Matt O’Kane | Cyber Education: Progress or Peril?
We need to unshackle our kids and give them digital playgrounds to fight the forces of evil with good, fostering creativity and technical mastery.
Cyberattacks are fast becoming our biggest global threat – so why aren’t we better prepared? Matt O’Kane takes us on an inspiring journey from overcoming blindness to leading a cybersecurity business, shining a light on the evolving landscape of cyber threats. He critiques current cyber education methods, revealing how they often prepare students for calm seas rather than the turbulent waters of real-world challenges. O’Kane advocates for a hands-on, competitive approach to cyber education, likening it to a digital playground where students can safely explore, tinker, and compete. By cultivating curiosity and resilience in young cyber defenders, he envisions educational environments that balance safety with the freedom to innovate. This narrative calls for a bold reimagining of how we prepare for the cyber threats of tomorrow.
Listen further to Matt O’Kane's bold reimagining of how we prepare for the cyber threats of tomorrow.
Podcast Transcript
Rob Brooks: Welcome to 'Progress? Where Are We Heading?' a mini series from the UNSW Centre for Ideas, where we'll explore the ideas shaping our future. In this episode, we're heading to the digital realm to tackle one of the most pressing issues of our time, cybersecurity. As the threat of cyber attack grows, so does the need for a new generation of skilled defenders. Today, we're joined by Matt O'Kane, an expert in cyber security, who's advocating for a rethink of how we train young people to defend against digital threats. Matt, welcome.
Matt O’Kane: Thanks, Rob, I appreciate it.
Rob Brooks: Your journey into the world of cyber security is really unique, and it's clear that we need to radically change how we approach training the next generation of cyber defenders. To start with, can you give us a bit of an overview as to why you think our current cybersecurity education isn't working as well as it should, and what we might need to do to make it different?
Matt O’Kane: That's a great question. I think for me, I have the privilege of being able to educate a lot of people going through the UNSW Canberra campus, the UNSW Sydney campus, and outside through community and commercial arrangements. And so, I see, and I work... My background is this, I work about 80% of my time as a real cyber investigator, where I do digital forensics investigations or I do emergency breach response, and I try and bring that knowledge from my practice and try and share it, because I have a genuine belief that we are not rising to the challenge. So, 20% of my time I work with UNSW and other groups. And so, you're saying, what is the big challenge here? What I'm finding is there's a mismatch between what I'm seeing in practice and what the students are coming out with, and we need to sort of rethink and make it so we're ready for the challenge.
Rob Brooks: So, a student comes out of a cybersecurity degree at any university, we won't be particular here, but how long does it take from there to get them to the point where they're actually, in a way, operating in the world as it is, rather than as they might have been taught it is?
Matt O’Kane: I think that's a good question. I think we've got to be fair about what universities can realistically achieve. So, this is not a TAFE. We've got to introduce people a love of knowledge of the particular field they're in. And if we can get that and we get that curiosity really sparked, it's an absolute win. I don't think there's a real expectation that once a university student leaves a degree, they're immediately going to be the top of their game. They need to work to that, right. But I think that what we can do is we can spark more interest. Spark more joy. We can have less restrictions on the way we educate, and less restrictions on the way that we let students play with equipment and really learn how it actually works. Get them really curious.
Rob Brooks: In your talk for UNSOMNIA, you talk about the fact that we're training young people for calm digital seas, and what they really need are the skills in order to navigate more treacherous waters. Can you explain a little bit more about what you mean by that?
