The Cyber Security Strategy is only a small step in the right direction

Prime Minister Malcolm Turnbull today released the government’s Cyber Security Strategy. A total of A$230 million will be spent over the next four years to “enhance Australia’s cyber security capability and deliver new initiatives”.

The initiatives generally involve improving Australia’s general awareness and capabilities to defend against cybersecurity attacks, and potentially launch its own cyberattacks.

More specifically, they involve partnering with the private sector in setting the “strategic agenda through annual Cyber Security meetings”.

This partnership will extend to participation in the Australian Cyber Security Centre, which will be moved to a new facility. It will also involve sharing more information between security agencies and the private sector.

There will be increased funding of research into the economic costs of cyberattacks in order to allow organisations to manage investment in cybersecurity defences.

The Computer Emergency Response Team (CERT) will be bolstered, along with extra funding for the Australian Signals Directorate (ASD), Australian Crime Commission (ACC) and Australian Federal Police (AFP) for increased expertise and improved ability to detect and defend against cybersecurity vulnerabilities.

Another element of the strategy is to expand Australia’s ability to grow its own cybersecurity industry through increased funding for research and development in this area. A Cyber Security Growth Centre will be established to add to the existing Industry Growth Centres.

Data61 will receive more funding to focus on cybersecurity innovation, and universities will also receive funding for training, research and education of undergraduate and postgraduates in the area of cybersecurity.

Reading between the lines

Although this new investment in cybersecurity will be generally welcomed, there are already questions about whether it is going to be enough to do the job.

The US this year announced a US$5 billion increase in funding for cybersecurity to US$19 billion, and the UK last year pledged £1.9 billion to the same cause.

Another question in response to the strategy is what exactly is meant by championing an “open, free and secure internet”. The definition of “open and free” likely depends on your particular point of view.

The government’s strategy calls for an “Australian Cyber Ambassador” to lead national efforts to ensure the internet is free from censorship, but also to support privacy and the rule of law.

But would upholding privacy extend to stopping the government from surveillance activities on its own citizens? Clearly, this would be at odds with the government’s metadata retention legislation.

“Open and free” may also not extend to any radical changes in the application of shutting down access to pirate sites distributing illegal or pirated content.

Safe havens

Another interesting question is what’s meant by the desire to shut down cyber criminal “safe havens”.

The report mentions that attacks often originate from overseas, but it is not clear how a country would go about shutting down attacks originating from China, for example.

One intriguing possibility is that an anonymised network like Tor could potentially be shut down. Tor has long been recognised as a haven for cybercriminals and, increasingly, the starting point for cyberattacks.

Security researchers have already stepped up calls for businesses to block Tor traffic as a protective measure.

The cybersecurity strategy also hints at the fact that Australia has, or is in the process of developing, a cyber offensive capability. This is the first time this capability has been publicly alluded to.

The increased focus on cybersecurity is a much needed initiative. The threat of cyberattacks affects individuals and organisations alike. And, like other threats to our environment, if left unchecked, they could significantly hinder society’s ability to function normally and to continue growing.

Our reliance on technology is now a given and cybersecurity is as important a consideration as protecting our health, food and water sources and general environment. From that perspective, the cybersecurity strategy is a welcome but very small step in the right direction.