Australian Cyber Security Strategy 2020 – legislation looms
The new Australian Cyber Security Strategy 2020 lays down some interesting plans for the coming years relating to how the Federal Government will enhance its own cyber capability, while introducing legislation that affects all companies.
Where the $1.67 billion will go
The government commits to spending $1.67 billion over the next 10 years, which includes improvements in the defences of critical infrastructure, based on a set of obligations to be imposed on owners and operators. The majority of the government’s investment will bolster the cyber resources in the Australian Cyber Security Centre (ACSC), with additional staff to be hired in the Australian Federal Police, the Australian Signals Directorate and a strengthening of the capabilities at each of the Joint Cyber Security Centres (JCSCs).
New powers will also be introduced through legislative changes, affording new ways for law enforcement to investigate and shut down cybercrime – including ways of tackling encrypted network services, such as those making up the infrastructure the dark web runs on (like TOR).
New legislation – Business must prioritise cyber security
The Australian Government has made it clear that its investment is inwardly focused, while businesses will be expected to pick up the tab for meeting new legislation that requires them to embed adequate security in products and services. This approach will certainly lead to a new focus on cyber security controls within organisations, especially where they operate in the context of critical infrastructure and systems of national significance.
Focus on Critical Infrastructure
The strategy document itself does not define ‘systems of national significance’; the consultation paper published shortly after the strategy details the extent of the anticipated legislation changes. Even the definition of critical infrastructure may come as a surprise to some vendors and service providers. Protecting Critical Infrastructure and Systems of National Significance (published in August 2020) labels the following sectors as Critical Infrastructure: banking and finance, communications, data and cloud, defence industry, education, research & innovation, energy, food and grocery, health, space, transport, water.
Critical Infrastructure sectors as defined in the Australian Cyber Security Strategy 2020
Clearly the consultation paper is the beginning of this process and the legislation changes may be some way off, so organisations have time to prepare to meet these new obligations when the laws come into effect. It’s time to prioritise cyber security as a core tenet of doing business, whether as an owner or operator of critical infrastructure, or as a vendor or service provider working in that sector. Security now needs to be considered in every aspect of your business, both within your organisation itself and within the products and services supplied to customers. Even if your organisation is not directly working in Critical Infrastructure, if you are somewhere in the supply chain you may fall under the new legislation, so it’s worth planning to uplift your cyber security to meet these new demands.
For businesses not working in Critical Infrastructure, the government expects them to adhere to its voluntary Code of Practice: Securing the Internet of Things for Consumers, which contains 13 principles that manufacturers should adopt in their production of goods and services.
If adoption of this voluntary Code of Practice isn’t as widespread as the government hopes then, as the strategy states:
If voluntary advice and guidance like the Code of Practice is not enough to drive change, then additional steps may need to be considered.
This means that if we, as an economy as a whole, don’t step up and start taking cyber security seriously, harsher legislative changes may force, rather than encourage, organisations to include security in their products and services.
Next steps for Business
Introducing rigour in cyber security, especially if it’s not something your organisation has considered before, can be daunting. To assist organisations, the ACSC has released guidance aimed at helping to improve cyber security posture through the introduction of eight relatively straightforward technical controls. This guidance is known as the Essential Eight: Strategies to Mitigate Cyber Security Incidents and offers a prioritised list of security controls that help protect against a broad range of cyberattacks.
Each of these controls (shown in Figure 1) can be customised to fit in with your specific risk profile, and implementation can be tailored based on protecting your most valuable systems and data.
Figure 1 Eight simple controls organisations can adopt to boost their security posture
Ongoing measurement of security control effectiveness
One of the most common issues faced by organisations when first adopting the Essential Eight comes about twelve months after the implementation project completes. A recommendation, when adopting any compliance framework, is that it is periodically reviewed to ensure it remains effective.
Unlike process assurance, such as that under the ISO 9001 standard for quality management, security controls can quickly be rendered ineffective by changes to technical components within your organisation or by vulnerabilities that your technical support team has not discovered.
Essential Eight compliance measurement
Huntsman Security encountered this issue when working with government customers trying to develop cyber maturity against the Essential Eight. In response to this, two products were created to provide real-time Essential Eight compliance measurement (no more waiting for the annual audit to show a weakness) – the Essential 8 Scorecard and Essential 8 Auditor.
Essential 8 Scorecard
The Essential 8 Scorecard enables vendors and service providers to continuously measure security control efficacy. The product provides an objective, ongoing, quantitative measure of security control performance, which means that security managers and IT support teams can quickly detect and respond to issues adversely affecting their security posture.
Essential 8 Auditor
The Essential 8 Auditor offers an immediate, point-in-time way of assessing security control effectiveness against the Essential Eight. An added bonus is that it doesn’t need to be deployed into your environment; rather, it works to extract the evidence needed for the audit and exports results for remote analysis.
The Essential 8 Auditor’s Security Control Performance Summary is shown in Figure 2.
Figure 2 Essential 8 Auditor – Dashboard showing Security Control Performance Summary
Build your cyber resilience for future success
The Australian Government’s Cyber Security Strategy 2020 poses a number of questions that remain unanswered. However, one thing is clear: the Government intends to spend a large sum of money on itself, while reforms within our legislative framework will require businesses to uplift their security posture and bolster the cyber security controls built into their products and services.
Changes are coming; our recommendation is that you get ahead of the game by planning and investing in building a security roadmap that helps you comply with legislation when it is enforced.