Canberra doubles down on cybersecurity

Government agencies should anticipate a renewed focus on cybersecurity policy and scrutiny of their security practices in the wake of the newly launched federal Cyber Security Strategy (CSS), which has taken the reins of Australia’s government-security complex with a five-pronged strategy designed to guide both public and private development through 2020.

The culmination of 18 months of consultation with industry, government and academia, the CSS (read it here) had become particularly highly anticipated after Prime Minister Malcolm Turnbull sent an early draft back to its authors late in 2015, reportedly because he felt it lacked teeth and funding.

The new policy — which Turnbull has backed with a 33-point, $230m funding commitment in addition to $400m for cybersecurity initiatives previously outlined in the 2016 Defence White Paper — draws on many themes common to its predecessor, a previous cybersecurity strategy authored in 2009. That policy was aligned around seven strategic priorities including threat awareness and response, cultural change, business-government partnerships, government systems, international engagement, legal and law enforcement, and knowledge, skills and innovation.

Key CSS themes include a national cyber partnership between government, researchers and business; strong cyber defences to better detect, deter and respond to threats; global responsibility and influence to advocate for a “secure, open and free internet” while proactively taking on cybercriminals on their own turf; a growth and innovation policy built around helping Australian security industry businesses develop new business models and markets; and education from school through university to develop a new generation of cybersecurity professionals.

The structure of the policy promises to dramatically change the preparedness of Australian government agencies to deal with a broad range of cybersecurity threats, Robert Parker, Asia-Pacific head of security solutions with Verizon Enterprise Solutions, told GTR.

“In the past the preparedness of a country and its military readiness were measured by how many warships and active personnel it had,” Parker said.

“In the digital world, preparedness for the digital economy is now a big consideration for businesses as well as consumers. The level of preparedness to respond and react at a national level is a key component in the new digital economy. Turnbull has taken a very mature approach to the release of the cyber strategy that positions Australia well in the future.”

Although the climate of investment championed by the CSS will take many forms, the most immediately relevant element of the policy for government agencies relates to the policy’s commitment to strengthen Australia’s networks and systems.

Specific initiatives include the establishment of a layered, nationwide ecosystem for sharing cybersecurity threat information in real life and online; a public-private collaboration to co-design voluntary Cyber Security Guidelines; an update to the Australian Signals Directorate’s Strategies to Mitigate Targeted Cyber Intrusions; and guidance for government agencies to manage supply chain security risks for ICT equipment and services.

With these themes now being actively promoted throughout the government, agencies will need to get more proactive about their cybersecurity planning as well as engaging with other departments to share information about threats and strategies for dealing with them.

“To better detect, deter and respond to malicious cyber activities, cyber threat information should be shared in real time between and within Australia’s public and private sectors,” the policy states. “Both have unique information to contribute to the threat picture. It is only by combining our knowledge that we can comprehensively understand cybersecurity threats to Australia and how to counter them.”

The support of key industry bodies suggests that the government policy has addressed enough key areas to unify the Australian industry around its overall direction. Garry Barnes, an Australian who is currently serving as international vice president with global security industry body ISACA, helped author one of the 190 submissions lodged to the investigatory commission and was broadly positive about the CSS as outlined in the final policy.

“The five pillars reflect similar strategies that we’re seeing elsewhere,” he told GTR. “ISACA has supported where the Australian government is headed with this strategy, and we are quite confident that it will mix and change over time.”

Telecommunications industry body Communications Alliance CEO John Stanton welcomed the strategy as being “responsive to industry’s call for better access, better coordination and less duplication of responsibility in the Australian cybersphere,” noting with pleasure the appointment of security industry stalwart Alastair MacGibbon as the PM’s special advisor on cybersecurity.

Sam Ghebranious, ANZ regional director with security firm CyberArk, said it was about time the policy lit a fire under government agencies that too often “have simply failed when it comes to the basics of passing Security 101, including patching servers, implementing regular system updates and tightening controls around privileged accounts and administrator credentials.

“To be successful at warding off future cyber attacks,” he said, “Australian government departments and agencies need to design their security strategies from the inside out, taking the view that attackers may have already found their way into the IT infrastructure By taking this proactive, inside-out approach, departments and agencies can be more confident about mitigating the risk of a devastating breach that could potentially bring everyday operations to a grinding halt.”

John Stewart, Cisco Systems senior vice president and chief security and trust officer, one of five experts chosen by the PM’s department to consult on the development of the CSS, helped author the company’s official response and noted the policy’s importance in the context of the government’s extensive push towards digital transformation.

“Digitisation continues to be a driver of Australia’s economic transition,” he said, “causing industry and government leaders to focus on managing risk, creating opportunities to differentiate, cultivating an IT service base that is globally competitive and building trust. Cybersecurity can be that differentiator and business advantage.”

Image courtesy Eduardo M.C. under CC