Commenting on the Government's announcement of its cyber security strategy, Aidan Tudehope, managing director, Macquarie Government said: “With COVID-19, we are facing the greatest economic crisis in 100 years, and the cyber security sector is a key sector to provide the jobs of the future.”
“The various government agencies responsible for implementing the strategy need to use it to help address the mass levels of unemployment being experienced across Australia.
“We can’t afford to wait two-to-three years when it will be too late to innovate our way out of this crisis.”
In further comment on the strategy, Tudehope stressed that:
- The strategy, tellingly announced from the very top, is not isolated. Alongside new government cloud security guidelines from the Australian Cyber Security Centre and the Digital Transformation Agency, and Minister Stuart Robert’s planned data sovereignty policy, the government’s direction is unequivocal. Security, skills and sovereignty – right now and developed here in Australia.
- Recent tensions with China have highlighted the importance of data, its sovereignty, and the infrastructure and personnel that hold and access it. Many providers in Australia are subject to the laws of foreign jurisdictions, which extend to the data they hold. In tandem, there are Australian providers with operations and infrastructure abroad. Government is clear that they want sensitive data to be held in Australia by AU providers so that foreign jurisdictions don’t apply. This direction has the added benefit of supporting local jobs when we need them most.
- Further, the new strategy recognises data centres as critical infrastructure, which reflects the digital world we live in while affording this technical real estate the national protection it has earned.
- While federally led, it’s important this strategy extends to state and territory governments, procurement and other pillars to set a strong cybersecurity benchmark and ensure government as a whole is an exemplar of best practice.
The Government's strategy has also attracted comment from a number of other companies in the Australian business community.
The head of Cyber at professional services firm KPMG Australia, Gordon Archibald, said that one in three adults had been affected by cyber crime, and estimates were the cost of cyber crime could rise by “as much as $29 billion per year in Australia alone”.
He said the creation of the Joint Cyber Security Centres within Australian states following the 2016 strategy was a welcome move, and “further investment into these capabilities will go some way to further explain the cybersecurity threat we face, and what we can do about it”.
“For years, we have heard so much more about cyber hacks and incidents than proactive cybersecurity protection strategies. The shift to be more active on addressing cyber security announced today is positive and business and personal focus will shift to be more proactive.
“The strategy announces a $1.67 billion investment over 10 years, the largest ever financial commitment to cyber security in Australia recognising the importance of the internet for our prosperity and way of life but often challenged by the ubiquitous nature of threats from cyber criminals.
“A key focus for the future will be improved security by design, more ability for government to help business and an increased focus on national critical infrastructure.
“The spectrum of cyber security offerings ranges from architecture, design, engineering, build, operations, support and compliance checking. This range of skills is not dissimilar to the house building process, sequential and monitored at each step. However, it’s fair to say cyber security experts are often used far too late in the build of commercial and government systems, often as an afterthought to achieve a compliance tick.
“Oftentimes, security 'bolt-ons' are applied to attempt to shore up gaps in security. Hopefully, we’ll see increased use of cyber security professionals earlier in the lifecycle of projects, to build security into designs.
“Given the importance of the cyber domain especially during COVID-19, we hope to see early realisation of the promises to share threat information 'situational awareness', improved education, preparation for cyber incidents, and cyber protection approaches for individuals, businesses and government.”
Sarah Sloan, head of Government Affairs and Public Policy, ANZ, Palo Alto Networks, said: “Palo Alto Networks congratulates Australia on the delivery of its 2020 Cyber Security Strategy, which outlines key initiatives to help improve cybersecurity awareness, enhance cyber security resilience across the economy and disrupt cyber crime.
“We appreciate Australia’s record financial investment and commitment to partnering with industry to make the strategy a collective effort. We look forward to helping Australia achieve its cyber security goals.
“The government has made it clear in the strategy that it is determined to disrupt the serious criminal activity saturating the dark Web. The strategy cites recent estimates suggesting that cyber incidents cost the Australian economy up to $29 billion – that’s a staggering 1.9% of Australia’s GDP.
“To address this, the government has signalled that it will introduce legislation to bolster the powers of law enforcement and criminal intelligence agencies to identify and disrupt individuals engaging in serious criminal activity online.
