Cybercrime has become one of the most serious forms of crime over the last decade and its effects are a dangerous threat to governments, businesses, and individuals alike. Over the coming years this is only going to increase, so decisive and coordinated action is overdue. It will only be a matter of time before we see major newspaper headlines announcing the first AI-developed cyber-attack.
Over the last decade government and businesses have increased their activities to prevent these crimes from creating havoc in Australia’s society and its economy.
With the establishment of the National Office for Cybersecurity, it now looks, at least on paper, as if a more coordinated approach will be taken.
Cybersecurity is an ongoing cat and mouse game. National cyber security needs to stay in front of criminals as well as of the effects of an increasingly dangerous – often ideology-based – geopolitical environment where cyberwarfare has become the latest weapon to attack adversaries, whoever they may be.
All the parties involved will be using the latest technologies to beat the other. For those who are defending themselves, this requires that all parties work together according to an agreed national policy.
Back in 2020 I was invited to make a submission for the Government’s Cyber Security Strategy. At that time I argued “… that as with so many policies there is a serious lack of vision from the government and therefore also no clear strategy attached to it. Decisions are made on the fly without proper process. So much of what passes for government cyber-security initiatives is knee-jerk reactions to external events, rushed through with no time for thoughtful inputs from experts in the field. Input from experts should be asked before policies are developed, not afterwards. There has not been any due process in the formulation of the policies. This is seriously undermining any trust in the government being able and interested to work with the experts, industry and the community to put a solid policy in place.”
I was already involved in the early industry discussion on the issues back around 2015; this actually led in the following year to a report from the Australian Cyber Security Centre. This report was offered to the then Home Office Minister Peter Dutton. It highlighted issues as mentioned above and offered suggestions on how to address these issues, but for unknown reasons that report was shelved by the government at the time. Following the inquiry of 2020 yet another report was produced for Minister Dutton.
It looks to me that the now proposed National Office for Cybersecurity is finally a positive step forward. What might have helped push the issue forward has been the major cyber security attacks that happened last year at Optus and Medibank. The response to the attack came from a myriad of uncoordinated (government) offices, all of whom had control over some part of the cyber security pie, and their uncoordinated and often confusing response totally overwhelmed the actual investigation process. It clearly showed the weakness of such a silo-based structure.
The problem had, in my opinion, at least in part to do with a turf war between the various agencies. This was a direct result of the range of uncoordinated panic policies that had been developed over the previous period. As a result it was unclear who oversaw what and who had the power to do what.
As I mentioned in my opinion piece in relation to the Optus breach, we all have a role to play: the various levels of government, their agencies, businesses as well as individuals. That being the case it is blatantly obvious that such a strategy requires a coordinated approach. It looks like these internal issues have been resolved, again as mentioned above, at least on paper. We will have to wait and see how this will be executed.
Having a National Office for Cybersecurity in itself doesn’t solve the problem. What really matters here is who will be in charge and who has the legislative power to operate independently from politicians to execute the strategy. It is highly unlikely that the various agencies (ASIO, Defense, Law Enforcement Agencies, various regulators of critical infrastructure and finance) are going to give up their powers lying down. Unless there is a strong legislative foundation to the new Office, doors remain open to party politics which, as we know all too well, leads to political footballing along the lines we have seen with the National Broadband and the National Energy policies.
This is a very good first step, but it requires a sound (bipartisan) foundation. It will be interesting to see if that can be achieved and what the next steps will be. Those next steps will give a good indication of how serious this new initiative is. Based on history it could also result in the National Office for Cybersecurity just becoming yet another part of the pie, rather than the one that should be in charge of it. So for the sake of national interest let us hope that this will result in a strong, true national strategy.
Paul Budde