The Australian government’s announcement that it will “tear up” the past government’s 10-year $1.7 billion cybersecurity plan is important and good news. It reflects the critical need to address increasingly sophisticated and often state-sponsored cyber threats.
These threats are evidenced by the continuing harmful successes of today’s global ransomware and other malware attacks and zero-day exploits, which highlight that too many cybersecurity solutions are simply not fit for purpose.
It’s no longer good enough for businesses and government departments to consider cybersecurity solutions as simply an add-on, nor as ‘check the box’ items when planning business systems. Cybersecurity must be considered a core element of any organisation’s information technology infrastructure.
The ACSC (Australian Cyber Security Centre) reported in 2021 that on average Australia experiences a cyber-attack every eight minutes. Self-reported losses alone during a 12-month period totalled $33 billion!
Sovereign Australian cybersecurity solutions are trusted around the world. We have world-class and in many cases world-leading advanced cybersecurity technologies. The government’s intention to develop a new federal cybersecurity plan, starting with a clean slate, provides an opportunity to achieve three important objectives. The new plan must avoid what many have described as the ‘motherhood’ statements of the old. It must be specific and mandate responsibilities for cybersecurity.
Firstly, there must be an effective single legislative framework with teeth, drawing upon best practices such as Europe’s GDPR (General Data Protection Regulation) and the recent US quantum resilience mandate.
It is essential to consolidate the various cybersecurity responsibilities of both the commercial and government sectors. It must address the need for a strong penalty regime for organisations and their decision makers who do not take sufficient action to protect citizens’ privacy, sovereign intellectual property, government secrets and our critical national infrastructure. Events like breaches of unencrypted sensitive information should not be tolerated.
Secondly, the plan must leverage Australia’s sovereign ‘home-grown’ and advanced cybersecurity solutions. Similarly, it should support the sector’s continuing R&D investments. This must include our universities as the number one step for cyber resilience. We need to ensure that students are given the opportunity to be trained in, and then develop, skills in cybersecurity that can be utilised commercially and, most importantly, form the backbone of a national cyber skill resource.
Thirdly, the plan must address future threats and the necessary readiness planning required by both government and commercial sectors. The US president’s recent cybersecurity memorandum mandating quantum resilience among the government and commercial sectors is an example, and it addresses what is the greatest threat to cybersecurity in history. A new national cybersecurity plan provides an important opportunity to mandate national cybersecurity standards and regulations within a single legislative framework. In a world where bad actors are often highly resourced and backed by nation-states, bold steps in reforming our cybersecurity are essential to protecting the Australian economy, business intellectual property and government secrets.
Cyberwarfare is no longer just a future threat, but a reality that has been weaponised to destabilise our international partners, disrupt our industries, and threaten our critical national infrastructure and defence capabilities.
Telstra chief executive Andrew Penn’s comments at the National Press Club this week about the pervasiveness of ransomware are prescient, but the only way to address the issue is through both education of the public and mandatory disclosure of breaches by organisations holding public data. Both, at once, are necessary.
And the defences against zero-day attacks exist. Technology known as CDR can protect against zero-day attacks. Senetas, an Australian cyber security company, has invested over four years and tens of millions of dollars in developing this technology and it is now used worldwide by leading enterprises and government institutions.
The government’s announcement highlights how we must act decisively and begin to make cybersecurity a national priority, including the need to become quantum resilient.
Australia is fortunate to have some of the world’s best sovereign cybersecurity developers that are trusted around the world. We now have an opportunity to leverage this capability locally.