Security Mike Burgess

BSides Canberra · 2021 · 36:18 · 2.1K views · Published 2021-04
Style: Keynote
About this talk
BSides Canberra 2021, 9-10th April 2021 National Convention Centre

now next up we do have our opening keynote of the conference and it is an amazing conference it's in fact so you know we're so privileged to have this keynote speaker that kylie you know kylie and i are both going to introduce him so you might have seen in the booklet he is our keynote speaker the director general of security for australia also known as the director general of the australian security intelligence organization or asio mike burgess it really is a historic moment i think to give this keynote speech back in 2012 in defcon keith alexander the head of the nsa spoke to a bunch of hackers and that was a historic moment but this

also is a historic moment for the director general of asio to speak um to to us this is his first um public conference address uh since taking up the appointment and it is just an amazing privilege to have him on the stage really an amazing speaker as well yep so we're tag teaming this one because we had a little fight on who was going to introduce him so we're both doing it and it's always a little bit nervous when you're introducing someone you know of such significance as mike who does make a big difference to the computer security industry in australia i want to say three sort of points about mike before he comes up on stage

hopefully i can remember i've practiced and i'm so nervous so um number one mike has been a big supporter of b-sides canberra and this community for a long time and this this is this is quite interesting um people probably don't know this but uh each year he buys tickets for himself and his partner and his family and he maybe he doesn't even know that we realize that so instead of most you know senior leadership where they think they should get the free tickets we're a bit different here where we give our free tickets to the students and we expect our senior leadership to you know cough up a hundred dollars but he has never expected to get a free

ride to b-sides canberra in fact he's been a big supporter of the community um secondly um mike is an engineer he has a tech background i'm an engineer so straight away i'm friends with him because if you've done an engineering degree that's pretty tough he has a tech background he's been a coder he's been a dev so he's probably one of the most senior techs i know in australia in terms of the government um i think we did i think there was some banter of maybe doing some live demos on stage but i don't think he's going to attempt the demo gods today but i mean he sort of come from this background so he understands where we're

coming from and the third point he wants to engage so he's not going to come up with a bunch of talking points and just talk off to you he wants you guys to ask questions he's asked for about a third of his talk to be questions so get on slack make sure you ask the question silvio will read them out to him this is our opportunity to talk to someone who's very influential for australia and um computer security so and that's my three points practiced and delivered i think i did okay okay without any more from us here's mike burgess i'm probably going to mess up the setup here so just give me as i get set up

thanks guys for that great introduction um i'd love to see you do a jig or two silvio that would be great what a fantastic event this is and it really is down to many people everyone sitting here everyone listening online the organizers and your sponsors so congratulations this is a fabulous event i'm very pleased to be here and i'll get back to that in a second but before i do i want to address why the fact i'm using paper notes to talk to you today out of respect for this crowd i'm people who know me will know i love my tech and i'm attached to my tech and i'd normally have my ipad here and

whilst my ipad probably has voided apple warranty for what we might have done to it i know there's a lot of people in this room who'd love to have a crack at that ipad and i'd be pretty confident you'd get on it so because i didn't want to be embarrassed and embarrassed probably because the password chosen i can't use face id and maybe my password wasn't up to scratch i'm sticking to notes today and i hope you forgive me now i'm very pleased to be here but of course maybe as the guy said in the introduction maybe some of you are not so pleased to see the director general security here at a hacker conference

but from my point of view it makes perfect sense uh why because asio has expert hackers we have hackers who hack computers we have hackers who hack computer networks we hack phones we hack buildings and actually we even hack humans always lawfully of course and when we're hacking always with a warrant and equally important we're doing it um and only for the purpose of protecting australia and australians and threats to their security and that's critically important so before i go into the security environment i thought i'd share that with you and i will say at this point i'm also very eager for the questions and your questions can be really hard and you can challenge me and i'm very much up for

