What to expect from Abbott's national cyber security strategy

The federal government's review of the nation's cyber security strategy is set to be released "imminently", according to the policy's key architect, who revealed it woud centre on voluntary standards, skills and public-private sector collaboration. 

Tobias Feakin

The review of the national cyber security guidelines was initiated by the Abbott government late last year, undertaken by a panel that includes Australian Strategic Policy Institute international cyber policy director Tobias Feakin. 

The review panel is looking at how to make public and private sector systems more resilient to attack, how government and industry together can reduce the risk of online attacks, and how to be proactive in preventing attacks on government networks and infrastructure.

It aims to increase the country’s awareness of and reaction to cybercrime incidents, as well as to ensure government and local businesses use secure IT infrastructure.

On the sidelines of the RSA APJ conference in Singapore, and ahead of the release of the cyber security review, Feakin told iTnews trust relationships with the private sector would be a key feature of the policy. 

"It's always going to be tricky in terms of deciding what that looks like, what information you're going to share and how, but you'll see some good material coming on that front," he said.

"Secondly, [the review will cover] bridging the gap in the skills divide, both in current workforces, but also in university course structures, which build a workforce that you want in five or 10 years time.

"And the third one is looking at voluntary sets of standards. You have a government here that will always be adverse to legislating and regulating, certainly in this area. So there will be quite a lot of work on that side coming up."

According to Feakin, former US National Security Agency employee Edward Snowden's revelations of widespread surveillance have profoundly reshaped the conversation around national security. 

"I think there's some consequences [Snowden] needs to face and he has broken some laws. But, in many respects, we live in liberal democracies, which enable us now to have that conversation... And that, to me, is the value of living in Australia, the UK or the US," Feakin said.

"My bugbear with [Snowden] is he's gone and hidden himself in the two countries that are the two worst human rights infringers on this planet [in China and Russia], and that is a level of hypocrisy that I find hard to stomach." 

An easier path to hacking

In terms of cybersecurity issues facing Australia, Feakin said he was the most concerned that the bar to entry for would-be cybercriminals is lowering.  

"So even an idiot like I could now go into the darknet, download certain malware, and I could conceivably make myself a cybercriminal if I chose to," he said.

"That is the concern, because it was once perceived that it would be only the bastion of those with great knowledge that could do these kinds of things. 

"Now, don't get me wrong, at the sophisticated end of this, that is still the case, and you have sophisticated networks of criminals who will design-to-order more sophisticated pieces of malware, but my concern is it's more of an open market now." 

In light of such threats, Feakin said he was broadly supportive of Australia's mandatory data retention laws, which were passed by Parliament earlier this year. 

"Yes, [metadata] enables agencies to do certain things. For me, as long as that's targeted and done under strict control, and anyone who abuses that is brought to task, then I'm comfortable with that," he said.            

"If it's general metadata of everyone being targeted, then that's not acceptable. And I think where we've got to is there's some pretty good oversight mechanisms now to make sure you or I don't have anything really to consider on that front." 

In the aftermath of the Snowden revelations, Feakin said the threat posed by metadata looms larger in the public imagination than in the reality of law enforcement or police capabilities. 

"If there's anything I've known from working with police and various agencies over the past 15 or 20 years, they simply don't have to resources to do that either," he said. 

"So the Orwellian picture you might conjure on the whole metadata issue is just not possible within the kind of capabilities that agencies have. I think there is that kind of disconnect sometimes between the way policy and national security issues are expressed to the public, and the realities of how you go about these policies." 

Private-public cooperation post-Snowden

The net effect of concerns about metadata collection following the Snowden revelations, Feakin observed, has been a rebalancing of the way the private sector is willing to engage with governments at that level. 

"You don't see it so visibly in Australia, but certainly from the US companies, you can look at the litany of court cases that the likes of Twitter, Facebook, Microsoft are now bringing [against] the US government," he said. 

"[It's] to show push-back; to try to show to their customer base that don't adhere to all of the requests they get and they do care about your privacy. 

"You're looking at five years before governments and the private sector get to a point where there's an easy comfort level again at working together." 

The cooperation of the private sector in surveillance is critical in Feakin's view, as governments cannot respond to all the challenges of cybersecurity alone.  

"Governments, by their very nature, like to be in charge and to say 'yes, we're able to do this well', but they can't do that. It's very much 'we can show partnership and assistance, but we need your help'," he said.

"Governments will always struggle to keep up with the rate of technological change and policy change around that. They find it tough enough to develop policies around multiple different areas. But when you're dealing with something that is as rapidly escalating and morphing as cyber threats are, that's going to be a struggle. 

"So how do you create flexible policy responses that allow you to update them very easily? That's what governments need to think [about]. 

"You can't make heavy-handed policies in this area because it's about being flexible. And the more agile you are, the better placed you'll be in the emerging digital economies." 

Looking to the future, Feakin said the key to successful cybersecurity policy will hinge on "bringing everyone along on the journey".  

"Yes, it's about economic wellbeing. Yes, it's about national security. But it's also about bringing the private sector along in a way that makes sense to them and they can see a value proposition that they can invest in and they feel is being prioritised for them in the same way that it is for government," he said.

"It's about treating the Australian public as an adult. The Australian public are a grown-up bunch and can deal with a mature discussion around security issues. As long as you treat them in that way, that helps creating better, more defined policies." 

Andrew Sadauskas attended he RSA APJ conference in Singapore as a guest of RSA.