To achieve our goal, the Government will:
- establish a layered approach for sharing real time public-private cyber threat information through joint cyber threat sharing centres, initially piloted in a capital city, and an online cyber threat sharing portal.
- co-design national voluntary Cyber Security Guidelines with the private sector to specify good practice.
- update the Strategies to Mitigate Targeted Cyber Intrusions, published by the Australian Signals Directorate.
- introduce national voluntary Cyber Security Governance ‘health checks’ to enable boards and senior management to better understand their cyber security status.
- support small businesses to have their cyber security tested.
- boost the capacity of the Australian Cyber Security Centre to respond to cyber security threats and cybercrime.
- update and align our cyber incident management arrangements with international partners and jointly exercise responses to malicious cyber activity with the private sector.
- support Government agencies to improve their cyber security, including guidance for Government agencies to manage supply chain security risks for ICT equipment and services.
Connected systems are complex and only as secure as the weakest link. This means that all Australians must work together to make sure our systems and information are among the hardest to compromise and that we have the best possible defences.
To better detect, deter and respond to malicious cyber activities, cyber threat information should be shared in real time between and within Australia’s public and private sectors. Both have unique information to contribute to the threat picture. It is only by combining our knowledge that we can comprehensively understand cyber security threats to Australia and how to counter them.
It is equally important to deter malicious cyber activities by better understanding the threat and bringing the perpetrators to justice. Due to the global nature of malicious online activities, tackling cybercrime will involve both increasing the numbers and improving the criminal intelligence capacity and skillsets of law enforcement officers at home, as well as partnering with law enforcement and other agencies abroad.
Australia’s defensive and offensive cyber capabilities enable us to deter and respond to the threat of cyber attack. Any measure used by Australia in deterring and responding to malicious cyber activities would be consistent with our support for the international rules-based order and our obligations under international law.
- Actions So FarThe Australian Cyber Security Centre, opened in 2014, brings together cyber security capabilities across the Australian Government to collaborate and share threat information.
- Under the National Plan to Combat Cybercrime, Australian governments committed to taking concrete steps to tackle cybercrime in six priority areas, including community education.
- The Australian Cybercrime Online Reporting Network (ACORN) provides advice on how to recognise and avoid cybercrime. ACORN allows individuals to report cybercrimes that breach Australian law.
- The Australian Signals Directorate maintains world-leading cyber security advice in its Strategies to Mitigate Targeted Cyber Intrusions. The strategies are based on the Directorate’s analysis of reported security incidents and identified vulnerabilities.
- The Australian Media and Communications Authority facilitates the Australian Internet Security Initiative, a voluntary public-private partnership helping to reduce malicious software and service vulnerabilities occurring on Australian internet protocol (IP) address ranges.
Recognising the particular importance of secure telecommunications networks, the Government is working with telecommunications companies to manage supply chain risks by providing advice on protecting their networks and the information stored and carried across them. This includes work the Government is doing on Telecommunications Sector Security Reform to establish more formal and comprehensive arrangements to better manage national security risks of espionage, sabotage and interference.
Detect, deter and respondCyber adversaries are aggressive and persistent in their efforts to compromise Australian networks and information. They are constantly improving their methods in an attempt to defeat our network defences and exploit new technologies. Cyber adversaries will target the weakest link if the network security of their primary target is robust.
Strong cyber security ensures organisations can better detect malicious cyber activity. It can also be an effective deterrent by increasing the effort necessary for an attacker to succeed. Further, it can ensure that when malicious activity does occur, the consequences are reduced and the extent of the activity is contained effectively.
Businesses own and operate most of the infrastructure in cyberspace. They have information about malicious cyber activities on their networks and systems that is not readily available to Government agencies. On the other hand, the Government has access to intelligence and other restricted information about cyber security threats that is not readily available to businesses. Equally, businesses want to share information with each other using the Government as the honest broker.
Organisations, public and private, must work together to build a collective understanding of cyber threats and risks through a layered approach to cyber threat sharing. By securely sharing sensitive information and working together—in real time where possible—we can build a stronger collective understanding and ability to analyse and predict cyber security threats. This includes detection of patterns of malicious cyber activity and implementing adaptive and behavioural analysis to enable an epidemiological approach to responding to cyber threats. Pooling our resources is also more efficient and will help develop quicker responses to compromises and build national resilience. We can draw from the positive lessons learned from other successful cyber security partnerships, such as AusCERT.
AusCERT has helped its members prevent, detect and respond to cyber attacks since 1993. As a membership based, independent, self-funded, not-for-profit security team based at The University of Queensland, AusCERT has a national focus across industry and government and a national and global reach. AusCERT maintains a large network of trusted contacts with computer emergency response teams in Australia and overseas, including CERT Australia, Australia’s national CERT. AusCERT contributes to initiatives to help improve cyber security through its services to members, assistance to international CERTs, partnerships, submissions to government and participation in Australian and international cyber security forums.
