In the past year, a number of Australian organisations, including Lion Beverage Company, Toll Transport and Nine Entertainment, have been impacted by cyber attacks. More concerning, in recent months Australia’s government and institutions have been targeted by ongoing, sophisticated state-based cyber attacks. Some of the attacks have been on local government departments, hospitals and state-owned utilities, all of which hold sensitive economic and personal data. The increasing number of attacks has, for the first time, seen the Australian Government enter the top five industry sectors notifying data breaches.
In response to the spike in continued large-scale cyber attacks, the Australian Government recently released the Australian Cyber Security Strategy 2020. The strategy highlights new initiatives and a $1.67bn funding boost to be used over the next decade, to achieve their “vision of creating a more secure online world for Australians, their businesses and the essential services upon which we all depend”.
Australia is not alone and governments around the world have stepped in to reshape and update their cybersecurity plans and infrastructure, including strategies and regulations that businesses are required to follow when handling our most precious digital resources. However, as we move through digital advancement at a cracking pace, it has become difficult for many to keep up with the number of threats, possible attack vectors and compliance requirements that are part of an ever-changing landscape.
Much of our daily life is powered by software, even if it’s not highly visible. This month a cyber attack forced the temporary shutdown of one of the US’s largest pipelines, highlighting already heightened concerns over vulnerabilities in the nation’s critical infrastructure. The attack comes amid rising concerns over the cybersecurity vulnerabilities in the States’ critical infrastructure and after the Biden administration launched an effort to beef up cybersecurity in the nation’s power grid, with a call to install technologies that can thwart attacks on electricity supply.
Closer to home, healthcare provider UnitingCare Queensland recently experienced a cyber attack. The attack impacted all operational systems, including internal staff email and patient operation booking, forcing staff to revert to paper-based operations for the foreseeable future. Notably, the hackers behind the attack were identified as the same group responsible for past attacks against major targets including Apple and Donald Trump. The new government strategy does call out the importance of hardening our critical infrastructure against cyber threat actors.
However, what’s next? We need bold statements and bold actions like in the States. To prevent costly and damaging cyber attacks, such as the recent Service NSW data breach or NSW Labor Party ransom, it's important to assess and validate the suppliers we use and the software these suppliers write for the Australian Government and for businesses across Australia.
It is clear from the Australian Government’s push to get serious about cybersecurity that it has been identified as a key risk area on a national level, but is their strategy reaching far enough? Here’s where we could be doing more:
The case for a dedicated cybersecurity cabinet role
Countering cyber attacks, disrupting active cybercriminals and ensuring their prosecution, as well as intelligence sharing with international allies are all important factors, but imagine if the nation-wide standard for protection was focused on prevention. What we need is something similar to Biden's recent multi-billion-dollar cybersecurity support plan, as well as the appointment of key members of the cabinet to cybersecurity and cyber defence. It would be a huge win for our online safety, as well as support the local cybersecurity industry, and a clear signal that it is a serious consideration as we move forward as a future-focused nation.
It is therefore troubling that we still don’t have a dedicated cabinet role for cybersecurity in Australia; without one, even funded initiatives can easily slip ‘out of sight, out of mind’. Given the nation-state cyber attacks we are seeing, and the unprecedented access to our sensitive information that a successful data breach grants, this lax approach of maintaining the status quo has proven ineffective to date.
Like any other malicious attack that has the ability to disrupt our way of life, resilience is absolutely crucial, not just to withstand such an attempt, but to act as a deterrent to it happening at all. At the end of the day, even threat actors can be lazy, and they will move to an easier target if too many barriers are put in the way of their success.
The job is too big to be tacked on to a multi-service cabinet role, and appointing a person with an innate understanding of the impact of meticulous cyber defence would be ideal as we produce software at cracking pace in every industry.
Further investment to train and build cyber skills
At the moment, we face a global cybersecurity skills shortage, and this is something that keeps CISOs around the world awake at night. From July to December 2020, 38% of all data breaches were caused by human error — namely security misconfigurations — which are usually relatively simple, code-level fixes. If training is made a priority, in conjunction with building company-wide security awareness, there might just be fewer CISOs signing off on breach notifications to thousands of compromised customers.
In a refreshing change, there is an in-depth plan to address the cybersecurity skills shortage over the next decade, by way of emphasis on cybersecurity training from primary and secondary school, through to tertiary education. This foundational learning is sorely needed if we are to build the security superstars of the future, but from a perspective of addressing business needs right now, hands-on training in secure coding for the development cohort is an absolute necessity to start reducing common vulnerabilities, and must be part of a functional security program.
The NSW Government has announced, as part of its 2021 Cyber Security Strategy, that it will clarify minimum cybersecurity requirements in government procurement processes and aim to enhance the capability of the state’s central cyber office, ensuring it can provide support to smaller agencies and local councils.
What’s more, the NSW Government will establish a ‘Cyber Hub’ to grow the cybersecurity industry and talent pool within the state and build a workforce capable of operating with fluidity. It’s a step in the right direction, but more needs to be done at both the state and federal levels to support Australian cybersecurity start-ups succeeding at a global level. Access to seed funding and even CISOs who are willing to try solutions new to the market and help them mature is an excellent starting point.
For the industry itself, the key is to focus on the root cause of the problem and on how we can prevent cyber attacks happening in the future. That means creating skilled people who can respond to these types of attacks, but also making sure that mistakes in software development don’t happen in the first place.
There is an enormous opportunity here for our government to create a national security skills baseline certification, or regulation, and the Australian Cyber Security Strategy alludes to this as a way to work with finite resources. For now, our beacon of hope lies in the development teams within each organisation, and given the tools and knowledge to succeed, they can cut off common vulnerabilities at the pass and significantly reduce the risk of a data breach within their organisation.
Efforts to create strong policy frameworks and to build and advance Australia’s infrastructure are the foundational steps we must take to confront cyber threats that could compromise the critical systems essential to our national prosperity and economic security.