“The government will invest over $88 million to bolster the Australian Federal Police’s capabilities to investigate and prosecute cyber criminals and create a fund to co-invest in counter-cybercrime capabilities with the states and territories.
“Strengthening public-private partnerships and threat information sharing have also been identified as a key pillar for action for the government.”
Sloan said: “In our increasingly interconnected world, improving the security and resilience of critical infrastructure entities is crucial to protecting Australia’s economy and national security.
"The government has outlined the introduction of an enhanced security regulatory framework to bolster the nation’s resilience and ensure Australia can act quickly in an emergency.
“The framework includes security obligations for critical infrastructure providers and government assistance to industry in response to immediate and serious cyberattacks on Australia’s most critical systems.
“The package will also provide over $66 million to assist Australia’s major critical infrastructure providers in assessing their networks for vulnerabilities and collaborating to enhance their cyber security posture.
“Finally, the government notes the importance of working with industry to promote security by design – encouraging Internet service providers to deliver secure Internet services and noting the release of a 'Voluntary Internet of Things Code of Practice' to help consumers understand the security and privacy implications of IoT devices they purchase.
“Australia has been lucky to avoid a catastrophic cyber security incident against its businesses to date. It is widely acknowledged that the loss of an essential service could have devastating impacts across Australia. These measures are important in improving security and resilience in critical infrastructure sectors.”
The Australian Industry Information Association welcomed the government's announcement.
AIIA chief executive Ron Gauci said: "We know that critical infrastructure is increasingly becoming a target for cyber crime. Operational technology used in critical infrastructure, manufacturing, sensors or building controllers traditionally operate on separate networks with different protocols. In recent years we have seen the line blurred with these devices becoming IP-enabled or connected to IoT-type devices.
"We appreciate that the prime minister has listened and understands the need to continue investment and support with cyber security - as evident by the Cyber Security Review, which was led by the Department of the Prime Minister and Cabinet, which highlighted that cyber crime is costing the Australian economy in excess of $1 billion annually in direct costs alone.
"While the cyber security industry has long suffered a shortage of skills, there is an even bigger lack of experts who understand the traditionally engineering-focused domain of operational technology and cyber security.
"Australia is short of 2300 cyber security workers, with an expected demand of at least 17,600 additional professionals required by 2026. We hope this investment and focus goes some way to addressing the gap."
Thomas Fikentscher, regional director at information security firm CyberArk ANZ, said: “Australia’s 2020 cyber security strategy is a valiant effort to bring together existing business and community initiatives with actions driven by government agencies.
"In particular, the idea of building a better partnership with the industry through the Joint Cyber Security Centre is critically important to secure digital transformation programs resulting in new digital business models. Receiving guidance for securing critical elements of these programs, such as IoT devices, will be highly beneficial and should be complemented by technology leaders.
"A voluntary code of practice is a good start for leaders to set security expectations for connected devices. However, accountability needs to be enhanced and enforced across all industry sectors to establish the necessary trust related to consuming digital services.
"By managing identities and providing secure access for everyone within a digital society, we will be able to contribute with our expertise in building a more secure online world for all Australians.”
Jason Duerden, managing director, BlackBerry Spark ANZ, said: “The government’s new strategy and corresponding investment in cyber security is a welcome and much-needed step forward in lifting our game as a nation to protect against online threats.
"It's pleasing to see the concept of prevention has finally made its way into the vernacular and guidance. The next step is to recognise that unknown threats, such as the WannaCry attacks in 2017, can also be identified and stopped before they have a devastating impact on Australians.
"Next-generation, predictive endpoint security solutions that block both known and unknown threats have been available for some time now. However the market has been slow to catch up and adopt a preventive, risk management approach to cyber security. The speed of adoption remains a key concern, as procurement processes – particularly within the public sector – often lag months behind the rate that new cyber threats emerge.
“Now we have the over-arching vision, industry will be keen to see new guidance and processes that help to remove barriers to rapid adoption. The escalation and prevalence of ransomware attacks against Australian organisations in critical industries this year alone demonstrates the need for a swift response to this national security and safety issue.
"In addition to more details around the delivery of this new strategy, we also look forward to understanding how success will be measured. It is well past time to put words into action.”
