If there was an overarching theme to the Australian government’s Cyber Security Strategy it was the renewed sense of empathy it showed toward Australian businesses, which are caught on the frontline of the cyber fight, often without the support needed to win it.
As the Australian Signals Directorate reported in its Cyber Threat Report 2022-23, Australian businesses are subject to a cyber attack every six minutes, and yet each week it seems more and more obligations are piled on them.
When they fail, as Optus did last year, they are pilloried in the public square.
And yet very little is done to support them, or in some cases even guide them, as to what their obligations are.
Ask yourself this: when was the last time you read about a cyber attacker being charged with an offence, much less caught and convicted of one?
Yes, I know; it’s not that simple. Cybercriminals are invariably based offshore, usually in opaque jurisdictions where law enforcement cooperation is challenging if not impossible.
But that’s cold comfort to a business that’s just suffered the equivalent of a street mugging only to be told the police can’t see the point in helping them.
It’s why a ban on ransomware payments is, for now, a bad idea.
Businesses that get hit with a ransomware attack are the victims of a crime. The fact that they’re listed on the ASX doesn’t change that.
Paying the ransom, abhorrent as it may seem, may be the only way to remediate the damage done to their systems. For some businesses, particularly SMEs, that can be the difference between trading and not trading,
In other words, it’s an existential choice.
To remove that choice without first putting in place greater support and protection for businesses on the front line of this problem, is to put industry in an impossible and unreasonable position,
Home Affairs Minister Clare O’Neil obviously gets this.
By forestalling a legal ban on ransomware payments while at the same time acknowledging one is inevitable, she sends an important market signal.
For business the implications of that signal are obvious: tool up your cyber defences now because buying your way out of trouble won’t be an option for much longer.
Again, it’s smart policy that demonstrates empathy for the challenges industry faces in dealing with this threat.
This brings me to what was one of the most overlooked elements of the Cyber Strategy: the renewed focus on data security and the support the Strategy proposes in helping industry to manage it.
To continue with the ransomware example: Ransomware only works when the data that’s been stolen is worth buying back.
Buried amid the commentary about ransomware, mandatory reporting requirements and the usual focus on critical infrastructure, was the announcement that the government would work with industry to develop a voluntary data classification model.
It’s part of a larger piece of work the government is doing around data retention laws. Laws that require businesses to retain data for a certain period of time, are all well and good, but for business they’re a liability.
They also paint a target on your back.
The more data you have the more that can be stolen.
A review into data retention arrangements - a key part of the Strategy - therefore makes a lot of sense.
All the indications are the government’s review will start with a first-principles approach to data management, namely, by classifying it.
Governments, obviously, already do this well.
Official classification systems grade information according to its sensitivity and apply corresponding security measures.
Anything secret or above is restricted to specialist networks or, in extreme cases, air gapped completely.
The uniformity of this standard means information can be safely exchanged across governments for the obvious reason that every agency that receives it knows the proper handling requirements.
It also confers an efficiency benefit. By triaging information agencies can save money by storing unclassified data cheaply while reserving the more expensive data security options for their most sensitive holdings.
No such system exists in the private sector even though the vast majority of sensitive public data is held by private companies.
As the Cyber Strategy notes, “There is…no common methodology by which the private sector can assess and communicate the value of data in a standardised way. Many businesses have voiced concerns that they are required to store substantial data records for excessive periods of time, which can often be high-value targets for malicious cyber attacks. Some organisations take proactive steps to protect their data holdings, but this is often done in isolation, leading to inconsistent application of security controls and creating practical barriers to data sharing.’’
The Strategy goes on to say that the government would identify the most sensitive and critical data sets across the economy, and take steps to protect them.
The vast bulk of customer data can usually be stored cheaply or deleted entirely. But sensitive data sets, like identity details, credit card numbers, health records and so on, will need to be stored securely.
For business that will mean the equivalent of high side environments.
Specifically, it will mean sensitive data stored on-premises in private-cloud environments.
The globalisation of the data market - another issue of concern raised in the Cyber Strategy - will make offshoring data an increasingly risky bet.
It’s a bet corporations can no longer afford to take.
Part of the fallout from the Optus hack has been to spread the professional and legal risk across the C-Suite.
It’s not just the board and CEO on the hook for data breaches anymore.
Senior information executives are increasingly sharing the liability.
It’s a lesson the private sector must heed if they want to avoid becoming the next Optus or Medibank.
After all, empathy only goes so far.
