On 21 April 2016, the Federal Government launched its long-awaited new Cyber Security Strategy, following 18 months of public consultation and review. Prime Minister Malcolm Turnbull’s foreword to the Cyber Security Strategy states that the strategy gives cyber security “the attention it requires in an age where cyber opportunities and threats must be considered together and must be addressed proactively”.
This is a sentiment with which our Corrs Cyber experts strongly agree. Leaving aside issues of national security, we often see first-hand the financial and reputational cost of cyber security incidents, particularly data security breaches. The absence of cyber resilience, and of accompanying effective regulation, has serious implications for the public and private sectors, and for individuals.
BALANCING INNOVATION AND PROTECTION
The Cyber Security Strategy (an update to the inaugural strategy released in 2009) aims to balance the need for Australia to innovate in the online environment against the “real and growing” cyber security threats. It outlines the Government’s plan to develop national cyber resilience, for the public and private sectors and for individuals, with a view to “unlocking” Australia’s digital potential.
It also includes a significant investment by the Federal Government in cyber security: $230 million over four years, in addition to the separate defence-related investment in cyber security announced in the 2016 Defence White Paper. These funds are to be applied to improving cyber capability and delivering new initiatives, with over $30 million to be invested in an industry-led Cyber Security Growth Centre. This is positive news for innovative and disruptive Australian companies with products or services aimed at addressing cyber threats or improving cyber resilience within the public and private sectors.
THE 5 KEY COMPONENTS OF THE CYBER SECURITY “ACTION PLAN”
National cyber partnership between government, research and business
- Engagement by the Federal Government with business and research leaders on cyber security strategy.
- Boosting of funding of research into the cost of malicious cyber activity.
- A Minister Assisting the Prime Minister on cyber security will also be appointed.
Strong cyber defences
- Improved sharing of information (including classified information) between government and the private sector on cyber threats and responses. The Strategy refers to an online cyber threat sharing portal, but no further detail is provided at this stage as to access and operation of this portal.
- Investment in the Australian Cyber Security Centre.
- Boosting cyber security capability within the Australian Crime Commission and the Australian Federal Police.
- Raising the bar on cyber security performance. This includes co-design of national voluntary cyber security guidelines to promote good practice.
Global responsibility and influence
- Championing an open, free and secure internet.
- Co-operation with international law enforcement and other agencies on cyber crime.
- Building cyber capacity to prevent and shut down safe havens for cyber criminals.
Growth and innovation
- Investment of $30 million to establish an industry-led Cyber Security Growth Centre.
- Support and promote Australian cyber security products and services.
- Suggestion of regulatory reform (but limited detail in the Strategy).
Developing a cyber smart nation
- Support for cyber security professionals.
- Establishment of the Academic Centre of Cyber Security Excellence.
- Fostering STEM participation in schools.
RAISING THE BAR ON CYBER SECURITY PERFORMANCE
There is general acceptance among the business community that a cyber incident will affect every organisation at some point. As recognised in the Cyber Security Strategy, being cyber resilient is not “an IT issue”. It is also more than a compliance issue: it “belongs at the centre of business strategy for organisations across the public and private sectors”. Cyber security is a real business risk to be prioritised, managed and funded by both public and private sector organisations.
A key component of the Cyber Security Strategy is to raise the bar on cyber security performance. This includes a plan to co-design national voluntary cyber security “good practice” guidelines, aligned with international standards, as well as voluntary “health checks” (for ASX100 listed companies), to help organisations understand their cyber security strengths and gaps. We would expect that these guidelines would include a corporate road-map and other practical tools for preparing for and responding to malicious cyber activities, including data security breaches (similar to the Corrs Dealing with Cyber Security Corporate Road-Map).
But, as we see with privacy (or indeed any regulatory) compliance, for guidelines and “health checks” to be effective, they need to be properly implemented and adopted by the organisation through an organisation-wide change program. They also need the support of the Board and senior executives. Hopefully the release of the Cyber Security Strategy will help get cyber security issues, and the need to become cyber resilient, the attention they require within organisations, particularly at the Board and executive levels.