There are concerns the government’s rumoured plans to mandate cybersecurity standards in the private sector could lead to SMEs being punished and difficulties around enforcement.
Cybersecurity experts and the Opposition also pointed to the government’s existing inability to get its own departments and agencies to follow basic mandatory cyber guidelines as further evidence in the difficulties of implementing such schemes.
And while it is important to improve the cybersecurity posture of Australian business, especially SMEs, a big stick approach won’t fix the problem, many industry figures said.
It was reported earlier this week in the Australian Financial Review that “industry sources” had indicated that the federal government’s upcoming 2020 Cyber Security Strategy will include mandatory minimum standards of cyber security for the private sector, with potentially a new regulator to help enforce this.
Under the plan, the government would reportedly set cyber standards industry-by-industry, with a code of conduct governing what’s required. It also aims to encourage or force businesses to increase spending on cybersecurity.
A spokesperson for the Home Affairs department declined to comment on whether the rules will be part of the upcoming cybersecurity strategy, which will be released “in the coming months”.
Many in the cyber sector say that such a “big stick” move will unfairly impact smaller businesses and do little to improve the security of the private sector.
There’s a clear need to uplift cybersecurity in Australian businesses, but a punitive approach isn’t ended, Enex TestLab managing director Matt Tett said.
“It would be very useful, but a pretty heavy-handed approach in starting to police and regulate stuff, if you’re looking to invest money into this there are probably other areas to invest money in to help small-to-medium business owners rather than putting another cost or impose on them,” Mr Tett told InnovationAus.
“Everyone needs security but you’ve got to be reasonable. In reality it’s too big of a bite to take – you can’t make a leap from nothing to something where people will be penalised. The carrot and stick approach is probably better, where you incentivise businesses and reward them for demonstrating good security practices.”
Melbourne-based startup Cynch Security focuses on SME cyber resilience, and its CEO and co-founder Susie Jones said instead focus on ensuring there was enough funding and information for companies on the issues.
“Whilst regulatory requirements can act as a strong motivator, it’s important to remember that not all businesses have the same resources available to them to act on the new requirements,” Ms Jones told InnovationAus.
“Micro and small businesses have little time, money or expertise, so expecting them to invest significant amounts of any of these things into cybersecurity is not just unrealistic, it’s not reasonable.
“Before introducing a new stick, we would like to see the government introduce a few new carrots. Funding support for cybersecurity solutions is entirely missing, as is contextualised advice that goes beyond basic cyber awareness.”
And it is important that if implemented, such a scheme doesn’t end up being just a tick-box exercise, Retrospect Labs co-founder Ryan Janosevic said.
“The threats we face from malicious cyber adversaries simply cannot be solved by ticking a box and demonstrating compliance with frameworks – remember that as we improve our cyber posture, the bad guys continue to find new ways of attacking us,” Mr Janosevic told InnovationAus.
“These are good starting places, but organisations need to own their cyber risk and continually invest to improve their cybersecurity capability, in order for Australia to significantly improve its defensive readiness.
There are already cybersecurity standards for the public sector, with Commonwealth entities required to have implemented the ASD’s Essential Eight cyber baselines. But audit after audit by the ANAO has revealed that compliance is “uneven” at best, with only four of 14 audited entities meeting the requirements.
Shadow cybersecurity spokesperson Tim Watts said it would be “ironic” if the government introduced mandatory rules for the private sector when its own departments and agencies aren’t following existing rules.
Mr Watts said the entities that had not implemented the basic cyber protections were now vulnerable to the attacks Prime Minister Scott Morrison referenced late last week.
“That would be entities controlled by the government that is now seeking to impose cybersecurity standards and accountability on business,” Mr Watts tweeted earlier this week.
The NSW government recently announced plans to lead the way on the development of cyber standards, forming a taskforce featuring members from AustCyber, Standards Australia and a number of industry experts. The taskforce will focus on harmonising baseline standards and clarifying sector-specific guidance and greater interoperability with other industries and regions.
“We know that the current plethora of different security standards make it difficult for government and industry to know what they’re buying when it comes to cybersecurity,” NSW customer service minister Victor Dominello.
“By bringing together industry to identify relevant standards and provide other practical guidance, we aim to make government more secure, whilst providing direction for industry to build their cyber resilience.”
Do you know more? Contact James Riley via Email.
Once upon a time – in the USA – for Federal Govt IT purchasing there was the “C2 by ’92” and even more important the “B2 by ’95” suggestions – well, they were propagated but the latter “B2” (Orange Book) one was just ignored and was never made mandatory anyway. In ordinary “space” there is no problem with us accepting mandatory seat belts in cars (and using them) and so on and cyberspace is really no different except that now “Cyber security IS national security”.
BUT – what about cybersecurity education at TAFE/undergraduate-postgraduate university levels? Little available it seems!!
AND that is what is needed to “harden” our Australian cyberspace in both the ppublic and private sectors.
The Government should not be allowed to make laws that it is itself exempt from. Already, according to ASD figures, there are more successful break-ins to Government systems than every other kind of system combined.
The public do not get a choice about which government they feel comfortable sharing their data with, so the Government should not get a choice about whether or not it decides to comply with the ISM and all mitigation strategies.