Canberra is trying to recalibrate its cybersecurity strategy in the face of increased PRC hacking.
Australia has issued a new Cyber Security Strategy that replaces its 2016 strategy and proposes to change incrementally how the nation would approach cybersecurity and data protection, paired with more funding for these activities. Notably, the government of Prime Minister Scott Morrison seems to be proposing a set of binding cybersecurity standards on certain sectors of critical infrastructure and a program of offensive cyber operations as a means of fending off threats from malicious nation state and criminal actions. The government in Canberra is also floating a voluntary code of conduct for the manufacturers and developers of Internet of Things (IoT) devices and a rewrite of privacy and data protection laws. In preparation for this strategy, Australia released a call for views in September 2019 on a discussion paper and received more than 200 comments.
Cybersecurity has been much on the minds of the government in Australia. Last fall, the Australian government leaked word that People’s Republic of China (PRC) hackers had penetrated the Parliament’s systems in Canberra even though the Morrison government declined to publicly accuse the PRC. According to media accounts, the Australian Signals Directorate determined that the PRC’s Ministry of State Security attacked Australia’s Parliament and hacked into both parties. In June 2020, Morrison told reporters “Australian organizations are currently being targeted by a sophisticated state-based cyber actor.” He contended “[t]his activity is targeting Australian organizations across a range of sectors, including all levels of government, industry, political organizations, education, health, essential service providers and operators of other critical infrastructure.” In concert with Morrison’s statement, the Australian Cyber Security Centre (ACSC) and the Department of Home Affairs issued an advisory describing “the tactics, techniques and procedures (TTPs) identified during the ACSC’s investigation of a cyber campaign targeting Australian networks.” Some experts are saying it must be the PRC, especially after Canberra all but publicly named the PRC as the entity that hacked into Parliament.
The Department of Home Affairs (Department) stated that “[t]his Strategy will invest $1.67 billion AUD over 10 years to achieve our vision…[and] [t]his includes:
- Protecting and actively defending the critical infrastructure that all Australians rely on, including cyber security obligations for owners and operators.
- New ways to investigate and shut down cyber crime, including on the dark web.
- Stronger defences for Government networks and data.
- Greater collaboration to build Australia’s cyber skills pipeline.
- Increased situational awareness and improved sharing of threat information.
- Stronger partnerships with industry through the Joint Cyber Security Centre program.
- Advice for small and medium enterprises to increase their cyber resilience.
- Clear guidance for businesses and consumers about securing Internet of Things devices.
- 24/7 cyber security advice hotline for SMEs and families.
- Improved community awareness of cyber security threats.
The Department addressed encryption at a high level even though Australia’s 2018 legislation, the Telecommunications and Other Legislation Amendment (Assistance and Access) Act, creates the first process for potentially ordering technology companies to decrypt encrypted systems and communications. The Department continued to emphasize the threats created by criminals using encrypted communications, particularly in crimes against children or sex crimes. The Five Eyes nations have increasingly turned to this tactic, with the United States government hitting this theme hard whenever encryption policy is discussed. The Department claimed:
- Encryption is an important way of protecting consumer and business data, but the increasing use of the dark web and encryption technologies that allow people to remain anonymous online is challenging law enforcement agencies’ ability to protect our community. The dark web enables cyber criminals to broadcast child sexual exploitation and abuse, trade in stolen identities, traffic drugs and firearms, and plan terror attacks. These platforms make committing serious crimes at volume, and across borders, easier than ever before.
- The Telecommunications and Other Legislation Amendment (Assistance and Access) Act introduced in 2018 has helped Australia’s law enforcement and security agencies, working with industry, tackle online criminal and terrorist threats. Through this Strategy, the Australian Government will ensure law enforcement agencies have appropriate legislative powers and technical capabilities to deter, disrupt and defeat the criminal exploitation of anonymising technology and the dark web.
The Department explained generally the legislative changes that may result in greater regulation of certain critical infrastructure owners and operators:
The Australian Government will also work with businesses to consider legislative changes that set a minimum cyber security baseline across the economy. This consultation will consider multiple reform options, including:
- the role of privacy, consumer and data protection laws
- duties for company directors and other business entities
- obligations on manufacturers of internet connected devices.
This consultation will examine ways to simplify and reduce the cost of meeting any future minimum baseline.
The Department stated “Australia’s enhanced critical infrastructure security regulatory framework will clarify what infrastructure owners need to do to meet our minimum expectations of cyber security,” including:
- an enforceable positive security obligation for designated critical infrastructure entities;
- enhanced cyber security obligations for those entities most important to the nation
- Australian Government assistance for businesses in response to the most significant cyber attacks to Australian systems
- voluntary measures to strengthen engagement with businesses in relation to risk, and support an entity’s security uplift.
The Department added that “[t]his enhanced regulatory framework will be delivered through amendments to the Security of Critical Infrastructure Act 2018.”
As mentioned, the Department touched on how Canberra would address the cybersecurity of IoT:
- To support businesses in taking action to protect themselves and their customers, the Australian Government will release the voluntary Code of Practice: Securing the Internet of Things for Consumers, to inform businesses about the cyber security features expected of internet-connected devices available in Australia. The 13 principles in the voluntary Code of Practice will signal to manufacturers the importance of protecting consumers. Adoption of the Code of Practice, together with associated guidance material produced by the ACSC, will benefit Australians and SMEs by increasing the number of secure products available for purchase. The Australian Government will provide consumers with information about what to take into consideration when purchasing Internet of Things devices.
