Prime Minister Scott Morrison revealed last month Australia is actively being attacked by hostile foreign governments.
An advisory note posted on the government’s Australian Cyber Security Centre website said the attackers were targeting various vulnerable networks and systems, potentially trying to damage or disable them.
Governments – along with individuals and the private sector – have an important role in addressing cyber risks that threaten our national security. At some point this year, the federal government’s new cybersecurity strategy is set to be announced.
Many in the industry hope it will be comprehensive and backed by significantly more investment than the previous one, to address what is a growing threat. Currently, a cybercrime incident is reported every ten minutes in Australia.
However, due to the unexpected budget impacts of the coronavirus pandemic, there may simply not be enough money to invest in the programs we need to stay protected from large-scale cyberattacks.
An underwhelming delivery
We know governments test each other’s cyber defences in the interest of their own national security.
Information warfare (such as through disinformation campaigns) between governments has taken place for many years.
Last year, US Attorney General William Barr testified before a senate judiciary committee hearing on the investigation into Russia’s meddling with the 2016 presidential election. The disinformation campaign was one of the most notable large-scale information warfare attempts of recent years. Clodagh Kilcoyne/Reuters
In 2016, then prime minister Malcolm Turnbull released Australia’s first cybersecurity strategy. It involved investments of more than A$230m across four years for five “themes of action” including including stronger cyber defences, and growth and innovation in the sector.
The strategy envisioned making Australia a “cyber smart nation”, by ensuring we had the skills and knowledge needed to thrive in the digital age, while staying cyber safe.
But overall, the strategy was poorly implemented.
For instance, improving cybersecurity requires close collaboration between government, industry, academia and community. To this end, Joint Cyber Security Centres were announced so various parties could share knowledge.
However, prior to COVID-19, plans were in motion to align these centres with the Australian Signals Directorate’s higher security classification. This would hinder a collaborative environment by restricting movement within, and access to, the centres.
Moreover, only 32% of cybersecurity professionals have visited a centre, highlighting the government’s failure to engage with the sector.
Four years on from the initial strategy’s release, the “smart nation” vision seems lost. The cybersecurity sector faces skills shortages, and the public and businesses remain largely unaware of how to protect themselves.
It’s clear a cybersecurity reset is required.
Then Minister for Defence Christopher Pyne at the official 2018 opening of Adelaide’s Joint Cyber Security Centre. Sam Wundke/AAP
We need a targeted, forward-thinking strategy
The release of the Morrison government’s new strategy has been delayed due to COVID-19, but we have some idea of what to expect.
The government has announced it will redirect existing defence funding to the Australian Signals Directorate (ASD) and Australian Cyber Security Centre (ACSC) to employ up to 500 additional staff to tackle cybercrime.
But how this will work in a market with skills shortages is unclear.
Also, redirecting existing funding into cybersecurity is positive, but it is only one part of the solution. What’s missing from the conversation is strategic, long-term investment.
Former Prime Minister Malcolm Turnbull at the August 2018 opening of the Australian Cyber Security Centre in Canberra. MICK TSIKAS/AAP
A holistic, interdisciplinary approach
Effective cybersecurity is about more than technology – it’s about people (from a range of backgrounds), user behaviour, business processes, problem solving capability, regulations, industry standards and policy.
Drawing on these views, and my own expertise, here are five elements I believe the upcoming strategy should contain:
1. Educate to drive behavioural change
The “Slip, slop, slap” health awareness campaign was one of the most successful we’ve ever had.
It drove real social behavioural change in Australia. A similar change is required to help make Australians more knowledgeable about cybersecurity issues, and how technology can be exploited.
This isn’t a quick fix, and will likely be a long-term effort.
2. Build resilience in critical infrastructure
COVID-19 has demonstrated how easily societies can be disrupted, particularly key supply chains and systems.
We need improved processes, regulation and standards to ensure the infrastructure we rely on is cyber-resilient. When breaches occur, organisations must be prepared to resolve them and restore services.
Banks are a good example, as they rely on thousands of suppliers. On this front, the Australian Prudential Regulation Authority last year introduced a prudential standard called CPS234, aimed at improving resilience against information security incidents (including cyberattacks).
3. Help small businesses
More grants and tax incentives for small businesses will enable them to access technology and talent to improve their cybersecurity capabilities.
A coordinated approach is needed through all levels of government to raise awareness of the adverse impacts cyberattacks have on businesses. This includes the consequences of customer data and privacy breaches.
It’s also crucial businesses know where to independently seek clear and concise advice when required.
4. Nurture the talent pipeline
It’s easy for businesses to poach existing talent from other organisation rather than hire graduates or interns. To break this cycle, we need improved educational courses focused on the skills employers want.
There should also be incentives for businesses to employ interns and graduates.
5. Cut the bureaucratic red tape
The federal government needs to do more to address Australia’s cybersecurity problem holistically – not just with additional legislation and funding for existing government agencies.
Hierarchies and dealings within the sector are currently overly complex.
Simplification and common sense are required.
Protecting Australians from outside parties intent on exploiting the technology we use isn’t something we can achieve overnight.
The digital cybersecurity strategy to be delivered by the Morrison Government needs to not only be impactful, but also built with future governments in mind. In such volatile times, it has never been more important to protect Australians.