Two top cyber security experts at UNSW Canberra, which serves as the academic wing of the Australian Defence Force Academy, have lashed the nation’s cyber defence strategy for its disconnect from the private and educational sectors.
“What exists at the moment is minimalist, and appears hostage to the preferences of a handful of senior officials in Australian Cyber Security Centre (ACSC) and the Department of Home Affairs who may not be in post within several years,” Adam Henry and professor Greg Austin wrote in The Conversation this week.
Instead, they argue, cyber civil defence is the responsibility of the entire community and there should instead be a national standing committee for security management and resilience that is an equal partnership between government, business, and academic specialists.
The strong stand made by Austin, a respected former Defence Intelligence Organisation official, reveals not all quarters of the national security community are comfortable with the way the current cyber agenda has been formed and is being run, particularly the dominance of the Department of Home Affairs.
Austin and Henry's observations follow the release of the government’s first Cyber Incident Management Arrangements (CIMA) for state, territory and federal governments last week and ongoing controversy over new encryption busting laws.
Austin and Henry argue that although CIMA is a commendable step towards a national civil cyber defence strategy, far more needs to be done than issuing glossies.
In particular the pair warned that beyond CIMA, “the government needs to better explain to the public the unique threats posed by large scale cyber incidents and, on that basis, engage the private sector and a wider community of experts on addressing those unique threats”.
CIMA’s aim is to reduce the scope, impact and severity of a national cyber incident, which is defined as being of potential national importance, but less severe than a “crisis” that would trigger the Australian Government Crisis Management Framework (AGCMF).
But at only seven pages, the CIMA fails to outline specific operational incident management protocols, which will instead be left to state and territory governments to negotiate with the Commonwealth.
“That means the protocols developed may be subject to competing budget priorities, political appetite, divergent levels of cyber maturity, and, most importantly, staffing requirements.”
Those staffing requirements are the same ones affected by the severe lack of skilled cyber workers in general, and particularly in the case of specialist areas needed for the management of complex cyber incidents.
Speaking from within the sector, Austin and Henry said Australian universities have exacerbated the skills crisis by failing to deliver high-quality education and training programs for these specialist tasks.
“Our universities, for the most part, do not teach – or even research – complex cyber incidents on a scale that could begin to service the national need.
“The federal government must move quickly to strengthen and formalise arrangements for collaboration with key non-governmental partners – particularly the business sector, but also researchers and large non-profit entities.”
They suggested critical infrastructure providers, such as electricity companies, would be ideal businesses to target for collaboration first, due to the scale of the potential fallout should something go wrong.
Healthcare providers and transport operators would also be ideal candidates: the UK’s National Health Service lost $160 million in the WannaCry attacks, and shipping giant Maersk lost half a billion dollars in the weeks it was shut down by NotPetya.
While CIMA outlines the first plans to institutionalise regular cyber incident exercises that address national needs, Austin and Henry said better long-term planning is needed.
“First, the government needs to construct a consistent, credible and durable public narrative around the purpose of its cyber incident policies, and associated exercise programs.”
That’s in opposition to former Minister for Cyber Security Dan Tehan and then Prime Minister Malcolm Turnbull warning about cyber storms, and cyber coordinator Alastair MacGibbon speaking of a cyber catastrophe as the only existential threat to face Australia.
This political rhetoric, they argue, failed to properly articulate in the public domain what those ideas actually meant.
Despite CIMA being meant to operate below the level of national cyber crisis, Austin and Henry argue the country is “in dire need of a civil defence strategy for cyber space that addresses both levels of attack”.
“This is a completely new form of civil defence, and it may need a new form of organisation to carry it forward. A new, dedicated arm of an existing agency, such as the State Emergency Services (SES), is another potential solution.”
Austin had previously proposed in 2016 the creation of a new “cyber civil corps” that would help define training needs, contribute national training packages, and function as “disciplined service relying on part-time commitments from the people best trained to respond to national cyber emergencies”.
The second element of Henry and Austin’s strategy is for private enterprise to build its own body of expertise in cyber simulations and exercises.
“Contracting out such responsibilities to consulting companies, or one-off reports, would produce scattershot results. Any “lessons learnt” within firms about contingency management could fail to be consolidated and shared with the wider business community.”
Austin and Henry said it is the task of all stakeholders to mobilise and more actively engage the expanding knowledge base from academia, government and the private sector.