The telecommunications industry lobby group, Communications Alliance, said the cyber security strategy was an important step toward strengthening Australia's cyber security and online resilience across government, small and large businesses, and the community at large.
"We commend the government for the planned measures to enhance existing collaboration between critical infrastructure sectors, by improving the sharing of threat data", said Communications Alliance chief executive John Stanton.
"We will engage with stakeholders to develop a clearer understanding of the details of the Strategy, such as the definitional aspects around "systems of national significance" and "critical infrastructure entities".
"Equally important is transparency around what government intends where the strategy refers to potential 'direct action' by government to protect networks and systems in times of cyber crisis.
"Our industry is uniquely placed to understand the technical challenges and intricacies of our networks. Government needs to consult collaboratively with industry on these aspects, to ensure that the infrastructure our industry owns and operates so successfully remains actively and passively protected from cyber interference.
"It is important that any proposed new measures are built around principles-based outcomes, and are proportionate to the risks and circumstances in each sector, as outlined in the strategy. Given the criticality of any actions taken, we must ensure that appropriate checks and balances are in place, to avoid unintended consequences.
"We will only be able to significantly lift our game if our workforce in all sectors has the skills to effectively address the challenges that lie ahead. We have previously highlighted this issue and are pleased that it has been recognised by government as an area of focus."
He said the strategy required careful implementation and a major effort would be needed to translate the high-level action plan into practical, efficient and effective measures.
"We are keen to work closely with government and other relevant stakeholders to understand what this Strategy means for a mature industry such as telecommunications, which is relatively advanced in the protection of its critical infrastructure and the regulation associated with this," Stanton added.
Robert Le Busque, regional vice-president Asia Pacific, Verizon Business Group, said: “The launch of Australia’s Cyber Security Strategy 2020 report heralds an important development in bringing together the cyber security industry.
"Building on the reforms from 2018, the report underscores the ongoing importance of securing our critical and essential services, including telecommunications, which in these current times, play such a vital role in supporting the community, business and government sectors.
"Additionally, we welcome the ongoing investment in the Joint Cyber Security Centre, with the expansion of programs to better align industry and government, including the support for small and medium businesses that are often a primary target for cyber attacks.
"Key to the success of these initiatives will be our ability to understand the threat landscape and to ensure vigilance on the reporting of cyber incidents across the economy.”
Garrett O’Hara, principal technical consultant of email security provider Mimecast, said: “Mimecast applauds the government’s commitment to strengthen support for small and medium businesses to upgrade their cyber security strategies. Most SMBs want the best cyber security possible, but it’s not always affordable, easy to implement or easy to access.
“Many SMBs operate in supply chains and interact closely with each other, meaning those that aren’t secure or resilient, become ‘weak links’ that proliferate bigger problems across society. Providing these companies support to access mature technologies and raising their awareness of the risks, the ‘gotchas’, and the change in behaviour required to ensure all staff are ‘levelling-up’ from a security perspective, will improve the security posture for all businesses and make a huge impact on the resilience of the nation as a whole.
“Mimecast looks forward to seeing how the government will provide this support and we recommend there’s a strong opportunity to do so via financial incentives. For example, lowering cyber insurance premiums for a business if it’s provided access to leading security technology, so it can save on the reactive side of security to invest more heavily in the preventative side.”
Terry Burgess, vice-president for identity and access management software vendor Sailpoint in the Asia-Pacific and Japan, said: "The current COVID-19 landscape has placed a huge strain on existing systems and infrastructures. The government’s move to legislate cyber standards on operators of critical infrastructure means organisations — whether telco, financial services or healthcare — must now shore up their cyber security strategy.
"However, this is not easy. Organisations must balance being compliant to regulation on data access and management (from GDPR to CCPA and The Privacy Act), while also enabling government access to intelligence about malicious cyber activity.
"A robust, agile and scalable data governance program is crucial to meeting these challenges and complying with this new legislation. By shifting away from security approaches centred around perimeter defences, and towards those that elevate the role of identity, organisations can achieve clear visibility over data risks embedded within their infrastructure, while also ensuring data insights are actioned against cyber criminals."
“The report states that 98 per cent of Australian businesses are SMEs and 39% of SMEs don't use multifactor authentication and 32 per cent do not make daily data backups yet the recommendation to address this is to provide "cyber security toolkits, trusted advice and practical assistance",” said Mark Sinclair – ANZ Regional Director, WatchGuard Technologies.
