Today connected technology sits at the very heart of the lives of most Australians and is increasingly pivotal in shaping our economy, our society and our future. It is changing and shaping how we live, work and learn, and our ability and willingness to embrace a digital future will be central to our post-COVID-19 recovery and long-term competitiveness.
But shadowing the acceleration of Australia’s digital economy is an equally rapid acceleration in cyber threats. Malicious cyber activity is steadily increasing, from more abundant and better resourced cyber-criminals to state actors, both of which have become more sophisticated and emboldened. Australia and many Australians are quite literally under cyber-attack every day, every hour, every minute, every second, and cyber security incidents are estimated to cost Australian businesses up to $29 billion per year. Cybercrime affected almost one in three Australian adults in 2018.
Successfully meeting this challenge requires Australia’s cyber defences to be strong, adaptive and built around a strategic framework that is coordinated, integrated and capable. The Federal Government is currently developing this framework as the 2020 Cyber Security Strategy and, with so much at stake, late last year engaged an expert Industry Advisory Panel (IAP) to provide strategic advice.
The Panel’s recommendations are structured around a framework of five key pillars:
- Deterrence: The Government should establish clear consequences for those targeting businesses and Australians. A key priority is increasing transparency on Government investigative activity, more frequent attribution and consequences applied where appropriate, and strengthening the Australian Cyber Security Centre’s (ACSC’s) ability to disrupt cyber criminals by targeting the proceeds of cybercrime.
- Prevention: Prevention is vital and should include initiatives to help businesses and Australians remain safer online. Industry should increase its cyber security capabilities and be increasingly responsible for ensuring its digital products and services are cyber safe and secure, protecting its customers from foreseeable cyber security harm. While Australians have access to trusted goods and services, they also need to be supported with advice on how to practise safe behaviours at home and work. A clear definition is required for what constitutes critical infrastructure and systems of national significance across the public and private sectors. This should be developed with consistent, principles-based regulatory requirements to implement reasonable protection against cyber threats for both the public and private sectors.
- Detection: There is a clear need for the development of a mechanism between industry and Government for real-time sharing of threat information, beginning with critical infrastructure operators. The Government should also empower industry to automatically detect and block a greater proportion of known cyber security threats in real-time, including initiatives such as ‘cleaner pipes’.
- Resilience: We know malicious cyber activity is hitting Australians hard. The tactics and techniques used by malicious cyber actors are evolving so quickly that individuals, businesses and critical infrastructure operators in Australia are not fully able to protect themselves and their assets against every cyber security threat. As a result, it is recommended that the Government should strengthen the incident response and victim support options already in place. This should include conducting cyber security exercises in partnership with the private sector. Speed is key when it comes to recovering from cyber incidents; it is therefore proposed that critical infrastructure operators should collaborate more closely to increase preparedness for major cyber incidents.
- Investment: The Joint Cyber Security Centre (JCSC) program, a highly valuable asset that can form a key delivery mechanism for the initiatives under the 2020 Cyber Security Strategy, should be strengthened. This should include increased resources and the establishment of a national board in partnership with industry, states and territories with an integrated governance structure underpinned by a charter outlining scope and deliverables.
The Panel’s recommendations are designed to strike the balance between increasing cyber defences while promoting the development of a digital economy and countering threats to the economy, safety, sovereignty and national security.
Never a more important time
As we enter the 2020s the world is on the exciting cusp of a fourth industrial revolution driven by connectivity and digital technologies. Artificial intelligence, sensors, autonomous machines and systems, edge computing, augmented reality and 5G will combine to create incredible new products and services, infuse the physical world with digital, revolutionise business operations, elevate human work, and serve customers and citizens in many new ways.
All of that was true before COVID but mandatory social distancing and self-isolation have meant healthcare, education, work and commerce and even staying in touch with friends and family have had to be done largely online. Looking beyond the crisis, technology and our ability and willingness to embrace digital has now emerged as central to a rapid economic recovery.
With so much at stake, robust and effective cyber security has never been more important to a safer, more prosperous Australia. The risks in cyber space from adaptable and capable state and non-state adversaries are many but they must be met – our economy, our society and our future depend on it.
Read the full copy of the report available here.
The 2020 Cyber Security Strategy Industry Advisory Panel was established in November 2019 to provide advice from an industry perspective on best practices in cyber security and related fields; emerging cyber security trends and threats; key strategic priorities for the 2020 Cyber Security Strategy; significant obstacles and barriers for the delivery of the 2020 Cyber Security Strategy; and the effect of proposed initiatives on different elements of the economy, both domestic and international.
The Panel met 13 times between November 2019 and July 2020, including two meetings with Home Affairs Minister Peter Dutton and formal briefings, including some classified, from the Department of Home Affairs, the Australian Signals Directorate, the Attorney-General’s Department, the Department of the Treasury, the Australian Competition and Consumer Commission, the Department of Communications and the Arts, the eSafety Commissioner, the Australian Federal Police, and the Australian Security Intelligence Organisation.
The Panel was chaired by Andrew Penn, CEO of Telstra, with Robert Mansfield, Chair of Vocus Group; Robyn Denholm, Chair of Tesla; Chris Deeble, CEO of Northrop Grumman Australia; Darren Kane, Chief Security Officer, NBN Co; and Kirstjen Nielsen, formerly U.S. Secretary of Homeland Security from 2017-2019, as members.