People key as updated Australian cyber strategy targets ‘existential threats’

Whereas the Australian government’s previous Cyber Security Strategy 2016 was primarily focused on crystallising the domestic industry, the newly released 2020 edition is pivoting towards “some of the big existential threats to Australian society”, a senior public servant has noted as updated figures confirm Australian businesses are continuing to suffer data breaches as regularly as always.

Released after months of consultation with industry and other stakeholders, the new Cyber Security Strategy 2020 draws on 215 submissions—156 of which are publicly available online—outlining a broad range of perspectives around the issues raised in a previous discussion paper.

The ongoing cyber security threat to Australia—outlined by Prime Minister Scott Morrison in an impromptu press conference in June—“is broad, ranging across multiple levels of the Australian economy, at the individual and up to the critical infrastructure level,” Hamish Hansford, first assistant secretary within the Department of Home Affairs’ Cyber, Digital and Technology Policy division, told a recent webinar audience.

The new cyber security strategy in detail

The new strategy is a “crisp articulation of the threat posed by cyber security, and of the challenges that governments and individuals face in looking at these challenges,” Hansford said, noting that it “will take all of us to have a focus on cyber security from different levels, to make this cyber security strategy actually make a difference.”

Backed by $1.7 billion in new investment over the next decade, the new strategy targets a range of cyber weak spots, including exposure around critical infrastructure; more-proactive efforts to trace and shut down compromises of sensitive data on dark websites; stronger defences for government networks and data; improved situational awareness; stronger industry partners; and other initiatives, including 24×7 support for small businesses and families.

An investment in training hundreds of new cyber security specialists will create a de facto cyber army that will be tasked to proactively assert Australia’s sovereignty online, including using offensive cyber capabilities in a way that, the report says, is “consistent with international law”.

Human error, not crime, are the growing cause of data breaches

The new strategy’s evolution has been closely monitored throughout the COVID-19 pandemic, which has spawned a rising tide of cyber security attacks, scams and successful compromises of industry leaders like logistics giant Toll Group.

The latest data-breach statistics, released by the Office of the Australian Information Commissioner (OAIC) and covering the first half of 2020, found that the volume of data breaches had continued more or less consistently throughout the pandemic compared with the second half of 2019.

Yet while some 518 new breaches were reported during the period—down just 3 per cent from the previous reporting period and up 16 per cent year-on-year—the proportion due to malicious or criminal attack dropped by 7 per cent.

By contrast, the proportion attributable to human error rose by the same amount—seemingly validating the new Cyber Security Strategy’s positioning of individual responsibility as one its three key pillars.

There is, Hansford said, “a responsibility for every Australian to have a good knowledge, at some level, of cyber security and cyber security threats. You only need open your email or SMS these days and you can see the real-world impact of some forms of cyber crime.”

Security Industry welcomes the new strategy’s cyber partnerships

Given companies’ reliance on the security of home workers and the “unprecedented cyber threat landscape” as the COVID-19 pandemic expanded in the first half of the year, FortiGuard Labs chief of security insights and global threat alliances Derek Manky said, “there has never been a clearer picture than now, of why organisations need to adjust their defence strategies. … It is critical for organisations to take measures to protect their remote workers and help them secure their devices and home networks for the long term.”

Australian cyber security leaders welcomed the new strategy’s release, with Verizon Business Group Asia-Pacific regional vice president Robert Le Busque calling it “an important development in bringing together the cyber security industry” and welcoming its explicit support for small and medium businesses “that are often a primary target for cyber attacks. … Key to the success of these initiatives will be our ability to understand the threat landscape and to ensure vigilance on the reporting of cyber incidents across the economy.”

Ian Yip, CEO of security consultancy Avertro, welcomed many of the strategy’s allocations but noted that its focus on funding government agencies meant that only about a third of the overall funding “will ultimately flow to the ecosystem outside of the federal government”.

While bolstering Australia’s front-line defences is “great for national security,” he said, “the need for more collaboration, which the government has also been promoting, requires a more balanced allocation of funds across the ecosystem. … Precision, clarity of execution, and metrics need to be better articulated for the strategy to make the desired impact.”