Australia's cybersecurity strategy: Continue the omnishambles

As the UK launches its much-praised active cyber defence plan to integrate protection of the entire .gov.uk domain, Australia chooses to do the exact opposite. Hilarity will ensue.
Written by Stilgherrian, Contributor

Britain's newly-created National Cyber Security Centre (NCSC) released its National Cyber Security Strategy 2016-2021 on Tuesday. ZDNet has already previewed some technical aspects of the strategy, but there's much more.

The UK's strategy, like Australia's Cyber Security Strategy released in April, includes a commitment to developing the domestic cybersecurity industry, the education and training sector, and the potential for export. There's also an increased focus on international cooperation.

The key difference, however, is that the UK's strategy jumps straight into outlining well-argued technical architecture to defend the nation's networks, while Australia's merely sketches out a bureaucratic structure which, it is hoped, will lead to increased cooperation.

This is particularly embarrassing given that the Australian Cyber Security Centre (ACSC) has been operational for nearly two years, as opposed to the NCSC's single month, although the two organisations do have different missions.

The ACSC is also a multi-agency coordination body, whereas the NCSC is essentially a re-badging of the cybersecurity branch of the UK's Government Communications Headquarters (GCHQ), with a couple of smaller agencies rolled in. NCSC serves just one master.

The UK's strategy also makes some blunt statements about Britain's attitude to cyber attacks.

"We will treat a cyber attack on the UK as seriously as we would an equivalent conventional attack and we will defend ourselves as necessary," the strategy says.

"We will rigorously protect and promote our core values. These include democracy; the rule of law; liberty; open and accountable governments and institutions; human rights; and freedom of expression, [and] we will preserve and protect UK citizens' privacy."

There's also a blunt message to British business: "We will not accept significant risk being posed to the public and the country as a whole as a result of businesses and organisations failing to take the steps needed to manage cyber threats."

The driving force behind the UK's strategy is Dr Ian Levy, the NCSC's technical director. He's explained the thinking behind the strategy in a blog post.

"There's a common complaint from industry to governments about cyber security. It's generally that governments tell them they're not doing enough and must do more, often without really understanding the real-world impacts or commercial implications of their demands," Levy wrote.

"Well, our strategy is to use government as a guinea pig for all the measures we want to see done at national scale. We'll be eating our own dog food to prove the efficacy (or otherwise) of the measures we're asking for, and to prove they scale sensibly before asking anyone else to implement anything."

Yes, NCSC will actually measure that efficacy (or otherwise), and publish the results. Australia's strategy does mention publishing "robust data ... that supports informed decisions", but only to "better understand the cost of malicious cyber activity to the Australian economy".

Contrast the UK's approach to Wednesday's comments by Australia's Minister Assisting the Prime Minister on Cyber Security, Dan Tehan.

A centralised approach to cybersecurity was dangerous, Tehan said. Government agencies should be responsible for themselves. We just need to "remind them" to "take this issue incredibly seriously".

Tehan wants government agencies to "develop ... a culture" so they "have the mechanisms in place" to make sure they're secure.

And yet the very report that Tehan was launching claimed that 15 percent of surveyed agencies had no person responsible for cybersecurity, and 41 percent reckoned their executive teams were clueless -- sorry, had "poor or limited knowledge".

At this point, ladies and gentlemen, I present to you the IT department of Centrelink, the Australian government agency responsible for assessing and distributing welfare entitlements to millions of Australians. As you might imagine, Centrelink needs a serious approach to cybersecurity.

On October 25, Centrelink reportedly disclosed the email addresses of hundreds of its customers by using CC instead of BCC. Centrelink then compounded the error by attempting to "recall" the email, which of course meant that the email addresses were all sent out again, this time flagged as a mistake and therefore worth a closer look.

To add to the hilarity, these emails were part of Centrelink's password-reset process.

So, we have a password-reset process that relies on emails sent manually. We have an enterprise-scale email system that doesn't flinch at sending an email out of the building with hundreds of CC addresses. And we have an employee responsible for bulk emails who doesn't know that mail merge exists, or that "recall" doesn't work -- although I guess they do now.
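The two controls missing from that process can be shown in a few lines. The following is an added illustration, not Centrelink's code or anything from the column: an outbound-mail gateway rule that refuses to let a message leave with a visible list of external addresses (moving them to Bcc), and a per-recipient "mail merge" sender so customer notices never share a header at all. The organisation domain, the one-external-recipient threshold and the function names are assumptions made for the example.

```python
from email.message import EmailMessage
from email.utils import getaddresses

# Constructed policy values for this illustration, not any real agency's settings.
INTERNAL_DOMAINS = {"agency.example.gov.au"}
MAX_VISIBLE_EXTERNAL = 1   # more than one external address in To/Cc discloses customers to each other


def _domain(addr: str) -> str:
    return addr.rpartition("@")[2].lower()


def visible_recipients(msg: EmailMessage) -> list[str]:
    """Every address a recipient can see: the parsed contents of To and Cc."""
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    return [addr for _, addr in getaddresses(headers) if addr]


def external_visible(msg: EmailMessage) -> list[str]:
    """Visible addresses whose domain is outside the organisation."""
    return [a for a in visible_recipients(msg) if _domain(a) not in INTERNAL_DOMAINS]


def enforce_bcc_policy(msg: EmailMessage) -> str:
    """Gateway rule applied to outbound mail (hypothetical policy).

    Returns 'pass' when at most MAX_VISIBLE_EXTERNAL external addresses are visible,
    otherwise rewrites the headers so every external recipient sits in Bcc and
    returns 'rewritten'. A real gateway might bounce the mail to the sender instead;
    the rewrite is shown because it fails safe without losing the message.
    """
    ext = external_visible(msg)
    if len(ext) <= MAX_VISIBLE_EXTERNAL:
        return "pass"
    internal = [a for a in visible_recipients(msg) if a not in ext]
    # EmailMessage allows only one To/Cc/Bcc header, so delete before re-adding.
    del msg["To"]
    del msg["Cc"]
    # An empty RFC 5322 group keeps a To header present while naming nobody.
    msg["To"] = ", ".join(internal) if internal else "undisclosed-recipients:;"
    existing_bcc = [a for _, a in getaddresses(msg.get_all("Bcc", [])) if a]
    del msg["Bcc"]
    msg["Bcc"] = ", ".join(existing_bcc + ext)
    return "rewritten"


def mail_merge(subject: str, body_template: str, sender: str, recipients: list[str]) -> list[EmailMessage]:
    """One message per recipient: the alternative to a single bulk email.

    Each message names exactly one customer, so there is no list to leak and
    nothing to 'recall' if a mistake is noticed after sending.
    """
    out = []
    for addr in recipients:
        m = EmailMessage()
        m["From"] = sender
        m["To"] = addr
        m["Subject"] = subject
        m.set_content(body_template.format(recipient=addr))
        out.append(m)
    return out


def demo_bulk() -> tuple[str, list[str], int]:
    """Constructed sample: a password-reset notice with five customers in Cc."""
    customers = [f"customer{i}@example.com" for i in range(1, 6)]
    msg = EmailMessage()
    msg["From"] = "passwords@agency.example.gov.au"
    msg["To"] = "helpdesk@agency.example.gov.au"
    msg["Cc"] = ", ".join(customers)
    msg["Subject"] = "Your password reset"
    msg.set_content("Follow the link to reset your password.")
    action = enforce_bcc_policy(msg)
    merged = mail_merge("Your password reset", "Hello {recipient}",
                        "passwords@agency.example.gov.au", customers)
    return action, visible_recipients(msg), len(merged)


def demo_single() -> str:
    """Constructed sample: a notice to one customer passes the policy unchanged."""
    msg = EmailMessage()
    msg["From"] = "passwords@agency.example.gov.au"
    msg["To"] = "customer1@example.com"
    msg["Subject"] = "Your password reset"
    msg.set_content("Follow the link to reset your password.")
    return enforce_bcc_policy(msg)


if __name__ == "__main__":
    print(demo_bulk())    # ('rewritten', ['helpdesk@agency.example.gov.au'], 5)
    print(demo_single())  # 'pass'
```

The gateway rule is the control that makes the employee's mistake harmless, and the mail-merge sender is the control that removes the opportunity for it; a sensible process uses the second and keeps the first as the backstop. Both checks operate on parsed addresses rather than raw header text, so display names, folded headers and mixed internal/external lists are handled the same way.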

Imagine the possibilities for some elegant spearphishing attacks, not just outbound to the customers, but inbound to Centrelink's IT staff.

Take a bow, Centrelink.

Centrelink will doubtless blame the presumably junior employee who made this embarrassing mistake. But the real question is why management created the stupid process that made this mistake inevitable.

Tehan's ideal culture of cyber resilience would seem to be lacking at Centrelink.

That culture would also seem to be lacking at the Australian Bureau of Statistics (ABS), given the Censusfail omnishambles. It's lacking also at the Bureau of Meteorology, given their embarrassing data breach.

The contrast between the UK's approach and Australia's couldn't be greater. The UK has released an integrated national-level cybersecurity plan. "Wow, that's good," says the world. Australia has responded to a series of stuff-ups with a "yeah, whatever".

Admittedly the UK's job is easier. The national government has a clear role, and there are no fractious state governments to deal with. Their plan is also being implemented by Levy, a self-proclaimed "dictator".

Australia's federal government, on the other hand, has to deal with a mess.

"When it comes to Australia's critical infrastructure, the states have as key a role to play, if not more of a key role to play," Tehan said on Wednesday.

If the states are indeed more key than key, as Tehan has it, they can also be apportioned more blame when things go wrong. If the states point their fingers back at the federal government, the feds in turn can blame the departments for not developing the right cybersecurity culture. The departments can then claim they did develop the culture -- look here, there's a brochure -- but the employees didn't read it.

Stay tuned for more hilarious finger-pointing Senate inquiries into yet more omnishambles.

Australia may not have an integrated cyber defence strategy, but it does seem to have a strategy for blaming everyone but the leadership. That's the important thing, right?