- Similar to steps taken in the United Kingdom, the Australian Government will co-design supply chain principles for decision makers and suppliers, to encourage security-by-design; transparency; and autonomy and integrity in investment, procurement and security. The Australian Government will build these principles into decision-making practices, supporting competition and diversity in the market.
- To keep guidance up to date as technology and threats continue to evolve, the Australian Government will continue to monitor and build on existing government initiatives that promote innovation in sovereign cyber security research and development. AustCyber is well placed to assure continued commercialisation and scaling of cyber security capabilities that support our nation’s needs.
The Department is accepting comment on its Protecting Critical Infrastructure and Systems of National Significance Consultation Paper and explained:
- We want to explore with you how Australia can position itself to meet cyber threats, now and into the future. In forming a view, we will need to consider whether responsibilities are appropriately assigned in keeping everyone safe. This will require a thoughtful discussion about how Government, businesses and individuals can share responsibility for cyber security in the future to get the best outcome for everyone.
- For the Strategy to be successful, we need to develop and deliver it in partnership with the Australian community. This discussion paper seeks views from all Australians about how to grow Australia’s cyber security and future prosperity. Cyber security affects us all and we are seeking views from small, medium and large businesses, industry bodies, academia, advocacy groups, not for profits, government agencies, community groups and members of the public. We have posed a series of questions you may wish to answer as you offer your thoughts.
- By working together, governments, academia, industry and the community can strengthen our nation’s cyber resilience across the economy to ensure we prosper as a nation and protect our interests online.
Last month, Australia’s 2020 Cyber Security Strategy Industry Advisory Panel issued its report and recommendations “to provide strategic advice to support the development of Australia’s 2020 Cyber Security Strategy.” The body was convened by the Minister for Home Affairs. The panel “recommendations are structured around a framework of five key pillars:
- Deterrence: The Government should establish clear consequences for those targeting businesses and Australians. A key priority is increasing transparency on Government investigative activity, more frequent attribution and consequences applied where appropriate, and strengthening the Australian Cyber Security Centre’s (ACSC’s) ability to disrupt cyber criminals by targeting the proceeds of cybercrime.
- Prevention: Prevention is vital and should include initiatives to help businesses and Australians remain safer online. Industry should increase its cyber security capabilities and be increasingly responsible for ensuring their digital products and services are cyber safe and secure, protecting their customers from foreseeable cyber security harm. While Australians have access to trusted goods and services, they also need to be supported with advice on how to practice safe behaviours at home and work. A clear definition is required for what constitutes critical infrastructure and systems of national significance across the public and private sectors. This should be developed with consistent, principles-based regulatory requirements to implement reasonable protection against cyber threats for both the public and private sectors.
- Detection: There is clear need for the development of a mechanism between industry and Government for real-time sharing of threat information, beginning with critical infrastructure operators. The Government should also empower industry to automatically detect and block a greater proportion of known cyber security threats in real-time including initiatives such as ‘cleaner pipes’.
- Resilience: We know malicious cyber activity is hitting Australians hard. The tactics and techniques used by malicious cyber actors are evolving so quickly that individuals, businesses and critical infrastructure operators in Australia are not fully able to protect themselves and their assets against every cyber security threat. As a result, it is recommended that the Government should strengthen the incident response and victim support options already in place. This should include conducting cyber security exercises in partnership with the private sector. Speed is key when it comes to recovering from cyber incidents, it is therefore proposed that critical infrastructure operators should collaborate more closely to increase preparedness for major cyber incidents.
- Investment: The Joint Cyber Security Centre (JCSC) program is a highly valuable asset to form a key delivery mechanism for the initiatives under the 2020 Cyber Security Strategy should be strengthened. This should include increased resources and the establishment of a national board in partnership with industry, states and territories with an integrated governance structure underpinned by a charter outlining scope and deliverables.
Additionally, the Ministry of Defence issued its 2020 Force Structure Plan that promised even more investment in cybersecurity in the military realm. The planning document discussed the “Information and Cyber Domain” first among the traditional domains (e.g. Maritime), placing greater emphasis on the importance of cyberspace operations to the Australian government. The Ministry offered this summary of its plans:
- 3.1 Defence is becoming more reliant on fast, reliable and secure internet-based communications. But the threat to this connectivity from malicious actors is also growing. There has been a marked increase in cyber-attacks against Australia by foreign actors and criminals.
- 3.2 Secure and resilient information systems are essential to Defence’s ability to conduct operations. The Government’s plans for investments in Defence’s information warfare capabilities in the Information and Cyber domain are critical to ensure information can be securely and reliably shared across Defence, with other Government agencies, and with international partners. Future planned investments will protect Defence in cyberspace and enable operations against adversary systems. These plans include investments in offensive cyber and operational cyberspace capabilities for deployed forces.
- 3.3 In addition to cyber capabilities, the Government plans to make additional investments in enhanced information and electronic warfare systems, and in improved joint command, control and communications systems to strengthen Defence’s warfighting capability. Proposed investments would improve network security and resilience, and the capacity to share information with international partners. Furthermore, Defence intelligence capability will be bolstered with funding to integrate intelligence, surveillance and reconnaissance programs and data, and continued investment in signals intelligence capabilities. Funding will be set aside to ensure Defence remains competitive in the future as emerging technologies, such as artificial intelligence, arise in this domain.
- 3.4 The total program of investment in strengthened Information and Cyber domain capabilities is expected to comprise approximately $15 billion over the next decade.
© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.