22 July 2020

Australian Cyber Security Strategy

The Industry Advisory Panel on Australia’s 2020 Cyber Security Strategy appears to be underwhelmed by the Commonwealth government's approach. In its report this week it comments:
Technology now sits at the very heart of the lives of most Australians and increasingly shapes our economy, our society and our future. It is fast changing how we live, learn and work as well as creating incredible new opportunities, efficiencies and benefits - from remote working to digitised global supply chains, from tele-health to e-commerce. The Federal Government is clear-eyed about the opportunities:
“Our Government’s goal is for Australia to be a leading digital economy by 2030. Our degree of success will be critical to income growth and job creation over the next decade and beyond. Our extensive policy agenda encompasses digital access, connectivity, consumer data and competition policy, government service delivery and skills development, trade and global e-commerce governance, as well as the necessary focus on security and privacy concerns.” Prime Minister Scott Morrison BCA annual dinner keynote 21 November 2019
The scope and timing of that ambition is well placed. As we enter the 2020s the world is on the exciting cusp of a fourth industrial revolution driven by connectivity and digital technologies. Artificial intelligence, sensors, autonomous machines and systems, edge compute, augmented reality and 5G will combine to create incredible new products and services, infuse the physical world with digital, revolutionise business operations, elevate human work, and serve customers and citizens in many new ways. 
All of this was true before the emergence of the COVID pandemic which has only further underlined the importance of the digital economy in Australia. In responding to COVID, mandatory social distancing and self-isolation means healthcare, education, work and commerce and even staying in touch with friends and family are largely being done online. Looking beyond this crisis, technology and our ability and willingness to embrace the digital world has now emerged as central to a rapid economic recovery. 
With so much at stake, robust and effective cyber security has never been more important and the 2020 Cyber Security Strategy Industry Advisory Panel welcomed the opportunity to contribute to that outcome. 
Australia’s 2020 Cyber Security Strategy 
The Panel were engaged in late 2019 at a time when the Federal Government were reviewing the progress of the landmark 2016 Cyber Security Strategy. This work led to the establishment of the Joint Cyber Security Centres, creation of cyber.gov.au as a one-stop-shop for cyber security advice and the establishment of key leadership positions including the Ambassador for Cyber Affairs. 
Despite these achievements the Government acknowledged that significant and ongoing changes in the scope, scale and sophistication of cyber threats required an evolution in our approach to cyber security as a nation. Minister for Home Affairs, Peter Dutton, has described how meeting the evolving cyber challenge is key to Australia’s economic prosperity and national security. In September 2019 he said:
“Cyber security has never been more important to Australia’s economic prosperity and national security. In 2016, the Australian Government delivered its landmark Cyber Security Strategy, which invested $230 million to foster a safer internet for all Australians. Despite making strong progress against the goals set in 2016, the threat environment has changed significantly and we need to adapt our approach to improve the security of business and the community.”
“Cyber criminals are more abundant and better resourced, state actors have become more sophisticated and emboldened, and more of our economy is connecting online. Cyber security incidents have been estimated to cost Australian businesses up to $29 billion per year and cybercrime affected almost one in three Australian adults in 2018.”
This escalation in malicious cyber activity has only increased during COVID as we have been forced to work, learn and connect from home, outside of some of our usual security frameworks. We are seeing malicious actors including criminals and state based actors exploiting this opportunity to their own advantage, to the significant risk and detriment of Australian citizens. 
On 30 June 2020, Prime Minister Scott Morrison pointed to the urgency of the issue: “The Federal Government’s top priority is protecting our nation’s economy, national security and sovereignty. Malicious cyber activity undermines that.” Australia’s ability to prosper as a digital economy can be enhanced if we increase our investment in our cyber defences. We must move to comprehensively protect ourselves and our businesses from cybercrime, protect our national infrastructure and improve the security of our institutions – including our democratic electoral processes, which have been the subject of malicious cyber-attack in other parts of the world. It is crucial we act quickly and decisively. 
The 2020 Cyber Security Strategy Industry Advisory Panel was formed in November 2019 and asked to provide advice from an industry perspective on best practices in cyber security and related fields; emerging cyber security trends and threats; key strategic priorities for the 2020 Cyber Security Strategy; significant obstacles and barriers for the delivery of the 2020 Cyber Security Strategy; and the effect of proposed initiatives on different elements of the economy, both domestic and international. 
