Labor has accused the government of neglecting cybersecurity despite the heightened risk due to the COVID-19 pandemic and a number of high-profile hacks of large Australian companies, as the industry is left waiting for the new Cyber Security Strategy.
A number of Australian companies have been hit with damaging hacks this year, including Toll, Bluescope and, this week, Lion. Earlier this week ASIO boss Mike Burgess said that the ongoing COVID-19 pandemic had increased the risk of cyberattacks in Australia.
“In terms of threats, obviously we’ve seen more people at home, and as they’re at home they’re online and we’ve seen increased chatter in the online world when it comes to the spread of extremist ideology attempting to radicalise people,” Mr Burgess told the Institute of Public Administration podcast.
“We’ve seen more of that just as we’ve seen more criminal behaviour online, cybercrime, which is well reported by other agencies.”
The federal government will release a 2020 Cyber Security Strategy this year, a complete rework of the 2016 strategy launched by then-Prime Minister Malcolm Turnbull.
This strategy was originally meant to be updated yearly, but this was only done once before the government decided instead that a new version was required.
Consultation for the strategy began nearly a year ago, with submissions closing last November. An advisory panel was also established that month.
But there has been little word on the strategy since, and both the government and Home Affairs Minister Peter Dutton, the responsible minister for cybersecurity, have been largely silent on the issue.
It is still unclear when the new strategy will be unveiled. The 2016 version was launched in April and meant to be in place for four years, meaning the new version is now two months late.
A dedicated Twitter account for the new strategy, set up by the Department, has not posted since 24 March.
Shadow assistant minister for cybersecurity Tim Watts said the government is neglecting the cybersecurity space and putting Australians at risk.
“This week, the ASIO boss warned that the pandemic has made Australia less safe – and spies, terrorists and cyber crooks are exploiting fear online – and there was another major cyber attack on an Australian company. That is the third such attack in a month, that we know of,” Mr Watts told InnovationAus.
“Yet the Morrison government’s new Cyber Security Strategy is now seven weeks overdue. Despite growing threats, Home Affairs minister Peter Dutton has left cyber security at the bottom of his in-tray.
“It’s been 10 months since the Morrison government began consultations on a new Cyber Security Strategy. Given the pace of change in cyber security, a virtual millennia in hacker years has passed without action.
“Foreign mischief is increasing, and global crime syndicates are accelerating their attacks on Australian business. Given this, the policy drift on cyber security is a strong argument for having a single member of the executive dedicated to the issue – just as the now-expired Cyber Security Strategy recommended.”
The Department of Home Affairs did not respond to questions on when the new cyber strategy would launch. Earlier this year it did say that the strategy would “take into account the rapidly evolving cybersecurity landscape including the impact of COVID-19”.
The government has received more than 200 submissions through consultations that closed in November, with a number of public hearings and sessions held around the country.
The strategy is likely to mark a policy pivot towards more public-private collaboration on critical infrastructure and a more centralised architecture for cyber protection, shifting the responsibility onto the industry rather than end-users.
Labor has been more vocal in this space this year, led by Mr Watts. Last month he and shadow home affairs minister Kristina Keneally launched a discussion paper on national cyber resilience which called for a “reconceptualisation” of cybersecurity policy.
The paper said the government needed to shift its focus away from a “cyber Pearl Harbour” type attack and towards cyber resilience across the board, especially in SMEs. It also discussed the possibility of launching a “Cyber CFA” and an expansion of the cyber reserves.
I submitted to the Cyber Security Strategy and attended one of the sessions. The lead-author did not read the submissions (he claimed otherwise, then when I asked in private, he admitted he had merely “skimmed some”). He is also not a cyber expert (by his own admission – he’s a policy guy), but despite that, he took offence when expert members of the audience pulled him up on the large number of security misconceptions he kept discussing.
He admitted that his work is going to be “watered down and ineffective” because all the controls that might make a real difference are “too hard” – one example was introducing penalties for government non-compliance. Right now, nobody in government follows cyber rules, and there’s nothing anyone can do that changes that (even the ASD publicly complains about that same problem!).
The #1 problem with the Cyber Security Strategy is that they are not measuring anything – they did a pile of things that made no difference, they don’t have any data to confirm it made no difference, so they’re now going to keep doing the same things which aren’t working because nobody who actually knows cyber is at the wheel.