Published on 09/04/2024 | Written by Heather Wright
Australia’s cybersec boss outlines the six shields to protect…
Australia’s threat environment has undergone significant change since the launch, just five months ago, of the country’s Cybersecurity Strategy, with ‘a major step change in the environment’ according to Australia’s National Cyber Security Coordinator.
Hamish Hansford, the deputy secretary of Cyber and Infrastructure Security at the Department of Home Affairs and Australia’s National Cyber Security Coordinator, recently outlined how his team plans to counter the constantly changing threat environment and make Australia a global leader in cybersecurity by 2030 – with a little help from Australian businesses and citizens.
“We have regulations in place that aren’t consistent and there isn’t a single place to report.”
Australia launched its latest Cybersecurity Strategy in November, with six different ‘shields’, providing a layered approach to protect the country and help businesses manage their cyber environments safely.
The strategy is driven by the Australian government’s ambitious goal to become ‘a global leader in cybersecurity by 2030’ – a timeframe Hansford says is ‘not that long’ to achieve the goal.
“We were struck by the challenge: What are the best things the government can do to try and make us that leader by 2030, but equally to try and poke different areas [into action]?”
Hansford says the China-sponsored Volt Typhoon cyber operation of February 2024, which targeted critical infrastructure, has been a major step change for the threat environment in the months since the release of the Cybersecurity Strategy.
The Australian Signals Directorate and the New Zealand National Cyber Security Centre were among the global agencies that issued a joint advisory on Volt Typhoon activity, providing guidance for network defenders, including threat hunters, to mitigate identified gaps and to detect and hunt for ‘living off the land’ activity.
The FBI called Volt Typhoon, which was designed not to steal secrets but to ‘pre-position’ for future acts of sabotage, ‘the defining threat of our generation’.
“We have to think about what that might mean for Australia,” Hansford says.
The Cybersecurity Strategy’s six shields – business and community; safe technology; world-class threat sharing and blocking; protected critical infrastructure; sovereign capabilities; and resilient region and global leadership – each provide an additional layer of defence.
A year’s consultation resulted in 333 submissions which Hansford describes as ‘the most articulate submissions we have ever seen’.
Among the key ambitions in the first layer of business and community is a goal to have a ‘harmonised set of laws’ and single reporting place for cyber incidents.
“One of the key things we heard from business is that we have regulations in place that aren’t consistent and there isn’t a single place to report.
“Our ambition is by 2030 we have a harmonised set of laws where people can report once to multiple regulators and the first stage of that is to [have] regulations that apply across the economy at the Commonwealth level. Then we are going to build on it year by year.”
Aligned with that is the creation of a cyber incident review board, which builds transparency into cybersecurity and provides ‘no fault’ reporting to give a better understanding of the root cause of cyber incidents.
Hansford says collaboration and co-design will underpin all the changes.
A cross-industry Executive Cyber Council has been established to provide leadership across sectors. Its 20 members include industry bodies such as the Australian Banking Association and Australian Chamber of Commerce and Industry, as well as companies such as Coles, Linfox, Qantas, Telstra and Toll, along with tech providers.
“The worst case scenario is the government comes up with an idea and consults industry. We wanted to turn that on its head by having the best case scenario,” Hansford says of the creation of the council.
“We are actually co-designing problem sets and using the power of the Executive Cyber Council to try and respond to what is a pretty dynamic environment.”
The strategy also sees a firm focus on safer technologies with an aim of regulating ‘at the highest level possible so you’re not creating a burden on the economy’.
Hansford called out IoT as one area of concern, saying work is being done to create ‘baseline fundamental’ technology standards.
The third shield, threat sharing and blocking, will see interventions around funding for areas of the economy that are less mature, such as the health sector, Hansford says. Machine-to-machine sharing of information across the economy will also be a focus, with the ASD’s cyber threat intelligence sharing platform at its heart and a federated set of information-sharing arrangements, particularly between sector groups for industry sharing, though human curation will still be needed.
He says a program focused on health care and sharing of information will be made public ‘in the coming months’.
Telcos and banks will also be a focus under shield three, as part of plans to improve threat blocking, particularly with a view to taking some of the volumetric phishing scams out of action.
Critical infrastructure and government – which he says are ‘inextricably entwined’ via their supply chains – will also be a ‘defining feature’ of work for the next couple of years.
“The big challenge for government is how do we start to be exemplars and how do we actually use our processes to try and get that investment in place?”
Critical infrastructure was a focus of the previous Cybersecurity Strategy, and Hansford says the rollout of the program for the sector is ‘not fundamentally changing’ but is being expanded on.
Expanding sovereign capabilities is another focus area.
Hansford says industry feedback also saw a call for an ‘ethical framework’ for the cybersecurity sector, particularly for incident response firms.
“Our market intervention there is how do we create a framework to make sure there are ethical standards for the cybersecurity industry, how do we think about the standards that exist, the accreditation that exists – not trying to duplicate anything but actually creating much more understanding about what types of standards there are out there in the economy, because there are a lot.”
Creating coherence around the sector and ‘trying to work out how we prod and poke for all the skills the industry and government’ need in cybersecurity professionals will be key, he says – and a key problem set for the Executive Cyber Council, which is tasked with helping to address skills shortages.
The final shield provides an international component to the strategy, including the recent creation of a cyber team to help Pacific Island neighbours during cyber incidents.
Hansford called on security teams and organisations to get ‘craftier’ in the way they think about cybersecurity investment and not to be afraid to be ruthless and simplify if they have too many systems to manage.
“That is going to be a huge challenge for us all to get our minds around and how we influence, how we think about digital investment in the future. Not just prioritising customer interface, but thinking about security by design is going to be a challenge for us and something I’d encourage everyone to work on,” he says, adding that he too would commit to doing just that at Home Affairs.