Strategic pillars of change: Analysis of the Cyber Security Strategy
By Tony Campbell
On the 21st April, the Federal Government’s long-awaited Cyber Security Strategy was launched from Sydney’s Australian Technology Park. Needless to say, the InfoSec community has been hungry for change for some time and the anticipation in the room was palpable. Nevertheless, Prime Minister Turnbull didn’t disappoint. The new strategy does, on the surface of it, seem to deliver on all the strategic pillars of change needed to provide the economic stimulus we need for innovation and development of our national cyber capability.
Turnbull pledged $230mn over the next four years, to be spent on five key themes of action. This may well seem like a trivial investment, given the billion-dollar price tags associated with security investment elsewhere; however, it’s a start and should at least begin to develop the three-way government, industry and citizen step-change we need to succeed. The cash will be allocated to 33 separate initiatives that will instil the five top-level narratives into governments, enterprises, SMBs and our personal lives.
One of the most important and possibly overlooked outcomes that I think will really help make this strategy a reality is the creation of two new roles within government. This was a pleasant surprise, showing us all the strategic importance the Prime Minister places on cyber security, and it is testament to his understanding of the problem space; he’s actually serious. The government needs dedicated leadership and advocacy in cyber security, so the first of the new appointments, the role of Special Advisor on Cyber Security to the Prime Minister, was handed to Children’s E-Safety Commissioner Alastair MacGibbon. This is great news for the community since Alastair is well respected and a true advocate of cyber security’s importance to our everyday lives. The second role, Cyber Ambassador, will be appointed over the next few months by Foreign Minister Julie Bishop to champion a “secure, open and free Internet” here in Australia and to represent our cyber security interests overseas.
A National Cyber Partnership
“We will also sponsor research to better understand the costs of malicious cyber activity to the Australian economy”
The first of the five themes of action is called the National Cyber Partnership. This involves national business leaders, security researchers and government getting together every year to work with the Prime Minister on the strategy and to help drive its implementation across all of Australia’s states and territories. One of the outcomes of the initial setup of the National Cyber Partnership is to streamline security governance in Commonwealth Government agencies and ensure everyone knows who is responsible and what they are responsible for. The disjointed and overly complicated delegation of authority in the Protective Security Policy Framework (PSPF) will hopefully be replaced by something less onerous and eminently more usable, especially for the smaller agencies where it’s not appropriate to have a massively hierarchical and overly distributed set of functions. Turnbull also committed funding to relocate the Australian Cyber Security Centre (ACSC) from its current location in Canberra’s Ben Chifley Building to another, as yet unannounced, facility to make it more accessible to industry. This is smart as it aligns with what’s already been demonstrated as effective elsewhere, such as in the UK, where the government invested in its new National Cyber Security Centre (https://www.cesg.gov.uk/news/NCSC), located in London rather than in the inaccessible headquarters of GCHQ in Cheltenham.
The costs of malicious cyber activity will also be monitored and reported through this partnership, passing the information onto business leaders and state governments so that decision makers can understand the extent of the threat and invest in appropriate countermeasures to protect their information.
Strong Cyber Defences
“Governments, businesses and the research community will co-design national voluntary cyber security guidelines to promote good practice that all organisations can use.”
The sharing of threat intelligence and information related to new and emerging attacks was at the heart of this strategic initiative. The Prime Minister specifically referred to CERT Australia’s role being enhanced in the fight against cybercrime, promising new capacity to help them do a better job of interfacing with the business community of Australia. He also said they will improve the capabilities of the Australian Signals Directorate to detect security vulnerabilities, aligning these changes with the wider Defence initiatives outlined in the recently published Defence White Paper. The government has said that it will increase the number of specialist cyber security roles on its own payroll undertaking threat detection and awareness, technical analysis, and forensic assessments of cybercrime in both the Australian Crime Commission and the Australian Federal Police.
