Cliff Notes: Australia 2020 Cyber Security Strategy Industry Advisory Panel Report
The views and opinions expressed in this article are solely of the author and not related to any organisation.
The very recent release of Australia's 2020 Cyber Security Strategy - Industry Advisory Panel Report, as located here, offers some great insight into the views expressed at the top end of town, namely big telecommunications and big defence business. The panel contributors benefit from a macro lens often not afforded to those who operate at a less national level, but I would go as far as to say that when you're flying at 10,000 feet above ground, you're not always in the best position to gather insights from the ground.
Having said that, the report offers some really good food for thought. So without any further opinion, here are the parts that I thought were of note:
From the Intro
- Several themes call for the 2020 Cyber Security Strategy to extend the 2016 version by being adaptable
- Cyber security incidents cost Australian businesses $29 billion per year
- Malicious cyber activity undermines the country's economy
- Call to action: Australia must increase its investment in cyber defences, in line with committed budget investment
How they went about it
(page 15-16) The "chosen ones" (the panel participants) met over a 6 month period, and engaged with 215 submissions from industry, most of which were public submissions from across government and industry. It's a great achievement to see that 1,400 people took part in consultations across the country. (Article author note: I'm sure the report was informed by these 215 submissions as opposed to the leading opinions of the panel)
On the 5 key pillar framework
Deterrence: deter malicious actors from targeting Australia (verbatim)
- a call for better attribution of attacks. (Author note: We clearly aren't there yet - as shown on 19th June with the PM statement here)
- a call to strengthen the Australian Cyber Security Centre's proactive authority & capability. (Author note: can't help but ponder on the opinion piece by James Turner located here in terms of its effectiveness given the shadow of authority cast by ASD)
Prevention: preventing people and sectors in Australia from being compromised online
- must pursue initiatives that make it HARDER for businesses and citizens to be compromised online
- better definitions of critical infrastructure and systems all the way through the supply chain, to better address risk
- Government should be leading the way on cyber security best practice
Detection: identifying and responding quickly to cyber security threats
- real-time and bi-directional threat sharing mechanisms between industry and Government
- empower industry to leverage some sort of 'service' to automatically block a greater proportion of cyber threats
Resilience: minimising the impact of cyber security incidents
- strengthen incident response and victim support options
- speed of recovery must be balanced with redundancies in place for systems
- cyber security (initiatives to protect data and networks) distinct from cyber safety (measures to protect the individual)
Investment: investing in essential cyber security enablers
- support development of capabilities by Security Centres (Author note: I assume similar to the various Information Security Analysis Centres (ISACs) available internationally)
- Cyber skills uplift must continue, and needs to be addressed at an education level across primary through tertiary. I interpret this along the lines of my old colleague and friend Pete Herzog's Hacker High School.
- Continue to improve awareness and skills development of company directors
A couple of interesting comments:
- (page 7) Government needs to do a much better job than today of coordination and governing cyber response, if we're going to make efficient use of resources and achieve the objective of effective cyber defences. (Article author interpretation)
- Government is in a unique position to lead the national effort on cyber defence, needing better coordination between federal and other tiers of government, as well as industry partnership. This was an important learning from the 2016 strategy, so it's time to pay attention to this. (Article author interpretation)
List of Recommendations
The report calls out 42 recommendations broadly divided into 7 key objectives.
Objective 1: There are clear consequences for targeting Australians
Objective 2: Cyber risks are owned by those best placed to manage them
Objective 3: Australians practise safe behaviours at home and at work
Objective 4: Government is a cyber security exemplar
Objective 5: Trusted goods, services and supply chains
Objective 6: Comprehensive situational awareness enables action
Objective 7: Effective incident response options and victim support
The report recommends 5 key enablers, supported by 17 recommendations, that the panel proposes should play a big part in delivering on the 2020 cyber security strategy:
Enabler 1: The Australian Signals Directorate's Joint Cyber Security Centres (JCSCs)
Enabler 2: Cyber security skills
Enabler 3: Intelligence and Assessment
Enabler 4: Governance
Enabler 5: Evidence and Evaluation
The Vision and Framework
The vision of "Strong cyber security enables Australians to prosper" is visualised on page 19 and supported by the objectives and enablers above (from page 9 to 14).
There are 12 key objectives within the framework, which can be aligned to the 5 "outcomes" of deterrence, prevention, detection, resilience and investment. These are listed on page 20, and include strong directives for all Australians to practise safe behaviours at home AND at work, Government as the exemplar for cyber security, Australians having access to effective incident response options, and Government and Industry collaborating strongly going forward.
While roles and responsibilities are delineated across Government, Industry and Community by defining who is who, the framework is clear about everyone's responsibility and how each can contribute to the ecosystem being defined.
Issues and Conclusions
Pages 24 to 45 are very informative, but I've elected not to "cliff notes" them in the first version of this article, although I might make an inclusion at a future time if it makes sense. They are sage determinations of the issues perceived as impediments to the 7 objectives and 5 enablers defined earlier in the report.
Take, for example, Objective 1 (There are clear consequences for targeting Australians). The issue section expands on the underlying problem that has driven this objective. It stems from the sheer volume of activity targeting Australians given our relative wealth (Article author note: I've seen some independent stats showing us as the 6th most targeted country in the world currently). Our intelligence agencies are both insufficiently coordinated and insufficiently resourced to deal with the 'demand'. These conclusions lead to 4 proposed recommendations:
- Increase operational-level cooperation between all tiers of government
- Increase ACSC's capability and authority to interrupt criminals
- Increase cybercrime awareness in industry
- Improve diplomatic cooperation beyond our border authority, to hold malicious actors accountable.
The other objectives and enablers are detailed in a similar way, showing not only what informed the creation of each objective, but also the proposed solutions at a high level.
Final Article Author's Word
This document is an important artefact for the incoming Australian Cyber Security Strategy 2020. I think it will be really telling how influential this panel report has been in the final evolution of the 2020 strategy. It's comforting to see that it's being treated quite seriously, and not given lip service (at least, not on the face of it... excuse the pun).
I think it is ironic at some level that there was not a sufficient spread of "Community" or "Industry" participation in the panel, given that the report itself calls out the need for better collaboration between entities in all 3 of those groups. Perhaps the 2024 Panel Report will be more inclusive of a wider variety of SMEs. Notwithstanding that, I expect the 2020 strategy to be a huge improvement over the 2016 one.
This report is well worth the read if you can afford the time. Located again here.
Comments
Chair & Managing Director (4 years ago): Nice summary Nigel, I put together some observations from experience; https://www.innovationaus.com/matt-tett-on-the-cyber-advisory-report/
Cyber Security | Threat Intelligence | API Integration & Student Mentor/Mentee (4 years ago): Thanks for the clear insights Nigel Hedges, will be circling around to help others!
CISO Dulux Group (4 years ago): Nice work, thanks Nigel Hedges
CISO | FAISA | GAICD | CISSP, CISM, CRISC | CSO30 2022, 2023, 2024 (4 years ago): Excellent summary, thanks.
Partner @ RSM Australia | Cyber Security, SOC 2, CPS 234, CDR | CREST penetration testing (4 years ago): Great summary Nigel Hedges. How do you think it compares to the approach being taken by other nations? I've always seen Australia as behind the other power nations, e.g. US, UK, etc.