Matt O’Kane: Sure. So, let's think about the difference between what a teenager or a young person might be learning in a school or a university versus what a criminal gang is teaching. If we think about the difference between the two approaches, there's no restrictions on the dark side of that equation. And there's also a vast number of people. Sometimes we forget, if we think about the developed world, we are incredibly privileged and we have this massive amount of income per person, a massive amount of assets per person, as compared to the rest of the world. So, we have the rest of the world looking at it going, this is a path to help me change my life. I'm going to really work hard on this. And so, we have this massive potential workforce on the dark side, and they have few restrictions, if any, and they're playing with things and they're learning about things and they're trying pirated software to learn about how things work. And on the other side, we have a very structured approach, and we're probably not having an honest and open conversation with our students about, this is how far we're gonna take you. But to really get to the point of readiness, you're gonna have to do your experiments. You're gonna have to play with the things. The way I think about it is, think of a great mechanic. The computer is a machine and a car is a machine. A great mechanic is the person who's always tinkering with the car and they're always curious about the car, and they live and sleep cars and everyone else goes, stop talking about the damn cars. We want to instil that interest in cybersecurity students. And we're not seeing that. We're seeing people who are joining it because they read that this is a great income, and that's great. There's job demand and that's great. But what we wanna do is we wanna find those students with that spark, that interest, that curiosity, really fan it because we really need the elite leaders to come through.
Rob Brooks: Were you that guy? Did you have that spark when you started?
Laughter
Matt O’Kane: I think so, I think that I always have. To be fair, I've always had, and I didn't realise this as a young person, I always had an overwhelming interest in technology and computers. And as you know, from my talk, I learned programming from an unusually young age. And so, I always had that interest. And I carried that into my regular IT career, where I was a programmer for a number of years, and lead programmers, and then I switched over to cybersecurity in about 2016, 2017, 2018, when I saw there was a market need for more technically focused cyber digital forensics investigators. At that point, most of the investigators were coming from... They were good investigators, but they were coming from police and military, and they bring a different perspective than someone who's got hands on, has rebuilt a server that's crashed and knows how everything fits together, only because it's been hard won knowledge learned through tears and pain. So, yeah, it's a very different perspective, that I bring.
Rob Brooks: Are you still a tinkerer and experimenter?
Matt O’Kane: I am, I'm still hands on code. I was writing code this morning for an investigation I was running. So, I'm still hands on code. I'm still hands on data, and I have a curious mind that wants to get in and really find out what's going on. I still love it. Still trying to develop my game, still trying to lift my technical skills.
Rob Brooks: And you have a team, a bunch of...
Matt O’Kane: Yes, I do. We have a group of contractors that come in and help. The way that I think about it is, if we have a particular job, and let's say that the breach has been a particular type of technology, for example, Amazon Web Services is a very commonly used technology, I've got a couple of specialists that really specialise in that. But you can't be good at everything. But still, even though I've got people that specialise in it, I feel this drive to know everything that's going on. I think that that's what helps me get curious. And that's the kind of thing I want to instil in students. So, I want to say to them, look, this is the assignment, and that's great. This might be my digital forensic students. You can look up how to find out about this particular digital forensics artefact on the web, and that's great. But you have a huge responsibility as a forensics investigator. What you do matters in the justice system. What you do matters in policy, so you have to be right. You have to always look for how to improve your game. So, don't just take what the web says. Get into a lab, do the experiments to find out how the data comes out when a particular event happens. And that's the kind of curiosity we really need in the next generation, is really curious. Get in there and really enjoy it.
Rob Brooks: I imagine that the incentives are there because people are being hit all the time by new and intellectually interesting attacks. Is that the case that this is a fertile place for people to kindle their curiosity and get paid to do it?
Matt O’Kane: I guess so. I think that if you've got a curious mind and you really always want to challenge yourself, I think it's a great career to look at, especially... And a good test, when I'm interviewing a person, a good test of this is, are you the person in the family that they call when the printer stops working? Are you the person in the family that they call when they forget their password? Is that you? And would you like to spend a few hours on trying to resolve that because you've just got this drive, this curiosity, to find out what's going on? And if that's you, then you're probably in the right place. I'm not saying we don't need non-technical cyber people, because we do. We need people that can help manage people. We need people who can manage risks and document them and explain them to other people. We absolutely need those people. But my argument in my talk was, we need much more technical people and we need to really fan that curiosity flame. We need to really just let them go. And, within reason, we need to give them trust. I talked about my three Ts. So, one of them is trust. We need to teach them to be trustworthy, but we also need to trust them that they'll do the right thing.
