Improving cyber resilience a nationwide effort
Improving Australia’s cyber preparedness and resilience is a pressing issue that requires a whole-of-society response, according to Department of Home Affairs Secretary Michael Pezzullo.
The public sector veteran used a video address to the 2020 Edith Cowan and Home Affairs Cyber Security Forum to call for closer collaboration between government, industry and academia on managing Australia’s cyber risks.
“Governments cannot do this on their own. Yes, in days past a lot of security threats were managed in great secrecy and by governments taking the lead,” Pezzullo said in a video message.
“Government had all the information typically, and government had most of the response options and tools in their inventory. This is no longer the case, and especially so in cyber. Frankly, everyone is on the front line.”
Pezzullo had been expected to deliver the keynote address for the Forum, which was convened to explore the key findings of last year’s consultation on the 2020 Cyber Security Strategy, but was unable to attend in person because his department is dealing with a number of issues related to bushfires and biosecurity risks.
Developing a strong cybersecurity strategy will require improving cyber resilience, Pezzullo said. This will in turn require partnerships between governments and industry, between state and federal agencies, and with “society at large”.
One area where such partnerships can play a role is in cyber preparedness, he said. Such a vital area cannot be left to CIOs of organisations or to government agencies to manage alone.
“Preparedness is something that has to be thought about on that whole-of-society basis,” Pezzullo said.
“Our universities play a great role in adding to our store of knowledge, research and thinking, as do cooperative bodies such as the CRCs, as do large corporations, as does the business sector at large, as do citizens themselves.”
But at the same time, the government needs to lead these efforts, particularly in aspects to do with standards, trusted marketplaces and cyber awareness, Pezzullo said. Exploring the latest techniques and approaches is an important aspect of the preparatory work for designing the 2020 Cyber Security Strategy.
Other important considerations for the strategy involve incident management and response. Cybersecurity planning in the modern era requires considering a hack to be inevitable, which means a response will be required, Pezzullo said.
“If we accept the proposition that incidents are going to occur — no matter how we minimise their incidence or their severity — if incidents are going to occur, what are the best response strategies?” Pezzullo asked.
“What are the right protocols? How do we get emergency help particularly to those who are affected most egregiously? And indeed how do we as a nation and a people and a society respond, particularly to those most grievous hacks which are societal-wide and which have repercussions that spread beyond our IT usage?”
Finally, developing a fit-for-purpose security strategy will require answering important questions about recovery and resilience, Fletcher said.
“How do we recover essential services quickly? And is this really just an issue in terms of our IT response? If data is being frozen, if essential services have gone offline, if other societal functions have been impaired, how do we respond societally? How do we respond with resilience, much in the same way as we do with disaster risk or climate risk or indeed biosecurity risk?” he said.
“It’s these common society-wide risks that need to be mitigated and responded to that my department particularly is charged with thinking about society-wide impacts. That’s why, as I’ve said already in this address, thinking about it on a whole-of-nation basis is absolutely imperative.”
Findings from the conference will be used to help shape the advice the department is preparing for the government in terms of the 2020 Cyber Security Strategy, Pezzullo concluded.
He said the government is seeking to determine what parts of the existing strategy — which was developed in 2016 — remain fit for purpose and should be retained, and what parts should be replaced.