“The question is how open a government can be about cyber security without causing further damage and without hanging out all the government’s crown jewels,” he told The Australian Financial Review.
The comments come after Prime Minister Malcolm Turnbull gave Australia’s cyber security arsenal a $230 million leg up on Thursday, pledging to make Australia a world leader in the field. In his speech at the announcement of the strategy the Prime Minister confirmed that the Bureau of Meteorology had been the victim of a cyber attack last year, and commended Kmart Australia for being open about its own data breach.
IMPOSING COSTS ON PERPETRATORS
“Only by acknowledging, explaining and analysing the problem can we hope to impose costs on perpetrators and empower our private citizens and government agencies and businesses to take effective security measures,” Mr Turnbull said.
Cyber security leaders commended the Prime Minister on lifting the veil on the BoM attack, with MailGuard chief executive Craig McDonald saying the acknowledgement of such attacks was long overdue. “Businesses are reluctant to talk about their experience with cyber security incidents. In 2014, 693,053 Australian businesses experienced a cyber crime but only 11,703 reported a cyber incident,” he said.
“It’s long overdue that the Government and the business community acknowledge the extent of what is a rapidly escalating problem.”
Big business and cyber security firms broadly applauded the Prime Minister’s suite of policies, believing it represented an appropriate level of investment in the issue and supported the emphasis on collaboration between industry and government.
Initiatives to be implemented under the cyber security strategy include free cyber security health checks for ASX100 companies, while 5000 small businesses will be able to have their cyber defenses tested by practitioners.
The government has also pledged to establish Joint Cyber Threat Centres to enable organisations to share sensitive information and work with industry to co-design a model for Academic Centres of Cyber Security Excellence in universities.
“There are some very good initiatives there and I’m looking forward to seeing more detail on some of these items so we can fully understand how they will come together,” said Chris Gatford, director of cyber security testing consultant HackLabs.
But experts said for the strategies to be effective, continued investment in education and policies to attract more talent would be crucial.
PwC cyber partner Richard Bergman said Australia was not producing enough cyber security graduates to fill the number of jobs the industry would have.
“It’s not just because the government is increasing numbers. We’re going from 100 people to 300-400 in our team alone,” he said.
“The investments the government is also making in STEM skills are crucial.”
Commonwealth Bank chief information security and trust officer, Ben Heyes, agreed, saying the government would likely have to look at introducing visas to attract overseas talent.
The government also acknowledged openly for the first time that it had cyber security offensive tactics, as well as defensive skills, and that this admission was necessary to deter future attacks.
Former CIA chief technology officer Bob Flores, now a partner in US-based cybersecurity firm Cognitio, said hackers’ ability to shut down key infrastructure facilities such as water and electricity posed a real threat and could cause civil unrest affecting millions of people.
“Think about having no electricity to cook or have lights for a couple of days. Now shut off the water,” he said. “After a while there would be real panic that could affect millions.”
But IBRS cyber security advisor James Turner said no one should be surprised that Australia has its own offensive capabilities.
“We need the ability to protect ourselves. I don’t think anyone is surprised by that,” he said. “The Snowden leaks revealed the Five Eyes have had a very advanced capability for some time.”