Cyber security threats ‘need very real action’ following overhaul
With cyber crime reports on the rise, the Labor government has revealed an overhaul of the previous cyber security strategy, focusing on increased education and tougher penalties.
Home Affairs Minister and Minister for Cyber Security Clare O’Neil has ordered her department to “recast the cyber security strategy”, which was rushed out during the COVID-19 pandemic by former prime minister Scott Morrison in mid-2020.
In the last financial year, the Australian Cyber Security Centre (ACSC) received more than 67,500 cyber crime reports, which equates to one incident every eight minutes, from governments, large companies, critical infrastructure operators, small businesses, families and individuals.
As reported by The Australian, Ms O’Neil outlined that the new strategy will be designed to focus on building closer links with Quad partners, the US, Japan and India, to accelerate the shift from reliance on China for critical technologies, amid concerns about Beijing’s global supply chain dominance.
“It will be grounded in sovereign capability, with a plan for the future workforce and growth of the cyber security sector, including Australian cyber SMEs.
“It will build resiliency, with real engagement and industry alliances to deal with cyber shocks in an assured, not anxious way,” Ms O’Neil said.
“It will be truly strategic, in how it contributes to Australia’s economic growth and as part of our national security posture, including securing supply chains.”
Following the announcement, Lawyers Weekly spoke to three partners and picked their brains on the new strategy. Jason Symons, cyber risk and insurance partner at Mills Oakley, said that the “elevation of cyber security in ministerial government is a huge positive”.
“It is going to be very interesting though to see whether Labor’s new strategy is an ‘overhaul’ of the 2020 strategy or ‘builds on’ the measures of the strategy,” he said.
“Minister O’Neil refers to it as a ‘recast’, so the detail will be key (as always). I am also very hopeful that the new strategy will include strategies that encourage more young Australians to enter the cyber workforce and the reskilling of mature-aged workers. Greater cyber education and training opportunities cannot come soon enough.”
The new strategy should be welcomed for a number of reasons, said Lander & Rogers partner Melissa Tan, as it recognises that cyber risks have no geographical boundaries and that an effective response requires international co-operation with Australia’s allies.
“This is in contrast to the 2020 strategy, which had a more inward-looking focus of increasing funding to the Australian Signals Directorate and the Department of Defence to identify cyber threats, disrupt foreign cyber criminals and increase partnerships with industry and other governments within Australia.
“The 2020 strategy was primarily focussed on Australia’s offensive and defensive strategy, including improving intelligence and law enforcement agency powers and capabilities. However, stronger enforcement powers and intelligence-sharing only form part of an effective national cybersecurity strategy. Governmental support to build sovereign capability and to support the growth of Australia’s cybersecurity sector is also critical if Australia is to innovate and lead in the cybersecurity space globally. A thriving local cybersecurity industry is critical to the economic future and resilience of Australia,” she said.
“The Labor government’s focus on rapidly growing the cyber workforce on all fronts — reskilling mature-aged workers, educating children in cybersecurity across all school ages, and improving pathways for young Australians to enter the cyber workforce — is an important strategy to ensure that Australia’s cyber resilience is sustainable and able to continue into the future.”
Telstra chief executive and government cyber security adviser Andy Penn made a statement to the press on the matter on Tuesday (23 August), saying that in the last 12 months alone, Telstra had blocked more than 1 billion “malicious” emails and 200 million scam calls, in addition to blocking 1,500 malicious and scam texts every minute.
“The bottom line is, that at exactly the time we’ve become more dependent than ever on doing things digitally — and that dynamic is only going to increase — the platforms and digital infrastructure on which we rely are at the most risk. At risk [from] cyber threat, at risk from our ability to access critical technologies where the supply chain has become a geopolitical dynamic and at risk from bifurcating technology standards that will threaten the interoperability of technologies that today we just take for granted,” he said.
“Over the last 12 months the global cyber threat environment has intensified significantly — and make no mistake, Australia is an attractive target for malicious actors and cyber criminals. New technologies and the move to more time online have created more opportunities for cyber criminals to do us harm. It also created an increase in the attack surface for them to target.”
These cyber threats are present in a number of areas; ransomware attacks on businesses were up 45 per cent in 2021 on the previous year — and in 2020, more than $18 billion was made in ransomware payments. Despite this, only a third of data stolen in ransomware attacks is ever recovered.
