Australia’s Cyber Security Strategy, aimed at protecting citizens, companies and critical infrastructure, has made significant headway over the past year, but the jury is still out on its long-term impact.
Backed by A$230m (US$173m) of funding over four years, the strategy, which was first announced in April 2016, has had several achievements under its belt.
Besides the appointment of senior experts such as Dan Tehan, the minister assisting the prime minister for cyber security. and Alastair MacGibbon, the first special adviser to the prime minister on cyber security, it has also underpinned efforts to develop a robust cyber security industry.
These include education and training programmes to bolster the nation’s cyber skills, as well as initiatives to improve the cyber security posture of Australia’s biggest firms.
In November 2016, the Australian Stock Exchange and the Australian Securities and Investment Commission invited the 100 largest listed companies to undergo a cyber health check intended to provide a benchmark for cyber security awareness, capability and preparedness.
Some 76 companies participated. Four out of five expected cyber security issues to worsen, yet only 45% were very confident of their ability to detect, respond and manage a cyber intrusion. Just under a third assess their cyber security culture every year.
More recently in April 2017, the Australian Cyber Security Centre (ACSC) warned that managed service providers had been targeted in a global cyber espionage campaign since at least mid-2016, and that it was working with international peer agencies to assess the impact and risk to Australian organisations.
Over in the public sector, the Joint Committee of Public Accounts and Audit in April 2017 announced an inquiry into cyber security compliance at several federal government agencies that reportedly took flawed approaches to cyber security in recent audits.
Room for improvement
Clearly, there has been a significant amount of activity during the past 12 months, but experts say there is still room for improvement.
“The same problems with cyber crime are still there,” says Professor Jill Slay, a director of the ACSC. “I don’t know if [the Cyber Security Strategy] is doing more than raising the base level of defence, but that is a good thing to do.”
Brian Fletcher, Symantec’s director of government affairs in Asia-Pacific, Japan and Korea, believes the strategy has elevated discussions on cyber security beyond IT, to senior management and boardrooms, but it is still too early to tell if it will be successful in the longer term.
Nick Savvides, a Symantec security expert, notes that while the strategy has recognised that industry, government and companies all need respond to cyber security threats, it remains to be seen if there will be tangible results outside the government sector.
“This is a complicated area and the question is how to co-ordinate interaction between the government, corporations and other parties,” Savvides says. “There will be a long tail before the results flow through.”
Catalyst for change
To be sure, the government, in its one-year review of the Cyber Security Strategy, has outlined the major challenges that organisations still face – even as it declares that the strategy has been a catalyst for change.
Slay, who worries that the strategy is still underfunded, agrees, acknowledging that “there is movement where there was none before”, including evidence of improvements in cyber security.
According to ACSC’s first cyber security survey, 90% of all organisations surveyed – public and private – faced some form of cyber attacks during the 2015-16 financial year.
The good news is awareness of cyber security issues and the need for response is also on the rise. Some 71% of organisations said they had a cyber security incident response plan in 2016, up from 60% in the previous year.
Although the survey’s sample size of 113 organisations is relatively modest, the ACSC says the respondents represent Australia’s major public and private sector bodies.
Indeed, Aidan Tudehope, managing director of IT services company Macquarie Government, says awareness of cyber security in Australia’s boardrooms has “exploded” since the launch of the strategy a year ago.
“The growing understanding that cyber security is a risk – and responsibility – that must be understood and owned by senior management teams of businesses has been perhaps the most important step forward in the past year,” he says.
Bill Taylor, vice-president of LogRhythm in Asia-Pacific and Japan, applauds the leadership position that the Australian government has taken on cyber security.
However, as more of Australia’s metropolises become smart cities, he notes the need for that security focus to be replicated at other levels of government – lest a smart city becomes the nation’s weakest link.
“Modern technology can be used to establish a city-wide nervous system that allows citizens and public sector bodies to share data, knowledge and responsibilities,” Taylor says.
“The result will be more open, connected smart cities, with citizens who are much better equipped to face the challenges and opportunities of the future. However, that modern technology needs to be underpinned by resilient security.”
Read more about cyber security in Australia
- Australia may never be able to create an IT industry like that in the US, but it can lead in cyber security.
- The Australian government is aware it has a cyber security challenge, but might not understand the size of the issue, according to experts.
- Australian enterprises are increasingly investing in security software as the threats to data continue to multiply.
- Demand for people with the right mix of skills to keep organisations in Australia safe from cyber attack is far in excess of supply.