Rob Brooks: So, what are the other two T's?
Matt O’Kane: We've got teach, train, and trust is the three T's I talked about in my talk. Teach is about, we've got to teach people what's really going on. So, I don't think we've had a really honest conversation with the Australian public about the scale of the crime wave and the devastation of it. To a certain extent, we blame victims a little bit in cyber. We've moved past that with other crimes, which is nice. But in cyber, we blame victims. And it's not as simple because there is some things that companies and governments and big organisations can do to provide more protection. And I accept that. But part of it is for teachers. We need to come out and we need to be honest. This is what's going on. This is the consequences, then we've got to train. Cyber can be done well if it's real, if it ties to a real case. I get a lot of engagement from students when I take a carefully anonymized case and I say, here's my case, here's the details from it, this is what you can do to protect against it. And there's much more engagement because it's a real case. Or we do an experiment, say, look, phishing is bad. That's a boring lesson. But what's a more interesting lesson is, alright, we're gonna teach you how to do phishing, which is tricking someone into providing false information or tricking someone into revealing a secret, is phishing. That's a much more engaging lesson. And the lesson that emerges from that is much more long lasting, right? The students go, right, I'm a bit more alert to this now. What I'm saying is teach, being honest, and telling people what's really going on. Train. Make it real. Tie it to real things. Don't talk about theory. And trust. It's about trusting our students with information, but also teaching them to be highly trustworthy as well.
Rob Brooks: So, trust is obviously a really big one. You've spoken about the need for digital playgrounds where students can go tinker, find out, not cause too much damage, I suppose.
Matt O’Kane: That's right.
Rob Brooks: What's your vision for that? How do we do that?
Matt O’Kane: Well, that's a good question. Let's start with the easy stuff and then move up. The easy things to do is to replicate what's already happening, to a certain extent, in some parts of industry. And what we have there is we have these contests, and we call them capture the flag contests. What happens in these kind of contests is we have a group of people who put together a bit of a challenge, and that might be, can you get access to this particular device or system. Or they might do another challenge, which might be a forensics challenge. It might be, here's a forensics extract of a telephone. Can you piece together the clues from the case? And so, the capture the flag contest there is we have all these people who are all from around the world, or they might be in the same room, and they try and solve a challenge first. And we don't really offer that to young people. We don't offer that to teenagers. And the point when they're teenagers is the point of maximum curiosity, I think, a lot of the time for these kinds of people, or at least it was for me. But my experience is, my exposure to this is that there's this huge unmet curiosity in the teenage world. And because we're not providing those kind of safe spaces, we're losing them to things like online gaming.
Online gaming, it's great fun. We have safe spaces. For a lot of online games, they're well managed. Let people do a lot of playing around. If anyone misbehaves, there's mechanisms to deal with that. Surely, we can apply the same concept. So, we've got the capture the flag, it was sort of the easier end of a scale. And then we've got things like here at UNSW. We have a cyber lab, a cyber range, rather. And a cyber range has all of these individually configured devices that students can use to try and understand how they work, try and really get intimate with them and really understand what's the data going in, what's the data going out, how do they function, what does it teach me about it? We can do things like that for teenagers and young people who aren't necessarily cyber students, and give them a bit of a space and teach them the skills that a more experienced cyber person might have about setting up what we call virtualisation labs, where they can run their own experiments and make it a bit easier for them and really fan that flame of curiosity before we lose them to gaming or something else.
Rob Brooks: How bad is the reflex that folks have, especially people maybe who have teenagers, don't completely trust them, etc, this reflex that maybe all we're doing here is equipping the enemy with all the knowledge about what we know. And maybe we're just training the next generation of bad guys. What would you say to someone who felt that way?
