Local lessons in US plan to shift cyber burdens


Joseph Brookes
Senior Reporter

The new US national cyber strategy is shifting burdens and liabilities away from end users towards vendors and manufacturers. An expert cyber advisor to the Biden Administration says there are lessons for Australia and its new national plan, which should ditch its proposal to ban ransomware payments.

Off the back of Australia’s most high-profile data breaches, the Albanese government is developing a national cyber security strategy intended to make Australia the world’s most cyber-secure country by 2030.

The early proposals – put forward through a government advisory group – suggest harmonising legislation, treating customer data and ‘systems’ as critical infrastructure, and prohibiting ransom payments to cyber criminals.

But the early paper does not address the more fundamental changes the US has begun grappling with. These should be addressed in Australia as well, according to Chris Novak, co-founder and managing director of the Verizon Threat Research Advisory Center.


Mr Novak, who was in Australia for cyber talks in Canberra last month, said the US national strategy launched this month marks important shifts in cybersecurity policy.

Not least of these is the US plan to begin dismantling vendor indemnification.

Through what has become known as “shrink-wrap licensing” – the licence terms a customer accepts simply by opening or installing a product – complex legal terms and licence agreements have protected companies like Microsoft and Adobe from legal consequences for damages arising from their products, even if those products are found to be insecure or faulty.

The new US cyber plan signals the Biden Administration will work with Congress and the industry to remove the legal shields in a bid to encourage safer and more secure products.

Mr Novak says it was an unexpected “game changer” in the new US strategy that will have a ripple effect across the cyber industry.

“I think it will be interesting to observe how that changes the way a lot of your tech companies produce products, and how security is looked at as part of that development lifecycle,” he told InnovationAus.com.

“So I think myself and many others in the industry are really actually happy to see that, I’m sure some of the tech companies maybe are not.”

The details about the extent of the liability and vendor obligations aren’t yet clear and will face a challenge from parts of the industry. But it likely ends with vendors — starting with the biggest and best resourced — having to have good security “baked in” and treated as an “ongoing part” of the product lifecycle, Mr Novak said.

The end of “shrink-wrap licensing” is just one of several parts in the US national strategy that show the tide is turning away from end users’ responsibility for cybersecurity, Mr Novak said.

“Ultimately, the shift that is going on is trying to move the burden and responsibility more towards the entities and organisations that are probably best educated and in positions to be able to act on it.”

The approach would be a valuable addition to Australia’s upcoming cyber strategy, Mr Novak said. He is also recommending a strong focus on coordination and information sharing between federal, state and territory governments as well as the private sector.

“There’s a lot of things that the private sector sees that the public sector might not because of the nature of the private sector’s business. And so as a result, there’s a huge opportunity for that to be almost like a giant intelligence collector to understand what the threat landscape looks like, and for the government then to be able to protect itself against those threats.”

Australia has a national threat sharing platform run by the Australian Cyber Security Centre, with much of the operation outsourced to consultants at a cost of nearly $60,000 every day. It has recently moved to allow the private sector to share threat information with the cyber agencies, but it remains overwhelmingly one-way traffic.

Mr Novak, who advises the US government on significant cyber incidents, backs a genuinely bi-directional system to encourage participation and threat sharing with government.

“Otherwise, what you’re going to find is the private sector is going to slowly over time, kind of recoil away because they’re not going to see a lot of value,” he said.

Australia’s new strategy is being developed by the Department of Home Affairs under Cybersecurity minister Claire O’Neil, who has criticised existing legislation and a lack of coordination for hampering the government response to cyber attacks.

Ms O’Neil has already committed to a National Office for Cyber Security, led by a coordinator for cyber security, within the Department of Home Affairs to coordinate the government’s cyber security responsibilities and responses.

The coordinator will be part of a new group within Home Affairs that brings together cyber security and infrastructure policy, response and coordination and regulation.

Coordination is critical in incident response, Mr Novak said, but is often hampered by data classification.

“Information might be desired to be shared, but there’s complexities and sharing from agency A to agency B, or it’s classified here and this agency can’t obtain it. It’s nuances like that, but they’re real and they create delays and issues with people obtaining the information they need to react and respond properly.”

The Albanese government had to amend regulations in the wake of the Optus data breach to allow Optus and other telcos to better coordinate with financial institutions, the Commonwealth, and states and territories, to detect and mitigate the risks of cyber security incidents.

Another mooted cyber policy for Australia is prohibiting the payment of ransoms demanded during a cybersecurity incident, with the government currently seeking input on what impact a “strict prohibition of payment” would have.

Mr Novak said ransomware victims should not pay attackers, but outlawing the payments would be a mistake.

Ransom payments more generally are not illegal, he said, and a ban specific to cyber incidents would be difficult to implement and police; many victims would pay the attackers regardless.

“It wouldn’t be the solution and wouldn’t make it go away. It wouldn’t make people stop paying it,” Mr Novak said.

“And if it just creates an underground economy, then the government also loses sight of how many of these [ransomware attacks] are even happening because no one’s going to talk about it if it’s illegal. No one’s going to share data with the government. No one’s going to ever call law enforcement.”

1 Comment
  1. Roger Buhlert 11 months ago

    Congrats Chris on this article and the advice it contains. As someone who has been in the information management industry and is very familiar with the digital world, this definitely should be considered for inclusion in the Aus Cyber Security Strategy, and as an added safeguard all new software, prior to release in this country, must pass a suitable test to ASD standards or greater.