The evolving cyber-security threat landscape
In 2016, the Australian Government proposed an overhaul of the cyber-security strategy (2016 Cyber Strategy) which was the first update to the nation’s cyber-security since 2009. The 2016 Cyber Strategy emphasised heavy reliance on assistance from Australian businesses to share data to prepare rapid responses to security threats. In essence, the 2016 Cyber Strategy emphasised a ‘light touch’ to regulation of cyber security with a focus on helping businesses develop their cyber-security capabilities.
In the last four years, the landscape of cyber-security threats in Australia has grown at an alarming rate. Between July 2015 and June 2016, CERT Australia (the national Computer Emergency Response Team) responded to 14,804 cyber-security incidents affecting Australian businesses, 418 of which involved systems of national interest and critical infrastructure.1 Between 1 July 2016 and 30 June 2017, the Australian Signals Directorate (ASD) responded to 671 cyber-security incidents considered serious enough to trigger operational responses.2 In 2017, cyber criminals stole $2.3 billion from Australian consumers.3 Between April 2018 and March 2019, there were 964 data breaches notified under the Notifiable Data Breaches scheme, 60% of which were the result of malicious or criminal attacks.4
In response to the changing threat landscape, the Department of Home Affairs released a discussion paper entitled “A Call for Views” inviting submissions from all organisations (from small businesses to large corporations) to provide their views on how Australia can create a more secure cyberspace for all stakeholders (Consultation Process). The Department received 156 public submissions in response to the discussion paper.
The Minister for Home Affairs also established an Industry Advisory Panel, comprising key executives of major telecommunications providers and former members of government in order to provide strategic advice for the development of a new Cyber Security Strategy in 2020. The Industry Advisory Panel met 13 times between November 2019 and July 2020 and provided its final report on 21 July 2020 with recommendations centred around five key pillars.
On 6 August 2020, the Department of Home Affairs released its new Cyber Security Strategy (2020 Cyber Strategy) incorporating feedback from the public submissions as well as the recommendations of the Panel.
In this update, we explore the common themes that arose during the Consultation Process and the findings of the Industry Advisory Panel, and provide a brief overview of the 2020 Cyber Strategy and its primary goals. Finally, we explore how the strategy will protect Australia’s critical infrastructure and the key points of the ‘Action Plan’ in the 2020 Cyber Strategy, which outlines the actions to be taken by government, businesses and the community.
Themes from the Consultation Process
As part of the Consultation Process, the Australian Government received more than 215 submissions from individuals and organisations, 156 of which are public. The Government also met with more than 1,400 people across the nation in face-to-face consultations, including workshops, roundtables and bilateral meetings. A number of general themes emerged from the Consultation Process, including the worsening threat environment and the need for businesses to shore up their defences.
However, some more specific themes arose that were of particular interest to the discussion. The overarching concept was that of defining roles, and identifying the strengths and weaknesses in stakeholder sectors (with the idea of developing a strategy that will allow these stakeholders to ‘talk to one another’ better). These include:
- Human error is almost always part of the problem;
- Small businesses are particularly vulnerable;
- Government and industry need to partner with one another;
- The ability to respond to cyber threats is sometimes being outstripped by rapidly advancing threats; and
- The roles and responsibilities of stakeholders in the rapidly evolving cyber space need to be clearly defined.
Findings of the Industry Advisory Panel
The Industry Advisory Panel (Panel) was formed in November 2019 to advise the Government on key strategic priorities for the 2020 Cyber Strategy and any barriers to the delivery of the strategy.
On 21 July 2020, the Panel released its final report, which outlined its recommendations for the 2020 Cyber Strategy. The recommendations are structured around a framework of five key pillars:5
- Deterrence (deterring malicious actors from targeting Australia)
- Prevention (preventing people and sectors in Australia from being compromised online)
- Detection (identifying and responding quickly to cyber security threats)
- Resilience (minimising the impact of cyber security incidents)
- Investment (investing in essential cyber-security enablers)
With regard to deterrence, the Panel recommended increased transparency of Government investigative activity and strengthening the ability of the Australian Cyber Security Centre (ACSC) to disrupt cybercrime by targeting its proceeds.
On prevention, the Panel recommended pursuing initiatives that make businesses and citizens in Australia harder to compromise online, including a clear definition of critical infrastructure and systems of national significance. The Panel also recommended that all levels of Government should take measures to protect public sector networks from cyber-security threats.
Regarding detection, the Panel recommended the establishment of automated, real-time and bi-directional threat sharing mechanisms between industry and Government, starting with implementation of these mechanisms in critical infrastructure sectors.
On resilience, the Panel recommended developing proactive mitigation strategies and strengthening incident response and victim support systems. The Panel also recommended that the Government should regularly hold large scale and cross-sectoral cyber-security incident response exercises to improve the preparedness of government agencies and critical infrastructure providers.
In relation to investment, the Panel recommended ongoing development of specialised capabilities in the ACSC and the state-based Joint Cyber Security Centres (JCSCs). The Panel also recommended that the Government and industry continue to invest in cyber-skills development, both at a professional level and through education and training at primary, secondary and tertiary level.
Clear Roles and Responsibilities
The Panel agreed that it was very important to clearly define the roles and responsibilities of the various stakeholders. The Panel recognised the need for the Government to change the way that it organises its resources to effectively fight cyber-security threats across Australia. However, the Panel also stated that cyber-security was not only the responsibility of Federal Government and that it would require effective co-ordination with other tiers of Government as well as collaborating with industry and broadening community awareness of cyber issues.
