Australia’s cybersecurity environment is changing rapidly. The federal government’s Cyber Security Strategy 2020 and updates to legislation are beginning to be implemented, but even so, the pace of change is slow.
The cyber threat environment is evolving at breakneck speed, with some experts noting that cyberattacks on small, medium and large Australian businesses can cost the economy up to $29bn per year, or 1.9 per cent of Australia’s GDP.
While we are seeing significant increases in cybersecurity investment from state governments, their initiatives need to continue to grow and accelerate. The unfortunate truth is that, at both the federal and state level, the government is still under-prepared when it comes to cybersecurity policy and securing critical infrastructure.
While policies like the federal government’s Essential Eight are vital, implementation of these policies is far from uniform. In June 2021, the Australian National Audit Office (ANAO) reported that only one of 18 major departments met the Essential Eight baseline cybersecurity strategies and was addressing its own vulnerabilities.
How Australian states are taking action on infrastructure
The top five sectors to report ransomware incidents to the ACSC in 2019-20 were health, state and territory government agencies, education and research, transport, and retail. The federal government has proposed new laws to harden Australia’s critical infrastructure, such as the Security Legislation Amendment (Critical Infrastructure) Bill 2020.
Under these proposed rules, government departments — and the growing list of sectors deemed ‘critical national infrastructure’ — will be required to scrutinise supply partners and their security protocols. Garrett O'Hara and Jay Hira explore the critical infrastructure bill and its implications in more detail in episode #67 of the Get Cyber Resilient Show podcast, so do give it a listen.
Following in the federal government’s footsteps, state governments are already enacting their own cyber initiatives for infrastructure. The Victorian government, for example, has earmarked more than $300 million in its 2021-22 state budget to improve digital services, uplift cybersecurity and modernise core systems.
And as part of its 2021-22 State Budget, the NSW Government increased the budget of its Digital Restart Fund to $2.1 billion, setting aside funds for cybersecurity projects across the Departments of the Premier and Cabinet, Police, Transport for NSW, and the Ministry of Health, among others.
But given the scale of the cyber risks to infrastructure, cybersecurity budgets are slim. Lack of resources is still a major hurdle to overcome, especially at the local government level. Many municipalities still use outdated technology and have few security measures in place. Not every government body is equipped to suddenly transition to new cybersecurity standards, and the longer the delays, the greater the risk to the communities they serve.
Data sharing is the first step towards infrastructure resilience
The national cabinet has recently signed off on an intergovernmental agreement committing all states and territories to share data between jurisdictions by default. Following the agreement, digital ministers from the Commonwealth, NSW, Victoria, South Australia and ACT governments have agreed to data sharing initiatives across initial priority areas. At this stage, the three initial priority data sharing areas are natural hazards and emergency management, waste management, and road safety.
By agreeing to data sharing in principle, we can expect some standardisation of data management practices and cybersecurity across different states soon, especially in terms of infrastructure security.
Every state needs to prioritise infrastructure resilience
Closer cooperation between states is essential if we want to harden Australia’s infrastructure against cyber threats. State governments cannot afford to look at cybersecurity in isolation. Given the interdependencies involved in any critical infrastructure, a single point of vulnerability, in any state, can quickly cascade throughout the network and create a national crisis, just as we saw in the U.S. Colonial Pipeline incident.
As I discussed in my earlier piece on the $1.67 billion dollar question of Australia’s cybersecurity, infrastructure resilience is a leadership policy issue as much as it is a technical one. More than ever, we need state and federal leaders to enforce baseline cybersecurity standards across the board. It is the only way we can ensure our critical infrastructure stays resilient in the face of global-level cyber threats.