Australia’s cybersecurity has never been more important to our economic prosperity and national security.
At the same time, there are more cyber criminals and they are better resourced, and state actors have become more sophisticated and emboldened. Australia has been fortunate to avoid a catastrophic national cybersecurity incident so far, but the threat to essential services, the economy and potentially even human life remains very real.
Real threats need real action. Some 65% of Australian businesses have been interrupted by a security breach in the past year, with half of these costing between $1 million and $4.9 million. It’s particularly difficult for small and medium businesses to know how to defend against insidious threats like ransomware. Indeed, we know that around half of Australian victims pay the ransom, desperate to get their livelihoods back.
The 2017 ‘WannaCry’ ransomware attack severely impacted the UK National Health Service and many other global organisations. In 2018, the ‘NotPetya’ malware spread from Ukraine to the Cadbury factory in Tasmania.
Online data breaches are now so common that many in our community treat them as a non-event. But one of the consequences of those data breaches is identity crime, which has impacted one in four of us. The clean-up is usually messy and traumatic, with most identity crime victims reporting a psychological impact.
We cannot be blind to the hostile forces intent on using technological change to exploit our businesses, vulnerable community members and our children, and ultimately undermine our way of life.
It’s time to stop, step back and look at this problem with fresh eyes.
Our landmark cybersecurity strategy in 2016 invested $230 million to foster a safer internet for all Australians. But as the cyber threat evolves, so must we. As a nation and a community, we’re less prepared than we need to be. That is why the government has committed to delivering a new cybersecurity strategy in 2020.
Government doesn’t have all the answers. The complex, intertwined digital world means we need the whole community to provide their views. So we put out a nationwide call for views through a discussion paper, and the responses have overwhelmingly been clear, consistent and compelling.
Your calls for action have been heard. You’ve asked for more leadership from government.
We need to start by looking at roles and responsibilities, such as the role that balanced regulation and standards can play in improving the baseline cybersecurity of systems that are most critical to the economy and community. Equally, the many views on improving information sharing, supporting small and medium businesses at scale, changing behaviour through awareness, and recognising the importance of cybersecurity skills will shape the new strategy.
The formal call for submissions might have closed, but the conversation is really just beginning.
Cybersecurity has been, and will always be, a collective responsibility between governments, industry and the community. And we need to make sure there aren’t gaps or barriers stopping us from working together—legal, technical or otherwise.
Unlike the transport, water and power sectors, the internet is fundamentally shaped by the private sector—not governments. The private sector provides most digital services and holds most of the data.
Government’s limited role online means more responsibility for cybersecurity is borne by the private sector. Many digital providers are doing the right thing, and I’ve seen countless examples of Australian businesses addressing the threat in innovative and creative ways. The next generation of technological solutions is being developed by Australia’s world-class cyber industry.
However, when the risk isn’t managed appropriately, everyone pays—businesses, governments and the community. Right now we’re paying too much, and we’re too vulnerable.
Too often ordinary Australians are expected to be their own cyber experts. In addition, the private sector is left to defend our most vital systems from the highest-end threats by itself. In many cases, government wouldn’t know if industry was under attack until after the fact. How many of us are comfortable with this status quo?
While cyberattacks are automated, most of our defences are human. We’re fighting a 21st-century problem with a 20th-century mindset.
The way the internet has evolved makes it difficult to tackle cybercrime: anonymity is easy and effective, Australian Federal Police investigations often hit dead ends in international safe havens, and hacking tools are cheap and widely available on the dark web.
The internet has made our lives richer and easier, and businesses more efficient. Australians don’t want to turn back the clock. However, they have a right to expect a level of cybersecurity that gives them confidence online.
We’ve solved problems like this many times before. Australians trust the cars they drive, the water they drink and the medicines they consume. This is because everyone involved in providing these goods and services is accountable for managing risk and consumers understand what they need to do. It’s a national priority that we get to the same mature state in the digital world and make necessary changes to protect all Australians—particularly the most vulnerable.