Matt O’Kane: Well, I think that's a legitimate concern. But there's a couple of things I want to address, to allay that concern a little bit. One of the concepts I talk about is the infinite machine fallacy. And what I'm talking about there is we have this romanticised view of cyber, where there's an infinite range of goodness. I guess what I'm getting at is, if you have team A, and team B is somehow better than team A, they can always outcompete team B. And the assumption that that lies on is the computer is this infinitely complex thing. And the reality is that it's not. It's just a machine. And like any machine, it stops. It has a boundary, it stops at a particular boundary. And so, what I say with this is that we can teach people about a computer, but it doesn't make them infinitely powerful, right? We can't train them to be better than everyone else. We're training them how the machine works, and I think that's a useful skill to have.
I'm not saying there should be no secrets, because of course, we need to protect ongoing investigations. We need to protect certain types of investigatory techniques. We need to protect national secrets and corporate secrets. There should be secrets. But I think that the information, at least that's publicly available, that is well known, well understood, we should be encouraging our students to do that. Another analogy I could think of is martial arts. We teach kids martial arts. We have cadets at school. These two things lead somewhere, right? But what we're trying to do in teaching those combat activities is we're saying, we're teaching you this, but you have a responsibility, and we're teaching you this because we want to teach you because you're responsible, it's the martial arts, your responsibility is to protect others and protect yourself. We can instil those same values in our students. Is it going to be universally successful? No, but I think there's a point where we've gone too far away. And I think that that's driven by this approach that we're training up a future criminal. But what we want is we want a curious mind.
Rob Brooks: I guess, perhaps, my generation and I think your generation, maybe a little bit, and certainly the generation of people who are sitting at the top of society at the moment are perhaps a little bit scarred by the old Matthew Broderick 'War Games' movie where he logs into the nuclear weapons with the... With an old dial up modem. Not based on reality.
Matt O’Kane: Hopefully, there's no nuclear weapons directly connected to the internet.
Rob Brooks: Yeah, I think once they figured out what the internet was, they switched that stuff off.
Matt O’Kane: But in seriousness, you're right. There's a romanticised view of the public that there's this infinite spectrum of skills, but there really isn't. There is kind of a ceiling in how the computer operates, and it is a speciality, you can drive down to a subspecialty, but it's not infinite.
Rob Brooks: Fair enough. Now, I'm getting the vibe here that you've got a vision you've very modestly put forward, but it's basically a complete cultural shift in the way that we approach cybersecurity. But perhaps, cybersecurity is security now, isn't it? What are the most important steps that we take to make this shift?
Matt O’Kane: As I said, I always like starting with the easy things and then moving up to the hard things. The easy things is that we should include, I know that there's some government groups that run Capture the Flag contests, but they're restricted to over 18s. Super easy solution. Remove the restriction. It takes about ten minutes of work. The next easy thing is to be very clear. There's new legislation, the SAMS rules. Now, it's well-meaning legislation. And it's basically trying to protect national secrets and national military secrets, but it does cause pause, if you have to talk to the Department of Defence before you teach certain types of cybersecurity skills, especially at the higher end of the technology spectrum. And I think that we can be clearer about that. Now, that might clear up in time, because that's only new rules. And as time progresses, there might be more clarity about how it works. But while there's uncertainty, it can cause unnecessary anxiety.
If you're a teacher at a public school, you might look at that and go, you know what? Too hard. I can't afford to get a lawyer to figure this out, and I might just park it and worry about it down the track. There's some things we can do that are easy and be very clear about what's allowed and what's not allowed, and we can include more teenagers in this. Longer term things is to think about how we can incorporate this in schools and how we can look at university curriculums with a critical eye and say, yes, we need non-technical cyber people. Absolutely. But what can we do to really drive the technical side of things, to really identify those students who've got the aptitude to it, who are really engaged and interested? Like what we have with mathematics. Think about this. At universities and schools, we stream mathematics into regular mathematics and higher mathematics. We can apply the same things at potentially universities. You can have regular cyber security and we can have higher cybersecurity. That's one idea, but there's a million ideas that we can apply. All of those things take time, but the things we could do straight away are the two things I've already mentioned.
