The federal government should take the lead to fund a Clean Pipes cyber security strategy to ensure individuals and SMEs are better protected online, a new report by the Australian Strategic Policy Institute says.
Clean Pipes, an analogy to water utilities providing clean drinking water, is the concept that internet service providers (ISPs) offer better levels of default security to their customers, both individuals and businesses, to compensate for the fact that most don’t have the expertise or resources to do it themselves.
A new report written by Tom Uren, a senior analyst at the Australian Strategic Policy Institute’s International Cyber Policy Centre, said the federal government should implement a Clean Pipes policy, through incentives for ISPs to improve default cyber security, and potential new laws requiring them to do so.
This would mean ISPs would automatically block dangerous sites and share information among themselves. The ASPI report recommended that it be implemented by the federal government as an opt-out scheme for consumers, with the Commonwealth taking a leadership position and providing funding for Clean Pipes.
Currently, Telstra is the only Australian ISP that provides extensive security protections to its customers, Mr Uren said, leaving many individuals and small-to-medium businesses vulnerable to cyberattack and unable to protect themselves.
“The entirety of online Australia is subject to attack, but the sad truth is that only a minority of Australian people and organisations are able to defend themselves. When cyber security is viewed as an economy-wide challenge, there are significant sectors of the economy that do not, and probably never will, have the ability to successfully defend themselves,” Mr Uren wrote.
“Unfortunately, the motivation, capability and resources to provide robust cyber security are not aligned within the Australian internet ecosystem. Currently, too few businesses in Australia are motivated and capable of providing for their own security.”
Because of these vulnerabilities and the inability of many individuals and SMEs to build their own cyber-resilience, there should be a focus on default protections and “invisible” security at the ISP level, the report found.
“The Australian government should drive greatly expanded adoption of Clean Pipes to provide more effective protection across more ISPs – protecting more Australians more effectively. The key advantage of this approach is that it provides advanced scalable protection for the millions of Australians who cannot provide for their own online security,” the report said.
“Without an injection of government funds and leadership, it’s likely that the status quo will continue. Clean Pipes is an idea whose time has come. Everyone involved in delivering services on the internet needs to accept an obligation to protect their users.”
Such a Clean Pipes policy should be included in the upcoming 2020 Cyber Security Strategy, the ASPI report recommended, and the federal government does appear to be set to implement a version of the scheme.
Late last month Prime Minister Scott Morrison announced a funding commitment to “prevent malicious cyber activity from ever reaching millions of Australians across the country by blocking known malicious websites and computer viruses at speed”.
The government’s Industry Advisory Panel also recommended that the government should “empower industry to automatically block a greater proportion of known cyber security threats in real-time including initiatives such as ‘cleaner pipes’”.
The policy will also likely be supported by the Opposition, with the shadow assistant minister for cyber security saying it is an example of the “active cyber defence” advocated for by Labor in a recent cyber security discussion paper.
Such a policy would mark a significant switch from the current “hands off” approach, where the onus for cyber security generally falls on individual people or businesses.
The scheme should include a clear focus on threat filtering, exclusively based on cyber security threats, the report found, and should be transparent and opt-out.
To assist, the federal government should facilitate technical workshops for ISPs, provide incentives for them to implement improved default security, conduct closed door consultations with the companies, require the ISPs to produce transparent reports and more comprehensively quantify the overall cost of cybercrime, Mr Uren wrote.
The ISPs should also work with the government to centralise and expand on the existing industry-wide efforts in collaboration, intelligence sharing and coordinated action, Mr Uren said.
The ISPs are well placed to implement these risk-mitigation strategies, the report found, with many already having the capabilities and legal ability to do so.
“Our ISPs are well placed to implement similar initiatives that improve the security of millions of Australians without their needing to be cyber security experts. So this is not a case of building an entirely new system to protect Australians,” the report said.
“Until now there’s been no widespread belief – among either ISPs or their customers – that providing enhanced default security to customers was an ISP’s job, and nor has any obligation or regulation been imposed by government. In the absence of any expectation or obligation, the investments needed to provide a more secure service haven’t been made.”