This article was written by Cheng Lim and Millie Zhong.
The Australian Government’s Cyber Security Strategy (Cyber Security Strategy) was released on 21 April 2016, after 18 months of consultation with more than 190 organisations across business, government and academia, both in Australia and overseas.
In it, the government establishes five themes of action over the next four years to 2020:
- a national cyber partnership;
- strong cyber defences;
- global responsibility and influence;
- growth and innovation; and
- a cyber smart nation.
The executive summary of the Cyber Security Strategy is set out here.
Nature of the Threat
The Cyber Security Strategy itself, and the Prime Minister’s preface, openly recognised that the cybersecurity threat has many dimensions, including from foreign adversaries and state-sponsored actors. This reflects the 2016 Defence White Paper, which stated:
“Cyber attacks are a real and present threat to the ADF’s warfighting ability as well as to other government agencies and other sectors of Australia’s economy and critical infrastructure.”
Significantly, the Prime Minister, in introducing the Cyber Security Strategy, acknowledged that the Government’s options to respond to cybersecurity threats included an offensive cyber capability housed in the Australian Signals Directorate. A full transcript of his speech is available here.
Impact on business
The Cyber Security Strategy emphasises the potential damage that malicious cyber activity can cause to business, particularly the theft of intellectual property and other sensitive commercial information. While breaches that compromise personal information often get headlines and significant media coverage, businesses need to recognise that they can also be significantly and adversely affected should their confidential information or trade secrets be compromised by competitors, or should they be the subject of “hacktivist” attacks such as those made against Sony, allegedly by North Korean hackers.
Measures to support business
The Cyber Security Strategy reiterates our key message that cybersecurity is not simply an IT issue, but is a business issue that needs to be driven from the top, in terms of both strategic development and organisational culture.
In line with this ‘top-down’ approach to cybersecurity, the government will introduce a number of measures to assist the private sector. These include:
- support to cybersecurity start-ups as part of the National Innovation and Science Agenda (predominantly through CSIRO’s Data61);
- providing small businesses with support to have their cybersecurity tested by security practitioners; and
- assisting businesses to identify and respond to cybersecurity incidents, by increasing the capacity of the national Computer Emergency Response Team (CERT Australia) to work with Australian businesses.
The government also proposes to introduce voluntary cybersecurity governance ‘health checks’, which will initially be offered to ASX 100 listed businesses, with a view to extending them to other public and private organisations more generally (subject to tailoring for size and industry). The ‘health checks’ are stated to be similar to the UK’s FTSE 350 cyber governance health checks, and differ from the self-assessment recommended in ASIC’s Cyber resilience: Health check (Report 429) in that participants will receive information which enables them to better understand their cybersecurity status and how they compare to similar organisations. In this regard, they appear to enable businesses to benchmark themselves against their peers.
The Government sector
The government will devote significant resources to improving its own cybersecurity governance and capabilities, including increased spending and increased recruitment of cybersecurity specialists across government agencies and departments. Enhancements in intelligence, space and cybersecurity will require around 900 new positions to be filled in the Defence Force alone.
Recognising that cyber attacks are directed at the weakest link, and that primary targets can be accessed through connected networks and equipment, the government will also develop guidance for government agencies to consistently manage supply chain security risks for ICT equipment and services.
While these initiatives may be a tacit acknowledgement from the government that it needs to step up its game, the Australian government’s cybersecurity investment of A$230 million over 4 years under the Cyber Security Strategy is only a fraction of that pledged by its counterparts in the UK (£1.9 billion over 5 years) and the US (US$19 billion for FY2017). It is perhaps not surprising then that information sharing and collaboration with the private sector are a key focus of the Cyber Security Strategy, which will implement initiatives such as:
- real-time information sharing on cybersecurity threats and responses between and within the public and private sectors, including from classified sources;
- establishing links to global sharing initiatives; and
- investigating legislative impediments to sharing.
While businesses will no doubt welcome the availability of government intelligence and inter- and intra-sector information, they also face the same dilemma articulated by the Prime Minister’s special cybersecurity advisor, between openness about cybersecurity issues and avoiding further damage and “hanging out [their] crown jewels”. Businesses have been reluctant to openly acknowledge cybersecurity incidents. For example, MailGuard reported that 693,053 Australian businesses experienced a cyber crime in 2014, but only 11,703 reported a cyber incident.
In co-designing the sharing centres, both public and private sector collaborators will need to consider not only the security of the information exchanged, but also the protection of collaborators’ anonymity, as well as mechanisms to guard against free riding.
The need for training and resources
The Cyber Security Strategy leaves wide scope for industry-led collaborative development in the regulation and growth of the cybersecurity sector. Private sector organisations will be called on to co-design internationally aligned national voluntary cybersecurity guidelines, and also to participate in the establishment of academic centres of cybersecurity excellence to train the next generation of graduates.
As part of the National Innovation and Science Agenda, the government will also invest over $30 million to establish an industry-led Cyber Security Growth Centre, which will be tasked with developing a national plan to grow Australia’s cybersecurity sector, as well as:
- identifying cyber research and technology gaps or priorities for industry, and informing the science and research community of industry needs and commercial opportunities;
- coordinating a national cybersecurity innovation network and linking with existing cybersecurity innovation hubs overseas; and
- acting as the national mechanism for cross-sector collaboration and investment in nationally-significant cybersecurity infrastructure and frameworks.
The opportunities for business
As stated in the government’s Cyber Security Strategy, businesses own and operate most of the key supporting infrastructure for cyberspace. They are highly vulnerable to any cybersecurity risks, and need to be aware of the potential threats and have appropriate mitigation strategies in place. At the same time, they are also best placed to exploit the opportunities in the internet-based economy, which in Australia is predicted to grow to A$139 billion by 2020. The collaborative framework set out in the Cyber Security Strategy is the first step in opening new avenues for doing so.
The Turnbull government has a strong focus on innovation, and it is clear that it sees innovation in cybersecurity as a potential opportunity for Australia in coming years. The expanded tax incentives and venture capital arrangements under the National Innovation and Science Agenda announced in the recently released budget (available here) will also make investment in innovative sectors such as cybersecurity increasingly attractive. Angel investors investing in innovative, high-growth-potential start-ups are now able to access the 10-year capital gains tax exemption after a holding period of 12 months (reduced from 3 years), with a cap of A$200,000 per year.