What does it all mean?
As the Minister for Home Affairs clearly calls out: “Voluntary measures and poorly executed plans will not get Australia where we need to be to thrive in the contested environment of 2030”.
No arguments from me there, Minister. This is the key item that we need to address – end voluntary measures.
However, there is a sneak preview of what I see as the other key omission, by government, in the introduction by the Expert Advisory Board.
“Any successful strategy must be national in scope, enduring, affordable, achievable, and allow for flexibility to account for changes in the dynamic cyber environment out to 2030”
I have highlighted an interesting word – affordable. Keep that in mind while we look at the discussion paper.
I will put my own response to the Cyber Security strategy in this blog entry.
Moving forward this should not be about questions but rather about setting expectations: meeting the expectations that citizens have around the security of their information, and the expectation that governments and organisations will meet an acceptable level of cyber security.
Opportunity
This is an opportunity. Once AGAIN, the Government has the opportunity to make it better. Those of us in the industry have known and have argued for many years that things are getting worse. Now that trend is accelerating, with increasingly regular and increasingly spectacular failures, and the average punter is learning it too. They are the ones whose personal data is being made available to anyone on the internet.
We do want a world where “Australians engage in cyberspace with confidence and assurance”. It is very clear that if we keep doing what we have always done we will not solve the problem.
The problem is that, while “Customers expect cyber secure technologies in the same way they expect a car to be sold with a seatbelt”, there are absolutely no laws that say you must implement the cyber equivalent of a seatbelt in any IT system.
- There are no laws that say you must implement multifactor authentication or you cannot run a hospital.
- There are no laws that say you must patch your systems or you can’t run a business that collects and/or stores personal information.
- There is a law that says if you build a car it must have a seat belt or you can’t drive it on the road.
There are not even enforceable laws, with penalties attached, that say government has to patch systems. Less than half of government departments are currently meeting the basic essentials of patching [Auditor-General Report No.32 2021-22, Figure 1.3].
Despite knowing this, there seems to be some genuine surprise from our leaders that these breaches keep happening.
So what about the strategy now open for comment? Is the government asking the right questions? Are they focusing on the right areas?
Priorities for 2023-2030
Let me look at the core policy areas that have been proposed and provide a brief comment or two.
Enhancing and harmonising regulatory frameworks
“.. it is clear .. that more explicit specification of obligations, including some form of best practice cyber security standards, is required”
As I have already shown, there are compulsory requirements in other industries dealing with safety; however, there are none around cyber security. Laws need to be created because business will always act in the best interests of its shareholders: it is about maximising profits. If something costs money and there is no legal requirement for a business to do it, they will not do it.
This would suggest that there must be mandatory requirements implemented in the proposed Cyber Security Act.
These must be mandatory requirements (laws) that all businesses must meet if they are allowed/required to collect and store sensitive information. This should not be seen as an extra burden on businesses but rather a paradigm shift in how businesses work.
Remember the word “affordable”? This is the shift we need. Stop saying that this has to be “affordable”. Stop asking “who will fund this”. Everyone needs to accept the idea that this is a cost of doing business.
Taxis must keep their cars in a roadworthy state. The law says they can’t neglect safety and drive on bald tyres.
Food manufacturers must meet food quality requirements. The law says they must meet food standards and can’t serve contaminated products.
If your business cannot meet the requirements to provide services in a safe and secure way then you should not be in business.
Government and private entities alike must meet minimum standards in cyber security.
Strengthening Australia’s international strategy on cyber security
1. How Australia can elevate the existing level of engagement with international partners through concrete steps to promote cyber resilience?
This is a long game play – you need to establish international rules around collaboration. Cyber does not understand the concept of regions.
2. What opportunities are there to better support the development of international technology standards, particularly in relation to cyber security?
We already have a number of technology standards relating to cyber. The problem is that you are not implementing them. https://xkcd.com/927/
3. How can government and industry partner to uplift cyber resilience and secure access to the digital economy, especially in Southeast Asia and the Pacific?
There certainly are nations that do not have laws to control cyber criminals, or that lack the methods, resources or will power to respond to cyber-criminal activity.
This is also a long game piece.
Securing government systems
“Only 11% of entities in the Cyber Posture Report reached Overall Maturity Level 2”
Along with the terrible results in Auditor-General Report No.32 2021-22, how can we still be at such a low level of maturity when the minimum requirements for Federal Government departments are very clearly prescribed?
The government should be leading by example, at all levels, federal, state and local. Currently, the cyber posture of government is just as bad as some of the private entities that politicians are criticising.
I have already explored the need for government to improve its own capabilities and cyber posture when talking about the Essential Eight.
Dear Government – you need to Lift – Your – Game!
Areas for Potential Action by 2030
Improving public-private mechanisms for cyber threat sharing and blocking
Sharing intelligence is good. But there needs to be transparency and a robust and responsive conflict resolution process.
Supporting Australia’s cyber security workforce and skills pipeline
Yes – much work is required here – there is a clear skills shortage. However, we do need to remember that IT as an industry is (a) really only about 30 years old, (b) very immature as an industry and (c) evolving at an exponential rate. This is a worldwide problem.
National frameworks to respond to major cyber incidents
A single agency that acts as the funnel between all involved agencies and the compromised entity. The ability to cache responses and provide them to authorised departments would reduce the workload on a business entity. If there is one lesson that the Optus and Medibank incidents showed, it is that having 10 government agencies demanding information while you are dealing with a major incident can be very counterproductive.
I do feel that we need to be careful about the scope of any such agency. Private industry already has a number of firms capable of providing advisory/forensic services to companies. Any attempt to give a government agency authority over a private entity while not allocating any accountability for that agency’s actions would be fraught with danger.
Community awareness and victim support
There will be a natural increase in awareness that will happen as the population evolves and cyber is a part of everyone’s lives as they age. As an adult I know not to eat food that is spoilt. In another 30 years most people will know not to give their credit card details to someone calling from “Microsoft”.
I have not given much thought to how we do victim support – I think this needs to also include a broader question around what constitutes a form of ID and what its purpose is. Consider something like a passport. Its purpose is to identify me when I travel overseas, so there is no reason these cannot be issued as one-time tickets, valid for the purpose of a trip with a one-time number. If compromised it is invalidated and a new one issued.
How do you reduce the requirement for organisations to hold data about the individual? This includes the right of individuals to not supply data that goes beyond what is required.
Investing in the cyber security ecosystem
“There are a range of potential measures which could be explored to promote trade and investment in this space, with clear opportunities for collaboration between federal, state, and territory governments.”
We sadly lag behind a lot of countries when it comes to research investment by both government and industry. The steady erosion of government funding to institutions such as universities, TAFE, CSIRO etc. has exacerbated our current position.
Designing and sustaining security in new technologies
“There are a number of emerging Technologies .. which will significantly impact, and be impacted by, cyber security”
Let us not “promote security-by-design in new technologies” but mandate it.
Implementation governance and ongoing evaluation
“How should Government measure its impact in uplifting national cyber resilience?”
It is easy to measure the number of reportable data breaches each year. That number should be going down.