that if i can't answer the question i'll tell you why i can't answer that question i really do want your questions before i do the threat overview though and i noticed at the front silvio said we're not selling to you i'm selling asio today to this audience because i want to do a shameless plug for the recruitment campaign we have underway before i get into the threat environment so i'm looking for people with a passion for technology and security i'm looking for people who know how to hack we're looking for people who would be part of our digital and physical access capability and some of you would really love to see our locks and key room

also looking for people who could actually take a car apart move it in through the narrow doors of the asio building into our corporate foyer put it back together again like it had never been taken apart all for a training exercise we need people who love to do that we need people who do that and we want to have people who actually will do things that everyone else will think is impossible i know this crowd will think it's possible but generally most people um would think what we do is impossible i think you get the drift so if you want to make a difference actually and you're a lateral critical thinker with deep technical skills i think asio

might be the place for you because we're looking for you our technical ability and agility go at the heart excuse me as i make an adjustment we're good at microphones too and i rely on the technical experts for that and i'm a de-skilled engineer these days so that's happens to you if you don't use it you lose it and i try hard but i've lost some of the as you can see we need people who are technical because technical agility and smarts go to the core of asio's operations we go up against adversaries who are effectively unconstrained by the law resource and ethics we go up against violent extremists who are acutely security aware and tech

savvy and in both those cases we need to know what they're doing we need to out imagine them out maneuver them we need to see what they're plotting and understand what they're doing always lawfully of course so if you want a licence to hack then i reckon asio is a place for you our mission is really important at this point in time and i'll explain that shortly and the work for our organization is rewarding you'd get a chance to make a meaningful difference to australia's security my officers do extraordinary things it's also important to remember they're normal people like every single one of us at work they do things that you would think are impossible

although again i know i'm talking to an audience that probably has a great imagination and ability in this space but after work they're normal people and face the same challenges like we all do so we are recruiting have a look at our technical or technologies graduate program if you're interested apply if you've been at this a lot longer and that's not for you register your interest online and i can assure you we will respond to you we're headquartered here in canberra but actually we're not just here in canberra we live and operate in every state and territory and 12 other countries so we have a broad remit and we're everywhere so if you're interested and you don't like canberra although i

can tell you canberra is a great place to live please do apply all right so we also take diversity seriously we have to represent the people we protect and you'd be surprised by some of our people's backgrounds and i'm a director general with an electronics engineering background so i do take a lot of care and focus on the technical health and the health of my technical capabilities so you'll get good support right from the top down so if you're interested please do apply so let me now turn to our security environment we describe it as complex challenging and changing the terrorism threat remains at probable why because we have credible intelligence that individuals and groups

have the capability and intent to conduct terrorist attacks on shore and these attacks most likely will be a lone actor or a small group small cell rather than a recognized group that will use a low capability attack a knife or a vehicle not sophisticated weapons or we can't rule out that latter but that's what we're currently expecting and at asio we have the difficult job of determining and distinguishing between talk and action aspiration and capability last year there were two terrorist attacks in our country and two people died as a result and there were many disruptions in march last year in sydney an individual was charged with acts in preparation for a terrorist attack in november police charged individual

with planning to undertake a terrorist attack in the bundaberg region and in february this year in new south wales an individual was arrested and charged with acts done in preparation for and planning a terrorist attack this threat is real threat to life is real and will remain asio's top priority because it's a threat to life but now switch to threats to our way of life and specifically espionage and foreign interference and there's an element that's directly relevant to the technical skills in this community countering these threats is one of asio's most important missions in fact it's where our organization started 72 years ago spies are constantly seeking to penetrate government defense academia research business to steal

intellectual property classified information military capabilities policies plans and sensitive research they're intimidating members of our diaspora community and they're seeking to interfere in our political institutions over the last three years we've seen attempts at foreign interference at every level of government in this country local state and federal across every single state and territory classic techniques in espionage such as infiltration coercion or the recruitment of sources are still a feature of the security landscape that we look at today spy cliches like dead letter drops and writing in code are still actually a thing and they are used by foreign spies and their proxies and agents in this country last year asio's surveillance team spent a day

