Australia’s Cyber Security Strategy, unveiled in April 2016, acknowledges the nation has a problem but perhaps underestimates the scale and urgency of the problem, analysts have warned.
The AUD 230m four-year plan, which was funded in the May 2016 budget, introduced 33 new initiatives.
There are questions, however, as to whether Australia has yet done enough around cyber security – as well as warnings that the momentum kicked off by the strategy cannot be allowed to wane through a lengthy election period.
One key decision was the creation of a cyber ambassador, which is a diplomatic role to liaise with other nations on cyber security issues. The appointment – which will cost AUD 2.7m over four years – is to be announced by foreign minister Julie Bishop. But ahead of the federal election and with the government now in caretaker mode, that seems set to wait until at least July 2016.
Similarly, the appointment of a minister assisting the prime minister on cyber security issues can’t take place until after the election.
James Turner, an advisor with Intelligent Business Research Services, acknowledged the challenge the election hiatus represents, but said he was delighted the strategy had received bipartisan support and did not appear to be at risk of becoming an “election piñata”.
However, Greg Austin, visiting professor at the Australian Centre for Cyber Security, pointed out that the UK and US have recently announced much bigger initiatives.
“The UK and US have announced similar packages in the months preceding [Australia's announcement]. But the US’ is 400 times bigger and the UK’s 10 times bigger,” he said, noting that the US had declared a national emergency in cyber space.
“The rhetoric in Australia is completely different. There is no sense of crisis,” added Austin.
While he broadly welcomed Australia’s AUD 230m cyber security strategy, Austin said most of the funding had been shifted from other programmes rather than representing a truly fresh start.
“There have been important initiatives even if there is not much money,” he admitted. “But there is a lack of urgency, and the rhetoric is very different to other key markets.”
Australia's view on cyber security has shifted, however. For example, WatchGuard Technologies Asia-Pacific technical director Rob Collins claimed the government had come clean about its own security breaches. Reports that the Bureau of Meteorology had been compromised – which emerged in 2015 – were confirmed following the announcement of the security strategy.
“The admission that the Bureau of Meteorology was compromised is a welcome change to the usual veil of secrecy around breaches of government networks,” said Collins. “Especially when there is an expectation that businesses should be forced to admit their breaches.
“Acknowledging that cyber security is a problem for Australia won’t come as a surprise for the many businesses that have been struck by ransomware and financial fraud attacks, which have really ramped up in the past 18 months,” he added.
“IT security professionals understand that cyber warfare can be just as dangerous as a real war, with power stations, water treatment facilities and uranium purification processes all vulnerable to attack.”
Mossack Fonseca breach not a one-off
“We live in a rough neighbourhood and everything is up for grabs,” Austin added.
Corporate Australia needed to understand that a data breach such as that experienced by Mossack Fonseca – which spawned the Panama Papers exposé regarding the tax practices of many of the world’s high net worth individuals – was not going to prove an isolated incident, he continued.
“You need more than a firewall, network detection and virus protection,” said Austin. “You need systems that put hardware and software under the same regime and communicate through very secure protocols, and also quarantine certain information.
“At the moment we collate all the information about one person in one file,” he continued. “It should be held by systems where the names and dates of birth are held in lower security, but health data is high security.”
“The [US] Department of Homeland Security has made highly secure computing a top priority. We’re not there, though the government is investing in quantum computing and that’s the hope for the future.”
Business can’t wait for the fruits of quantum computing experiments to ripen, however, with commercial products potentially a decade away.
Sharing information on cyber threats
IBRS’ James Turner said the strategy’s plans to increase the number of cyber security-trained graduates over the next 10 years were “fantastic”, but added: “We’ve got hackers here right now.”
BDO risk advisory partner Leon Fouche claimed that to protect themselves businesses need to work together to share information about cyber threats and the defensive steps taken.
“The federal government’s call for joint cyber threat-sharing centres, and an online cyber threat-sharing portal is a positive first step towards sharing timely and actionable cyber threat information,” he said.
Other initiatives unveiled in the strategy included voluntary cyber health checks for the 100 largest listed businesses, and an AUD 21m financial kicker for a Computer Emergency Response Team (CERT).
Austin was also hopeful that the strategy’s support for a cyber security growth centre would lead to stronger industry-university partnerships, and a general uptick in the skills available to combat the problem.
He also said that defence-related cyber security spending could have follow-on effects on the private sector.
“The hidden new money is in the defence budget and in the detail of the documents attached to the whitepaper,” said Austin, who reckoned this suggested an 86% hike in defence-related investment in cyber by 2025.
“[Prime minister Malcolm] Turnbull made a big shift and is the first prime minister to recognise the importance of information systems and the importance of cyber security,” he added.
But Austin warned that recognition had to filter to all levels of industry and commerce. The recommendation that Australia’s leading listed companies be subject to cyber security tests was important, he said, as it “raises the bar on community awareness and board-level engagement”.
Reviewing cyber security
Austin added, however, that there were still pockets of security professionals trained in the 1990s and 2000s whose skills were outdated, and that “the cyber threats today are qualitatively different”.
According to Turner, it was essential that private sector organisations reviewed their cyber security strategy and asked what it meant for them, and what steps they could take to better protect themselves from all types of attack. He highlighted ransomware in particular, which he said represented a “straight conversion of criminal activity into cash” that could be used to fund the drug or sex trade.
“This strategy is not going to stop all cyber crime. That was never the intention,” said Turner. Instead, he added, it should encourage business to implement processes to better detect, deter and respond to cyber crime – while organisations also need to recognise they are only as well protected as their weakest link.
Macquarie Telecom managing director of hosting and government Aidan Tudehope said that although the Cyber Security Strategy was a roadmap for improvement, the risk of back-door entry is ever-present.
“In the interconnected economy, all the good work done by an individual enterprise can come unstuck through one partner who has not got the cyber security message,” he said.
“Unfortunately, that message is sometimes still not being received, and sometimes still not being acted on quickly enough, especially by medium-sized businesses and government entities.”