Australia's semi-retired top spy, David Irvine, has issued a blunt warning that stronger partnerships between government and the private sector and better planning are needed to safeguard the country’s future cyber resiliency.
The former head of both the Australian Security Intelligence Organisation and the Australian Secret Intelligence Service has also called out the boards of companies outside the ASX 20 for not taking cyber security seriously enough as attacks and data breaches rise.
Speaking at the Gartner IT Symposium/Xpo this week, Irvine used his address to highlight the ongoing need for more mature partnerships between sectors to create “national cyber resilience”.
He said this whole-of-economy approach was needed to address the “huge vulnerabilities” that can create problems for critical infrastructure, defence, industry, production, commerce and research.
The government has raised concerns with the role that governments, businesses and the community play in responding to threats and is reconsidering if the “balance of responsibilities” is right as part of the development of Australia’s next cyber security strategy.
“Ultimately, we’re not there and we need, in my view, to have much more effort both by the government and the private sector and individuals into developing what I’ll call national cyber resilience to a far greater level than we have now,” Irvine said.
“And [it’s] probably not going to stop. We’re just on the cusp of quantum computing. We’re on the cusp of AI.
“We’re on the cusp of all these new developments, so we’ve actually got to do a huge amount of planning to catch up.”
Irvine, who is now chair of both Australia’s Cyber Security Cooperative Research Centre and the Foreign Investment Review Board, said business understanding about how to actively manage vulnerabilities and defend against cybercrime was still lacking.
He said that despite the significant progress by governments and the private sector to date, particularly since the creation of the Australian Cyber Security Centre in 2014 and the release of the 2016 cyber security strategy, there was still a way to go.
“As a nation, we’re making progress. We’re beginning to realise the scope of the problem. But there’s still a long journey ahead of us,” Irvine said.
“When I went to ASIO I started talking to business about the problem and I was met, at first, with bemused looks.”
“But subsequently, and today when I talk to business, I think there is an understanding of the problem – there isn’t yet a full understanding about how we actively manage our cybercrime vulnerabilities, how we defend ourselves against those vulnerabilities.”
He said this was particularly apparent when meeting with the boards of companies that don’t rank as Australia’s largest.
“I’m certainly seeing, on the part of boards and CEOs, a greater understanding of the sorts of problems they’re facing. But ... they’re still floundering a bit in terms of solutions,” Irvine said.
“As you go further down the chain from the sort of the top 10, top 20 companies in the country, you ... find that cyber security awareness tails off.”
With the deadline for submission to the development of Australia’s 2020 cyber security strategy fast approaching, Irvine urged the security industry to use the opportunity to address future considerations, particularly in the face of new challenges posed by emerging technologies.
“We’ve invested in digitising our lives, but we haven’t yet invested sufficiently in protecting our digital lives,” he said.
“Our cyber vulnerabilities are real, they’re immediate and they’re potentially hugely destructive. The security of networks really does matter.”
Justin Hendry travelled to the Gartner IT Symposium/Xpo on the Gold Coast as a guest of Gartner.