Australia has slipped two places in a survey of regional cyber maturity, prompting calls for agencies to rethink their security strategies and for a strong whole-of-government approach similar to other top-tier countries.
The co-author of the Australian Strategic Policy Institute’s second survey of cyber maturity in the Asia-Pacific region, Dr Tobias Feakin, says Australia has lost ground relative to progress made in Japan, South Korea and Singapore.
“Those countries have implemented stronger government approaches to cyber issues, and focused on invigorating innovative digital business and start-ups,” Feakin said.
“Due to more rapid implementation of cyber policies in other countries, Australia’s rank has dropped from three to five, despite improving on its overall 2014 score. Strong implementation of the renewed cyber strategy is required to keep up with the rapidly increasing maturity of cyber policy approaches in the region.”
The new cyber scorecard comes as the Australian government is preparing a major report on cybersecurity, co-ordinated by the Department of the Prime Minister and Cabinet and led by first assistant secretary (cyber policy and intelligence) Lynwen Connick. And the latest State of the Internet security report, from Akamai Technologies, confirms the scale of the security problem is growing every year, as is the sophistication of attacks.
Its report found the number of mega attacks has doubled in one year, setting a record for the number of attacks observed. The Australian Signals Directorate responded to more than 1000 incidents impacting government networks last year, while CERT Australia responded to more than 11,000 incidents in Australian businesses.
Although a global problem — online crime and a lack of harmonised legal structures and capacity are shared challenges — there remain significant differences between countries in both their ability and capacity to address cybercrime through cyber-focused policies, legislation and regulatory frameworks.
“Cybercrime in the Asia-Pacific region accounts for a significant proportion of global cybercrime yet the diversity between countries can be significant,” said John Ellis, chief security strategist across Asia-Pacific for Akamai, an American firm that is the world leader in content delivery networks. “The gaps I see, both in business and government, are mostly around education, people and organisational constructs.”
CDNs cache data to speedily and efficiently shift content — images, formatting files, audio and video — between servers all over the world by reducing the number of legs a file must travel across before it reaches its destination.
Akamai’s network carries 15-30% of global web traffic each day — some 2 trillion transactions. The sheer scale of this produces massive amounts of data on many metrics related to broadband connectivity, mobile access, cloud security and media delivery. This in turn provides formidable intelligence and insight on cyber attacks.
A rethink on internet security
The company’s quarterly State of the Internet program was built to leverage that data to better enable businesses and governments to make intelligent, strategic decisions. But Ellis warns that with the media announcing some form of a breach almost every day, news about cyber-attacks is at risk of becoming white noise.
“The frequency of these security incidents can tempt many government agencies and businesses to put the brakes on cloud adoption, and in some cases, the use of shared services is frowned upon. This creates a significant disadvantage for those organisations,” he said.
“With the increased awareness of cyber-attacks, why are businesses and public agencies still struggling to prevent or even detect a security incident until way after the fact? How well are you able to weave together security point products from multiple vendors to create an effective and adaptable cybersecurity framework?
“For me, the answer requires a rethink in how security is viewed. Certainly, it is an admirable goal to avoid being breached at all, but it’s an unrealistic one. We need to focus on cyber resilience and move away from viewing investment in security systems and solutions as insurance.”
The need to maintain a fresh approach to security was also promoted by former ASIO director-general David Irvine, who told the audience at the launch of the cyber maturity survey that the answer to “the dark side of the cyber moon” was not to turn it off:
“We should recognise our vulnerability and employ the same creativity used to build the internet and the IT culture to address and mitigate its malicious by-products.”
Ellis notes the biggest day-to-day threats faced by companies and government agencies come from crooks and spooks hoping to steal financial data and trade secrets. And all too often breaches are caused by simple blunders, such as failing to separate systems containing sensitive data from those that do not need access to them.
“Companies and governments need to get better at anticipating where attacks may be coming from and adapt their defences swiftly in response to new threats. Technology can help, as can industry initiatives that allow firms to share intelligence about risks with each other,” he said.
It is in the latter area that Australian organisations and governments need improving. ASPI researchers noted:
“While the Australian government is engaging with the private sector during the review process, it’s yet to be seen what the review will deliver and what changes will be implemented as a result.”
Dialogue on cybersecurity issues between the Department of Defence and agencies beyond traditional “intelligence” partners needs to improve, as does dialogue between the public and private sector. At the moment, sustained two-way interaction between government and business is focused squarely on key sectors in banking, telecommunications and operators of critical infrastructure. ASPI urges:
“The effort could be both deepened and widened to incorporate more sectors.”
Reviewing Australia’s capability
This point has emerged as one of the primary areas of focus for the government’s cyber review. Connick told delegates at the recent Australian Information and Security Association national conference that building resilience across Australia’s networks and systems will require “sustained and close government-private sector co-operation”:
“This includes thorough sharing of information about threats, working together to develop responses and exercising our responses so we are prepared for significant attacks. The need to share more information on threats was one of the most frequently raised issues during our review consultations.”
Australia’s growing digital economy and our rapid integration into the wider Asian economy mean a broader approach to risk and associated protections is required. Ellis, for example, notes the substantial numbers of first-time users coming online in the Asia–Pacific, many via their mobile phones. This creates whole new opportunities for data and identity theft.
According to the ASPI cyber maturity research, South Korea, Singapore and Japan are noteworthy for the breadth of their cyber policy governance frameworks and the effectiveness of their implementation. Its report states:
“Those countries and others such as Australia, New Zealand and the United States are increasingly centralising the administration of their cyber policy and security under leading departments of government.”
This has recently occurred in Canberra, where many of the Australian government’s digital functions have been brought into the Prime Minister’s Department. There has also been the appointment of a Minister assisting the Prime Minister for Digital Government, Senator Mitch Fifield.
ASPI also noted the government had launched the Digital Transformation Office in 2015 to drive online service delivery:
“Australia’s score could improve with faster and more readily available internet services and a pronounced effort to foster and support domestic digital innovation, which is often lost to offshore economies.”
The coming year is expected to see a major acceleration of government digital programs spearheaded by the DTO, which has already committed to a new beta business registration site and a new Medicare application site by March next year.
The rapid improvement in public sector digital capacity should see Australia remain competitive in comparison to its regional colleagues, but in turn also requires an enhanced performance and protection regime. With citizens being increasingly reliant on digital channels to interact with government, it is imperative agencies have a sophisticated protection plan that is able to adapt to the fast-changing threat environment.