Australia is getting a new cybersecurity strategy
The federal government wants an updated strategy to cover the current cyber threat climate, publishing a discussion paper [PDF] that seeks to gain a better understanding of the magnitude of the threats faced by Australian businesses and families, saying that as the threat evolves, so too must government's response.
The Australian government in April 2016 launched the country's current cybersecurity strategy, handing over AU$230 million to the cause.
"Despite making strong progress against the goals set in 2016, the threat environment has changed significantly and we need to adapt our approach to improve the security of business and the community," Minister for Home Affairs Peter Dutton is attributed as saying in the discussion paper's foreword.
"Australia must position itself as a world leader in cyber threat detection, prevention and response. This means government and industry will need to work closer together than ever before."
See also: Terrorism, espionage, and cyber: ASIO's omne trium perfectum
At the time, the strategy was said to be aimed at defending the nation's cyber networks from organised criminals and state-sponsored attackers, sitting alongside the AU$400 million provided in the Defence White Paper for cyber activities.
Listing off the efforts made since 2016, the paper says the government has opened the Australian Cyber Security Centre; established Joint Cyber Security Centres in five capital cities; launchedcyber.gov.au; appointed an Ambassador for Cyber Affairs in Dr Tobias Feakin; publicly attributed cyber incidents to nation states; supported domestic industry through the Australian Cyber Security Growth Network (AustCyber), Austrade's Landing Pad Program, and a AU$50 million investment in the Cyber Security Cooperative Research Centre; and invested in skills and education, including through Academic Centres of Cyber Security Excellence at the University of Melbourne and Edith Cowan University.
In the discussion paper, Australia's 2020 Cyber Security Strategy: A call for views,respondents have been asked to provide what their view of the cyber threat environment is, and what threats government should be focusing on.
It asks respondents if they agree with the government's understanding of who is responsible for managing cyber risks in the economy, and also if the way such responsibilities are currently allocated is the best way to do that.
Similarly, the government wants to know whether its role should change to offer greater assistance to Australian businesses to defend against malicious actors, specifically what changes can be made to maintain trust from the Australian community when using its cybersecurity capabilities.
The government is also seeking feedback on what customer protections should apply to the security of cyber goods and services; what role government and industry should play in supporting the cybersecurity of consumers, and how both can "sensibly" increase the security, quality, and effectiveness of cybersecurity and digital offerings; if the regulatory environment for cybersecurity is appropriate; what specific market incentives or regulatory changes government should consider; and whether there are any functions the government currently performs that could be palmed off to the private sector.
Proposing a "trusted marketplace" for security-related products and services to be procured from, the discussion paper asks for guidance on how to approach instilling better trust in IT supply chains and how it can ensure cybersecurity is built-in to digital offerings.
Asking a total of 26 questions, the discussion paper also asked for examples of best-practice behaviour in the cyber realm; what private networks should be considered "critical systems" that need stronger cyber defences; how the government should set up its funding model around cybersecurity; and if there any barriers currently preventing the growth of the cyber insurance market in Australia.
It also wants to know how it can create a hostile environment for malicious cyber actors.
Consultation closes 1 November 2019.
According to the paper, AU$2.3 billion was stolen by cyber criminals from Australian consumers in 2017; while 53,474 reports were received by the Australian Cybercrime Online Reporting Network (ACORN) in the 2017-18 financial year, and another 64,528 in 2018-19.
964 data breach notifications were also made under the Notifiable Data Breaches scheme from April 2018 to March 2019, 60% of which were malicious or criminal attacks.
Need to disclose a breach? Read this: Notifiable Data Breaches scheme: Getting ready to disclose a data breach in Australia
Info Manual updates
The ACSC this week released updates to the Australian Government Information Security Manual (ISM) that it says helps organisations set the strategic framework for protecting their systems and information from cyber threats.
The ISM [PDF] is based on a set of foundational cybersecurity principles, covering: Govern, protect, detect, and respond.
The ISM also contains 22 cybersecurity guidelines covering governance, physical security, personnel security, and information and communications technology security.
"These guidelines assist and empower organisations to identify cybersecurity risks and select appropriate security controls to effectively manage these risks," the government says. "The guidelines also support organisations to be more flexible, enabling them to innovate and deliver creative, yet secure, online services for the Australian public."
The updated manual comes after a 12-month body of work to transition it from a compliance-based information security manual to a principles-based cybersecurity framework.
Moving forward, it will be updated monthly, the government said.
RELATED COVERAGE
- CISOs given cyber leadership role in Australia's new Information Security Manual
- Australian government, spooks, and industry all on different cyber pages
- ACSC tightens access controls for Australian government systems
- ASD reveals rules for keeping vulnerabilities secret
- Australia needs more cyber in the middle
- 5 ways to enforce company security (TechRepublic)