When the Prime Minister of Australia Tony Abbott musters the nation’s very top business leaders to an urgent round table summit on tackling cyber security, it’s usually a fair bet that some sort of statement, action plan or communique will emerge to show progress.
Or maybe not.
After a meeting that is understood to have included Business Council of Australia head Jennifer Westacott, Australian Securities Exchange chief executive Elmer Funke Kupper, Telstra’s chairwoman Catherine Livingstone and Commonwealth Bank chief information officer David Whiteing (to name a few) it now appears the government is, for the time being, leaving it to the business community to spell out the national game plan on its plans to tackle Team Australia’s online enemies.
Held on Wednesday in Sydney and — according to the Department of Prime Minister and Cabinet (PM&C) — hosted by the BCA, what had been anticipated to be a major update on the progress of the top level cyber security review now appears to be staying behind closed doors for the time being.
According to PM&C, the latest event focussed on “the importance of leadership” and how “cyber security is an issue for executives and Boards, not just an IT issue for technical experts”.
“The Summit also discussed some of the ideas for practical improvement to Australia’s cyber security. This included the Government and businesses working together to improve cyber threat sharing, address Australia’s cyber security skills shortages and increase opportunities for Australia’s businesses online, including growing Australia’s cyber security industry,” PM&C said, rather conspicuously lacking a direct quote from Mr Abbott.
The big question that many in business and government are now asking is whether the report from the Cyber Security Review announced in November 2014 by Mr Abbott is running significantly late, given it was slated to take just six months.
Mandated to “explore how industry and the government can work together to make our online systems more resilient against attacks” the key document is being assisted by an expert panel that includes the BCA’s Ms Westacott, John Stewart Cisco Systems’ Chief Security and Trust Officer in the United States, Telstra’s Chief Information Security Officer Mike Burgess, and Dr Tobias Feakin, the Director of the International Cyber Policy Centre at the Australian Strategic Policy Institute.
Heading the review is the former director of the United Kingdom’s Government Communications Headquarters (GCHQ) Sir Iain Lobban KCMG CB.
One issue that surfaced almost immediately after the Cyber Security Review’s announcement was that many in the technology industry and some in parts of government held private concerns that the latest probe initially appeared to focus largely on physical network dynamics rather than vulnerabilities in software and applications where many successful attacks find an entry point.
Also adding complexity is the rise of highly effective online recruitment techniques by terrorist organisations including ISIS that are being used successfully not just to attract foreign fighters from Australia to go overseas, but to radicalise and motivate onshore sympathisers to commit violent acts and atrocities here.
The successful exploitation of online channels and social media by groups like ISIS is has required substantial extra technology resources for security agencies authorities try to keep tabs on both the levels of influence of radicalised groups while keeping tabs on their activities overseas.
The 2015 Budget allocated $131 million to reimburse the telecommunications industry for metadata retention, a figure many in industry believe is only around half of what is needed.
That money was bookended by $22 million to counter extremist propaganda and online recruitment.
Not all parts of the business community are impressed by funding levels industry support for national security related cyber initiatives, especially the telecommunications sector which has warned extensively of the cost burdens associated with the retention of customer metadata.
Meanwhile, Australia’s biggest companies have become increasingly vocal about the need for a cohesive and effective national cyber strategy.
“Australia’s national cyber security strategy has not been updated since 2009, in an environment characterised by increased cyber threats and more sophisticated cyber-adversaries,” the CBA warned in its submission to the Financial Systems Inquiry in March 2014.
The same document recommended “an update of Australia’s cyber security strategy” and “reviewing the scope, breadth and distribution of Australian cyber security investment in the context of the critical role it plays in the Australian digital economy.”
The CBA has also called on the government to “formalise roles, responsibilities and protocols in the event of a cyber-crisis,” saying that “private sector owners of critical infrastructure will be responsible for defending their own systems in the first instance, until an attack exceeds the pre-defined levels or norms.”
As the wait for the government’s new Cyber Security Review drags on, the CBA on Wednesday lauded the personal attendance of Mr Abbott at the Cyber Summit and its collaborative approach with business. But the bank also made it clear there is an urgent need for real progress to be made.
“The Prime Minister’s attention to this issue highlights its national importance and we welcome the commitment to strengthening the partnership between Government and the private sector on cyber security,” CBA Group Executive of Enterprise Services and Chief Information Officer David Whiteing said.
“The summit addressed a number of important themes including improved sharing of information between public and private sector to improve cyber defences, increasing the number of cyber security professionals, and realising the economic opportunity presented by cyber security innovation.
“As more and more business is transacted online, cyber security will continue to be an issue of fundamental national importance. We look forward to continued progress and discussion on this vital issue across business, government, academia, and the broader population,” Mr Whiteing said.
Comment below to have your say on this story.
If you have a news story or tip-off, get in touch at editorial@governmentnews.com.au.
Sign up to the Government News newsletter
>Cyber security is an issue for executives and Boards, not just an IT issue for technical experts
With all due respect, it’s disappointing to see a Cyber Security Review with *no* Cyber Security experts in the room. Even the CIO mentioned, David Whiteing, has no programming or software engineering experience.
I hope one of their action items from this meeting is:
– “include Cyber Security experts with real hands-on experience in programming.”