“These are very real threats and, of course, they need very real action. And the environment therefore underscores the work that has been done under the 2020 Australian cybersecurity strategy to date,” Mr Penn added.
“Since its launch in 2020, the cybersecurity strategy has established a solid framework and progress has been made in a number of areas, including establishing cybersecurity minimum standards and new information sharing obligations for operators of critical infrastructure; in enhancing incident response procedures across governments; in developing the Cyber Enhanced Situational Awareness and Response package to support the activities of the Australian Signals Directorate and their cyber capabilities.”
Cameron Whittfield, partner at Herbert Smith Freehills, said that as the cyber landscape continues to move at an accelerating pace, “a strategy refresh is entirely appropriate” and referenced Mr Penn’s recent address.
“The pace needs to remain high and lawyers have to remain very agile as we advise in this space. With the appointment of a dedicated minister, it is clear that confronting the cyber threat will be a government priority and through various statements from the minister last week, and the address by Andy Penn at the Press Club, we are starting to see some of the themes. We can certainly expect a focus on sovereign capability and skills uplift,” he said.
“Mr Penn also called out the need for government itself to be a cyber role model in its own operations, emphasised the need for industry engagement as the regulatory regime is developed and called on the need to meaningfully assess our current maturity (critical if we are to make informed investment decisions). He also noted the need to better threat sharing arrangements. Importantly, he called out the adequacy of current legislation and the need to ensure we have a ‘best practice’ legislative regime in place.”
Announced in the March budget for the Australian Signals Directorate and the ACSC, the Morrison government’s $9.9 billion package was aimed at responding to rising cyber attacks emanating from China, Russia, eastern Europe, Iran and North Korea.
Based on Labor’s election policies, the new cyber security strategy will also focus on tougher penalties for cyber criminals and protecting Australians from scams and online fraud. A UK-style national anti-scam centre is also set to be established to bolster national defences by bringing together security agencies, banks, telecommunications providers and consumer advocates.
“The focus on tougher penalties for cyber criminals and protecting Australians from scam and online fraud is a clear recognition by the government that one of the most widespread types of cybercrime facing Australians currently is online fraud and scams, and that more needs to be done to assist the victims of scams and better protect consumers and businesses online,” Ms Tan explained.
“With cyber threats constantly evolving, cybersecurity requires constant improvement in approaches and solutions. This overhaul of the national cybersecurity strategy following the change in government is no surprise. Lawyers advising clients on cyber issues and strategies will need to constantly be at the forefront of government policy changes and regulatory changes in relation to cybersecurity, and maintain a level of flexibility.”
However, Mr Symons expressed doubt that the tougher penalties will carry any weight, although he said the renewed strategy still reflects an overall increased focus on cyber security.
“I am not convinced that tougher penalties for cyber criminals and online fraudsters will have any real ‘teeth’. My understanding is that the NSW and Federal Police cannot keep up with the volume of cyber crime to ever be able to investigate and prosecute cyber criminals to an extent that would detract future crime. I strongly believe that cyber criminals should be prosecuted like ‘normal’ criminals. But the difficulty involved is an inescapable reality. Much more targeted police funding is necessary, but that is more a state government issue,” he said.
“I believe overall the renewed strategy will reflect the rapidly increasing focus of government on cyber security. The Turnbull government brought it into the light, the Morrison government took it up a level, and now the Albanese government wants to cement its importance.
“What I am telling clients about the announcement at the moment is that it emphasises that cyber risk and cyber resilience must be on the board’s agenda. The government is increasingly recognising its importance, and we will keep them informed of how the renewed strategy may impact them.”
And moving forward, Mr Whittfield said lawyers working in this space need to stay abreast of the changes in order to properly advise clients.
“Too much of my day is spent helping clients understand and navigate the legislative complexity when the focus should be on cyber resilience, uplift and awareness. I believe this is where lawyers are going to be able to add the most value, moving beyond ‘compliance’ to a role where we provide more strategic input. We are often at the coalface of any attack or threat … so we have the ability to see trends early.
“Reform does not mean we need more laws, in fact, I hope the government looks to simplify current laws and provide more guidance on how businesses, government and the community can uplift cyber awareness and resilience,” he said.
“Bottom line, there is a clear urgency to further develop our cyber strategy. Time is of the essence. Our cyber threats (and adversaries) are moving at pace. While the time frame remains unclear, we need clarity on government direction and priorities as soon as possible.”
Lauren Croft