It seems strangely appropriate that the first Pathbreaker Blog post should arrive in the wake of large-scale, state-sponsored, Australia-wide cyber attacks. Cyber resilience and capability building are a core focus of this company, and these attacks have only driven us to respond by delivering more and better cybersecurity services and new, innovative solutions as we do our part to anticipate, resist and repel cyber threats wherever they might emerge.
That said, the events of the last 48 hours or so are far from surprising.
Just yesterday I was quoted by Nick Easen in a special supplement to The Times on remote working.
…it’s currently open season for criminals. Distracted, afraid, frustrated, confused and isolated from colleagues, it would be impressive if we found a way to make remote workers into easier targets for cyberattacks than they are right now.
A day later, I am bombarded with messages telling me to turn on the news since it's now 'a good time to be in cyber', because Australia is currently the target of round-the-clock saturation cyber-bombing by an unnamed-but-obviously-known adversary. We need not point fingers, but it is worth noting that a failure on the part of the administration to clearly communicate what needs to be done, and more importantly how to do that which needs doing, is an enduring and recurring problem across the industry, to which I will return shortly.
First, I want to clarify that my remark in that article comes from a larger commentary and an ongoing campaign that I have pursued for some time now, aimed primarily at conveying the thoroughly established fact that the bulk of cyber risks are the result of human error or human actions, e.g., social engineering.
When I say this, it's important to emphasise that I am not saying that cybersecurity risks and threats start and end purely with so-called 'human factors' like phishing attacks and passwords on post-it notes. Similarly, I am certainly not denying the centrality or relevance of technological exploits, defences and system vulnerabilities in cybersecurity.
The reality is that cybersecurity, in practice, closely mirrors the meaning of its namesake.
That which is 'cyber' is the intersection of technology and humans, and we can see this in its origins in the Greek word kubernētēs, which means "to steer". If that which is cyber originates from the concept of 'steering' (i.e., steering a boat), it helps to recall that anything we call 'cyber' should therefore involve both a boat (technology) and a steersman (humans).
With this in mind, I and my colleagues at Pathbreaker pursue holistic socio-technical responses to emerging cyber threats: an approach that is often overlooked and urgently needed if we are to achieve a state of cyber resilience.
This brings us back to the question of what we are to do when faced with not one, but multiple national crises at the same time, and when both the problem and the solutions to those crises are more than a little bit complicated.
Not everyone is an epidemiologist, and neither are we all trained or experienced with the maintenance and preservation of a strong cybersecurity posture. However, in the current context of decentralised work forces, endless structural transformations and constant uncertainty, many are now left to fend for themselves and perform the role of the epidemiologist or the CISO at a moment's notice and with little to no support.
To be fair, the Australian government did instruct its citizens to head directly to Cyber.gov for information and advice. My initial takeaway from that expedition was twofold.
First, the advice offered, while sensible and valuable, also routinely strays well beyond the cyber literacy of most readers. For example, what proportion of the Australian public do you think knows what malicious web shells are? If the public cannot understand the threat or feel unable to learn how to repel a threat, then they will relegate the task to someone else, or they will give up entirely.
Second, reading the ‘campaign summary’ of the attacks revealed that, as usual, human factors lie at the core of the vulnerabilities upon which this attack campaign was executed:
The actor has also shown an aptitude for identifying development, test and orphaned services that are not well known or maintained by victim organisations.
Translation: HUMAN ERROR. Or, to use the classic car keys metaphor: Someone left the keys lying around in the lab, or they forgot they had a key in the first place.
When the exploitation of public-facing infrastructure did not succeed, the ACSC has identified the actor utilising various spearphishing techniques
Translation: SOCIAL ENGINEERING. In the keys metaphor: 'Someone was tricked into handing over their keys to a fraud'.
In short, the information and advice offered to the public that I saw was, to be blunt, mostly unintelligible to the audience for whom it was supposedly written, and the bottom line was essentially a reminder that nearly every vertical in Australia is ill-equipped to resist basic social engineering attacks and/or does not know how to secure its systems.
Again, this is not news to us, but it is a tremendous problem that must be addressed.
Pathbreaker is here to help: we have a formidable array of tools and resources at our disposal suited to doing just that, and we intend to make them available to as many people as possible, as quickly as possible. At Pathbreaker we feel that everyone should have the opportunity to be cyber secure, and that using technical jargon, mystifying computers and attempting to railroad a one-size-fits-all solution onto a highly idiosyncratic issue is counterproductive, to say the least.
So, this first post might not have come at the best of times, but I can at least say this much: you can resist cyber attacks, you can build your own cyber resilience, and Pathbreaker can help you become a very hard target indeed.