Cyber-attack prevention is better than a cure

Among spiralling cost of living pressures, and the threat of kinetic warfare in our region, millions of us have already been impacted by a silent and insidious form of attack: cyber.

The unwavering onslaught to our personal privacy and information is unprecedented in its ferocity. With attacks on government agencies and businesses that we use every day, those that would do us harm know that data and online access is at the heart of our economic ecosystems.

According to the Australian Signals Directorate, on average, one cybercrime is reported every six minutes — with ransomware and breaches causing billions of dollars worth of damage to our economy every year. In recent months, we have witnessed severe disruptions to our national economy and significant risk posed to our privacy through cyber attacks. We’ve heard of the high-profile attacks like DP World, Optus, Medibank and Telstra — yet hundreds go unreported.

Rogue nations, groups and individuals are intent on testing Australia’s defence capabilities, to cause widespread disruption, chaos and economic devastation. Our critical infrastructure is constantly being probed, and so are we: every Australian is in the scope of hackers, both directly and through disruptions to the services we rely on.

As threats become increasingly sophisticated it is no longer adequate to just patch software, buy off-the-shelf detection software and switch on two-factor authentication — we’re under attack, and an urgent uplift to our security infrastructure and standards are needed. A vulnerability to one is often a risk to us all. Government and industry leaders must urgently elevate our organisations’ cybersecurity postures to protect every Australian. Our organisations must lead in the requirement to adopt zero trust architecture if we are to become one of the world’s leading cyber countries by 2030.

The consequences if we lag are dire: businesses will stumble and often fold, trust in government institutions will deteriorate, our personal security and wellbeing will be affected and our society will be compromised. The economic impact from cybercrime is expected to increase almost 300% to US$23.8 trillion by 2027 representing about 28% of global GDP, which is a direct loss of wealth, services and investment for important projects.

There are significant economic advantages that may stem from our AUKUS agreement with the United Kingdom and United States. As a key enabler for our defence capabilities, Australia is preparing for an unprecedented sharing of technologies and knowledge between allied nations. For this to be a success, any transfer must be shielded by a high level of trust and confidence that Australians will be good custodians of this sensitive information.

While we are firming up our standards across critical infrastructure like electricity, water and telecommunications, we cannot shy away from the need to adopt higher standards across other recognised vulnerabilities, such as Defence’s supply chain partners — often made up of small businesses that lack the resources to protect themselves.

However, more broadly, who is looking out for the millions of Australians who are currently exposed?

Given what is at stake, the actions by government and large industry have been unable to stem the tide. Primarily focusing on detection and remediation initiatives that are designed to react rather than defend are proving to be inadequate.

Equally, changing habits and behaviours through education programs is worthwhile, but governments cannot outsource the problem to those that lack the knowledge and resources to solve the growing issue.

A belief that it is OK to compromise security for perceived convenience is counterintuitive. There are few things more inconvenient than having to rebuild a person’s identity or try to run a hospital or airport without the systems on which we now depend. Governments must invest resources to roll out defence-grade preventive mechanisms and build the cybersecurity infrastructures that underpin zero trust networks. Indeed, it is widely accepted that identity-centric security is the bedrock to zero trust architecture.

It is important to acknowledge the release of the Australian Government’s Cyber Strategy and efforts to uplift critical infrastructure standards, as well as to progress the coordination of a country-wide digital identity framework. I also welcome the ambitious target to embed a zero trust culture across the Australian Public Service to become a global cyber leader by 2030.

It is also intended to achieve a consistency in cybersecurity standards across government, industry and jurisdictions. I commend the Australian Government for taking the initial steps to strengthen legislation and mandate the reporting of incidents. The Strategy provides much needed focus on weaknesses, especially educating businesses on the inherent risks.

However, to achieve the zero trust outcome, urgency is required on implementing measures that deliver non-repudiable identity verification online for everyone and greater focus on standards to protect remote access and privileged access management.

Simple actions now can lead to significant and enduring benefits across Australian communities, such as:

• Setting and policing rigorous cybersecurity standards across government and the private sector, and making these standards a prerequisite for doing business with government.
• Establishing a robust baseline for cybersecurity infrastructure that the whole country must comply with.
• Re-focusing government grants and investments to incubation programs within government agencies that focus on sovereign solutions to provide an overall uplift to Australian capability.
   

I applaud the Albanese government’s ambitious plan to boost domestic manufacturing and progress to a ‘Future Made in Australia’. The immediate priority must be building sovereign capabilities that reinforce our national security including cyber-attack prevention. Preference must be given to innovative solutions made locally through pilot programs and meaningful contracts. This is a model that has worked with tangible results in countries such as Estonia, France, the United Kingdom and the United States.

It’s clear that the government agencies tasked with protecting us are challenged by the increasingly sophisticated threat environment. Adversaries’ attacks are buoyed by AI and the development of quantum technologies and an increasing intent to inflict damage on Australia’s economy and communities, and we’re seeing the rate and sophistication of attacks continue to escalate.

The economics and current trends are irrefutable, so corporate and political decision-makers must carry the responsibility to invest in areas that effectively do a better job of protecting Australians online and our future economic prosperity. Adopting Defence-certified preventive solutions across the country is achievable and affordable. There are Australian owned and manufactured options — and we should use them.

If Australia is to achieve its ambition to be a cybersecurity world leader by 2030, it must move now to implement policy and funding changes that enable local capabilities to foster and transition away from legacy systems with improved confidence in the security of using the cloud and connected networks. Until we do, cybercriminals will continue to view Australia as an attractive target — and why wouldn’t they when it continues to be a low-cost and high-payoff activity? Much smaller nations than Australia have shown us how an efficient and targeted use of resources combined with the political will can deliver effective uplifts to cybersecurity capability and solutions.

Now is the time for our political and industry leaders to step up and use world-leading Australian solutions to achieve everyone’s objective of being more secure online.

Image credit: iStock.com/LeoWolfert