The Panel met 13 times between November 2019 and July 2020, including two meetings with Minister Dutton and formal briefings, including some classified, from the Department of Home Affairs, the Australian Signals Directorate, the Attorney-General’s Department, the Department of the Treasury, the Australian Competition and Consumer Commission, the then Department of Communications and the Arts, the eSafety Commissioner, the Australian Federal Police, the Australian Security Intelligence Organisation, the Cyber Security Cooperative Research Centre and AustCyber. 
After broad consultation and careful deliberation, the 2020 Cyber Security Strategy Industry Advisory Panel has developed a series of recommendations that we believe strike the right balance between increasing our cyber defences, promoting the development of a digital economy and countering threats to our economy, safety, sovereignty and national security. 
The Panel’s recommendations are structured around a framework with five key pillars:
  • Deterrence: deterring malicious actors from targeting Australia. 
  • Prevention: preventing people and sectors in Australia from being compromised online. 
  • Detection: identifying and responding quickly to cyber security threats. 
  • Resilience: minimising the impact of cyber security incidents. 
  • Investment: investing in essential cyber security enablers.
On deterrence, we recommend that the Government establish clear consequences for those targeting Australia and people living in Australia. A key priority is increasing transparency on Government investigative activity with more frequent attribution and consequences applied where appropriate. Strengthening the Australian Cyber Security Centre’s ability to disrupt cyber criminals by targeting the proceeds of cybercrime derived both domestically and internationally is a priority. 
On prevention, the recommendations include the pursuit of initiatives that make businesses and citizens in Australia harder to compromise online. This includes a clear definition for critical infrastructure and systems of national significance with a view to capturing all essential services and functions in the public and private sectors; consistent, principles-based regulatory requirements to implement reasonable protection against cyber threats for owners and operators of critical infrastructure and systems of national significance; measures to build trust in technology markets through transparency such as product labelling; and the extension of existing legislative and regulatory frameworks relevant in the physical world to the online world. Ultimately cybercrime is just crime, cyber espionage is just espionage and hacktivism is just activism online. 
All levels of Government should take steps to better protect public sector networks from cyber security threats. Government agencies should be required to achieve the same or higher levels of protection as privately-owned critical infrastructure operators. Different levels of government should collaborate to share best practices and lessons learned. Ultimately Governments should be exemplars of cyber security best practice and Australian governments have some way to go in achieving this aspiration. 
On detection, recommendations include that Government establish automated, real-time and bi-directional threat sharing mechanisms between industry and Government, beginning with critical infrastructure sectors. Government should also empower industry to automatically block a greater proportion of known cyber security threats in real-time including initiatives such as ‘cleaner pipes’. 
On resilience, recommendations include the development of proactive mitigation strategies and strengthening of systems essential for end-to-end resilience. Government should strengthen the incident response and victim support options already in place. Speed is key when it comes to recovering from cyber incidents and Government should hold regular large scale and cross-sectoral cyber security incident response exercises to improve the readiness of interdependent critical infrastructure providers and government agencies. 
Resilience includes both the ability to recover from a cyber-attack as well as the redundancy designed-in to systems and processes. In other words, a key factor influencing the ability to recover is the level of redundancy present in systems in the first place. It is important to also call out that a number of recommendations to build resilience relate to the role of the individual, in particular around building cyber awareness. In this regard there is an important distinction between cyber security (which means protecting data and information networks and critical infrastructure functions) and cyber safety (which means protecting users from harmful online content). The fundamental ability to participate safely online is the difference between enjoying the internet’s abundant information resources and opportunities, and being a potential victim of a cybercrime. 
On investment, recommendations support the ongoing development of highly specialised and effective capabilities exemplified by the Australian Cyber Security Centre and the state-based Joint Cyber Security Centres. This existing capability should be substantially increased and enhanced through significant investment and a more integrated governance structure that maintains an industry leadership role. It is going to be a critical enabler to the success of the 2020 Cyber Security Strategy. 
