Introduction
In this episode our host Fleur Anderson chats with Jessica Hunter, First Assistant Director-General of Cyber Security Services in the Australian Cyber Security Centre, about the many ways you can get into a cyber-security career, and how @ASDgovau is looking for curious and innovative minds who want to solve the impossible.
Listen to Episode 6 on:
Transcript
Fleur Anderson:
Hello, and welcome to the Digital Insights Podcast. A podcast brought to you by the Australian government's digital profession, keeping the Australian public service digital ready. I'm Fleur Anderson, and I'm your host. Today, I acknowledge that we are recording this podcast on the lands of the Ngunnawal people, the traditional custodians of the land. I pay my respects to their elders, past and present. I extend that respect to Aboriginal and Torres Strait Islander peoples listening.
Welcome back to the Digital Insights Podcast. Now, last time we met with two senior leaders in digital government, to discuss the challenges and opportunities in leading a country through digital transformation. Now, today we're delving into the world of cyber security, to learn more about the practical application of cyber security at home and in the workplace, and we're going to find out what it means to be a cyber professional. Today, I'm really excited to be talking to Jessica Hunter, the first Assistant Director General of Cyber Security Services at the Australian Cyber Security Centre. Hello, Jessica.
Jessica Hunter:
Hello Fleur, how are you?
Fleur Anderson:
Ah, very, very well. I am wanting to learn more about what a first assistant director general does in cyber security services. So first of all, I always thought the Australian Cyber Security Centre, which is a government agency, was mainly about talking to IT departments about, for the business teams, on the types of cyber security arrangements that you need to have as a business to be up to date. But then the other day, I saw a really funny tweet from the Australian Cyber Security Centre and it said, "Roses are red, violets are blue, don't let a cyber criminal fool you." And it was just ahead of Valentine's day, warning people who were out looking for love online, just to be careful when they swipe right, they make sure it's in the right direction. So it seems like there's a lot more to the ACSC than just about updates to your software.
Jessica Hunter:
Exactly right, Fleur. And kudos to our media and comms team, they, every day put out a new social media tweet or an idea on Facebook, helping bring technical issues to everyday people, and that's really what we are about in the Cyber Security Centre. I might explain where we sit in the broader government structure, just to have a sense of what feeds all the information which we get in the Australian Cyber Security Centre.
We actually sit in the Australian Signals Directorate, which is an agency which has three main functions and missions, and those are signals intelligence, our ability to do disruptive activity and also the protection of the nation. And all of those three elements and missions come together to ensure that we're informing cyber security from an intelligence perspective, as well as a very broad partnership across industry, working with a range of allied nations and also all the information we receive from the public, such as information, which comes in based on that Twitter romance scam advisement or notification, we then get individuals in the community reporting into us, all that information then helps us provide the best cyber security advice out to the nation.
And you're exactly right, we aren't only focused on protecting government or the big, big businesses. We're actually focused on protecting individuals from security issues, such as you've raised already around romance, cyber security risks. We also help small businesses, we then do also help critical infrastructure, some of the essential services across our nation, which keeps our nation running, and then all the way through interstate and territory and broader government. So a huge remit and a pretty exciting job, being able to see all the threats that are impacting the nation and doing something about them.
Fleur Anderson:
So that's so interesting. So I mean, I'm old enough to remember when the Australian Signals Directorate was mainly about, I don't know, listening to satellite communications and things that are very hush, hush. And now it's become, actually because of the internet, something that just affects us all on our everyday life.
Jessica Hunter:
Exactly right. We've really shifted our public profile as an agency, and that's because of the critical information which we have and the need to translate that to actually provide tangible, practical advice. So in the past, 10, 15 years ago when I joined ASD, around 20 years ago, we couldn't talk about what our job was. We didn't really know what type of work we would be undertaking. We were effectively just being told we will be analysts. Nowadays however, if you come through a digital stream into the ACSC, in particular within ASD, you'll be able to truly see the level of impact you deliver back into the nation on day one. So we have graduates who come through our department with a range of different skills and from day one, they're chasing down those cyber criminals you mentioned earlier on, and they're actually disrupting their networks and then helping ensure that individuals don't get infiltrated, or their networks don't get impacted by some of the malicious code that those cyber criminals drop onto devices. So it's one of those jobs that you can see that real world impact from day one.
