Australia’s federal opposition spokespersons on cyber-security, Kristina Keneally and Tim Watts, have presented a constructive direction to help Australia become cyber-secure.
Their statement – “We need policies that bring cyber-security to the community and build cyber resilience throughout the country” – correctly highlights the essential need for cyber-security amongst citizens, businesses and government agencies alike.
Cyber-security is not the exclusive domain of businesses and/or governments. However, successful cyber-security begins with national government leadership through policies and action. To be successful, such an important national government initiative demands a bipartisan approach.
Recent Australian cyber-security history has shown through continuing data breaches and hacking attacks, within business and government sectors that we are a long way from success.
The current COVID-19 pandemic has seen opportunistic cyber-criminals unleash massive cyber-attacks on government and businesses in Australia and around the world.
These attacks highlight how policymakers, businesses, government agencies and citizens share a common failure to protect themselves from cyber-threats and make themselves resilient against what we know to be on-going and relentless.
Why? Unfortunately, it is well known among cyber-security professionals that cyber-security solutions, such as encryption, are often viewed as expensive, difficult and even considered to be only ‘for defence’ – Three Myths.
Like other security, health and safety issues, mythical attitudes must change as history has shown.
Before the 1970’s there was never an Australian culture of protecting car passengers and drivers through compulsory use of car seatbelts; never a thought of alcohol and drug testing of drivers; and never occupational health and safety legislation, until bipartisan political approaches to legislation.
What Australia needs today is a government-led bipartisan cyber-security task force involving government, through the Australian Signals Directorate (ASD), industry and our best research institutions.
It also needs to harness our substantial and best in class private enterprise expertise in cyber-security recognised and exported around the world.
There are many important initiatives that such a cyber-security task force could provide advice to the Australian government about for consideration. These would include:
The urgent need for government to support the growth of cyber-security skills in the private and public sectors
Understanding the problem of ‘cyber-resilience’, which will soon be made more complex through the arrival of quantum computing.
Despite the clear cyber-threats to defence, government, critical national infrastructure, high technology, health and numerous other sectors – with targeted valuable intellectual property, citizen privacy and financial data – security analysts report serious under-investment in cyber-security
Whatever their size or type, large or small, private or public, too many organisations neglect, or underestimate, cyber-security as an important business risk with a high capacity to do serious harm. For example, annual cyber-security reports highlight that just 4 per cent of the world’s breached data is encrypted!
In the 21st century, a strong Australian economy requires global trust that Australian is a safe place in which to do business. That is made more difficult if major national enterprises suffer catastrophic successful attacks.
In the case of Toll Holdings and its ransomware attack, the harm was not just to Toll and its shareholders but flowed through to its customers and the wider national economy.
Australia’s federal and state governments have proven during the COVID-19 pandemic that a bipartisan approach to policy and national threats can be very effective. Whether the threat be to citizen health through a virus; by a foreign enemy; or an invisible malware attack by cyber-terrorists, these are common treats to us all that demand bipartisan policy approaches.
Australia has the cyber-security resources necessary to be self-reliant and resilient. The current COVID-19 virus crisis has shown how nations need to be self-reliant in essential areas of national security – health supplies and cyber-security alike.
Citizens have been awakened to national security – how bipartisan national security policy settings are not limited to defence. Critical national infrastructure such as telecommunications, health, energy, and cyber-security etc. are all essential to national security and national independence.
Support for indigenous, i.e. sovereign Australian cyber-security capabilities (software and hardware) and education are essential. Government leadership requires prioritising Australian cyber-security as essential for preferential procurement.
Mandated Australian content – ‘buy Australian first’ – where the capability exists in Australia is critical to encouraging private investment in developing world-class solutions. It is also essential to ensuring sovereign independence.
Continued bipartisan support for organisations including AustCyber that play important roles bringing Australian cyber-companies together and help develop new export markets for them.
Independent and world-class Australian cyber-resilience demands a federal ministry and cabinet position. We have seen in recent years how cyber-threats range from theft of national defence secrets, harm to critical national infrastructure such as energy supplies, to theft of sovereign intellectual property and interference in democratic elections.
Recognise, support and encourage investment in cyber-security research and innovation by Australian companies within Australia. This support must include simplification of the processes that often inhibit and add costly overheads.
Policy-making departments working with cyber-security developers will require qualified technology staff with technical and public policy expertise.
The Australian federal legislative process needs to be more agile and iterative to enable fast situation and risk responses. Bipartisan policy-making through to legislation is essential for such agility.
Moreover, the sleeping giant we are yet to face is the cyber-threat of quantum computing. This has only been alluded to by governments.
