Australian executives don’t understand the risks they’re facing, and they currently under estimate that their companies could be taken out by cyber-attackers, says the director, cyber security of the Australian Competition and Consumer Commission (ACCC).
Robert Deakin offered a sobering wakeup call for Australian executives, comparing them to Montezuma II, the Aztec emperor of Mexico who was swiftly defeated by the Spanish conqueror, Hernán Cortés, in the 16th century. According to Deakin, today’s generation of Australian business leaders are “like Montezuma — totally unaware that Cortés is coming”.
Mr Deakin was in a conversation on the topic of securing a digital economy with Thomas Fikentscher, CyberArk’s regional director for Australia and New Zealand as part of the podcast series on Bridging the Cyber Divide.
Mr Deakin pointed out that the definition of the digital economy has transformed dramatically in the past decade.
“There’s an exponential change in what data means,” he said. That change is mostly due to the increase in smartphone use and its impact on e-commerce, which he sees as comparable to the development of transport infrastructure.
“Since the release of smartphones people have realised there’s a whole ecosystem around the transport network. In this next phase we’re entering, it’s not about what car or plane you’re in, but why you’re going to where you’re going,” said Deakin.
The opinion of the ACCC’s cybersecurity director is important right now, given the Australian federal government’s focus on digital economy and its $1.7 billion cybersecurity strategy. The federal government unveiled its 2020 Cyber Security Strategy in August to better protect critical infrastructure, and is looking to broaden existing regulations to operations outside of classical critical infrastructure.
The recent 2020 federal budget begs the question whether Australia has the right regulations, technology and skills to succeed in the next decade.
CyberArk’s Mr Fikentscher believes Australia’s skills shortage could be undermining its ambition to be a global leader in cybersecurity.
The China Cyber Policy Initiative of the Harvard Kennedy School’s Belfer Center for Science and International Affairs recently ranked Australia as the 10th most comprehensive cyber power in the world based on intent and capabilities. However, Australia’s intent was ranked far higher than its capabilities due to a shortage of relevant skills.
“There is a divide between what we want to do and what we can do. When you look at the cyber capabilities, the problem that needs addressing is whether there are enough people with the skills in this country?” said Mr Fikentscher.
“Do we have a domestic cybersecurity industry that can support and surround the whole digital transformation requirements? And do we have the ability to commercialise those ideas here in Australia, and send them to foreign markets, and to then create a business out of that cyber security skillset? There are big issues that need to be tackled. The intent is good and very positive, but our capabilities are questionable at this stage.”
However, according to the ACCC’s Mr Deakin, Australia is well positioned, though he admits there are some serious weaknesses from an engineering perspective.
“Australia is in a brilliant position if we can harness the will and the capability,” he said. “But it’s also important to look at other nations like Israel or Estonia, who’ve had existential pressure on them, and have adapted and built strong digital economies. Israel, for example, has developed a robust and strong export economy in cybersecurity skills and services.”
Australia has a GDP of approximately $1.7 trillion, and the government has a budget of about $470 billion, but Mr Deakin points out that spending on cybersecurity is relatively small.
“We spend about $34 billion on defence, but we’re spending considerably less on cyber,” Mr Deakin commented.
The national cybersecurity budget for 2020 amounted to only $200 million for the Department of Home Affairs, the agency Deakin served at as a cybersecurity expert between 2017 and 2018.
“It’s really small when you compare it with the economy overall. And do we need to be investing in areas where future economic value is to be generated?”
For instance, the federal government generates about $220 billion a year from Australian taxpayers while businesses contribute about $90 billion a year to the Australian Tax Office.
“Is that investment being returned to the individuals, in terms of protecting them from a cyber security perspective in the digital world? As for businesses, are they seeing that investment from the government to protect them as they build a digital economy?”
On the other hand, computers and sensors are changing the face of industries — even seemingly antiquated ones, such as construction where computers and sensors are now taking over functions that used to be handled by people.
“People believe the construction industry is still a hands-on bricks and mortar business,” said Mr Fikentscher. “But that has changed a lot. If you look at progressive organisations in Australia and overseas, they’re building a lot of digital twins before they start to build a physical building. When you walk into high-rise buildings, for example, it’s been made virtually on a computer first.”
“Within the building, everything is full of sensors, facial recognition systems are in meeting rooms that recognise your identity because of a camera, and with that comes access to a screen that displays certain information.”
So how should Australia proceed with its digital identity plans, such as the myGovID system for accessing online government services? How can it be expanded to non-government services? What are the privacy risks for users?
Identity is a fundamental part of accessing any service. Can it be done in a way that preserves the privacy of users while expanding online services?
“There are so many different types of identity,” said Mr Deakin. For example, when a customer goes to a coffee shop, the barista might not know the customer’s name but recognises the customer’s face. Then there is the personal identity captured on a device.
The issue isn’t the complexity, according to Mr Deakin. The problem is the complacency and the adjustment of people to the change.
“No one is attacking us specifically at the moment with kinetic weapons but pensioners on the Gold Coast are being attacked with romance scams and ransomware,” he said.
“Have we got the balance right in relation to where we are putting our effort, and have we got the balance right in relation to identity? My perspective is that people have already traded away their privacy and identity for convenience.
“We have a hope in Australia that we could provide the convenience with the appropriate checks and balances, which isn’t being offered in nations where identity and privacy has been taken away by authoritarian states that offer no choice.
“The complexity, identity and security can be solved but the issue is the cost. With techno-authoritarian nations, if [these instruments] were used with more virtue, they could be of great benefit. But they need strong institutions so people can trust them.”