April 19, 2017
In today’s Australian the Prime Minister has an opinion piece, Towards a safer online world for Australians at every level, dealing with the Government’s cyber security strategy. It marks the first anniversary of the launch of Australia’s Cyber Security Strategy. The article is positive, optimistic and overall self-congratulatory. The question is whether those sentiments are warranted.
The strategy is a Canberra special; glossy, professional green colouring, big headings and lots of boxes setting out objectives and actions, a few appendices. That said, it is a better document than many on the subject. The nub of the strategy is set out in the media release last year:
The Cyber Security Strategy will deliver improved cyber security for the nation through 33 new initiatives, supported by over $230 million in Australian Government funding directly resulting in more than 100 new jobs to boost the Government’s cyber security capacity and capabilities. This investment complements the $400 million over the next decade – and roughly 800 specialist jobs – the Government has committed to improve Defence’s cyber and intelligence capabilities through the 2016 Defence White Paper.
We will do this through:
- A national cyber partnership between government, researchers and business, including regular meetings to strengthen leadership and tackle emerging issues.
- Strong cyber defences to better detect, deter and respond to threats and anticipate risks.
- Global responsibility and influence including working with our international partners through our new Cyber Ambassador and other channels to champion a secure, open and free Internet while building regional cyber capacity to crack down on cyber criminals and shut safe havens for cybercrime.
- Growth and innovation including by helping Australian cyber security businesses to grow and prosper, nurturing our home-grown expertise to generate jobs and growth.
- A cyber smart nation by creating more Australian cyber security professionals by establishing Academic Centres of Cyber Security Excellence in universities and fostering skills throughout the education system.
The evidence of improvement is there, if one looks hard. In the last year there have been a few developments, such as the Australian Stock Exchange and ASIC initiating a program as part of the strategy to have 100 of the top firms on the ASX undertake a cyber health check. That said, on 19 March 2015 ASIC put out Report 429 Cyber resilience: Health Check requiring the companies to be cyber resilient. So there has been an element of reheating of older initiatives.
There are however real concerns that the strategy is falling far short of its aims. A report by the Australian National Audit Office titled Cyber security Follow up Audit, published on 15 March 2017, makes for somber reading. As part of its summary it stated:
6. The objective for this audit was to assess whether the Australian Taxation Office, the Department of Human Services, and the Department of Immigration and Border Protection are compliant with the Top Four mitigation strategies in the Australian Government Information Security Manual. The audit also examined entities’ cyber resilience, which includes establishing a sound ICT general controls framework and effectively implementing the Top Four mitigation strategies.
7. To form a conclusion against the audit objective, the ANAO adopted the following high level assessment criteria:
- do the entities comply with the Top Four mitigation strategies; and
- are entities cyber resilient?
8. The ANAO assessed that of the three entities only the Department of Human Services was compliant with the Top Four mitigation strategies. The Department of Human Services also accurately self-assessed compliance against the Top Four mitigation strategies and met its commitment to the Joint Committee of Public Accounts and Audit of achieving compliance during 2016.
9. Of the three entities, only the Department of Human Services was cyber resilient. Cyber resilience is the ability to continue providing services while deterring and responding to cyber attacks. Cyber resilience also reduces the likelihood of successful cyber attacks. To progress to being cyber resilient, the Australian Taxation Office and the Department of Immigration and Border Protection need to improve their governance arrangements and prioritise cybersecurity.
Cyber security is an ongoing challenge for any organisation and agency with a cyber presence. Most cyber attacks are successful because of poor training of staff and lack of maintenance of organisations. Most attacks can be thwarted. The privacy culture in Australia is dreadful. That is in large part due to a poor legislative and regulatory structure and a correspondingly ineffective approach taken by the regulator, the Privacy Commissioner. The incumbent is better than his predecessors but is still tentative and determinedly reluctant to take enforcement action. As a result there is a culture of impunity by many organisations.
The Australian article provides:
A year ago the Turnbull government set out Australia’s first cybersecurity strategy. It recognised that as we become more dependent on the internet, we need to ensure that in every respect Australians, their assets and their privacy are safe online.