The Panel is also of the view that it is important for Government and industry to continue to invest in cyber skills development and security risk management in Australia. Good enterprise security management includes all aspects of securing people, property and technology. This skills investment is recommended at both a professional and specialist skills level and also more broadly, and should include primary, secondary and tertiary courses (including programs that focus on all aspects of enterprise security risk management, particularly cyber skills uplift). Importantly many of these skills should be built as foundational requirements in science, maths, engineering and technology. Although the cyber skills and awareness of directors on the boards of Australia’s listed companies has been developed in recent years, there is opportunity for further development and support. 
Within this framework of 60 recommendations sit 25 high priority and 35 other recommendations that address the full spectrum of cyber security threats – from the ‘routine’ threats that target vulnerable people in Australia every day to sophisticated ‘state actor’ cyber-attacks that threaten our economy, safety, sovereignty and national security. The Panel recommends that threats to critical infrastructure, digital supply chains and systems of national significance should be addressed first. 
State, territory and local governments should also be considered key implementation partners for all elements of the Strategy. We encourage the Australian Government to establish formal mechanisms to ensure ongoing engagement with all levels of government. 
Clear roles and responsibilities 
Cyber threats continue to shift and evolve and, as the threats evolve, so must our response. The recommendations we propose are built around creating robust and adaptable defences as threats emerge and technologies and opportunities change. 
It is important to recognise that effective cyber defences involve more than just investment dollars. Our report highlights that an effective response includes fundamentally organising and governing differently to ensure more efficient and effective use of resources and aligning cyber security imperatives across Australia. This requires clearly defined roles, responsibilities and authorities to be established and the Federal Government’s role in leading and coordinating the national effort is therefore critical. Ultimately the Government is in a unique position with access to information and tools which mean that in particular circumstances it is the appropriate party to lead our cyber defence. This is not only about the Federal Government but effective coordination with other tiers of Government. Government also plays an important role partnering with industry, as well as broadening community awareness and skills in adequately addressing cyber issues. 
If Australia’s cyber security is well organised and well governed then the application of all resources - public, private, people, infrastructure and capital investment – will achieve far more efficient and effective results. This was an important learning from the 2016 Cyber Strategy. 
The only way to look at cyber security is as a team. Large enterprises, small and medium businesses and Government all have shared platforms, common customers, and all are the target of attacks. We all therefore play a role, and share an accountability, in keeping Australians safe. 
Implementation 
The 2020 Strategy will be largely measured based on how well it is implemented and whether it meets or exceeds objective and bold metrics. During consultation, some stakeholders viewed implementation of the 2016 Cyber Security Strategy as being limited by regular changes in governance arrangements, lack of clarity about the roles of different government departments and inconsistent public communication. We encourage the Government to create strong governance and evaluation mechanisms around the 2020 Strategy. Data collection and evaluation, based on a maturity framework, should be afforded a high priority. A standing industry advisory panel could be established to advise the Minister for Home Affairs on cyber security matters and implementation of the 2020 Strategy on an ongoing basis strengthening the important link between Government and industry. Such a panel should have appropriate representation from across business, academia and the community. State and territory governments should be closely involved in implementation of the Strategy. It would be appropriate for state and territories to be represented on the public service committee responsible for implementing the Strategy. 
Never a more important time 
The Australian Government deserves real credit for the leadership it has shown on cyber security, including through the development of Australia’s 2020 Cyber Security Strategy and the announcement of a $1.35 billion investment (Cyber Enhanced Situational Awareness and Response package) over the next 10 years which will support a number of the key recommendations set out in this report. With robust cyber security critical for our economic prosperity, international competitiveness and national security, this work will only become more important as Australia continues to digitise in the future. The Chair of the Panel, Andy Penn, describes the opportunity and the challenge ahead:
“The beginning of the 2020s has been marked by a period of profound disruption for Australia with the devastating bushfires and the COVID virus. At the same time and as we progress further into the decade we will also experience an extraordinary new era of technology innovation. As an optimist I am convinced we will adapt and technology will help to solve some of society’s biggest challenges and realise some of its biggest opportunities. But at the same time, this period of working and studying from home and the accelerated trend to a digital economy are exposing us to a more vulnerable environment of cyber threats. We are seeing increased levels of malicious cyber activity both state based and criminal. Successfully meeting this challenge requires upgrading Australia’s cyber defences to be strong, adaptive and built around a strategic framework that is coordinated, integrated and capable. The 2020 Cyber Security Strategy has an opportunity to be all of those things and provide an enormous – and never more important - contribution to a safer, more prosperous Australia.”