No Australian government initiative has yet been discussed. Possibly this is because few really understand it and how it will be a new class of cyber-threat. If any, few governments around the world will be ready to meet the bedlam that will occur when quantum computing is unleashed as a tool for cyber-attacks.
Whilst China is currently at the forefront of quantum computing technology, it has already announced significant investment in research to enhance this capability.
Quantum computing represents a fundamentally different way of harnessing mathematics and physics to perform incredibly complex computations and speeds never imagined before.
Unlike classical computing, quantum computing is a difference in kind not degree and will provide an exponential increase in performance solving computing problems.
Unfortunately, quantum computing’s impact is also that some of the encryption algorithms we rely upon today will be broken in microseconds, rather than in hundreds or even thousands of man-years.
Encrypted data already being stolen and stored today by rogue-states and cyber-criminals for nefarious purposes will be accessible (decrypted) in the short-term future.
A fair analogy may be that quantum is to computing as the A-bomb was to warfare. Nobody really understood the size and impact of the disaster until it happened.
So, what does this mean for us today? We must put in place today the bipartisan cyber-security policies essential for our security tomorrow.
However, effective bipartisan cyber-security policies require Australian federal government leadership – a strong cyber-security regulatory environment; improved enforcement of government agencies’ adoption of data security regulations; and a well-resourced bipartisan ministry dedicated to the tasks and collaboration with our world-class cyber-security companies.
Australia is at the forefront of cyber-resilience. We ‘punch’ well beyond our weight! Our company, Senetas, will soon announce how we will lead in quantum-readiness.
Our leading high-speed network data encryption engineers have already assisted global quantum-readiness by providing the University of Waterloo a software engine for evaluating NIST candidate quantum resistant encryption algorithms.
We need to utilise Australian capabilities with bipartisan government support so that we not only flatten the cyber-threat curve but stay ahead of it!
Francis Galbally is the founder and chairman of ASX-listed cybersecurity company Senetas. Senetas is a global leader in high-performance encryption security hardware and software solutions.
Do you know more? Contact James Riley via Email.
We who invest our own money and risk our livelihoods to develop sovereign cybersecurity capabilities in Australia welcome the comments and calls for action, but we are acutely aware of the government stonewall. But it is built into the system – the government procures its ICT needs from global vendors, global contractors and global consultants – usually recommended by contractors; none of these is seriously interested in a sovereign Australian capability.
The major ICT lobby group’s board is dominated by major vendors and consultants and does not include a single Australian manufacturer of ICT products.
Our products are used in some 27 countries, and we have better access to markets in Europe, Singapore and the USA than Australia.
“Cybersecurity IS national security.” – a statement from at least two prominent USA people, including former Homeland Security Secretary, Janet Napolitano. This means that a nation needs to have the “soldiers” needed for that defence role and that means appropriate levels of education and training – long gone here in Australia at any really significant undergraduate level, particularly at universities. Example – how many non-defence ICT professionals are even familiar with the “Common Criteria” (IS 15408 international standard) for “trusted systems” and Australia’s own AISEP? Any? Which universities/TAFEs teach around that topic?
Yes – simple – no application can be any more secure than the components it uses and the system on which it runs, just as any house can be no more stable than the foundations on which it is built. Even for cars we have the motor vehicle standards Act of the 1980s but nothing equivalent in the critical ICT arena and particularly when it comes to “cloud” (Virtual Machine or VM) systems and services.
Few seem to remember government initiatives to move to absolute requirements for “evaluated systems”, e.g. USA’s “C2 by ’92” or even better “B2 by ’95”!! (Yes – 25 years ago it was recognised that “mandatory access control”, or application/system enforced “profiling” was an essential part of future cybersecurity. What happened! Well – cheap/commodity software won! The USA has tried with its “SELinux” initiative, a high trust form of LINUX aimed particularly at servers, but to little international success it seems.
Problem is simple: cybersecurity is copstly and the objective of any company/public sector board is to MINIMISE costs. Only when recognised cybersecurity becomes legally mandated, with appropriate penalties at board level for non-compliance, will we see cybersecurity fully integrated into the national cyberspace. AND that starts with public sector systems.
We do not need more policy.
We need penalties and enforcement, ESPECIALLY against public servants who point-blank refuse to abide by policies.
There’s no point having rules, when nobody obeys the rules, and there are no consequences for that behavior.
Go and READ all the 2020 strategy public submissions. Look at ALL the ones that have been lodged by government departments and public servants. NEARLY ALL of those are complaining that their own departments never follow the rules.