Industry Advisory Panel Report - Australia's 2020 Cyber Security Strategy - Home Affairs
© Commonwealth of Australia 2020

With the exception of the Commonwealth Coat of Arms, all material presented in this publication is provided under a Creative Commons Attribution 4.0 International license at: https://creativecommons.org/licenses/by/4.0/legalcode. This means this license only applies to material as set out in this document. The details of the relevant license conditions are available on the Creative Commons website at: https://creativecommons.org/ as is the full legal code for the CC BY 4.0 license at https://creativecommons.org/licenses/by/4.0/legalcode.

Contact us

Enquiries regarding the licence and any use of this document are welcome at:
Cyber, Digital and Technology Policy Division
Department of Home Affairs
4 National Circuit
Barton ACT 2600
cybersecuritystrategy@homeaffairs.gov.au

P - 20-02329
Table of Contents

Executive Summary 4
List of Recommendations 9
Process 15
Our vision, framework and recommended outcomes 18
Issues and Conclusions 24
Appendix 1: Industry Advisory Panel Terms of Reference 46
Appendix 2: About the Panel 48
Appendix 3: Problem Statements 50
Executive Summary

Technology now sits at the very heart of the lives of most Australians and increasingly shapes our economy, our society and our future. It is fast changing how we live, learn and work as well as creating incredible new opportunities, efficiencies and benefits - from remote working to digitised supply chains, from tele-health to e-commerce. The Federal Government is clear-eyed about the opportunities:

“Our Government’s goal is for Australia to be a leading digital economy by 2030. Our degree of success will be critical to income growth and job creation over the next decade and beyond. Our extensive policy agenda encompasses digital access, connectivity, consumer data and competition policy, government service delivery and skills development, trade and global e-commerce governance, as well as the necessary focus on security and privacy concerns.”

Prime Minister Scott Morrison, BCA annual dinner keynote, 21 November 2019

The scope and timing of that ambition is well placed. As we enter the 2020s the world is on the exciting cusp of a fourth industrial revolution driven by connectivity and digital technologies. Artificial intelligence, sensors, autonomous machines and systems, edge compute, augmented reality and 5G will combine to create incredible new products and services, infuse the physical world with digital, revolutionise business operations, elevate human work, and serve customers and citizens in many new ways.

All of this was true before the emergence of the COVID pandemic which has only further underlined the importance of the digital economy in Australia. In responding to COVID, mandatory social distancing and self-isolation means healthcare, education, work and commerce and even staying in touch with friends and family are largely being done online. Looking beyond this crisis, technology and our ability and willingness to embrace the digital world has now emerged as central to a rapid economic recovery.

With so much at stake, robust and effective cyber security has never been more important and the 2020 Cyber Security Strategy Industry Advisory Panel welcomed the opportunity to contribute to that outcome.

The Panel were engaged in late 2019 at a time when the Federal Government were reviewing the progress of the landmark 2016 Cyber Security Strategy. This work led to the establishment of the Joint Cyber Security Centres, creation of cyber.gov.au as a one-stop-shop for cyber security advice and the establishment of key leadership positions including the Ambassador for Cyber Affairs. Despite these achievements the Government acknowledged that significant and ongoing changes in the scope, scale and sophistication of cyber threats required an evolution in our approach to cyber security as a nation.

Minister for Home Affairs, Peter Dutton, has described how meeting the evolving cyber challenge is key to Australia’s economic prosperity and national security. In September 2019 he said:

“Cyber security has never been more important to Australia’s economic prosperity and national security. In 2016, the Australian Government delivered its landmark Cyber Security Strategy, which invested $230 million to foster a safer internet for all Australians. Despite making strong progress against the goals set in 2016, the threat environment has changed significantly and we need to adapt our approach to improve the security of business and the community.”

“Cyber criminals are more abundant and better resourced, state actors have become more sophisticated and emboldened, and more of our economy is connecting online. Cyber security incidents have been estimated to cost Australian businesses up to $29 billion per year and cybercrime affected almost one in three Australian adults in 2018.”

This escalation in malicious cyber activity has only increased during COVID as we have been forced to work, learn and connect from home, outside of some of our usual security frameworks. We are seeing malicious actors including criminals and state based actors exploiting this opportunity to their own advantage, to the significant risk and detriment of Australian citizens.

On 30 June 2020, Prime Minister Scott Morrison pointed to the urgency of the issue: “The Federal Government’s top priority is protecting our nation’s economy, national security and sovereignty. Malicious cyber activity undermines that.”

Australia’s ability to prosper as a digital economy can be enhanced if we increase our investment in our cyber defences. We must move to comprehensively protect ourselves and our businesses from cybercrime, protect our national infrastructure and improve the security of our institutions – including our democratic electoral processes, which have been the subject of malicious cyber-attack in other parts of the world. It is crucial we act quickly and decisively.

The 2020 Cyber Security Strategy Industry Advisory Panel was formed in November 2019 and asked to provide advice from an industry perspective on best practices in cyber security and related fields; emerging cyber security trends and threats; key strategic priorities for the 2020 Cyber Security Strategy; significant obstacles and barriers for the delivery of the 2020 Cyber Security Strategy; and the effect of proposed initiatives on different elements of the economy, both domestic and international.