Overview and primary goals of the 2020 Cyber Strategy
Following on from the themes identified during the Consultation Process, the 2020 Cyber Strategy appears to have been very much targeted at a complementary, ‘help me help you’ approach to Australia’s cyber security. Where potential shortcomings have been identified, it is intended that the three key stakeholder groups – Government, Business and Individuals – have a clearer idea of how resources can best be shared and utilised.
Broadly speaking, these three key stakeholders will interrelate and support each other as follows:
The Strategy aims to foster and build trust in the online world by supporting businesses’ and individuals’ cyber resilience, by setting clear expectations of roles, sharing threat information, and strengthening partnerships.
Focus on critical infrastructure
In the wake of a sophisticated state-based cyber-attack on Australia’s critical infrastructure providers (announced by the Government on 19 June 2020), the Government has identified particular risks around cyber-attacks on essential service providers including healthcare, education, banking and water. Accordingly, the Government has prioritised protection of critical infrastructure from future attacks given the potentially adverse ramifications of such attacks on the economy. The 2020 Cyber Strategy cites the 2015 cyber-attacks on power facilities in the Ukraine and the 2017 Triton (malware) attacks on Saudi petrochemical facilities as examples of cyber-attacks that can cause significant disruption to economic prosperity and way of life.6 The 2020 Cyber Strategy intends to protect Australia’s critical infrastructure on two fronts – actions by government and actions by business.
The Australian Government will protect Australia’s critical infrastructure providers from cyber threats using three methods, namely legislative reform, development of new powers and investment:7
- Legislation: the Government will introduce legislation in relation to critical infrastructure and systems of national significance. We expect that it will impose minimum standards of cyber security on critical infrastructure providers;
- Development of new powers: In consultation with critical infrastructure providers, the Australian Government will develop new powers proportionate to the consequences of a sophisticated cyber-attack, accompanied by appropriate safeguards and oversight mechanisms. In the event of a sophisticated attack on critical infrastructure, depending on the circumstances, the Government will provide critical infrastructure operators with expert advice, direct assistance or use of classified software to minimise the potential downtime of essential services; and
- Investment: The 2020 Cyber Strategy will invest $118 million to expand the data science capabilities of the Australian Signals Directorate. The Government will invest a further $66.5 million to assist major critical infrastructure providers to assess their own vulnerabilities to shore up their cyber-security posture. The Government will invest an additional $20.2 million into cutting-edge research to understand threats to technologies that underpin Australia’s critical infrastructure.
The Government is developing an enhanced regulatory framework that will uplift security in critical infrastructure sectors, with a focus on preventing incidents wherever possible. Due to the interconnected nature of critical infrastructure sectors, the framework will be built around principle-based outcomes and underpinned by guidance and advice proportionate to the risks and circumstances in each sector. The framework will also clarify the Government’s minimum expectations of cyber security and will include:8
- an enforceable positive security obligation for designated critical infrastructure entities;
- enhanced cyber-security obligations for entities deemed most important to the nation;
- Government assistance for businesses in response to cyber-attacks; and
- voluntary measures to strengthen engagement with businesses in relation to risk.
The enhanced regulatory framework will be introduced by amendments to the Security of Critical Infrastructure Act 2018 (Cth).
Action Plan of the 2020 Cyber Strategy
The complementary, tri-pronged approach proposed in the 2020 Cyber Strategy will be bolstered by $1.67 billion funding over 10 years, and supplemented by various initiatives such as:
- Investment in critical infrastructure, nation-state threat defence and new and emerging threats including on the dark web;
- Additional funding towards JCSCs to foster partnerships between state and territory governments and industry;
- A 24/7 cyber security advice hotline for SMEs and families; and
- Government-run education programs (most likely in consultation with expert cyber security vendors) for SMEs and individuals to increase cyber resilience.
The specifics of the proposed new laws to enforce the key tenets of Australia’s new cyber-security strategy remain relatively unknown. It is unlikely that we will see any legislative changes take effect for some time. As a first step, the Commonwealth Government intends to consult with Australian businesses in order to “consider legislative changes that set a minimum cyber-security baseline across the economy”.
The consultation will consider reform options including:9
- Expanding the offshore powers of the ACSC;
- The role of privacy, consumer and data protection laws;
- Duties for company directors and other business entities; and
- Obligations on manufacturers of internet connected devices.
The 2020 Cyber Strategy is also committed to creating a more secure ‘Internet of Things’ (IoT) for Australian consumers and businesses. The IoT refers to physical devices that can connect to the Internet and/or to each other. As part of this initiative, the Government will release a voluntary Code of Practice containing 13 principles to inform businesses about the cyber security features expected for IoT devices, such as smartwatches, fridges, baby monitors and pacemakers. The Government will also provide guidance for consumers to consider when purchasing IoT devices.
The 2020 Cyber Strategy is timely, given the significant increase in cyber-incidents in Australia across multiple sectors. The policy represents a recognition by government of the significant economic and security impacts of cyber-attacks in a changing world, and that more coordination is required to ensure cyber-resilience.
The message to businesses is also clear – they will be expected to prioritise cyber-security not only in relation to their own systems but also in respect of the products they provide.
While the 2020 Cyber Strategy makes it clear that cyber security is not only the responsibility of government, it does appear to signal a move towards more regulation and the development of national minimum standards. This is particularly so for critical infrastructure sectors, where there will be a particular focus to ensure acceptable standards of cyber security practices are adhered to.