The Australian Cyber Security Centre already shares threat information with the private sector and is improving its links to critical infrastructure providers. To share sensitive information quickly with a broader range of businesses, the Government will establish joint cyber threat sharing centres, co-designed with the private sector, in key capital cities to co‑locate businesses and the research community together with State, Territory and Commonwealth agencies.
The joint cyber threat sharing centres will produce advice that organisations can use to take practical steps to improve their cyber security. The first step will be piloting the operating model for centres. Business and government partners will co‑design principles on how information is shared. Based on the outcomes of the pilot, further centres will be opened in key capital cities.
The ACSC, opened in 2014, is a world-leading collaborative initiative. The ACSC brings together the Australian Government’s operational cyber security capabilities in one location to share threat information and combat sophisticated cyber security threats. The ACSC’s partner agencies include:
Australian Crime Commission
Australian Federal Police
Australian Security Intelligence Organisation
Australian Signals Directorate
Computer Emergency Response Team (CERT) Australia
Defence Intelligence Organisation
In July 2015, the ACSC released its first public Cyber Security Threat Report outlining the range of cyber adversaries targeting Australian networks, their motivations, the nature of the attacks and their impact. This was an important first step in sharing more information on cyber security threats. These reports will be updated and published at least annually as part of the approach to cyber threat sharing. The ACSC also provides advice on how organisations can defend themselves online and undertakes customer surveys to assess the maturity of cyber security practices.
To meet the needs of an even broader set of businesses and organisations, including small to medium businesses, the Government will also co-design with the private sector an online cyber threat sharing portal. It will enable participants in joint cyber threat sharing centres to quickly publish threat information and practical advice that Australian organisations can use to strengthen their cyber defences. Members of the portal will be able to collaborate online and share threat information and response options.
As part of the co-design of the cyber threat sharing model, linkages to global cyber security threat sharing initiatives and incentives for businesses to share information and improve cyber security will also be explored. This includes examining legislative impediments to sharing.
A layered approach to cyber threat sharing
The Government is committed to equipping the Australian Cyber Security Centre with the resources and tools it needs to fight the rising tide of malicious cyber activity and keep our cyberspace safe. The Government will boost the capacity of the ACSC agencies to tackle cyber security threats by:
- increasing the capacity of the national Computer Emergency Response Team (CERT) Australia to scale up their work with Australian businesses, in particular those providing critical services. The additional capacity will also improve CERT Australia’s technical capability to support businesses and to partner internationally to prevent and shut down malicious cyber activity; and
- funding new specialist officers for the Australian Crime Commission and the Australian Federal Police to tackle cybercrime. There will also be new training, including new modules in entry colleges and eLearning for existing personnel, which will boost the digital investigation skills of specialist officers to create a cyber smart law enforcement and criminal intelligence workforce.
The Government will also explore with States and Territories how best to ensure that law enforcement officers receive the training they need to fight cybercrime across the nation.
The technical environment is becoming more complex. Technologies that underpin and are used within cyberspace rapidly evolve and more traditional technologies are being used for new purposes. For example, as encryption technology becomes cheaper and more widely available, there is an opportunity for all users to access this technology to secure information and improve their cyber security. However, there is also a growing trend for groups and individuals to use encryption to hide illegal activity and motivate others to join their cause.
The Government supports the use of encryption to protect sensitive personal, commercial and government information. However, encryption presents challenges for Australian law enforcement and security agencies in continuing to access data essential for investigations to keep all Australians safe and secure. Government agencies are working to address these challenges.
While new cyber security vulnerabilities are emerging every day, many are becoming increasingly difficult to identify. The Government will increase the capacity of the Australian Signals Directorate to identify new and emerging threats to Australia’s cyber security and improve intrusion analysis capabilities. Through the 2016 Defence White Paper, the Government is also boosting Defence’s cyber security capacity and capability—this includes new resources to strengthen Defence’s cyber capabilities to protect itself and other critical Australian government systems from malicious cyber intrusion and disruption.
Businesses are encouraged to contact the Computer Emergency Response Team (CERT) Australia through the Australian Cyber Security Centre if they think they have been the target of a malicious cyber intrusion, particularly if there has been a threat to infrastructure. Faster identification may help to minimise the extent of potential damage. In time, the layered approach to threat sharing will help streamline reporting of incidents and build a more detailed picture of cyber threats to Australia.