The Panel appreciate the opportunity to have worked with the Australian Government to build Australia’s cyber defences through the 2020 Cyber Security Strategy and look forward to the key initiatives emanating from this work - they could not arrive at a more important time. 
List of Recommendations 
Objective 1: There are clear consequences for targeting Australians 
In considering how Australia can increase the consequences of malicious cyber activity for nation states and cyber criminals, the 2020 Cyber Security Strategy should as an immediate priority:
1 Target the growing volume of cybercrime by increasing operational-level cooperation with states, territories, and international partners leveraging the Australian Cyber Security Centre and Joint Cyber Security Centres. 
2 Increase the Australian Cyber Security Centre’s ability to disrupt cyber criminals on the Dark Web and to target the proceeds of cybercrime. 
3 Leverage existing cybercrime awareness raising campaigns to better inform businesses and individuals about new and emerging cybercrime threats to them. 
4 Hold malicious actors accountable via enhanced law enforcement, diplomatic means, and economic sanctions or otherwise as appropriate. 
5 Work with industry to better inform threat visibility and Government attribution activities where appropriate. 
6 The Australian Government should openly describe and advocate the actions it may take in response to a serious cyber security incident to deter malicious cyber actors from targeting Australia. 
7 Promote international law and continue to embed norms of responsible state behaviour online, in particular those that relate to the protection of critical infrastructure serving the public and deterring malicious cyber activity including intellectual property theft and ransomware attacks.
Objective 2: Cyber risks are owned by those best placed to manage them 
In considering how Australia can improve cyber security risk management across the economy and for critical infrastructure, the 2020 Cyber Security Strategy should as an immediate priority:
8 Review the Australian Government’s definition for critical infrastructure with a view to capturing all essential systems and functions in the public and private sectors and supply chains, including digital infrastructure such as data centres, that address all systems of national significance. 
9 Introduce consistent, principles-based requirements to implement reasonable protection against cyber threats (where needed) for owners and operators of critical infrastructure (regardless of whether owned or operated by Government or private), with measurement based on a fit-for-purpose cyber maturity-based framework. In alignment with international best practice, this should leverage rather than duplicate existing sectoral regulations and minimise regulatory burden.
We further recommend that the 2020 Cyber Security Strategy should:
10 Review Australia’s legislative environment for cyber security to ensure that suppliers of digital products and services have appropriate obligations to protect their customers.  
11 Strongly encourage major vendors to sign-up to a voluntary ‘secure by design’ charter to leverage international best practice. 
Objective 3: Australians practise safe behaviours at home and at work 
In considering how Australia can reduce human risk factors in cyber security, the 2020 Cyber Security Strategy should as an immediate priority:
12 Unify all Government messaging on online safety and cyber security awareness raising, noting that existing campaigns run by different Government agencies share a common audience who do not distinguish between different online issues. Government should speak with one voice. Campaigns should be age and sector appropriate. 
13 Increase assistance to small and medium businesses and the community through cyber security toolkits, trusted advice and practical assistance.
14 Partner with industry to increase the scale, reach and impact/effectiveness of cyber security awareness raising campaigns, including through co-design and co-funding where appropriate. 
15 Incentivise large businesses to provide cyber security support to small and medium businesses in their supply chain and customer base. 
Objective 4: Government is a cyber security exemplar 
In considering how the Australian Government can improve trust in the cyber security of its own systems and networks, the 2020 Cyber Security Strategy should as an immediate priority:
16 Make Australian governments exemplars of enterprise security risk management, including cyber security, physical security and personnel security. 
17 Require Government agencies providing essential services to meet the same cyber security standards as privately owned critical infrastructure, with increased accountability and oversight.
18 Prioritise the decommissioning or hardening of vulnerable legacy systems as part of an accelerated shift towards secure cloud based services.
We further recommend that the 2020 Cyber Security Strategy should:
19 Better coordinate digital procurement decisions across Government, with a view to negotiating best practice outcomes and where appropriate cost savings with common vendors. 