Fleur Anderson:
It's amazing actually, just how so much more visible it is. And I noticed that even, I think it was this week, that the ACSC put out something with your counterparts in the UK and the US, about the rise of ransomware. I mean, is this the biggest threat at the moment? What are the big threats?
Jessica Hunter:
Absolutely. So ransomware is one of the biggest threats that we're facing at the moment, and that's because of the disruptive nature of it. We've seen a significant increase in ransomware, at the moment I think it's around 13% increase in cyber crime reporting, of which some of that is ransomware, and around 63,000 cyber incidents in the last financial year had hit Australia. What we've assessed based on ransomware and cyber crime activity, is around $33 billion in loss that's been reported to the ACSC in the last year. So huge impact from those types of attacks. And also, the ability for actors to gain that amount of money is fairly easy, and that's why we were quite concerned about ransomware because it's something that an everyday individual might click on a link, and then they may have all of their files and their backups be ransomed, and we are seeing individuals pay those ransoms. And the ACSC and broader government has strongly recommended against paying those ransoms because those individuals then potentially will come back and pull the ransom again on those individuals, which continues to be an economic loss for the whole of the economy.
Fleur Anderson:
So just individuals having their own information hacked.
Jessica Hunter:
Yeah. And we get calls, so we have a 1-300 cyber hotline, we get calls every day from individuals who've said that they've clicked on the link and then they've had a significant amount of money that's been taken from their accounts, or they've had a malicious code dropped onto their mobile phone, for instance, which has then pulled all of their personal information, and then from gaining all that personal information, the cyber criminals are then able to extort them and gain money from that approach. So every single day individuals are impacted by ransomware and by the cyber crime actors in the environment, and effectively in the ACSC, there's two ways to look at that problem. One is from a technical perspective, what can we give in terms of technical advice, and I'm happy, more than happy to talk through all of that today with you Fleur. But also there's an angle around ensuring that we can disrupt those groups and that's doing that with our law enforcement partners.
And that's where, going to your point, we work very closely with our allies, so we release advisories, as you've mentioned, with the UK and the US, and we also work incredibly closely with other government departments, such as the federal police and the ACIC. So it's a real team effort to go against ransomware and cyber criminals in our environment. So every day we're trying to look out for those threats, to protect people like you and those individuals who've swiped right when they've read the right Twitter posts that have come out from the ACSC.
Fleur Anderson:
Right. Oh, that's so interesting. Well, we might come back to some of those tips and tricks for people a bit later then.
Jessica Hunter:
Oh, of course.
Fleur Anderson:
One of the things that you mentioned before, it was about the types of people who are coming to work for the ACSC. And now I have to admit, okay, so we've all seen those Hollywood movies where the hackers and the cyber experts are sitting in a dark room, pounding on a very noisy keyboard.
Jessica Hunter:
With a Red Bull next to them.
Fleur Anderson:
Yes, with a Red Bull and there's alarms going off, and then people are saying, "We've been breached," and the, "Okay, we're in." And I'm assuming that's exactly what it's like when you go to work every day.
Jessica Hunter:
It is exactly what it's like when I go to work every day, we have no windows, everyone's got a vitamin D deficiency. No, look, the world has changed, and as you've made the point, we're all living on the internet, tech is part of our DNA now. So back in those days, there may have been a select group of individuals who were required to do cyber security type of work, or who were developing the capability that underpinned that. But now effectively, if you come into the ACSC, we've got beautiful big windows, we're very open to industry and very open to the public, and the type of individuals we bring in, come from a whole range of disciplines. There are still individuals who have hoodies and wear their dress hoodies when they go to present, and there are absolutely still some of my amazing technical staff who will wear a suit once in their lifetime to do a presentation, but also have the full spectrum.
