Best of 2020: Govt urged to act to bolster Australia's cyber defence
The government’s Cybersecurity Industry Advisory Panel (IAP) has urged government and industry to collaborate to improve Australia’s cyber defences. The panel’s final report contains 60 recommendations for actions that can be taken, including 25 priority recommendations.
The panel, chaired by Telstra CEO Andy Penn, was convened in November to provide advice from an industry perspective on best practices in cybersecurity and related fields, as well as guidance on emerging cybersecurity trends and threats.
The panel also consisted of Vocus Group Chair Robert Mansfield, Tesla Chair Robyn Denholm, Northrop Grumman Australia CEO Chris Deeble, NBN Co CSO Darren Kane and former US Secretary of Homeland Security Kirstjen Nielsen.
The panel has delivered its recommendations around five key pillars — deterrence, prevention, detection, resilience and investment.
Deterrence is based on the concept that the government should establish clear consequences for those targeting businesses and Australians. One of the key recommendations is that the government more freely attribute attacks by suspected state-sponsored attackers.
Recommendations around prevention are based on the principles that cyber risks should be owned by those best placed to manage them, and that government should be a cybersecurity exemplar.
As part of these efforts, the panel is advising the government to review its definition of critical infrastructure with a view to capturing all essential systems and functions in the public and private sectors. The report suggests that data centres and other digital infrastructure should be added to the list.
Once these critical infrastructure assets are identified, the report recommends government work with industry to protect these critical assets, including by mapping the resilience of critical networks and assessing single points of failure and vulnerabilities.
Meanwhile, all levels of government should be required to meet the same cybersecurity standards as privately owned critical infrastructure providers. The report also recommends government prioritise the decommissioning or hardening of vulnerable legacy systems and accelerate its transition to cloud services.
For detection, the report states there is a clear need for the development of a mechanism between industry and government for real-time sharing of threat information, beginning with critical infrastructure operators. The report also recommends government consider implementing a national scheme similar to Telstra’s Cleaner Pipes DNS filtering initiative.
For resilience, the report urges government to strengthen the incident response and victim support options already in place. Specific activities recommended include conducting regular cybersecurity exercises in partnership with the private sector.
Finally, the investment pillar comprises recommendations including increasing the resources for the Joint Cyber Security Centre (JCSC) program and appointing an industry advisory panel to advise the government on cybersecurity on an ongoing basis, including by preparing an annual progress report on the implementation of the 2020 strategy.
“The panel’s recommendations are designed to create robust and adaptable defences able to evolve as threats evolve and technologies change,” Telstra’s Penn said.
“Acceleration in the digital economy exposes us to a greater risk of cyber threats. We are seeing increased levels of malicious cyber activity, both state based and criminal. Successfully meeting this challenge requires upgrading Australia’s cyber defences to be strong, adaptive and built around a strategic framework that is coordinated, integrated and capable.”
Local cybersecurity experts have generally endorsed the panel’s recommendations. “While it would have been nice to see better industry and sector balance across the panel participants, the recommendations make sense and very few industry professionals would disagree with them,” commented Ian Yip, CEO of cybersecurity strategy company Averto.
But he said the local start-up sector would like to see an acknowledgement that local Australian cybersecurity capabilities and innovation can play a real part in helping solve the overarching problem.
Likewise, the Australian Information Security Association (AISA), while welcoming the report, urged the government to ensure the recommended standing advisory panel represents a wider range of interests.
“We would encourage the government to widen its membership to include peak bodies such as AISA, academia and businesses from other sectors such as health care, retail, utilities (power, water, gas), manufacturing and supply chains,” AISA’s Operations Manager, Megan Spielvogel, said.
Meanwhile, FirstWave Cloud Technology Strategy Director Roger Carvosso said the report is a good framework to address cybercrime, which has emerged as the greatest business threat of the modern era.
“Most small businesses that get financially compromised by cybercrime like phishing and ransomware attacks find it very hard to survive. And, with the financial stress they are under now from this pandemic, it is a double blow,” he said.
“The biggest challenge now for many SMEs is getting rubber on the road as we are now in the worst cybercrime spree the world has seen.”
Macquarie Government Managing Director Aidan Tudehope said some of the most critical areas to address among the recommendations in the report are those focused on improving Australia’s sovereign capabilities and skills in cybersecurity.
“These skills can’t be offshored, particularly when state actors play an ever-increasing role in cybercrime, [but] can help us hold our ground and ultimately win the war on cybercrime,” he said.
Mimecast ANZ Country Manager Nick Lennon said the release of the report is particularly timely in light of the major data breach recently disclosed by WA Health.
“The importance of cybersecurity goes beyond the performance of our national technology infrastructure, into our absolute dependence on critical infrastructure, businesses keeping their doors open and the livelihood of our citizens,” he said.
“We strongly agree with the IAP’s ‘Deterrence’ pillar, which calls for the establishment of clear consequences for those targeting businesses and Australians, [as well as the] ‘Prevention’ pillar, which calls for Australians to be supported with advice on how to practice safe behaviours at home and work.”
Verizon Business Group Regional VP Robert La Busque added that the company is particularly pleased with the recommendations in the report around greater collaboration between industry and government, including the proposed adoption of real-time threat sharing.
“The lack of a common-language structured framework for data breach reporting, in addition to tactical engagements with the wider industry, has often been an Achilles heel for the cybersecurity community,” he said.
“As such, greater threat intelligence and a closer working partnership across all sectors will allow for better situational awareness, and fewer shortcuts and assumptions in terms of compliance and understanding the threat landscape, and enable all organisations to better measure and manage security risk.”
CyberArk ANZ Regional Director Thomas Fikentscher underscored the fact that now is the time for both government and industry to invest in strengthening Australia’s cybersecurity defences.
“No matter what the future holds, the actions taken by government and organisations today will inform what our collective tomorrow looks like, especially as we become increasingly reliant on the digital economy,” he said.
Finally, BlackBerry Spark ANZ Managing Director Jason Duerden added that when implementing the strategy it will be important for the government to be willing to more rapidly adopt new approaches to cyber risk management.
“The reality is that the cybersecurity landscape can evolve exponentially in a period of six months. Confining agencies to a list of checkbox compliance items is also a huge challenge in effectively addressing cyber risk,” he said.
This article was first published on 28 July 2020