We summarised the Federal Government’s Cyber Security Strategy in our last edition. We provide the following brief update on developments since then in the Government’s implementation of that strategy.
Australia’s first ever cyber security minister
On 18 July 2016, Prime Minister Malcolm Turnbull announced the appointment of Dan Tehan to the new role of Minister Assisting the Prime Minister for Cyber Security. The appointment of Mr Tehan accords with the initiatives that were part of the Government’s Cyber Security Strategy.
Mr Tehan is to work closely with Alastair MacGibbon, the Special Advisor to the Prime Minister on Cyber Security (appointed on 21 April 2016) and the Cyber Ambassador (a role that is yet to be appointed by the Minister for Foreign Affairs).
The Department of Prime Minister and Cabinet states that Mr Tehan will “support the Prime Minister in strengthening the partnerships between government, business and academia, to mature Australia’s national approach to cyber security”.
The Prime Minister had announced in April 2016 that Mr MacGibbon is to provide “clear objectives and priorities to operational agencies and oversee their implementation of these priorities” and “lead a cultural change in the way we approach cyber across government, and develop partnerships with the private sector, researchers and our international partners, and engage the media in the evolving debate around cybersecurity”.
Budgetary funding for the Cyber Security Strategy
The Budget Review 2016-17, released in May 2016, includes funding details for the $230 million to be provided for cybersecurity initiatives identified in the Cyber Security Strategy for the next four years.
Such funding is in addition to $300 to $400 million that is to be provided over the next ten years to improve Defence’s cybersecurity capabilities, which was announced in the 2016 Defence White Paper.
In our last edition, we reported that the Cyber Security Strategy had five broad themes. The funding allocations for those themes are as follows:
- $38.8 million toward the national cyber partnership (bringing governments, business and the research community together) – this includes annual Prime Ministerial meetings with industry stakeholders and the relocation of the Australian Cyber Security Centre to Canberra;
- $136.1 million for strong cyber defences (ensuring that Australia’s networks and systems are hard to compromise and resilient to cyber attacks) – including the development of a best practice guide on good cybersecurity, support for the voluntary business cybersecurity governance health check and $15 million to “allow small business to access cybersecurity testing”;
- $6.7 million for global responsibility and influence (promoting an open, free and secure cyberspace by taking global responsibility and exercising international influence) – this includes the establishment of the new Cyber Ambassador and “capacity building with international partners towards greater cyber resilience”;
- $38 million for growth and innovation (allowing Australian businesses to grow and prosper through cyber security innovation) – this includes the establishment of a Cyber Security Growth Centre and continuing research under the CSIRO’s Data61 group; and
- $10 million towards the cyber smart nation (ensuring that Australians have the cyber security skills and knowledge to thrive in the digital age).
First threat sharing centre in Brisbane
One of the initiatives announced in the Cyber Security Strategy was a proposal for joint cyber threat sharing centres and an online cyber threat sharing portal. The rationale behind these initiatives was the Government’s view that by securely sharing sensitive information and working together, in real time where possible, a stronger collective understanding and ability to analyse and predict cyber security threats can be developed.
The Government has recently announced that its first cyber threat sharing centre will open in Brisbane on a pilot basis before the end of the year.
It is reported that the centres will be modelled on the UK’s Cyber-security Information Sharing Partnership (CiSP), which is described as “a joint industry and government initiative set up to exchange cyber threat information in real time, in a secure, confidential and dynamic environment, increasing situational awareness and reducing the impact on UK business”.
It will be interesting to see how this voluntary threat sharing model develops and whether businesses will be willing to share threat information or will be concerned not to admit to their own vulnerabilities.
Prime Minister’s keynote address at the Australia-US Cyber Security Dialogue
Part of the Government’s agenda under the Cyber Security Strategy is to exercise global responsibility and influence by promoting international cooperation on matters of cyber security and working with its international partners to champion an open, free and secure internet.
In that vein, we have reported previously on the Australia-US Cyber Security Dialogues that were anticipated to be held on a regular basis. An opportunity for such an occasion arose when Prime Minister Turnbull was in New York in September for his visit to the United Nations, and he was also able to address the Australia-US Cyber Security Dialogue.
The Prime Minister’s address was wide ranging, touching on many cyber security themes including the threat to national security, critical infrastructure and business profitability presented by cyber risks.
Some of the particularly interesting issues the Prime Minister dealt with included the following:
- Role of government: the internet has, for the most part, remained free of government domination or control, and yet governments cannot be completely hands off, having a clear role to play, working together with the private sector, in securing the internet;
- Role of academia and industry: academia and industry were urged to cooperate with government on good cyber policy;
- Agreed norms and existing rules of behaviour: Australia has decided to adopt a role in “champion[ing] a cyberspace in which State actors, businesses and individuals behave in accordance with agreed norms – because existing rules of behaviour should extend into the cyber world”;
- Transparency: transparency with respect to disclosure of data breaches is to be encouraged as it can grow trust and insulate companies from more serious economic loss. The K-mart data breach last year was cited as a good example of proactive transparency by a company, and the government “intends to lead by example by initiating frank conversations about our success and also about failures”;
- Role of business leaders: the need to “convince leaders, at board level and corporate sector and government levels, that cyber is one of their essential functions” with such people needing to be “cyber ambassadors”;
- Role of security staff: the need for companies to be “listening to the risk mitigation advice of [their] security staff” as a good business practice and “increasing the capacity for security staff to engage in conversations with senior decision makers”, especially when responding to a cyber incident;
- Improving the cyber lexicon: noting the fact that those outside the cyber security world often do not have the requisite degree of understanding of the threats, the Prime Minister “call[ed] on academics to turn their minds to the problem of cyber lexicon” raising the question of how we might clearly communicate with each other and normalise cyber discussions; and
- Large businesses to help others: a particularly innovative suggestion was the call for large enterprises, with more sophisticated cyber security capability, to “help themselves by helping others”, deploying their knowledge and resources to assist small businesses (often connected to larger businesses as suppliers, distributors and contractors) who are “putting a toe in the water of the online world” and who are “far less secure, far less savvy, far less resourced than governments and big business”. Specifically, the Prime Minister suggested that large businesses with an established Information Security Officer could help secure the veracity of the internet by seeking out, and sharing knowledge with, a small or not-for-profit enterprise.
The key takeaway from the address was the Prime Minister’s articulation of the respective roles that government and business can play in securing the internet, not only for the benefit of their own respective businesses but for the benefit of the broader economy and society. What will be interesting to see is the extent to which entities will voluntarily behave within “agreed norms” and “existing rules of behaviour”, or whether future governments will see the need to regulate more proscriptively in this area of risk.
This article was written by Andrew Miers, Partner and Matthew Hunter, Senior Associate.