Panel spotlights need to accelerate adoption of cyber security

Difficult to overstate the importance of securing Australia’s digital supply chains, says Telstra boss.

David Swan

4 min read

4:02PMJuly 21, 2020

Telstra CEO Andy Penn working from home in times of COVID-19. Picture: Aaron Francis

A cyber security industry panel chaired by Telstra boss Andy Penn has handed down 60 recommendations to government, as Australia continues to weather a sustained campaign of cyber attacks from a foreign nation state, presumed to be China.

Amid rising tensions with Beijing, and growing calls to ban Chinese government-linked apps including TikTok, the panel called for Australia’s digital supply chain to be better secured as a matter of urgency.

Huawei for example has been barred from building Australia‘s 5G network amid concerns the Chinese government could infiltrate the country’s telecommunications infrastructure, and the US and the UK have followed suit.

The panel said the first priority for government should be to work with industry to accelerate the adoption of cyber security standards in Australia.

“It is difficult to overstate the importance of securing Australia’s digital supply chains,” Telstra boss Andy Penn said.

“Government and industry need to work more closely together, and with their international peers, on standards, research and development, transparency, and assurance measures. It would be a costly mistake to ignore this problem.

“We are seeing increased levels of malicious cyber activity, both state-based and criminal. Successfully meeting this challenge requires upgrading Australia’s cyber defences to be strong, adaptive and built around a strategic framework that is co-ordinated, integrated and capable.”

The government is readying its four-year 2020 Cyber Security Strategy, and in late 2019 tasked the panel with providing key recommendations.

The panel called on the government to increase its transparency on investigative activity and more frequently attribute cyber attacks and consequences, following criticism that it often keeps sensitive threat information to itself.

“Improving situational awareness of cyber security threats to organisations of all kinds should be a national priority. There is clear appetite from industry for real-time sharing of threat information,” the panel said in its report.

“The panel was surprised to learn that technical limitations currently prevent the Australian Cyber Security Centre from meeting these requests. These limitations are surmountable and should be addressed as a priority.”

The panel said more awareness around cyber threats, by both business and individuals, is another crucial step in helping maintain Australia‘s cyber defences. The panel praised the recent press conference from Prime Minister Scott Morrison for helping draw attention to the ongoing cyber threats presented by other nation states.

Multiple messages

“Government awareness raising programs need to be dramatically scaled up to reach more Australians,” Vocus chairman and panel member Robert Mansfield said.

“Existing programs also need to be better co-ordinated so that Australians aren’t confused by multiple messages from different government departments.”

The panel called for the local technology industry to better ensure its digital products and services are secure in order to protect Australians from cyber danger, and that senior leaders in both private and public sector organisations should take ultimate accountability for cyber security risk.

“Within a company, cyber security is everyone’s job. The board must do their part in ensuring the cyber risk is managed just as it does with all other key corporate risks,” Tesla chair and panel board member Robyn Denholm said.

Tesla chair and panel board member Robyn Denholm. Picture: Bloomberg

The panel also wants increased funding to the Australian Cyber Security Centre, as well as the establishment of a national cyber security board in partnership with industry, states and territories.

“We know malicious cyber activity is hitting Australians hard. The tactics and techniques used by malicious cyber actors are evolving so quickly that individuals, businesses and critical infrastructure operators in Australia are not fully able to protect themselves and their assets against every cyber security threat,” the panel said in its report.

“As a result, it is recommended that the government should strengthen the incident response and victim support options already in place. This should include conducting cyber security exercises in partnership with the private sector.

“Speed is key when it comes to recovering from cyber incidents, it is therefore proposed that critical infrastructure operators should collaborate more closely to increase preparedness for major cyber incidents.”

The industry group chaired by Mr Penn includes Tesla chair Robyn Denholm, former US secretary of homeland security Kirstjen Nielsen, Vocus chair Robert Mansfield, NBN Co chief security officer Darren Kane and others.

The government is yet to respond to the recommendations.

Shane Bell, Partner at McGrathNicol Advisory, welcomed the report.

“The Panel’s recommendations demonstrate a significant evolution of thought from an Australian strategy perspective, particularly as it relates to mitigating the impact of cyberattacks, and capitalising on the work that has been done in the last couple of years to educate businesses and society about cyber,” he said.

“The recommendations in the report strongly align to what we’ve been seeing with our clients in the last 12 months. In the last three months, the majority of incidences we have seen have involved attackers specifically targeting commercial or personal information, with business disruption being the secondary objective and consequence.

“This changed priority is reflected in the Panel’s recommendations and what Australian cyber experts are seeking to protect through the new strategy.”

Minister for Home Affairs Peter Dutton thanked the panel in a statement.

“Feedback from business, the community and the Industry Advisory Panel will inform the development of the 2020 Cyber Security Strategy,” he said.

“The government will carefully consider the report’s recommendations before releasing the 2020 Cyber Security Strategy in the coming months. The Panel has played a key advisory role for Government, meeting 13 times since established in November 2019.

“There is no doubt the cyber threat landscape is evolving and it’s more critical than ever that government, business and the broader community work together to protect Australian’s online.”