The Panel met 13 times between November 2019 and July 2020, including two meetings with Minister Dutton and formal briefings, including some classified, from the Department of Home Affairs, the Australian Signals Directorate, the Attorney-General’s Department, the Department of the Treasury, the Australian Competition and Consumer Commission, the then Department of Communications and the Arts, the eSafety Commissioner, the Australian Federal Police, the Australian Security Intelligence Organisation, the Cyber Security Cooperative Research Centre and AustCyber.

After broad consultation and careful deliberation, the 2020 Cyber Security Strategy Industry Advisory Panel has developed a series of recommendations that we believe strike the right balance between increasing our cyber defences, promoting the development of a digital economy and countering threats to our economy, safety, sovereignty and national security.

The Panel’s recommendations are structured around a framework with five key pillars:

— Deterrence: deterring malicious actors from targeting Australia.
— Prevention: preventing people and sectors in Australia from being compromised online.
— Detection: identifying and responding quickly to cyber security threats.
— Resilience: minimising the impact of cyber security incidents.
— Investment: investing in essential cyber security enablers.

On deterrence, we recommend that the Government establish clear consequences for those targeting Australia and people living in Australia. A key priority is increasing transparency on Government investigative activity with more frequent attribution and consequences applied where appropriate. Strengthening the Australian Cyber Security Centre’s ability to disrupt cyber criminals by targeting the proceeds of cybercrime derived both domestically and internationally is a priority.

On prevention, the recommendations include the pursuit of initiatives that make businesses and citizens in Australia harder to compromise online. This includes a clear definition for critical infrastructure and systems of national significance with a view to capturing all essential services and functions in the public and private sectors; consistent, principles-based regulatory requirements to implement reasonable protection against cyber threats for owners and operators of critical infrastructure and systems of national significance; measures to build trust in technology markets through transparency such as product labelling; and the extension of existing legislative and regulatory frameworks relevant in the physical world to the online world. Ultimately cybercrime is just crime, cyber espionage is just espionage and hacktivism is just activism online.

All levels of Government should take steps to better protect public sector networks from cyber security threats. Government agencies should be required to achieve the same or higher levels of protection as privately-owned critical infrastructure operators. Different levels of government should collaborate to share best practices and lessons learned. Ultimately Governments should be exemplars of cyber security best practice and Australian governments have some way to go in achieving this aspiration.

On detection, recommendations include that Government establish automated, real-time and bi-directional threat sharing mechanisms between industry and Government, beginning with critical infrastructure sectors. Government should also empower industry to automatically block a greater proportion of known cyber security threats in real-time including initiatives such as ‘cleaner pipes’.

On resilience, recommendations include the development of proactive mitigation strategies and strengthening of systems essential for end-to-end resilience. Government should strengthen the incident response and victim support options already in place. Speed is key when it comes to recovering from cyber incidents and Government should hold regular large scale and cross-sectoral cyber security incident response exercises to improve the readiness of interdependent critical infrastructure providers and government agencies.

Resilience includes both the ability to recover from a cyber-attack as well as the redundancy designed-in to systems and processes. In other words, a key factor influencing the ability to recover is the level of redundancy present in systems in the first place.

It is important to also call out that a number of recommendations to build resilience relate to the role of the individual, in particular around building cyber awareness. In this regard there is an important distinction between cyber security (which means protecting data and information networks and critical infrastructure functions) and cyber safety (which means protecting users from harmful online content). The fundamental ability to participate safely online is the difference between enjoying the internet’s abundant information resources and opportunities, and being a potential victim of a cybercrime.

On investment, recommendations support the ongoing development of highly specialised and effective capabilities exemplified by the Australian Cyber Security Centre and the state-based Joint Cyber Security Centres. This existing capability should be substantially increased and enhanced through significant investment and a more integrated governance structure that maintains an industry leadership role. It is going to be a critical enabler to the success of the 2020 Cyber Security Strategy.

The Panel is also of the view that it is important for Government and industry to continue to invest in cyber skills development and security risk management in Australia. Good enterprise security management includes all aspects of securing people, property and technology. This skills investment is recommended at both a professional and specialist skills level and also more broadly, and should include primary, secondary and tertiary courses (including programs that focus on all aspects of enterprise security risk management, particularly cyber skills uplift). Importantly many of these skills should be built as foundational requirements in science, maths, engineering and technology. Although the cyber skills and awareness of directors on the boards of Australia’s listed companies has been developed in recent years, there is opportunity for further development and support.

Within this framework of 60 recommendations sit 25 high priority and 35 other recommendations that address the full spectrum of cyber security threats – from the ‘routine’ threats that target vulnerable people in Australia every day to sophisticated ‘state actor’ cyber-attacks that threaten our economy, safety, sovereignty and national security. The Panel recommends that threats to critical infrastructure, digital supply chains and systems of national significance should be addressed first.

State, territory and local governments should also be considered key implementation partners for all elements of the Strategy. We encourage the Australian Government to establish formal mechanisms to ensure ongoing engagement with all levels of government.

Clear roles and responsibilities

Cyber threats continue to shift and evolve and, as the threats evolve, so must our response. The recommendations we propose are built around creating robust and adaptable defences as threats emerge and technologies and opportunities change.

