0:00:01.4 Max Havey: Hello, and welcome to another edition of Security Visionaries, a podcast all about the world of cyber, data and tech infrastructure, bringing together experts from around the world and across domains. I'm your host, Max Havey, and today we're talking about the intersection of military and cyber defense with our guest, Marcus Thompson, Director of Cyber Compass and a veteran of the Australian army, where his time culminated in a four year stint as the inaugural head of Information Warfare for the Australian Defence Force as a Major General. Marcus, welcome to the show. Thanks for joining us here.
0:00:30.4 Marcus Thompson: Hey, good day, Max. It's good to see you and thanks so much for having me on the show.
0:00:34.5 Max Havey: Absolutely, I want to jump right in. I've got many questions for you here, so to jump right in here, can you tell us a bit about your role in the Australian army and how that wound up crossing paths with cybersecurity and all things? I know that's probably a long story, but give us the Cliff's Notes version.
0:00:49.2 Marcus Thompson: Yeah, I can try. Because of course it was a 34 year journey, well, maybe a 30 year journey to get to that last four years where I stood up our information warfare capability. So, Max, I grew up in the Signals Corps. That's the part of the army that does all of the ICT information and communications technology for the combat force. I was an electrical engineer originally and then lots of time in conventional forces, a little bit of time in Special Forces, some time in capability development. All of my important command time was with our high readiness conventional forces. And I commanded at every level from troop to brigade. In fact, I was the first Australian permanent Army officer from a Signals Corps background to command a brigade. We did different scale here in Australia compared to the US Army and then finished... As you mentioned, finished with that final four years as the inaugural head of Information warfare. So how did I come to that job? Well, I just as a brigade commander, set up and nurtured Army's cyber capabilities. How did I find myself in that job? Well, I'd not long finished a PhD in the field, so lots of academic opportunities on the way through, lots of wonderful regimental and command opportunities on the way through. And like everyone, certainly from the Australian army who served during that time, you know, operational deployments to Iraq, East Timor and a couple of times into Afghanistan. So yeah, that's 34 years in a nutshell.
0:02:14.7 Max Havey: Very cool. And going from that, as someone who has only ever worked on the civilian side of things, how does a role that is focused on cybersecurity within the military work compared to that of a civilian cybersecurity leader.
0:02:27.5 Marcus Thompson: I think the biggest difference, Max, is that my role wasn't exclusively focused on cyber security, so it was more sort of cyber operations. And of course free and working closely with relevant intelligence agencies meant that we had legal authorities to develop those capabilities that could then be available to be used if they wanted to. But of course the defensive aspect of that is as important today as it was back then and I've been really pleased to see quite a significant overlap in the cyber security and the defensive cyber techniques that relevance and a role in government and in military settings. Seeing those techniques and functions in Civvy Street.
0:03:06.7 Max Havey: Definitely seeing those sort of techniques transferring over. Like, you know, we have a lot of buzzwords that we throw around in cybersecurity. Were there any sort of buzzwords or terms that you from your military time that sort of carried over or were there some like domain specific ones that sort of hung around? I'm always very curious about that.
0:03:23.0 Marcus Thompson: Yeah, sure. I guess I should say up front, Max, that it's four and a half years or approaching four and a half years since I stepped out of uniform. So in technology world that's an eternity. So of course we've seen changes and evolution in cybersecurity techniques and effects, but I think there are some things that are... That I was really pleased to see had immediate relevance and I think they still do. And sure, there's different tools and there's different sensors and there's different techniques that are available commercially now. Certainly the Australian market, I'd argue it'd be the same for your listeners around the developed world. But there's things that just have not changed. Having a good security culture that you can actually protect yourself, don't be that person who clicks on the link in the phishing email, don't be that person who finds a USB stick in the car park and out of idle curiosity plugs it into your systems. What are you posting on social media from a corporate perspective? What is your workforce putting on social media that a professional threat actor with a targeting mindset can use, turn around and use to target you and your organization?
