In Brief | Cyber Security

We rely on secure online access and modes of interaction when we are in the digital world. Securing networked systems and online services is vital in today's global threat environment where data breaches, malicious intrusions and foreign interference activities are increasingly prevalent. This In Brief will introduce you to developments in government policy in relation to cyber security, including cyber security in the public sector.

Feedback welcome here!                            

INTRODUCTION

The internet is where we all conduct our business and social lives - using the web to bank, pay bills, buy and sell goods, and stay connected. Cyber security is the practice of protecting systems, networks, and programs from cyber crime or computer-oriented crime. These cyber attacks are usually aimed at: gathering intelligence in support of state-sponsored activities; accessing, changing, or destroying sensitive information and infrastructure; extorting money from users; or interrupting normal business processes. See this video from CISCO which shows a cyber attack unfold.

Information security (Infosec) is related to cyber security and refers to the processes and tools designed to protect sensitive business information from modification, disruption, destruction and inspection. Infosec includes application security, cloud security, cryptography, infrastructure security, incident response and vulnerability management. While both infosec and cybersecurity offer protection against information and data being stolen, accessed or changed, information doesn’t have to be on a computer to be in need of an information security system.

AUSTRALIA AS A TARGET

Cyber crime tends to "follow the money" and Australia is an attractive target because of its wealth and widespread internet connectivity. According to a 2018 Microsoft study, cyber security-related incidents are costing Australian businesses up to $29 billion per year, with up to 55% of organisations experiencing a cyber security incident during the period of the study. ZDNet has a link to what it considers to be the scariest hacks and vulnerabilities of 2019.

Australia is increasingly targeted by a range of actors who conduct cyber operations that pose significant threats to national security and prosperity. These cyber attacks deliberately target intellectual property, personal information and Australian Goverrnment and Defence information. Cyber attacks which crash a bank's computer systems while trying to steal money would be considered to be acting for themselves, even if they come from a rival nation. But state-backed hackers doing the same thing to destabilise a rival state's economy might well be considered to be conducting cyber warfare.

ROLE OF GOVERNMENT

The role of government in cyber security was traditionally limited to protecting government networks, enforcing the law and offering advice - that is protecting the integrity of the internet as a common good. End--users carried a significant portion of the risk, and Government had a limited role in protecting a large number of critical systems. Increasingly governments are concerned about cyber warfare, which is challenging concepts of how to fight future conflict – from the conduct of cyber operations in a new warfighting domain to the impact cyberspace has on the traditional physical warfighting domains. There is some concern among net freedom' activitists that the framing of national cyber  strategy

Concerns about Australia’s cyber resilience were initially raised in the Howard Government’s 2000 Defence White Paper, Defence 2000: Our Future Defence Force. A number of initiatives flowed from this policy, including cooperation among key national security agencies to assess and deal with emerging threats. In the 2009 Defence White Paper, Defending Australia in the Asia Pacific Century: Force 2030, the Rudd Government elevated investment in cyber capabilities to a national security priority, and in 2010, established the Cyber Security Operations Centre (CSOC).

The 2016 Defence White Paper recognised the risk of cyber attacks on Australia's warfighting ability, highlighting "complex geographic threats' in cyberspace and space and how military capabilities can be adversly affected. The Australia – United States alliance also acknowledged the seriousness of these threats during ministerial talks in 2011 (AUSMIN) where it was agreed that the ANZUS Treaty could be invoked in response to a cyber attack. Cybersecurity has featured in each AUSMIN discussion since.

COMMONWEALTH CYBER AGENCIES

Also in 2016, the Turnbull Government released a revised Cyber Security Strategy and established the positions of Australian Ambassador for Cyber Affairs and Special Advisor to the Prime Minister on Cyber Security.  The latter position has since been subsumed by the Minister for Home Affairs under the Morrison Government. The National Cyber Security Advisor also heads the Australian Cyber Security Centre (ACSC) which evolved out of the CSOC and which "drives cyber resilience across the whole of the economy, including critical infrastructure and systems of national interest, federal, state and local governments, small and medium business, academia, the not-for-profit sector and the Australian community". In July 2018 the ACSC became part of the Australian Signals Directorate (ASD) which in turn became a statutory agency within the Defence portfolio (as recommended by the 2017 Independent Intelligence Review).

The ACSC produces the Australian Government Information Security Manual, which outlines a cyber security framework that organisations can apply, using their risk management framework to protect their information and systems from cyber threats. The manual now includes inter alia a series of cyber security principles, grouped around governance, protection, detection and response to cyber threats as well as the Cyber Incident Management Arrangements for Australian Governments.

The ASD has also developed The Essential Eight mitigation strategies to help technical cyber security professionals in all public sector organisations mitigate cyber security incidents. This guidance addresses targeted cyber intrusions (e.g. executed by advanced persistent threats such as foreign intelligence services), ransomware and external adversaries with destructive intent, malicious insiders, business email compromise and industrial control system (ICS) security. The guidance is informed by ASD's experience responding to cyber security incidents, performing vulnerability assessments and penetration testing Australian government organisations.

