The Australian government has handed down its 2020 Cyber Security Strategy [PDF], with the Commonwealth to develop legislation that would impose cyber standards on operators of critical infrastructure and systems of national significance; consider what laws need to be changed to have a minimum cyber baseline across the economy; and create powers that allow the federal government to get on the offensive and actively defend networks and critical infrastructure.
“We work to actively prevent cyber attacks, minimise damage, and respond to malicious cyber activity directed against our national interests. We deny and deter, while balancing the risk of escalation,” the strategy states in its only use of bold typeface.
“Our actions are lawful and aligned with the values we seek to uphold, and will therefore be proportionate, always contextual, and collaborative.
“We can choose not to respond.”
As well as allowing it to attack networks, the new powers would also help the private sector recover from an attack.
“The nature of this assistance will depend on the circumstances, but could include expert advice [and] direct assistance or the use of classified tools. This will reduce the potential down-time of essential services and the impact of cyber attacks on Australians,” the strategy states.
The government intends to spend AU$62.3 million on a “classified national situational awareness capability” that would allow the government to “understand and respond” to threats on critical infrastructure and high priority networks.
“This will be complemented by increased incident reporting and near-real-time threat information from the most essential pieces of infrastructure as part of future regulatory requirements,” it said.
“To make use of all sources of threat information, the Australian government will deliver an enhanced threat-sharing platform, enabling critical infrastructure operators to share intelligence about malicious cyber activity with government and other providers at machine speed, and block emerging threats as they occur.”
An enforceable “positive security obligation” will be imposed on designated critical infrastructure operators through amendments to the Security of Critical Infrastructure Act 2018.
The government said it would also ensure Australia is not a soft target and continue to publicly call out countries when it is in the nation’s interest. The government would also hand law enforcement powers to target “criminal activity on the dark web”.
“The Australian government will confront illegal activity, including by using our offensive cyber capabilities against offshore criminals, consistent with international law,” it said. “The Australian government will continue to strengthen the defences of its networks, including against threats from sophisticated nation states and state-sponsored actors.”
Continuing to paint encryption as a tool used by criminals, the strategy said the government would “ensure” law enforcement has powers to tackle cyber crime.
“If our law enforcement agencies are to remain effective in reducing cyber crime, their ability to tackle the volume and anonymity enabled by the dark web and encryption technologies must be enhanced,” it said.
The government has also reversed its stance on leaving government departments responsible for their own cybersecurity, and will instead centralise the management and operations of Commonwealth networks.
“Centralisation could reduce the number of targets available to hostile actors such as nation states or state-sponsored adversaries, and allow the Australian government to focus its cyber security investment on a smaller number of more secure networks,” the strategy said.
“A centralised model will be designed to promote innovation and agility while still achieving economies of scale.”
The government also said it would work to get agencies to implement the Essential Eight mitigation strategies.
For businesses, the government will introduce a voluntary code of practice for internet-connected devices, as well as getting larger businesses to support smaller ones, as outlined in the industry advisory panel paper released last month.
“The Australian government will work with large businesses and service providers to provide SMEs with cybersecurity information and tools as part of ‘bundles’ of secure services (such as threat blocking, antivirus, and cybersecurity awareness training),” it states.
“Integrating cybersecurity products into other service offerings will help protect SMEs at scale and recognises that many businesses cannot employ dedicated cybersecurity staff.”
Should the code of practice fail to “drive change”, the government said it would look at implementing additional steps and also look to draw up a set of supply chain principles.
Per its recommendations, the industry advisory panel will also be morphing into a standing advisory committee.
In June, Australian Prime Minister Scott Morrison stated the country was under cyber attack from a state-based actor, widely tipped to be China.
“The Australian government knows it was a sophisticated state-based cyber actor because of the scale and nature of the targeting and the tradecraft used,” the strategy said on the attack.
The strategy also revealed that the Australian Signals Directorate will be used to target COVID-themed phishers, taking down their systems and “blocking their access to stolen information”.
Last month, the government announced the Cyber Enhanced Situational Awareness and Response (CESAR) package which would spend AU$1.35 billion over a decade on the nation’s security agencies. Around AU$470 million will be used to create 500 cyber-related jobs within the Australian Signals Directorate.
Beyond CESAR, the strategy put forward another AU$320 million in funding.
The strategy also introduced new cyber analogies.
“Cybersecurity allows families and businesses to prosper from the digital economy, just as pool fences provide peace of mind for households,” it said.