0:04:28.9 Marcus Thompson: I think that that's the same. I think there's a basic net... What I consider to be basic network hygiene is still as important today as it ever was here in Australia. The Australian Signals Directorate, which is our signals intelligence and cyber intelligence agency that includes an entity called the Australian Cyber Security Centre, whose part of its role is to advise and support across the economy. That entity's published a lot of advice, but one of the highlights is that they've published the Essential Eight and now these are eight security measures which if applied correctly are going to go a long way to stopping what we know about threat actors, be they criminal or otherwise. Things like patching your software, patching your hardware, things like implementing multi-factor authentication. And there are others. And if your listeners are interested you just go and google SD Essential Eight and you'll find it. It's a really good way to do it. So all of that sort of stuff, what I consider to be basic hygiene is really important. And now I think the third aspect that was... And in fact was my priority capability development area as the head of information warfare, and it's still relevant today, is that ability to quickly detect and respond.
0:05:40.8 Marcus Thompson: We're talking about some sort of security operations center, a SOC that can quickly detect and respond to incidents, be they attacks, be they configuration errors, be they insiders, whether malicious or dopey. And I think all of that is... I consider that to be essentially the basics now. And then on top of that, you know, with this market is always moving, there's a real push towards zero trust now, which I think is... Has been a long time coming. And I'm watching closely to see what happens with AI as a present consideration. And then of course, everyone in this industry is musing and wondering and speculating about what Quantum might bring. So they're all the things... So, Max, I'm monologuing. I'm sorry.
0:06:24.3 Max Havey: No, it's okay. It's good stuff.
0:06:24.6 Marcus Thompson: I'll shut up, but that's what's on my mind. Right.
0:06:26.9 Max Havey: I appreciate it. No, and I mean you're covering lots of bits that we like to talk about on here. Just the idea of talking about cyber hygiene and I think we've called it the human firewall before. We've talked about it as security, as a team sport in a past life on this show. And I think those are all so important things. They're not huge things, they're very simple things that people can take, whether in organizational or their own personal daily lives.
0:06:51.0 Marcus Thompson: Yeah, I mean we learned this from real life experience here in the Australian army, but we were able to take those lessons into a broader view across the entire Australian Defence Force. And the lesson came from an exercise. Now fortunately, an exercise, not an operation in the big picture of things, no harm, no foul. So every year the Australian army conducts a certification exercise. And the outcome of that certification exercise is that a combat brigade with all the supporting elements around it is certified as the ready brigade, if you like. If you could picture me putting air quotes around that, the ready brigade. And so this happens every year. And this particular exercise a few years ago now, as a brigade commander, I had a team of 12 people who were supporting the Red Force, the enemy force, whose job it was to put this brigade that's being certified through their paces. And the 12 people were five cyber operators, five intelligence analysts, and two lawyers. And what they were doing, what that team of 12 was doing, was just monitoring social media activity inside the exercise area. Because you can geofence that, because the folk in the exercise area in the military would say were in the box.
0:08:02.7 Marcus Thompson: They hadn't had their phones and devices taken off them. And I'd encourage this because I kind of suspected what was going on and I wanted to expose it. That team of 12 took less than 48 hours to completely unpack that Blue Force, that brigade that was being certified, we had unit nomenclature, names of key individuals right through the chain of command. We had unit locations through geotagged images that had been posted to social media. And in some cases we had unit intent. People on social media say, I'm about to go and do this. And of course, all of that fed into the Red Force, the enemy force, whose job it was to put this brigade through its paces. The Brigade is about 4,000 people. My team of 12 that 48 hours generated 671 individual files that led directly to actionable, targetable intelligence that put a particular unit in a particular place at a particular time, therefore vulnerable to being targeted. It was a massive wake up call. And of those 671, 100 were so egregious. We conducted individual debriefs. Are you aware your social media profile is giving this away to anyone with an Internet connection?