following a spy around a capital city as that spy was looking for dead letter drop sites i can assure you we took notes and the fact that i'm probably talking about it probably assures you we took action as well and more often than not though these classic approaches that we see in the physical world are combined with new technologies and i know this group knows that how spies identify meet and recruit people their targets has moved online you know this all too well and you also know the fact that cyberspace represents a scaled up way of conducting espionage it's the pace scale and reach of the problem which makes it significant and the way i look at it cyber espionage

is still espionage and that makes it asio's business and it's alive and well in this country and while cybercrime is the most um biggest portion of activities seen in australia cyber espionage is at levels which are unacceptably high so what have we done about this and what are we doing about it we've used all our human technical capabilities our partnerships our legislative instruments at our disposal to discover disrupt and deter threats to australia both in the real world and in cyberspace and we have significantly reduced harm we've hunted we've discovered and we have dealt with multiple attempts from multiple countries it's always important to make that point the press seem to always want to go to one or two

multiple attempts from multiple countries to steal australia's secret and undermine its sovereignty and last month asio recently uncovered a nest of spies in australia now i didn't actually say who the spies were or where they came from because i wanted the focus to be on what they were up to not who it was these spies were trying to obtain classified information about australia's trade relationships these spies wanted a public servant to give up security protocols at a major australian airport they tried to recruit a serving politician and they were monitoring their diaspora community they successfully cultivated a relationship with an australian government security clearance holder who had access to sensitive defense technology as you'd expect asio acted

we verified and we dealt with the activity we saw that government employee lost their security clearance and we confronted these spies and professionally and privately removed them from this country this will not stop and this is happening both in the real world and in cyberspace and if we look forward asio assesses that espionage and foreign interference will supplant terrorism as this nation's principal security concern over the next five years now as i say that it's important to remember what i said about terrorism the terrorism threat level remains at probable and we do not see that reducing any time soon and in fact i've spoken about some of the interesting dynamics we see at play in that space

so threat to life will continue espionage and foreign interference will supplant terrorism as this country's principal security concern the security environment is complex challenging and changing globally some nations few actually will continue to develop cyber tools as military capability and for the generation of military effects and while cybercrime is not asio's business it's not our patch the criminal gangs will continue on their objectives to make serious money and as we've seen recently as they do that they will have a disruptive effect on our society security is now more than important countering espionage and sabotage is asio's patch cyber espionage and sabotage enabled by digital means is very much our business and while we do not expect to see sabotage

actually in the real world in our country short of conflict we are anticipating pre-placement of software for potential sabotage when needed that's where it becomes a problem for us you know this more than anyone else that security requires coherent thinking across your people your places your technology and your information but sadly many don't and a deep technical understanding helps and then again that's a nod for this group this community is critically important for your passionate self-drive in this space you are part of the ecosystem where you're helping this country try and understand what our vulnerabilities are and how we fix them how we identify and manage these risks effectively and you're doing that by simply being you

and i congratulate you for that so why do we need people with deep technical skills and a flair for solving problems well spying is a race to innovate between the spire spy people spying and the spy catchers terrorism is a race to innovate between those wanting to incite and inflict violence on citizens and those trying to prevent it and at asio we're particularly skillful at innovating in this space as we address these threats we know our success depends on our ability to fuse new technologies and opportunities and the advantage they bring into our existing tradecraft and skill sets and to imagine new ways of doing things in our business as a conundrum the better we get

the harder it gets that's okay for reasons you understand better than most again but let me explain what it means if we're successful at doing something disrupting a spy network or disrupting a terrorist gang the extremists or the spies they'll just reverse engineer what we've done and the smart ones can figure out our capabilities every time we do our job it gets harder and what happens then these targets bank that knowledge and they change their approach in fact to detect and defeat our adversaries we have to do things they think are impossible and that requires constant focus and evolution so that applies to whether we're stopping to stop seeking to stop a low capability terrorist attack

