Turnbull advisor offers peek at cybersecurity strategy

A key advisor to Prime Minister Malcolm Turnbull has foreshadowed what will be involved in the government's impending cyber security strategy, revealing a focus on education, guidelines and international partnerships.

The comments were made by the first assistant secretary of cyber policy and intelligence at the Department of Prime Minister and Cabinet, Lynwen Connick, at the AISA national conference in Melbourne this morning. 

Connick is also a key author of the national cybersecurity strategy, which is due to be released later this month. 

The review of the national cyber security guidelines was initiated by the Abbott government late last year, and undertaken by a panel that included Australian Strategic Policy Institute international cyber policy director Tobias Feakin. 

During her speech, Connick said Australian businesses would not be able to fully benefit from new, disruptive technologies such as the internet of things without a strong focus on cybersecurity. 

"During our review, we heard if we improve cybersecurity, that will support innovation in cyberspace more generally, and enable innovation more generally [in the economy]," Connick said. 

"We all know malicious entities pose risks to Australians and Australian businesses. Information security is a cornerstone of business security, protecting client, financial and inventory data, and that should be a high priority of us all." 

Network effects and guidelines 

Compromising one organisation's systems will affect all others, Connick said, and therefore it was important to take a co-ordinated appraoch to online security across the economy. 

"One in 10 Australian businesses have reported losses due to cybercrime of more than $1 million per year since 2010, and the direct cost to the Australian economy is conservatively estimated at $1 billion per year," Connick said. 

Connick argued commonwealth, state and territory governments, as well as the the private sector, would have to cooperate on online security. 

"It's not a problem we in government can tackle alone, and we recognise that. It needs to be a priority at all levels of organisations, in particular senior leadership." 

One way the federal government intends to help private sector organisations is through the creation of guidelines that can be applied to any organsiation. 

These guidelines will emphasise basic cyber hygiene, including threat detection, monitoring administrator privileges and avoiding malware.  

They will also stress organisations need multiple layers of protection, including good security practices, training and education, having up-to-date documentation and constantly monitoring for internal and external threats, Connick said.

"Those we've consulted have told us we need to promote [basic cyber hygiene] in practices and guidelines that all organisations can easily apply. This will ensure everyone we connect to have reasonable ICT security and these connections won't increase our vulnerabilities," she said. 

Global help

Connick said there was an important international aspect to the discussions of Australian cybersecurity. 

While global partnerships are important because many threats originate outside Australia's borders, she said, there were also global business opportunities in the export of cybersecurity products and services. 

"At a more global level, cybersecurity opens up opportunities internationally, as long as countries support access to the internet. This is not universally the case," Connick said. 

"Australia is working hard to counter these views... and a key way to achieve this is by helping to build confidence in the internet and capacity in cybersecurity, both globally and close to home. 

"We're taking the lead, but we probably need to do more." 

Education 

Another key focus area for the cybersecurity strategy will be education, Connick said.

She said governments needed to do more to develop skills at all levels of the education system and get more students interested in cybersecurity careers.  

"A key issue raised regularly is the need to increase cybersecurity skills in Australia. This is a worldwide problem, but we need to act locally," Connick said. 

"One of the best ways to do this is to encourage [high school students] to take the right subjects to enable them. We need appropriately targeted and tailored courses at university." 

The strategy will aim to encourage more diversity in Australia's cybersecurity workforce, and in particular attract more women to the sector. 

"In addition to increasing the skills of our cybersecurity workforce, we also need to raise awareness about cybersecurity. Surveys show Australians are more likely than people in other similar countries click malicious links or run malicious software," Connick said.

"We have a number of initiatives, but people have told us we need to be joined up in the approach we use."