Australia’s new cybersecurity strategy was needed “yesterday”, with the government’s recent cyber warning stoking fear and uncertainty around the country, a number of industry experts have said.
The Coalition had planned to unveil the 2020 Cyber Security Strategy earlier this year before the federal budget, but the COVID-19 pandemic put a halt to this, and the sector is still waiting for the new set of policies and spending.
Mr Morrison flagged that the strategy would be released soon and would include significant new spending in the space.
The new strategy is long overdue, RMIT University associate dean of mathematical sciences Professor Asha Rao said.
“It should’ve been yesterday, or last year or the year before. It should have already been done – the earlier the better,” Professor Rao told InnovationAus.
The new strategy is an update to the 2016 iteration and is expected to mark a significant policy shift. The Department of Home Affairs has been working on it for several months and received more than 200 submissions by the end of November from the private sector.
Late last week Prime Minister Scott Morrison fronted a hastily called press conference to warn that Australian governments and businesses had been targeted by a “sophisticated state-based cyber actor” over recent months.
The announcement was light on detail, with subsequent guidance revealing that the attacks were using known vulnerabilities with readily available fixes. The government advised businesses to install these patches and implement multi-factor authentication.
A spokesperson for Home Affairs said the strategy would be released “in the coming months”.
“The government is continuing to develop the 2020 Cyber Security Strategy and will consider advice from the Industry Advisory Panel prior to finalisation. The 2020 Cyber Security Strategy will build on the strong foundations established by its predecessor and will take into account the evolving cybersecurity landscape, including the impact of COVID-19,” the Home Affairs department spokesperson told InnovationAus.
The announcement of the apparent state-based attacks unnecessarily raised concerns in the cybersecurity industry and the general public, Enex TestLab managing director Matt Tett said.
“This gets it on the agenda, but there’s a question as to why it was happening at that point in time and what the real intent behind it was. All it did was spread fear and uncertainty and doubt in the community. It gave us more work that we didn’t necessarily want. It could’ve been made far more clear and to the point,” Mr Tett told InnovationAus.
“We had a whole lot of clients ringing us asking if they were under attack and if they would be targeted, and we had exactly the same questions. It could have been delivered far more clearly, succinctly and to the point by saying, ‘if there’s a vulnerability you need to patch it, and you need to be aware of it’.
“I think cybersecurity needs to be on the public’s radar, but spreading fear like that like we’re under immediate attack and then not providing specific details certainly sent our industry into a spin.”
The government needs to ensure that the new strategy is clearly measurable and has targets in place, a major shortcoming of the 2016 effort, Mr Tett said.
“The strategy is important, providing it’s correct. The 2016 strategy was well architected but over time it wasn’t well executed, and I don’t think that’s about the money. At the end of the day there weren’t measurements or data to show success,” he said.
“Any strategy which is released needs to be accountable and measurable and really show the value that’s being delivered. It’s all well and good for government to pump money into projects but we want to see the outcome and the success of those programs.”
The strategy must also make a real effort to improve cyber resilience within the public sector, Professor Rao said.
“It’s time that governments especially are held to account and audited. They’re the ones holding most of our information. That’s what worries me about things like e-health and having health records online, we’re not really sure about their strategies,” she said.