Building on work previously undertaken by ASD (such as the Top 4 and Top 35 mitigation strategies), this strategic theme will ensure that these guidelines become more accessible and within the reach and budgets of SMBs and citizens. Guidelines for undertaking voluntary health checks will also be produced, somewhat aligned with the themes the UK government introduced through the Cyber Essentials (https://www.cyberstreetwise.com/cyberessentials/) scheme.
Global Responsibility and Influence
“Australia will work with its international partners to champion an open, free and secure Internet.”
This was very much a running theme throughout the Prime Minister’s speech, continually reinforcing Australia’s ambitions on the global stage as an influencer, innovator and economic force to be reckoned with. This is where the role of the Cyber Ambassador comes in, working under the guidance of the Minister for Foreign Affairs, so that we’ll finally have a voice in the discussions of international law, intelligence, cyber warfare and the issues related to cross-jurisdictional policing that are plaguing law-enforcement agencies all over the world today.
Growth and Innovation
“Australia will position itself as a location for cyber security innovation”
The Prime Minister predicted that by 2030 the digital business economy of the Asia Pacific region could be worth as much as $625 billion, or 12% of the region’s total GDP. That’s a big number; however, the fact that annual global cybercrime is predicted to top $2.1 trillion by 2019 means the threat of cyber-attack is the single biggest threat to our economic growth over the next few decades. The Cyber Security Strategy sets out a roadmap for research and development in cyber-related technologies and risk mitigations that will lead to more jobs for the Australian market, while improving our cyber resilience in the process.
The mechanism for achieving this is a Cyber Security Growth Centre, aligned with the National Innovation and Science Agenda (http://www.innovation.gov.au/page/agenda). This requires the creation of a national network of research and innovation hubs to be located in each of Australia’s capital cities that will work with start-ups, businesses, governments and the local research and education community. The Cyber Security Growth Centre will coordinate this network both here in Australia and also act as the conduit to overseas organisations performing a similar role. This is amazing news for the business and start-up community since this will provide a potential route to new markets that would otherwise have been difficult to tap into. Mr. Turnbull also pledged funding to boost the capacity of Data61 (CSIRO’s digital research department) to really drive this innovation agenda. This is great news for the economy, which will start to pay off in two to four years if similar initiatives overseas are used as a benchmark, such as Innovate UK (https://www.gov.uk/government/organisations/innovate-uk).
A Cyber Smart Nation
“The Government will also further improve national cyber security awareness and work to ensure all Australians understand the risks and benefits of the Internet and how to protect themselves online.”
This is a drum that I have been personally beating for the last four years, so it’s fantastic (and somewhat of a watershed moment) when the Prime Minister acknowledges the global skills shortage and what it means to the rest of his Cyber Security Strategy. Without addressing the imminent skills shortage in Australia, the strategy will simply be impossible to deliver on. Back in 2015 (ISC)2 issued its bi-annual Frost and Sullivan Global Information Security Workforce report, suggesting that the scale of the global problem was such that close to 1.5 million skilled and experienced cyber security professionals would need to be brought into the industry, in addition to those employers already expected to hire. In the UK, they acknowledged that they generally have a retiring workforce, and with fewer and fewer people coming into security, the threat is real and truly imminent.
Turnbull said that the government will tackle this here in Australia by working at all levels of education and training, with the private sector, with universities, and with TAFE colleges to ensure we can channel new blood into the industry. The government will also co-design a model that establishes academic centres of cyber security excellence in universities to ensure graduates leave their time at college with relevant, practical and usable skills when they emerge into industry. Centres of excellence will also establish strong links with the Cyber Security Growth Centre to ensure innovations and ideas percolate through the Australian-wide network of national innovation centres.
The Government acknowledged that filling the cyber security pipeline with new blood will not be an easy task, which is why they will work closely with industry, schools and colleges to demonstrate to school children that this is a valid and exciting career path, one that they can prepare for with relevant subjects even from a secondary education level.
The final piece of the strategic puzzle is related to citizen security and heralds a truly new level of cyber security awareness training for Australia: one that will target every single citizen.