0:09:09.4 Marcus Thompson: So that that forced us to really have a look at that. Yet I think your words, Max, the human firewall as the first line of defense. And so it was a big cultural, big educational effort that was... Had some success there. So you fast forward 12 months, similar exercise, similar activity, and there was a significant improvement in the collective performance of the organization. However, Max, during that subsequent exercise, an individual posted to social media a geotagged image from the inside of a command post. And the image included the battle map. So here I am, and here is everything I know about the battle space. So it just goes to show that you're only as strong... You're only ever as strong as your weakest link. From a cyber security perspective, we can talk about security platforms and market offerings and highly technical multi-factor authentication systems and whatnot. If your culture isn't right, if your human piece is not right, then you really are pushing the proverbial uphill.
0:10:15.8 Max Havey: Certainly. And that exercise is such a good illustration of all of the different things that constitute security. It's not just making sure you're not sharing your passwords, but all those little operational things in the physical security. And everything holistically goes into security. And the way that you all were able to figure all those bits out so quickly within 48 hours, like, it's so easy to pull.
0:10:37.8 Marcus Thompson: Yeah, well, much harder now that we've educated our workforce and all that sort of stuff. But it... Look, it does... It's a really good point that you make that there's no point viewing cybersecurity in isolation. You know, it's... Cybersecurity must be viewed as part of a holistic view of security. When I'm talking to boards and education seminars and whatnot, these days, I'm just forever reminding people that you're going to have the best cybersecurity in the world. But if your doors are unlocked and your filing cabinets unlocked, then there's a risk that you're going to lose your data. One of my favorite vignettes here to illustrate this is we can talk about Snowden, but I like talking about Chelsea Manning. When Manning grabbed all that stuff off the US secret system, off SIPR to give it to WikiLeaks back in... I'd have to have a look. I can't remember now which year it was, but it's...
0:11:22.3 Max Havey: I believe it's 2012.
0:11:25.2 Marcus Thompson: It's sometimes... Yeah, I think that's right. I think that's right. Now, a physical security person would say that, well, Manning should not have been able to have a backpack in that facility. A cyber security person would say that the drive should have been locked down so that Manning couldn't be writing data to a DVD drive while reportedly pretending to listen to Britney Spears or whatever was going on. If some of the media reports are to be believed, Max, a personnel security person would say that Manning was not in a fit mind to access classified data when there'd been some behavioral aspects. Such as... I think I read a report once, you know, drew a pistol during counselling session, for goodness sake. So for security to fail, only one of those physical, cyber or personnel security needs to fail. But in that case, all three fail.
0:12:14.5 Max Havey: Absolutely. And to change gears here slightly, I'm curious about, in working as part of the Australian Defence Force in head of information warfare, how did you work with NATO and other Five Eye partners in information sharing and things like of that sort?
0:12:27.9 Marcus Thompson: Well, I mean the Five Eyes is the crown jewels of intelligence sharing and whatnot. And I think because cyber grew out of signals intelligence and you know, you could argue that SIGINT is the tightest INT amongst the Five Eyes. Even when some years back in to the '90s when New Zealand was a bit on the outer, I don't think SIGINT skipped a beat, whereas others may have. And so from a cyber perspective that Five Eyes was incredibly valuable and we were incredibly close. I had counterparts in the US, UK, Canada, New Zealand with whom I was engaging regularly comparing notes. Hey, we tried this, we tried that. How did this work? How'd that work? Because of that cultural alignment. Of course there are differences and there's nuances and different policy aspects, different resource allocations and all of that, as you'd expect. But the cultural alignment, the interoperability that we've developed over 80 years with the Five Eyes had us in a really strong position to be comparing notes all the way through. And so that was incredibly close. Look, I think certainly in my time Max, probably less so with NATO, but I've seen that change in the time since I've left driven of course by the increased complexity in our geo-strategic circumstances and everything that comes with that.
