Although the Australian government has made great strides in adopting a cybersecurity plan and creating reform to better protect federal assets, experts warn it will be hard to build on recent improvements unless further wide-scale reforms are implemented.
Adopting successful policies from other nations, improving the culture of information sharing within government and tweaking the immigration system are just some of the suggestions put forward to help the government up its digital game.
But while some of these efforts may take several years, federal agencies can still take effective action now on low-cost methods to help further protect themselves.
“I’d like to see a cultural change,” says Akamai chief strategist for cybersecurity AJP (Australia Pacific Japan), John Ellis. “In government and military, the culture right now is “need to know.”
Akamai’s content delivery network handles up to 30% of all internet traffic around the world, and the company also provides critical support to businesses and governments to protect them from distributed denial of service attacks.
“When it comes to information security, it needs to be “need to share. If we’re looking at the cyber-criminal landscape, they share everything, but agencies have been disadvantaged. The ability to share information is low,” says Ellis.
“The challenge is how,” says Ellis.
Stepping up to the skills challenge
Prime Minister Malcolm Turnbull announced in March the government would pursue 33 initiatives to help tackle cybercrime, and in April launched the new cybersecurity strategy.
The strategy includes stronger partnerships between government, research and business to help tackle threats on a joint front, stronger cyber defences, putting more funds into growth and innovation in the cybersecurity sector and efforts to help increase cybersecurity skills in the private workforce.
But Ellis warns that Australia may be at risk of falling further behind, “even with the earmarking of $230 million, along with the $400 from the Defence White Paper” to help shore up cybersecurity technology.
“Very few agencies are big enough and have enough diversity there, and that’s an unfortunate reality. Are agencies paying the right sort of money to attract this talent, and are they providing the right sort of challenges?
Ellis points to the British National Audit Office review of 2013 that identified key skills shortages in government areas of cybersecurity – a similar review in Australia could well come to the same conclusion, he says.
Taxing questions
Secondly, Ellis says tax incentives favouring investment could be utilised to create an improved culture of cybersecurity across both government and business.
“The level the government has at its disposal is to use taxation to incentivise cybersecurity,” he says, noting that corporate tax rates could be reduced for those businesses that implement a range of cybersecurity features.
Michael Smith, APJ Security CTO at Akamai, suggests Australia may consider looking to Singapore for some inspiration for national policy on cybersecurity, particularly Singapore’s policy that aims to help agencies with fewer staff and restricted budgets.
“Information sharing is key,” he says. “One of the things we’ve seen is the Prime Minister of Singapore sign an agreement with the United States’ government around information sharing, mutual incident response, and trading staff back and forth.”
Ellis also agrees both Singapore and the United States have displayed good examples of policy to follow.
“FedRAMP is a certification program for cloud providers in the United States, and it’s done very well,” Ellis says.
The program operates by ensuring any federal agency looking to hire a cloud provider must only hire those on a secured list.
Ellis also says Singapore has made interesting moves, and some could be examples for the Australian government to consider. From next year, Singapore government servants will no longer be able to access the internet from their laptops.
While this is a relatively extreme step, Ellis says, and not one he necessarily recommends, it highlights the need for Australian agencies to think more broadly about cybersecurity within the confines of their own jurisdiction.
Hit the share button
Action on these tasks could take several years, and many smaller federal agencies with slim budgets are struggling to protect themselves now. In these cases, Smith says a shared services model, similar to the approach of the United States government, could make sense.
“You have the Department of Homeland Security, which is given a security mission for all of government. They can do all security testing, all monitoring, and all incident response.
“There’s a good opportunity there for smaller agencies to pool with other small agencies,” he says.
As for funding, Smith says this area needs more attention.
“I’d look at the specific agencies’ IT budgets, how they get that funding, and by extension that funding should fund their security.”
There are still plenty of actions these agencies can take in order to protect themselves, says Troy Hunt, Microsoft regional director and MVP (most valuable professional).
Hunt focuses on two major suggestions: “bug bounties” and staff training with regard to social engineering.
Instead of paying for expensive penetration testing, Hunt says it can be cost-effective in some situations to opt for a public bug bounty.
“You do have to take a long-term strategic view, but they can definitely pay in spades.”
In people we trust
Secondly, Hunt says federal agencies should consider putting more money in training to help employees become more aware of social engineering tactics, through which hackers attempt to gain information through conversation and other “soft” methods rather than through direct digital infiltration.
“Beyond malicious intent, you have hundreds of thousands of people employed with vital information. What happens when just one of them gets infected through malware, even though innocently visiting a website?”
Hunt says isolating digital systems at the same time as agencies creating universal citizen-facing services, such as myGov, can create some tension.
While Ellis says perfecting cybersecurity is impossible, he warns agencies that pursuing cybersecurity vigilance is more of “a state of play”.
“We understand it’s going to be difficult … but we need to get it right.”
