The topic “Risk, Resilience and Responsibility” is particularly apt given both the importance of the internet in our social and economic lives and the fact that the internet is largely uncontrolled and has grown organically at an exponential rate.
The internet provides government and business alike with opportunities to operate more efficiently. Its exponential growth has fundamentally changed the way we work and interact socially, and will continue to do so.
But increased reliance on networked devices comes with additional risks, which is why cyber security is a national security priority for the government.
Of all the trans-national security challenges we face, malicious cyber activity is likely to be the most persistent.
Offensive cyber attacks are a direct threat to the Australian Defence Force’s warfighting ability given the ADF’s reliance on information networks.
Cyber threats also have impacts well beyond Defence, with the potential to attack other government agencies, vulnerable sectors of Australia’s economy, critical infrastructure as well as individuals.
State and non-state actors now have access to highly capable and technologically advanced tools to target others through internet-connected systems and we are seeing greater use of offensive cyber operations. This trend is likely to continue.[pullquote] “Cyber security is not just an issue for governments … also an issue for industry and individual citizens.” [/pullquote]
The first priority of this government is the safety and security of its citizens.
For us, this is not just a catch phrase or a throw away line — as Minister for Defence, when I say that, I mean it.
As a demonstration of this, planning for future national security interests is a fundamental responsibility of the Australian government.
Part of this is being flexible in the face of new threats and new technologies, technologies which can lead to new opportunities, but which can also create new weaknesses and accentuate old vulnerabilities.
But cyber security is not just an issue for governments. Cyber security is also an issue for industry and individual citizens.
This issue is one that could impact adversely upon our economic interests and national well-being, not just our national security interests.
How government is Planning to Respond to Cyber Challenges
Defence White Paper
The government is, and will continue to respond to these cyber challenges.
I can assure you that cyber security is given close attention as part of Defence’s strategic planning.
To set out the government’s vision for Australia’s defence strategy over the next two decades, we will release a new Defence White Paper in the second half of this year.
The 2015 Defence White Paper will present an affordable and long-term plan that aligns strategy, capability, and resources.[pullquote] “While technologies can lead to new opportunities for Defence, they can also create new weaknesses.” [/pullquote]
It will focus on Defence’s role as an element of a broader national approach to addressing Australia’s future challenges, and take account of complementary work such as the whole‑of‑government Cyber Security Review.
Through the White Paper, the government will clearly define the tasks it expects Defence to perform. It will give substance to the principle that the primary purpose of the ADF and Defence is to defend Australia and our national interests.
The White Paper will provide the resources required to achieve those tasks. It will deliver on the government’s commitment to grow Defence funding to 2% of GDP by 2023-24.
In support of the White Paper, a fully-costed Force Structure Review is designing a more capable and agile ADF that is equipped to respond to a wide range of potential contingencies.
The White Paper will set out Australia’s planned capability acquisitions for the coming decades as well as investment in supporting infrastructure, personnel and information technology systems.
Over the 20-year horizon of the White Paper, the government will substantially enhance Defence’s cyber capabilities, as well as invest in other enablers of the joint force such as intelligence, surveillance, communications, infrastructure and training.
I am particularly mindful of our increasing dependence on cyber capabilities for military effectiveness. As is the case more broadly, while technologies can lead to new opportunities for Defence, they can also create new weaknesses.
Defence’s future cyber capability will therefore focus on ensuring our sensitive information, systems and platforms are adequately protected.
The government recognises that a high priority will need to be placed on growing the specialist cyber workforce we need to keep pace with technological advances and protect against future global cyber threats.
The White Paper will set out how Defence will achieve this growth, including through targeted recruitment and retention.
There are opportunities here which the government, through the Defence White Paper, will explore more fully.
The White Paper will also address the role Australia can play in supporting a rules-based approach to cyber issues internationally.
Having recently returned from the Shangri-La Dialogue in Singapore, there is an appetite amongst like minded nations to follow a rules-based approach.
Our interest in the maintenance of a rules-based international order extends beyond maritime trade routes and includes cyber, space and other domains.
As most cyber incidents fall below the threshold of armed attack and armed conflict, we think it is important for the international community to give consideration to the development of peacetime norms.
It is clear that Australia’s security environment is becoming more challenging and over the next 20 years will be shaped by complex non-geographic threats, such as those in the cyber domain.
As a non-geographically bounded technology, cyber is a good example of the inadequacy of taking a narrow security approach focussed on geographic regions.[pullquote] “In 2014 the Australian Signals Directorate responded to 940 cyber security incidents involving government agencies.” [/pullquote]
To respond to these challenges, our armed forces must be prepared for a diverse range of possible operational requirements.
At the same time, Defence will need to continue to contribute to national cyber efforts to protect Australia and its critical systems, including by resisting attempts at coercion through cyber means.