0:13:43.5 Marcus Thompson: It's... And post the Russian invasion of Ukraine and obviously in... Down here in Australia, in our part of the world we're more concerned about more local matters which are just as concerning quite frankly. So that's forced I think friends to get closer and like minded and I think that's where the relationship amongst NATO has been really important. And then down here in this part of the world, obviously the quad and relations with our regional neighbors here, especially Japan and South Korea, but plenty of others as well. And I think this is a good thing, Max. I think it's a good thing.
0:14:19.6 Max Havey: Yeah, I think when you're talking about the troves of data in all of these different territories and all these different countries and all regions around the world being able to compare notes and better understand how other folks are maybe doing something different or doing things the same, like it's a really rising tide, raises all ships in security because the only like enemy in security are your bad actors, your malicious actors and people that are trying to get that sensitive data.
0:14:43.9 Marcus Thompson: Oh dead right. And everyone's using Microsoft and iPhones. Well, most people or the similar. Right, similar. You know it's not like the Google phone in Australia is different to the Google phone in the Philippines. Right.
0:14:54.9 Max Havey: Totally. And to double click a little bit because you said a little bit about this in your previous answer, but since you've left your military role, what are some of your reflections on the rise of cyber threats from that sort of national security and defense perspective?
0:15:06.1 Marcus Thompson: Yeah, we've only seen this threat trending in one direction. Right. And I mentioned earlier the Australian Cyber Security Centre, which here, amongst other things, publishes an annual threat report. And in their most recent threat report, they were saying that they received a telephone call or contact from an Australian business in distress as a result of the cyber incident. They receive a call every six minutes. Previous year, every six minutes. Year before that, seven, year before that, 12. Like this is trending in one direction. And that's for really good reason. Right. It's because in developed societies, in developed communities such as Australia and the United States and elsewhere, our dependence as citizens, as workers, as friends and family, our dependence on personal electronic devices and data is still increasing. It might not be exponential now, but it's still increasing at a massive rate. And of course, that means that the threat surface increases and the opportunity for threat actors increases at the same rate. And because these threats have no moral compass, we're only seeing them become more and more active, more brazen, more bold, hiding behind international jurisdictions and in a domain that knows no geographic boundaries, that they know, it's tough to track them down. And whilst there have been some high profile successes, this remains hard. Right. For all sorts of reasons. So the threats are still coming. I think that's the main one.
0:16:29.1 Max Havey: Certainly. I mean, in my day job, I'm constantly editing blogs related to threats and things of that sort. And it's an ever evolving thing. I'm always seeing some sort of new malware, ransomware, something of that sort. And it's interesting when that sort of bleeds over into your personal life in the way it sort of makes you take note. You're like, ooh, I'm trying not to fall victim to this sort of thing. I'm trying to do my part as best I can. Because it has to start with you.
0:16:53.4 Marcus Thompson: Exactly. And again, I'm forever, Max, making comparisons to the physical world from cyberspace. And just like when you get home from work in the evening, you walk in and lock the door behind you. It's having those basic hygiene things, updating your phone and your laptop, having appropriate antivirus and other protections that are commercially available, running on your devices, just to give you that basic level. And all those things we talked about, the culture. Don't put yourself in a situation like you want to go walking down a dark alley on your own at 4 AM and you wonder why you get mugged. Well, hang on, if you're going to those sorts of websites when you're.... And you're giving away your personal information, you're not monitoring your accounts for any evidence of identity theft, you're not thinking about where all of your PII is going around the plan, then maybe you're not putting yourself... Maybe that's the equivalent of putting yourself in a dark alley at 4 AM, you know?
0:17:49.2 Max Havey: Yeah. You don't want to give your Social Security number and credit card to some strange WhatsApp number that is from a country you've never heard of before.
