Breach laws to change everything
Rachel Falk: The game-changer for cyber security in Australia is the mandatory data breach laws
Australia’s cyber security scene will undergo substantial change over the next year, with the introduction of mandatory disclosure of data breaches the major driver. The new legislation was passed by the House of Representatives in February and will come into force in February next year.
“Mandatory disclosure is a game changer,” said Rachel Falk, who is director of technology, security and strategy at auDA, the company that administers .au domain names.
“Organisations who suffer data breaches won’t be able to keep it quiet. They have an obligation to notify,” Ms Falk said.
“That means the board will want to know, and that the organisation will need the appropriate processes and infrastructure in place to handle the data breach.”
“People won’t be able to sweep it under the carpet anymore,” said lawyer Nick Abrahams, Partner and APAC Technology Practice Leader at law firm Norton Rose Fulbright.
“One of the big changes will be that people will have to hold all of their suppliers to account. They may have impeccable standards themselves, but that is not enough. Data breaches can occur anywhere in the ecosystem.”
Those comments spoke to the key theme of the event, which was that cyber security is simply not possible without cooperation. Virtually every speaker touched on the issue.
“We can make Australia a better place to live by sharing information about cyber security,” said keynote speaker Steve Ingram, Asia Pacific Cyber Lead for PwC. “If everybody discloses their cyber breaches, and what they are doing to combat them, we will all be better off.
“There is no competitive advantage in keeping these things secret. On the contrary, it is a business necessity that the information is shared. That’s what the criminals do. We can never stop them, but with more sharing of knowledge our prevention systems will get better and they will go elsewhere.”
Sandra Ragg, cyber policy lead at Prime Minister and Cabinet, said we need to change the conversation. “Australia needs to look at the problems of cyber security in a different way.
“We do not do cooperation between business, government and academia nearly as well as many other countries,” she said. “No one sector has all the answers, but they need to share skills and knowledge.”
Israeli Avi Schechter, whose consultancy CyberGym is in the process of setting up in Australia, said that he was impressed with what the Australian Government was doing with its cyber security strategy.
“It’s great what the Government. It is more than is happening in many other countries. But effective cyber security must be led by the private sector. The government can help create the right environment, but ultimately it is up to individual organisations to take the lead. And they need to cooperate with each other.”
He gave the example of the power grid in Israel, where the different power companies have cooperated on a secure ‘cyber grid’, prompted by Russia’s cyber attacks on the Ukrainian electricity network.
Sally Ernst, CEO of the Australian Cyber Network, also stressed the virtues of cooperation. “We need to start communicating and collaborating. We talk a lot in this industry about disruption, and about chipping away at incumbents.
“With cyber security we need to realise that we are not competitors, and that it is the criminals we should be disrupting. I am much less insecure if you are also much less insecure.”
She likened it to the ‘herd immunity’ of vaccination. “We don’t operate in isolation. We all influence each other, as individuals and organisations. Large businesses have many employees who can be influenced, and they have friends and families. We all need to raise our cyber awareness, and eventually we will get to critical mass and join up the dots.”
Another key theme of the event was cyber skills and how to improve them. Anthony Kitzelmann, Chief Information Security Officer for the Australian Digital Health Agency, called for more training at the grass-roots level, using the example of apprenticeships.
“Our current cyber workforce is underskilled, and there is a lot of concern that we are not getting value for money for the people working in the industry. The skills shortage means that many people are probably being paid too much.
“We need to be asking questions like ‘What do we want the workforce to look like? How can we grow it?’
“We need to start looking for smart young people, in the public service and private industry, and we need to develop their skills and their business acumen.”
He proposed a ‘competency based framework’, where they would spend some time in work and some in study, developing both business and technical skills.
“They need to understand the business context of cyber security. The only way they can grow and become a cyber leader is to have operational experience and develop the skills and competencies that come with business experience.
“The bad guys have skills. If we could collaborate better we would have an entirely different landscape. Right now we have good technicians, but they are not necessarily good at getting things across the line and on budget.
“We need to treat the development of cyber skills almost like an apprenticeship, developing competencies to justify our investment in them. If we all did it, we would lift the bar, and build a pool of experienced people.”