Nick Lennon is the ANZ Country Manager at Mimecast, having joined in 2007 as a Channel Sales manager. As a leader in management excellence, Nick has personally grown the local team from five members to over 100 since Mimecast’s introduction to the ANZ market. Nick maintains a passionate focus on achieving rapid local business growth, understanding evolving challenges across all verticals and ensuring customers get the best service driven by Mimecast’s strong culture.
Australia’s cybersecurity: The $1.67 billion dollar question
In July 2021, the Five Eyes, EU and NATO nations issued an unprecedented joint statement on cybersecurity.
Explicitly naming China as a state actor for the first time, they described an environment in which state-sponsored cyberattacks have gone beyond espionage and theft of commercial information to theft for the financial gain of individuals. Effectively, state actors and cybercriminals have joined forces to undermine our national security, intellectual property and economy – while holding individuals and businesses at ransom or perpetrating financial fraud.
So how can we protect our national interests in this extraordinary state of international affairs? Here’s a brief overview of the Australian Government’s cybersecurity strategy to date, with policy initiatives we can expect in the near future.
Leading from the top
In 2016, for the first time since 2009, the Federal Government issued a comprehensive new Cyber Security Strategy (CSS). Its key initiatives were:
A National Cyber Partnership, calling for governments, business and the research community to collaborate on advancing cybersecurity – as well as better understanding the costs of malicious cyber activity.
A Cyber Smart Nation policy to increase cybersecurity education and address significant skills shortages in both government and business.
International engagement through Global Responsibility and Influence – with the appointment of a cybersecurity ambassador to work with other governments to “actively promote an open, free and secure cyberspace”.
The $230 million investment included establishment of an Australian Cyber Security Centre (ACSC), along with Joint Cyber Security Centres (JCSCs) to engage state governments and industry.
The newest CSS, the 2020 Cyber Security Strategy, has significantly upped the ante, with $1.67 billion spending pledged over 10 years. This includes development of a Cyber and Critical Technology International Engagement Strategy.
Ground-level programs are now seen as essential – something we at Mimecast have long recognised and supported with our cybersecurity training programs. Initiatives to better inform and educate smaller businesses, sole traders and consumers to combat cyber threats include $58 million in engagement and $12 million to extend the 24/7 cyber security helpdesk.
Up the food chain, the ACSC will receive $66.5 million to assist Australia’s major critical infrastructure providers in assessing their networks for vulnerabilities and enhancing their security posture. A $62.3 million investment in national situational awareness capability will better enable the ACSC to understand and respond to cyber threats on a national scale.
New blood in cybercrime prevention
In recent years, the efforts of our national security authorities and the Australian Federal Police have increasingly focused on cybercrime and international cyber threats. The 2020 CSS acknowledges this with $165 million budgeted for strengthening Australia’s counter-cybercrime capability.
But perhaps the greatest indication of this transition from offline to online is the background of ASIO’s new Director-General. After 20 years in the Australian Signals Directorate, including its top post, Mike Burgess has a strong technology background. His business credentials are also impeccable – including a stint as CISO at Telstra and independent cybersecurity consulting work.
Since his appointment in 2019, Mr Burgess has taken a leading role in Australia’s cybersecurity debate – speaking publicly and issuing regular statements. He has stated his intention to make ASIO more open and transparent – a far cry from previous ASIO chiefs, many of whose identities were never revealed!
Placing responsibility where it belongs
Calling out state actors in the cybersecurity war is all part of warning the business community of its need for a strong security posture, and collaborative programs are ‘carrots’ to persuade appropriate vigilance. However, there’s also a need for some ‘sticks’. This might come as a relief to CSOs and security professionals who need to constantly lobby boards for investment in cybersecurity tools and resources.
In 2018 the Notifiable Data Breach Scheme put the onus on businesses and government agencies alike to report the loss or unauthorised disclosure of personal information, however it occurs. While this is partly to protect the individuals concerned, it also acts as a strong deterrent. No business wants to be a ‘statistic’ in the Office of the Australian Information Commissioner’s biannual reports or join the list of cyber victims online.
The responsibility on company directors for cybersecurity is likely to be further beefed up in 2021. According to paragraph 36 of the CSS 2020, “The Australian Government will also work with businesses to consider legislative changes that set a minimum cybersecurity baseline across the economy. This consultation will consider multiple reform options, including … duties for company directors and other business entities.”
Currently, the 15% of ASX 200 companies regulated by APRA have obligations for implementing controls to protect information assets – with their company boards, senior management and governing bodies held personally responsible. Industry commentators are now flagging the possibility that the Corporations Act will be amended to extend this to all public companies.
This would have significant follow-on effects on private companies doing business with public ones. It will also change the conversation around cybersecurity accountability. Back in the 1980s, it was said, “no-one ever got fired for buying IBM”. Well, in the 2020s leaders can and will get fired, fined and/or struck off for inadequate investment in cybersecurity.
Government itself will also need to lift its game, otherwise industry will remain sceptical. In June 2021 the Australian National Audit Office (ANAO) reported that only one of 18 major departments met the Essential Eight baseline cybersecurity strategies and was addressing its own vulnerabilities. A case of people in glass houses throwing stones? Government leaders need to practise what they preach and lead by example if they want the private and commercial sector to follow suit.
As I wrote in an earlier piece, What CEOs need to know about data sovereignty and data security, cybersecurity is not just the IT department’s responsibility; it’s an executive responsibility calling for proactive, informed leaders with skin in the game.