Strengthening Australia's cybersecurity ecosystem
A better incident reporting scheme would be one way of reinforcing Australia’s cybersecurity posture.
As cyber attacks become more prevalent and ever more harmful, governments at all levels are taking action to beef up their capabilities — and those of the private sector — to tackle the threat. As part of its efforts to improve Australia’s cybersecurity posture, the federal government recently released its 2020 Cyber Security Strategy Industry Advisory Panel report, which has received widespread support overall.
The report recommends more transparency about government investigative activity, more protection for critical infrastructure, better real-time blocking of attacks, and strengthened incident response and victim support programs.
But is this enough, or are there still gaps that need to be filled? How can and should the public and private sectors work together in the cause of cyber defence? And what actions need to be taken once a cyber attack occurs?
To find out more about what can be done, we spoke with cyber researcher Dr Lennon Chang from Monash University’s School of Social Sciences.
Is the federal government doing enough to strengthen cybersecurity, both for itself and for the wider community?
Over the past few years, the Australian Government has put extensive resources into strengthening cybersecurity. We saw the launch of the Cyber Security Strategy in 2016 and the establishment of the Australian Cyber Security Centre. These all show the government’s determination to contribute to a secure cyber space in Australia.
And as cybersecurity and cybercrime are not limited by borders, the government launched its International Cyber Engagement Strategy to help developing countries, especially countries in our neighbourhood (the Indo–Pacific region), to strengthen their cyber capacity and cybersecurity.
These are all good approaches but they will never be enough, as new technologies keep providing new opportunities for cybercriminals to create new types of cyber threats.
How does Australia compare with other countries when it comes to national cybersecurity?
In my opinion, Australia is doing well. It is good to see the Prime Minister being willing to stand in front of the media and talk about cyber attacks on government agencies. It is a good change of attitude as it tells the public that agencies under attack are victims and shouldn’t be blamed. This might encourage corporations and other victims to not hide the fact that they have had a cyber attack.
What should the government do to improve protection of critical infrastructure?
It is important for the government to have a good plan to not only protect critical infrastructure but also to build resilience. Based on my research, this includes a better incident reporting scheme that takes into consideration fears of reputational damage and further auditing requirements as well as providing incentives to encourage reporting.
Sharing knowledge and experience is essential to alert other companies and organisations to the risk and to encourage vigilance and cooperative responses. It is so important that I would argue that the government should consider a compulsory reporting system. Currently we have a voluntary reporting system and anyone can report an incident to ACSC, but they don’t have to.
The ASD has the authority to take offensive action against foreign cyber attackers. Should Australia go harder on this?
First of all, not all cyber attacks come from state-backed entities. Some are lone wolf attacks and others are from criminals or groups supporting a particular cause. There is little, if any, risk in fighting back in these circumstances.
Taking offensive action against a state-backed foreign cyber attack might not be ideal if it results in an escalation, and possibly even a full-scale cyber war. It is important to know your enemy before taking offensive action, but often we may suspect who the enemy is but we don’t know for sure. However, it is important that the Australian Government has the capacity to do this when needed. It might contribute to a cyber war, but just having the capacity for retaliatory action might also be a way to prevent a cyber war from happening. At the very least Australia needs to maintain an advanced capacity to defend itself from cyber attacks/cyber war and be prepared to use it.
You’ve said that Australia needs a better incident reporting mechanism. What would this look like?
The US has long had a Federal Information Management Act which guides computer incident reporting. Taiwan and China have similar schemes. Although we have Cyber Incident Management Arrangements guiding incident reporting, they are not comprehensive enough as recommended in the Industry Advisory Panel Report. It is important to include industry in the scheme, especially industries related to critical infrastructure.
Also, while designing the scheme, it is important to embed ‘safe harbour clauses’ and ways to promote reporting. As mentioned in my research, the current reporting scheme used by the aviation industry to report near misses would be a good model to consider when we design an incident reporting scheme for cyber attacks.
Does the 2020 Cyber Security Strategy Industry Advisory Panel report go far enough?
The report has several important messages, such as the need for incident reporting and cybersecurity awareness. The current focus on cybersecurity has mainly been on technology, not on human factors. However, human error has been the main factor enabling cyber attacks and cybercrime. It is important to raise the general public’s cybersecurity awareness — how to design an effective way to do that will be something that the government will need to consider.
Take the issue of virtual kidnapping of international students, for example. It is obvious that the message from the police about preventing virtual kidnapping has not gotten through to international students, with a spike in kidnappings after two to three years of warnings.
With regard to cyberskills, I would suggest that the government invest not only in the science side of cybersecurity but also include professionals from disciplines such as criminology, law, psychology and human behaviour in the Joint Cyber Security Centres to encourage the development of strategies and responses that are both feasible and effective.
Are current penalties sufficient incentive for making systems more secure, or do they need to be tougher?
An approach to combating cyber attacks that relies solely on punitive measures will not be successful. And it is important that the government not exaggerate the problem as this can lead to denial, apathy and fatalism. It is also important that messaging around cybersecurity be connected to values other than security alone — values such as the economic benefits of secure infrastructure and online payment systems, for example.
The most important point is that cybersecurity is everyone’s responsibility — government, private sector, NGOs and individuals. Cybersecurity is not just a matter for the ASD and the police; it is also about human error and the need for changes to online behaviour.