Opinion

Bigger walls alone will not stop looming cybercrime threat

By Anthony Stitt
February 26 2024 - 5:30am

Following the launch of the cyber security strategy last year, Canberra has published a fresh industry consultation paper, setting the stage to change the government's legislative and regulatory landscape in its aim to make Australia one of the most secure nations in the world.

The paper rightly focuses on the human element - protecting, training, and securing devices used by people. People are both targets and a likely cause or contributor to cyber criminal activity, sometimes through malice, but more likely error.


One important proposed change is the introduction of a Cyber Incident Review Board (CIRB) and, even more importantly, the no-fault principle the government proposes to guide the board. Taking a leaf from other industry boards such as the Australian Transport Safety Bureau (ATSB), the CIRB will not find fault or attribute blame in post-cyber-event analyses.

With major breaches such as those that plagued Australia in 2022, too often we jump straight to victim blaming. Naturally, there is a huge emphasis on the individual victims whose data has been stolen or compromised, but we often forget organisations that are breached are victims of a crime themselves.

The CIRB will instead focus on finding the cause of a breach, including technical details, actions taken, and impact to provide best practice learnings - for both the victim and broader community.

Given the need for technical expertise to analyse these events, it's important the CIRB is made up of people with varied skillsets.

Government panels are often made up of business leaders, whose skills will be useful in post-cyber-event review, but who will lack the technical expertise and understanding of what goes on in the deep dark corners of the internet where cyber criminal activity festers. Cyber criminals are usually technical experts themselves; we need to match up to that.

I also believe, given it should be made up of some of the best cyber minds in the country, that the scope of the CIRB could be expanded to include a live command centre function, where the board's experts could advise on live breaches with a major impact on people, national critical infrastructure, and the Australian Public Service. This would help to mitigate the impact and enable faster resolution of those cyber incidents that pose the greatest risk to Australian people, government, and industry.

Beyond the CIRB, the government's latest consultation paper also calls for greater law enforcement in Australia's cyber response, which is desperately needed.

Canberra has already demonstrated its capabilities and willingness in this regard through the breakthrough disruption of LockBit, the world's most prolific ransomware group. This followed first-of-their-kind sanctions imposed on a Russian individual responsible for the Medibank cyber attack.

Cyber Security Minister Clare O'Neil. Picture by Sitthixay Ditthavong

We all have a responsibility to be vigilant and defend against cybercrime. But it is crime, and law enforcement is essential to deter and defeat cyber criminals.

One of the major callouts in the paper is mandating a secure-by-design standard for consumer-grade IoT devices (e.g., smartphones, wearable technology, and cameras) to help prevent cyber attacks on Australian consumers.

This should reduce the risk of these devices becoming a vector of attack or harnessed in large bot attacks such as distributed-denial-of-service (DDoS). Last year, it was reported a pro-Russian hacking group carried out a series of DDoS attacks on Australian government websites in response to a decision to provide Ukraine with Australian counter-drone technology.

Consumer-grade IoT devices are present not only in homes but also in businesses and even critical infrastructure networks. Therefore, the scope could be expanded to include industrial IoT (IIoT) devices where there's an increasing risk.

We're seeing more wireless tools vital to work done in factories, oil and gas fields, and electric utilities, but there are only government guidelines, not minimum standards, in place to keep devices secure. Changing our legislative landscape to address the cyber security strategy represents a real opportunity to bolster protection in these vital industries.

These legislative changes give us the opportunity to change the equation on cyber protection. Government can lead through its own policies, creating and enforcing laws, and taking action on those who have caused or wish to cause us harm.

This is a different kind of defence and offence. We can't succeed with higher walls, bigger moats, or more guards alone. These are initiatives that can be undone by criminal inventiveness, which is always evolving.

We need to reduce the attractiveness of being a cyber criminal by raising the stakes and the costs for the hackers, putting the right expertise in place, and ensuring everyone is trained and ready to do their part.

  • Anthony Stitt is regional senior director with operational technology and IoT cyber security company Nozomi Networks.