The current Australian Cyber Security Strategy was released by the Commonwealth in April 2016.
A lot has happened since then, principally the formation of the Australian Cyber Security Centre, which falls under the Australian Signals Directorate (as a statutory authority), and the establishment of AustCyber (the Australian Cyber Security Growth Network) in 2017 as an independent, not-for-profit organisation.
Legislatively, the Enhancing Online Safety for Children Act 2015 was amended in June 2017 to be the Enhancing Online Safety Act 2015 (as a more comprehensive mandate for the Office of the eSafety Commissioner); the Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018 was introduced in December 2018; and the Notifiable Data Breach regime was introduced in February 2018 via the Privacy Amendment (Notifiable Data Breaches) Act 2017.
These are all very important organisational and legislative movements, but cyber-crime against businesses and individuals continues to soar.
The reporting of these matters continues to increase yet we don’t have an accurate picture of the problem due to unknown levels of under-reporting.
Rather than analyse the successes and failures of the past, it is time to look to the future.
Australia’s future prosperity depends on how we harness information technology.
Such success can only be achieved if we also secure this technology, the data which resides on it and the people who access it.
Cyber-attacks are growing more frequent and sophisticated, and can be very damaging when they succeed.
Government has a clear role to lead the effort to protect Australia’s critical infrastructure, but how do we address the issues facing mainstream corporate Australia such as business email compromise and ransomware? Let alone the stream of consumer issues like scams, spam and phishing?
Having a broad strategic four-year plan is fine but getting corporate Australia to take ownership of detecting and deterring (often advanced) cyber-attackers targeting their organisations is where the rubber needs to hit the road.
We can talk about skills shortages, incident response, international partnerships and innovation all we like, but the biggest challenge is to get organisations to undertake basic risk management processes and understand what technology means to them.
The second step is their preparedness to invest in mitigating cyber threats, preferably by doing the simple things first, like having strong user authentication, reducing administrative privileges and backing up data.
Too many organisations and people want the good from technology without understanding they need to invest in the bad.
As a nation we want to encourage innovation and enhance productivity through internet-enabled devices.
The next Australian cyber security strategy needs to tactically focus on helping organisations help themselves and getting end-users to become competent digital citizens.
Nigel Phair is Director, UNSW Canberra Cyber.