It is important to recognise that effective cyber defences involve more than just investment dollars. Our report highlights that an effective response includes fundamentally organising and governing differently to ensure more efficient and effective use of resources and aligning cyber security imperatives across Australia. This requires clearly defined roles, responsibilities and authorities to be established and the Federal Government’s role in leading and coordinating the national effort is therefore critical. Ultimately the Government is in a unique position with access to information and tools which mean that in particular circumstances it is the appropriate party to lead our cyber defence. This is not only about the Federal Government but effective coordination with other tiers of Government. Government also plays an important role partnering with industry, as well as broadening community awareness and skills in adequately addressing cyber issues.

If Australia’s cyber security is well organised and well governed then the application of all resources - public, private, people, infrastructure and capital investment – will achieve far more efficient and effective results. This was an important learning from the 2016 Cyber Strategy.

The only way to look at cyber security is as a team. Large enterprises, small and medium businesses and Government all have shared platforms, common customers, and all are the target of attacks. We all therefore play a role, and share an accountability, in keeping all Australians safe.

Implementation

The 2020 Strategy will be largely measured based on how well it is implemented and whether it meets or exceeds objective and bold metrics. During consultation, some stakeholders viewed implementation of the 2016 Cyber Security Strategy as being limited by regular changes in governance arrangements, lack of clarity about the roles of different government departments and inconsistent public communication. We encourage the Government to create strong governance and evaluation mechanisms around the 2020 Strategy. Data collection and evaluation, based on a maturity framework, should be afforded a high priority.

A standing industry advisory panel could be established to advise the Minister for Home Affairs on cyber security matters and implementation of the 2020 Strategy on an ongoing basis strengthening the important link between Government and industry. Such a panel should have appropriate representation from across business, academia and the community.

State and territory governments should be closely involved in implementation of the Strategy. It would be appropriate for state and territories to be represented on the public service committee responsible for implementing the Strategy.

The Chair of the Panel, Andy Penn, describes the opportunity and the challenge ahead:

“The beginning of the 2020s has been marked by a period of profound disruption for Australia with the devastating bushfires and the COVID virus. At the same time and as we progress further into the decade we will also experience an extraordinary new era of technology innovation. As an optimist I am convinced we will adapt and technology will help to solve some of society’s biggest challenges and realise some of its biggest opportunities. But at the same time, this period of working and studying from home and the accelerated trend to a digital economy are exposing us to a more vulnerable environment of cyber threats. We are seeing increased levels of malicious cyber activity both state based and criminal. Successfully meeting this challenge requires upgrading Australia’s cyber defences to be strong, adaptive and built around a strategic framework that is coordinated, integrated and capable. The 2020 Cyber Security Strategy has an opportunity to be all of those things and provide an enormous – and never more important - contribution to a safer, more prosperous Australia.”

The Panel appreciate the opportunity to have worked with the Australian Government to build Australia’s cyber defences through the 2020 Cyber Security Strategy and look forward to the key initiatives emanating from this work - they could not arrive at a more important time.

