Australia has set a stretch cyber security target, but local industry players are concerned about funds and a lack of clarity around messaging.
Last November, Home Affairs and Cyber Security Minister Clare O’Neil set an ambitious target for Australia to become the world’s most cyber secure nation by 2030.
Audacious as it is imperative, the target, if achieved, would pave the way for Australia to not only prevent and respond to cyber threats, but to harness the billions of dollars expected to be generated by the industry over the next decade.
Australians are considered a soft target for cyber criminals owing to our comparatively relaxed attitude, relatively high wealth, and low cybersecurity acumen.
That’s reflected by the high number of attacks we face, with one reported every six minutes in 2022-23.
Ransomware – just one option in a cyber criminal’s ever-expanding toolbox – accounted for $3 billion in losses to the Australian economy, according to the Australian Signals Directorate 2022-23 report.
The report found the cost of cybercrime on Australian businesses was also growing, by up to 14 per cent annually.
Numbers like that have changed the conversation in recent years. Whereas cybersecurity was once a relatively obscure concern restricted to small IT departments, it is now a feature of boardroom discussions across the country, as a recent KPMG survey found.
The Keeping Us Up at Night survey, which polled 319 top executives and board members from some of Australia’s largest private companies, found 43 per cent of respondents saw cybersecurity as the top issue for the year ahead.
About 35 per cent listed it as their main concern for the next three to five years, overtaking skills shortages as the top issue in the survey.
Speaking on the report, KPMG Australia chief executive Andrew Yates said several high-profile attacks and outages over the past few years had reinforced the importance of cybersecurity in boardrooms.
“The COVID pandemic accelerated our shift to digital channels and brought issues relating to data and its associated infrastructure into sharp focus,” he said.
“As global economies and supply chains were disrupted, organisations had to rethink their dependencies on goods, services and the digital infrastructure that underpins them.
“Cybersecurity is now the golden thread at the heart of every business.”
And it’s not just private businesses taking cyber seriously, with the Massachusetts Institute of Technology cyber defence index 2022-23 putting the Australian government in top spot.
That’s not to say Australia has already achieved its 2030 goals; the report measures the degree to which the top 20 economies have adopted technology practices that advance resilience to cyberattacks, and how well governments and policy frameworks promote secure digital transactions.
Contrary view
Despite this finding, Centre for Securing Digital Futures director Andrew Woodward has a drastically different take. He said failure to adequately fund the sector risked Australia missing its 2030 goal and falling behind international counterparts.
“When we’re talking about this 2023-30 strategy, underfunding cybersecurity research, it effectively says, ‘refer to existing national grant program’,” Professor Woodward said.
“And at the end of this year, the Cybersecurity Cooperative Research Centre finishes up; it’s the end of their seven years of funding.
“The centre funds around ninety per cent of cybersecurity research at Australian universities, so when that concludes at the end of this year it’s going to leave a vacuum in terms of funding.”
Cecily Rawlinson presenting at the CyberWest Summit 2024. Photo: David Broadway
Professor Woodward said he would like to see a federal funding mechanism to support cybersecurity research at Australian institutions to replace the CCRC.
A tightening of consequences for companies that don’t adequately protect data was another idea he supported.
There are provisions for the strengthening of cybersecurity obligations in the 2023-30 strategy, but by and large they refer to critical industries such as aviation and maritime.
Professor Woodward believes introducing liability for directors in cases of preventable cyber breaches would help accelerate cybersecurity development and improve protection of sensitive personal data.
“If you think of the equivalent in the real world, if you fail to undertake an action that results in injury then there are consequences,” he said.
“And yet in cyberspace, companies just throw their hands in the air and say ‘Oh, it’s not our fault, we did all we could’.
“Obviously it’d be fairly hard to prove cyber negligence, but having those safeguards in place would at least encourage these companies to take data protection seriously.”
Toughen up
WA Cyber Security Innovation Hub director Cecily Rawlinson said while there had been an increase in reporting of cybercrime by Australian businesses, more stringent measures were needed to achieve the 2030 goal.
“Cybercrime is taking on the global drug trade. It’s a multi-billion-dollar industry,” she said.
“We’re not dealing with teenagers playing around anymore. We’re dealing with large, organised crime syndicates,” she said.
“I think, so far, we’ve had a carrot approach, but to take Australian cyber to the next level we need a combination of carrot and stick.
“And I think the government is already planning some regulation around this. From my understanding it’s got some teeth, but they haven’t shown themselves yet so we’re not exactly sure what it’ll look like.”
Ms Rawlinson said data retention legislation was one of the measures most needed in the space.
In March 2023, fintech company Latitude Financial suffered a breach that led to the theft of more than 7.9 million sets of personal information belonging to customers, past customers and applicants across Australia and New Zealand.
Latitude had, in 2015, transitioned from GE Money, taking on responsibility for many of GE Money’s customers and products and retaining the data.
It meant that when the breach occurred, previous GE Money customers – or anyone who signed up for a retail branded credit card through a store partnered with GE Money – also had their information leaked, despite never having interacted with Latitude.
CyberWest project and engagement lead Emma O’Neil (left), Cecily Rawlinson and Innovation and Digital Economy Minister Stephen Dawson.
Ms Rawlinson was among those caught up in that breach, despite not having lived in Australia for 15 years at that time.
“It was data I had submitted over fifteen years ago, and because driver’s licence numbers stay the same in Australia, it was compromised as part of the breach,” she said.
“I think we need to start having the conversation about what personal identifiable information is needed and, even more critically, what is retained.
“This information is important and it does not need to be kept on file indefinitely. So, I think some legislation around the amount of time this information can and should be kept by companies is critical.”
Losing it
Identity theft due to cyber breaches is on the rise, with Australian Institute of Criminology data showing one in every five Australians has been affected.
To combat this, the federal government is working to develop a digital ID program as part of the 2023 Cyber Security strategy.
The program would allow Australians to verify their identity using a phone application that would result in fewer records of individuals’ ID data and documents being held by commercial and government organisations.
It’s a practice already adopted in many nations around the world, including Estonia, where a digital ID called eID has been in operation for more than 20 years.
Almost every Estonian has created an eID, which gives them access to more than 600 services and 2,400 businesses and enables payments, voting and even the filling of prescriptions without another form of ID.
A similar system is in place in Singapore, India, Sweden, Belgium, Denmark and the Netherlands.
In 2017, however, Estonia had to suspend the use of the cards after a wide-ranging security flaw was discovered.
Petr Švenda, a cryptography and security researcher at Masaryk University in the Czech Republic, notified Estonia about the security risk in the ID cards’ chips.
But there was a larger problem: an algorithmic flaw in the Infineon RSA Library, which meant all private keys generated by the Infineon Library were vulnerable.
Millions of chips used for identity documents produced by the company Infineon were affected worldwide. In Estonia, all the eID cards (800,000) issued since autumn 2014 were at risk.
In theory, every private key could have been calculated from its public key, allowing hackers to steal users’ digital identities and access their sensitive information.
Luckily the flaw was picked up by good-faith actors, but it raised questions over the vulnerabilities posed by a single point of data in the case of a breach.
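The Infineon flaw described above is publicly documented as ROCA, and the defender-side response was a scan: every affected public modulus carries a residue fingerprint, so vulnerable keys could be found and revoked from the public key alone. The Python below is an added example written for this page, not code from the article or from any vendor; it reproduces that published fingerprint test, and the "affected" modulus it builds is a constructed stand-in, not a real key.

```python
from math import prod

# First 38 odd primes up to 167. The flawed generator built each RSA prime as
# k*M + (65537^a mod M), with M a primorial containing all of these primes for
# every supported key size, so N = p*q is a power of 65537 modulo each of them.
SMALL_PRIMES = [3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53, 59,
                61, 67, 71, 73, 79, 83, 89, 97, 101, 103, 107, 109, 113, 127,
                131, 137, 139, 149, 151, 157, 163, 167]
GENERATOR = 65537

def subgroup_mod(p, g=GENERATOR):
    """Residues {g^k mod p}: the only values an affected modulus can take mod p."""
    seen, x = set(), 1
    while x not in seen:
        seen.add(x)
        x = x * g % p
    return seen

FINGERPRINT = {p: subgroup_mod(p) for p in SMALL_PRIMES}

def first_failing_prime(modulus):
    """Smallest prime whose residue rules the modulus out, or None if all match."""
    for p in SMALL_PRIMES:
        if modulus % p not in FINGERPRINT[p]:
            return p
    return None

def has_roca_fingerprint(modulus):
    """True when every residue is consistent with the flawed generator; an honest
    modulus passes all 38 tests only with negligible probability, so True means
    'revoke and re-key'."""
    return first_failing_prime(modulus) is None

def modulus_from_openssl_line(line):
    """Parse the 'Modulus=HEX' line from `openssl rsa -pubin -noout -modulus`."""
    name, _, hexval = line.strip().partition("=")
    if name != "Modulus" or not hexval:
        raise ValueError("expected a 'Modulus=<hex>' line")
    return int(hexval, 16)

def constructed_affected_modulus(a=12345, bits=2048):
    """Constructed stand-in (not a real key) carrying an affected modulus's residues."""
    M = prod(SMALL_PRIMES)
    n = pow(GENERATOR, a, M)
    k = ((1 << (bits - 1)) - n) // M + 1  # lift to `bits` size; residues unchanged
    return n + k * M

if __name__ == "__main__":
    sample = constructed_affected_modulus()
    print("constructed modulus flagged:", has_roca_fingerprint(sample))  # True
```

Feed real keys in by piping the `Modulus=` line that `openssl rsa -pubin -noout -modulus -in pub.pem` prints into `modulus_from_openssl_line`; a match is a signal to revoke, not proof of compromise.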
Australia’s Digital ID System, to which the federal government has committed $145.5 million over four years, will aim to achieve similar capabilities with slightly different technologies.
The Australian digital ID will not be a physical card, nor will it be usable as a form of ID.
Brett Delongville says a national cyber strategy has to be aspirational.
It will instead allow people to verify their ID when interacting online without having to repeatedly provide copies of their most sensitive documents, such as passports, birth certificates and driver’s licences.
It’s a move Professor Woodward said had its merits and pitfalls.
“I’m not sure it would necessarily make anything better,” he said.
“There are significant risks associated with tying a single identification number with a whole range of data sources.
“And from a bad guy’s perspective, that’s probably the pot of gold at the end of the rainbow.”
Despite conflicting arguments for certain technology and legislation, one thing all experts seemed to agree on was the need for a coordinated government and industry response, and a shared responsibility to protect cyber assets.
CyberCX industry lead for utilities and resources, Brett Delongville, said the overarching cyber strategy was encouraging, but that more details were needed to guide future decisions.
“It’s certainly a high-level document. It’s a national strategy, so it’s got to be high level and aspirational,” he said.
“I think there is scope for lower-level policy statements and annual updates to get a clearer idea or an expectation or assessment of how things are going.
“I think the overall message of the strategy – that cyber has got to be part of your technology strategy and you’ve got to invest time and assets into making sure you’re getting things right – is starting to get across.”