20 Leverage Government procurement processes to improve cyber security through purchasing products and services with higher standards. 
21 Require larger, more capable Government departments to provide cyber security services to smaller agencies on a basis that is uniform, consistent and risk based. 
22 Fund the Australian Cyber Security Centre (ACSC) to continue its rolling program of cyber security improvements (but not audits) for other Australian Government agencies. Given the ACSC essentially provides a second line of defence role in risk management terminology, audit should be undertaken by a separate agency.
Objective 5: Trusted goods, services and supply chains 
In considering how Australia can encourage the development of a digital technology market where security is built-in across the supply chain, the 2020 Cyber Security Strategy should as an immediate priority:
23 Increase investment in cyber security research and development, including basic sciences, and coordinate state and territory-led research and development at the national level. This will enable Government to maximise economic opportunities and drive national security outcomes. 
24 Work with industry to increase Australia’s role in shaping international cyber security standards. 
25 Work with industry and likeminded nations to encourage diversity, transparency and competition in digital supply chains.
We further recommend that the 2020 Cyber Security Strategy should:
26 Develop a program to identify and assess emerging threats and emerging technologies that could introduce new vulnerabilities leveraging Australia’s global leadership in policy development related to cyber risks. The CSIRO and Defence Science and Technology are two existing national agencies that could be leveraged to support the development of this program. 
27 Obtain industry consensus around what cyber security standards should be used in Australia and accelerate the adoption of these standards to ensure digital products and services are ‘secure by design’. 
28 Require increased recognition and adoption of specific cyber security standards in Australia. 
29 Implement a dynamic accreditation or mandatory cyber security labelling scheme so that consumers can make informed choices about their own cyber security (recognising that accreditations and product labelling will need to take account of changes in technology). 
30 Work with the emerging cyber insurance industry to improve access to reliable actuarial data and develop best practice approaches to nudging the cyber security hygiene of policy holders. 
31 Build transparency into critical and emerging technology supply chains to enable consumers to trust the cyber security of their devices. 
32 Consider mandatory requirements or certification of supply chains for software and hardware supporting critical infrastructure.
Objective 6: Comprehensive situational awareness enables action 
In considering how the Government and industry can improve the timeliness and quality of threat information sharing to better anticipate and respond to threats, the 2020 Cyber Security Strategy should as an immediate priority:
33 Establish automated, real-time and bi-directional threat sharing mechanisms between Government and industry, beginning with critical infrastructure sectors.
We further recommend that the 2020 Cyber Security Strategy should:
35 Consider the development of ‘safe harbour’ legislative provisions that give industry certainty about the information it can voluntarily share with other organisations to prevent or respond to cyber security threats.
36 Resume the publication of annual reports on the state of cyber security threats to Australia.
Objective 7: Effective incident response options and victim support 
In considering how Government and industry can create and sustain a high level of preparedness for incidents and improve support to victims, the 2020 Cyber Security Strategy should as an immediate priority:
34 Empower industry to automatically block a greater proportion of known cyber security threats in real-time, including by providing legislative certainty. 
37 Map in partnership with industry, the resilience of critical infrastructure networks, with a view to increasing maturity levels over time. 
38 Identify and assess in partnership with industry interdependencies, single points of failure and consolidation risk to enable better understanding of cyber risk. 
39 Work with industry to agree a unique set of circumstances in relation to critical infrastructure and systems of national significance where it would be necessary for Government to provide reasonable assistance to Australian businesses during a cyber security emergency, and define suitable oversight and thresholds for action. 
40 Provide additional funding to not-for-profit organisations that support victims of cybercrime and communicate their role and existence to the community.
We further recommend that the 2020 Cyber Security Strategy should:
41 Hold a large scale and cross-sectoral cyber security incident response exercise at least every two years to improve national coordination and incident response readiness of interdependent critical infrastructure providers and government agencies. Exercises should include links to international activities where appropriate. 
42 Include industry in Australia’s formal incident response plans by amending the national Cyber Incident Management Arrangements.