Rob Brooks: That's cool. I'd love to have some simple starting places. I think that it also broadens the conversation and then other minds come in and can help with, and here's some further ways we can elaborate this.
Matt O’Kane: I think that's a good way. We can copy models from the United States and the UK and Estonia. There's a few models. We don't have to start from scratch. We can copy other countries, and I think that's a really good way to get started.
Rob Brooks: Cyber crime, it's rapidly evolving. You've spoken about the fact that there are a near infinite number of people out there who could improve their life just with some fairly, almost trivial levels of cyber crime.
Matt O’Kane: That's right.
Rob Brooks: The laws and policies around cybersecurity education struggle to keep up. You've spoken a little bit about legislation in terms of training. Are there other areas of legislation that we can change or modify in order to ensure that we're doing our students, and obviously, our students' future clients, the maximum amount of good?
Matt O’Kane: I think that's a good question. I think there's a policy that's led by the Department of Home Affairs. It's called the Cyber Security 2030, and it's got a number of pillars. And I think some of them are really good. So, the one which I'm the most excited about, and I think the one that's going to have potentially a huge amount of impact, is the concept of the Cyber Incident Review Board. And I think the remit of the board is going to be similar to what you might see in air traffic investigations. So, we have this open board who can call witnesses and call evidence and piece together what caused the cybersecurity incident and publish that information for the benefit of society. And we're already seeing that. There's already a similar board that operates like that in the United States. It's called the Cyber Safety Review Board. And we're already seeing some great results out of that that's driving industry change in the United States. And I think that the proposal is, and it's just been introduced into Parliament, let's see if it gets through, but the proposal is that that's a great idea. The parts where it's a little bit more controversial are to do with the ransomware payments.
Now, on the government side and large business side, the argument is that we need some sort of shield and some sort of protection in order to report ransom payments to the government. And the government says, we actually don't know what the scale of ransom payments are. On the opposite side of that equation, on the side which me and some of my frontline colleagues are on is, sure. Is there some points when a ransom is called for? Sure there is. Under the current legislation, it says you cannot fund terrorism or criminal activity, serious penalties for that. That's already in there. But there is a provision for this kind of thing called the duress defence. And the duress defence is well, look, let's say someone was kidnapped. Let's say you were kidnapped, Rob, by some unknown entity and they said, $10 or Rob's gonna lose his life. There's no jury in Australia that's going to convict me for paying $10 for that. That's the defence of duress. Is it a reasonable response to the threat that's been raised? So, that's already existed. And I think that's a sensible thing. Is there going to be some arguable situations when a ransom should be paid? Sure. Maybe a hospital shutting down. I'm talking theoretically here, like a hospital shutting down or a small business that really didn't understand what they were doing.
But I think as a society, we want to discourage ransom payments as much as possible, and the current legislation might have unintended consequences of encouraging closer relationships to criminal gangs. Because if you normalise an activity between commercial entities and criminal gangs under a shield of no prosecution, that can have that potentially undesirable effect. It's unknown what's gonna happen. I'm gonna be very fair about it. I have very strong views about it. But being objectively, intellectually fair about it, it's unknown. Potentially, we'll get some great information from it. But I think that the downsides of providing a blanket shield from prosecution for ransom payments, I think that is... Also, I want to be very honest about this. Some people have said, no, there isn't a blanket shield against prosecutions. It's only for the limited purposes of reporting ransomware. But my response to that is, if the Australian government agrees not to prosecute you, what's the other mysterious government that's going to bring a charge against you for paying it? There is no other government that's going to do that.
Rob Brooks: Is it deep state?
