The government wants to protect Australia from online threats by building six “cyber shields” around the country as part of its upcoming 2023-2030 Cyber Security strategy.
Strong citizens and businesses, safe technology, threat sharing, protecting critical infrastructure, sovereign capability, and global coordination are the six shields that will make up the strategy when it is released later this year.
Speaking at the Australian Financial Review’s inaugural Cyber Summit at the Sofitel Wentworth in Sydney on Monday, Minister for Home Affairs and Cyber Security Clare O’Neil said Australia faces the most challenging circumstances since the Second World War.
“We live in a region of strategic competition and cyber will be integral to how the events of the coming decade play out,” she said.
“We have an urgent economic and security imperative to make a steep change with cyber issues.”
Earlier this year, the government’s cyber security advisory board released a discussion paper about the upcoming strategy with a view to fixing what O’Neil described at the time as “a patchwork of policies, laws and frameworks that are not keeping up with the challenges presented in the digital age”.
At Monday’s summit, O’Neil discussed reforms the government implemented over the year, including the appointment of a National Cyber Security Coordinator, and the ‘hack the hackers’ collaboration between the Australian Federal Police and the cyber guns in the Australian Signals Directorate.
“We’ve transformed the way the government interacts with companies which are undergoing cyber attacks as a consequence,” she said.
Next is the release of the new cyber strategy, which O’Neil described as a cohesive response built to protect Australians.
“By 2030, what we want is citizens and businesses to understand the cyber threat; undertake actions to protect themselves with proper support in place, so they’re able to get back up quickly.”
O’Neil said cyber security is the number one issue in boardroom discussions, particularly for small businesses, which are hurting.
“They’re panicked and they lie awake at night, worried if tomorrow will bring a cyber attack,” she said.
“They’re saying, do I risk bankruptcy or jail if I pay ransomware? A cyber attack is distressing; for small business, it could be fatal.”
Another issue was the importance of bringing in skilled people.
“Businesses are desperate for more skilled people. Part of the strategy will be to ease the migration processes to bring in skilled workers.”
Private sector must address third party risk
Chair of the Australian Securities and Investments Commission (ASIC), Joe Longo, told the Summit that global cybercrime damage costs are predicted to grow by 15 per cent annually over the next three years.
“Ransomware attacks alone are predicted to exceed US$265 billion by 2031, more than 13 times the costs in 2021; the equivalent of an attack every two seconds,” he said.
Longo addressed the risk of third party providers.
He gave examples of the Latitude Financial and Perpetual breaches which were brought on by third party suppliers.
“This should be a concern for any organisation. Look to your third party suppliers and evaluate your cyber risk. Starting with good governance and risk assessment can successfully set the right tone.”
Longo said ASIC expects directors to ensure their organisation's risk management framework adequately addresses cyber security risk and resilience, and that controls are implemented to protect key assets. Failure to do so could mean failing to meet regulatory obligations.
“If boards don’t give cyber security sufficient priority, this creates a foreseeable risk of harm to the company and thereby exposes the directors to potential enforcement action by ASIC based on not acting with reasonable care and diligence,” he said.
In 2020, ASIC took financial advice company RI Group to court for failing to maintain “a reasonable standard” of cyber security.