Some of Australia’s largest institutions have called on the federal government to improve threat intelligence data-sharing to combat nation-state cyber attacks.
Multiple submissions from big four banks and Australia’s large universities to the government on its 2020 Cyber Security Strategy discussion paper raised concerns with long delays in information sharing on major cyber vulnerabilities and risks, with calls for more transparent and efficient processes.
Many submittors also pointed to the ANU’s recent report on its own cyber breach as evidence of the effectiveness of transparency and a way to share information on threats without creating more vulnerabilities.
There is “much room for improvement” in the government’s sharing of threat intelligence, ANZ said in its submission, with the big bank receiving “far more” information from overseas agencies than Australian entities.
“Government could play a greater role in facilitating threat intelligence sharing between and within industry sectors, in a manner that allows rapid ingestion and automated response, through the development of a secure threat intelligence sharing platform,” the ANZ submission said.
The Commonwealth Bank said in its submission it is “imperative” that there was improved cooperation and data sharing between the government and private sector.
“We need to create an environment that not only supports high standards of cybersecurity, but also encourages an organisation to share intelligence on compromises or ‘near misses’ it has suffered, without undue fear of criticism and scrutiny,” the submission said.
“This would remove barriers to effective intelligence sharing and align to the global shift in understanding that even a well defended organisation can suffer a cyber attack, and should be measured against how quickly and transparently it responds.”
The bank also urged government to increase funding to the Australian Cyber Security Centre to enable it to better produce and disseminate “actionable threat intelligence” and play an active role as a “central repository for the collection and dissemination of cyber threat intelligence sourced from trusted industry partners”.
This should involve the creation of a secure digital exchange platform for this information to be shared, the submission said.
“To facilitate greater sharing of intelligence between industry and government, the establishment of secure channels for exchange of information is an important foundational step to facilitating the ACSC as a hub for public and private sector cooperation on cybersecurity,” it said.
The Queensland University of Technology called for a “well-defined set of protocols to facilitate the exchange of highly-sensitive threat data” when attacks from nation-states are in progress.
“Nation-state actors often use new attack methods that are not easily identified by individual organisations,” the QUT submission said.
“Often these methods have been previously identified by the Australian government intelligence agencies, but not necessarily publicly released until investigations are completed,” it said.
“This means that in some circumstances the Australian government agencies will be aware of compromises of national significance, but are unable to share information securely with other industry partners that have not yet been targeted.”
The University of Melbourne also backed these recommendations in its own submission, urging the government to better disclose vulnerabilities.
“The defence against malicious attacks would be strengthened by better disclosure of vulnerabilities. The Australian government should commit to its agencies responsibly disclosing identified software or system vulnerabilities to vendors and thereafter to the broader community,” it said.
“This will help to reduce the number of vulnerabilities present on software and minimise the potential for development of exploits for these vulnerabilities.”
The government should also consider legislation that would force organisation that are notified of a vulnerability in their systems to respond in a prompt manner, the university said.
“This would not involve organisations being required to divulge sensitive information but would make them responsible for taking action on identified vulnerabilities,” it said.
“Making businesses and other organisations more accountable for the robustness of their cybersecurity arrangements will make for an environment less conducive to cyber attack,” the University of Melbourne submission said.