Softly, Softly: Why The Australian Cybersecurity Strategy Is A Missed Opportunity To Alter The Status Quo
Posted: Thursday, Nov 23


It’s fair to say that, for the past couple of years, we have seen regular changes to cybersecurity policy across most Western governments. The United States has been exceptionally proactive, spurred on by the fallout of large-scale cyber incidents like the SolarWinds supply chain attack and the disruptive Colonial Pipeline cyberattack. And on our own soil, we’ve seen Optus and Medibank as examples of where software security issues can cause chaos. While these examples represent the extreme end of successful exploitation, they are symptomatic of a long-standing global disregard for preventative cybersecurity measures.

The United States Cybersecurity & Infrastructure Security Agency (CISA) has led the charge in offering guidelines to assist governments and enterprises in fortifying their digital assets and infrastructure from determined threat actors, most recently in the form of their Secure-by-Design and -Default Guidelines. While not enforceable outside US government departments at this stage, it is a transformative set of recommendations that seek to place responsibility for security best practices back onto software vendors, rather than the onus resting almost exclusively with the end-user.

Australia’s Home Affairs Minister, Clare O’Neil, revealed in September that the 2023 update to the Australian Cybersecurity Strategy would focus on “six cyber shields” to protect citizens and businesses from cyber criminals, including safer technology, supporting Australia’s cyber ecosystem, and threat intelligence sharing. Prime Minister Anthony Albanese also spoke recently about Microsoft’s $5 billion investment in Australia’s “cyber shield,” with specific attention being paid to bolstering our digital infrastructure and supporting home-grown security talent.

While these measures show significant progress since 2020’s Cybersecurity Strategy, a couple of areas still fall agonizingly short of moving the needle for Australia’s ongoing cybersecurity landscape.

The Guidelines Are There, But We’re Still Not Mandating Security By Design Across The Board

As it stands, with the exception of IoT devices, there is no mandate to enforce far-reaching secure-by-design principles for Australian businesses and software vendors; the strategy instead opts for a softer, advisory, and voluntary opt-in approach. While the advice to ship software that is secure by design is solid, many businesses are not equipped with the internal infrastructure – in terms of trained security personnel and security-skilled developers – to pull it off without committing to significant changes that require a runway for successful implementation. National Cybersecurity Coordinator Darren Goldie has shown interest in addressing the cyber capability gap for corporate and business leaders, but this is likely to be a long road that still leaves many organisations lacking.

In a world where CISOs are battling budget constraints, cybersecurity talent shortages, and security programs that sideline the role of developers in upholding code-level security best practices, I have doubts that many will comply without a mandated push.

Vague Deadlines for Implementing Meaningful Change

Clare O’Neil must be commended for her spotlight on cybersecurity, and her commitment to raising our overall cybersecurity infrastructure. More recently, she used her platform to call for Australian businesses to patch specific known vulnerabilities to further fortify us from potential serious threats.

However, in terms of the updated National Cybersecurity Strategy, the lack of defined, mandated goals – coupled with fixed deadlines for implementation and compliance – is unlikely to provide the cohesive, upgraded approach to security best practices that we require to truly be a world-class contender for the time being. To make that leap, key goals with a reasonable deadline – for example, compliance with key security-by-design principles by 2027 – would be a small but useful hammer for smashing the status quo.

A World-class Cybersecurity Nation By 2030?

Late last year, Clare O’Neil stated, “I want Australia to be the most cyber secure country in the world by 2030, and I believe that’s possible. But we need a reset and we need a pathway to get there.”

This is ambitious, and a strong indicator of prioritising cybersecurity in Australia far more than previous governments. While this new strategy is a step in the right direction, we may be waiting much longer for that global recognition without enforceable policy.

Pieter Danhieux, Co-Founder and Chief Executive Officer at Secure Code Warrior

Pieter Danhieux is the Chief Executive Officer, Chairman, and Co-Founder of Secure Code Warrior. He started SCW in 2015 and built this company out to a global cyber security company from Australia with 220+ staff, helping more than 500 enterprises with building secure coders and software. In 2020, Pieter was recognised as a finalist in the Diversity Champion category for the SC Awards Europe 2020. In 2016, he was No. 80 on the list of Coolest Tech People in Australia (Business Insider), was awarded Cyber Security Professional of the Year (AISA – Australian Information Security Association), and is a member of the Forbes Technology Council. Pieter has been a Principal Instructor for the SANS Institute since 2007, teaching military, government and private organisations offensive techniques on how to target and assess organisations, systems and individuals for security weaknesses. Before starting his own company, Pieter co-founded NVISO in Belgium and worked at Ernst & Young and BAE Systems. He is also one of the Co-Founders of BruCON, one of the most awesome hacking conferences on this planet. He started his information security career early in life and obtained the Certified Information Systems Security Professional (CISSP) certification in 2004 as one of the youngest persons ever in Belgium. On his way, he collected a whole range of cyber security certificates (CISA, GCFA, GCIH, GPEN, GWAPT) and is currently one of the select few people worldwide to hold the top certification GIAC Security Expert.