Australia to build six 'cyber shields' to defend its shores
Local corporate regulator warns boards that cyber is totally a directorial duty
Australia will build "six cyber shields around our nation" declared home affairs minister Clare O'Neill yesterday, as part of a national cyber security strategy.
Detailed in a speech before a summit on cyber security, the strategy's six "shields" comprise:
- Education so that businesses and citizens are informed about the threats they face online, how to defend their interests, and the support available after incidents;
- Safe technology, as defined by "clear global standards for digital safety in products that will help us drive the development of security into those products from their very inception." The minister's goal is that "just as you can't go into a car yard and buy a car that will not be safe to use, when you buy a digital product on sale in our country we know that it's safe for you to use";
- Threat-sharing and threat-blocking, so that "threat intelligence can be exchanged between government and business at real-time machine speed and then threats blocked before they cause any harm to the Australian population";
- Critical infrastructure protection, largely through improvement to government digital defenses;
- Sovereign infosec capability, in the form of a "thriving cyber ecosystem where we have the skills we need, where cyber security is a really desirable profession for young people around the country and that we are making sure that we have the system that's adaptable in itself";
- Coordinated global action "and pushing for a more resilient region," by increasing engagement and partnerships to improve security. Assisting Australia's neighbors to improve their security is part of this agenda.
All of the above is scheduled to be in place by 2030, when O'Neill expects Australia to lead the world in all things cyber.
O'Neill wasn't the only senior Australian leader speechifying on Monday. Joe Longo, chair of corporate regulator the Australian Securities and Investments Commission (ASIC), warned the nation's boards to get serious about infosec.
"Cyber security and resilience are not merely technical matters on the fringes of directors' duties," he argued. "ASIC expects directors to ensure their organization's risk management framework adequately addresses cyber security risk, and that controls are implemented to protect key assets and enhance cyber resilience."
Then came the warning: "Failing to do so could mean failing to meet your regulatory obligations."
That's a serious sentence. Failure to carry out directors' duties in Australia can leave board members liable for losses, or subject to civil or even criminal penalties.
Longo advised directors to "never make the mistake of subscribing – consciously or unconsciously – to the 'vaccination theory of cyber security.'"
"This is the belief that you've done everything you need to do, and you don't need to worry anymore. That just isn't true. It's not enough to sign a contract with a third-party supplier – you need to take an active approach to managing supply chain and vendor risk. Setting it and forgetting it, does not, cannot, and will not work," he opined.
He also called for boards and directors to develop crisis plans to communicate with customers, regulators, and the market when things go wrong – plus a "clear and comprehensive response and recovery plan."
"It's worth highlighting that any incident response plan, if it is to be truly comprehensive, must include third-party suppliers and vendors," he added, and called for the same inclusive approach to incident response testing so that all participants are drilled in advance. The chair also noted that "nobody guards what they don't have," and cited data from an ASIC survey that found almost half of respondents "indicated they don't identify critical information and business critical systems."
"Just as any country preparing against potential invasion must identify key strategic resources to be protected, so too an organization must identify the most critical information it holds so it can prioritize its protection."
Doing so is "even more essential if a third party is managing critical systems or holding information," he concluded. ®