The Australian Government will soon seek advice from industry on a proposed update to the nation’s cyber security strategy, giving in to calls to review the ageing policy in light of a vastly different technological landscape.
The existing cyber security strategy was written in 2008 and introduced by the former Labor Government in late 2009. It aimed to increase the country’s awareness of and reaction to cybercrime incidents, and ensure government and local businesses used secure and resilient IT infrastructure.
It resulted in the formation of the local Computer Emergency Response Team (CERT Australia) and the Cyber Security Operations Centre - now the Australian Cyber Security Centre.
The Labor Government commissioned a follow-up cyber security white paper in mid-2011, but abandoned it a year and a half later in favour of a "broader" discussion around the digital economy.
Given the rapidly changing threat environment and increased scrutiny of online security issues, industry participants have in recent years called for the policy to be refreshed.
The calls have been heard by the office of the Prime Minister and Cabinet, which today announced a review of the strategy.
The Government is expected to complete the review in six months, with the help of a specialist panel including Telstra CISO Mike Burgess, Australian Strategic Policy Institute international cyber policy director Tobias Feakin, Cisco US chief security officer John Stewart, and Business Council of Australia CEO Jennifer Westacott.
The review panel will look at how to make public and private sector systems more resilient to attack, how government and industry together can reduce the risk of online attacks, and how to be proactive in preventing attacks on government networks and infrastructure.
Australia is currently lagging behind its international counterparts in terms of the relevance of its cyber security strategy - the US, UK, New Zealand, Germany and France all updated their policies in 2011, while Japan and Singapore released refreshed strategies just last year.
Former Australian Government cyber security advisor and Fortian principal consultant Marcus Wong said the review was a positive development on the dated policy.
"The online environment, including the threats that we face, has changed significantly since then," he told iTnews.
"However, it is important that any new strategy must be backed by a serious commitment to invest money and resources where areas for improvement are identified.
"In addition, genuine, widespread consultation as part of the review is essential. Cyber security is a societal issue that goes beyond government. It affects the private sector and large parts of the community. Ensuring that these stakeholders are consulted and have a say is crucial in ensuring the best outcome for the nation."
The Commonwealth Bank recently joined the ranks of those calling for a review of the six-year-old strategy, imploring the Government to ensure Australia kept up to date with not only evolving technological threats but also the pace of international peers.
CommBank cyber security general manager Ben Heyes today told iTnews the bank was looking forward to working with the Government on making Australia a "hard target" for attackers.
"The longer term projection view for the cyber environment is negative - the threats are increasing, the capability of the people posing those threats is increasing and evolving, and at the same time there’s been lots of media reporting about surveillance programs, and they have an adverse impact on online trust. Those factors have the threat to undermine the development of the digital economy," Heyes said. "We’re looking forward to working closely with the Government on this review, on a number of areas like public and private sector collaboration, information sharing, and crisis planning in particular, and also making sure we make Australia a hard target - strengthening and hardening our cyber resiliency and increasing cyber literacy in the broader population."
The FSI Inquiry panel also gave its tentative support to an upgrade of the policy in its interim report, and asked whether a private-public sector discussion forum would help cohesion and co-ordination of cyber security strategy.
“Cyber attacks are no longer only a potential threat; they are occurring on an increasingly frequent basis. For example, recent figures show a 21 per cent rise in cyber threats to Australian Government networks between 2012 and 2013,” the panel reported.
“Although managing cyber security risks creates costs for industry and Government, there are also costs from failing to take action. For example, in 2013 cyber crime affected five million Australians at an estimated cost of $1.06 billion [according to Symantec figures].
“Cyber crime may erode consumer and business trust and confidence in the financial system. Increasingly, cyber crime is also being identified as a potential source of systemic risk.”