We've got a large range of females who are coming in, particularly coders, and those who have an innovative or creative mind, those are the individuals who we're bringing at the moment because ultimately, it's about analysis and finding those cyber criminals. We also have a really neuro diverse range of individuals coming in, and that's of their specific skillset, and we're really looking to bring more of those individuals in with those unique capabilities. Also age wise, we have quite a young workforce and that's because tech is part of your upbringing now in the way that you are brought up in school and in the work environment. So we're really seeing a lot of entry level programs and individuals come into ASD, as well as some of the more senior managers as well, a huge mixture. We have military staff in our organisation as well, and we still work very closely with the Australian Defence Force.
But I think if you came into the ACSC now, you wouldn't be able to pick that we're a very technical workforce and that's because we bring in such a diverse range of skills. To share with you, I think probably my two favourite techs at the moment, one is a geologist by trade, who is currently one of those individuals hunting down the hackers and doing the mitigations against them, and the other one is studying in a PhD to be an archaeologist. So that gives you a sense of those individuals don't come through the traditional IT engineering background, but in ASD, we train them, we re-skill them, and as long as you've got a really curious mindset and you're not afraid of technology, then there's absolutely a home for you at ASD, and in the Australian Cyber Security Centre.
Fleur Anderson:
That's fascinating, a geologist and an ...
Jessica Hunter:
Archaeologist.
Fleur Anderson:
Archaeologist. And so you mentioned also neuro diverse people that you're actively recruiting there, I think that's so interesting because I think we all have got friends and family who may be on some sort of spectrum there, either ADHD or autism spectrum disorder. Not that I'd call it a disorder, it's more of a superpower, isn't it?
Jessica Hunter:
Is an absolute superpower. And particularly in our organisation, the unique skill sets that individuals bring, we have to be incredibly open to and welcoming to, because of the outcomes that they can achieve. And that's been very at the core of ASD and our recruitment for many years, recognising that we're looking for individuals who have a curious mind, who are innovative and who want to do almost the impossible. One of our values is about being audacious in concept, but meticulous in execution. So it's about having that mindset to think, what is the art of the possible, what can I do within the bounds of my functions and my compliance regime, to make sure that I can achieve the impossible and protect the nation? So all of those individuals who have that mindset, are the people we're looking for.
Fleur Anderson:
And so how do you recruit? So say, and we all know -
Jessica Hunter:
Are you going to sign up Fleur and come and join us?
Fleur Anderson:
Well, I have to admit, I was looking at it thinking, wow, this looks pretty interesting. But say, if you're either leaving school or just starting uni, I mean, how do you get in touch and get onto the radar?
Jessica Hunter:
Absolutely. So great question, because if you are from Canberra, it's fairly straight forward, because we're a government town and everyone knows how to get into government, but we're really interested in bringing all of those diverse skills from across the nation. We have linguists who work for us, we have software developers, we have archaeologists. So we have a range of different entry level programs, some of which may start in our internship program, or even our work experience. That means you're still either at high school or at first or second year university, and you can join one of our entry level programs, and when you do that, you get a little bit of a taster of what we get to do. And as I mentioned before, when I joined 20 years ago, I went on blind faith that this would be an amazing organisation, and obviously I'm still there, so there's something in that.
But the individuals can go to our website, asd.gov.au, and cyber.gov.au, and they can see entry level programs. So often when you're going through school and university, you don't know who you are and what you want to be. These programs are a really great way to dip your toe in the pond to see if it's of interest to you. So those are the first level, and then we have graduate programs as well, where we bring individuals in with specific degrees. And again, those are not limited only to traditional IT degrees, we also bring in engineering, language skills, art skills, the whole gamut of skill sets. And then we also have a lot of direct entrant programs, so we are doing rolling recruitment at the moment, and that's because our approach is we will train you into some of the specific skills that we offer, and also the type of work we produce.
We don't expect you to have the full kit and caboodle when you arrive, so you can come in as a direct entrant and then identify several different careers in either the cyber centre or ASD in total, and we'll help you navigate your career through that process. So many, many ways for individuals to come in and our website is probably the best starting point for that, or if you've joined one of our entry level programs, you often might have a mentor. So I actually mentor several of the high school and university students who are coming through our entry level programs. So they get direct insight into what our organisation does and what I do to support it. So that will again, give you more of a flavor as to whether this is the right fit for you.