OTHER GOVERNMENT INITIATIVES AND ORGANISATIONS

There are a number of other federal-government-associated initiatives and activities associated with cyber security including:
  • Data 61 - Australia's main digital research network within the CSIRO - is working in the cyber security sphere to build more trustworthy and resilient systems with military applications, developing knowledge-based risk management, automating cybersecurity and expanding partnering opportunities through initiatives such as SINET61 (security innovation network).
  • The Critical Infrastructure Centre assists owners and operators of critical infrastructure facilities to identify and manage national security risks sch as sabotage, espionage and coercion. The Security of Critical Infrastructure Act 2018 was passed, among other things, to support cyber security efforts.
  • Under the Joint Cyber Security Centre Program a number of Joint Cybersecurity Centres (JSC) are being established across Australia. The first JSC opened in February 2017 with others since opening in Melbourne, Sydney, Perth and Adelaide.
  • The Cyber Security Cooperative Research Centre's mission is to address the major challenge of growing Australia's cyber security sector capabilities by improving collaboration between industry and universities.
  • Defence, Science and Technology (DST) - the ADF's research and development arm, aims to enhance miltary and national security capabilities including cyber. DST is also is responsible for the National Security Science and Technology Centre which includes cybersecurity as one of its national priority areas.
  • Another ADF unit is the Information Warfare Division (IWD) which was formed to combat threats to Australia's national interests in the information environment. A key objective of information warfare is to achieve information superiority over an adversary and therefore gain an advantage which can be exploited in the traditional air, land and sea domains.

CYBER ATTACK RESPONSE - GOVERNMENT

In February 2019 the Morrison government revealed that Parliament was victim to a "sophisticated' cyber attack, most likely carried out by a foreign government, that gained access to Liberal, National and LabourParty networks three months before the Federal Election.  IT News reported that this led to 25 government agencies having their "cyber posture" increased. An October 2019 article from the Sydney Morning Herald asserts that sources with direct knowledge of the report's findings told Reuters the Australian Signals Directorate believes China's Ministry of State Security conducted the attackon the Australian Parliament. The Chinese government has denied it is responsible.

The 2019 budget saw funding for the creation of new teams within the ACSC to “mitigate potential cyber threats through enhanced monitoring and response capabilities”. ASD says these cyber sprint teams have now helped 25 government “improve their Essential Eight maturity and overall cyber security posture”. Once such agency was the Australian Electoral Commission which worked with ACSC to secure the 2019 Federal Election from interference.

Another initiative from ACSC is a new industry code for web-connected devices including smart TVs, watches and home speakers to protect families, businesses and Australia's national security from cyber hackers. This was announced by Minister for Home Affairs Peter Dutton at the 2019 Home Affairs Industry Summit.

CYBER ATTACK RESPONSE - ANU

In May 2019 the Australian National University confirmed that it was subject to an attack on its administrative systems, where the actor was able to "copy and steal an unknown quantity of data" via a spear phishing email.  The university's report on the incident notes that ANU "worked closely with, and reported findings to, the Australian Cyber Security Centre (ACSC) and the Office of the Australian Information Commissioner (OAIC), before public notification. During the intervening two weeks between the detection of the breach and the public announcement on Tuesday 4 June 2019, we implemented a range of additional security controls inside ESD and the broader network – many of these activities were to expedite hardening measures already scheduled for implementation."

ANU Vice-Chancellor Dr Brian Schmidt considers the release of the report to be an "act of radical transparency" to make sure he was accountable to the people affected and to encourage a stronger and more open culture around cyber security.

2020 CYBER SECURITY STRATEGY

Australia is developing a successor to the 2016 Cyber Security Strategy to meet the rapidly evolving cyber threat environment and has issued a discussion paper calling for views, asking Australians to contribute to shaping Australia’s future and making our 2020 strategy world-leading. The discussion paper raises the possibility of  transferring responsibility for managing a greater portion of cyber risks away from end-users and onto industry and business and also looks at the current legislative framework and whether or not it is fit for purpose in an age of increasing cyber threats.

In a recent speech to the Gartner IT Symposium, former ASIO and ASIS Chief David Irvine issued a blunt warning that stronger partnerships between government and the private sector and better planning are needed to safeguard the country’s future cyber resiliency. In the speech (as reported by ZDnet), he called for the development of a new Australian cyber security service industry that draws on R&D, supports startups, and has a global commercialisation plan.

It is not all doom and gloom, though. A 2019 report Dimension Data from Australia’s government sector scores 2.92 out of five for cyber maturity, compared to 1.45 for the worldwide public sector, based on mountains of data collected to September 2018. The report also found a lot of cyber-ambition in the Australian public sector, reporting its IT leaders are aiming for a “future state” that would rate a muscular 4 on the same scale, on average.

IPAA RESOURCES

In 2016 IPAA hosted the then Special Advisor on Cyber Security (now Chief Strategy Officer at CyberCX) Alastair MacGibbon to present his reflections on the lessons learned from the eCensus events of 9 August 2016, and the new imperative for Government to embrace cyber security as a core platform for digital transformation. Click here for a video of that presentation and here for his review of the events surrounding the eCensus. McGibbon has been quoted as saying that cybersecurity is the 'greatest existential threat' right now, but that it can be managed.

In October 2019 IPAA ACT hosted Demistifying Cyber Security with Australian Cybersecurity Centre Head, Rachel Noble PSM, Marc Ablong PSM, Deputy Secretary, Department of Home Affairs and Craig Hancock, Global Chief Information Security Officer, Telstra. Resources, including a video of presentations can be found at this link while the Canberra Times report of the event is here [paywall]

Partners

Contact IPAA
IPAA ACT

ABN: 24 656 727 375
Phone: (02) 6154 9800
Unit 4A, 16 National Circuit,
Barton ACT 2600

Postal Address

PO Box 4349
Kingston ACT 2604

Subscribe to IPAA

Subscribe to our mailing list to receive information about upcoming events, initiatives and activities.