Increased investment and a series of new initiatives and policy reforms are urgently needed to combat the growing cyber threat and improve resilience across the economy, the federal government’s cyber advisory panel has concluded.
Critical infrastructure, digital supply chains and public sector cyber resilience should be addressed as high priority issues, while the government should also look to enforce clear consequences for malicious cyber actors found to be targeting Australia, the panel said in its 56-page report, which includes 60 recommendations to government.
The Industry Advisory Panel was established late last year to provide advice on the development of the 2020 Cyber Security Strategy, which is now expected to be unveiled before October.
The telco-dominated panel, whose members include Telstra chief executive Andrew Penn, Tesla board chair Robyn Denholm and former US Secretary of Homeland Security Kristjen Nielsen, met 13 times over the last six months, including two meetings with Home Affairs Minister Peter Dutton and a series of classified briefings.
The panel has previously been criticised for being dominated by large telcos and corporate players, and for not including any members from smaller cyber companies or startups.
Its recommendations centre on five “key pillars”: deterrence, prevention, detection, resilience and investment.
Of the 60 recommendations, 25 are immediate priorities while the remaining are long-term in nature.
“The panel’s recommendations are designed to create robust and adaptable defences able to evolve as threats evolve and technologies change. We are seeing increased levels of malicious cyber activity, both state-based and criminal,” Mr Penn, the panel’s chair, said.
“Successfully meeting this challenge requires upgrading Australia’s cyber defences to be strong, adaptable and built around a strategic framework that is coordinated, integrated and capable,” he said.
“The 2020 Cyber Security Strategy has an opportunity to be all of those things and provide an enormous – and never more important – contribution to a safer, more prosperous Australia.”
There should be clearer consequences for malicious actors found to be targeting Australian businesses and governments, and there should be more of a willingness to publicly attribute these attacks, the panel recommended.
These consequences could include via enhanced law enforcement, diplomatic means and economic sanctions.
Last month Prime Minister Scott Morrison fronted a press conference to warn that Australian governments and businesses had been targeted by a “sophisticated state-based cyber actor”, widely believed to be China, over recent months.
The report focuses significantly on digital supply chains and sovereignty, with a series of recommendations on critical infrastructure.
These include for the definition of critical infrastructure to be revisited to ensure it captures all essential systems and functions like data centres, and for the introduction of requirements on owners to implement reasonable protections against cyber threats.
The government should also urgently map the resilience of these networks, and agree to define situations where it may be necessary to provide assistance to businesses during a cyber emergency.
Government departments and agencies should be made to meet these requirements imposed on critical infrastructure operators, with much more needed to be done to force these entities to introduce baseline cyber protections, the panel said.
“All levels of government should take steps to better protect public sector networks from cyber security threats. Government agencies should be required to achieve the same or higher levels of protection as privately-owned critical infrastructure operators,” the report said.
“Ultimately, governments should be exemplars of cyber security best practice and Australian governments have some way to go in achieving this aspiration.”
Larger departments should also be made to assist smaller entities to meet these cyber baselines, the panel said, signalling a shift away from the current stance, where individual agencies are responsible for implementing and auditing their own cyber resilience, which has been shown to be continually inaccurate.
The panel also called for the immediate launch of an automated, real-time and bi-directional threat-sharing mechanism between the government and private sector. Such a platform had previously been promised in the 2016 strategy, and was renounced with a bigger budget and new capabilities by the government earlier this month.
“Improving situational awareness of cyber security threats to organisations of all kinds should be a national priority. There is clear appetite from industry for real-time sharing of threat information,” the panel said.
“The panel was surprised to learn that technical limitations currently prevent the Australian Cyber Security Centre from meeting these requests. These limitations are surmountable and should be addressed as a priority.”
The local offices of the ACSC, the Joint Cyber Security Centres, should play a prominent role in implementing the new strategy, and should have their funding “substantially increased”, the panel recommended, while a new national board for the centres should be established.
The government should focus on securing Australia’s digital supply chains and incentivising large businesses to help SMEs to improve the cyber resilience of their supply chains and customers, the report said.
Existing laws should also be reviewed to ensure that suppliers have appropriate obligations to protect their customers.
The upcoming strategy is an overhaul of the 2016 iteration, which has been widely criticised for not including adequate measurable outcomes and data collection. To combat this, the new strategy should come with an investment in data collection, research and analysis to underpin subsequent evaluation of its effectiveness, the panel said.
Another advisory panel should be launched to advise the government on an ongoing basis and publish an annual progress report, while the strategy should be updated every two to four years.
Another criticism of the rollout of the 2016 strategy was of the convoluted structure around cyber security in government, and the lack of a cyber security minister. While the panel did not directly recommend the reestablishment of the ministerial position, it did recommend there to be clearly defined roles, responsibilities and authorities at the federal level.
“Our report highlights that an effective response includes fundamentally organising and governing differently to ensure more efficient and effective use of resources and aligning cyber security imperatives across Australia,” the report said.
“If Australia’s cyber security is well organised and well governed then the application of all resources – public, private, people, infrastructure and capital investment – will achieve far more efficient and effective results. This was an important learning from the 2016 cyber strategy.”
Do you know more? Contact James Riley via Email.
Who wants to bet that the #1 issue causing the most financial loss to Australians right now (scam SMS and phone calls) will be met by absolutely no recommendations that any Telcos take any action, and no penalties whatsoever will be leveled at Telcos, no matter how much they facilitate these escalating crimes.
Who also wants to bet that the #1 cause of cyber-breakins in Australia (failure to implement mandatory and recommended controls inside government agencies) will also carry no penalties or repercussions whatsoever for anyone who is causing that.
Go read the submissions – almost every single one that came from a Government source made mention of their own department refusing to implement security. If you do read them – you’ll be the only one. I tested the lead author in his second-last public appearance, he eventually admitted that he did not read these (after claiming the opposite, but then exhibiting no knowledge of what was in them before changing his tune and confessing to only skimming a few).
I can’t wait to see what kind of “strategy” they come up with, after not actually listening to any experts who submitted suggestions, and actively refusing to engage in anything they feel might be “too hard” – like actual *penalties* for public-service non-compliance.