{"id":37308,"date":"2023-10-20T14:49:20","date_gmt":"2023-10-20T14:49:20","guid":{"rendered":"http:\/\/startupsmart.test\/2023\/10\/20\/will-the-governments-cyber-security-strategy-be-successful-startupsmart\/"},"modified":"2023-10-20T14:49:20","modified_gmt":"2023-10-20T14:49:20","slug":"will-the-governments-cyber-security-strategy-be-successful-startupsmart","status":"publish","type":"post","link":"https:\/\/www.startupsmart.com.au\/uncategorized\/will-the-governments-cyber-security-strategy-be-successful-startupsmart\/","title":{"rendered":"Will the government&#8217;s Cyber Security Strategy be successful? &#8211; StartupSmart"},"content":{"rendered":"<div class=\"td-post-featured-image\"><img loading=\"lazy\" decoding=\"async\" width=\"640\" height=\"332\" itemprop=\"image\" class=\"entry-thumb\" src=\"\/wp-content\/uploads\/2016\/03\/turnbull-640x332.jpg\" alt=\"\" title=\"turnbull\"\/><\/div>\n<p><em>By\u00a0Robert Merkel<\/em><\/p>\n<p>The <a href=\"https:\/\/cybersecuritystrategy.dpmc.gov.au\/\" target=\"_blank\" rel=\"noopener\">Cyber Security Strategy<\/a> announced\u00a0by Prime Minister Malcolm Turnbull clearly places a high priority on protecting Australian government systems from foreign powers.<\/p>\n<p>But when it comes to protecting citizens&#8217; personal information, it appears to be rather a mixed bag.<\/p>\n<p>While very short on specifics, it does announce several potentially useful initiatives that may help protect Australians against cybercrime. But notably absent is any pressure on the private sector to improve its cybersecurity efforts.<\/p>\n<p>First, it commits the government to increasing the number and training of cybersecurity specialists in the Australian Federal Police and <a href=\"https:\/\/crimecommission.gov.au\/\" target=\"_blank\" rel=\"noopener\">Austral<\/a>i<a href=\"https:\/\/crimecommission.gov.au\/\" target=\"_blank\" rel=\"noopener\">an Crime Commission<\/a>.<\/p>\n<p>The government also wants to get its own house in order, in part by conducting additional independent security assessments of internal federal government IT infrastructure.<\/p>\n<p>This is an interesting move given Turnbull has confirmed both the Bureau of Meteorology and the Department of Parliamentary Services had been the victim of recent cyberattacks.<\/p>\n<p>But if more externally focused departments, such as the Australian Tax Office, Centrelink and Medicare, are also thoroughly audited, it would reduce the risk of those organisations&#8217; large collections of personal data being compromised by criminals.<\/p>\n<p>The strategy talks about sponsoring research to better understand the cost of malicious cyberactivity to the Australian economy. It says figures vary, with some putting the cost of cybercrime in Australia at about $1 billion a year, but other estimates put it as high as $17 billion.<\/p>\n<p>But perhaps the most useful contributions to cybersecurity for the broader public come from two measures:<\/p>\n<ul>\n<li>Increasing the number, and skills, of graduates with cybersecurity expertise in both the university and TAFE sector, and<\/li>\n<li>Partner with a range of organisations to \u201cdeliver a sustained, national awareness raising campaign, encompassing a range of activities, which enables all Australians to be secure online\u201d.<\/li>\n<\/ul>\n<p>The effectiveness of both of these policies depends on how they are actually implemented.<\/p>\n<p>In tertiary education, it\u2019s easy enough to devote a couple of lectures and an exam question to the topic, to tick an auditing body\u2019s box marked \u201ccybersecurity\u201d.<\/p>\n<p>Making sure that our students actually know how to design, build and operate secure systems is a much tougher challenge. It\u2019s one that my colleagues and I at Monash University, and our counterparts at universities around Australia, are working hard on.<\/p>\n<h3>Is it enough?<\/h3>\n<p>The biggest cybersecurity threat to individuals remains the unauthorised use of their personal information to commit a variety of financial crimes. It is here that the Cyber Security Strategy seems to lack focus.<\/p>\n<p>Prevention is usually better than cure, and in the case of cybercrime committed across national boundaries, law enforcement is often ineffective. It will likely remain so, despite the worthy rhetoric in the strategy about international cooperation.<\/p>\n<p>Therefore, the primary defence we have is making sure the organisations that hold our personal data are taking sufficient measures to prevent cybercriminals from gaining access. Many of these organisations are in the private sector.<\/p>\n<p>But the government is relying on hints and a bit of assistance to get the private sector to improve its efforts in this area. This is perhaps unsurprising, given the antipathy to \u201cred tape\u201d of the current government.<\/p>\n<p>For example, when the strategy mentions raising the bar, it says:<\/p>\n<blockquote class=\"td_quote_box td_box_center\">\n<p>Self-regulation and a national set of simple, voluntary guidelines co-designed with the private sector will help organisations improve their cyber security resilience.