The 2020 Cyber Security Strategy Industry Advisory Panel Report – The Findings

On Thursday 6th August, the Australian Federal Government shared their 2020 Cyber Security Strategy for government agencies, business and the general public. A number of individuals and businesses were apart of the consultation process to help shape the strategy document we see today. Part of this group included an industry panel, who put together a comprehensive report of their findings and recommendations to the federal government. In this blog, Dane Meah takes a closer look at their findings.

The Cyber Security Strategy Industry Advisory Panel was formed at the end of November 2019. The aim was to provide an industry perspective of cyber security to inform the government’s revised security strategy. Supported by submissions from a large group of industries covering a complete cross-section of the Australian economy, from technology and cyber security to mining and transport. Over eight months, the team has had formal briefings with various government stakeholders, gaining lots of valuable feedback to produce what is a well-considered document.

THE AIM OF THE INDUSTRY ADVISORY PANEL REPORT

The panel was put together to help inform the government as it looks to create a revised cyber security strategy this year. The panel worked on compiling a series of recommendations on best practices in cyber security. This involved taking existing and emerging security trends and threats into account, such as nation-state attacks. The key strategic priorities for the strategy were aimed not just at the government but also at enterprises. The idea being that the recommendations would help overcome the obstacles and barriers for the delivery of the strategy and account for the effect of any proposed initiatives on the economy. After all, while new regulations may be necessary to manage the potential threats, they can’t be so rigid that they have a detrimental commercial impact.

PRINCIPAL TAKE-AWAYS FROM THE REPORT

The report dives into a lot of detailed recommendations, which are certainly worth reading through. While many areas may be familiar, there are some new and poignant recommendations that could make a significant difference to Australia’s security strategy. Some of the pivotal recommendations that the panel makes include:

• Establishing clear consequences – cybercrime shouldn’t be allowed to go unpunished. The government should be empowered to go after the proceeds of the crime so criminals can’t defraud people without consequence.
• Implementing better risk management – this is a call out to both the government and private sector to identify risks and then apply the controls and strategies to mitigate them. The panel highlighted the need for better risk management within our businesses to address cyber security holistically.
• Leading by example – the government should be a shining beacon for what good looks like within cyber security. They need to demonstrate how programs can be implemented to manage the complexities of big legacy infrastructures and systems. And larger government departments should help the smaller ones.
• Building better security awareness – while awareness has improved since the original cyber security strategy in 2016, there isn’t a rounded approach. Instead of organisations having isolated strategies, they should work together to account for different demographics and users.
• Increasing threat sharing – the panel suggests that intelligence should be applied so that threats can be stopped at higher levels than an individual’s endpoint security. (E.g. at a Telco level potentially blocking sites that are known to be malicious, meaning that individuals will not be able to access them from their home computers) The report looks globally, stating that other countries have implemented similar approaches with some success.
• Identifying key incidents that can occur – there should be well documented and rehearsed playbooks around what can happen in an enterprise during a cyber incident. Large-scale cyber response simulations should look at what happens if critical infrastructure goes down.
  

There is certainly a lot to cover in the report, 60 recommendations in total, but these are some of the key points. The panel recommends that threats to critical infrastructure, digital supply chains and systems of national significance should be addressed first, but the report addresses the full spectrum of cyber security threats that the country is facing.

HOW CAN YOU MAKE A DIFFERENCE?

The Australian government has a goal for the country to be a leading digital economy by 2030. To achieve that, there is an urgent need to step up cyber defences. The government needs to address highly sophisticated threats that target critical infrastructure, but also smaller activities which target vulnerable groups.

Ultimately, the only way to look at cyber security is as a team. Whether you work within the government, own a large enterprise or small to medium-sized business, you have a role to play. We all have shared platforms, common customers, and, unfortunately, can all be a target of attacks. By sharing accountability and working together, we have a better chance of keeping Australians safe and delivering the security settings we need to grow and prosper.

‍