The Government must also be ready to respond to incidents when they occur. Cyber incidents do not necessarily need a cyber response and the Government can draw on a range of options, including law enforcement, diplomatic, economic or even—as a last resort—military measures to a cyber attack. In order to ensure we are prepared to respond to a significant cyber security event and to improve our existing exercise practices, the Government will work with other governments, businesses and international partners to expand our existing cyber incident management arrangements and exercise program to ensure we can operate together in a crisis.
CyberStorm is an international cyber security exercise program led by the United States. Each successive CyberStorm has grown in size and complexity, with over 1000 players participating globally in CyberStorm V in 2016. Participating in CyberStorm allows Australia to assess its own capabilities using real world scenarios. It also strengthens our relations with international peers and tests these operational relationships in real time. Cyber security exercises are one of the most effective tools businesses can employ to demonstrate potential whole-of-business impacts of a cyber attack.
Raise the barWhile detecting and responding to cyber intrusions is important, even more important is to harden our networks and systems and make them less vulnerable to intrusions. In this case, prevention is definitely better than the cure.
Although some organisations may be implementing international cyber security standards that all organisations can achieve, others are not doing so. In our interconnected world, a solid baseline of cyber security practice is critical to achieving confidence online.
Self-regulation and a national set of simple, voluntary guidelines co-designed with the private sector will help organisations improve their cyber security resilience. As suggested by the private sector, these guidelines will be based on the Australian Signals Directorate’s Strategies to Mitigate Targeted Cyber Intrusions. These strategies will continue to be updated to keep pace with evolving technologies and innovative responses to cyber security challenges. While in its infancy in Australia, the rapidly growing cyber insurance market may help enforce improved cyber security performance.
ASX 100 listed businesses will have the opportunity to improve their cyber security governance by participating in voluntary governance ‘health checks’. The governance ‘health checks’ will enable boards and senior management to better understand their cyber security status and how they compare to similar organisations. In time, these ‘health checks’ (similar to the United Kingdom’s FTSE 350 governance health checks) will be available for public and private organisations, tailored to size and sector.
Small businesses often find it challenging to allocate resources to do cyber security well. Without adequate cyber security they can become the soft underbelly or back door into connected organisations. The Government will provide support for small businesses to have their cyber security tested by certified practitioners.
The Government will also support the Council of Registered Ethical Security Testers (CREST) Australia and New Zealand to expand its certification of information security testing services.
The Council of Registered Ethical Security Testers (CREST) Australia New Zealand is a not-for-profit cyber security standards organisation where member companies become CREST Approved if they meet appropriate governance standards. CREST Australia New Zealand then provides accreditation and certification for employees and contractors of CREST Approved Member Companies through practical exams in penetration testing and soon other in-demand areas of cyber security. CREST certified practitioners, while being attached to CREST Approved Companies with good governance, give businesses in Australia and the region the confidence that testing of the cyber security of their networks and systems is done by skilled cyber security professionals.
Cyber espionage activities target Australian Government networks almost daily and as a result Government systems have been compromised. In 2013, the Australian National Audit Office completed an audit of seven agencies’ compliance with the Government’s cyber security policies and found most fell well short. These Government agencies are responding to the audit in order to continue to improve security.
To take action to better protect itself, the Government will:
- undertake a rolling program of independent assessments of Government agencies implementation of the Australian Signals Directorate’s Strategies to Mitigate Targeted Cyber Intrusions;
- fund independent cyber security assessments of Government agencies’ at higher risk of malicious cyber activity and develop a framework that helps those agencies address findings; and
- increase the capacity of the Australian Signals Directorate to conduct vulnerability assessments of Government agencies and provide technical security advice on emerging technologies and vulnerabilities.
These assessments will help ensure appropriate action is being taken to manage cyber risks and that agencies have the right measures in place to respond to malicious cyber activity. The results from these assessments will inform further action to ensure all Government agencies are a harder target for cyber attack. The work on emerging technologies will also help inform the Australian Cyber Security Centre’s advice to the public and private sectors.
ICT supply chains have evolved with a diversity of ICT products and services being provided by a broad range of vendors. Products are routinely deployed and serviced globally. This has increased competition and lowered costs. As a nation with limited local ICT manufacturing, Australia has little control over the manufacture of these products and relies on services from a range of domestic and international organisations. A diverse and global supply chain can introduce risk.
The Government will develop guidance for its agencies to consistently manage supply chain security risks for ICT equipment and services. In time, this work will be used to help inform the private sector.
Fighting cyber threats needs shared action so decision-makers in governments, businesses and the community broadly have the information they need to protect themselves and our country.Jennifer Westacott, Chief Executive of the Business Council of Australia and member of the Cyber Security Review’s Independent Panel of Experts Read more