Never a more important time

The Australian Government deserves real credit for the leadership it has shown on cyber security, including through the development of Australia’s 2020 Cyber Security Strategy and the announcement of a $1.35 billion investment (Cyber Enhanced Situational Awareness and Response package) over the next 10 years which will support a number of the key recommendations set out in this report. With robust cyber security critical for our economic prosperity, international competitiveness and national security, this work will only become more important as Australia continues to digitise in the future.
List of Recommendations Objective 1: There are 5 Work with industry to better inform threat visibility and Government attribution clear consequences for activities where appropriate. targeting Australians 6 The Australian Government should openly describe and advocate the actions it In considering how Australia can increase may take in response to a serious cyber the consequences of malicious cyber activity security incident to deter malicious cyber for nation states and cyber criminals, the actors from targeting Australia. 2020 Cyber Security Strategy should as an immediate priority: 7 Promote international law and continue to embed norms of responsible state 1 Target the growing volume of cybercrime behaviour online, in particular those by increasing operational-level that relate to the protection of critical cooperation with states, territories, and infrastructure serving the public and international partners leveraging the deterring malicious cyber activity Australian Cyber Security Centre and including intellectual property theft and Joint Cyber Security Centres. ransomware attacks. 2 Increase the Australian Cyber Security Centre’s ability to disrupt cyber criminals on the Dark Web and to target the proceeds of cybercrime. 3 Leverage existing cybercrime awareness raising campaigns to better inform businesses and individuals about new and emerging cybercrime threats to them. 4 Hold malicious actors accountable via enhanced law enforcement, diplomatic means, and economic sanctions or otherwise as appropriate. Industry Advisory Panel Report 9
Objective 2: Cyber Objective 3: Australians risks are owned by practise safe those best placed to behaviours at manage them home and at work In considering how Australia can improve In considering how Australia can reduce cyber security risk management across the human risk factors in cyber security, economy and for critical infrastructure, the 2020 Cyber Security Strategy should the 2020 Cyber Security Strategy should as an immediate priority: as an immediate priority: 12 Unify all Government messaging on online 8 Review the Australian Government’s safety and cyber security awareness definition for critical infrastructure with raising, noting that existing campaigns a view to capturing all essential systems run by different Government agencies and functions in the public and private share a common audience who do not sectors and supply chains, including distinguish between different online digital infrastructure such as data centres, issues. Government should speak with that address all systems of national one voice. Campaigns should be age significance. and sector appropriate. 9 Introduce consistent, principles-based 13 Increase assistance to small and medium requirements to implement reasonable businesses and the community through protection against cyber threats (where cyber security toolkits, trusted advice and needed) for owners and operators practical assistance. of critical infrastructure (regardless of whether owned or operated by Government or private), with We further recommend that the 2020 measurement based on a fit-for-purpose Cyber Security Strategy should: cyber maturity-based framework. 14 Partner with industry to increase the In alignment with international best scale, reach and impact/effectiveness practice, this should leverage rather than of cyber security awareness raising duplicate existing sectoral regulations campaigns, including through co-design and minimise regulatory burden. and co-funding where appropriate. 
15 Incentivise large businesses to provide We further recommend that the 2020 cyber security support to small and Cyber Security Strategy should: medium businesses in their supply chain and customer base. 10 Review Australia’s legislative environment for cyber security to ensure that suppliers of digital products and services have appropriate obligations to protect their customers. 11 Strongly encourage major vendors to sign-up to a voluntary ‘secure by design’ charter to leverage international best practice. 10 Australia’s 2020 Cyber Security Strategy
Objective 4: Objective 5: Trusted Government is a cyber goods, services and security exemplar supply chains In considering how the Australian Government In considering how Australia can encourage the can improve trust in the cyber security of its own development of a digital technology market systems and networks, the 2020 Cyber Security where security is built-in across the supply Strategy should as an immediate priority: chain, the 2020 Cyber Security Strategy should as an immediate priority: 16 Make Australian governments exemplars of enterprise security risk management, 23 Increase investment in cyber security including cyber security, physical security research and development, including and personnel security. basic sciences, and coordinate state and territory-led research and development 17. Require Government agencies providing at the national level. This will enable essential services to meet the same cyber Government to maximise economic security standards as privately owned opportunities and drive national security critical infrastructure, with increased outcomes. accountability and oversight. 24 Work with industry to increase Australia’s 18 Prioritise the decommissioning or role in shaping international cyber hardening of vulnerable legacy systems as security standards. part of an accelerated shift towards secure cloud based services. 25 Work with industry and likeminded nations to encourage diversity, transparency and competition in digital We further recommend that the 2020 supply chains. Cyber Security Strategy should: 19 Better coordinate digital procurement We further recommend that the 2020 decisions across Government, with a view Cyber Security Strategy should: to negotiating best practice outcomes and where appropriate cost savings with 26 Develop a program to identify and common vendors. 
assess emerging threats and emerging technologies that could introduce new 20 Leverage Government procurement vulnerabilities leveraging Australia’s processes to improve cyber security global leadership in policy development through purchasing products and services related to cyber risks. The CSIRO and with higher standards. Defence Science and Technology are two 21 Require larger, more capable Government existing national agencies that could be departments to provide cyber security leveraged to support the development of services to smaller agencies on a basis this program. that is uniform, consistent and risk based. 27 Obtain industry consensus around 22 Fund the Australian Cyber Security Centre what cyber security standards should (ACSC) to continue its rolling program be used in Australia and accelerate the of cyber security improvements (but not adoption of these standards to ensure audits) for other Australian Government digital products and services are ‘secure agencies. Given the ACSC essentially by design’. provides a second line of defence role in 28 Require increased recognition and risk management terminology, audit should adoption of specific cyber security be undertaken by a separate agency. standards in Australia. Industry Advisory Panel Report 11
29 Implement a dynamic accreditation 35. Consider the development of ‘safe or mandatory cyber security labelling harbour’ legislative provisions that give scheme so that consumers can make industry certainty about the information informed choices about their own cyber it can voluntarily share with other security (recognising that accreditations organisations to prevent or respond to and product labelling will need to take cyber security threats. account of changes in technology). 36. Resume the publication of annual reports 30 Work with the emerging cyber insurance on the state of cyber security threats industry to improve access to reliable to Australia. actuarial data and develop best practice approaches to nudging the cyber security hygiene of policy holders. Objective 7: Effective 31 Build transparency into critical and incident response emerging technology supply chains to options and victim enable consumers to trust the cyber security of their devices. support 32 Consider mandatory requirements In considering how Government and industry or certification of supply chains for can create and sustain a high level of software and hardware supporting preparedness for incidents and improve critical infrastructure. support to victims, the 2020 Cyber Security Strategy should as an immediate priority: Objective 6: 37 Map in partnership with industry, the resilience of critical infrastructure Comprehensive networks, with a view to increasing situational awareness maturity levels over time. enables action 38 Identify and assess in partnership with industry interdependencies, single points In considering how the Government and of failure and consolidation risk to enable industry can improve the timeliness and better understanding of cyber risk. 
quality of threat information sharing to 39 Work with industry to agree a unique better anticipate and respond to threats, set of circumstances in relation to the 2020 Cyber Security Strategy should critical infrastructure and systems of as an immediate priority: national significance where it would be 33 Establish automated, real-time necessary for Government to provide and bi-directional threat sharing reasonable assistance to Australian mechanisms between Government businesses during a cyber security and industry, beginning with critical emergency, and define suitable oversight infrastructure sectors. and thresholds for action. 40 Provide additional funding to We further recommend that the 2020 Cyber not-for-profit organisations that support Security Strategy should: victims of cybercrime and communicate their role and existence to the community. 34 Empower industry to automatically block a greater proportion of known cyber security threats in real-time, including by providing legislative certainty. 12 Australia’s 2020 Cyber Security Strategy
We further recommend that the 2020 Cyber 46 Dedicate additional JCSC resources to Security Strategy should: engage with local governments. 41 Hold a large scale and cross-sectoral cyber security incident response exercise Enabler 2: Cyber at least every two years to improve national coordination and incident security skills response readiness of interdependent In considering how Government, industry critical infrastructure providers and and academia improve risk postures by government agencies. Exercises should strengthening the pipeline of skilled cyber include links to international activities security professionals, the 2020 Cyber Security where appropriate. Strategy should: 42. Include industry in Australia’s formal 47 Position the Australian Government to take incident response plans by amending the a national leadership role in addressing national Cyber Incident Management Australia’s cyber security skills shortage. Arrangements. 48 Work with professional bodies and academia to include cyber security Enabler 1: The Australian education in adjunct technical fields such as engineering and data science Signals Directorate’s and extend cyber skills training to Joint Cyber Security company directors. Centres (JCSCs) 49 Consider creating an internationally aligned accreditation scheme to recognise Recognising the JCSCs are the local offices of the the skills, experience and qualifications Australian Cyber Security Centre, the 2020 Cyber of cyber security professionals in both Security Strategy should as an immediate priority: technical and management roles. This 43 Establish a national board chaired by should including mapping the equivalency ASD (with industry co-chair) and including of existing qualifications. industry representation to strengthen the 50 Adopt a national framework that defines strategic leadership of the Joint Cyber the roles that make up the cyber security Security Centres, underpinned by a profession. 
Use this framework to develop charter outlining the JCSCs’ scope and a national workforce planning program for deliverables. the cyber security profession. 44 Fund ASD to provide enhanced technical 51 Consider additional incentives to attract and consulting cyber services to industry and retain Government cyber security through the JCSC Program, including a specialists. greater focus on information sharing. 52 Strengthen voluntary professional accreditation of university cyber security We further recommend that the 2020 Cyber courses, to provide greater assurance to Security Strategy should: students and employers that courses are meeting contemporary industry demands. 45 Create a staff exchange program between the ACSC, academia and industry to 53 Develop targeted cyber security programs enable cross-sectoral collaboration in primary and high school to inspire and information sharing. The CSIRO and young people to take up a career in Defence Science and Technology could cyber security, and build foundational be leveraged to support the engagement skills in science, maths, engineering and between academia and industry. technology. Industry Advisory Panel Report 13
54 Undertake a regular survey across Government and business to better understand the size of the cyber security skills shortage in Australia and evaluate new programs under the 2020 Cyber Security Strategy.

