Fortifying Australia’s cybersecurity resilience
The complexity, density and distribution of digital products and networks are rapidly growing. As they do, so too will the spread, frequency and severity of malicious cyber activity. We have moved far beyond the relatively innocuous spam of yesteryear to threats which are far more serious.
The 2017 Cisco Cybersecurity Report expressed concerns about the accelerating pace of change and sophistication in the global cyber threat landscape.[1] The World Economic Forum’s (WEF) Global Risks Report 2017 ranked cyberattacks as the 6th most impactful global risk in the next decade.[2] Australia has been labelled a ‘hotbed’ for cybercrime[3] and vulnerable to cyberattack,[4] and 122,528 reports of cybercrime were registered with the Australian Cybercrime Online Reporting Network (ACORN) between January 2015 and September 2017.[5]
Frequent cybersecurity incidents serve as a stark reminder to us all of the price of progress. Not so long ago the concept of security was intrinsically linked to perimeters, physical barriers and defences which were tangible and well understood. Attacks, crimes and breaches often spurred thoughts of destruction, violence and even death. But times are changing: while there have been no reported deaths from cyberattacks and little physical ‘destruction’[6] in the way many of us would perceive the term, the world is beginning to realise the disruptive capabilities of malicious cyber activity, and with good reason. CSIRO’s Data61 has several key focus areas around cybersecurity, summarised at Cybersecurity at CSIRO’s Data61.
The impacts of cyberattacks
In 2015 a major cyberattack in Turkey affected networks used by the country’s banks, media and government.[7] Around the same time Ukraine’s power distribution systems were attacked, cutting electricity to 225,000 residents and disabling phone systems in large parts of the country.[8] In 2016 the ABS website for the Australian census was subject to four Denial of Service attacks,[9] while the 2017 United States Presidential Election was marred by incursions in voter databases and software systems across almost 40 states.[10] Earlier that year Italy’s top bank, UniCredit, experienced a severe security breach which saw data from approximately 400,000 accounts stolen.[11] By 2019 the global cost of data breaches is estimated to reach USD$2.1 trillion.[12]
It can be no surprise that governments, companies and citizens are concerned about the invasive and crippling nature of cyberattacks. Unfortunately, these concerns are matched by a tendency to misunderstand how to manage the emerging, evolving risks associated with an increasingly digitised society.[6]
As people lose trust in digital mediums, they lose confidence to trade, buy, sell and undertake commerce in the digital world.[13] The Honourable Philip Dalidakis, Victorian Minister for Small Business, Innovation and Trade, suggested this is ‘one of the quickest ways we have to ensure that society starts to regress rather than progress’.[13] Addressing cyber risks will therefore be critical to ensuring future growth in Australia’s digital economy.[14]
The Global Cybersecurity Index (GCI) shows Australia’s efforts to combat cybersecurity threats. The GCI measures a nation’s commitment to cybersecurity; in the 2017 GCI report Australia ranked 7th of 134 Member States.[15] The GCI is closely linked with the International Telecommunication Union’s (ITU) Global Cybersecurity Agenda (GCA), which is built on five strategic pillars: legal measures, technical and procedural measures, organizational structures, capacity building and international cooperation.[16]
Australia’s Digital Pulse, a 2017 report initiated by Deloitte and the Australian Computer Society, concluded that a greater focus on cybersecurity would ‘unlock potentially valuable investments in digital innovation, boosting most businesses, particularly those in banking, health, education and defence’.[13] Under this scenario, by 2030 there was an uplift of 5.5 percent in business investment, a 2 percent increase in wages and an additional 60,000 people employed.[13] So what are the key areas of focus moving forward?
Building a deeper talent pool of cybersecurity skills and expertise
The global cybersecurity workforce gap is set to hit 1.8 million by 2022,[17] and cybersecurity is one of the few occupations with zero unemployment in Australia.[18] Craig Davies, the CEO of the Australian Cyber Security Network (ACSGN), stated the demand for skills in the sector is outpacing anyone’s ability to produce skilled candidates.[18] Chris McDonald, who is the managing director in Australia and New Zealand for global job site Indeed, expects a long-term shortage in the market after employer demand for cybersecurity professionals was 3 times higher than supply for the first period of 2017.[19]
Organisations must strive to uncover risks
Exponential increases in the production and adoption of new digital technologies, such as the internet of things (IoT), are creating widespread cybersecurity vulnerabilities.[6] Critical to building resilience will be a concerted effort in organisations and within society more generally to uncover and manage the risks of novel technologies. The global State of Information Security Survey uncovered that just 34 percent of organisations intend to assess IoT risks across their business ecosystem, and those that do are unsure as to whose responsibility within the organisation it would be to manage such risks.[20]
Using transparency as a first step to mitigate cyber risk
Transparency refers to the disclosure of the scale and nature of cyberattacks to key stakeholders, for example board members, clients, investors, suppliers, regulators and authorities.[21] The benefits of transparency should not be underestimated in this instance, as it allows stakeholders to observe and make visible the true state of cybersecurity, and increases awareness around existing cyber threats. This facilitates targeted actions which improve detection capabilities and directly combat any potential threats. In 2017 the Privacy Amendment Bill was enacted in Australia, which forces organisations to publicly disclose data breaches,[22,23] and in May of 2018 Europe’s General Data Protection Regulation will come into force and ensure companies doing business within Europe disclose any data breaches to authorities and to the public.[24]
Collaboration between and within government and industry
Public and private information sharing is a useful tool for combating cyberattacks.[25] Increasing connectivity and digital dependency means the sharing of timely and actionable cyber information among institutions and regulators is a manageable first step toward building cyber resilience within industry.[21]
Developing Cybersecurity Knowledge Hubs
These venues become focal points for collaborative knowledge exchange where cutting-edge innovation and technology can be refined to help companies build effective cyber defense strategies.[21] The National Cybersecurity Mega-hub opened in Melbourne in 2016 and represents the sort of investment which is critical toward cyber resilience.[26]
The ongoing technological arms race between those trying to protect the cyber realm and those trying to attack it will likely continue well into the future. Developing resilience does not hinge on any one technology but rather a shift in mindset toward enterprise-wide cyber risk management strategies centred on transparency and collaboration both within industry and government.
