The Australian Government released its much-anticipated Australian Cyber Security Strategy on 21 April 2016 (“Strategy”). The Strategy, which was commissioned in 2014, takes a top-down approach to cyber security, with an emphasis on arming the Government and business leaders with the knowledge and tools needed to improve cyber security across the board. The Strategy’s aim is to improve information, education and standards in order to create an ‘open, free and secure’ Internet.
The Cost of Cyber Insecurity
Growing connectivity means that cyber breaches will become more frequent and their consequences more widespread and drastic. The Internet economy is growing at double the speed of the rest of the economy and in 2014 constituted 5.1% of Australia’s GDP. Without security assurance the full potential of cyberspace cannot be harnessed.
In 2015, cyber breaches cost Australians over $1 billion. They also caused a loss of 1% of GDP, which equates to an additional $17 billion lost. The cost of cyber insecurity is therefore extremely high, leading Cisco to call it a ‘tax on growth’. In this Strategy, the Government has pledged $230 million over four years towards improving cyber security. Labor has thrown its support behind this plan to crack down on cyber-attacks. But considering the huge cost of breaches, it is questionable whether this is a proportionate response.
The Strategy aims to encourage cooperation between the private and public sectors, in order to remove weak links at all levels, making security more robust and foolproof. This involves the establishment of public-private sector ‘threat sharing centres’ in capital cities, where industry players can share information about security threats and responses, as well as a Cyber Security Growth Centre to coordinate a national cyber security innovation network. The Government will also establish corresponding online portals if the pilot operation is successful.
Companies within the ASX100 will also be able to submit to cyber security governance health checks, which will diagnose any security issues and begin to implement across-the-board security standards. The emphasis is mainly on larger firms, although the Strategy does promise to “provide support for small businesses to have their cyber security tested”.
Overall, the Strategy places emphasis on sharing information and advice. Cyber insecurity is presented as a threat to one and all, which will only be combatted through cooperation. This is partly because breaches within one firm can provide an entry point for hackers into other connected organisations. There is an emphasis on good practice, which will be encouraged through the establishment of the national voluntary Cyber Security Guidelines against which company standards can be measured. These are to be formulated by Government and business leaders at the annual cyber security meetings, which will also set the strategic cyber security agenda and drive the Strategy’s implementation.
The Government will appoint the first ever Cyber Ambassador who will lead Australia’s international cyber security effort and identify opportunities for international cooperation. Cyber breaches pose not only an economic threat but also a threat to international security, which mandates international cooperation. Developing norms surrounding Internet use and cyber security globally will have a widespread positive effect.
Established in 2014, this inter-agency is well situated to address threats at every stage. The Government will improve funding to the different elements of this initiative, such as the Computer Emergency Response Team (CERT), to which businesses are encouraged to report security breaches, and the Australian Signals Directorate, which has, in the past, been pivotal in threat detection.
Education and Training
The other emphasis of the Strategy is to improve ‘cyber security skills’. The Government hopes to not only improve education at the university level but also to inject these skills into the workforce starting at the executive level. This corresponds with the Government’s top-down approach, which emphasises that it is not just the job of the ICT department to tackle cyber security, but that it is central to business operation and board responsibility.
For the Government’s Strategy to be successful it is essential that businesses work with the Government to set and abide by guidelines, educate staff, and report breaches. While it is undeniable that this Strategy says the right things, time will demonstrate whether there is a wholesale improvement in cyber security.