Fleur Anderson:
Wow. I wish I was just at high school, starting a new career, it's just amazing. Okay. So maybe can we have a chat about how you came to be here, because I mean, you did mention that before you couldn't say what you were doing, you were an analyst. So I'm reading between the lines that you actually used to be a spook.
Jessica Hunter:
Oh, that's such a sexy word.
Fleur Anderson:
Well, you're not wearing a trench coat at the moment.
Jessica Hunter:
No, I'm not. I'm sorry, I'm not following the mould, am I, Fleur? So I joined ASD as a graduate and completed a university degree, and I did a lot of work in the traditional, you're right, spook realm, in that I was effectively providing intelligence support to our military operations to protect us from terrorist groups. So I did very highly operational crisis level work, and very technical work in that area as well, which obviously I can't tell you all the details on, sorry, I'll do that offline. But taking those technical skills that I had developed and ASD taught me most of those technical skills, because there's no university that teaches you how to do intelligence, pivoted that to the cyber security side, where I wanted to see both the real world impact I had from working in the terrorism and counterterrorism area, but pivot that into more of a technical realm and bring the human flavor to that.
As I mentioned before, cyber security can be seen very technically, but ultimately it's a person behind the keyboard hacking, and it's a person behind the victim device that gets hacked. So bringing my operational skills, my crisis management skills and my people skills, I pivoted into the cyber security mission within ASD. And I think first day, the advice given to me was basically now you're not going to be tracking terrorists, you're going to be tracking cyber criminals, make sure that you stop them like you stopped the terrorists, that was effectively the mandate on day one. And I can see a lot of linkages between the two, but really the value of having the cyber security centre in an intelligence agency, is it's fed by all of that rich unique data. But the value now is we can bring in all the industry data and partner data as well, to give that holistic national threat picture to the nation, and that's pretty unique. There's nowhere else within Australia that has that mandate and that visibility that the Australian Cyber Security Centre has, to ultimately help the Australian populace to be more secure.
Fleur Anderson:
That's so interesting. So that crisis management operational role, you've now transferred to ...
Jessica Hunter:
Cyber security.
Fleur Anderson:
Cyber security. So I mean, again, it makes me think of a dark room where everyone's muttering and jargon and like, "Do it now, do it now." Is it like that?
Jessica Hunter:
So there are absolutely days like that, I will say, and that's because of the threat environment deteriorating over the last couple of years. As I mentioned before, the increase in the cyber threats, the amount of reporting we're getting into the Cyber Security Centre, and when we see public vulnerabilities be released. So listeners may recall in December the Log4j vulnerability, and that was an incredibly widespread public vulnerability, which impacted hundreds of thousands of products that all of us use in a day to day basis and all businesses use. So that day probably felt like a crisis day for us, where as a centre, our role is to ensure that the Australian public are forewarned, have an awareness, and importantly, also know what to do about that vulnerability. So there are absolutely days like that, and what I see in terms of a day in the life of an analyst, is all of us pulling together in both the Cyber Security Centre and the broader ecosystem in Australia.
So the cyber security firms and threat intelligence firms, our allied partners overseas, our law enforcement, all coming together and saying, "What do we know about this vulnerability? What does the public need to know about it? And what are we seeing in terms of impact?" And it feels a bit like a crisis coordination meeting when we all get all those various elements together to then put out all of our public advice and guidance. And some of that you see on our cyber.gov.au very technical guidance, which are written by our vulnerability management area and our pen testing area, so those are those skill sets, all the way through to our advice and guidance that we give to mums and dads who may have children who are using devices that could be impacted. So we deal with the full spectrum, but it's really that team effort that enables us to provide the right guidance.
And then we close down that crisis management feeling, and we wait for the next threat that hits us, which as I've mentioned, because of that deteriorating threat environment, is almost daily. Whether it's a cyber criminal, a hacktivist, a nation state actor, Australia remains a very juicy target for those actors, and we all need to remain very vigilant, whether it's the cyber centre or individuals like you and I in our home life and how we're using all our devices.
