Australia’s Bold Cybersecurity Gamble Decrypted

Image credit: iStockphoto/AlexLMX

Cybersecurity is often seen as a weakness, but Australia—with a major Government push—is trying to turn it into a strength.

Recently, the federal government released its 2023-2030 Australian Cyber Security Strategy discussion paper with the ambitious goal of becoming “the most cyber secure nation” in the world by 2030.

For a country that, like many others, has experienced numerous data leaks and hacks, this is quite an aspiration. It comes only a week after Australia's digital spy agency said reports of cybercrime are up by 23%, with a report being made to law enforcement every six minutes.

Leading bank NAB welcomed the strategy and said it blocked over 50 million monthly threats on its digital channels.

Last year, the personal details of around one-third of the population, or close to 10 million people, were leaked in the hack at telco Optus, and the personal details of more than 10,000 of these people were then up for sale on the dark web.

At the same time, Australia's defense establishment is highly aware of cyberattacks on government data and critical infrastructure, and this was one of the planks of the recent A$5 billion deal for Microsoft to invest in Australia.

As if there weren’t enough reminders of how vulnerable infrastructure can be, a cyberattack closed down one of the biggest port operators, DP World Australia, for three days in November and crippled the movement of around 40% of the goods flown in and out of the country.

Cyber branding

The Government's goal is to strengthen Australia's cyber protection regimes through regulation and technology so that it becomes a differentiator and the country is recognized "as a leading brand for cyber goods and services."

“This means consumers expect advanced cyber security built-in by design, sold at a reasonable price, designed and manufactured by a workforce with world-leading cyber skills under fair working conditions,” the strategy says.

"We must make Australia the hardest and least lucrative country in the world for cybercriminals to attack."

That sounds laudable, but can the Government and the AUD568 million it plans to spend on the strategy actually deliver?

This is on top of AUD2.3 billion already committed to existing cyber initiatives, including the REDSPICE program to enhance the capabilities of the Australian Signals Directorate, the government agency at the heart of the defense establishment.

From that AUD568 million figure, AUD290 million will protect businesses and citizens, with another AUD143 million going to infrastructure protection.

The Government also plans to expand its Digital ID program and limit the amount of sensitive information that must be shared to enable verification.

The strategy notes ransomware is "one of the most disruptive cyber threats" in the world – and costs the Australian economy as much as AUD3 billion each year.

The Government will create a "ransomware playbook" to help businesses respond to and bounce back from cyber extortion and work with the industry on a mandatory no-fault ransomware reporting scheme.

The most controversial point is the announcement that the Government is considering outlawing the payment of ransoms sometime in the next few years.

While ransomware payments encourage criminal behavior, banning payments would make it difficult for businesses to recover stolen data and incentivize thieves to release it, as happened with the Optus hack.

Another initiative is establishing a mandatory cyber security standard, in line with international standards, for consumer-grade smart devices sold in Australia.

Zero Trust

Research firm Forrester, which contributed to the discussion paper that informed the strategy, welcomed the goal of developing a whole-of-government Zero Trust structure.

“While defining and implementing a Zero Trust 'culture' will require some nuanced work, the Government's in-principle focus on instilling culture is admirable,” said Forrester vice president and principal analyst Jinan Budge.

“The strategy also adopts a human-centered approach to cyber security. While the last decade has seen significant increased attention on cyber security, the proposed solutions, capabilities and skills have largely centered around technology. The strategy recognizes that cyber is no longer a technical topic, but a whole-of-nation effort.”

Forrester also gives the Government points for understanding that successful cybersecurity requires a trained and supported workforce and not shying away from the issue of attracting women into the cybersecurity workforce.

The strategy also promises to accelerate Australia's local cyber industry research and innovation, promoting the growth of innovative start-ups by establishing a Cyber Security Challenge program.

The Government’s goal is to ensure that Australian organizations are well protected and that the nation is home to a workforce and ecosystem of technology companies in demand at home and around the world.

The strategy says cybersecurity can be paralleled with washing your hands and putting on seatbelts. It is a necessary first step before doing anything confidently in the digital world.

Unsurprisingly, the political Opposition was skeptical of the strategy, calling it empty and full of spin.

The NAB statement pointed out that there was no "silver bullet" and that Australia will always be an attractive target in an advanced digital economy.

"We must make Australia the hardest and least lucrative country in the world for cybercriminals to attack," said NAB group executive Patrick Wright.

The Government, at the very least, is stating its aspiration. Come 2030 it can be judged on how it has delivered.

Lachlan Colquhoun is the Australia and New Zealand correspondent for CDOTrends and the NextGenConnectivity editor. He remains fascinated with how businesses reinvent themselves through digital technology to solve existing issues and change their business models.