There needs to be a rethinking of cybersecurity policy in Australia with a focus on national resilience and community-based efforts, according to shadow assistant minister for cybersecurity Tim Watts.
Mr Watts, along with shadow home affairs minister Kristina Keneally, released a policy discussion paper last week on Australia’s national cyber resilience, and held a stakeholder roundtable on the issue.
The paper warns that Australia is vulnerable to a large-scale cyber incident along similar lines to the recent WannaCry and NotPetya malware attacks, and calls for a policy rethink and the launch of a “cyber CFA” – modelled on the bushfire-responsive Country Fire Authority – as well as the expansion of the cyber reserves.
There needed to be a shift at a federal level, Mr Watts said, away from a solitary focus on the “cyber Pearl Harbour” type attacks and towards building cyber resilience across the entire population, with a particular focus on small businesses and the public sector.
“We think that cybersecurity policy in Australia needs to be reconceptualised – a big change of thinking is required to shift away from a focus on a defence mindset with cyber and a move towards a public health-style mindset,” Mr Watts told InnovationAus.
“We need to spend more time thinking about building population-level health and resilience on cybersecurity. By doing that we can harden up and build the resilience of the entire ecosystem.”
With Australia re-evaluating national resilience in the wake of the ongoing COVID-19 pandemic, now is the time to look at this in terms of cyber, Mr Watts said.
“The thing the pandemic has highlighted is if you have a global disaster, you start to have these cascading impacts globally and that can affect your ability to respond domestically to these crises,” he said.
“In the same way that COVID-19 has caused global shortages of personal protective equipment and respirators, a global computer COVID would see similar shortages of human capital like incident responders, and potentially hardware too.
“The reason we launched it now is there’s a renewed focus and attention on what goes into national resilience. We think Australia has a bit of work there to build that resilience to protect from the risks of those systemic cyber incidents.”
The 20-page discussion paper makes a handful of policy recommendations, including the establishment of an active cyber defence and civilian cyber corps to improve the security of SMEs and government departments and agencies.
The paper criticises the federal government’s previous policies in the space, which it said were focused on protecting from the most sophisticated threats to the most sensitive organisations – the “cyber Pearl Harbour scenario”, rather than other threats.
It said government efforts to engage businesses with improving cybersecurity have “failed to gain traction”, and the policies from the 2016 cyber strategy have “fallen by the wayside”.
The Coalition’s 2016 cybersecurity strategy has been unsuccessful in bringing the community, especially SMEs, on board, and many government departments and agencies also remain vulnerable, Mr Watts said.
“The interesting thing about Australia’s cybersecurity posture is it’s highly varied. There are pockets of very high capability within the ASD and big banks, but when you look at the broad Australian society you see a different picture,” he said.
“Commonwealth entities are highly varied. Six years of ANAO reports show some pretty disturbing results about how organised Commonwealth entities are in fulfilling cyber resilience. COVID-19 has highlighted the systemic weakness that creates.
“There were some areas of the strategy that were not successful. Most obvious was the ability of government cybersecurity agencies to engage with people beyond the defence and security communities.”
The policy discussion paper comes ahead of the expected release of the federal government’s 2020 cybersecurity strategy, which has been in the works for a year.
The paper makes a number of policy proposals based on successful initiatives in other countries, to help prepare for a potential major cyber incident.
It outlines the potential establishment of an active cyber defence, which would include a range of automated tools designed to address government vulnerabilities that could be exploited by cyber criminals, such as a takedown service, mail check, web check and a protective domain name system.
The Australian Cyber Security Centre already undertakes some of these activities, but there is “significant potential” to expand these within a “coordinated framework for automated, scalable interventions targeting commodity cyber-attacks”.
The paper also proposed the establishment of a civilian cyber corps, similar to the CFA or SES, which would be a volunteer-driven organisation aiming to improve the collective cyber safety of the community. It would see experienced cyber professionals build the capability of people outside the sector and augment government efforts in the space.
“That would be a community-based organisation that performs functions in the cybersecurity space that are pretty analogous to what we see from the CFA, RFS or SES – professional organisations that are volunteer-driven,” Mr Watts said.
“Community-based that does community-engagement, prevention work and preparation in the community to harden up defences and offer surge capacity for responding to large-scale incidents.”
The government should also look to expand its cyber reserves, with the Australian Defence Force so far having filled only 77 cyber reservist positions out of 110 designated roles, and with no targets in place.
“Cyber Reserve forces sit within the existing branches of the defence forces and comprise part-time personnel trained to engage in cyber operations with these organisations,” the paper said.
This could provide a low-cost avenue for skills development and surge capacity to deal with major cyber crises.
There also needs to be significant efforts to grow the pipeline of Australians studying cybersecurity, and to address the gender imbalance in the sector, the paper outlined.
“When 89 per cent of your human capital is being drawn from one gender, you’re effectively fighting with one hand tied behind your back. Creating more mid-career pathways for general IT professionals, developers and systems administrators, to transition to cybersecurity roles will also be crucial,” it said.
Mr Watts now plans to consult on the paper and the policy proposals, which will likely feature in Labor’s agenda in the lead-up to the next election.
“We want to see renewed focus on national resilience post-COVID-19 as a way of focusing attention on the cyber resilience of Australia,” he said.
“We’re going out to stakeholders both in the cybersecurity community and in the broader community in small businesses to talk about these ideas and see what works, what might need changing and that’ll be part of our policy development in the lead up to the next election.”