or preventing spies from being successful spies who are well resourced and unconstrained by law and ethics once an adversary knows what we can do we have to be able to do something else now that's why we don't talk about our capabilities openly our capability protection is critically important but again i'm speaking to a smart audience who knows what's possible it's why we need our laws and our technical capabilities and more broadly our tradecraft to evolve there is no set and forget in my business and that is why asio continues to invest in new capabilities and that's why recruiting techies and that's techies in the broad digital and physical access capabilities we need to keep technology on our side

not on the side of our adversaries so in wrapping up the threats this country face are constantly evolving but my organization is evolving to meet those threats as a result of our actions over the last 12 months it's no longer true to say the level of espionage and foreign interference in this country is is unprecedented our actions have made a material difference to our security environment but as i've said espionage and foreign interference will supplant terrorism as this country's principal security concern especially as tensions continue or tensions increase but it's not a declaration of victory or mission accomplished the spies i worry the most about are the spies i can't know about or don't yet know

about we've seen intelligence gathering requirements continue during covid no one will be surprised there we know some foreign governments desperately want to know the secrets of our success that desperately want to know what's happening in our export industries and these spies will seek to return with deeper cover improved tradecraft and better technology at their disposal in cyberspace they will keep coming at us and as we see every day their tradecraft will continue to evolve and it will improve and as i noted earlier the better we do the harder it gets this game will continue we're constantly honing our skills our approaches and we're on the lookout for new people people who can think outside the box

well actually we're looking for people who can get into a box undetected and better still get into that box whilst it's protected by alarms and cameras that's the type of people we're looking for we need people to think what we do is impossible we do do that we do the seemingly impossible and i know that our work makes a meaningful difference so thank you ladies and gentlemen and i'm really looking forward to your questions or challenges and i understand it's done online for covid reasons so i think silvio you're going to fire away at me on behalf of the crowd absolutely we've got uh some some great questions there have been a continual stream of questions on our slack

uh channel and i suppose i'll start off with um the first one i'm just going to go through them sort of sequentially and you know and and skip maybe i'll not really skip any but if there's any joke ones maybe i'll just add a joke here or there the first one and this is by box bb i don't know how to pronounce this uh this handle but they've said this is a spicy one is it all of asio they can't use biometric auth or just the upper echelons and senior leadership and i suppose they've also asked you know really for the sort of the you know should individuals use biometric authentication um you know is is that a suitable uh

appropriate response or is it or should it not be trusted can you just repeat the first part i'm having a bit of trouble hearing with the way i'm sorry about that it's just that they've asked uh is it all of asio that can't use biometric authentication or just the upper echelons and the senior leadership um i would say no comment but i'll give you a better answer than that um there are um four individuals that are declared in asio beyond that i would not comment fantastic actually let me give a bit more um seriously our people they they operate in the real world just like you so they're out there doing the same things that you do and

they're subject to the same things you're subject to we have to live in that world and that's part of our tradecraft our officers identities are protected for very good reasons it's part of that we have to do things which the adversaries think are impossible and just a follow-up to that question should biometric authentication is it safe for the public to use i suppose that they've asked that question as well i would use it but of course this group knows in this technology world and the scorecard for corporations and governments protecting that information is not where it needs to be and we continue to struggle but communities like this help find the problem so they can be fixed

and just to be clear there's a hint in my title i'm the director general of security not the director general sneaky spying we do this for the protection of australia and australians and i am very comfortable and in fact i encourage the rising tide of improved security in the people space technology space information space because we all need that yeah great um the immediate question after that one uh is an interesting one actually and it says it asks how damaging were the snowden leaks for the intelligence community in terms of reputation and what did you have to do to repair that reputation yeah thanks that's a really good question well where you stand on snowden depends

