The public and private sectors need to work together to improve cyber resilience through sharing insights, intelligence, expertise, facilities, and personnel.
The latest political spill in the Australian Government has had an unanticipated impact on the nation’s cyber security strategy. New Prime Minister, Scott Morrison, has dropped the role of Minister for Cybersecurity that was created under the 2016 national cyber security strategy. Instead, the Minister for Home Affairs, Peter Dutton, will oversee Australia’s cyber security.
This comes weeks after former Minister of Cyber Security, Angus Taylor, called for a revitalised agenda for the national strategy for cyber security that is characterised by an “economy wide” view and a “defence in depth” approach.
If this national strategy is going to meet its objectives, it is crucial the new-look government facilitates purposeful, effective, and meaningful collaboration between public and private organisations to achieve aligned outcomes and takes a “no industry left behind” approach.
The latest report from the Office of the Australian Information Commissioner confirms the need for such an approach, with health, legal, finance and education sectors all significantly impacted by data breaches this year.
Intersections between public and private required for change
Forward-thinking organisations realise that there’s no one resource or organisation that can solely mitigate the risks posed by cyber threats. The public and private sectors need to work together to improve cyber resilience through sharing insights, intelligence, expertise, facilities, and personnel.
To protect nationally critical assets and infrastructure, a collaborative approach will ensure organisations are able to manage cyber risks with a cross-industry perspective while remaining focused on what is relevant to them, as opposed to the siloed approach that has been the norm.
For the national strategy to achieve its goals, guidelines, standards, frameworks, infrastructure, personnel, and an effective operating model for public-private cooperation should be put in place. These form the foundation for ensuring that efforts to combat and respond to cyber threats are coordinated, informed and effective.
Key to the success of collaboration efforts is the government’s role in establishing an environment that steers participants towards shared goals while retaining accountability, oversight, governance and ownership of major activities and outcomes.
Policymakers and private sector sharing a national responsibility
Initiatives such as the government-funded Joint Cyber Security Centres in Sydney, Perth, Brisbane, Melbourne, and shortly in Adelaide, which facilitate partnerships between more than 150 organisations across the private and public sectors, are good examples of how the government is currently helping to facilitate a collaborative approach. So too is the Cyber Security Cooperative Research Centre, to which the government provided another $56 million in addition to the $84.4 million worth of contributions made by 25 industry, state government, university and research participants.
At state level, the NSW Government is bringing major universities together to boost cyber security research and development, the Queensland Government has appointed a strategic advisor to assist the local defence sector in developing cyber security projects, and the South Australian Government has developed a three-year security crackdown focused on tougher screening and training processes for bureaucrats.
While targeted, discrete initiatives are useful, government departments must continue to increase inter-agency collaboration, information sharing, and alignment of standards, capabilities and outcomes at and across local, state and federal lines. Otherwise, we risk missing opportunities to use and share existing capabilities, and to learn from the vast amount of experience that already exists across agencies. Such collaboration helps to ensure best practices are adopted on a wider scale – not just in isolation.
The private sector’s role in all this must not be forgotten. Without active participation and a willingness to contribute in a meaningful way to the national strategy and the government’s efforts, the private sector cannot expect to achieve outcomes that are mutually beneficial.
Barriers to effective collaboration
The private sector typically prioritises the use of its resources for activities that contribute to business and revenue targets. But cyber threats are a societal problem that affects us all. As such, it is important that organisations in the private sector actively seek a balance that allows for the sharing of capabilities and resources that will contribute to the collective cyber defensive capabilities of the nation.
One only has to look at the $29 billion per year that Australian businesses could lose at the hands of cybersecurity incidents to see the value in sharing capabilities, as the end result of doing so is to mitigate the threats that cause such losses.
Collaboration in cyber security has some additional challenges that need to be acknowledged before we can really solve the issue.
A soon-to-be-released study conducted by McAfee found the main barriers to collaborating effectively include: lack of trust, lack of leadership, privacy concerns, protection of intellectual property, agreeing on roles and responsibilities, having too many parties involved, lack of standards or guidelines, and selecting the right partners to collaborate with.
Working towards being better together
Acknowledging that the barriers outlined exist gives us a starting point to work from. What is clear is that collaboration, while easy to talk about, poses several challenges that we need to overcome before we can solve the problem holistically. Doing so requires that some traditional ways of doing things change. For example, we need to go from a protectionist culture in some areas to being comfortable sharing information that may once have been deemed proprietary.
Finally, we need to ensure that “no industry gets left behind”. Some organisations within particular industries may be more susceptible to compromise because of their risk profile, yet lack the cybersecurity budgets to combat cyber threats in a way that is aligned with their risk tolerance. But we’re all in it together. The public and private sectors must work collaboratively to ensure the ecosystem as a whole is as cyber resilient as we can make it.
Ian Yip is chief technology officer, Asia Pacific with McAfee.