Fleur Anderson:
That's a really important point, isn't it, because we do have such a crossover now between our devices at home and at work, we no longer just have like a big clunky computer sitting at work, and then we go and switch off. So I mean, how do we ... being cyber safe can look a bit overwhelming when you look at some of those really technical guidances and people don't have time, you're just like, do you want to update now? Oh, later.
Jessica Hunter:
Never say later Fleur, never say later.
Fleur Anderson:
Okay, I've learned something now.
Jessica Hunter:
Always choose the button, update now, never the five minutes later, once I finish watching this streaming video. That's a good tip.
Fleur Anderson:
That's good to know. I have to admit I'm guilty of that.
Jessica Hunter:
And never click on a link Fleur, that's the other one, never ever click the link, because that may take you to a malicious website where they want to harvest your credentials. So harvest your passwords and your usernames, and that's how they often get into bank accounts and are able to then extort information from you.
Fleur Anderson:
And so how do we have that discussion with our friends and family and our work colleagues? What does good look like and what are the basic principles?
Jessica Hunter:
Yeah, absolutely. Great question. And you're right, there's a whole spectrum. There is what we produce in terms of the information security manual for big network owners, the IT staff that people do want to put in a little room and leave quietly there, all the way through to what about my five and six year old, who's using an iPad on a daily basis, how do I protect them from some of the websites that I don't want them to see and develop really good habits. We have a range of step by step guides for those varying different audiences, and you're exactly right, everyone needs a little different piece of information. I guess I've got some starting principles for folks who are overwhelmed by the tech advice and guidance and aren't sure where to start.
We actually produce, and I've got one here for the listeners, sorry, you can't see this, but Fleur is looking at all the colours. We have concertina little hard copy books, which are available online, which literally step through day one, what is my checklist of things to do, day two, what is my checklist, and that is really digestible information. So day one, really simple things such as make sure you've got automatic patching on, make sure that under your settings, whether it's your iPhone, your Android device, your tablet, your laptop, that under the settings, you have automatic setups on. And also what we call in techie land, two factor authentication, basically means second step process, put a pin on your social media, on your chat. So if you're using a chat profile, choose the [inaudible 00:22:53] pin, that just gives you an extra level of security against any cyber criminals who are hoping to gain access.
Other really simple things, get rid of all the apps that someone has put onto your device when you weren't looking, whether it's your small child or whether you're purchasing an item, but you never want to go back and do that, clear your desktop. And that's because all of those apps each have their own security settings and some of them may be more secure than others. So by having a legacy app that's sitting on your device, that potentially is the front door for an adversary to come into. So on a regular basis, clear those off. The other thing we also say is to create really strong passphrases. I'll be really honest with you, it is hard to remember passphrases or passwords.
Fleur Anderson:
Yes, I have trouble remembering what I ate for dinner last night.
Jessica Hunter:
Yeah, exactly. And long gone are the days where you could have four or five that you could recycle. We strongly recommend not recycling, but go with a passphrase. So that's something like "this bottle of water is fresh." So that's a phrase that obviously the tools that the cyber criminals use, can't easily break that passphrase. But the other tip there is use a password manager, and that actually there are very secure products out there, which help you not have to remember all of your passwords and passphrases, and you just allow technology to support you.
Other thing is ensuring that you have, as I mentioned, automatic updates, and don't delay those, but make sure your devices are plugged in for your automatic update. That's another gotcha, where if you haven't got your device plugged in, the automatic updates sometimes won't work. So you think you've been updated and you haven't been. And as I mentioned before, vulnerabilities that come out, within a day adversaries are turning those vulnerabilities around and exploiting them. So that's how quickly you've got to patch and that's how quickly you've got to do your update. So that's where please don't delay, please make sure you click right now I'll do it this moment.
Fleur Anderson:
Right, okay. I'm going to take that more seriously from now on, because I just think, oh, is it more features that I don't want? But I understand now why they say do it now.
