The government should prepare Australia for the next decade in cybersecurity by implementing a multi-pronged national cyber security strategy that combines multi-sector information sharing, development of state-based cybersecurity training hubs and other initiatives to bolster our national protective capabilities, networking giant Cisco Systems has argued in a formal response to the first-ever Australian Government Cyber Security Review.
That review, which is the first concrete deliverable from the new Australian Cyber Security Centre (ACSC), warned of an “undeniable” and “unrelenting” cyber threat facing Australian organisations and urged the implementation of cybersecurity measures “to make Australia a harder target, increase the confidence of Australians when they are online, and maximise the benefits of the Internet for Australian organisations.”
“Ultimately,” the report concluded, “this will see organisations and their users taking greater responsibility for the security of their networks and information.”
While there is still much work to be done in laying down concrete steps for improving Australia's cyber-security capabilities, the ACSC report has been an important first step that reflects the current government's concrete efforts to address the issue, director of Cisco cybersecurity initiatives Gary Hale told CSO Australia.
“What stood out for me was the pace of digitisation of government agencies,” he explained, referring to the mandate of the new Digital Transformation Office to push government agencies into digital service delivery.
“If you look at these sort of transformations, you know we're getting to a point where we're really pushing the boundaries of IT and quickly. This government has been proactive in setting this up and creating the strongest, and possibly the best, interaction I've seen in the industry. I've seen an absolute commitment from the government to play this out, and soon we'll see the execution plan around it.”
Bolstering Australia's cyber-security capabilities will be a long-term effort, however, with Hale positioning it as a “campaign that's going to run over 10 to 20 years” that requires fundamental cultural shifts in areas such as education of students in cybersecurity issues – including better maths education, to support research in areas such as cryptography.
Cisco's response to the government manifesto has framed the need for cybersecurity intervention in financial terms, warning that “cyber insecurity is taxing Australia's economic growth” and urging partnerships between government, public and private entities in a number of areas.
“The threats to a connected society are outpacing the defences, and GDP growth is being eroded every day,” the Cisco response warns, noting that cyber-security threats are matching or outpacing the technology development cycle “which, in turn, is moving much faster than the currently complex compliance and policy vehicles.”
The rapid pace of change in cyber-security threats was a key theme of Cisco's recently released Midyear Security Report, which noted strong fluctuations in APAC spam volumes and warned that 'combination attacks' such as Angler, Rombertik, Adware MultiPlug and Dridex were layering attack methods to stay ahead of technology defences.
“Initiatives that address these differences through simplicity and scale are critical if the Internet and IT systems in general, are to deliver maximum benefit”, Cisco's ACSC report response advised.
Foremost among Cisco's recommendations is the creation of a National Cyber Security Strategy, which will position the issue as being of strategic importance “for both national security and national prosperity,” the response says, recommending the creation of a multi-year strategy that builds the capacity, talent, and workforce to support the cyber-security initiatives.
The response envisions making Australia “the safest online place to do business”, measured in terms of metrics such as malware infection rates; strong penalties for cyber-crime activity; accountability and education for board members and CEOs on cyber-security issues; and minimal disruption to essential citizen services due to cyber-security related vulnerabilities.
“Virtualisation” of the ACSC would extend its reach to state-based cyber-security centres, allowing for more engagement with Australian organisations on the ground and widening access to skilled personnel.
The response also recommends a concerted focus on building cybersecurity skills, with a 25-year outlook developed to promote the funding of relevant cadetships, PhD positions, TAFE-delivered training, promotion of opportunities for women in IT and cyber security, and “a pedagogical view that cyber security should be treated no differently to Maths or English in that it will be a fundamental skill for future generations”.
The ACSC report “was a pretty critical statement in the maturity of where they're going and where they want to be,” Hale said. “As we look across Australia, innovating and driving collaboration through the islands of expertise that we have, has been difficult because we've never created a critical mass. But you need that mass to drive things forward, and the ACSC has been a critical step in doing that.”