0:17:57.3 Marcus Thompson: That's right. But it's also knowing what is already out there and then watching like a hawk accounts and whatnot for any potential misuse of that PII. And of course, updating systems and multi-factor authentication goes a long, long way. But multi-factor authentication can be procedural rather than technical. Right? All of these things are worthy of consideration. Max. We had, you know, it's two and a half years since we had one six-week period here in Australia where we had three massive data breaches. One was with our second largest telco company called Optus, subsidiary of Singtel. Another one was a private health insurance provider by name of Medibank. And the other one was a finance company called Latitude. And that all happened in six weeks, which really put cyber security into our national conversation and into our national consciousness. But some of the responses surprised me and really got me thinking and I've probably since softened my views. But I struggled with some of what I thought was faux indignation that my phone number, my email have been stolen. Well, hang on, mate. They're in the signature block for your email and they're on the business cards that you've been giving out for years.
0:19:10.0 Marcus Thompson: Oh my driver's license details have been stolen. Well, there are parts of Australia where, if you want to check into a pub or a nightclub after a certain time in the evening, where your driver's license as photographic ID would be scanned. So where is that data? There was... My passport details have been stolen. I'm trying to present this faux indignation. I'm waving my hands around here, Max. I know we're only recording audio, but every time you use that passport, the hotel where you stay took a photocopy of it. Where is that data? And so knowing what's already out there and watching it like a hawk so that you're alert to the potential for identity theft and everything that can potentially come with that. And then multi-factor authentication, Max, we go a long, long way to putting yourself comfortably midfield in a group of people that's trying to outrun a bear. Right.
0:19:58.6 Max Havey: Certainly. And I think I'm remiss if I don't ask a question about AI on an episode. I think I actually get my hand slapped by at least one of my co hosts if I don't do that. So in that sort of vein, how have you seen the rise of AI and GenAI playing a part in these sort of developing threats and the changing ways that you're seeing threats out there?
0:20:16.6 Marcus Thompson: Well, I find myself really welcoming AI as contributing to cyber defense and cyber security. I think it's been a long time coming and of course, depending on how you define AI. Right. Because I should just quickly say that I don't think we're yet seeing any sort of genuine neurocognitive Schwarzenegger Terminator, like...
0:20:37.0 Max Havey: Not quite.
0:20:37.5 Marcus Thompson: AI. Right.
0:20:38.3 Max Havey: It's not Skynet. Yeah.
0:20:38.7 Marcus Thompson: And if that ever comes... Yeah, that's right. And if that comes, I suspect that some way out. What we're really seeing is automation and the speed and scale with which this technology can actually do things. You could argue that we've seen AI used on the offensive side from criminals with botnets and whatnot. And if the attacks are coming at machine speed, then mandraulic solutions aren't going to be able to keep up. And so defending at machine speed is just as important. Remembering that the defender has to be right every single time, whereas the attacker only has to be right once. So I think that some of these automated SOC tools are incredibly welcome. I've seen some really interesting offerings that in terms of AI that can put access control around legacy apps, which I think is really good and really important.
0:21:30.0 Marcus Thompson: Potentially a lower cost solution to aging and unsupported apps that are really important to some organizations and some businesses. Seen some really good market offerings here using AI to actually provide observability of your infrastructure so you know exactly what's on there and where the gateways are and all of that sort of stuff which in some of these big enterprise systems can be really tough and really dynamic. But I think importantly we're just at the tip of the iceberg here and or maybe the thin edge of the wedge. And there's so much coming and I quite frankly, I welcome it.
0:22:03.7 Max Havey: Certainly it's exciting times and yeah, we are truly, I think still very much in the nascency of all this and we're going to continue to see it grow.
0:22:11.1 Marcus Thompson: Yeah. But I think for some organizations adopting AI tools can be really hard. Right. From a confidence perspective, which therefore may be security from a policy perspective for a lot of government entities. And we've had one famous instance down here in Australia that went horribly wrong. It was called robodebt. That was a tool that was used to recover perceived debts from Social Security recipients amongst others. And that didn't go well. I won't go into it now if anyone's interested, just google Australia robodebt and you can get all the details. But I think starting with things that are heavily mandraulic and maybe sort of boring mundane type activities and putting some technology around that is really good.