Jessica Hunter:
Exactly. Because built into that is anytime they do a new update, it's usually because they've identified just a gap in some of their code and that gap is what allows the cyber criminal in. So that your best defence is ensuring you've got all your updates up to speed and that you've got that automatic setting in place.
Fleur Anderson:
Can we also talk about everyone is on social media basically, unless you make a conscious decision not to, can we talk about some of those things that are creeping through, like the recommended videos to watch and all that sort of stuff, but obviously people out there who know this sort of stuff, know a lot about us, probably more than what we know of ourselves. Can you just talk through who might be behind some of those videos that we get put up, it might be cat videos or crazy boat accidents or that sort of thing?
Jessica Hunter:
And they're based on data analytics, so they're based on what your click ratio is like and what you're previously interested in. And those videos often will take you to websites which are holding malicious software or code, which may then download on your device, but they're designed as lure or bait because they've determined through the analytics of the platform you're on, that you're interested in cats and you particularly like cats who jump away from cucumbers and therefore that video comes up. So they can be particularly concerning because the analytics are designed that you click and when you click, that malicious software might drop down on your device. So for those types of things, it's being really cognisant of where they're taking you, often you're on your own social media platform and that website, sometimes it'll do a popup, if you've got that setting on your device, it'll say, we're now taking you outside of your website or outside of this particular product or that app.
And it's that moment that you should be quite cautious of, because that's effectively saying you're losing all the control of your app or your social media item, and they're taking you to an unknown website with controls that you're not tracking and not aware of. So that probably is the point to stop and not move to the new website. But we do see that activity occur and then individuals will go to those websites, and then those websites will either spoof to look like your banking website so you can put in your username credentials and then they've pulled those by cyber criminals. Or it might take you to a website which then drops malware back down onto your device. So you're exactly right to be cautious of those, and the first step is when it says, we're moving you to a different website or platform.
But the cyber criminals are very clever, I think that's probably the other point there, that they know what you're interested in. We saw a lot of activity around COVID-19 and the pandemic, and some of our entry level analysts were working on these particular issues, where we saw cyber criminals pivot and create fake SMSs, talking about individuals receiving their MyGov payments, for instance. So individuals-
Fleur Anderson:
Very devious.
Jessica Hunter:
Very devious and so vulnerable as a nation because at the very beginning of the pandemic, that was critical for our economy. So we saw a cyber criminal syndicate undertake that activity, and then this is the power of ACSC working with partners, we then worked with government departments and telecommunications companies in Australia to disrupt those activities and effectively stop those fake SMSs coming out to the populace, because they had already been very successful in soliciting funds from very, very vulnerable Australians.
Fleur Anderson:
Do you also have a role in disinformation? I mean, we see that a lot now and the types of radicalisation that previously it might have been around terrorism, extremism, but now we're seeing a rise of different types of extreme.
Jessica Hunter:
It's a great question. And we are very clear in ASD, in the cyber centre, we actually don't get involved in disinformation. We work closely obviously informing on threat to our colleagues in the intelligence community, also home affairs, with their countering foreign interference initiatives. And that's because within ASD with a technical lens, we are very much focused on the security aspect from a technical network perspective, rather than disinformation, which doesn't have that technical security element to it. And it's a great question because often in government and the populace, trying to determine which government department is best suited, ASD very clearly in the cyber security technical area, versus the disinformation. But I see, and I work obviously closely with partners as they're working through that very challenging manner and issue around disinformation.
Fleur Anderson:
Okay. So just going back to some of the threats that we talked about before, and maybe if we could go through say a real life example that you mentioned, and this is one that I heard of the other day.
Jessica Hunter:
Yeah. Okay. Let's hear it.
Fleur Anderson:
So I'm assuming it was a ransomware issue, so someone gets an email and I'm not saying I'm asking for a friend -
Jessica Hunter:
Is this you, Fleur?
Fleur Anderson:
No, it's not me, I'm going to say this upfront. Someone gets an email from an unknown source saying, "We know what you've been looking at. You should be disgusted with yourself. We are going to, unless you give us $5,000, we are going to send your browser history to all your friends and family, all the people in your contact books, all your work colleagues and your employer." What should that person do?
