Published on the 04/12/2019 | Written by Heather Wright
Australia calls for greater govt involvement in cybersecurity, NZ govt cops another big data breach…
While a number of Australian organisations weigh in on what government involvement is needed in cybersecurity, New Zealand’s government has been left red-faced after another data breach – this one exposing the details of firearms owners.
The Kiwi breach saw data on the site established for the government firearms buyback scheme exposed. Contact details, firearm details and bank account information for more than 37,000 gun owners were compromised in the breach.
The site was shut down after the breach was revealed by the Council of Licenced Firearms Owners.
The breach has been blamed on an unauthorised update by SAP, which claims only 66 gun dealers would have been able to access gun owners’ details.
Meanwhile, across the Tasman, a number of the country’s big name organisations are calling for the government to step up facilitation of cyber security development and information sharing.
Deloitte Australia, ANZ and Queensland University are among the organisations calling on the government to help with improved sharing of threat intelligence, with calls for the reinstatement of a Minister for Cyber Security also featuring highly.
The calls come in submissions to the 2020 Cyber Security Strategy. More than 210 submissions were received in response to the discussion paper, including one from Telstra which includes the suggestion that a ground-up national stocktake, covering end users, small businesses and large companies, is required.
Telstra is also among the companies urging greater information sharing.
“Challenges continue to face operational information sharing in Australia, due to a reliance on individual relationship-based sharing rather than more resilient operationalised arrangements,” the telco says.
ANZ bank says government could play a greater role in facilitating threat intelligence sharing between and within industry sectors ‘in a manner that allows rapid ingestion and automated response’.
The bank, which says it receives ‘far more information from the international Financial Services Information Sharing and Analysis Centre than it does from any Australian intelligence sharing arrangements’, suggests the development of a secure threat intelligence sharing platform, potentially learning from international examples such as EUROPOL.
“We need to create an environment that not only supports high standards of cyber security, but also encourages an organisation to share intelligence on compromises or ‘near-misses’ it has suffered without undue fear of criticism and scrutiny,” notes the Commonwealth Bank of Australia in its submission.
“This would remove barriers to effective intelligence sharing and align to the global shift in understanding that even a well defended organisation can suffer a cyber attack, and should be measured against how quickly and transparently it responds.”
PwC, Deakin University, The Australian Industry Group and Peter Coroneos, international vice president of the Cybersecurity and Cybercrime Advisors Network (CyAN), meanwhile, are among those calling for the reinstatement of a Minister of Cyber Security.
The Australian Industry Group says the role is ‘critical’ in addressing issues including confusion around the roles of multiple government agencies involved in cyber security ‘in some shape or form’ and limited awareness of the government’s role.
“This type of minister should be reinstated that can take a holistic view, have full responsibility for managing cybersecurity policy and can operate across relevant departments,” the industry group says.
Coroneos says the role would ‘send a strong signal to business and the public that the issues our members contend with on a daily basis are receiving the focus and attention they deserve’.
Australia briefly had a dedicated ministerial role for cyber security before a reshuffle in 2018 saw the role abolished after less than a year.
Microsoft, in its submission, suggests five critical functions – policy and planning, outreach and partnership, communications, operations and regulatory – should be spread across the Australian Cyber Security Centre, DHA and Department of Foreign Affairs and Trade.
Swinburne University of Technology, meanwhile, says the government needs to be focusing on ‘novel predictive methods based on the analysis of very large amounts of data to yield predictive countermeasures and conducing prediction’.
“Research and innovation in the area of using data-driven methodologies to detect and prevent cyber threats should be supported and promoted,” the university says. It’s also calling for greater university involvement to ensure research-informed policy and practice – and better aligned education and training.