With only one month to go until the Government's scheduled delivery date for its new national cyber security policy, last week was the first time we saw any indication of industry engagement.
The Communications Alliance responded to the Department of Prime Minister and Cabinet’s call for submissions on the cyber security review last Thursday.
The Comms Alliance submission [pdf] is the first we've seen of any consultation with affected parties, which raises the question: is the cyber security review team even close to being ready?
With a policy of this kind, you'd expect views of other industry verticals and stakeholders to be well canvassed and represented.
Critical national infrastructure, the private security industry, professional bodies such as the Australian Computer Society (ACS) and the Australian Information Security Association (AISA), academia and the SMB market should all be engaged in the process.
Without views from all of these diverse market sectors, as well as a clear understanding of how Australia will play on the global cyber security stage, the review might not deliver the alignment with our friends and allies overseas that it set out to.
That being said, I wholeheartedly agree with much of the sentiment proffered by the Communications Alliance’s submission, especially the headlines concerning coordination, optimisation and efficiencies in using government resources to fight cybercrime.
The first major challenge identified by the submission is that of the shortage of “cyber security specialist resources".
This is not just an Australian problem, it’s a global one that no single nation has managed to successfully tackle.
“As matters stand today, telecommunications industry members have highlighted a shortage of supply of specialist resources in various areas, e.g. in forensics, penetration testing, incident management and risk assessment...” the Comms Alliance wrote.
“Industry urges Government to develop a cyber security strategy that includes a targeted program to develop and retain Australia’s expertise in this area."
The primary question I'd be asking here is whether this is the Government's responsibility, or whether it falls to the professional body that represents the security profession in Australia (i.e. AISA) to support government and private industry alike.
Maybe the federal government should consider extending and evolving the Information Security Registered Assessors Program (IRAP) to cover more disciplines within the security profession, rather than simply covering risk and audit.
GCHQ has done this successfully in the UK with CESG's Certified Professional (CCP) scheme. This UK scheme allows security professionals to train and certify via their preferred track, be it academic training, professional training or industry experience, to reach the level of experience required to be certified to deliver government-grade security.
When individuals decide to get started in the profession, they can choose the career path from a set of nationally recognised roles and work towards their own individual goals, be it a security architect, risk manager, forensics expert, or penetration tester.
To make this work for the UK as a nation, the scheme incorporates a cooperative agreement between the government, the British Computer Society and the UK’s equivalent of AISA, the Institute of Information Security Professionals.
The second opportunity highlighted by the Communications Alliance is that of "cyber security literacy of individual and businesses". I would go as far as to say that the Cybersmart program, created by the Australian Communications and Media Authority (ACMA), is world class. What's missing is the go-to-market strategy.
If this material were proactively taken into schools and colleges by qualified individuals (perhaps certified through AISA) to deliver it to kids, it would not only raise individual awareness and make our kids safer, it would also build a pipeline of interested kids who now see cyber security as a career option.
The final aspect of the Communications Alliance's submission that needs careful consideration relates to a topic I covered in a previous blog post, that of cooperation and information sharing.
A joined-up approach is certainly getting security vendor focus via the Mitre Corporation’s Structured Threat Information eXpression (STIX) standard.
This allows security technologies to share threat information in a common format, meaning you could build an analysis and threat identification service within Government that feeds threat intelligence in real time directly to subscriber systems, be they private or government security operations centres.
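To make the producer/subscriber model concrete, here is a small added example (not code from the original post or from Mitre) of what such an exchange looks like on the wire. A "government" producer builds a STIX bundle of indicators in the STIX 2.1 JSON shape (now maintained by OASIS rather than the STIX 1 XML of 2015), and a subscriber SOC loads the bundle and matches the indicator patterns against its own log lines. The indicator values, names and log lines are constructed for illustration (documentation IP ranges and `.example` names, not real IoCs), and only a single-comparison subset of the STIX pattern language is parsed; a real consumer would use a full pattern engine and a transport such as TAXII.

```python
"""Minimal STIX 2.1 indicator exchange: a producer builds a bundle, a
subscriber parses it and matches the indicator patterns against its logs.
Added example; sample indicators and log lines are constructed, and only a
small subset of the STIX pattern language is parsed here."""
import json
import re
import uuid
from datetime import datetime, timezone

# Tiny subset of STIX patterning: a single comparison such as
# [ipv4-addr:value = '203.0.113.7'] or [domain-name:value = 'c2.bad.example'].
# Compound patterns (AND / OR / FOLLOWEDBY) are deliberately rejected.
_PATTERN_RE = re.compile(r"^\[\s*([a-z0-9-]+):([a-z_.]+)\s*=\s*'([^']*)'\s*\]$")


def make_indicator(pattern: str, name: str, now: datetime) -> dict:
    """Build one STIX 2.1 Indicator object (spec_version, pattern_type and
    valid_from are required properties in 2.1)."""
    stamp = now.strftime("%Y-%m-%dT%H:%M:%S.000Z")
    return {
        "type": "indicator",
        "spec_version": "2.1",
        "id": f"indicator--{uuid.uuid4()}",
        "created": stamp,
        "modified": stamp,
        "name": name,
        "pattern": pattern,
        "pattern_type": "stix",
        "valid_from": stamp,
    }


def make_bundle(objects: list) -> str:
    """Wrap STIX objects in a Bundle and serialise to JSON for transport."""
    return json.dumps({"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": objects})


def parse_pattern(pattern: str):
    """Return (object_type, property, value) for the supported subset, else None."""
    m = _PATTERN_RE.match(pattern.strip())
    return m.groups() if m else None


def match_bundle(bundle_json: str, log_lines: list) -> list:
    """Subscriber side: load the bundle and report (indicator name, log line) hits."""
    bundle = json.loads(bundle_json)
    hits = []
    for obj in bundle.get("objects", []):
        if obj.get("type") != "indicator" or obj.get("pattern_type") != "stix":
            continue  # only STIX-pattern indicators are handled here
        parsed = parse_pattern(obj["pattern"])
        if parsed is None:
            continue  # pattern uses syntax this toy matcher does not support
        _obj_type, _prop, value = parsed
        for line in log_lines:
            if value in line:
                hits.append((obj["name"], line))
    return hits


# Constructed sample logs (documentation IP ranges / .example names, not real IoCs).
SAMPLE_LOGS = [
    "2015-04-20T10:01:02Z proxy allow src=10.1.1.5 dst=198.51.100.9 host=www.example",
    "2015-04-20T10:01:09Z proxy allow src=10.1.1.7 dst=203.0.113.7 host=c2.bad.example",
    "2015-04-20T10:02:44Z dns query src=10.1.1.9 qname=c2.bad.example",
]


def demo() -> list:
    """Producer builds the bundle, subscriber matches it; returns the hits."""
    now = datetime(2015, 4, 20, tzinfo=timezone.utc)
    bundle = make_bundle([
        make_indicator("[ipv4-addr:value = '203.0.113.7']", "constructed C2 address", now),
        make_indicator("[domain-name:value = 'c2.bad.example']", "constructed C2 domain", now),
    ])
    return match_bundle(bundle, SAMPLE_LOGS)


if __name__ == "__main__":
    for name, line in demo():
        print(f"{name}: {line}")
```

The point of the shared format is in `match_bundle`: the subscriber never needs to know which vendor or agency produced the indicators, only how to read STIX, which is what lets a central service fan the same intelligence out to many SOCs.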
And while this all sounds like a pipe dream, it's not technology that's holding us up; it's getting government to identify who's responsible for cyber security, then empowering them with skilled people, mature processes and adequate investment to make it work.
The submission from the Communications Alliance is certainly a realistic and considered set of insightful viewpoints, and looks not only at what's wrong but also at the opportunities presented to Australia if it gets the review right.
I just hope that other industry verticals take the time to respond, and I urge them to publish their submissions openly so that when the review finally leads to policy revision, we can see if government has actually listened.
[Update 20.4.15: The Department of Premier and Cabinet informed iTnews it has consulted with over 140 organisations globally, and the review is scheduled to be completed midway through this year].