Australia’s two most high profile cyber incidents that exposed millions of people’s personal information are only the “tip of the iceberg”, Cybersecurity minister Clare O’Neil said on Tuesday, warning of an unprecedented threat landscape while laying out the emerging themes of a new national cyber plan.
She revealed four broad themes have formed in the early preparation of Australia’s next cybersecurity strategy, a plans she says will make the nation the “most secure” in the world.
“We’ve got to be a hard target; We’ve got to fight back against the threat; We’ve got to bounce back quickly when we get hit,” Ms O’Neil said.
“And to do all this, we need a really strong, powerful cybersecurity ecosystem for Australia.”
The massive data breaches at Optus and Medibank that compromised the sensitive information of millions of people moved changes to the national strategy from a revamp to overhaul.
But the two incidents are the “tip of the iceberg”, Ms O’Neil said in a virtual address to the Australian Strategic Policy Institute’s Sydney Dialogue event.
“Part of waking up from the cyber slumber is waking up to this reality,” she told the government and defence industry funded thinktank’s annual event.
“The harm and inconvenience wrought by huge data leaks through the exploitation of basic vulnerabilities from actors ranging from the proverbial teenager in a faded black hoodie in mum and dad’s basement to high end threats is a big national problem.
“But the truth is, we face a scale and intensity in the threat landscape that far outstrips the recent cases we have seen.”
Last week, Latitude revealed a data breach had compromised 14 million of its records.
“When you add the three major incidents together – Optus, Medibank and Latitude – probably almost every Australian family – has had their data privacy breached in some way.”
The upcoming national cyber strategy will seek to minimise the risks by making Australia a “hard target”.
Ms O’Neil said the government needed to lead by example and criticised the former government’s reliance on voluntary measures which had failed to drive a significant uptick in basic cybersecurity.
She added government could do more to support an innovative sovereign cybersecurity ecosystem through procurement, and strike the right balance on incentives and regulation.
“What success may look like is where, although every single one of us can and should be part of the solution to harden our digital lives to cyber threats, the core responsibility for managing cyber risks rests with those who have the scale and reach to achieve it.”
The transfer of cyber burdens to those best place to carry them – government, large corporates and technology organisations – is one of the key tenets of the US cyber strategy revealed earlier this year.
Resilience will be built in the corporate sector in Australia with a national cyber exercise series for companies covered by critical infrastructure laws.
Meanwhile, consequence management has emerged as a key theme in the strategy development to ensure Australia can “bounce back” from incidents, Ms O’Neil said.
Potential actions include the new national digital identity scheme and a reduction in the need to collect data. The government has also moved to better coordinate its cyber capabilities with a new Coordinator for Cyber Security.
On “fighting back”, the government has turned offensive, launching a ‘Hack the Hackers’ campaign to proactively target ransomware operations and deter the gangs from targeting Australia.
The changing environment also presents an opportunity to grow the local cyber sector and build sovereign capabilities, Ms O’Neil said. She pointed to the $15 billion industry development fund, a world-class research and education system and Australia’s leadership position in certain areas of cyber.
“We’ve come a long way as a nation in less than a year,” Ms O’Neil said.
“If this is what we can do in a year, think about where we could be in five years. There is a real chance for Australia to be a leader when it comes to cyber security and the jobs, industries and growth that comes from that.”
Do you know more? Contact James Riley via Email.
There’s jobs, industries and growth that come from – making everyone afraid, telling them the risk is massive, you’re throwing their money at it while it gets massiver, and that you are keeping everyone “safe” while telling them they are never safe (don’t mind the cognitive dissonance). If only we can find all the things to be afraid of we won’t need to be afraid. But wait – there’s always more, there’s always new, there’s always extra, there’s always another. Clare can tell us the next thing to be afraid of. What’s it this month Clare? Hackers, ransomware, gangs, cyber threats, cyber risks, threat “landscapes, scale and intensity”? Come on. You can do better than that. Make me really really scared … I want to be Sovereign Scared …. (your personal data equals national security and the Australian Barcode is essential – get it? me neither)