Jessica Hunter:
Right. So that's one that people see often and we get a lot of. So first of all, don't click on the link, don't respond to the email, don't take any forward action on that. And that's because ultimately what the adversary, the cyber criminal in this instance, is probably attempting to do is to see whether your account is active. And we refer to this as click bait, to see whether you're going to respond to it. So definitely do not respond to the adversary in that instance. That falls into, within definitions, a scam, unless there's a technical piece of software in that email, or it's taking you to a website that has technical code in it. So in that instance, the best route you're probably going to take is to notify Scamwatch in the ACCC, you may also wish to notify the e-safety commissioner and the e-safety commission, and they have a portal as well to flag that.
We do get some of that reporting to the Cyber Security Centre, under our report cyber capability, and we'd be more than happy to receive that. But the bulk of that will be scam enabled business compromise, so it doesn't have a technical angle to it at the beginning, it's purely a relationship scam, which would then fall into ACCC and e-safety commission. We work closely with them though, those particular government departments, particularly looking at trends. So do we see across Australia a greater trend in scam emails, such as you've mentioned, or do we see it more in the cyber security spear phishing emails, which then prompt an individual to put in credentials and then malicious code is dropped down the network. So we're monitoring both of those and cyber criminal groups will probably have a range of those tools in their toolbox.
So they might do what we call phishing emails, which is when they'll send you an email and ask you to click to solicit information and drop down malware, or they might do the scam emails to try and solicit a conversation, where an individual might then provide them direct contact details like financial bank credentials. So you're right, the environment is so complex for an individual because there are so many different scams and security incidents, where these very clever cyber criminals are trying any mechanism possible to get into our devices. And that's where those basic hygienes will help you, so the things such as the updates, things such as second step, and also trusting your gut a little bit, this doesn't feel right, why would someone be talking about videos that don't exist, so there's a little bit of personal understanding of your own situation and how to respond to that sort of activity.
Fleur Anderson:
And what I felt when I heard this example, was the fact that they're using shame to try to get ...
Jessica Hunter:
It's emotive. So emotive. Yep.
Fleur Anderson:
So what sort of advice would you give to people who might not actually have that awareness, but who might feel like they have to go and fess up to their employee, that they were looking at cat videos on company time or some other thing, what's your advice to people, on that emotional side of things, on how to brush it off?
Jessica Hunter:
Yeah, that's a really tricky one because it goes to that human nature of technology. And so there are a couple of things, calling up some of the hotlines and talking to someone who has experience in dealing with that, will help individuals. So if it feels unusual, call the scam hotline, call Scamwatch, so that the first point of call is to test that, and then they will also give you direct advice on we've seen this trend before, and this is how we would handle it. I think also being confident in your existing settings that you have on your devices, the more knowledge you have of your own, the more confident you can be, "Actually, no one's in my network. No one's got that video. No one's got that device." So it's about being informed probably as well.
But it's a tricky one because it's a very personal, a range of different individuals respond to those scams very, very differently, and I've definitely seen through our 1-300 cyber one number, very upset and distressed individuals. So you're right, people do take the emotion when they do get impacted like that, and they've definitely called us up and we've talked to them through what mitigations to put in place and how to protect yourself in the future.
Fleur Anderson:
No, I think that's really good advice. And particularly we've all heard of older relatives being scammed and the old phone call on the home phone saying, "I'm from Telstra, we just need to check your IP address." It's insidious, isn't it?
Jessica Hunter:
It is, and it's one of the reasons we, through some government funding, established an improvement to our 1-300 cyber one number, directly for older citizens and that's so they can call us up with their cyber incidents, even if they're just not sure what to do. So we actually have a really, really personal call centre that actually steps them through some really basic things that they can put in place on their device, so that they have that level of assurance when they have received something such as a phishing email that might be trying to solicit information. And those calls are very emotional.
Fleur Anderson:
So I mean, this is just such a fascinating area and I could continue talking to you about this all day and say, "And here's another scam I heard."
