Cybersecurity threats are having a huge impact on all industries across the public and private sectors – affecting company trust and the economy, and creating a host of identity and privacy issues. No organisation is impenetrable, but some are better prepared than others.
InnovationAus asked a leading local cybersecurity policy expert if these threats could be what unites public and private sectors to help build a more resilient Australia in an ever-increasing digital world.
“Malicious cyber actors are attacking organisations with impunity and without any regard for what type of sector they represent,” said Australian Cyber Security Cooperative Research Centre (CSCRC) head of strategic policy Stephenie Andal.
Dr Andal spoke with InnovationAus’ James Riley and privileged access management specialist CyberArk’s Australia and New Zealand regional director Thomas Fikentscher as part of the video series Bridging the Cyber Divide.
Private and public bodies are equally being targeted by cyber attackers, whether they be state-backed actors wanting to harm democracy or gain competitive advantage, or cybercriminals driven by profit or malice. However, nuances in the events – and the interpretation of them – can make creating suitable legislation complicated.
As Australia heads into 2021, the nation is staring down radical legislative changes on all things cyber. There’s the big tech media code targeting Google and Facebook and the Federal Government’s just-released draft of the Security Legislation Amendment (Critical Infrastructure) Bill 2020.
The critical infrastructure amendment seeks to encompass retailers, supermarkets, banks, law firms and cloud providers in addition to classical critical infrastructure providers such as ports and energy utilities that were captured by the 2018 Security of Critical Infrastructure Act — Australia’s answer to the US Terrorism Prevention and Critical Infrastructure Protection Act of 2017.
There is certainly a cost to businesses, especially those now captured by the legislation, that potentially do not have the cyber security maturity that is required to bring it up to speed.
Beyond broadening cybersecurity obligations in the private sector, the amendment would establish structures for government agencies to assist private sector firms during a hack. On paper, government assistance in these instances looks great but it’s hugely problematic for cloud providers like Amazon Web Services and Microsoft’s Azure division if a signal intelligence and security agency like the Australian Signals Directorate (ASD) intervenes in a cyber security hack.
It can create serious trust problems for global tech companies that supply essential IT services for government agencies, not just in Australia but across the world. Should Microsoft let an Australian security agency into its network without expecting questions from customers in other jurisdictions?
At the same time, the line between state-sponsored cyber-espionage and rough-and-ready ransomware is blurring. The WannaCry and NotPetya ransomware outbreaks in 2017 initially looked like the work of cybercriminals, but Western governments blamed them, respectively, on the governments of North Korea and Russia.
On the other hand, Dr Andal points to Verizon’s recently released 2020-2021 Cyber Espionage Report that found the sectors most affected by cyber espionage include financial services, professional services and the public sector.
“I think what’s really critical to note about these global trends is some of the new sectors that are being encompassed within Australia’s forthcoming legislation,” said Dr Andal.
“There’s a recognition from the Australian Government that malicious cyber activity happens across multiple sectors, across all parts of our economy and we really need to be doing more and taking a more holistic approach to mitigating these threats,” she added.
Evidence of Australia’s public sector response can be seen in the consolidation of government cybersecurity functions across the ASD, the Australian Cyber Security Centre (ACSC), and AustCyber, an independent, non-profit Australian cybersecurity growth network that was set up by the Federal Government in 2017 to support Australia’s sovereign cybersecurity capability, she said.
Dr Andal works for the CSCRC, which handles collaboration between industry, government and academia – somewhat emulating Israel’s approach through the Israel Innovation Authority, which has supported its startup tech scene and digital sovereign capabilities since the 1970s.
Digital sovereign capabilities are a big question for Australia. CyberArk’s Mr Fikentscher believes a lack of understanding about ‘digital risk’ is hampering homegrown companies from expanding into overseas markets.
He argues there should be a ‘digital board’ that helps inform company directors and government agencies as to how to bring cybersecurity into the broader discussion about company risk management.
“Digital risk [as an outcome from digital transformation] is something that’s quite new, whereas cybersecurity has long been in that space,” said Mr Fikentscher.
“I believe some organisations, that have always operated internationally and had that exchange to global markets, are a bit more advanced because they have more depth of experience,” he said.
“Whereas domestic organisations, that are trying to expand internationally, run into problems around digital risk because they just don’t know where to start and how to structure and manage the approach to market properly.”
The public-private divide on the digital economy spans questions about how government supports Australian security startups, how boards of large companies manage cybersecurity risks, the regulatory framework for cybersecurity, and what instruments the government is building for itself and for the private sector.
The ACSC ensures Australia remains resilient against cyberattacks against government and industry while helping inform citizens and consumers about risks. The ASD got a A$31 million injection as part of the Federal Government’s $1.35 billion Cybersecurity Strategy announced in June. The Government stressed that the investment was to boost ASD’s capabilities to fight hackers offshore before they breached local networks.
But throw China and international trade discussions into the equation and new questions arise. There are geopolitical rifts happening between China, Australia, the US and Europe that make the question about public-private partnerships a lot more complicated – in a world where existing global supply chains are being disrupted.
“Really, we’re in a very challenging and fast-moving moment – where, at a global and supranational level, we’re seeing the technological unpicking or decoupling of systems or supply chains as we’ve known it,” said Dr Andal.
“We’re in the thick of trying to grapple with what that means for us from a digital transformation perspective, from a cybersecurity perspective and then all the way down to citizens and how we will benefit or perhaps not from that.
“Many nations are grappling with this, not only Australia.”
However, Australia could be headed down the right path with organisations like the CSCRC, which have a chance to convince larger Australian Government agencies to support early-stage research that could be commercialised, according to Mr Fikentscher.
“You could actually start a research project at the very early days and bring in one of the big agencies or a private organisation to collaborate as a public-private project,” he said. “This offers the best of both worlds – where the public sector provides the guard rails and the private sector is driving this on the innovation side.
“It starts with collaboration. If we do that, we can find and develop a lot of good talent within this country, and as a result we would be less reliant on bringing people and skills in from offshore into Australia.”
The Bridging the Cyber Divide series is produced as a partnership between InnovationAus and CyberArk.