on where you sit say okay i'm the director of security who also spent a long time in the australian signals directorate uh unfortunate damaging to capability real world damaging to capability which actually does not only hurt nations including potentially our own it puts people's lives at risks i can't say anything kind about mr snowden but he's a free man and he took his actions and i guess in countries things like that can happen and people can choose to break the law in terms of reputation i think the australian people are quite savvy when it comes to they know there's intelligence agencies and security agency in this country and they expect us to do their job

and rightly through parliament and through their own public advocacy they challenge and they question and that's brilliant in our democracy that could happen but generally i don't think our reputation was tarnished by that because people expect us to do the job and there's history is replete of examples of where intelligence and security intelligence actually does keep people safe yeah fantastic answer um another interesting question i think just immediately after that one as well this is by uh score of the last one was by adam by the way on the on the slack this one is by skorov and it says mike um with the increase of ransomware against critical services like hospitals some people are advocating for active

retaliation i suppose this is the hackback argument i suppose has asio done this and what are your thoughts on the subject well so we don't have a mandate and we're not against crime we're not an anti-crime agency we're not law enforcement we're not like the australian signals directorate that does have a role in preventing and disrupting electronic attack or cyber crime coming in australia offshore so we don't have a role but i do have clearly have a view i'm not a fan of hacking back unilaterally i don't think that solves the problem i'm an engineer i always go to what's the root cause and we know in the root cause there's some things that actually generally when

a company suffers a ransomware attack and you go back and look at the root cause that was a known problem with a known fix and i know it's complicated and now it's hard but actually seniors in corporations need to pay attention to their techs and actually do what's needed because that would doesn't stop at 100 but it would give you a little bit more resilience yeah fantastic and a recruitment question actually i suppose what are some tips you would give for someone who wants to get into the intelligence space and this person has said they're really passionate about human intelligence social engineering incident response and especially our leadership down the line so what would your advice be to them

well my tip is continue that passion and just share what you are and why you want to do this and that is the best foot forward so apply um and if you you know we have tech rounds open you can express your interest online our intelligence officers and intelligence analyst rounds are also open so depending on where you see yourself give it a crack put your best foot forward that's great that's awesome uh another uh interesting question now this is by a noble and he asks what are the challenges balancing the need to maintain an operational edge basically keeping exploitable vulnerability secret and balancing that with the need to protect australians and australian entities pretty much by applying patches and

closing holes so i suppose it's the protector or defender attack sort of argument here yeah thank you that's a great question and a good one to ask um yeah absolutely there's a question of equities in terms of do we keep does my organization keep something that actually works really well for us in a lawful sense but actually exposes all of you to compromise and damaged by spies or criminals and we do have a process by which we go through and if there are and we do make decisions about that and we do release stuff in the community to vendors it's a tricky one we do need to maintain a capable edge but if i had something

which was bleedingly obvious in terms of a vulnerability we would get it out there so people could patch it yeah fantastic question to a difficult question i think um this has 11 likes 11 smiley faces and four likes and and three um very strong likes does asio or asd have the better hackers uh absolutely the real question would be which one a asio or asd yes yes but no one asked me that question so it's okay i don't have to be in that difficult position oh great great answer so far mike and we'll keep the questions coming there's there's quite a few there's just a stream of questions so go on to the slack and keep on asking them

mike has generously donated his time and he's being really open and engaging here so we really do appreciate this um he's this question has already been answered i suppose what is the greatest threat to australia's national security and why i suppose that's already been answered in the in the threat assessment but you can add any extra points if you want to that um so espionage foreign interference supplants terrorism but terrorism still remains a problem so that's significant the concern is moving forward is the pre-placement of malicious software for potential disruption and as i said the criminals are doing a pretty good job at disrupting companies and therefore their customers today when a nation state chooses to do