The strategy outlined our commitment to build protective cybersecurity capacity, and events over the last year have demonstrated how important it is to maintain high levels of cyber vigilance and security.
The census was taken offline on census night because basic protections had not been put in place. The Russian hacking that sought to interfere in the recent US election again took place because security at various political servers had been inadequate.
More and more sophisticated attempts to penetrate our computer networks and systems are being perpetrated all the time.
The genius of the internet is that it is open — potentially connecting every person on the planet to every other: every student to every library, every government to every citizen, every device to every device. But at the same time this openness makes it vulnerable to those who wish to do us harm. We cannot eliminate all online risks but we can mitigate them and, by raising awareness, collaborating with industry and using commonsense security practices, we can be much safer online.
Don’t open attachments on emails unless you are very confident they are from a trusted source; change your passwords regularly; use two-factor verification wherever it is available; and, if you are running a business, make sure your system administrator is well known to you and thoroughly trusted.
After all, while cyber vulnerabilities are often found in flaws in software or hardware, the weakest point is generally the “warmware” — the human beings who, whether through carelessness or malicious intent, allow security to be compromised.
In the cyber game, we must be ahead of the pack.
We need to build our national cyber capacity, not just at a government level but across the economy, from the largest corporation to the smallest small business, to the netizens we all are on our smartphones, at home, at school, on the train. That is why the government is pleased with the progress that has been made during the past 12 months.
Since the launch of the cybersecurity strategy, the national conversation about cyber has shifted. There is a much higher level of awareness about cybersecurity among technical experts and the growing band of entrepreneurs that is seeking to leverage this industry’s growth. But almost all of us now, one way or the other, are doing business online, using cloud services and expecting our government to do more to keep us safe online.
No Australian government has done more to protect our interests in cyberspace. We are determined to build a credible cybersecurity shield, and provide the tools to ensure families and businesses have confidence in the security of their online transactions.
In just a year we are well on the way to implementing all recommendations of Australia’s cybersecurity strategy. Importantly, we have created momentum. Our $230 million commitment is well targeted and well spent.
We have opened the first joint cybersecurity centre in Brisbane and will open centres in Sydney, Melbourne and Perth this year. We are developing the next wave of homegrown cyber enterprises through the Australian Cyber Security Growth Network and academic centres of cybersecurity excellence.
We have brought together government and business to share their cyber experiences and to work together to better protect the nation from the threat of online criminals. This is the focus of the new joint cybersecurity centres, where the Australian Criminal Intelligence Commission, Australian Federal Police, state police and affected businesses can tackle common cyber threats in one location.
An unprecedented number of business leaders and company directors understand the imperative to ensure the enterprises they lead have strong systems in place to protect their customers from malicious attacks. Of the 113 companies surveyed in the Australian Cyber Security Centre report released today, 71 per cent have a cybersecurity response plan in place compared with 60 per cent in 2015. They also understand the strong economic dividends that will flow from being resilient to cyber threats.
Just last week Deloitte released modelling that showed a handsome pay-off if we get the investment settings right and unleash a new generation of cyber entrepreneurs. By 2030 this cyber investment could lead to a 5.5 per cent lift in business investment, contribute to 2 per cent wages growth and generate 60,000 jobs.
Australia is well placed to become a global cyber leader.
In its 2017 cybersecurity sector competitiveness plan, the Australian Cyber Security Growth Network forecasts the Australian cybersecurity industry has the potential to almost triple in size across the next decade, with revenues soaring to $6 billion by 2026, from just more than $2bn today.
These are impressive statistics and highlight why my government is placing such a premium on promoting cyber growth.
And it’s why we were the first to put cybersecurity on the national agenda of the Council of Australian Governments.
In 2017 we know much more about the opportunities and threats posed by cybersecurity than we did a year ago. No one could have anticipated just how fast the industry has accelerated.
The biggest priority is to protect the nation’s security and we are determined to ensure our cyber defences remain first class.
We need to be agile and willing to back a cyber sector that must not be risk averse but instead prepared to accept change. If we continue to do that — get the settings and investment right — we can be confident of building a world-class cybersecurity industry generating more investment and more jobs in this fast moving digital era.