Industry report calls for ACSC to get offensive and smaller agencies to get cyber help

60 recommendations from report designed to feed into Australia's upcoming cybersecurity strategy.
Written by Chris Duckett, Contributor

The industry advisory panel created to feed into Australia's upcoming 2020 Cyber Security Strategy handed down its report on Tuesday that contained 60 recommendations designed to boost the nation's defences.

Of the recommendations, 25 were deemed worthy of immediate priority status, while the remainder were suggestions for the strategy itself.

Among the recommendations were calls to increase the ability of the Australian Cyber Security Centre (ACSC) to "disrupt cyber criminals on the Dark Web and to target the proceeds of cybercrime" and hold malicious actors accountable through law enforcement, diplomacy, or even economic sanctions.

"The Australian government should openly describe and advocate the actions it may take in response to a serious cybersecurity incident to deter malicious cyber actors from targeting Australia," the report recommended.

The report also called for "larger, more capable" government departments to help out the cyber defences of smaller agencies.

Since 2016, the structure of Commonwealth cyber defences has relied on each agency -- from super departments like Home Affairs down to tiny ones like Geoscience Australia -- being responsible for its own defences.

See also: Geoscience Australia to be Top 4 compliant after discovery of unknown rogue file

"My view is we want each individual department and agency to take responsibility themselves, and the best way we can do that is just remind them of the need for them to take this issue incredibly seriously," then Minister Assisting the Prime Minister on Cyber Security Dan Tehan said at the time.

"I think if we go over the top ... sort of a centralised approach, I think that presents dangers. I don't think mandating is the way to go."

Chair of the industry panel and Telstra CEO Andy Penn told ZDNet on Tuesday that this recommendation was not a rebuke of the Tehan approach.

"I think it is a recognition that building cyber defences to the degree you need to given the sophistication of cyber criminals and cyber activity ... it requires a significant investment and requires very significant resources and very deep expertise. It's an acknowledgement that scale plays a role in that," he said.

"It's a recognition of an opportunity that the government has to focus on big departments ... that they can play a role in developing very sophisticated defence capabilities, and that they can then be leveraging the smaller departments, are just a practical consequence of the complexity of the landscape."

The report also said incentives should be made available to allow government to attract and retain cyber specialists, while it also called on government networks to have equivalent or higher protection than private networks.

"Ultimately governments should be exemplars of cybersecurity best practice and Australian governments have some way to go in achieving this aspiration."

Similarly, the report recommended that large businesses receive incentives to support smaller businesses in their supply chain and client base.

"Large corporates in Australia ... are not as well prepared as they need to be, but probably better prepared than small and medium businesses," Penn said.

The report also called for a "dynamic accreditation or mandatory cybersecurity labelling scheme" that would inform consumers, said the government should consider mandatory certification of supply chains for critical infrastructure, and that the strategy should improve access to actuarial data to help out the cyber insurance industry.

Earlier this year, Telstra lifted the lid on its Cleaner Pipes initiative, under which the telco attempts to block malware downloads and botnet command-and-control traffic within its own network.

The report said industry could be empowered to replicate such schemes, and further said there should be legislation to both back up the process and provide safe harbour provisions to give telcos certainty about the information they share with each other in responding to cyber threats.

It was also recommended the government establish an automated, bi-directional threat sharing system between government and industry, and its first area of focus should be critical infrastructure.

"The Panel recommends that threats to critical infrastructure, digital supply chains and systems of national significance should be addressed first," the report said.

"State, territory and local governments should also be considered key implementation partners for all elements of the strategy."

The panel also recommended that a similar standing panel be established to advise the Minister for Home Affairs on cyber matters and on the implementation of the upcoming 2020 strategy.
