Tuesday’s industry advisory panel input into Australia’s long overdue 2020 Cyber Security Strategy is a grab-bag of ideas, but what jumps out at your correspondent is its support for active cyber defence (ACD).
ACD has been at the centre of the UK government’s cyber defences since 2016. It aims to raise the cost and risk of mounting commodity cyber attacks while reducing the return on investment for criminals.
The National Cyber Security Centre (NCSC) has deployed anti-spam defences across the .gov.uk domains and is monitoring internet routing to stop DDoS attacks and route hijacks.
It’s been remarkably transparent about its progress, and it’s also led to some big wins.
While the NCSC is concerned primarily with government networks, telcos and private-sector organisations are able to plug in.
The UK’s program is “a best practice model for Australia to emulate”, according to Australia’s cyber industry advisory panel.
“The panel strongly supports the increased use of threat blocking for low-sophistication threats,” they wrote.
“Support for blocking threats at scale was the highest among those on the front lines of the battle against cybercrime — particularly financial institutions.”
Telstra’s Cleaner Pipes initiative, which uses DNS filtering to block malware communications across the telco’s network, was cited as an ACD program that could be implemented by industry.
What’s needed from the government, the panel said, was “funding support and legislative certainty where required”.
The Australian Strategic Policy Institute (ASPI) echoed these thoughts on Thursday in a report on ACD, titled Clean Pipes.
“The key advantage of Clean Pipes is that it brings advanced scalable protection to an ISP’s entire customer base, which is particularly important to that majority of customers who don’t have the skills and resources to provide for their own security,” ASPI wrote.
“ISP-level protections could be particularly useful in mitigating the risk from poorly secured IoT [internet of things] devices.”
ASPI says that “government leadership or direction” would probably be needed to change the status quo, however.
“A significant concern may be the controversies over privacy, censorship, and surveillance that have accompanied previous internet initiatives, such as an internet filter proposed in 2012,” they wrote, as well as the metadata retention legislation and Access and Assistance Act.
ASPI says these risks could be mitigated with “a clear focus on threat filtering, with a clear and explicit goal of protecting internet users”; government leadership, but not government implementation; transparency; and opt-out provisions.
Actions should also focus “exclusively on cybersecurity threats rather than falling into mission creep” of addressing online harms, which is already being tackled through other programs.
One example, they said, is child exploitation, which is already handled by the e-Safety Commissioner.
ACD is also a key part of Labor’s cybersecurity discussion paper, released in May. Once more, the UK’s program was cited as the model to emulate.
Money is nice but commitment and cooperation are needed too
In the wake of last month’s declaration that Australia was under cyber attack from an unnamed state actor, Prime Minister Scott Morrison announced a AU$1.35 billion investment in the nation’s cyber defences over the next 10 years.
The Cyber Enhanced Situational Awareness and Response (CESAR) package includes around AU$12 million for “new strategic mitigations and active disruption options”. Clearly that’s an ACD program.
But will the government back up these words with action?
The industry advisory panel wants better cooperation from the government, especially “increasing operational-level cooperation with states, territories, and international partners leveraging the Australian Cyber Security Centre [ACSC] and Joint Cyber Security Centres [JCSCs]”.
Indeed, the JCSCs copped a blast once you translate it from the diplomatic language of such reports.
“Interim industry steering committees are still operating three years after the program began, which is contributing to uncertainty in strategic direction,” the panel wrote.
“As a first priority, the government should finalise governance arrangements, maintaining a role for industry leadership.”
Yes, some governance would be nice. Decoded, that also means industry would like someone to figure out what the JCSCs are actually meant to do.
“Priority should be given to improving operational capability and delivering services,” the panel wrote.
“This will provide a stronger basis for practical collaboration with industry and will reduce the current reliance on collaboration through events.”
The panel also called for “automated, real-time, and bi-directional threat sharing mechanisms between industry and government, beginning with critical infrastructure sectors”.
Of course, calls for more cooperation from the government are a perennial feature of Australia’s cyber landscape.
Can the government actually deliver on active cyber defence?
Your correspondent sees two potential roadblocks to a successful national ACD program: priority and leadership.
The ACSC is part of the Australian Signals Directorate, which reports to the Minister for Defence, but cybersecurity policy is managed by the Department of Home Affairs.
So far, Home Affairs has not been a paragon of punctuality.
The last progress report on the 2016 Cyber Security Strategy was in 2017, back when Malcolm Turnbull was still prime minister.
At the time, ASPI was scathing, saying the strategy had been swamped by reality, although there have been successes such as Australia’s cyber diplomacy efforts and the creation of the industry promotion body AustCyber.
The government’s intention to update the strategy was finally announced in September 2019 with a planned completion date of April 2020. But with the industry advisory panel’s report only appearing this week, we’re still waiting.
Sure, the government has been busy with fires, floods, and a global pandemic, but Home Affairs has been a relatively minor player in all of that. Enthusiasm for the cybers has simply been lost somewhere in the sprawling mega-department.
Nor do the cybers seem to figure prominently in the thinking of Home Affairs Minister Peter Dutton. Nor does he give the impression that he would rise to the challenge of mastering the complexities of managing the cyber realm.
Peter Dutton is not the cyber leader we’re looking for.
Tardiness has been observed elsewhere in cyber bureaucracy by Jason Duerden, managing director of BlackBerry Spark ANZ.
The government has been “showing signs” of moving towards a cyber risk mitigation framework, he says, but only signs.
“The appetite is there for rapid change and rapid adoption of new approaches to risk management in cyber, however, appetite is not always coupled with the structure for implementation,” Duerden said.
“We have seen examples of a minimum six-month lead time for an agency to follow process to be able to assess risk, culturally review the advantages of using Australian cloud technology, evaluate the market, and finally get through strict government procurement rules to deployment,” he said.
“The reality is that the cybersecurity landscape can evolve exponentially in a period of six months. Confining agencies to a list of checkbox compliance items is also a huge challenge in effectively addressing cyber risk.”
Finally, it’s worth noting that AU$12 million over 10 years equates to maybe three or four executives or network engineers plus on-costs, and it’s across three federal election cycles. It’s a token commitment at best.