Can Australia afford an ineffective Cybersecurity Strategy 2020-2024?
The Australian Government is developing the nation’s next Cyber Security Strategy as a successor to the $230 million Cyber Security Strategy announced by then Prime Minister Malcolm Turnbull.
ORIGINAL ARTICLE BY CHRIS CUBBAGE, EXECUTIVE EDITOR – AUSTRALIAN CYBERSECURITY MAGAZINE.
The 2016 strategy appointed Australia’s first Cyber Ambassador, designated a Minister Assisting the Prime Minister on cyber security, and appointed a Special Adviser on Cyber Security in the Prime Minister’s Department. Only the Ambassador of Cyber Affairs survives in his post today.
The majority of the $230 million budget was used to swell the ranks within government departments, such as ASD, as well as to move the ACSC into new accommodation. As Tony Campbell wrote in 2017 for the Australian Security Magazine, “the investment left to improve our nation’s defences and create a “Cyber Secure Nation” is at the outset somewhat unimpressive.”
The release of the 2016 strategy coincided with the government’s confirmation that the Bureau of Meteorology had indeed been the target of a cyber attack, compelling evidence that the government needed to make a fundamental shift in its overall security strategies.
Yet, during the tenure of the current strategy, there was the Census 2016 debacle, and by early 2019 Australia experienced its first official National Cyber Crisis with the Parliamentary breach. There are too many more cases to mention here, but you get the picture.
With the introduction of the Notifiable Data Breach legislation and the OAIC releasing NDB statistics, it is clear that since the 2016 Cyber Security Strategy there have been significant changes to the government ecosystem, but the threat landscape is certainly no better.
In 2018 MacGibbon provided a top-level view at the ACSC Conference in Canberra, warning of increased sophistication in tools and tradecraft, increased infiltration and exploitation of third parties such as global ISPs, and exploitation of routers to compromise networks. “We expect more nation states to enter this field”, said MacGibbon, “and the weaponization of malware is expected to increase.” Cyber espionage is alive and well, and in March the USA formally accused Russia of cyber-attacks against the US energy sector since 2016.
At the time, industry welcomed the strategy, but it was clearly never going to be enough. The then CEO of the Australian Information Security Association, Mr Arno Brok, stated: “The strategy announced by the Prime Minister will help to address an apparent lack of cyber security professionals in Australia. However, the Government’s announcement to provide support for some 5,000 small businesses does not go far enough. AISA recognises that there are around 200,000 small-to-medium sized businesses (SMBs) in Australia that need assistance to protect themselves against large-scale cyber-attack from cyber criminals. Cyber security needs to be brought to the forefront of their business strategies.”
And you only need to look to NIST (United States) and the warnings in the numerous 2020 Predictions Reports being released this week to understand how critical cybersecurity has become.
NIST wrote this week, on releasing its latest special publication, Developing Cyber Resilient Systems: A Systems Engineering Approach: “The United States (and Australia!) continues to have complete dependence on information technology deployed in critical systems and applications in both the public and private sectors. From the electric grid to voting systems to the vast “Internet of Things,” the Nation remains highly vulnerable to sophisticated cyber-attacks from hostile nation-state actors, criminal and terrorist groups, and rogue individuals. Advanced adversaries, collectively referred to as the Advanced Persistent Threat (APT), have the capability to breach our critical systems, establish an often undetected presence within those systems, and inflict immediate and long-term damage on the economic and national security interests of the Nation.”
Industry Advisory Panel
On 25 November 2019 the Minister for Home Affairs announced the membership of the 2020 Cyber Security Strategy Industry Advisory Panel. The Panel comprises representatives from three telecommunications companies and two US companies in technology and defence, tasked with providing strategic advice on the development of the 2020 Strategy. Representatives are:
- Mr Andrew Penn (Chair), Chief Executive Officer and Managing Director, Telstra
- Mr Darren Kane, Chief Security Officer, NBN Co
- Mr Robert Mansfield AO, Chair, Vocus Group
- Ms Robyn Denholm, Board Chair, Tesla
- Mr Chris Deeble AO CSC, Chief Executive, Northrop Grumman Australia
The panel has access to 213 submissions in response to Australia’s 2020 Cyber Security Strategy discussion paper, which happen to include a submission from a competing telecommunications company, Huawei, which wrote:
“In order to improve the security of business and communities and, at the same time, ensure Australia’s future prosperity, the Australian Government should:
- Reduce the risk of national dependency on any one supplier, regardless of its country of origin, to improve 5G and fibre networks resilience.
- Ensure a more competitive, sustainable and diverse Telecoms supply chain, to drive higher quality, innovation, and incentivise more investments in Cybersecurity.
- Define network security and resilience requirements on 5G and fibre networks; contribute to unified standards; identify a toolbox of appropriate, effective risk management measures; and enforce tailored and risk-based certification schemes.
- Ensure that there are conformance programmes and independent product testing/certification in place for equipment, systems and software, and support specific evaluation arrangements. (The assessment and evaluation of products from different vendors shall be the same, as their supply chain has the same level of risk.)
- Develop Australian industrial capacity in terms of software development, equipment manufacturing, laboratory testing, conformity evaluation, etc., looking at end-to-end cybersecurity system assurance; new architecture and business models; tools for risk mitigation and transparency, and greater interoperability and more open interfaces; and share results, in closed loop (3.)
Huawei takes this opportunity to show its interest in collaborating with the Australian Government, ASIO, ASD and other relevant public and private organizations to embed trust in all business processes and the Telecoms supply chain, and enhance cybersecurity through research and innovation in Australia.”
Or, as a slap in the face to the Joint Cyber Security Centres, the WA Department of Transport (DOT) submitted: “DOT would like to see increased collaboration between State and Federal agencies on cyber-solutions for mitigating and managing threats/threat vectors, and federal/state help in implementing and setting priorities, developing strategies and plans. Currently, alerts are received from multiple sources creating an overload of similar information and in some instances not timely; a single source would be a great improvement.”
Among the many recommendations in AustCyber’s comprehensive submission: “Identify the United States’ National Initiative for Cybersecurity Education’s Cybersecurity Workforce Framework’s utility as a standard for skilling and workforce development as well as the benefits of it providing a baseline for skills mobility”; and “Return the position of a Minister for Cyber Security to the Ministry of the Parliament of Australia.”
As we move into 2020, the Cyber Security Strategy 2020-2024 will be a critical national document on how Australia intends to face a highly sophisticated and broad threat landscape. Stay tuned!