PM needs to take reins on cybersecurity


Australia's lacklustre cybersecurity plans are set to fail unless they are given oversight by the Prime Minister and long-term strategies are developed by top-level federal ministers and bureaucrats, according to a report into the nation's cybersecurity strategies.

Retired deputy chief of the Royal Australian Air Force John Blackburn and industry veteran Dr Gary Waters authored a report stating that the Prime Minister and Cabinet and the Office of the National Security Adviser must take the lead in developing national long-term strategies to avert an otherwise inevitable network-based attack against Australia's critical infrastructure.

This means that the Attorney-General's Department, which forges relationships between government and industry, may need to "relinquish" control of cybersecurity coordination to top federal ministers if strong policy is to be developed.

Yet the authors of the Kokoda Foundation report are confident that the government is taking cybersecurity seriously, despite the fact that the precise budget flow is unknown.

They praised the success of defensive efforts by the Attorney-General's Department, such as the Trusted Information Sharing Network, which established security talks between banks, utilities and government, and the Department of Defence's CERT Australia, which warns industry of emerging security threats.

But Blackburn and Waters said other current strategies are short-sighted, and are "not keeping pace" with security threats.

"The actions taken to date have helped highlight the scale of the problem and underscored that more needs to be done in order to address the challenge," the report said.

The government will need to "develop a whole-of-nation, government-led integrated long-term National Cyber Strategy and Cyber Capability Plan, as a subset of the National Security Strategy, with defined responsibilities, identified priorities and dedicated resources", according to the report.

Cybersecurity should be approached in a national manner and not via a single agency, nor should the government create a cyber tsar as was done in the United States, according to the report. This will avoid what former US presidential cybersecurity advisor Richard Clarke sees as departmental power struggles over control of cyber defence.

The report states that a national cyber strategy must mirror that used for the prevention of physical threats and stretch as long as a decade, despite the fact that the security industry is reactive and on the back foot to emerging threats.

Such a strategy should include "process and structural change" to reduce vulnerabilities and develop "a credible counter-attack capability", according to the report.

The strategy must also build new technology, effect culture change and build ties with "key allies".

Blackburn and Waters proposed in the government and industry-backed report that awareness of cyber threats be extended to all Australians through the creation of a "National Security Innovation Centre", a "virtual Cyber Academy", a "Cyber Test Range" and a "cyber Cooperative Research Centre".

Australia could also gain an edge by copying the Department of Defence's Rapid Prototyping, Development and Evaluation program, which draws on top brains from government departments and industry to develop military capabilities.

Industry jitters regarding intellectual property and a swathe of other problems have already been addressed within the Defence program, the authors said.

These initiatives should be created despite budget cutbacks and growing financial pressures.

"If we do not increase our focus on cyberspace, the threat will grow faster than our response and the cost of addressing the growing threat gap in the future will increase, possibly exponentially," the report said.

The report's authors also called for antivirus and firewall installations to be mandatory for consumer purchases and suggested a "Slip, Slop, Slap"-type campaign to alert the public to online security threats.

Waters said elements of the industry-created voluntary iCode — which requires internet providers to take responsibility for user security — should be made mandatory.

"There needs to be more thought given to mandating security best practice," he said.

About 70 senior government officials and industry representatives participated in the workshops on which the report is based.

The government welcomed the publication of the report and will consider it when it is published on 4 February.

The Attorney-General's Department said that cybersecurity is a top national security priority and pointed out that the government had invested significantly in Australia's cybersecurity capabilities.

It referred to the government's cybersecurity strategy released in November 2009, leading to CERT Australia, the Cyber Security Operations Centre and the creation of a cyber policy coordinator within the Department of Prime Minister and Cabinet to coordinate cybersecurity activities.

Updated at 8:04pm, 4 January 2011: added comment from the Attorney-General's Department.

Darren Pauli

About Darren Pauli

Darren Pauli has been writing about technology for almost five years. He covers a gamut of news with a special focus on security, keeping readers informed about the world of cyber criminals and the safety measures needed to thwart them.

Talkback

4 comments
  • Concern over National Security was discussed at length during the talk of breaking up of Telstra and ceding its network to the likes of NBN Co who will, most probably, entrust our National Security to the array of its Service Providers.

    It's laughable to read the highlight above.

    "This means that the Attorney-General's Department ... may need to 'relinquish' control of cybersecurity coordination to top federal ministers"

    So far, it seems the Minister has launched a $136K cyber-safety button for child protection!
    Vasso Massonic
  • Wow. Talk about flogging a dead horse. Not once in this article did I see mention of the word NBN. Stop using this site as your own personal soap box. Between you and various others (both the for and against sides) no-one can get any other word in.

    In any event, would it not be better for the infrastructure to be owned by a GBE to allow for standard and quick deployments, also from a policy implementation point of view than it would be from private enterprise?
    Smithe-13f2c
  • Plenty of room on the soap box, so be ZDNET's guest. NBN plays a centric role in the scheme of things and in my wider view of this medium item, it rates an important mention.

    I invite your attention to the following associated web link.

    http://www.theaustralian.com.au/national-affairs/national-broadband-network-at-risk-from-spies-and-hackers/story-fn59niix-1225981280336
    Vasso Massonic
  • @DarrenPauli,

    Is it possible to seek permission to receive this paper for peer review prior to 4 February?
    cmlh