Enabler 1: The Australian Signals Directorate’s Joint Cyber Security Centres (JCSCs) 
Recognising the JCSCs are the local offices of the Australian Cyber Security Centre, the 2020 Cyber Security Strategy should as an immediate priority:
43 Establish a national board chaired by ASD (with industry co-chair) and including industry representation to strengthen the strategic leadership of the Joint Cyber Security Centres, underpinned by a charter outlining the JCSCs’ scope and deliverables. 
44 Fund ASD to provide enhanced technical and consulting cyber services to industry through the JCSC Program, including a greater focus on information sharing. 
We further recommend that the 2020 Cyber Security Strategy should:
45 Create a staff exchange program between the ACSC, academia and industry to enable cross-sectoral collaboration and information sharing. The CSIRO and Defence Science and Technology could be leveraged to support the engagement between academia and industry. 
46 Dedicate additional JCSC resources to engage with local governments.
Enabler 2: Cyber security skills 
In considering how Government, industry and academia improve risk postures by strengthening the pipeline of skilled cyber security professionals, the 2020 Cyber Security Strategy should:
47 Position the Australian Government to take a national leadership role in addressing Australia’s cyber security skills shortage. 
48 Work with professional bodies and academia to include cyber security education in adjunct technical fields such as engineering and data science and extend cyber skills training to company directors. 
49 Consider creating an internationally aligned accreditation scheme to recognise the skills, experience and qualifications of cyber security professionals in both technical and management roles. This should include mapping the equivalency of existing qualifications.
50 Adopt a national framework that defines the roles that make up the cyber security profession. Use this framework to develop a national workforce planning program for the cyber security profession. 
51 Consider additional incentives to attract and retain Government cyber security specialists. 
52 Strengthen voluntary professional accreditation of university cyber security courses, to provide greater assurance to students and employers that courses are meeting contemporary industry demands. 
53 Develop targeted cyber security programs in primary and high school to inspire young people to take up a career in cyber security, and build foundational skills in science, maths, engineering and technology. 
54 Undertake a regular survey across Government and business to better understand the size of cyber security skills shortage in Australia and evaluate new programs under the 2020 Cyber Security Strategy. 
Enabler 3: Intelligence and Assessment 
The Panel recognises the importance of intelligence-led efforts to combat malicious cyber activity and acknowledges that this is primarily a matter for Government. The Panel is of the view that successful implementation of the recommendations above relating to Objective 1 (Clear consequences for targeting Australia and Australians), Objective 6 (Comprehensive situational awareness enables action) and Enabler 1 (The Australian Signals Directorate’s Joint Cyber Security Centres) will support Government to enhance the delivery of this enabler. The Panel encourages the Government to be open and transparent about its knowledge of the threat environment wherever possible, including by declassifying information when appropriate, increasing proactive cyber threat briefings to security cleared industry personnel with a need to know, and sponsoring greater numbers of industry representatives to obtain security clearances.
Enabler 4: Governance 
In considering how Government should manage implementation of the Strategy, including oversight arrangements, ongoing industry consultation and reporting mechanisms, the 2020 Cyber Security Strategy should as an immediate priority:
55 Include state and territory Governments in development, implementation and monitoring of all relevant initiatives under the 2020 Cyber Security Strategy.
We further recommend that the 2020 Cyber Security Strategy should:
56 Appoint an industry advisory panel to advise the Government on cyber security on an ongoing basis, including on the implementation of the 2020 Cyber Security Strategy. The panel should work with the accountable Government agency or department responsible for implementing the Strategy, while reporting to the Minister for Home Affairs. 
57 Task the industry advisory panel to publish an annual progress report on implementation of the 2020 Cyber Security Strategy and emerging cyber security threats and priorities for Australia from an industry perspective. 
Enabler 5: Evidence and Evaluation
In considering the best practice approaches to evidence collection and evaluation that can inform implementation of the Strategy and future policy making, the 2020 Cyber Security Strategy should:
58 Adopt a maturity model approach to evidence and evaluation. 
59 Invest in improved data collection, research and analysis to underpin evaluation of the performance against the metrics of the 2020 Cyber Security Strategy. This should include periodic surveys of the cyber security maturity of public and private sector organisations. 
60 Publish regular updates on implementation of the 2020 Cyber Security Strategy and periodically review and refresh the Strategy every 2 or 4 years.