
Experts bemoan lack of detail in cyber strategy – The Australian Financial Review


“Industry and government will co-design new legislation introducing economy-wide cyber security responsibilities, so in the same way as workplace health and safety is now fully accepted as a board responsibility, soon boards and executives will likely be held accountable for cyber security risk management … A security baseline will drive innovation, stability and profitability.”

Former national security adviser and head of the Australian Cyber Security Centre, Alastair MacGibbon, says new rules for company directors will be significant. Alex Ellinghausen

However, Mr MacGibbon said he believed there was not enough detail about remediating a national shortage in cyber security skills for businesses to access.

Others in the industry complained that the document had too many generic “motherhood statements”, without enough detail on what practical things would change in smaller businesses, and how Australia was going to grow a stronger local sector of tech security companies.

“By my calculations more than 90 per cent of the $1.6 billion is going to the ASD and AFP in one way or another … So really, this is much less of a national cyber strategy, and much more of a warning shot to hostile nation states that Australia is delivering a capability uplift to our signals intelligence and law enforcement capability,” CISO Lens managing director James Turner said.

“It seems odd that there is no declaration of continued investment in [industry growth organisation] AustCyber. It was the key to Australia recouping some of the costs of all our work and investment in this space … If we’re to do so much capability uplift across the nation, then why not commercialise the learnings?”

Mr Turner said he was worried that nothing much would change as a result of the new strategy, with existing intelligence bodies.

“This plan looks like a solid, pedestrian, capability uplift for the ASD, but vision and leadership are missing,” he said. “Consequently, there’s a considerable opportunity cost. The lack of a minister for cyber or an independent cyber adviser to the Prime Minister are both glaring omissions.”

Head of Australia and New Zealand at internet infrastructure company Cloudflare said the nationwide reflection on cyber security matters was welcome, but he had mixed feelings about the newly published strategy.

He said there were significant gaps and a lack of teeth to ensure companies picked up their game.

“I think the strategy is looking weak in terms of upgrading businesses’ security standards,” he said. “Once again, we are only talking about ‘support’, ‘best practices’ and ‘encouraging’ businesses to act.

“We have seen how this approach is usually ineffective as business leaders stay in a reactive mindset to cyber security. The strategy doesn’t include clear directions for these organisations to protect their own systems, but worse, there are no requirements for them to do anything, especially for the protection of citizens’ data.”

Former Defence Minister Stephen Smith, who is now the chair of Australian cyber security company Sapien Cyber, said he was encouraged by the overall focus on protecting Australian critical infrastructure.

He liked the sentiments expressed about increased co-operation between government bodies and local cyber security companies.

“With the threats to critical infrastructure increasing from well-equipped and persistent state and non-state actors, this is not something which either the Commonwealth or Australian industry can do by itself,” Mr Smith said.

“In this context, growing a capable sovereign domestic Australian cyber security industry, working hand in hand with the Commonwealth, is essential to ensure the ongoing security of Australia’s critical infrastructure.”

Nigel Phair, the director of UNSW Canberra Cyber, described the strategy as a “good first stab” and said the move to introduce legislation to set in stone company directors’ cyber duties was the most significant new idea.

“I think this part is the game changer for business,” he said.

“It is great that government will work with business to get them to properly understand online risk and introduce appropriate controls, but this aspect of the strategy is the only compelling part by spelling out obligations for company directors.

“It will be interesting what the reform agenda is coming out of this.”