Enabler 3: Intelligence and Assessment

The Panel recognises the importance of intelligence-led efforts to combat malicious cyber activity and acknowledges that this is primarily a matter for Government. The Panel is of the view that successful implementation of the recommendations above relating to Objective 1 (Clear consequences for targeting Australia and Australians), Objective 6 (Comprehensive situational awareness enables action) and Enabler 1 (The Australian Signals Directorate’s Joint Cyber Security Centres) will support Government to enhance the delivery of this enabler.

The Panel encourages the Government to be open and transparent about its knowledge of the threat environment wherever possible, including by declassifying information when appropriate, increasing proactive cyber threat briefings to security cleared industry personnel with a need to know, and sponsoring greater numbers of industry representatives to obtain security clearances.

Enabler 4: Governance

In considering how Government should manage implementation of the Strategy, including oversight arrangements, ongoing industry consultation and reporting mechanisms, the 2020 Cyber Security Strategy should as an immediate priority:

55 Include state and territory Governments in development, implementation and monitoring of all relevant initiatives under the 2020 Cyber Security Strategy.

We further recommend that the 2020 Cyber Security Strategy should:

56 Appoint an industry advisory panel to advise the Government on cyber security on an ongoing basis, including on the implementation of the 2020 Cyber Security Strategy. The panel should work with the accountable Government agency or department responsible for implementing the Strategy, while reporting to the Minister for Home Affairs.

57 Task the industry advisory panel to publish an annual progress report on implementation of the 2020 Cyber Security Strategy and emerging cyber security threats and priorities for Australia from an industry perspective.

Enabler 5: Evidence and Evaluation

In considering the best practice approaches to evidence collection and evaluation that can inform implementation of the Strategy and future policy making, the 2020 Cyber Security Strategy should:

58 Adopt a maturity model approach to evidence and evaluation.

59 Invest in improved data collection, research and analysis to underpin evaluation of the performance against the metrics of the 2020 Cyber Security Strategy. This should include periodic surveys of the cyber security maturity of public and private sector organisations.

60 Publish regular updates on implementation of the 2020 Cyber Security Strategy and periodically review and refresh the Strategy every 2 or 4 years.

14 Australia’s 2020 Cyber Security Strategy
Process

On 6 September 2019, the Australian Government announced that it would develop a 2020 Cyber Security Strategy as part of its commitment to protect Australians from cyber security threats.

