Malcolm Turnbull has urged Australian corporate leaders to appoint cybersecurity expertise to board level positions, and called on business and governments to create a common language for describing cyber incidents.
For the second time this year the Prime Minister highlighted Australia’s offensive cyber capabilities, while also outlining a strategic tightening of Australia’s cyber relationship with the US, jointly building “response structures and mechanisms.”
Speaking at the first Australia-US Cyber Security Dialogue in Washington last week, Mr Turnbull said the role of government in securing the Internet was utterly intertwined with the role of business.
He outlined very specific expectations of business, and called for work to be done on the creation of a common language to describe cyber incidents, and a building of a better communications practices to describe responses.
There were a lot of moving parts in this speech. From national security, to business cooperation, to communication, to industry development, to cyber conflicts between states, this was a sophisticated and comprehensive address. It is certainly worth reading.
The communications challenge is itself fascinating. If the language describing an incident is poorly understood or constructed, the damage to a corporate reputation can be needlessly magnified. But the Prime Minister talks about the problems this poor understanding of language might have in a cyber incidents where nation states are involved.
The creation of the Australia-US Cyber Security Dialogue was first mooted by Mr Turnbull in March with the launch of the Australian Government’s cyber security strategy.
The dialogue aims to promote “norms of state behaviour in cyberspace” and to make clear the precursors for incident response.
He said that without clear understandings between countries, cyber incidents have the potential to quickly escalate into wider conflict. “In April this year, I announced for the first time that Australia possesses an offensive cyber capability – a capacity to respond to state and non-state actors who attack us
“This option of offensive cyber response takes its place alongside options such as: diplomacy, law enforcement action, and sanctions amongst others. As governments, we don’t talk much about what this offensive capacity can do, nor how it can be carried out,” he said.
“Much as we acknowledge we have warships, submarines and fighter jets, we don’t detail their specific technical capabilities. Merely acknowledging their existence forms part of our national deterrence.
“In the short-term, and in the absence of well-developed understandings about how to behave, there is a risk that unexplained cyber incidents could escalate into conflict between states.”
Malcolm Turnbull has signalled more directly cooperative role between business, government and research academia in securing the internet and outlined a framework for a tighter cyber defence and cyber response links with the US.
There is a huge industry development component here, and it is one of the pillars of the Turnbull Government’s policies for tech sector growth in this country.
The launch of the Cyber Security Growth Centre initiative in March covered what had been a glaring omission in Australia’s industry development framework. It is also characteristic of Mr Turnbull’s view that the biggest opportunities exist where we face the biggest challenges.
“Governments and businesses must be focused on the cyber sphere as a catalyst for innovation and growth and security is the key to that,” Mr Turnbull said. “The cyber security sector could grow at faster than 10 per cent each year for at least the next five years — far exceeding expectations of the economy generally.
“My objective is for Australia to become even better placed to use home-grown cyber security expertise to solve challenges and develop new business opportunities of global significance,” he said.
“Already, we’ve established an industry-led Cyber Security Growth Centre. It will build on our expertise, promote greater collaboration and support our local cyber businesses to expand, to commercialise IP and to export innovative products.”
Mr Turnbull said there are obvious reasons to value the Chief Information Security Officer advice at board level. But given the recognised convergence of online and off-line security threats, consideration should probably be given to now replacing the title of CISOs with the more appropriate Chief Security Officer, he said.
And there is an industry development component here also.
“The cost impact of cyber-attacks on companies is complex, and not limited to just a loss of shareholder value although this can be as we’ve seen significant,” the Prime Minister said. “Listening to the risk mitigation advice of your security staff is therefore good business.
“But it is better business to also think broadly about the benefits of information security. Security staff could use their skills to contribute new business models that take a company into new products and markets.
“On that basis, we should unleash security staff to focus on both sides of the risk coin and to increase the value they add to their organisations,” Mr Turnbull said.
Under Malcolm Turnbull, cyber security is not just a concern – it is a business opportunity.