Forward Defence? The realpolitik behind Taylor's big new cyber bargain

There are some mighty big leaps of faith when it comes to Cyber Security Minister Angus Taylor’s newly stated doctrine of ‘Forward Defence’.

Delivering with effect across both business and government is chief amongst them.

Taylor's statement is a much anticipated, and needed, reset of the initial cyber security policy launched by Malcolm Turnbull in 2016; but let’s hope it’s still a work in progress on a couple of fronts.

(And let’s drop ‘stop the bots’ while we’re at it. Even Tony Abbott would cringe, with cheesy grin, at that one.)

At the heart of Taylor’s big new cyber bargain is a tacit assumption that major corporations and small business will logically link arms with the government and be guided by our security agencies to create “a new dynamic of engagement with the private sector.”

The problem is there’s already a new dynamic with the business community  - and most of the engagement is coming from regulators tasked with cleaning up some conspicuous corporate governance failures, not least around financial services and energy markets.

In the cyber security game, the status quo so far has been for business and government to publicly agree to work together on common goals to protect Australia’s vital national interests.

But under this well maintained façade, there’s a perilously delicate balance of interests at play that can conflict with other policy settings – like getting major corporations to seriously clean-up their act when it comes to protecting consumers and shareholders.

“Active, interventionist and collaborative,” are Taylor’s preferred words for the collegiate approach to counter cyber adversaries, but the signals outside the cyber realm aren’t exactly reassuring.

Let’s start with the bedrock of cyber miscreancy, online payments fraud. Because whatever the vector, it’s almost always about the money.

Taylor last week backslapped federal agencies here for helping to wind-up a fraud racket dubbed Fin7 that plundered accounts across the globe and produced the “arrest of cyber criminals targeting Australia.”

To steal a phrase from The Wire it was “dope on the table”.

What Taylor omitted to mention was that online payments fraud in Australia or against Australians has been climbing steadily for years and is now nudging $500 million a year.

And that’s just on credit cards.

Who wears the cost of that fraud is profoundly unclear – more on that in just a moment – but as the Productivity Commission observed, there’s a case to be made for the Australian Securities and Investments Commission to revisit the liability regime around online transactions.

They have a point.

One of the biggest misconceptions going around is that because consumers are protected by banks and card schemes through a ‘zero liability’ for regime for online fraud, the financial services industry is soaking up the cost. If only.

In reality it’s merchants – that’s shops or service providers selling online – who are picking up the tab via an opaque mix of service agreements that differ across bank, card brand and business type.

This is where the whole cyber security bargain gets very murky indeed.

Banks and card schemes have for at least a decade foisted much of the liability for fraudulent online purchases back to their commercial customers, a wholesale liability shift that simply doesn’t occur in the bricks and mortar world.

There are two profoundly perverse outcomes created by this distorted liability regime.

Firstly, it negates any financial penalty to spur banks to improve usable transaction security –because they just don’t feel the sting. Worse still, it allows payments schemes to deliver clunky duds like PCI-DSS that can cost more than the fraud perpetrated to deploy.

Secondly, it perpetuates a damaging misconception among the public and many policymakers that the financial services industry, both in Australia and globally, is doing their level best to fight fraud when in reality they’re more likely just passing through the cost.

There’s also a plausible argument that the lack of a uniform and definitive fraud liability regime to protect merchants acts as a hidden subsidy to the financial services sector, thus inhibiting product and security innovation.

This is where Taylor’s vision splendid of a collaborative security bargain gets rather messy, especially the notion that “the Forward Defence of Cyber must deliver an economy wide view of cyber security.”

Under the “integrated strategy” of a “new national cyber agenda” Taylor lists some outwardly logical but practically vexed solutions.

Threat blocking and targeting, increased data sharing and “a framework for strong attribution and response to cyber threats” is all logical enough – but would this include individual banks publicly declaring what online fraud they have copped? Not if they can help it.

The real doozey in Taylor’s mix is the notion of cyber insurance.

In his speech Taylor calls out the creation of “an insurance market that recognises investment in security, and the data necessary to support this” as an element of the new national cyber defence posture.

Who and what would be covered – along with how policies would be underwritten – are the most obvious questions.

The pertinent sleeper question is whether the creation of such a cyber insurance market would merely act to exacerbate the current highly questionable liability shift from service providers like banks onto their commercial customers.

Why, for example, should an online business that uses a bank-operated merchant payments acceptance facility, running on bank infrastructure and accepting bank-issued credit cards have to pay a premium for the privilege of not being robbed?

That used to be why you used a bank.

There’s also the question of who would regulate the quality of insurances issued and determine contested claims.

Would policy holders be covered in the event malicious cyber activity was attributed to a nation state? War and civil unrest come to mind.

What effect would insurance cover have on potential liability arising from defective or vulnerable software? How would rent seeking lawyers be controlled?

Perhaps an interim solution on the road to a national cyber agenda would be to expose where current online fraud liabilities fall to a good dose of sunlight.

This could be backed by facilitating the use of standardised, interoperable, opt-in digital identity credentials by banks, as well as government. There wasn’t even a mention of digital identity in Taylor’s speech.

If you can’t manage what you can’t measure, cyber insurance will surely be graded at junk level alongside novelties like dental cover for dogs.