1. Cisco. 2017. Cisco 2017 Annual Cybersecurity Report. Cisco Systems Inc. San Jose, United States.
2. WEF. 2017. The global risks report 2017. World Economic Forum. Geneva, Switzerland.
3. ABC. Australia is a ‘hotbed’ for economic crime: PwC. [Internet]. 2016 Available from: Australia a ‘hotbed’ for economic crime, as one-in-10 organisations report losses over $1m
4. Deloitte. 2016. Asia-Pacific Defense Outlook 2016: Defense in Four Domains. Deloitte Tohmatsu Consulting LLC, Deloitte Touche Tohmatsu Limited. Tokyo, Japan.
5. ACORN. 2017. ACORN Snapshot. Canberra, Australia.
6. Castelli C. 2017. Strengthening Digital Society Against Cyber Shocks: key findings from the global State of Information Security Survey 2018. Global State of Information Security, PricewaterhouseCoopers. Washington D.C., United States.
7. Sezer C T, Ebru;. Turkish banks fend off cyberattacks, some transactions hit. [Internet]. 2015 Available from.
8. ICS. 2016. Analysis of the Cyber Attack on the Ukrainian Power Grid. Electricity Information Sharing and Analysis Center, Industrial Control Systems. Washington D.C., United States.
9. Australia P o. 2016. 2016 Census: Issues of Trust. Australian Government. Canberra, Australia.
10. Riley M R, Jordan;. Russian Cyber Hacks on U.S. Electoral System Far Wider Than Previously Known. [Internet]. 2017 Available from.
11. Sirletti S R, Edward;. Hackers Breach 400,000 UniCredit Bank Accounts for Data. [Internet]. 2017 Available from.
12. Juniper. 2015. Cybercrime and the Internet of Threats. Juniper Research Ltd. Hampshire, United Kingdom.
13. O’Mahony J R, David; Ma, Sara; Sarma, Neal; Hull, Nick;. 2017. Australia’s Digital Pulse: Policy priorities to fuel Australia’s digital workforce boom. Deloitte Access Economics, Australian Computer Society and Deloitte. Sydney, New South Wales.
14. PM&C. 2017. New program to build Australia’s frontline cyber security workforce. Department of the Prime Minister and Cabinet, Australian Government. Canberra, Australia.
15. ITU. 2017. Global Cybersecurity Index (GCI) 2017. International Telecommunication Union. Geneva, Switzerland.
16. ITU. Global Cybersecurity Agenda. Available from: Global Cybersecurity Agenda (GCA): About GCA.
17. Sullivan F. 2017. 2017 Global Information Security Workforce Study. Center for Cyber Safety and Education and Frost & Sullivan. San Antonio, United States.
18. Borys S. Cyber security specialist shortages could leave Australian vulnerable to attack, experts say. [Internet]. 2017 Available from.
19. AFR. Australia faces cyber security skills crisis as challenges mount. [Internet]. 2017 Available from.
20. PwC. 2017. The Global State of Information Security Survey 2018. Cybersecurity and Privacy, PricewaterhouseCoopers. London, United Kingdom.
21. Hedrich W W, Gerald; Yeo, Jaclyn;. 2017. Cyber Risk in Asia-Pacific: the case for greater transparency. Asia Pacific Risk Center, Marsh & McLennan Companies. Singapore.
22. Legislation F R o. 2017. Privacy Amendment (Notifiable Data Breaches) Act 2017. Australian Government. Canberra, Australia.
23. OAIC. 2017. Notifiable Data Breaches Scheme. Office of the Australian Information Commissioner, Australian Government. Canberra, Australia.
24. EUGDPR. GDPR Portal: Site Overview. Available from: GDPR Portal: Site Overview.
25. WEF. 2017. Guidance on Public-Private Information Sharing Against Cybercrime. World Economic Forum. Cologny, Switzerland.
26. Victoria I. 2016. Cyber Security in Melbourne. Victoria State Government. Melbourne, Victoria.