Team Australia approach needed to win the cyber war

Aidan Tudehope

This article appeared in the Canberra Times on 20 November 2023.

The Albanese Government has just released its much-anticipated Australian Cyber Security Strategy 2023-30 (the Strategy), a new national roadmap to put Australia on a path to becoming the most cyber secure nation in the world.

In the Strategy, the Government lays out its ‘Six Cyber Shields’ designed to uplift Australia’s cyber security posture right across our society. One of the shields focuses on greater collaboration and intelligence sharing between government and industry. Having been an industry partner to many government agencies at both federal and state levels for nearly two decades, this is how I believe industry and government can work together to help achieve the goals laid out in the Strategy.

As it stands, the majority of collaboration between government, industry and intelligence happens within what I would term the regulatory compliance vertical, owing to the legal ramifications organisations can face when cyber events happen.

However, what we need is much greater collaboration between intelligence operators within both government and enterprises – typically CISOs, CIOs and CTOs – and their counterparts in the Australian Signals Directorate (ASD).

The ASD paints a picture for the nation on the current threat environment and how cybercriminals are trying to exploit Australian people and businesses. Because that picture is ever changing, it’s vital to have open and consistent communications between organisational intelligence providers and the ASD so our Federal Government can accurately advise Australia’s businesses and institutions in near real time, helping thwart cyberattacks before they can cause real harm.

Consistent, quality intelligence sharing is central to helping the ASD offensively attack and disrupt cybercriminals, an ability it is planning to uplift as it doubles its size and triples its capabilities as part of the REDSPICE program.

One Strategy to rule them all.

To ensure greater collaboration, and for the Strategy to be successful, it needs to become the pre-eminent Strategy to which people, industry, and governments (including relevant legislative and policy regimes) align.

The current legislative landscape concerning cyber security and privacy has evolved considerably in recent years, in the process becoming fragmented across the Commonwealth, states and territories.

Therefore, the Strategy must establish cyber security as a unifying nationwide endeavour, led by the Federal Government as the exemplar, but delivered in synchronicity with all tiers of government, the private sector, and the wider economy.

This won’t come without friction as it means making other tiers of government – including the States, many of which have their cyber security strategies – subordinate to the national strategy. But this is a nationwide pursuit that requires a nationwide approach to succeed.

What this means in practice is a major uplift of the cyber aware culture across Australian organisations, particularly among Australia’s small and medium-sized enterprises (SMEs). Many SMEs will require support, even if only for cyber training and awareness, to reach higher levels of cyber maturity.

Currently, SMEs – companies under $3M revenue – are exempt from Australian privacy laws and many data protection, deletion, and governance requirements to which larger organisations are subject.

But SMEs make up about 95 per cent of all organisations in Australia, and many are part of Government and critical infrastructure supply chains, sharing data and digitally interacting with organisations crucial to Australia’s economy and national resilience.

Organisations which have an immature understanding of cyber and privacy measures – of which there are many as highlighted in ASIC’s recent cyber pulse report – could be inadvertently creating risk for other, potentially more critical organisations For SMEs which fall into this category, the Government could consider additional, targeted support to help them meet the expectations of the Strategy.

There are other initiatives and frameworks in place that could provide the seeds for this great national cyber uplift. For instance, the Essential Eight (E8) framework features different maturity levels organisations can adhere to and mature through over time. Federal Government agencies are mandated to meet maturity level Two, and many other governments and organisations see the framework as a North Star to direct their level of security.

Meanwhile, the Security of Critical Infrastructure (SOCI) Act is having a positive effect on organisations from 11 sectors including communications, data storage and processing, defence, energy, and space, bolstering their cyber security capabilities. The intent of the SOCI legislation is to mitigate cyberattacks so as to protect the nation from the potentially devastating consequences such attacks could have on the critical infrastructure and systems of national significance these sectors represent.

To achieve the goal of being the world’s most secure nation by 2030, and to build even beyond that – cyber threats aren’t static, after all – the Strategy’s rollout must focus on uplifting everyone.

Doing so will see the collaboration we need become part and parcel of our cyber ecosystem and have the added effect of raising the cybersecurity awareness and literacy of every single Australian resident and organisation. We’ll know the enemy better and be more confident in confronting it.

Aidan Tudehope is Managing Director for Macquarie Government and co-founder of Macquarie Technology Group (ASX:MAQ).