In the most significant speech of his political career, Angus Taylor has outlined a fundamental re-making of Australia’s cyber security strategy through the creation of a ‘cyber defence network’ that is active, interventionist, and heavy on private sector collaboration.
Mr Taylor, the Law Enforcement and Cyber Security Minister, says the threat environment had changed significantly since Australia’s first Cyber Security Strategy was launched in 2016. In his first major speech since taking the portfolio eight months ago, he has outlined structural changes to the way cyber risk is managed across the economy.
Mr Taylor advocates a more interventionist role in the outward-facing ‘Forward Defence’ posture – that is, the tip of the virtual spear – and a dramatically more collaborative defence network across government and the private sector.
This is not a nuanced change; it is dramatic and fundamental. It’s a good speech, and worth reading if you work in tech. It doesn’t get to specifics, but it puts down markers on philosophical and doctrinal changes of direction.
First of all, Mr Taylor effectively draws a line through the nominal debate about the merits of Fortress Australia vs Forward Defence thinking in relation to cyber. It’s not about defending perimeters.
It also ends the simplistic notion that private sector infrastructure is some kind of passive asset that governments must protect. The operators of this critical infrastructure – telecommunications networks, data centres and other cloud infrastructure, financial services companies – must be active collaborators in economy-wide cyber defence.
“Australia’s national cyber defence must be one of Forward Defence,” Mr Taylor told the Tech in Gov conference in Canberra on Tuesday. “We cannot expect to hide behind our firewalls and our gateways in some kind of glorious isolation and hope the threat will pass.”
“We must build a system that is active, interventionist and collaborative. Collaborative with our allies, our partners and of course most importantly with our private sector,” he said.
“For too long government has viewed the private sector as a service provider or as a piece of infrastructure that must be protected.”
Mr Taylor has promised to roll out further details of the strategy over the next six or eight months, with a formal upgrade of the 2016 Cyber Security Strategy expected to be published as a document in the first quarter of 2019 (the outline promises significant resourcing – meaning the strategy would need to be considered in the context of the 2019 budget process).
Internally, the government is already well advanced in its thinking on cyber. It is currently circulating a new draft version of the Information Security Manual (ISM) that better reflects a risk management approach to cyber.
And in the changes that have enabled Microsoft to achieve Protected-level accreditation for its Azure and Office 365 products (albeit with caveats), it is not difficult to see the new Cyber Security Minister’s fingerprints.
Mr Taylor paints a picture of a more devolved responsibility for cyber in government – where departments and agencies must take specific responsibility for their own role in the cyber defence network – and that must include “a new dynamic of engagement with the private sector.”
In getting the government’s cyber house in order, “we must reach a space quickly where (the Australian Signals Directorate) is not the answer to every question. And to do that we must utilise our private and public partners more efficiently than ever before.”
This likely means enhanced and expanded data sharing arrangements between the key players across the digital economy, including an expanded role and additional resources for the Australian Cyber Security Centre and its network of Joint Cyber Security Centres across the country.
Of course, the most fascinating component of cyber defence is the spooky offensive capability of the defence and intelligence agencies working at the tip of the virtual spear. But the broader economy-wide defence capability that sits alongside it is at least as interesting.
This will not be uncontroversial. Mr Taylor outlined the importance and achievability of ‘threat blocking’ through the collaboration of government and the private sector – and in the next breath assured the audience that “we are not talking about an internet filter”. Which is, of course, the first thing that comes to mind.
“To effectively implement threat blocking we must know who is a threat to our economy and who to go after. This is fundamentally important to our National Cyber Defence program,” Mr Taylor said.
“This threat picture – if it will truly work – must be a coordinated process between Defence, law enforcement, government agencies and the private sector. It must be open and relevant to all partners to work,” he said.
“Under this concept we would have a common threat picture, a known target list and a set of priorities that best meet the particular capabilities of each member.
“Law enforcement targets the criminality, Defence conducts national security, telcos actively block threats and everyone works to raise the default security posture of their customers.”