Jessica Hunter:
Here's another one.
Fleur Anderson:
So if you're an existing APS staffer, or you're thinking about joining the public service or you're not in the public service at all, and you're thinking about just looking at cyber security as a profession, what's the first start on getting some skills?
Jessica Hunter:
Love it. So I think the first thing is be open-minded to this being a profession for you. And that's because a lot of people self-select out, a lot of individuals at the very first moment of, oh, could I be a cyber analyst, could I be a pen tester, could I be a vulnerability manager, say, "Oh, I'm not technical enough. I'm not smart enough. Or I don't think I have the right skillset." So the first thing is dismiss those ridiculous thoughts in your brain, because if you're curious and you've got innovative thinking, we would love you. So that's the first thing to get over, those personal hurdles. There's a whole range of courses, universities, mentors, and individuals that you could plug yourself into, anything with a STEM feel to it or anything within law enforcement or government. But honestly, I think going to cyber.gov.au and having a look at our website, we have a whole range of resources, a range of programs which you could come in and join.
And also some of our partners who we work very closely with, who provide cyber security training, whether it's a masters, whether it's a one day just getting a sense of what it is to be in a day in the life of a cyber analyst, it's a really great place to start. And from there, you'll start to build out your network and your knowledge. There are absolutely tertiary courses that are designed for cyber security, but equally, there are TAFE courses that ASD has sponsored and run, which allow you to create an accreditation or a certificate in particular areas, such as the IRAP program. So those are avenues that you can take and then they are respected and recognised across Australia, as critical cyber skills and qualifications.
So cyber.gov.au, start there and you'll see that spider web of opportunity once you start in that first place. But this is a huge booming industry, cyber and the threat environment's not going away, so even if you think you're slightly interested in, but you're not really sure where you fit, go to cyber.com.au and see, oh, actually that's a skillset I think I'd like to gain, and then you'll follow the prompts effectively to see which institutions might help you the most.
Fleur Anderson:
Okay. Good advice. So if you're thinking about, always being in a job.
Jessica Hunter:
Yeah, there is always full employment in cyber security. And I should say there's a whole gamut of that. I know a lot of folks, that you've mentioned Fleur, think of it as individuals with hoodies doing code and doing software dev, I have analysts who may have started out in software dev, they're now building the capability that we use to push all of the threat information in millions of IOCs out to our community. I have analysts who are reverse engineering software code, so they're actually like forensic analysts looking at how did the hacker get into that network, what did they do, and almost watching the tracks of the hacker into a network. And then the full spectrum, I have linguists who are understanding the motivations and the intent behind the adversary, and those individuals also who are working really closely with industry partners, translating really hardcore tech into something much more practical that we can provide out to individuals. So there's a whole spectrum of skills, definitely don't feel you've got to be pigeonholed into one particular skill set.
Fleur Anderson:
Oh, that's so interesting. And I love the fact that some people still do have their dress hoodie.
Jessica Hunter:
Oh, they do have a dress hoodie, absolutely, when they have to present and some even have a tie that sits in their drawer, that only comes out once a year for a presentation. It's a great team culture there.
Fleur Anderson:
Oh, look, that's just terrific, and thank you so much for your time. And I'm sure that if people have questions, they'll go to the...
Jessica Hunter:
Cyber.gov.au.
Fleur Anderson:
I knew you're going to, yes, put the plug in, and of course the digital profession program as well.
Jessica Hunter:
Absolutely, with APSC.
Fleur Anderson:
Well, Jessica Hunter, thank you so much for your time today.
Jessica Hunter:
No worries Fleur, it's been an absolute joy. Thank you.
Fleur Anderson:
Thank you.
You've been listening to the Digital Professions Insights Podcast. Find the Digital Insights Podcast on all major podcast services. Stay up to date by following us on LinkedIn or Facebook. And of course, if you haven't done so yet, join the profession today, you'll get access to exclusive learning opportunities, accreditation of your skills, and the chance to connect with peers across government, visit digitalprofession.gov.au for more information. See you next time.