The corporate and bigtech sectors, which have the right scale and the best knowledge of their own networks, not only have greater responsibility for managing cyber risks but must also play a bigger role in protecting the population from these risks, says federal cybersecurity Minister Clare O’Neil.
O’Neil, speaking at the Australian Strategic Policy Institute (ASPI) in Sydney this week, said that while securing everyday digital activities should remain a high priority for all Australians, these bigger entities, due to their scale, must step up to play a substantially greater role.
“What success may look like is where, although every single one of us can and should be part of the solution to harden our digital lives to cyber threats, the core responsibility for managing cyber risks rests with those who have the scale and reach to achieve it,” the Minister said.
“This is especially true in the corporate and bigtech sectors who know their networks, their data and, critically, their vulnerabilities, and must take responsibility for securing them to protect our population.”
Corporates, including technology and services providers, can achieve this by furthering their investment in uplifting and embedding security within their systems and services, and by building stronger relationships with regulators, including rigorous application of co-designed Risk Management Programs and machine-to-machine threat sharing. Additionally, she said, corporates must work in partnership with the Australian Cyber Security Centre within the Australian Signals Directorate (ASD).
The Minister also announced the rollout of the ‘national cyber exercise’ series, where the Federal Government will “systematically and frequently exercise with entities covered under SOCI [Security of Critical Infrastructure Act] on a sectoral and cross-sectoral basis supported by the Cyber and Infrastructure Security Group” which sits within Minister O’Neil’s Department. The series will be led by the National Cyber Coordinator and in partnership with critical infrastructure providers.
“I’ve said Australia is waking up from the cyber slumber, but now we need to hit the gym,” O’Neil said.
“This exercise series will build muscle memory in how to deal with a cyber attack – and importantly cover the types of incidents we have not yet experienced on a national scale – such as a lock-up of critical infrastructure or integrity attacks on critical data.
“Critically, it will look at how to work with governments, including dealing with the consequences of a crisis that inevitably will not impact just one company but potentially millions of Australians.”
“This initiative is something that has been raised with me in a number of cybersecurity consultations and, while there have been some great examples of targeted exercising, we need to move faster and in a more integrated way. This is something that should not wait for the Strategy to be completed to get started.”
According to the Minister, a key reason why she was “pushing government hard on the creation of a 2030 Cyber Strategy” was the fact that the conversation about cyber threats was “too much in the here and now”.
“And those of you here know that what we are facing is changing and growing by the day. Why do I say this? One reason is how technology is reshaping cybercrime.
“Today’s cyber challenge has at its heart a simple fact: at present, a clear majority of data breaches can be traced to human error. It’s the theft of credentials, the accidental clicking on a viral link in an email which lets an attacker effectively in the front door. And from there, they can wreak havoc.”
O’Neil added that, ultimately, a failure to patch was not typically an IT failure but often a failure of systems design, of organisational culture, an unwillingness to invest, or other human factors.
“As technology becomes more advanced, this will change,” she said. “There will be more attacks that are purely technological, and that makes them harder to defend against.”
A second major trend, she said, was the shift of everyday life and tools into the online realm, with the Internet of Things seeing billions more devices connected to the internet.
“These two technological trends will combine to produce a new kind of cyber threat by 2030.”
O’Neil added that the technology advantage tended to “flow in both directions” and while technology would enhance the opportunities for cybercrime, it would also enhance the opportunities for cyber defence.
“If anything, today I would say the initiative is with cyber defence – because automation is still favouring detection and blocking rather than penetration and movement, as well as detecting attempts at credential harvesting.
“What I am concerned about in 2030 – the endpoint timeline our Cyber Security Strategy is focused on – is keeping governments and police and the good guys ahead of the game.
“I do not want to be alarmist, because, ultimately, technological shifts are at their core neutral, [but] it is all about how you harness them.
“Let me be clear, I’m not saying the following dystopian future will happen, but if there is one thing I’ve learnt in the cybersecurity portfolio [it’s] that you need to plan for the most consequential scenario and work to stop it.”