It’s fair to say that, for the past couple of years, we have seen regular changes to cybersecurity policy across most Western governments. The United States has been exceptionally proactive, spurred on by the fallout of large-scale cyber incidents like the SolarWinds supply chain attack and the disruptive Colonial Pipeline cyberattack. And on our own soil, we’ve seen Optus and Medibank as examples of where software security issues can cause chaos. While these examples represent the extreme end of successful exploitation, they are symptomatic of a long-standing global disregard for preventative cybersecurity measures.
The United States Cybersecurity and Infrastructure Security Agency (CISA) has led the charge in offering guidelines to assist governments and enterprises in fortifying their digital assets and infrastructure against determined threat actors, most recently in the form of its Secure-by-Design and -Default guidelines. While not enforceable outside US government departments at this stage, it is a transformative set of recommendations that seeks to place responsibility for security best practices back onto software vendors, rather than leaving the onus almost exclusively with the end user.
Australia’s Home Affairs Minister, Clare O’Neil, revealed in September that the 2023 update to the Australian Cybersecurity Strategy would focus on “six cyber shields” to protect citizens and businesses from cyber criminals, including safer technology, supporting Australia’s cyber ecosystem, and threat intelligence sharing. Prime Minister Anthony Albanese also spoke recently about Microsoft’s $5 billion investment in Australia’s “cyber shield,” with specific attention being paid to bolstering our digital infrastructure and supporting home-grown security talent.
While these measures show significant progress since 2020’s Cybersecurity Strategy, a couple of areas still fall agonizingly short of moving the needle for Australia’s ongoing cybersecurity landscape.
The Guidelines Are There, But We’re Still Not Mandating Security By Design Across The Board
As it stands, with the exception of IoT devices, there is no mandate enforcing far-reaching secure-by-design principles on Australian businesses and software vendors; the government has instead opted for a softer, advisory, voluntary opt-in approach. While the advice to ship software that is secure by design is solid, many businesses are not equipped with the internal infrastructure – in terms of trained security personnel and security-skilled developers – to pull it off without committing to significant changes that require a runway for successful implementation. National Cybersecurity Coordinator Darren Goldie has shown interest in addressing the cyber capability gap for corporate and business leaders, but this is likely to be a long road that still leaves many organisations lacking.
In a world where CISOs are battling budget constraints, cybersecurity talent shortages, and security programs that sideline the role of developers in upholding code-level security best practices, I have doubts that many will comply without a mandated push.
Vague Deadlines for Implementing Meaningful Change
Clare O’Neil must be commended for her spotlight on cybersecurity, and her commitment to raising our overall cybersecurity infrastructure. More recently, she used her platform to call for Australian businesses to patch specific known vulnerabilities to further fortify us from potential serious threats.
However, in terms of the updated National Cybersecurity Strategy, the lack of defined, mandated goals, and of fixed deadlines for implementation and compliance, is unlikely to deliver the cohesive, upgraded approach to security best practices that we need to become a truly world-class contender for the time being. To make that leap, key goals with a reasonable deadline, for example, compliance with key security-by-design principles by 2027, would be a small but useful hammer for smashing the status quo.
A World-class Cybersecurity Nation By 2030?
Late last year, Clare O’Neil stated, “I want Australia to be the most cyber secure country in the world by 2030, and I believe that’s possible. But we need a reset and we need a pathway to get there.”
This is ambitious, and a strong indicator that this government prioritises cybersecurity in Australia far more than its predecessors did. While this new strategy is a step in the right direction, without enforceable policy we may be waiting much longer for that global recognition.