0:22:54.6 Max Havey: To change gears here just slightly as we're heading toward the end of this conversation here. How much of a role can/should governments play when private organizations are really on the front lines of cyber attacks? And how would you recommend going about?
0:23:08.2 Marcus Thompson: Yeah, well there's no easy answer to this, but I am firmly of the belief that everyone has a responsibility to play in cyber security and government can't do everything and government should not be expected to do everything. So keep all the really high end break glass in event of catastrophe capabilities, keep that for government and everyone's got a responsibility to uplift their own cyber security. Over the past couple of years here in Australia we've had some important legislative changes that have quite frankly cemented that, especially for the... For those sectors of the Australian economy that are classified as critical infrastructure. They're now legislatively obliged to uplift and address their cyber security. And we've had a couple of prosecutions just to back all of that up and support that. I think that's really good. And then because criminal activity is criminal activity is criminal activity. Right. And I think it behoves all of us to be thinking about how to survive and continue to operate in an environment where like I was saying earlier, the crims have just got a bigger opportunity and more and more involved.
0:24:08.6 Max Havey: Certainly. And it's kind of that legislative level of accountability for the people that are really being faced with these threats and making sure that they are in fact doing their part, that they are in fact making those changes and keeping cybersecurity and their cyber hygiene where it needs to be.
0:24:21.9 Marcus Thompson: Yeah, dead right. And protecting their customers, data and PII and all of that sort of stuff. And for then those companies who contribute to our national critical infrastructure that we might classify as systems of national significance. Well, you've got a responsibility to the nation to be protecting and defending those systems.
0:24:37.6 Max Havey: Definitely. And I can see our producer waving at me that we're running up on time here. But I have one more question for you here. Pulling from your military experience, what's a piece of advice that you would give to civilian security leaders?
0:24:50.2 Marcus Thompson: Yeah, Max, this is a question I'm frequently asked and I give the same set of answers every time. And it starts with accepting that there is a threat, that the threat is real, it is active and it wishes you harm, it wishes your organization harm, it wishes your family harm, it wishes your friends harm, it wishes you harm as an individual. It has no moral compass. And recognizing that that's the environment in which we now all work, I think there are some basic things that any organization can do. I mentioned the Essential Eight, but seriously, even just patching, updating systems, and having some sort of robust multi-factor authentication, again, in all likelihood puts you comfortably midfield. But having a... Having an attitude, an approach, and a culture that says that it's not if we get attacked, it's when. And so having a robust, well thought out, well rehearsed and frequently practiced incident response plan, business continuity plan, a crisis management plan. I don't care what it's called as long as we know what we're talking about. And I think they're the sort of lessons that I knew from my military days and they are just as relevant in a civilian context today.
0:24:58.7 Max Havey: Yeah, I love that. It's the kind of thing that's bringing us all together and making sure that we're all singing from the same hymnal, so to speak.
0:26:05.0 Marcus Thompson: Dead right. Dead right.
0:26:06.6 Max Havey: Well, excellent. Marcus, thank you so much for chatting here today. This was such an interesting conversation digging into your background and just talking broad cybersecurity stuff. This is... This was so good. Thank you so much for taking the time.
0:26:18.8 Marcus Thompson: My pleasure. Max, great to see you. I really enjoyed the chat.
0:26:22.2 Max Havey: Absolutely. And with that, you've been listening to the Security Visionaries podcast. I've been your host, Max Havey, and if you've enjoyed this episode, share it with a friend and subscribe to Security Visionaries on your favorite podcast platform. There you can listen to our back catalog of episodes and keep an eye out for new ones dropping every month, hosted either by me or my co-hosts, Emily Wearmouth and Bailey Harmon. And with that, we will catch you on the next episode.