“The help offered via this strategy for small and medium businesses is woefully inadequate. Australian businesses are cutting spending on cyber security just to stay afloat in these challenging economic times. To make matters worse, most businesses now have many more staff working from home where their cyber security posture is much lower than being physically connected to an office network. If anything, businesses need to be spending more on securing their remote workforce, not less. Toolkits and trusted advice can only go so far.
“The government has clearly missed the mark for supporting small and medium business. They should be offering financial assistance directly to Australian businesses to help them invest in technology to bolster their cyber defences and to engage companies to deliver security awareness training to their staff. It would even have the added benefit of creating more jobs in the local cyber security services industry.”
Simon Howe, Vice President Sales – APAC, LogRhythm said: “The Australian Government 2020 Cyber Security Strategy report is a timely reminder of the need for urgent cyber hygiene among both enterprises and Australian households. The high number of malicious attacks as reported in the latest OAIC Notifiable Data Breaches Report for the first half of 2020 suggests that many IT security teams might not have a good idea of what sensitive personal data the organisation is processing and what is “normal” use of it, making the prospect of a data breach even more frightening. At the same time, with troves of data being generated, no security teams will ever be large enough to analyse them.
“While security automation technology can streamline the process to allow security teams to focus only on the most suspicious activities and everyone would like to believe they’re secure, the reality is that a motivated attacker will almost always find a way onto your network. One point of defence is to ensure that organisations have the capability of monitoring all user and system activity, then analysing and correlating that meta-data to define normal and identify suspicious or malicious behaviour. CISOs can also go a step further and conduct threat hunting through their log sources, allowing organisations to investigate with an open mind and find adversaries and assets where they might not have thought to look before.
“The report reinforces the need to encourage good security habits and for organisations to train employees on best practices and how to spot common attacks. After all, it only takes one person to click on a phishing link to give the foothold needed on a network. At the same time, it will now be important for the Australian Government to set out how cyber security performance metrics will be measured and how it intends to report on any funding allocation.”
Glen Maloney, ANZ Regional Sales Manager, ExtraHop said: “The report would suggest that malicious attacks are far from dead and buried and that perpetrators remain as resourceful as ever they were. Unlike large enterprise organisations that can throw substantial resources towards network and data protection, Australia’s medium-sized businesses are more constrained, yet they face some of the most demanding security challenges due to the dynamic nature of their supply chain.
“At the same time, what with remote and mobile workers today being the front line for many businesses, the key to their productivity and success is having easy to use, highly secure access to critical data, resources and applications. Where data loss is accidental or malicious, IT teams need to ensure that they have insight into the magnitude of a potential data loss problem, identify security gaps, and develop a proactive approach to stop data loss before it happens.
“Indeed, for Australian organisations whose cyber-security strategies haven’t evolved apace, they need an approach that assumes a compromise of one of their systems and equips them to detect attack activity before it causes too much damage.
“Investing in new generation technologies which provide enhanced protection for mission critical systems can pay rich dividends for enterprises which value business continuity and data integrity.”
“Ping Identity welcomes the Federal Government's Cybersecurity Strategy 2020, but cautions that it may not be detailed enough to give certainty to consumers and businesses. Cybersecurity threats, identity theft and data breaches are increasing year on year,” said Mark Perry, APAC CTO, Ping Identity.
“Consumers and businesses would benefit from definitive timelines for a minimum cybersecurity baseline across the economy, beyond the consideration of future consultation and obligations discussed in the strategy.
“Ping believes that common industry cybersecurity best practices, including the encryption of Personally Identifiable Information (PII) and Two-Factor Authentication, two examples highlighted in the government's Identity Advisory Panel Report of July this year, should be made mandatory for businesses over a certain size, beyond those involved in critical infrastructure. A formal roadmap for the implementation of these, and other minimum cybersecurity controls, should be published.
“Many cybersecurity controls are now mainstream, cost-effective and easily implemented. And yet their takeup remains piecemeal, especially in the SMB market. Government direction, in the form of a defined timeline for implementation, is needed to influence Australia's cybersecurity direction sooner rather than later.”