it even to send a message i think we have to draw some air through our teeth and go crap because nation states are more resourced and can do more damaging things that's why security is important that's why this community is critically important we need more people like you who know how things work have a passion for pulling it apart finding those problems and getting them fixed yeah fantastic really nice answers another sort of very um a tough question i think again there have been a few tough questions here already when hacking with a warrant or hacking production resources in the interest of national security without the other party's knowledge how does scoping work how do you make

sure you stay on target and don't access resources that may be unrelated to the job yeah now that's another great question so everything we have to do has to be proportionate to the threat we're facing so when we start out in an investigation whether it's an extremist or a spy we start out at lower levels we start moving up our level of inquiry investigation we go to lawful means which can include our special powers warranted access and it has to be for the purpose and we're not on a fishing exercise when we get a warrant we're not tapping the whole of australia to look for who might be the problem our starting point starts the lower

level with less access and when we learn stuff and we can justify we need a warrant on this computer or this person we then do it but we have to justify why and it can't just be we're kind of interested yeah that absolutely makes sense uh a question now on cyber physical systems and this person kathy reed has asked as cyber physical systems proliferate in our homes and in our organizations asio can't protect australia alone she says how do you partner with manufacturers and consumers and other agencies how do you conceptualize security as an ecosystem i suppose sure so i put that in the bucket of the internet of things and what's happening in the

commercial and the our home worlds i'm a great adopter of that stuff just quietly so it's an important issue that's not asio's remit per se in terms of making sure those devices are secure by design and they've got good security we do need that that does need to be pressed into some companies do it well other companies are just goddamn awful at it that needs to lift up and i know there is some work in that regards of course i will share as you'd appreciate if we're trying to get into a box and a box is protected by those devices it does represent some challenges for us so i need my people to understand how i

can exploit that in a way that allows me to still do my job but my starting point is those devices need to be secure because the person asking the question is right it exposes everyone to those vulnerabilities and whilst it's great tech we can't have those consequences unintended by criminals or even nation-states but i suspect most of the damage there would come from criminal misuse and i've got the microphone site and i've got lots of questions but i do want to ask a question of my own so that i can you know have this opportunity and my question i suppose is that traditionally intelligence agencies have been very closed i suppose and we saw when you were director

general of asd asd coming out of the shadows i think was the phrase that was being used i've actually heard this sort of in a very positive way referred to as the mike burgess effect in fact the opening of you know the opening of information do you how do you see asio fitting into this um do you see asio as as as becoming more open or do you see it you know how do you see the the you know coming out of the shadows being applied to asio sure thank you that the reason for me for doing this both in asd and at asio is several reasons one and i'll speak about the asio role

it's simply i think i do need to we need to explain the threat to everyone that's important i also am a big believer of in our society people need to understand what asio is and why it exists not the how it does it because as i've said i will protect that capability my people's safety and security and our capital allows us to do our job is paramount to me so will we open to a point to explain who we are why we exist and what the threat environment is which helps lift and counter that threat environment and as you saw here today i do it for shameless recruitment purposes because i need people like you that was

the same reason i was doing it in asd a bit of transparency recruitment but explaining the problem but actually it's because asd needs people like you one more yeah fantastic thank you for your time again it's been such a great honor to have mike burgess one more question um what impact are you seeing from social media on your intelligence ops and on your agents oh that's a great question um impact no probably not i mean it's just a it's an information source that can amplify messages it's used by people who have ill intent is it damaging to us no we successfully navigating this digital world in which we live with some capability challenges and again

i'll plug and that's why we need people like you but generally no it doesn't impact us so thank you silvio thank you kylie thank you everyone i would say it's my honor to be here so thank you for having me and colleagues everyone here everyone online keep up the great work this is such an impressive community look at the size of the people you've had respond to this it's not driven by corporations it's driven by you and passionate people who bring you together so you can help each other learn from each other challenge each other i don't think there's another community like this in australia and it's brilliant so i'm pleasured and honoured to be part of it

thank you ladies and gentlemen thank you