Laughter
Matt O’Kane: Look, I could see the motive for it. If you're trying to manage the national cyber situation and you can get information about the scale of ransom payments, I could see that's being attractive. And my counter proposal to that is, well, let's say we do need to collect that information. Let's say I accept that, which I don't, but let's say I do. Let's at least consider a sunset provision. So, let's give companies maybe three years or five years and say, right, you need to get your cyber houses in order. After three to five years, the protection drops away and you're back to the old system of you'll need to defend your actions under the defence of duress. Was it a reasonable response to the threat? I think that's a sensible compromise. I'm making that submission to the committee who's looking at this law later this week. Let's see how it goes. But I'll also be intellectually fair with you. My view is a minority view in the industry. There's a couple of frontline people I know who share the same view, but it is a minority view, and I wanna be honest about that.
Rob Brooks: Well, your commitment to prevention is admirable, given your bread is buttered.
Matt O’Kane: That's right.
Rob Brooks: On the cure side of things.
Matt O’Kane: Well, that's true, but I deal a lot with victims of crime. If you deal with victims of crime, your heart goes out.
Rob Brooks: Is there a limited stock of how much of that you can take?
Matt O’Kane: Oh, look, I think that, and I say this to my students, especially when it comes to digital forensics and incident response, it's a hard job, right? It's a hard job. It's not just the technical side. You have to be able to work with people who are having a very tough time. The honest answer is, within the industry, there is a level of burnout because of that. When they see about cybersecurity, they see all of the glitz and all of the glamour. But it's a hard job. Most jobs are hard, be honest, but the particular challenges here is, let's say a business shut down. Everyone's looking at you. They're all waiting for you, right? Let's say, you've got to make a decision about how to move forward. They're looking for you to make the best decision you can with the information you've got. And the timelines are really tight. I worked over the whole weekend because there was an emergency. That's not unusual for me. The industry, at least at the investigation and the emergency response side, it is pretty full on. And so, you say to me, I'm working to improve prevention. I am. Does it work against my business? Yes, it does. Is it the right thing to do? Absolutely. As a nation, we have to do this. I would be happy if it works. If we can get everyone to protect themselves. People in my office crying after something like this has happened. They're going through some tough times. I'd rather protect them from that.
Rob Brooks: Excellent. Is teaching students at university something that helps you to manage your burnout?
Matt O’Kane: Oh, I love it. I get so much great energy from my students, and I just really enjoy the interaction. It really helps centre me. And it really helps me really structure my thoughts. It is one of the most enjoyable parts of my week. I just find it super engaging.
Rob Brooks: I think that's fascinating, given how many academics are experiencing burnout. I think it's tremendous, what you're doing, and just the level of commitment and thought and honesty and enthusiasm that you bring to them, but also this whole vibe of trusting the students. And so, I think we're very, very lucky to have you here 20% of the time, Matt. Cybersecurity is continuing to grow. It's really clear that the future of cybersecurity rests on how well we prepare our next generation of defenders, and that you are putting such deep thought into it is one very big tick in our column. So, thank you very much, Matt, for joining us on the show.
Matt O’Kane: I appreciate the chance to talk about this topic. Thank you Rob. Appreciate it.
Rob Brooks: No worries. For our listeners, as the digital world becomes an even bigger part of our daily lives, it's crucial to rethink about how we educate and empower the next generation. Until next time, keep exploring and stay curious.
Matt O'Kane
Matt O'Kane is a digital forensics expert in Sydney, Australia. As the Director of Notion Digital Forensics, he helps businesses, legal professionals, and IT companies prepare for and respond to cyber breach emergencies and insider threats. With over 30 years of experience in the IT industry, Matt's goal is to help organisations understand and confront these risks with confidence, using effective tools and strategies drawn from hard-won knowledge from case investigations. Matt is an Assistant Course Convenor for UNSW School of Business (IT and Cyber) and a casual academic at UNSW Canberra.