<\/p>\n<\/blockquote>\n<p>One might have thought our largest businesses would already have the financial means to hire external consultants to assess their security strategies. But ASX 100 listed businesses are to be offered voluntary \u201chealth checks\u201d:<\/p>\n<blockquote class=\"td_quote_box td_box_center\">\n<p>The governance \u2018health checks\u2019 will enable boards and senior management to better understand their cyber security status and how they compare to similar organisations.<\/p>\n<\/blockquote>\n<p>As for small business, the strategy acknowledges they might not allocate enough resources to cybersecurity and they could become a \u201csoft underbelly or back door into connected organisations\u201d.<\/p>\n<p>To deal with that, the government plans to offer tests of what cybersecurity measures small businesses have in place by certified practitioners.<\/p>\n<h3>Flogging business with a wet lettuce leaf<\/h3>\n<p>But there\u2019s no shortage of information security guidelines available to organisations already. In far too many cases, what is lacking is the will to implement them.<\/p>\n<p>Unfortunately, in practice, the consequences for security breaches seem extraordinarily limited. The breaches of the Privacy Act to date result in financial penalties that are trivial for large organisations.<\/p>\n<p>For instance, Telstra was fined a grand total of $11,000 for a breach involving thousands of customers.<\/p>\n<p>Further, companies aren\u2019t even obligated to inform their customers of a breach, unlike in the United States and European Union.<\/p>\n<p>While all this has gone unmentioned in the strategy, the government has been working on a \u201cmandatory data breach\u201d notification law for some time. But it seems in no hurry to actually make it law.<\/p>\n<p>A <a href=\"https:\/\/www.ag.gov.au\/Consultations\/Pages\/serious-data-breach-notification.aspx\" target=\"_blank\" rel=\"noopener\">draft bill<\/a> was released for comment in late 2015. As of today it still hasn\u2019t been introduced into parliament, and the draft exempts organisations with annual turnover of less than A$3 million.<\/p>\n<p>Cybersecurity breaches in private sector companies sometimes do have negative consequences for those companies. But they also inflict significant and often larger consequences on the people whose personal data is stolen.<\/p>\n<p>And it\u2019s the role of governments to step in with some kind of regulation when an action creates significant negative impacts on citizens.<\/p>\n<p>But the current government seems to have decided that the costs to business of forcing them to take cybersecurity seriously outweigh the benefits.<\/p>\n<p><em>Robert Merkel is a lecturer in software engineering at Monash University.<\/em><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/counter.theconversation.edu.au\/content\/58206\/count.gif\" alt=\"The Conversation\" width=\"1\" height=\"1\" \/><\/p>\n<p><em>This article was originally published on <a href=\"http:\/\/theconversation.com\" target=\"_blank\" rel=\"noopener\">The Conversation<\/a>. Read the <a href=\"https:\/\/theconversation.com\/individuals-not-the-priority-in-the-cyber-security-strategy-58206\" target=\"_blank\" rel=\"noopener\">original article<\/a>.<\/em><\/p>\n<p><em>Follow StartupSmart on <a href=\"https:\/\/www.facebook.com\/StartUpSmart\/\" target=\"_blank\" rel=\"noopener\">Facebook<\/a>,\u00a0<a href=\"https:\/\/twitter.com\/StartupSmartnow\" target=\"_blank\" rel=\"noopener\">Twitter<\/a>,<a href=\"https:\/\/www.linkedin.com\/company\/startupsmart\" target=\"_blank\" rel=\"noopener\">LinkedIn<\/a>\u00a0and\u00a0<a href=\"https:\/\/soundcloud.com\/startupsmart\" target=\"_blank\" rel=\"noopener\">SoundCloud<\/a>.<\/em><\/p>\n","protected":false},"excerpt":{"rendered":"<p>By\u00a0Robert Merkel The Cyber Security Strategy announced\u00a0by Prime Minister Malcolm Turnbull clearly places a high priority on protecting Australian government<\/p>\n","protected":false},"author":2,"featured_media":61949,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"_links":{"self":[{"href":"https:\/\/www.startupsmart.com.au\/wp-json\/wp\/v2\/posts\/37308"}],"collection":[{"href":"https:\/\/www.startupsmart.com.au\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.startupsmart.com.au\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.startupsmart.com.au\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.startupsmart.com.au\/wp-json\/wp\/v2\/comments?post=37308"}],"version-history":[{"count":0,"href":"https:\/\/www.startupsmart.com.au\/wp-json\/wp\/v2\/posts\/37308\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.startupsmart.com.au\/wp-json\/wp\/v2\/media\/61949"}],"wp:attachment":[{"href":"https:\/\/www.startupsmart.com.au\/wp-json\/wp\/v2\/media?parent=37308"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.startupsmart.com.au\/wp-json\/wp\/v2\/categories?post=37308"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.startupsmart.com.au\/wp-json\/wp\/v2\/tags?post=37308"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}