On 25 November 2019, the Minister for Home Affairs announced the establishment of the Industry Advisory Panel to provide strategic advice to support the development of Australia’s 2020 Cyber Security Strategy.

The role of the Panel was advisory only and comprised:
— Mr Andrew Penn, CEO and Managing Director, Telstra (Chair);
— Secretary Kirstjen Nielsen, former US Secretary of Homeland Security (appointed 18 December 2019 to provide the Panel with international expertise and perspectives);
— Mr Robert Mansfield AO, Chair of Vocus Group;
— Ms Robyn Denholm, Chair of Tesla;
— Mr Chris Deeble AO CSC, Chief Executive of Northrop Grumman Australia; and
— Mr Darren Kane, Chief Security Officer, NBN Co.

Further details on the Panel members are at Appendix 2.

The Panel’s Terms of Reference are at Appendix 1. The Panel were advised that the 2020 Cyber Security Strategy will seek to:
— protect and secure nationally significant infrastructure, systems and data;
— ensure cyber-risk is managed appropriately in the economy and community;
— improve assistance and support to individuals, families and small businesses;
— build a mature and trusted domestic market for secure technologies, products, services and professionals;
— create new ways for businesses and individuals to prosper in the digital age; and
— strengthen our cyber security capability.

The Panel were asked to provide advice on:
— best practices in cyber security and related fields;
— emerging cyber security trends and threats;
— key strategic priorities for the 2020 Cyber Security Strategy;
— significant obstacles and barriers for the delivery of the 2020 Cyber Security Strategy; and
— the effect of proposed initiatives on different elements of the economy, both domestic and international.
The Panel met 13 times between November 2019 and July 2020, which included two meetings with the Minister. The Panel structured its deliberations around 12 problem statements prepared by the secretariat (at Appendix 3) that reflected the key themes that stakeholders raised during the public consultation process.

The Panel received formal briefings from the Department of Home Affairs, the Australian Signals Directorate, the Attorney-General’s Department, the Department of the Treasury, the Australian Competition and Consumer Commission, the then Department of Communications and the Arts, the eSafety Commissioner, the Australian Federal Police, and the Australian Security Intelligence Organisation.

The Department of Home Affairs provided a secretariat function for the Panel.

Stakeholder engagement

The Panel’s deliberations were informed by two rounds of stakeholder consultation conducted by the Department of Home Affairs between September 2019 and February 2020. The Panel also independently consulted senior leaders in small, medium and large businesses, government, peak industry groups, and other interested stakeholders.

A public discussion paper posted to the Department of Home Affairs website on 6 September 2019 was downloaded more than 2,500 times while submissions were open. Home Affairs received a total of 215 submissions, 156 of which were public and made available to the Panel. The remainder were confidential and were not provided to the Panel. A wide range of stakeholders made submissions, including cyber security companies; critical infrastructure providers; small, medium and large businesses; state, territory and local governments; legal experts; consumer and other advocacy groups; and academia (see Figure 1 below).
Figure 1: Written submissions by sector
— Academia, Research and Development (42)
— Individual (30)
— Technology (28)
— Cyber Security (25)
— Government (20)
— Not For Profit (17)
— Professional Services (16)
— Finance (11)
— Energy (8)
— Legal (5)
— Telecommunications (5)
— Transport (3)
— General Business and Retail (2)
— Water (2)
— Mining (1)
More than 1,400 people took part in consultation events held by Home Affairs in each state and territory. These included 19 open forums, six critical infrastructure roundtables, meetings with the industry leadership of the Joint Cyber Security Centres, roundtables with state and territory governments, and over 50 bilateral meetings. Home Affairs also held a range of dedicated forums with small businesses, large technology companies, academia, local governments and the defence industry.

Further information on the consultation process is available from: www.homeaffairs.gov.au/cybersecurity

Current threat environment

The Australian Signals Directorate provided the Panel with regular updates on the threat environment. Malicious cyber activity against Australia is increasing in frequency, scale and sophistication, with cyber adversaries constantly developing their tools and tradecraft to circumvent the ability of organisations, including governments, to detect and defend against sophisticated cyber threats.

Australia continues to be a target of persistent and targeted cyber espionage, and the number of states who have acquired or are acquiring cyber espionage capabilities is increasing. Over the past 12 months, the Australian Cyber Security Centre (ACSC) has responded to activity against all levels of government, industry, health, businesses and the academic sector.

Sophisticated state-based actors seek to compromise networks to obtain economic, foreign policy, health, defence and security information for strategic or economic advantage. These actors are typically the most sophisticated and persistent form of adversary, posing a significant threat to Australia’s economy, safety, sovereignty and national security.

While Advanced Persistent Threats can use very sophisticated tools and tradecraft against well secured targets, they more often than not use basic tradecraft – like sending a phishing email – because basic techniques still deliver results. Many successful compromises continue to occur through the use of publicly available tools targeting known vulnerabilities which have not been patched or otherwise mitigated by the victim.

Cybercrime is also a pervasive and endemic threat and the most significant threat in terms of overall volume, costing Australians and Australian businesses billions of dollars each year. Cybercriminals have proven themselves to be flexible and inventive, and as the complexity, sophistication and impact of cybercrime continues to evolve, cybercrime activity is likely to increase.

