State-based actors and cyber criminals should face harsher penalties in order to deter malicious cyber activity, a panel of industry experts has told the government.

An industry panel advising the government’s forthcoming 2020 Cyber Security Strategy has said cybercrime is currently “low risk and high reward” and wants to see the government implement stronger deterrence measures.

“It is the panel’s view that cybercrime is crime and therefore a posture consistent with that should be taken across all aspects of the communications of government, industry, individuals and law enforcement agencies,” the report said.

“The relative wealth of Australia makes us a lucrative target for cyber criminals, as demonstrated by the recent high profile attacks.

“Recent incidents demonstrate that sophisticated state actors and their proxies continue to seek access to sensitive information.”

Australia has been pegged as one of the world’s most targeted countries for cyber crooks – an undesirable position that was expanded on last month when Prime Minister Scott Morrison warned Australian organisations and critical infrastructure were being attacked by “a sophisticated state-based cyber actor”.

Since then, the government announced a $1.35 billion spend on cybersecurity to improve Australia’s posture.

But the industry panel advising the government on cybersecurity – which is chaired by Telstra CEO Andrew Penn – wants to see a more front-foot approach from the government to complement its bolstered defense.

“Australia should target the profits of cyber criminals and take a stronger approach to confronting state-based actors,” said panelist and former secretary of US Homeland Security, Kirstjen Nielsen.

“Malicious actors will continue to target Australia until there are real consequences for bad behaviour.”

The panel wants to see the government arm law enforcement with better tools for fighting cybercrime and create “specialised, cross-jurisdictional and multi-agency teams” specialising in this area of misconduct.

It also recommends the government take a stronger stance on state-based cyber actors, calling for a “more forward leaning posture” when it comes to attribution.

The government has generally been quiet on naming the aggressor when it announces significant cyberattacks.

A hack on Australia’s parliamentary system last year was again the work of an unnamed “sophisticated state actor” – leaving the media and pundits to speculate on who was behind the incident.

Speaking to a media briefing on Tuesday, Nielsen acknowledged that the decision to attribute actions to a specific country is “very complex”.

“There is a right time and right way to do it,” she said.

“The discussions in the panel were about using attribution as a form of deterrent, along with economic and diplomatic sanctions.”

Last week, intelligence agencies from the UK, Canada, and US called out Russia for a recent campaign targeting COVID-19 vaccination research.

The government is still developing its 2020 Cyber Security Strategy and is expecting to hand it down in the coming months.