Labor asks for the whereabouts of Australia's overdue cybersecurity strategy

The Australian government in September announced it was going to update the nation's cybersecurity strategy, making it more relevant to the current cyber threat climate.

The document would supersede the country's current cybersecurity strategy, which was launched in April 2016 with a AU$230 million kitty.

Shadow Assistant Minister for Cyber Security Tim Watts on Wednesday night highlighted the government's new four-year Cyber Security Strategy was now two months overdue.

"Despite growing threats, Home Affairs Minister Peter Dutton has left cybersecurity at the bottom of his in-tray," Watts said during an adjournment debate. "It's been 10 months since the Morrison government began consultations on the new Cyber Security Strategy. Given how quickly things change in cybersecurity, a virtual millennia in hacker years has passed without action."

Watts said Labor hopes the new cybersecurity strategy is released very soon, and that his party also hopes it shows the "substance and imagination that our national cyber-resilience deserves".

As the Minister for Home Affairs, Dutton has oversight of the Australian Border Force and independent statutory agencies including the Australian Federal Police, the Australian Criminal Intelligence Commission, the Australian Security Intelligence Organisation, and the Australian Transaction Reports and Analysis Centre. 

And as Minister for Communications, Cyber Safety and the Arts, Paul Fletcher has his name attached to many cyber-related press releases, but his portfolio is more about consumer safety in relation to things such as inappropriate online content, online scams, and cyberbullying.

Unlike the previous cybersecurity plan, Watts said the new one should include measurable benchmarks and a minister to with accountability for delivering on change.

Multiple public submissions to the review of the nation's Cyber Security Strategy 2020 called for the reinstatement of the position of Minister for Cybersecurity.

"We believe consideration should be given to re-establishing a separate Cybersecurity portfolio within government," wrote Peter Coroneos, international vice president of the Cybersecurity and Cybercrime Advisors Network (CyAN) in November.

"This would send a strong signal to business and the public that the issues our members contend with on a daily basis are receiving the focus and attention they deserve."

"There's no longer a dedicated role for cybersecurity in the executive, which means there's a diffusion of responsibility for cybersecurity throughout multiple departments," Watts added.

Highlighting the influx in ransomware, pointing to Toll, BlueScope, and most recently Lion, just in Australia and only in 2020, Watts said that while the US has so far attracted the highest percentage of attacks, ransomware is an international industry and Australia "isn't heeding the warning".

Watts said he asked the Parliamentary Library to compare the number of documents submitted to both the Australian Securities Exchange (ASX) and the US Securities and Exchange Commission (SEC) that contained the term "ransomware" in the calendar year 2019.

He said of the 108,334 documents submitted to the ASX, just 24 contained a reference to ransomware.

"That's 0.2%," he said.

"Of the 113,937 documents filed with the SEC, 1,139 contained the term, which is only 0.99% but still magnitudes greater than in Australia.

"Ransomware doesn't seem to be appearing to be on the radar of Australian companies. It's only a matter of time before we see the kinds of groups hit in the US being targeted here, and the unprepared are in for a rude shock."

According to Watts, the government must assume some responsibility in the cybersecurity of the nation.

"We need a similar public health mindset for cybersecurity, one that engages at-risk groups and lifts the baseline of cyber-resilience," he said.

"Contingency planning cannot just occur inside Defence or government silos. We've got a long way to go to realise this and ransomware is far from the only cyber threat. Yet, in the face of these evolving threats, Australian cybersecurity policy lacks political leadership."

Last month, during a hearing held by the Joint Committee on Public Accounts and Audit, Watt poked holes in the current reporting requirements of Commonwealth entities and highlighted a lack of accountability when they come up short.

He said the entities in question are still being asked to "mark their own homework" with little external oversight. 

Questioning the Australian National Audit Office (ANAO), the committee raised the concept of "naming and shaming" those consistently performing poorly, a way to light a fire underneath them to lift their posture.

There isn't a way, ANAO said, that the committee could name and shame under the current arrangements, however.

"When something is everyone's responsibility, it tends to become nobody's responsibility. With this government you can't find a fixed point of accountability," Watts added on Wednesday night. "Trying to pin them down on this is like wrestling with a column of smoke."

SEE ALSO

• Cybersecurity the responsibility of agencies, not us, AGD and ASD say
• Labor wants to name and shame poor Commonwealth entity cyber posture
• Potential data breaches make up 14% of Commonwealth incidents reported to ACSC
• How the B-Team watches over Australia's encryption laws and cybersecurity
• Cyber Security Strategy 2020: Civil society experts slam 'national security' agenda
• Labor wonders how Australia would handle a cyber-corona outbreak