Production Perig - stock.adobe.c

What should be in Australia’s next cyber security strategy

The Australian government is reviewing the nation’s cyber security strategy, but is it looking at the right issues?

The Australian government is charting its next cyber security strategy following an earlier A$230m blueprint laid out in 2016 to foster a safer cyber space for Australians.

In a discussion paper on Australia’s 2020 cyber security strategy, which is being led by an industry panel, minister for home affairs Peter Dutton said despite making strong progress against the goals set in 2016, the threat environment has changed significantly.

“We need to adapt our approach to improve the security of business and the community,” he said, noting that cyber security incidents have been estimated to cost Australian businesses up to A$29bn per year, while cyber crime affected nearly one in three Australian adults in 2018.

To shore up Australia’s cyber security resilience, several areas have been thrown up for discussion. Among them is the balance of responsibilities among individuals, businesses and government, building a market of high-quality security professionals and instilling greater trust in ICT supply chains.

Computer Weekly approached organisations to comment on the government’s discussion paper, but most were reluctant to discuss the review process or their views of the direction that should be taken – beyond any written submissions they had made to the home affairs department.

Peter Sandilands, an advisor at analyst firm IBRS, drew attention to the make-up of the industry panel. Noting that they are all “highly competent,” he said all but one of them is in or has held a senior role at Telstra, mostly in finance, operations or some other area outside of security.

Sandilands is particularly concerned about the lack of representation of the consumer and small business communities, but he would also have preferred a panel made up of people from a broader range of industries.

Varying levels of cyber security awareness

On the state of cyber security preparedness in Australia, Sandilands said there is a clear hierarchy of security awareness and capability across organisations in different industries.

At the top are the large banks and insurance companies, which have extensive IT and cyber security teams of at least 200 people at some of the top firms. “These guys have high competency in this space,” he observed.

Other large organisations generally have extensive IT teams but fewer security staff, while those in the third tier have at least one person who has security as part of their formal duty.

Then, there are the vast majority with no staff with cyber security expertise, which means they have to rely on external guidance. Importantly, they may not even realise they have this capability gap.

Nigel Phair, director of UNSW Canberra Cyber and managing director of the Centre for Internet Safety at the University of Canberra, among other appointments, said businesses, non-profits and other organisations are being constantly hit by attacks including business email compromise and phishing.

These organisations need direct assistance and handholding, beyond attending seminars, he said, adding that a grant programme to help small businesses with cyber security launched in 2018 as part of the 2016 cyber security strategy was a waste of time.

Phair said the programme was too cumbersome, and the maximum $2,100 grant, which recipients had to match, was too small. To his knowledge, only a handful of grants were awarded, but the department of industry, science, energy and resources told Computer Weekly that 33 such grants were dished out.

Phair called for Australia to follow the UK’s example, which had an upper limit of around $40,000. He also pointed to the UK’s National Cyber Security Centre’s Cyber Essentials certification for businesses, which costs around $600.

More questions than answers

Sandilands called the discussion paper “a pre-judged survey” that is mostly looking for answers. He also questioned if the resulting recommendations would be published for review and commentary: “Is this window dressing, or are they going to do something out of this?”

He also singled out the discussion questions that could imply greater government control over data flows, such as how to reduce high-volume, low-sophistication malicious activity targeting Australia, and what the government can do to create a hostile environment for malicious cyber actors.

Such proposals, he said, could affect, among other things, service discovery and the self-healing nature of the internet. Furthermore, the move towards encrypting everything makes it hard to inspect traffic without breaking security.

Sandilands also called for improvements in information sharing between government and industry about threats. He said while the government does provide certain information to selected individuals at selected organisations to help them shape their defences, wider disclosure would be helpful even if it was not linked to a specific threat.

As for information flows in the opposite direction, organisations are often reluctant to tell government agencies everything they have discovered, because that would reveal gaps in their practices that could lead to regulatory or other action, he said.

Basic steps to better security

Sandiland’s view, which appeared to align with that of the Australian Signals Directorate (ASD), is that most security threats can be addressed by simply improving operational practices. His analogy is: “You lock your door when you leave your house. You don’t think about security, you just know that’s what you should do, and you do it.”

When it comes to IT, Phair and Sandilands agreed that steps such as regular backups, keeping a current inventory of systems to enable prompt patching, and adhering to the principle of least privilege should be part of basic operational strategies.

Read more about cyber security in Australia

These and other measures are part of the ASD’s Essential Eight, which will help organisations guard against 85% of attacks. “That’s a significant impact,” said Sandilands, noting that implementing the Essential Eight isn’t as easy as it sounds, though.

Phair said education efforts need to be around how to run IT operations properly, as opposed to viewing security as separate from running an organisation with separate or multiple security departments, each with its own responsibilities. There is no technical silver bullet, said Phair, so organisations need to get the basics right.

Government moving in the right direction

Notwithstanding, Phair said the government has shown interest in getting the nation’s cyber security right, but the amount of new money attached to the 2020 cyber security strategy will show how serious it is.

Responsibility for thought leadership in this area lies with the government, he said, and the government needs to safeguard the national economy as well as national security.

Read more on Hackers and cybercrime prevention

Data Center
Data Management