The Australian government is planning to invest AUS$230 million in a new cyber security strategy, but while the plan is ambitious in scope, its outline doesn't consider the full picture of how to thwart and prevent cyber attacks. First, here are the key details of Australia's plans, as reported by the Australian Broadcasting Corporation:

The five-tiered plan will: continue to build a national partnership between government and business; strengthen defences; appoint an ambassador to push for an open, free and secure internet; drive innovation through an industry-led growth centre; and raise awareness and develop centres of excellence.

Cyber security breaches are rarely confirmed by government but it is understood there is an active debate over whether to change that approach, as there is an increasing call for businesses to be more transparent about attacks on their systems.

In a clear sign there has been a change of thinking under Malcolm Turnbull, the Commonwealth has let it be known the capacity to attack is part of its array of defences.

Buried on page 21 of the Cyber Security Strategy Mr Turnbull launched today is: "Australia's defensive and offensive cyber capabilities enable us to deter and respond to the threat of cyber attack."

It is the first time the Government has made the admission and the ABC has been told it is a reflection of Mr Turnbull's deep interest in the cyber strategy and that he is trying to break down the risk-averse attitude of the bureaucracy.

Australian authorities also confirmed reports that the government's Meteorology Bureau, which is linked with the country's defense department, suffered a serious, system-wide cyber attack last year. The government rarely confirms whether cyber attacks have taken place, but the ABC reports there are discussions around adopting a more transparent policy, given pressure on businesses to alert the public to attacks that affect their own systems.

Analysis: Australia's Cyber Security Plans Should Take a Broader View of the Problem

"It's a relatively strong investment by the Australian government and further proof that it is taking a genuine interest in safeguarding the digital economy," says Constellation Research VP and principal analyst Steve Wilson. "My main reservation about the announcements is they focus on the quasi military. Attack and counter-attack are the more sensational aspects of cyber security. We saw the same sort of focus last year at President Obama's cyber security summit, where the emphasis was mostly on intelligence sharing. That's important but it's only a minor part of the problem."

"What is the main problem? It's twofold, and interrelated: Complexity and the precarious state of software," Wilson adds. "We have too much spaghetti code, written or maintained too hastily, and mistakes are becoming catastrophic." Just look at the Heartbleed and Goto Fail bugs, to name but two, Wilson notes.

"And we have systems that are too complex and fragile to be safely operated by humans," Wilson adds. In recent years, Australia has suffered a number of high-profile, embarrassing and dangerous instances of this type of human failure. In one case, government staff unwittingly clicked Reply All and disclosed passport details of visiting VIPs.

Hyper-connected, always-on systems that hold massive amounts of personal data are disasters just waiting to happen, and the prescription is more rigorous archiving of rarely accessed information, Wilson says.

Make no mistake: Australia's announced plans are welcome, but more must be done, he adds.

"I just urge the cyber security leadership to balance their attack and counter attack activities with other research into software quality, software development practices, code validation and the like," Wilson says. "This research need not be at the fundamental level; I am not talking about Formal Methods and such rocket science, but more about development practices, meaningful review gates, timeline pressures, and attention to detail."
