<p>Cyber Security Strategy – The Conversation (article feed, updated 2023-11-22)</p>
<h1>An expert reviews the government’s 7-year plan to boost Australia’s cyber security. Here are the key takeaways</h1>
<p>Published 2023-11-22</p>
<p>After lengthy deliberation, the Australian government has released its <a href="https://www.homeaffairs.gov.au/about-us/our-portfolios/cyber-security/strategy/2023-2030-australian-cyber-security-strategy">2023–2030 Cyber Security Strategy</a>, which aims to make Australia one of the most cyber-secure nations in the world by 2030. It’s a worthy goal, considering Australia was ranked as the fifth-most powerful cyber nation in a <a href="https://www.belfercenter.org/sites/default/files/files/publication/CyberProject_National%20Cyber%20Power%20Index%202022_v3_220922.pdf">2022 report</a> by Harvard University’s Kennedy School. </p>
<p>The strategy outlines a range of ways Australia can protect its people, businesses and organisations into the next decade. Importantly, it has come at a time when the country is reeling from a series of major cyber incidents, including the <a href="https://theconversation.com/a-new-cyber-taskforce-will-supposedly-hack-the-hackers-behind-the-medibank-breach-it-could-put-a-target-on-australias-back-194532">Medibank</a> and <a href="https://theconversation.com/what-does-the-optus-data-breach-mean-for-you-and-how-can-you-protect-yourself-a-step-by-step-guide-191332">Optus</a> data breaches last year, a nationwide Optus blackout earlier this month, and the more recent <a href="https://theconversation.com/major-cyberattack-on-australian-ports-suggests-sabotage-by-a-foreign-state-actor-217530">closure of ports</a> across the country due to a cyber breach. </p>
<h2>Key takeaways</h2>
<p>Among other things, the strategy aims to:</p>
<ul>
<li>protect critical infrastructure</li>
<li>provide businesses and organisations with tools to bolster their cyber resilience, especially against ransomware attacks</li>
<li>ensure businesses secure products and services to protect customers</li>
<li>attract skilled migrants to establish a diverse cyber security workforce</li>
<li>prioritise critical threats from the most sophisticated actors</li>
<li>engage international partners to share threat intelligence and develop new capabilities</li>
<li>expand cyber awareness programs to educate the public.</li>
</ul>
<p>The government has dedicated $586.9 million to achieving these goals, on top of $2.3 billion committed to existing cyber initiatives, including the <a href="https://www.asd.gov.au/about/what-we-do/redspice">REDSPICE program</a> aimed at enhancing the intelligence and cyber capabilities of the Australian Signals Directorate.</p>
<p>The most significant investment of $290.8 million will go towards protecting businesses and citizens. A further $143.6 million will be invested in strengthening critical infrastructure, including major telecommunications infrastructure. </p>
<p>By comparison, $9.4 million will be used to build a cyber threat sharing platform for the health sector, and only $4.8 million will go to establishing consumer standards for smart devices and software.</p>
<p>The strategy will also expand the <a href="https://theconversation.com/australias-national-digital-id-is-here-but-the-governments-not-talking-about-it-130200">Digital ID program</a>, to “reduce the need for people to share sensitive personal information with the government and businesses to access services online” – but details on this were scant.</p>
<h2>Plans to ‘break the ransomware business model’</h2>
<p>The strategy notes ransomware is “one of the most disruptive cyber threats” in the world – and costs Australia’s economy up to $3 billion in damages each year. The government will make a “ransomware playbook” to help businesses respond to and bounce back from cyber extortion. </p>
<p>It will also work with industry to co-design a mandatory no-fault ransomware reporting scheme to encourage reporting of ransomware incidents. We know, based on past experiences with the <a href="https://www.oaic.gov.au/privacy/your-privacy-rights/data-breaches/what-is-a-notifiable-data-breach#">Notifiable Data Breaches</a> scheme, that businesses <a href="https://www.oaic.gov.au/privacy/notifiable-data-breaches/notifiable-data-breaches-publications/notifiable-data-breaches-report-january-to-june-2023">sometimes won’t report</a> breaches for fear of public backlash. A no-liability reporting scheme could change this, and provide important data that will further bolster our defences against ransom attacks. </p>
<p>The strategy also “strongly discourages” making ransom payments. This makes sense, as these payments inevitably fuel the ransomware economy and fund criminals’ future attacks. </p>
<p>Controversially, however, Minister for Cyber Security Clare O’Neil has considered introducing a blanket ban on such payments at some time <a href="https://australiancybersecuritymagazine.com.au/cyber-security-minister-eyes-blanket-ransomware-ban-in-two-years/">in the next few years</a>.</p>
<p>This could have negative impacts. For instance, a business that legally can’t pay a ransom may not be able to recover stolen data, resulting in permanent data and financial loss. Attackers may also release the stolen data online out of spite. We saw this happen after last year’s <a href="https://theconversation.com/what-does-the-optus-data-breach-mean-for-you-and-how-can-you-protect-yourself-a-step-by-step-guide-191332">Optus data breach</a>. </p>
<p>There’s also a risk that announcing an impending ban could make Australia more attractive to criminals in the short term, as they may scramble to carry out as many attacks as possible before payments are made illegal. The impact of this would be lessened if businesses adopt a disciplined approach to regular data backups.</p>
<h2>Smart devices and apps</h2>
<p>Another strategic initiative will involve working with industry to establish a mandatory cyber security standard (in line with international standards) for consumer-grade smart devices sold in Australia.</p>
<p>The government will also introduce a voluntary cyber security labelling scheme for smart devices. Ideally, such a scheme would keep the public informed about the level of security on the many different devices they own. However, given it’s voluntary, it’s hard to say whether it will have a substantial impact. </p>
<p>Another voluntary code of practice will be introduced for app stores and app developers.</p>
<h2>What are the challenges?</h2>
<p>If it’s implemented well, the strategy could result in a substantial decrease in cyber crime, greater safety for the public and a thriving cyber sector. </p>
<p>Currently, businesses and individuals struggle with a lack of cyber awareness and skills. They don’t have the resources, nor the incentive, to invest in cyber security. This strategy could change that. </p>
<p>The greatest challenge is the complexity and diversity of cyber threats, which are constantly evolving. Today’s threats may not have crossed anyone’s mind a few years ago. This inherent unpredictability may render some of the assumptions in the strategy redundant in the coming years.</p>
<p>Then there are inevitable trade-offs that come with competing values such as privacy, security, innovation and regulation. For example, a project that strongly maintains the privacy of consumers may end up sacrificing transparency. Similarly, too much transparency can lead to security risks. </p>
<p>We’ll need to innovate in the cyber security domain to stay ahead of criminals. But as we’ve seen in other areas of the tech sector, innovation that outruns regulation is often more harmful than helpful. Striking the balance is difficult. </p>
<p>Moreover, there’s a noticeable lack of detail in many of the initiatives outlined in the strategy. Because it is a high-level strategic document, this lack of detail could make it difficult to measure its progress and impact.</p>
<p>Success will depend on voluntary action and cooperation from stakeholders, which may not be enough to ensure compliance and accountability from some businesses and individuals.</p>
<p>Any shortcomings could be managed by making the strategy inclusive and consultative. If it caters to the needs of all, it may indeed become a successful seven-year plan.</p>
<p class="fine-print"><em><span>David Tuffley does not work for, consult, own shares in or receive funding from any company or organisation that would benefit from this article, and has disclosed no relevant affiliations beyond their academic appointment.</span></em></p>
<p><em>Australia could become one of the world’s strongest cyber nations – but the success of the new strategy will come down to the details.</em></p>
<p>David Tuffley, Senior Lecturer in Applied Ethics & CyberSecurity, Griffith University. Licensed as Creative Commons – attribution, no derivatives.</p>
<h1>Remote workers are more aware of cybersecurity risks than in-office employees: new study</h1>
<p>Published 2023-09-26</p>
<figure><img src="https://images.theconversation.com/files/549154/original/file-20230919-4851-ll13sr.jpg?ixlib=rb-1.1.0&rect=170%2C51%2C5520%2C3745&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">Remote workers lack the same institutional cyber protection as their in-office colleagues.</span> <span class="attribution"><a class="source" href="https://www.gettyimages.com/detail/photo/mid-adult-woman-holding-mobile-phone-while-using-royalty-free-image/734166095?phrase=remote%20worker%20from%20home">Maskot/Getty Images</a></span></figcaption></figure>
<p>Workers who telecommute tend to be more aware of cybersecurity threats than those who spend most of their time in a physical office and are more likely to take action to ward them off, according to <a href="https://doi.org/10.1016/j.cose.2023.103266">our new peer-reviewed study</a>. </p>
<p>Our findings are based on <a href="https://www.mturk.com/">Amazon Mechanical Turk</a> survey data collected from 203 participants who recently switched to full-time remote work, as well as from 147 in-office workers, across multiple organizations within the United States. We didn’t collect data on hybrid workers. </p>
<p>We asked employees the same series of questions about their work arrangements as well as their understanding of <a href="https://www.cisa.gov/topics/cyber-threats-and-advisories">cybersecurity threats</a>, and the actions they’ve taken to defend against them. </p>
<p>To account for other factors likely to influence how an employee responds to perceived cybersecurity threats and risks, we controlled for key participant characteristics and various factors, including age, gender, industry type, company size, job position and the duration of remote work. In addition, we tried to ensure the robustness of our data by conferring with other experts and using various statistical techniques.</p>
<p>We found that remote workers, on average, were more mindful of cybersecurity threats and could better recognize safe cybersecurity practices and protection measures compared with office-based employees. Similarly, our data showed that remote workers were more likely to take cybersecurity precautionary measures than their in-office counterparts. </p>
<p>Why might this be the case?</p>
<p>When employees work from the office, they generally expect their organization to provide and deploy security countermeasures to deal with cyber threats and risks. As a result, in-office workers may become complacent about cybersecurity awareness. This could account for in-office workers taking fewer steps to shore up their cybersecurity.</p>
<p>In contrast, the lack of an institutional cybersecurity framework forces remote workers to become more mindful of the risks they may be exposed to. </p>
<h2>Why it matters</h2>
<p><a href="https://theconversation.com/what-are-passkeys-a-cybersecurity-researcher-explains-how-you-can-use-your-phone-to-make-passwords-a-thing-of-the-past-196643">Employees are the first line</a> of defense against cybersecurity attacks, which <a href="https://www.crowdstrike.com/cybersecurity-101/attack-surface/">have been on the rise</a>. Cyber attacks around the world <a href="https://www.securitymagazine.com/articles/98810-global-cyberattacks-increased-38-in-2022#:%7E:text=New%20data%20on%20cyberattack%20trends,according%20to%20Check%20Point%20Research.">increased 38% in 2022</a>, according to Check Point Research, which provides cyber threat intelligence. </p>
<p>And <a href="https://www.shrm.org/hr-today/news/all-things-work/pages/the-weakest-link-in-cybersecurity.aspx">one of the main ways hackers manage</a> to worm their way into corporate computer networks is via employees – <a href="https://theconversation.com/you-know-how-to-identify-phishing-emails-a-cybersecurity-researcher-explains-how-to-trust-your-instincts-to-foil-the-attacks-169804">for example, with a phishing email</a>. </p>
<p>During the early days of the COVID-19 pandemic when much of the workforce was sent home due to lockdowns, <a href="https://www.peoplemanagement.co.uk/article/1743115/half-of-firms-worried-remote-working-has-increased-cybersecurity-threat-poll-finds">cybersecurity was a big concern</a>. In cybersecurity jargon, it increased the “<a href="https://www.crowdstrike.com/cybersecurity-101/attack-surface">attack surface</a>,” or the sum of all ways an organization’s network is exposed to potential security risks. <a href="https://zipdo.co/statistics/remote-work-cybersecurity/#:%7E:text=70%25%20of%20employers%20consider%20cybersecurity,the%20adoption%20of%20remote%20work.">Companies worried</a> whether employees working remotely would take cybersecurity seriously. </p>
<p>With remote work becoming increasingly the norm for many companies, our research suggests that this risk isn’t as great as once feared. </p>
<figure>
<iframe width="440" height="260" src="https://www.youtube.com/embed/YFRK_sImKkQ?wmode=transparent&start=1037" frameborder="0" allowfullscreen=""></iframe>
<figcaption><span class="caption">Cybersecurity training video for workers.</span></figcaption>
</figure>
<h2>What still isn’t known</h2>
<p>We still need to determine whether heightened cybersecurity awareness and precautionary behavior among remote workers will diminish over time. Research suggests that cybersecurity awareness acquired through training and knowledge programs <a href="https://www.usenix.org/system/files/soups2020-reinheimer_0.pdf">tends to dissipate over time</a>. </p>
<p>As remote working arrangements become more mainstream, does security complacency set in for these workers? It is important to know how long the increased cybersecurity awareness will enable precaution-taking behavior and how remote workers can renew and sustain this vigilance. </p>
<p><em>The <a href="https://theconversation.com/us/topics/research-brief-83231">Research Brief</a> is a short take on interesting academic work.</em></p>
<p class="fine-print"><em><span>The authors do not work for, consult, own shares in or receive funding from any company or organization that would benefit from this article, and have disclosed no relevant affiliations beyond their academic appointment.</span></em></p>
<p><em>A survey of remote and office workers found that people working from home were more likely to take steps to protect themselves against cybersecurity threats.</em></p>
<p>Joseph K. Nwankpa, Associate Professor of Information Systems & Analytics, Miami University; Pratim Milton Datta, Professor of Information Systems & Cybersecurity, Kent State University. Licensed as Creative Commons – attribution, no derivatives.</p>
<h1>Our cybersecurity isn’t just under attack from foreign states. There are holes in the government’s approach</h1>
<p>Published 2020-07-14</p>
<p>Prime Minister Scott Morrison revealed last month Australia is <a href="https://theconversation.com/australia-is-under-sustained-cyber-attack-warns-the-government-whats-going-on-and-what-should-businesses-do-141119">actively being attacked</a> by hostile foreign governments. </p>
<p>An <a href="https://www.cyber.gov.au/acsc/view-all-content/advisories/advisory-2020-008-copy-paste-compromises-tactics-techniques-and-procedures-used-target-multiple-australian-networks">advisory note</a> posted on the government’s Australian Cyber Security Centre website said the attackers were targeting various vulnerable networks and systems, potentially trying to damage or disable them. </p>
<p>Governments – along with individuals and the private sector – have an important role in addressing cyber risks that threaten our national security. At some point this year, the federal government’s new cybersecurity strategy is set to be announced. </p>
<p>Many in the industry hope it will be comprehensive and backed by significantly more investment than the previous one, to address what is a growing threat. Currently, a cybercrime incident is reported every <a href="https://www.cyber.gov.au/sites/default/files/2019-12/Cybercrime%20in%20Australia%20%E2%80%93%20July%20to%20September%202019%20%28December%202019%29.pdf">ten minutes</a> in Australia. </p>
<p>However, due to the unexpected <a href="https://joshfrydenberg.com.au/latest-news/ministerial-statement-on-the-economy-parliament-house-canberra-12-may-2020/">budget impacts of the coronavirus pandemic</a>, there may simply not be enough money to invest in the programs we need to stay protected from large-scale cyberattacks.</p>
<h2>An underwhelming delivery</h2>
<p>We know governments <a href="https://www.theatlantic.com/ideas/archive/2018/07/the-us-has-a-long-history-of-election-meddling/565538/">test each other’s cyber defences</a> in the interest of their own national security. </p>
<p><a href="https://www.aljazeera.com/news/2020/04/senate-panel-confirms-russian-interference-2016-election-200421162844869.html">Information warfare</a> (such as through disinformation campaigns) between governments has taken place for many years.</p>
<p>In 2016, then prime minister Malcolm Turnbull released Australia’s first <a href="https://www.industry.gov.au/data-and-publications/australias-tech-future/cyber-security/what-is-the-government-doing-in-cyber-security">cybersecurity strategy</a>. It involved investments of more than A$230m across four years for five “themes of action”, including stronger cyber defences, and growth and innovation in the sector.</p>
<p>The strategy envisioned making Australia a “cyber smart nation”, by ensuring we had the skills and knowledge needed to thrive in the digital age, while staying cyber safe. </p>
<p>But overall, the strategy was poorly implemented. </p>
<p>For instance, improving cybersecurity requires close collaboration between government, industry, academia and community. To this end, <a href="https://www.cyber.gov.au/acsc/view-all-content/programs/joint-cyber-security-centres">Joint Cyber Security Centres</a> were announced so various parties could share knowledge. </p>
<p>However, prior to COVID-19, plans were in motion to align these centres with the Australian Signals Directorate’s higher security classification. This would hinder a collaborative environment by restricting movement within, and access to, the centres.</p>
<p>Moreover, only <a href="https://www.aisa.org.au/common/Uploaded%20files/PDF/Submissions/AISA%202020%20Cyber%20Security%20Strategy%20Final%20update%202.pdf">32% of cybersecurity professionals</a> have visited a centre, highlighting the government’s failure to engage with the sector. </p>
<p>Four years on from the initial strategy’s release, the “smart nation” vision seems lost. The cybersecurity sector faces <a href="https://www.austcyber.com/resources/sector-competitiveness-plan/chapter3#:%7E:text=The%20first%20Sector%20Competitiveness%20Plan,%2Das%2Dusual%20demand">skills shortages</a>, and the public and businesses remain largely unaware of how to <a href="https://theconversation.com/2-5-billion-lost-over-a-decade-nigerian-princes-lose-their-sheen-but-scams-are-on-the-rise-141289">protect themselves</a>. </p>
<p>It’s clear a cybersecurity reset is required. </p>
<h2>We need a targeted, forward-thinking strategy</h2>
<p>The release of the Morrison government’s new strategy has been delayed due to COVID-19, but we have some idea of what to expect. </p>
<p>The government <a href="https://www.abc.net.au/news/2020-06-29/cyber-security-investment-link-attacks-scott-morrison/12404468">has announced</a> it will redirect existing defence funding to the Australian Signals Directorate (ASD) and Australian Cyber Security Centre (ACSC) to employ up to 500 additional staff to tackle cybercrime.</p>
<p>But how this will work in a market with skills shortages is unclear. </p>
<p>Also, redirecting existing funding into cybersecurity is positive, but it is only one part of the solution. What’s missing from the conversation is strategic, long-term investment.</p>
<h2>A holistic, interdisciplinary approach</h2>
<p>Effective cybersecurity is about more than technology – it’s about people (from a range of backgrounds), user behaviour, business processes, problem solving capability, regulations, industry <a href="https://www.homeaffairs.gov.au/reports-and-pubs/files/cyber-strategy-2020/submission-90.pdf">standards</a> and policy.</p>
<p>I’ve read <a href="https://www.homeaffairs.gov.au/reports-and-publications/submissions-and-discussion-papers/cyber-security-strategy-2020">156</a> submissions to the upcoming cybersecurity strategy, which was open to <a href="https://www.homeaffairs.gov.au/reports-and-pubs/files/cyber-security-strategy-2020-discussion-paper.pdf">public comment</a>. I also have knowledge of confidential submissions not made public. </p>
<p>Drawing on these views, and my own expertise, here are five elements I believe the upcoming strategy should contain:</p>
<hr>
<h2>1. Educate to drive behavioural change</h2>
<p>The “Slip, slop, slap” <a href="https://www.sunsmart.com.au/downloads/about-sunsmart/sunsmart-20-years-on.pdf">health awareness campaign</a> was one of the most successful we’ve ever had. </p>
<p>It drove real <strong>social behavioural change</strong> in Australia. A similar change is required to help make Australians <a href="https://www.homeaffairs.gov.au/reports-and-pubs/files/cyber-strategy-2020/submission-182.pdf">more knowledgeable</a> about cybersecurity issues, and how technology can be exploited. </p>
<p>This isn’t a quick fix, and will likely be a long-term effort.</p>
<h2>2. Build resilience in critical infrastructure</h2>
<p>COVID-19 has demonstrated how easily societies can be disrupted, particularly key supply chains and systems. </p>
<p>We need <strong>improved processes, regulation and standards</strong> to ensure the <a href="https://www.homeaffairs.gov.au/reports-and-pubs/files/cyber-strategy-2020/submission-26.pdf">infrastructure</a> <a href="https://www.homeaffairs.gov.au/reports-and-pubs/files/cyber-strategy-2020/submission-191.pdf">we rely on</a> is cyber-resilient. When breaches occur, organisations must be prepared to resolve them and restore services. </p>
<p>Banks are a good example, as they rely on thousands of suppliers. On this front, the Australian Prudential Regulation Authority last year introduced a prudential standard called <a href="https://www.apra.gov.au/sites/default/files/cps_234_july_2019_for_public_release.pdf">CPS234</a>, aimed at improving resilience against information security incidents (including cyberattacks).</p>
<h2>3. Help small businesses</h2>
<p>More <strong>grants and tax incentives</strong> for <a href="https://www.homeaffairs.gov.au/reports-and-pubs/files/cyber-strategy-2020/submission-121.pdf">small businesses</a> will enable them to access technology and talent to improve their cybersecurity capabilities. </p>
<p>A coordinated approach is needed through all levels of government to raise awareness of the adverse impacts cyberattacks have on businesses. This includes the consequences of customer data and privacy breaches. </p>
<p>It’s also crucial businesses know where to independently seek <strong>clear and concise advice</strong> when required. </p>
<h2>4. Nurture the talent pipeline</h2>
<p>Almost every day I hear about the industry’s cybersecurity <a href="https://www.homeaffairs.gov.au/reports-and-pubs/files/cyber-strategy-2020/submission-182.pdf">skills</a> <a href="https://www.aisa.org.au/Public/Training_Pages/Research/AISA%20Cyber%20security%20skills%20shortage%20research.aspx?New_ContentCollectionOrganizerCommon=2">shortage</a>. I also hear from students how tough it can be to get a job in cybersecurity, even with any number of <a href="https://i.redd.it/yo33xlys53141.png">certifications</a>.</p>
<p>It’s easy for businesses to poach existing talent from other organisations rather than hire graduates or interns. To break this cycle, we need <strong>improved educational courses</strong> focused on the skills employers want. </p>
<p>There should also be incentives for businesses to employ interns and graduates.</p>
<h2>5. Cut the bureaucratic red tape</h2>
<p>The federal government needs to do more to address Australia’s cybersecurity problem holistically – not just with additional legislation and funding for existing government agencies. </p>
<p>Hierarchies and dealings within the sector are currently <a href="https://www.patrickfair.com/australian-cyber-infrastructure-cha">overly complex</a>. </p>
<p><strong>Simplification</strong> and common sense are required. </p>
<hr>
<p>Protecting Australians from outside parties intent on exploiting the technology we use isn’t something we can achieve overnight. </p>
<p>The digital cybersecurity strategy to be delivered by the Morrison government needs to not only be impactful, but also built with future governments in mind. In such volatile times, it has never been more important to protect Australians.</p>
<p class="fine-print"><em><span>Damien Manuel is affiliated with AISA (Australian Information Security Association) as the chair, Oceania Cyber Security Centre (OCSC) as a director (representing Deakin University), mentor for CyRise founders (representing Deakin University), CompTIA as an exam writer and on the CompTIA Executive Advisory Committee in the USA and as an expert on the Standards Australia Committee for Information Security (IT-012).</span></em></p>
<p><em>Legislation expected to be put to Parliament later this year may very well fall short due to COVID-19’s budget impacts. But until we strengthen our cyber defences, we’re all at risk.</em></p>
<p>Damien Manuel, Director, Centre for Cyber Security Research & Innovation (CSRI), Deakin University. Licensed as Creative Commons – attribution, no derivatives.</p>
<h1>Morrison’s $1.3 billion for more ‘cyber spies’ is an incremental response to a radical problem</h1>
<p>Published 2020-06-30</p>
<figure><img src="https://images.theconversation.com/files/344704/original/file-20200630-103677-m78qp.jpg?ixlib=rb-1.1.0&rect=58%2C83%2C5501%2C3600&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="attribution"><span class="source">Mick Tsikas/AAP</span></span></figcaption></figure>
<p>The federal government <a href="https://www.abc.net.au/news/2020-06-29/cyber-security-investment-link-attacks-scott-morrison/12404468">has announced</a> it will spend more than a billion dollars over the next ten years to boost Australia’s cyber defences. </p>
<p>This comes barely a week after <a href="https://www.sbs.com.au/news/all-eyes-on-china-as-it-s-revealed-australia-was-targeted-in-a-sophisticated-cyber-attack">Prime Minister Scott Morrison warned</a> the country was in the grip of a “sophisticated” cyber attack by a “state-based” actor, widely <a href="https://www.abc.net.au/news/2020-06-20/why-australia-acted-on-china-hacking-cyber-attack-scott-morrison/12376700">reported to be China</a>. </p>
<p>The announcement can be seen as a mix of the right stuff and political window dressing – deflecting attention away from Australia’s underlying weaknesses when it comes to cyber security. </p>
<h2>What is the funding for?</h2>
<p>Morrison’s <a href="https://www.pm.gov.au/media/nations-largest-ever-investment-cyber-security">cyber announcement</a> includes a package of measures totalling $1.35 billion over ten years. </p>
<p>This includes funding to disrupt offshore cyber crime, intelligence sharing between government and industry, new research labs and more than 500 “<a href="https://www.smh.com.au/politics/federal/offensive-capability-1-3b-for-new-cyber-spies-to-go-after-hackers-20200629-p557bk.html">cyber spy</a>” jobs.</p>
<p>As Morrison explained:</p>
<blockquote>
<p>This … will mean that we can identify more cyber threats, disrupt more foreign cyber criminals, build more partnerships with industry and government and protect more Australians.</p>
</blockquote>
<p>The key aim is to help the country’s cyber intelligence agency, the Australian Signals Directorate (ASD), to know as soon as possible who is attacking Australia, with what, and how the attack can best be stopped. </p>
<h2>Australia’s cyber deficiencies</h2>
<p>Australia certainly needs to do more to defend itself against cyber attacks. </p>
<p>Intelligence specialists like top public servant Nick Warner have been advocating for more attention for cyber threats <a href="https://www.itnews.com.au/news/spy-chief-intel-gathering-a-challenge-in-infosec-landscape-309224">for years</a>. </p>
<figure class="align-center ">
<img alt="" src="https://images.theconversation.com/files/344707/original/file-20200630-103673-1slvly0.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/344707/original/file-20200630-103673-1slvly0.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=443&fit=crop&dpr=1 600w, https://images.theconversation.com/files/344707/original/file-20200630-103673-1slvly0.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=443&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/344707/original/file-20200630-103673-1slvly0.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=443&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/344707/original/file-20200630-103673-1slvly0.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=557&fit=crop&dpr=1 754w, https://images.theconversation.com/files/344707/original/file-20200630-103673-1slvly0.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=557&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/344707/original/file-20200630-103673-1slvly0.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=557&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px">
<figcaption>
<span class="caption">Concerns about Australia’s cyber defences have been raised for years.</span>
<span class="attribution"><span class="source">www.shutterstock.com</span></span>
</figcaption>
</figure>
<p>The government is also acknowledging publicly that the threats are increasing. </p>
<p>Earlier this month, Morrison held an unusual <a href="https://www.pm.gov.au/media/statement-malicious-cyber-activity-against-australian-networks">press conference to announce</a> that Australia was under cyber attack. </p>
<p>While he did not specify by whom, government statements made plain it was the same malicious actor (a foreign government) using the same tools as an attack reported <a href="https://www.cyber.gov.au/acsc/view-all-content/advisories/advisory-2020-004-remote-code-execution-vulnerability-being-actively-exploited-vulnerable-versions-telerik-ui-sophisticated-actors">in May this year</a>.</p>
<p>Related attacks on Australia using similar <a href="https://theconversation.com/explainer-how-malware-gets-inside-your-apps-79485">malware</a> were also <a href="https://www.cyber.gov.au/acsc/view-all-content/alerts/2019-126-vulnerable-version-telerik-ui-being-actively-exploited-apt-actor">identified</a> in May 2019. </p>
<p>This kind of actor is called an “advanced persistent threat”: a well-resourced group, usually state-backed, that pursues a chosen target over months or years, works to keep its foothold through patching, password resets and rebuilds, and is hard to evict from a network even once defenders know it is there. </p>
<hr>
<p>
<em>
<strong>
Read more:
<a href="https://theconversation.com/australia-is-under-sustained-cyber-attack-warns-the-government-whats-going-on-and-what-should-businesses-do-141119">Australia is under sustained cyber attack, warns the government. What's going on, and what should businesses do?</a>
</strong>
</em>
</p>
<hr>
<p>All countries face enormous difficulties in cyber defence, and Australia is arguably among the top states in cyber security world-wide. Yet after a decade of incremental reforms, the government has been unable to organise all of its own departments to implement more than basic mitigation strategies. </p>
<h2>New jobs in cyber security</h2>
<p>The biggest slice of the $1.35 billion is a “$470 million investment to expand our cyber security workforce”. </p>
<p>This is by any measure an essential underpinning and is to be applauded. </p>
<figure class="align-center ">
<img alt="" src="https://images.theconversation.com/files/344705/original/file-20200630-103640-14x5rt1.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/344705/original/file-20200630-103640-14x5rt1.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=316&fit=crop&dpr=1 600w, https://images.theconversation.com/files/344705/original/file-20200630-103640-14x5rt1.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=316&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/344705/original/file-20200630-103640-14x5rt1.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=316&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/344705/original/file-20200630-103640-14x5rt1.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=398&fit=crop&dpr=1 754w, https://images.theconversation.com/files/344705/original/file-20200630-103640-14x5rt1.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=398&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/344705/original/file-20200630-103640-14x5rt1.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=398&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px">
<figcaption>
<span class="caption">The Morrison government wants to recruit more than 500 new ASD employees.</span>
<span class="attribution"><span class="source">www.shutterstock.com</span></span>
</figcaption>
</figure>
<p>But it is not yet clear how “new” these new jobs are. </p>
<p>The 2016 Defence White Paper announced a ten year workforce expansion of 1,700 jobs in intelligence and cyber security. This included a 900-person joint cyber unit in the Australian Defence Force, <a href="https://www.abc.net.au/news/2017-06-30/cyber-warfare-unit-to-be-launched-by-australian-defence-forces/8665230">announced in 2017</a>. </p>
<p>The newly mooted expansion for ASD will also need to be undertaken gradually. It will be impossible to find hundreds of additional staff with the right skills straight away. </p>
<p>The skills needed cut across many sub-disciplines of cyber operations, and must be fine-tuned across various roles. ASD <a href="https://www.cyber.gov.au/acsc/view-all-content/reports-and-statistics/commonwealth-cyber-security-posture-2019">has identified</a> four career streams (analysis, systems architecture, operations and testing) but these do not reflect the diversity of talents needed.</p>
<p>It’s clear Australian universities do not currently train people at the advanced levels needed by ASD, so advanced on-the-job training is essential. </p>
<h2>Political window dressing</h2>
<p>The government is promoting its announcement as the “nation’s largest ever investment in cyber security”. But the seemingly generous $1.35 billion cyber initiative does not involve new money. </p>
<p>The package is also a pre-announcement of part of the government’s upcoming 2020 Cyber Security Strategy, expected within weeks. </p>
<p>This will update the <a href="https://cybersecuritystrategy.homeaffairs.gov.au">2016 strategy</a> released under former prime minister Malcolm Turnbull and cyber elements of the 2016 Defence White Paper. </p>
<hr>
<p>
<em>
<strong>
Read more:
<a href="https://theconversation.com/australia-is-facing-a-looming-cyber-emergency-and-we-dont-have-the-high-tech-workforce-to-counter-it-124776">Australia is facing a looming cyber emergency, and we don't have the high-tech workforce to counter it</a>
</strong>
</em>
</p>
<hr>
<p>The new cyber strategy has been the subject of country-wide consultations through 2019, but few observers expect significant new funding injections. </p>
<p>The main exceptions which may receive a funding boost compared with 2016 are likely to be in education funding (as opposed to research), and community awareness.</p>
<p>With the release of the new cyber strategy understood to be imminent, it is unclear why the government chose this particular week to make the pre-announcement. It obviously will have kept some big news for the strategy release when it happens. </p>
<figure class="align-center ">
<img alt="" src="https://images.theconversation.com/files/344710/original/file-20200630-103683-zt9vwy.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/344710/original/file-20200630-103683-zt9vwy.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=400&fit=crop&dpr=1 600w, https://images.theconversation.com/files/344710/original/file-20200630-103683-zt9vwy.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=400&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/344710/original/file-20200630-103683-zt9vwy.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=400&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/344710/original/file-20200630-103683-zt9vwy.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=503&fit=crop&dpr=1 754w, https://images.theconversation.com/files/344710/original/file-20200630-103683-zt9vwy.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=503&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/344710/original/file-20200630-103683-zt9vwy.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=503&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px">
<figcaption>
<span class="caption">The federal government is expected to release a new cyber security strategy within weeks.</span>
<span class="attribution"><span class="source">www.shutterstock.com</span></span>
</figcaption>
</figure>
<p>The government’s claim that an additional $135 million per year is the “largest ever investment in cyber security” is true in a sense. But this is the case in many areas of government expenditure. </p>
<p>The government has obviously cut pre-planned expenses in some unrevealed areas of Defence. </p>
<p>Meanwhile, the issues this funding is supposed to address are so complex, that $1.35 billion over ten years can best be seen as an incremental response to a radical threat. </p>
<h2>Australia needs to do much more</h2>
<p>According to authoritative sources, including the federal government-funded AustCyber <a href="https://www.austcyber.com/resource/australias-cyber-security-sector-competitiveness-plan-2019">in 2019</a>, there are a number of underlying deficiencies in Australia’s industrial and economic response to cyber security. </p>
<p>These can only be improved if federal government departments adopt stricter approaches, if state governments follow suit, and if the private sector makes appropriate adjustments.</p>
<p>Above all, the leading players need to shift their planning to better accommodate the organisational and management aspects of cyber security delivery. </p>
<hr>
<p>
<em>
<strong>
Read more:
<a href="https://theconversation.com/australia-is-vulnerable-to-a-catastrophic-cyber-attack-but-the-coalition-has-a-poor-cyber-security-track-record-113470">Australia is vulnerable to a catastrophic cyber attack, but the Coalition has a poor cyber security track record</a>
</strong>
</em>
</p>
<hr>
<p>Yes, we need to up our technical game, but our social response is also essential. </p>
<p>CEOs and departmental secretaries should be legally obliged to attest every year that they have sound cyber security practices and their entire organisations are properly trained.</p>
<p>Without better corporate management, Australia’s cyber defences will remain fragmented and inadequate.</p>
<p class="fine-print"><em><span>Greg Austin does not work for, consult, own shares in or receive funding from any company or organisation that would benefit from this article, and has disclosed no relevant affiliations beyond their academic appointment.</span></em></p>
<p>The Coalition has announced a new package to boost cyber security. But this is not new money and much more needs to be done to ward off cyber threats.</p>
<p>Greg Austin, Professor UNSW Canberra Cyber, UNSW Sydney. Licensed as Creative Commons – attribution, no derivatives.</p>
<p>tag:theconversation.com,2011:article/57719 (2016-04-25T02:22:03Z)</p>
<h2>Australia still doesn’t see a cyber attack as the menace our allies fear</h2>
<p>Though mature and nuanced, the <a href="https://cybersecuritystrategy.dpmc.gov.au/assets/pdfs/dpmc-cyber-strategy.pdf">cyber security strategy</a> delivered by Prime Minister Malcolm Turnbull last week matches neither the spending plan nor the language of our closest cyber allies. </p>
<p>The plan promises to redress important deficiencies in the country’s posture, but apart from mentions of terrorism, it does not openly discuss key sources of malicious activity, such as China and Russia. The strategy does not have a spending plan adequate to address the pace and scale of emerging threats to the digital economy and national security.</p>
<p>The core problem could be that we simply don’t see the menace of cybercrime with the same sense of urgency as our allies do.</p>
<p>In Turnbull’s preface to the strategy, he acknowledges: </p>
<blockquote>
<p>The scale and reach of malicious cyber activity … is unprecedented. The rate of compromise is increasing and the methods used by malicious actors are rapidly evolving.</p>
</blockquote>
<p>The report says Australia needs to prepare for a “significant cyber event”, with the scale of the effect unspecified.</p>
<p>And in 2015, the <a href="https://www.acsc.gov.au/publications/ACSC_Threat_Report_2015.pdf">Australian Cyber Security Centre reported</a> that “Australia has not yet been subjected to any activities that could be considered a cyber attack” (defined as an attack “seriously compromising national security, stability or prosperity”).</p>
<p>We can compare this persistently anodyne Australian script with <a href="https://www.whitehouse.gov/the-press-office/2016/03/29/letter-cyber-enabled-activities-emergency-continuation">the language of President Obama in March this year</a>: </p>
<blockquote>
<p>“Significant malicious cyber-enabled activities” from outside the country continue to pose an unusual and extraordinary threat to the national security, foreign policy, and economy of the United States. </p>
</blockquote>
<p>He made this statement in formally declaring the continuance of a national security emergency in cyberspace that he had declared for the first time one year earlier. This is his admission that the most powerful country on the planet has consistently failed to secure its main cyberspace assets in the face of specific rampaging and escalating threats.</p>
<p>This discrepancy on threat presentation between Australia and the United States could be defended on the grounds that the Australian government has chosen to pursue a more diplomatic style in public, or that it prefers to keep a lower profile on cyber threat issues, while sharing identical perceptions of the threat with key allies.</p>
<p>Yet there are some strong indicators that this is not the case.</p>
<p>One such indicator is the matching discrepancy between the new resources devoted to current and emerging threats by Australia compared with its allies. </p>
<p>In the Turnbull blueprint, the new funding commitment for the civil sector is A$230 million over four years. This compares with a recent <a href="https://www.whitehouse.gov/the-press-office/2016/02/09/fact-sheet-cybersecurity-national-action-plan">US government commitment</a> of A$24 billion (US$19 billion) under an emergency package of new cyber security measures largely for the civil sector just for FY 2017. </p>
<p>The <a href="https://www.gov.uk/government/speeches/chancellors-speech-to-gchq-on-cyber-security">UK has recently announced</a> a supplementary five-year spend of A$3 billion (£1.9 billion) on cyber security measures. On an annualised basis and rough approximation, these two packages are, respectively, 400 times higher and 10 times higher than the newest Australian supplementary commitments (to the extent that they can be compared).</p>
<h2>Measuring success</h2>
<p>The strategy’s eight-page action plan, along with its indicators of success, is ambitious in its scope. Novel measures include joint public-private threat assessment centres in the states and a series of new appointments, including an Assistant Minister, a Special Adviser (both reporting to the PM) and an ambassador for cyber affairs. There are radical commitments to widen the services of the Australian Signals Directorate in the Department of Defence to meet private sector customer needs.</p>
<p>But many of the new commitments are fairly generalised and lack granularity, such as the intent to increase numbers for cyber security graduates, women in the profession, and school kids “in the know”.</p>
<p>In the absence of quantification of such commitments, the good news is the government will report annually on its success.</p>
<p>In one year’s time, we will want to know from the government how many more cyber graduates we have compared with this year. In the medium term, we will need the government to provide some metrics on how many graduates in the field we actually need. We also need to see the baseline statistics for this year.</p>
<p>We might ask the government fairly promptly for some elaboration on just what levers it intends to use, in partnership with universities and the corporate sector, to pursue the cohort goals in cyber security and what sort of money it is prepared to put into it.</p>
<p>Australia has some way to travel before it graduates to a coherent national cyber security strategy fully informed by global realities and funded accordingly.</p>
<p class="fine-print"><em><span>Greg Austin does not work for, consult, own shares in or receive funding from any company or organisation that would benefit from this article, and has disclosed no relevant affiliations beyond their academic appointment.</span></em></p>
<p>Australia has some way to travel before it graduates to a coherent national cyber security strategy.</p>
<p>Greg Austin, Professor, Australian Centre for Cyber Security, UNSW Sydney. Licensed as Creative Commons – attribution, no derivatives.</p>
<p>tag:theconversation.com,2011:article/58206 (2016-04-21T06:41:00Z)</p>
<h2>Individuals not the priority in the Cyber Security Strategy</h2>
<p>The <a href="https://cybersecuritystrategy.dpmc.gov.au/">Cyber Security Strategy</a> <a href="http://www.abc.net.au/news/2016-04-21/australia-admits-it-can-launch-cyber-attacks-turnbull/7343620">announced today</a> by Prime Minister Malcolm Turnbull clearly places a high priority on protecting Australian government systems from foreign powers. </p>
<p>But when it comes to protecting citizens’ personal information, it appears to be rather a mixed bag. </p>
<p>While very short on specifics, it does announce several potentially useful initiatives that may help protect Australians against cybercrime. But notably absent is any pressure on the private sector to improve its cybersecurity efforts.</p>
<p>First, it commits the government to increasing the number and training of cybersecurity specialists in the <a href="http://www.afp.gov.au/">Australian Federal Police</a> and <a href="https://crimecommission.gov.au/">Australian Crime Commission</a>.</p>
<p>The government also wants to get its own house in order, in part by conducting additional independent security assessments of internal federal government IT infrastructure.</p>
<p>This is an interesting move given <a href="http://www.abc.net.au/news/2016-04-21/australia-admits-it-can-launch-cyber-attacks-turnbull/7343620">Turnbull today confirmed</a> both the Bureau of Meteorology and the Department of Parliamentary Services had been the <a href="https://theconversation.com/cyber-breach-at-the-bureau-of-meteorology-the-who-what-and-how-of-the-hack-51670">victim of recent cyberattacks</a>. </p>
<p>But if more externally focused departments, such as the Australian Tax Office, Centrelink and Medicare, are also thoroughly audited, it would reduce the risk of those organisations’ large collections of personal data being compromised by criminals.</p>
<p>The strategy talks about sponsoring research to better understand the cost of malicious cyberactivity to the Australian economy. It says figures vary, with some putting the cost of cybercrime in Australia at about A$1 billion a year, but other estimates put it as high as A$17 billion. </p>
<p>But perhaps the most useful contributions to cybersecurity for the broader public come from two measures:</p>
<ul>
<li><p>Increasing the number, and skills, of graduates with cybersecurity expertise in both the university and TAFE sector, and</p></li>
<li><p>Partnering with a range of organisations to “deliver a sustained, national awareness raising campaign, encompassing a range of activities, which enables all Australians to be secure online”.</p></li>
</ul>
<p>The effectiveness of both of these policies depends on how they are actually implemented. </p>
<p>In tertiary education, it’s easy enough to devote a couple of lectures and an exam question to the topic, to tick an auditing body’s box marked “cybersecurity”.</p>
<p>Making sure that our students actually know how to design, build and operate secure systems is a much tougher challenge. It’s one that my colleagues and I at Monash University, and our counterparts at universities around Australia, are working hard on.</p>
<h2>Is it enough?</h2>
<p>The biggest cybersecurity threat to individuals remains the unauthorised use of their personal information to commit a variety of financial crimes. It is here that the Cyber Security Strategy seems to lack focus. </p>
<p>Prevention is usually better than cure, and in the case of cybercrime committed across national boundaries, law enforcement is often ineffective. It will likely remain so, despite the worthy rhetoric in the strategy about international cooperation. </p>
<p>Therefore, the primary defence we have is making sure the organisations that hold our personal data are taking sufficient measures to prevent cybercriminals from gaining access. Many of these organisations are in the private sector.</p>
<p>But the government is relying on hints and a bit of assistance to get the private sector to improve its efforts in this area. This is perhaps unsurprising, given the antipathy to “red tape” of the current government.</p>
<p>For example, when the strategy mentions raising the bar, it says:</p>
<blockquote>
<p>Self-regulation and a national set of simple, voluntary guidelines co-designed with the private sector will help organisations improve their cyber security resilience.</p>
</blockquote>
<p>One might have thought our largest businesses would already have the financial means to hire external consultants to assess their security strategies. But ASX 100 listed businesses are to be offered voluntary “health checks”:</p>
<blockquote>
<p>The governance ‘health checks’ will enable boards and senior management to better understand their cyber security status and how they compare to similar organisations.</p>
</blockquote>
<p>As for small business, the strategy acknowledges they might not allocate enough resources to cybersecurity and they could become a “soft underbelly or back door into connected organisations”. </p>
<p>To deal with that, the government plans to offer small businesses assessments, carried out by certified practitioners, of what cybersecurity measures they actually have in place.</p>
<h2>Flogging business with a wet lettuce leaf</h2>
<p>But there’s no shortage of information security guidelines available to organisations already. In far too many cases, what is lacking is the will to implement them. </p>
<p>Unfortunately, in practice, the consequences for security breaches seem extraordinarily limited. The breaches of the Privacy Act to date result in financial penalties that are trivial for large organisations.</p>
<p>For instance, <a href="http://www.abc.net.au/news/2014-03-11/telstra-breaches-privacy-of-15775-customers/5312256">Telstra was fined</a> a grand total of A$11,000 for a breach involving thousands of customers.</p>
<p>Further, companies aren’t even obligated to inform their customers of a breach, unlike in the United States and European Union.</p>
<p>While all this has gone unmentioned in the strategy, the government has been working on a “mandatory data breach” notification law for some time. But it seems in no hurry to actually make it law.</p>
<p>A <a href="https://www.ag.gov.au/Consultations/Pages/serious-data-breach-notification.aspx">draft bill</a> was released for comment in late 2015. As of today it still hasn’t been introduced into parliament, and the draft exempts organisations with annual turnover of less than A$3 million.</p>
<p>Cybersecurity breaches in private sector companies sometimes do have negative consequences for those companies. But they also inflict significant and often larger consequences on the people whose personal data is stolen.</p>
<p>And it’s the role of governments to step in with some kind of regulation when an action creates significant negative impacts on citizens. </p>
<p>But the current government seems to have decided that the costs to business of forcing them to take cybersecurity seriously outweigh the benefits.</p>
<p class="fine-print"><em><span>Robert Merkel does not work for, consult, own shares in or receive funding from any company or organisation that would benefit from this article, and has disclosed no relevant affiliations beyond their academic appointment.</span></em></p>
<p>The Australian Government’s Cyber Security Strategy appears to be a mixed bag when it comes to protecting your personal information.</p>
<p>Robert Merkel, Lecturer in Software Engineering, Monash University. Licensed as Creative Commons – attribution, no derivatives.</p>
<p>tag:theconversation.com,2011:article/58208 (2016-04-21T04:32:58Z)</p>
<h2>The Cyber Security Strategy is only a small step in the right direction</h2>
<figure><img src="https://images.theconversation.com/files/119580/original/image-20160421-8026-149i5q7.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">Cyber crime costs the Australian economy millions of dollars a year.</span> <span class="attribution"><span class="source">Shutterstock</span></span></figcaption></figure>
<p>Prime Minister Malcolm Turnbull today released the government’s <a href="https://cybersecuritystrategy.dpmc.gov.au/assets/img/PMC-Cyber-Strategy.pdf">Cyber Security Strategy</a>. A total of A$230 million will be spent over the next four years to “enhance Australia’s cyber security capability and deliver new initiatives”. </p>
<p>The initiatives generally involve improving Australia’s general awareness and capabilities to defend against cybersecurity attacks, and potentially launch its own cyberattacks.</p>
<p>More specifically, they involve partnering with the private sector in setting the “strategic agenda through annual Cyber Security meetings”. </p>
<p>This partnership will extend to participation in the <a href="https://www.acsc.gov.au/">Australian Cyber Security Centre</a>, which will be moved to a new facility. It will also involve sharing more information between security agencies and the private sector.</p>
<p>There will be increased funding of research into the economic costs of cyberattacks in order to allow organisations to manage investment in cybersecurity defences. </p>
<p>The Computer Emergency Response Team (<a href="https://www.cert.gov.au/">CERT</a>) will be bolstered, along with extra funding for the Australian Signals Directorate (<a href="http://www.asd.gov.au/">ASD</a>), Australian Crime Commission (<a href="https://crimecommission.gov.au/">ACC</a>) and Australian Federal Police (<a href="http://www.afp.gov.au/">AFP</a>) for increased expertise and an improved ability to detect and defend against cyber attacks. </p>
<p>Another element of the strategy is to expand Australia’s ability to grow its own cybersecurity industry through increased funding for research and development in this area. A <a href="http://www.innovation.gov.au/page/cyber-security-growth-centre">Cyber Security Growth Centre</a> will be established to add to the existing <a href="http://www.business.gov.au/advice-and-support/IndustryGrowthCentres/Pages/default.aspx">Industry Growth Centres</a>.</p>
<p><a href="http://www.csiro.au/en/Research/D61">Data61</a> will receive more funding to focus on cybersecurity innovation, and universities will also receive funding for training, research and education of undergraduate and postgraduates in the area of cybersecurity. </p>
<h2>Reading between the lines</h2>
<p>Although this new investment in cybersecurity will be generally welcomed, there are <a href="http://www.itnews.com.au/news/revealed-australias-new-cyber-security-strategy-418000">already</a> questions about whether it is going to be enough to do the job. </p>
<p>The US this year announced a <a href="http://www.reuters.com/article/us-obama-budget-cyber-idUSKCN0VI0R1">US$5 billion increase in funding for cybersecurity</a> to US$19 billion, and the UK last year pledged <a href="https://www.gov.uk/government/speeches/chancellors-speech-to-gchq-on-cyber-security">£1.9 billion</a> to the same cause.</p>
<p>Another question in response to the strategy is what exactly is meant by championing an “open, free and secure internet”. The definition of “open and free” likely depends on your particular point of view. </p>
<p>The government’s strategy calls for an “Australian Cyber Ambassador” to lead national efforts to ensure the internet is free from censorship, but also to support privacy and the rule of law. </p>
<p>But would upholding privacy extend to stopping the government from surveillance activities on its own citizens? Clearly, this would be at odds with the government’s <a href="https://www.ag.gov.au/dataretention">metadata retention legislation</a>. </p>
<p>“Open and free” may also not extend to any radical changes in the application of shutting down access to pirate sites distributing <a href="https://theconversation.com/from-convicts-to-pirates-australias-dubious-legacy-of-illegal-downloading-39912">illegal or pirated content</a>. </p>
<h2>Safe havens</h2>
<p>Another interesting question is what’s meant by the desire to shut down cyber criminal “safe havens”. </p>
<p>The report mentions that attacks often originate from overseas, but it is not clear how a country would go about shutting down attacks originating from China, for example. </p>
<p>One intriguing possibility is that an anonymising network like <a href="https://www.torproject.org/">Tor</a> could potentially be shut down. Tor has long been recognised as a haven for cybercriminals and, increasingly, the starting point for <a href="https://blog.cloudflare.com/the-trouble-with-tor/">cyberattacks</a>. </p>
<p>Security researchers have already <a href="http://www.itnews.com.au/news/close-door-on-tor-or-face-liability-for-threats-researchers-408435">stepped</a> up calls for businesses to block Tor traffic as a protective measure. </p>
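<p>Blocking Tor traffic, as the researchers above urge, needs two things in practice: a current list of exit-node addresses and a way to act on it, both at the log-analysis stage (who is already coming in over Tor?) and at the firewall. The following is an added example and not code from the article, from the researchers cited, or from the Tor Project. It matches web-server access-log lines against an exit list and renders nftables rules. The exit list and the log lines are constructed for the demo, using RFC 5737 documentation addresses rather than real relays; the nftables table, chain and set names are assumptions about the host’s firewall layout.</p>

```python
"""Match web-server requests against a Tor exit-node list and emit block rules.

Added example, not code from the article or from the Tor Project. The exit-node
list and the log lines below are constructed for the demo; in production the
list would be fetched from the Tor Project's bulk exit list service and
refreshed regularly, because exit relays come and go within hours.
"""
import ipaddress
import re
from collections import Counter

# Constructed sample in the one-address-per-line shape of the Tor bulk exit
# list. RFC 5737 documentation ranges, not real relays.
EXIT_LIST_TEXT = """\
# constructed sample, not a real exit list
192.0.2.10
192.0.2.11
198.51.100.7
203.0.113.200
not-an-address
"""

# Constructed combined-format (Apache/nginx) access log lines. The final line
# is deliberately malformed to show that junk is skipped, not fatal.
ACCESS_LOG = """\
192.0.2.10 - - [21/Apr/2016:10:00:01 +1000] "GET /login HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.1.2.3 - - [21/Apr/2016:10:00:02 +1000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
192.0.2.10 - - [21/Apr/2016:10:00:03 +1000] "POST /login HTTP/1.1" 401 128 "-" "Mozilla/5.0"
203.0.113.200 - - [21/Apr/2016:10:00:04 +1000] "POST /wp-login.php HTTP/1.1" 403 64 "-" "curl/7.47"
198.51.100.9 - - [21/Apr/2016:10:00:05 +1000] "GET /about HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
garbage line that does not parse
"""

# Source address, timestamp, request line and status from a combined-format line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)


def parse_exit_list(text):
    """Return the set of exit-node addresses, skipping comments and junk entries."""
    nodes = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            nodes.add(ipaddress.ip_address(line))
        except ValueError:
            continue  # malformed entry: ignore it rather than abort the whole load
    return nodes


def parse_log_line(line):
    """Parse one access-log line; return None for anything that does not fit."""
    m = LOG_RE.match(line)
    if not m:
        return None
    try:
        ip = ipaddress.ip_address(m.group("ip"))
    except ValueError:
        return None
    return {"ip": ip, "ts": m.group("ts"), "request": m.group("req"),
            "status": int(m.group("status"))}


def find_tor_requests(log_text, exit_nodes):
    """Return the parsed entries whose source address is a known exit node."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_log_line(line)
        if entry is not None and entry["ip"] in exit_nodes:
            hits.append(entry)
    return hits


def summarise(hits):
    """Count hits per exit node so the noisiest sources surface first."""
    return Counter(str(h["ip"]) for h in hits)


def nft_rules(exit_nodes, table="inet filter", chain="input", set_name="tor_exits"):
    """Render nftables commands that drop new inbound connections from the list.

    Table, chain and set names are assumed; only IPv4 entries go into this
    ipv4_addr set, so an IPv6 exit list would need a second set.
    """
    v4 = sorted((ip for ip in exit_nodes if ip.version == 4), key=int)
    addrs = ", ".join(str(ip) for ip in v4)
    return [
        f"nft add set {table} {set_name} {{ type ipv4_addr; }}",
        f"nft add element {table} {set_name} {{ {addrs} }}",
        f"nft add rule {table} {chain} ip saddr @{set_name} ct state new drop",
    ]


if __name__ == "__main__":
    nodes = parse_exit_list(EXIT_LIST_TEXT)
    hits = find_tor_requests(ACCESS_LOG, nodes)
    for h in hits:
        print(f'{h["ts"]} {h["ip"]} {h["status"]} {h["request"]}')
    print(summarise(hits))
    print("\n".join(nft_rules(nodes)))
```

<p>Two caveats a practitioner would add before deploying this. Exit lists change hourly, so the set must be refreshed on a schedule or stale entries will both miss new relays and block addresses that have since been reassigned. And a blanket drop also cuts off the legitimate users Tor exists for; many operators instead rate-limit or require stronger authentication for requests from exit nodes on sensitive endpoints such as login pages, which is exactly what the log matching above lets you scope.</p>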
<p>The cybersecurity strategy also hints at the fact that Australia has, or is in the process of developing, a cyber offensive capability. This is the first time this capability has been publicly alluded to. </p>
<p>The increased focus on cybersecurity is a much needed initiative. The threat of cyberattacks affects individuals and organisations alike. And, like other threats to our environment, if left unchecked, they could significantly hinder society’s ability to function normally and to continue growing. </p>
<p>Our reliance on technology is now a given and cybersecurity is as important a consideration as protecting our health, food and water sources and general environment. From that perspective, the cybersecurity strategy is a welcome but very small step in the right direction.</p>
<p class="fine-print"><em><span>David Glance does not work for, consult, own shares in or receive funding from any company or organisation that would benefit from this article, and has disclosed no relevant affiliations beyond their academic appointment.</span></em></p>
<p>Cyber security is now a priority for the government, with $230 million committed to its new Cyber Security Strategy. But is it enough?</p>
<p>David Glance, Director of UWA Centre for Software Practice, The University of Western Australia. Licensed as Creative Commons – attribution, no derivatives.</p>