To ensure we all help Australia achieve InfoSec greatness over the next decade, each and every one of us needs to be living and breathing the strategy every day. Some of the initiatives are certainly long-term plays, such as the innovation strategy driven through the Cyber Security Growth Centre and its national counterparts; however, some of them can start right away. We can all start by trying to address the skills gap. We can be promoting cyber security hygiene (good passwords, patching systems, patching applications, not clicking on dodgy links, etc.) and evangelising the value of properly implemented security awareness programmes. Security awareness is not just about a one-off training course (although that is one component that works well at its heart); instead, its measure of success is cultural change. Training can also extend outside of the workforce and cross into training employees’ families and even their friends on good cyber security practices.
I’d urge every one of us in the professional security community to become a mentor. Help someone who wants to make the career switch into security but doesn’t know where to start. Work with your HR department and hiring managers to help them define what job roles you really need in your business and which skills and competencies map to those job roles. Adopt a skills framework, such as Skills for the Information Age (http://www.sfia-online.org/en), since this is the one that the Australian Computer Society (ACS) uses for its MySFIA skills manager. This allows everyone to work to the same underpinning definitions of skills and competency levels. Just imagine the value of being independently recognised by ACS or the Australian Information Security Association (AISA) as a practitioner-level Information Security Manager or a Lead Security Architect, where it actually means something to the community, industry and government, and remuneration discussions and hiring decisions are so much fairer.
The Prime Minister discussed some of the cyber-attacks we’ve seen here in Australia over the past year, such as the website attacks on David Jones and Kmart that left thousands of customers exposed to ID theft and online fraud. Turnbull specifically applauded Kmart’s response to the attack, given their rapid disclosure and reporting of the incident to the Privacy Commissioner. We all need to get smarter at handling incidents and admitting when we have been breached. We need to ensure we do the right thing, not the easy thing, especially where someone else’s data is in question. The Prime Minister also commented on the alleged attack on the Bureau of Meteorology, acknowledging it was indeed a real event and one that has been mirrored across other government departments. By acknowledging this, he’s showing that the government is playing by the rules they are setting, which in itself is a big step forward.
The tangible investment that’s been pledged, $230 million over four years, is not enough, that’s obvious, but industry needs to step up and take some accountability for investment too. It can’t all come from government; in the same way it can’t be all about industry or all about universities: this is too big a problem for any one of these groups to tackle alone. I’m hopeful that having Alastair MacGibbon in charge of the cyber security operations of our nation will see him asking for adequate funding to make the vision a reality.
Turnbull announced 100 new specialist cyber security jobs across his defence and intelligence agencies. He also announced an increase in the capacity of CERT Australia to work more closely with Australian businesses, along with an increase in the capacity of the Australian Federal Police and the Australian Crime Commission to tackle cybercrime. He pledged to improve ASD’s capability in detecting vulnerabilities and admitted for the first time that ASD has an offensive capability (not that we didn’t already know that), one that will be managed through a framework of stringent legal oversight both at home and internationally. However, these new roles, along with the relocation of the ACSC and the commissioning of threat intelligence sharing centres and the Cyber Security Growth Centre, won’t come cheap. I’m surprised at the incredibly low budget, and $230mn over the next four years won’t last long. I am hoping that the lessons learned from the UK, where the government just pledged another £1.9bn ($3.8bn AUD) to the National Cyber Security Centre, will show that underinvesting in this national security measure simply won’t get the job done. For the cost of a quarter of an aircraft carrier (about $1.5bn), we could do so much more.
All in all, things are changing for the better across our InfoSec landscape. There certainly hasn’t been a more exciting time to be part of this industry, and the new strategy is cause for genuine excitement, not only amongst us InfoSec geeks, but for the whole nation. The government sees Australia as a true international player on the ecommerce and innovation stage, and its recognition that the only way to achieve this goal is to improve our information security capabilities should be applauded. Now the real work begins.