Of particular concern are transnational cybercrime syndicates and their affiliates, who develop, share, sell and use increasingly sophisticated tools and techniques. There’s a booming underground marketplace offering cybercrime-as-a-service, or access to high-end hacking tools that were once only available to nation states.

Cybercriminals operate at scale with the principle of quantity over quality. They usually target individuals and organisations by exploiting particular technological vulnerabilities. The ACSC expects to see more business email compromises, cryptocurrency mining, credential harvesting and ransomware. Ransomware is a particularly grave threat because it disrupts the operations of businesses and governments by encrypting files and demanding a ransom for their return. Recovering from such incidents is almost impossible without comprehensive backups.
Our vision, framework and recommended outcomes

The Panel shares the view that the Minister for Home Affairs expressed at the first meeting of the Panel on 25 November 2019: there is an urgent need for Australia to step up its cyber defences. A changing threat environment and the evolving nature of technology means that there has never been a more important time for Government and industry to work together to strengthen Australia’s cyber security settings. We need to address both highly sophisticated threats targeting critical networks and lower sophistication activities targeting vulnerable groups such as small businesses and families.

Internet connected devices deliver our power and water, help transport people and goods, process our personal information, predict which crops will succeed, monitor our health, help our children learn, and keep us entertained and informed. We are now reliant more than ever on the internet to work and study from home and make meaningful social connections. Unfortunately, many malicious actors have sought to exploit reliance on the internet for their own financial and strategic benefit.

The briefings we received from Australia’s national security and law enforcement agencies made it clear that Australia faces growth in malicious cybercrime. One in three Australian adults has been a victim of cybercrime, such as fraud, identity theft and malware.1

Rates of cybercrime are growing because it is cheap and easy, relative to the potential gains. We now find ourselves in a world where many of the consequences of cyber risk are shouldered by those in our community that are the least well equipped to deal with them.

Improving cyber security at the personal, commercial and national level is a complicated task. Technological advancement is now so rapid that it is almost impossible to forecast what the cyber landscape will look like in the coming years, let alone the coming decades.

Cyber threats are a global problem and we are connected, politically and technologically, to the actions of the rest of the world. At the same time, global supply chains for key strategic technologies such as 5G are becoming concentrated and dominated by a small number of global players and producers. Focus on technology supply chain diversification and R&D should be a key aim for government, in partnership with industry.

1 Norton 2019, Norton LifeLock Cyber Security Insights Report 2018 – Australia
Our vision

The Panel developed a vision that guided it during its deliberations - strong cyber security enables Australians to prosper. In preparing its framework, suggested outcomes and recommendations, the Panel has endeavoured to strike the balance through this vision between realising the opportunities that a cyber safe and secure economy presents Australia, and countering threats to our economy, safety, sovereignty and national security.

Our framework

Our recommended framework for the 2020 Cyber Security Strategy is illustrated at Figure 2. We intend this framework to be relevant to the full spectrum of cyber security threats – from the ‘routine’ threats that target vulnerable people in Australia every day, to sophisticated threats that threaten our economy, safety, sovereignty and national security.

Figure 2: 2020 Cyber Security Framework
[Figure: a ring of the five outcomes, Deterrence, Prevention, Detection, Resilience and Investment, surrounding the vision “Strong cyber security enables Australians to prosper”, with seven objectives arranged around it:]
— Australians practice safe behaviours at home and at work
— Government is a cyber security exemplar
— Cyber risks are owned by those best placed to manage them
— Trusted goods, services and supply chains
— There are clear consequences for targeting Australians
— Comprehensive situational awareness enables action
— Effective response options and victim support
Outcomes

Our recommended outcomes for the Strategy are:
— Deterrence - deterring malicious actors from targeting Australia.
— Prevention - preventing people and sectors in Australia from being compromised online.
— Detection - identifying and responding quickly to cyber security threats.
— Resilience - minimising the impact of cyber security incidents.
— Investment - investing in essential cyber security enablers.

These outcomes broadly align with well-known technical models for cyber security and should be intuitive for many cyber security practitioners. The recommended outcomes also have the advantage of being conceptually comprehensive and enduring, allowing the Strategy to adapt to an evolving threat environment.

Objectives

We recommend the Government adopt the following objectives as measurable steps towards achieving the proposed outcomes. These objectives are based on the key themes of stakeholder feedback under each outcome.

For deterrence:
1 There should be clear consequences for targeting Australians.

For prevention:
2 Cyber risks should be owned by those best placed to manage them.
3 Australians should practice safe behaviours at home and at work.
4 Government should be a cyber security exemplar.
5 Australians should have access to trusted goods, services and supply chains.

For detection:
6 Comprehensive situation awareness should enable action in response to threats.

For resilience:
7 Australia should have access to effective response options and victim support.

For investment:
8 Government and industry to mature their collaboration through the Australian Signals Directorate’s Joint Cyber Security Centres.
9 The pipeline of skilled cyber security professionals should be strengthened and investment made to uplift cyber skills in Australia.
10 Government to increase investment in intelligence-led efforts and openly share threat information with industry.
11 Government is encouraged to appoint an external advisory panel to review the implementation of the Strategy led by the accountable Government agency or department.
12 The implementation of the Strategy should be based on a maturity framework that assesses performance against objective and bold metrics.

