Les Bell

As we mentioned on Monday, Australia's Minister for Home Affairs and Cyber Security * is expected today to release the Government's long awaited cybersecurity strategy. The strategy adds another $A586.9 million to an existing $A2.3 billion in cybersecurity funding which will run until the year 2030. (See Update, below, for a link to the strategy document.)

Changes for Critical Infrastructure and Telcos

The plan aims to better protect critical infrastructure; following last year's privacy breach at telco Singtel Optus, security regulation of telecommunications providers will be moved from the Telecommunications Act to the Security of Critical Infrastructure Act, "commensurate with the criticality and risk profile of the sector". It seems obvious that virtually all the other sectors of critical infrastructure are dependent on telecommunications - this should have been a no-brainer years ago.

Another likely consequence of the Optus breach is a winding back of laws which require telcos to retain  enormous quantities of customer data. Several breaches have led to affected customers having to obtain new drivers licences and other identity documents because their numbers had been disclosed - but once a new customer has verified their identity, is there any real need to retain the information that was used for that purpose? When it leaks, it weakens the value of such data for verification anyway - so let state and Commonwealth agencies that need to retain that data and provide an API which can be used for verification, then log the fact that verification was provided.

Similarly, the strategy will review Commonwealth data retention requirements and, based upon the outome, will explore options to minimise and simplify data retention requirements. This will doubtless come as a relief to the telcos which have been retaining vast quantities of traffic metadata in response to requirements introduced in 2015.

As we regularly point out, once retained information is no longer of any use, it is no longer an information asset and - from a privacy and risk management perspective - can turn into an information liability.

The healthcare sector is also being prioritized, and will benefit from a new $A9.4 million platform for the sharing of threat intelligence, in a program that could be rolled out to other sectors. Table-top "wargaming" exercises will also be expanded to include the aviation, finance and telco sectors.

Protecting Individuals

In part to reduce the amount of personal information an individual has to disclose in order to verify their identity, the government is aiming to expand its Digital ID program - a smartphone app which, as far as I can tell, seems to use exactly the types of API I posit above to provide an on-device verification of personal identity, based upon government documents like drivers licence, Medicare card and passport, along with email address, data of birth and a photo ID.

There are also plans for new cyber awareness programs to better educate the public, presumably with the goal of reducing personal losses to online scams.

Small and Medium Businesses

However, perhaps the public can be best served by improving the posture of business. The strategy allocates $A290.8 million for this area, via awareness programs, along with the development of an incident response playbook for ransomware, along with a mandatory no-fault reporting scheme for ransomware attacks and payments. Concerns that some businesses were failing to disclose breaches for fear of a backlash from regulators, not to mention customers (think class action) has also led the government to consider the establishment of "safe harbour" legislation to ensure that such disclosures to a reporting scheme could not be used for other purposes.

This approach has worked well in aviation safety for decades, encouraging pilots, other crew and maintenance engineers to come forward with useful information about incidents which fortunately did not result in accidents. As long as such a program provided actionable information - rather than simply telling us what we already know - it could prove useful; perhaps the best use would be providing psychologists and behavioural specialists with insights as to why boards and senior management do not take cybersecurity seriously enough.

Small businesses will also get a new "resilience service" to assist with recovery in the aftermath of an attack, and - as mentioned on Monday - there will be a "cyber health-check" program to offer free, tailored security assessments to business owners. I seriously doubt that this will have much real impact, other than on the bank balances of those providing the "free" assessments.

There are already excellent new technologies available to businesses of all sizes in order to better protect both themselves and their customers - particularly phishing resistant authentication schemes like U2F security keys and FIDO2 authentication via passkeys. What we should be doing is assisting business to adopt them (perhaps via open-source development), rather than relying on long-deprecated techniques like SMS'ed verification codes. Hopefully, this will form part of the new strategy.

Growing the Workforce

As is usual for such strategies, a lot is made of the "skills gap" and a supposed workforce shortage. The government proposes to address this via more education in addition to prioritizing immigration for highly skilled cybersecurity professionals. Based on my conversations with security professionals around the world, this seems likely to miss the mark; bootcamp-style programs and certifications to rapidly train people with no experience are not producing workers of any actual use, while experienced security professionals are reporting that they are being passed over for relatively unskilled candidates seeking much lower salaries. If anything, cybersecurity is suffering something of a 'brain drain' as the necessary skills and experience are undervalued.

Finally - and we've heard this refrain before - the strategy aims to make Australia a "world leader" in cybersecurity by 2030: "We will advance the global frontier of cyber security. We will lead the development of emerging cyber technologies". Doubtless some of the submissions are by companies which dream of a future in which government funding will help them take their products to the next level and export them to an admiring world. Consumers who have had their personal information disclosed in a never-ending stream of breaches might, perhaps, have a more realistic view of Australia's security capabilities.

Grattan, Michelle, New cyber policy to harden defences against our ‘fastest growing threat’, The Conversation, 21 November 2023. Available online at https://theconversation.com/new-cyber-policy-to-harden-defences-against-our-fastest-growing-threat-218255.

Knott, Matthew, Hackers’ honeypot: customer data storage laws set to be wound back, Sydney Morning Herald, 21 November 2023. Available online at https://www.smh.com.au/politics/federal/hackers-honeypot-customer-data-storage-laws-set-to-be-wound-back-20231114-p5ejwt.html.

Manfield, Evelyn, Australian Cyber Security Strategy outlines how government plans to tackle cyber crime, ABC News, 21 November 2023. Available online at https://www.abc.net.au/news/2023-11-21/federal-government-cyber-safety-framework/103132226.

* That really should be "Cybersecurity" - there is no such thing as a "cyber", nor is "cyber" an adjective. The word derives from the ancient Greek κυβερνήτης (kubernetes or kybernetes), which referred to the steersman or pilot of a galley. The same word is the root of "governor" and "governance", but comes to us through the 1947 coinage of "cybernetics" by MIT mathematician Norbert Wiener to refer to the field of control and communication, both in the animal and the machine. So now you know better. Please don't "cyber all the things".

Update

The Strategy document has now been released, and is available at https://www.homeaffairs.gov.au/about-us/our-portfolios/cyber-security/strategy/2023-2030-australian-cyber-security-strategy.

Upcoming Courses

• SE221 CISSP Fast Track Review, Sydney, 4 - 8 December 2023
• SE221 CISSP Fast Track Review, Sydney, 11 - 15 March 2024
• SE221 CISSP Fast Track Review, Virtual/Online, 13 - 17 May 2024
• SE221 CISSP Fast Track Review, Virtual/Online, 17 - 21 June 2024
• SE221 CISSP Fast Track Review, Sydney, 22 - 26 July 2024

About this Blog

I produce this blog while updating the course notes for various courses. Links within a story mostly lead to further details in those course notes, and will only be accessible if you are enrolled in the corresponding course. This is a shallow ploy to encourage ongoing study by our students. However, each item ends with a link to the original source.

These blog posts are collected at https://www.lesbell.com.au/blog/index.php?user=3. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.