This is part of a major series called Advancing Australia, in which leading academics examine the key issues facing Australia in the lead-up to the 2019 federal election and beyond. Read the other pieces in the series here.
When it comes to data security, there is an inherent tension between safety and privacy. The government’s job is to balance these priorities with laws that will keep Australians safe, improve the economy and protect personal data from unwarranted surveillance.
This is a delicate line to walk. Recent debate has revolved around whether technology companies should be required to help law enforcement agencies gain access to the encrypted messages of suspected criminals.
While this is undoubtedly an important issue, the enacted legislation – the Telecommunications and Other Legislation Amendment (Assistance and Access) Act – fails on both fronts. Not only is it unlikely to stop criminals, it could make personal communications between everyday people less secure.
Rather than focus on the passage of high-profile legislation that clearly portrays a misunderstanding of the technology in question, the government would do better to invest in a comprehensive cyber security strategy that will actually have an impact.
Achieving the goals set out in the strategy we already have would be a good place to start.
Poor progress on cyber security
The Turnbull government launched Australia’s first Cyber Security Strategy in April 2016. It promised to dramatically improve the online safety of all Australian families and businesses.
In 2017, the government released the first annual update to report on how well it was doing. On the surface some progress had been made, but a lot of items were incomplete – and the promised linkages to businesses and the community were not working well.
Unfortunately, there was never a second update. Prime ministers were toppled, cabinets were reshuffled and it appears the Morrison government lost interest in truly protecting Australians.
So, where did it all go wrong?
A steady erosion of privacy
Few Australians paid much notice when vested interests hijacked technology law reforms. The amendment of the Copyright Act in 2015 forced internet service providers (ISPs) to block access to sites containing pirated content. Movie studios now had their own version of China’s “Great Firewall” to block and control internet content in Australia.
In 2017, the government implemented its data retention laws, which effectively enabled specific government agencies to spy on law-abiding citizens. The digital trail (metadata) people left through phone calls, SMS messages, emails and internet activity was retained by telecommunications carriers and made accessible to law enforcement.
The public was assured only limited agencies would have access to the data to hunt for terrorists. In 2018, we learned that many more agencies were accessing the data than originally promised.
Enter the Assistance and Access legislation. Australia’s technology sector strongly objected to the bill, but the Morrison government’s consultation process was a whitewash. The government ignored advice on the damage the legislation would do to the developing cyber sector outlined in the Cyber Security Strategy – the very sector the Turnbull government had been counting on to help rebuild the economy in this hyper-connected digital world.
While the government focuses on the hunt for terrorists, it neglects the thousands of Australians who fall victim each year to international cybercrime syndicates and foreign governments.
Australians lose money to cybercrime via scam emails and phone calls designed to harvest passwords, banking credentials and other personal information. Losses from some categories of cybercrime have increased by more than 70% in the last 12 months. The impact of cybercrime on Australian business and individuals is estimated at $7 billion a year.
So, where should government focus its attention?
Seven actions that would make Australia safer
If the next government is serious about protecting Australian businesses and families, here are seven concrete actions it should take immediately upon taking office.
1. Review the Cyber Security Strategy
Work with industry associations, the business and financial sectors, telecommunication providers, cyber startups, state government agencies and all levels of the education sector to develop a plan to protect Australians and businesses. The plan must be comprehensive, collaborative and, most importantly, inclusive. It should be adopted at the federal level and by states and territories.
2. Make Australians a harder target for cybercriminals
The United Kingdom’s National Cyber Security Centre is implementing technical and process controls that help people in the UK fight cybercrime in smart, innovative ways. The UK’s Active Cyber Defence program uses top-secret intelligence to prevent cyber attacks and to detect and block malicious email campaigns used by scammers. It also investigates how people actually use technology, with the aim of implementing behavioural change programs to improve public safety.
3. Create a community education campaign
A comprehensive community education program would improve online behaviours and make businesses and families safer. We had the iconic Slip! Slop! Slap! campaign from 1981 to help reduce skin cancer through community education. Where is the equivalent campaign for cyber safety to nudge behavioural change in the community at all levels from kids through to adults?
4. Improve cyber safety education in schools
Build digital literacy into education from primary through to tertiary level so that young Australians understand the consequences of their online behaviours. For example, they should know the risks of sharing personal details and nude selfies online.
5. Streamline industry certifications
Encourage the adoption of existing industry certifications, and stop special interest groups from introducing more. There are already more than 100 industry certifications. Minimum standards for government staff should be defined, including for managers, technologists and software developers.
The United States Defence Department introduced minimum industry certification for people in government who handle data. The Australian government should do the same by picking a number of vendor-agnostic certifications as mandatory in each job category.
6. Work with small and medium businesses
The existing cyber strategy doesn’t do enough to engage with the business sector. Small and medium businesses form a critical part of the larger business supply-chain ecosystem, so the ramifications of a breach could be far-reaching.
The Australian Signals Directorate recommends businesses follow “The Essential Eight” – a list of strategies businesses can adopt to reduce their risk of cyber attack. This is good advice, but it doesn’t address the human side of exploitation, called social engineering, which tricks people into disclosing passwords that protect sensitive or confidential information.
7. Focus on health, legal and tertiary education sectors
The health, legal and tertiary education sectors have a low level of cyber maturity. These are among the top four sectors reporting breaches, according to the Office of the Australian Information Commissioner.
While health sector breaches could lead to personal harm and blackmail, breaches in the legal sector could result in the disclosure of time-sensitive business transactions and personal details. And the tertiary education sector – a powerhouse of intellectual research – is ripe for foreign governments to steal the knowledge underpinning Australia’s future technologies.
A single person doing the wrong thing and making a mistake can cause a major security breach. More than 900,000 people are employed in the Australian health and welfare sector, and the chance of one of these people making a mistake is unfortunately very high.
Authors: Damien Manuel, Director, Centre for Cyber Security Research & Innovation (CSRI), Deakin University