It is important that we recognise the invaluable work undertaken by the Australian Signals Directorate and the Australian Cyber Security Centre in this regard.
In 2014 the Australian Signals Directorate responded to 940 cyber security incidents involving government agencies, a 37% increase on the previous year.
Defence also contributes to whole-of-government efforts to support the development of cyber rules and norms, in concert with the United States and our other international partners.
What the Government is Doing Now
Cyber Security Review
As I have indicated, the Australian government is very aware of the threats and opportunities that cyberspace affords. That is why the Prime Minister has ministerial responsibility for cyber security, with his department is taking the lead for cyber policy.
Last November Prime Minister Abbott announced a Cyber Security Review to assess Australia’s risk in cyberspace, and to ensure we are optimally working together to become more resilient against those who would do us harm.
The Review will:
- update the government’s cyber security priorities;
- provide a view on the cyber threats and risks Australia faces;
- clarify the government’s role in cyber security for Australia, including how this contributes to the protection of critical infrastructure;
- describe how government and industry can best team up to defend ourselves jointly from those who want to harm us in cyber space;
- outline an improved approach on Australia’s engagement with international cyber security forums, to further Australia’s interests and cement our leadership on cyber security; and,
- recommend practical initiatives to improve Australia’s cyber security, for government consideration.
The government expects to consider the Cyber Security Review’s recommendations shortly.
Australian Cyber Security Centre
It is important to recognise that the Cyber Security Review is not taking place in isolation. The government continues to strengthen its cyber security posture through a number of measures including the Australian Cyber Security Centre.
It has now been just over six months since the opening of the Australian Cyber Security Centre. The Centre sees the co‑location of cyber security capabilities from across a number of government agencies. The Centre is an important government initiative to ensure that Australia’s information networks are amongst the hardest in the world to compromise.
The Centre is responsible for developing a comprehensive understanding of, and then dealing with, the threat to Australian government networks and systems of national interest.
The Centre now allows the opportunity to leverage the skills, information streams and resources of multiple government agencies and also makes it easier for industry and government to engage with each other.
It is important to recognise that government does not have all the answers. A key priority of the Centre is to partner with industry. That includes infrastructure providers, telcos and ISPs, sectors that are targeted by cyber actions, and cyber security vendors.
Partnering with industry will allow close engagement on everything from information sharing to the development of effective response strategies.
The Centre’s Board has already endorsed seven telcos and ISPs to be invited to join the Centre and is now looking to include representatives from those industries and companies most targeted by malicious cyber actors.
The Centre also recognises the importance of cyber security service providers and will continue to collaborate with them.
Working with our partners
The government is also working closely with our international partners on cyber security.
Australia’s annual Ministerial Consultations with both the United States and the United Kingdom have recognised the need to work together to address mutual threats and challenges emerging in and from cyberspace.
The government is also leading regional cyber confidence building programs for example through the ASEAN regional forum. We also conduct open regional cyber dialogues with New Zealand, China, Republic of Korea and Japan.
All countries are at risk from cyber threats, and it is important that regional and global security architectures continue to evolve to address these new challenges.
Cyber security is a global challenge, which we can only combat by working together.
Strategies to Mitigate Targeted Cyber Intrusions
Closer to home there are things that we can all do to prevent the vast majority of cyber intrusions.
Last year the Australian Signals Directorate released a revised version of the Strategies to Mitigate Targeted Cyber Intrusions.
This document provides information about comparative mitigation implementation costs and user resistance levels to help organisations select the best set of strategies for their requirements.[pullquote] “Cyber security must be a community effort. We all face the same threats, and we can learn from each others’ experiences.” [/pullquote]
It includes a list of 35 strategies ranked in order of effectiveness to mitigate cyber intrusions. ASD developed the Strategies to bolster the security of Australian government information systems.
While no single strategy can prevent malicious activity, the effectiveness of implementing the Top 4 strategies remains very high.
At least 85% of the cyber intrusions that ASD responds to involve adversaries using unsophisticated techniques that would have been mitigated by implementing the Top 4 mitigation strategies as a package.
For this reason, the top four of the Strategies have been mandated for implementation across government agencies.
Organisations, whether government or Industry, who do not implement these strategies do so at their own risk. And at Australia’s risk.
The government is committed to strengthening Defence’s capacity to protect itself and other critical government systems from malicious cyber intrusion and disruption.
And we recognise that cyber security must be a community effort. We all face the same threats, and we can learn from each others’ experiences. If we are to effectively combat the scope and scale of the cyber threats government and industry must continue to work together.
This is an edited extract from a speech by Defence Minister Kevin Andrews at the Cyber Security Summit in Canberra on July 17.
Read more at The Mandarin: Government tickles funny bones to promote cyber security