Australia’s new cybersecurity strategy was needed “yesterday”, with the government’s recent cyber warning stoking fear and uncertainty around the country, a number of industry experts have said.
The Coalition had planned to unveil the 2020 Cyber Security Strategy earlier this year before the federal budget, but the COVID-19 pandemic put a halt to this, and the sector is still waiting for the new set of policies and spending.
Mr Morrison flagged that the strategy would be released soon and would include significant new spending in the space.
The new strategy is long overdue, RMIT University associate dean of mathematical sciences Professor Asha Rao said.
“It should’ve been yesterday, or last year or the year before. It should have already been done – the earlier the better,” Professor Rao told InnovationAus.
The new strategy is an update to the 2016 iteration and is expected to mark a significant policy shift. The Department of Home Affairs has been working on it for several months and received more than 200 submissions by the end of November from the private sector.
Late last week Prime Minister Scott Morrison fronted a hastily called press conference to warn that Australian governments and businesses had been targeted by a “sophisticated state-based cyber actor” over recent months.
The announcement was light on detail, with subsequent guidance revealing that the attacks were using known vulnerabilities with readily available fixes. The government advised businesses to install these patches and implement multi-factor authentication.
A spokesperson for Home Affairs said the strategy would be released “in the coming months”.
“The government is continuing to develop the 2020 Cyber Security Strategy and will consider advice from the Industry Advisory Panel prior to finalisation. The 2020 Cyber Security Strategy will build on the strong foundations established by its predecessor and will take into account the evolving cybersecurity landscape, including the impact of COVID-19,” the Home Affairs department spokesperson told InnovationAus.
The announcement of the apparent state-based attacks unnecessarily raised concerns in the cybersecurity industry and the general public, Enex TestLab managing director Matt Tett said.
“This gets it on the agenda, but there’s a question as to why it was happening at that point in time and what the real intent behind it was. All it did was spread fear and uncertainty and doubt in the community. It gave us more work that we didn’t necessarily want. It could’ve been made far more clear and to the point,” Mr Tett told InnovationAus.
“We had a whole lot of clients ringing us asking if they were under attack and if they would be targeted, and we had exactly the same questions. It could have been delivered far more clearly, succinctly and to the point by saying, ‘if there’s a vulnerability you need to patch it, and you need to be aware of it’.
“I think cybersecurity needs to be on the public’s radar, but spreading fear like that like we’re under immediate attack and then not providing specific details certainly sent our industry into a spin.”
The government needs to ensure that the new strategy is clearly measurable and has targets in place, a major shortcoming of the 2016 effort, Mr Tett said.
“The strategy is important, providing it’s correct. The 2016 strategy was well architected but over time it wasn’t well executed, and I don’t think that’s about the money. At the end of the day there weren’t measurements or data to show success,” he said.
“Any strategy which is released needs to be accountable and measurable and really show the value that’s being delivered. It’s all well and good for government to pump money into projects but we want to see the outcome and the success of those programs.”
The strategy must also make a real effort to improve cyber resilience within the public sector, Professor Rao said.
“It’s time that governments especially are held to account and audited. They’re the ones holding most of our information. That’s what worries me about things like e-health and having health records online, we’re not really sure about their strategies,” she said.
The strategy will be garbage, just like its predecessor. They measured nothing at all – not a single bit of any kind of efficacy, then had the gall to produce a discussion paper that flat-out lied about the “effectiveness” of the 2016 strategy, and totally overlooked their hundreds of failures.
At the public sessions, they offered to share their analysis of our feedback and submissions, which they never did. The lead author admitted he was not a cyber expert, but merely a policy guy. When pressed to discover if he read the submissions, he eventually admitted he did not – but only after intense questioning on the content of them, when it became apparent he did not know.
When asked if it can include anything to compel government to abide by their own rules (e.g. penalties for non-compliance), he admitted that it would never do that, “because it was tried once at a state level, and was too hard”.
This entire government cyber space has been hijacked by professional scammers who have realized they can build their mini do-nothing empires with impunity: nobody understands cyber, and nobody measures anything, and it all just keeps getting worse – so they can ask for ever increasing budgets without fear of ever having to explain themselves and no fear of getting found out (they’re immune to FoI and never let you know anything they’re doing, because, “security/privacy”).
I feel sorry for the PM, Media, and others who have no means to understand just how *much* “nothing” they’re all really doing.
Here are my notes about their shameful discussion paper (hover over the comment markers): http://chrisdrake.com/for_gai/Cyber-Security-Strategy-2020-discussion-paper_with_notes_by_Chris_Drake.pdf
And a few more notes on the original paper: http://chrisdrake.com/for_gai/Cyber-Security-Strategy-2016-with_notes_by_Chris_Drake.pdf