Roles and Responsibilities

The Panel recommends that the 2020 Cyber Security Strategy clarifies roles for Government, industry and individuals in the community as illustrated at Figure 3.

The Government’s primary role should be to strategically manage the highest consequence threats and sophisticated attacks to Australia using its unique tools and capabilities with a focus on critical national infrastructure. The Panel considers that Government also has an opportunity to be an exemplar of cyber security best practice for the private sector by strengthening the defences of its own systems by meeting the same cyber security best practice expectations as critical infrastructure owners and operators.

In relation to critical infrastructure and systems of national significance, Government has a dual role to govern and lead best practice management of risks and vulnerabilities of this network, as well as operating part of it. This requires an urgent maturity based assessment of the security preparedness of each element of the network (including Government) and then focusing initiatives to lift the most vulnerable components. This also requires Government to seize the opportunity to elevate the security of its own systems.

Government is taking significant steps towards meeting its aspiration for Australia to be a leading digital economy by 2030. This has been demonstrated through the initiatives delivered by Services Australia through the Digital Transformation Strategy and more recently with the digital capabilities that were promptly deployed to support businesses and people in Australia impacted by COVID-19 restrictions. The Panel supports the Government’s goal of making all of its services available digitally by 2025, and demonstrated cyber security best practice will be key to building trust with the community to utilise these digital capabilities.

As Stuart Robert, Minister for Government Services, identified in his address to the Australian Information Industry Association on 29 November 2019, in “order to transform government service delivery, we must harness everything that technology and data has to offer for the benefit of all Australians”. Digital is more than just technology, it “is about applying the best processes, culture, business models as well as technologies to respond to people’s raised expectations”.

In line with the recent Thodey Review of the Australian Public Service, the Panel believes there is an opportunity to clarify accountabilities and improve consistency of decision-making on cyber security within Government. There are also opportunities for Government to play a more strategic role in improving real-time understanding of cyber security threats so that they can be acted upon by all participants in the cyber security ecosystem.

There is a need for Government and industry to focus on, and invest in, the development and maturity of the cyber security industry in Australia to leverage the potential of this growth industry.

Government is encouraged to increase its investment (and investment by industry) in cyber security research and development and support the ecosystem of cyber security business, particularly in the startup sector (such as further supporting the work of AustCyber, that was established in 2017 and funded by the Government pursuant to the 2016 Cyber Security Strategy as a key enabler for cyber security research and development, as well as innovation). Australia is unlikely to be able to address key supply chain risks, including concentration risk, alone but can play an important role in supporting primary research in key basic services and the cyber ecosystem more generally.

The primary role for industry should be to grow its cyber security capabilities so that it can better protect a larger number of businesses and households. Providers of digital products and services should be increasingly responsible for ensuring they are cyber safe and secure, protecting their customers from foreseeable cyber security harm and responsibly participating in a trusted cyber security marketplace.

Finally, the community should ultimately be responsible for keeping themselves safe online and making informed buying decisions, which means improving awareness and education of cyber safe behaviours and practice. To support this, Government should focus on awareness and training such as cyber security skills, including improving individual awareness of the importance of knowing the value of their own data, where it is and how it is protected.
Figure 3: Cyber Security Roles and Responsibilities
[Figure: three concentric roles, each with its responsibilities; ring labels recoverable from the figure: “Protect government systems and critical national infrastructure”, “Counter sophisticated threats”, “Proactive cyber security practices”, “Secure products and services”, “Protect customers from known threats and vulnerabilities”, “Educate the community to take personal responsibility”, “Make informed purchasing decisions”.]

GOVERNMENT: The Government should strengthen its own systems and protect society from the most sophisticated threats by focusing on critical national infrastructure and systems of national significance.

INDUSTRY: Large industry to small and medium enterprises providing digital products and services should ensure they are cyber safe and cyber secure, protecting their customers from vulnerabilities.

COMMUNITY: The community should practice safe online behaviours and make informed purchasing decisions, based on sound advice and education.

Our recommendations

The Panel has carefully considered the submissions to the Strategy and endeavoured to assimilate different stakeholder representations along with our own expertise, including in relation to technology, people and process elements of cyber security. The Panel also considered domestic and international impacts and risks of proposed initiatives.

Our recommendations are organised under the objectives of our proposed framework. When taken together, our recommendations are a road map to reshaping roles and responsibility in cyber security in Australia.
Implementation

As noted in the Executive Summary, the 2020 Strategy will be largely measured based on how well it is implemented and whether it meets or exceeds objective and bold metrics. The 2016 Cyber Security Strategy made significant achievements in key areas, but some stakeholders felt that its overall success was reduced by inconsistent implementation.

We encourage the Government to create strong governance and evaluation mechanisms around the 2020 Strategy. Data collection and evaluation, based on a maturity framework, should be afforded a high priority.

A standing industry advisory panel could be established to advise the Minister for Home Affairs on cyber security matters and implementation of the 2020 Strategy on an ongoing basis, strengthening the important link between Government and industry. At the very least a progress report should be provided to Cabinet on an annual basis.

State and territory governments should be closely involved in implementation of the Strategy.