Australia, it is claimed, is cyber risk insouciante, or carefree. It is spending $50bn on French submarines to better deal with Indo-Pacific military and maritime geopolitical risks, but it is supposedly not spending enough to deal “properly” with cyber security risks. It supposedly does not understand cyber risks well enough to prioritise them appropriately for the sake of the nation. Instead, the Australian Government is said to be exposing the nation to foreign state threats and “Cyber Pearl Harbour” risks as severe as “government overthrowing”. To fix the problem, Australia should reportedly “spend more” on cyber security.

The above introduction is my summary of a recent article published by the Australian Financial Review (AFR): Cyber experts say government must spend more on security or risk attack. The article reports that experts have advised the federal government to “put aside budget deficit concerns” and “invest in upgrading aging computer systems vulnerable to a damaging attack from a foreign state”. The article also refers to an expert saying that “it was imperative the federal government boost its spend on cyber security”.

Is the AFR article fuelling an exaggerated Fear, Uncertainty & Doubt (FUD) approach to lobbying for further funding in cyber security, or is it on the mark?

What is the Australian nation cyber risk?

According to the AFR article, the risk of not managing the cyber risks “properly” is that “we can’t trust the results of whatever it is we’re doing – from tax, human services to elections”. We would be “vulnerable to damaging attack from a foreign state”. To support the severity of the suggested level of risk, the article refers to the following examples, as qualified by the “US government and security experts”, under the header Cyber Pearl Harbour:

  • The alleged activities of Russian hackers in the US DNC email server hack, supposedly influencing the outcome of the 2016 US Presidential election (i.e. the Russians allegedly interfered with the US election, through their hackers, to get Donald Trump elected). I will comment that those allegations are clearly debated in the cyber security expert community, and I can only recommend the only sensible and logical report I’ve come across on the subject to date, from Brian Krebs’s blog: The Download of the DNC Hack. I am, along with other cyber security experts, sceptical of the allegations made. I also wonder how secure the DNC’s email server was, and, to the point of this blog post, I would ask whether their administrators were also cyber risk insouciants.
  • The alleged activities of the (supposedly) same Russian hackers in attacking three different electricity utilities in Ukraine which led to blackouts.

The AFR article quotes a second expert further qualifying a possible risk of “overthrowing government”, and stating that “hackers could target a country’s biggest telecommunications company”, from where they “could potentially gain access to other companies, say an electricity utility, oil company, media group or bank…”.

While the AFR article is mainly supported by references to alleged, and debatable, Russian-attributed state-sponsored cyber activities, a selection I would suggest is biased and clearly disproportionate in view of other countries’ known and alleged offensive cyber activities, I certainly concur with the importance of the cyber risk in Australia, and with the need to better manage that risk with an investment put in perspective against other key national risks. I think the AFR article falls short of putting the cyber risk in perspective and may unfortunately offer an incomplete view of the subject.

What is the Government doing about it?

The Australian Government isn’t doing enough about it, and should “spend more” on it, according to the AFR article.

The AFR article quotes: “It’s [Cyber Security] about comprehensive risk management and understanding the risks you’re facing. It’s no longer good enough that government is dealing with ridiculous computer legacy systems propped up for the past 30 years.”

The AFR article refers to the Australian Government prioritising its defence investment with a new French submarine fleet ($50bn), which was “challenged by some security experts who noted the internet remains the new frontier for military and industrial warfare and that Australia should be investing there rather than buying new submarines given the risk of a ‘cyber Pearl Harbour’…”.

The AFR article implies that the cyber risk “isn’t understood” (when compared to physical threats, hence the big investment going only to a new submarine fleet), and that the Australian Government’s cyber-defence experts at the Australian Signals Directorate (ASD) are not given the support and the mandate they should have to raise the bar on cyber risk management and to drive efficiencies in government spending on cyber security.

The AFR article also quotes that “the biggest challenge for Australia remained a ‘she’ll be right’ attitude”, and that “Our famous easy-going attitude has completely put us in the cross hairs”.

To me, the AFR article indicates that the Australian Government’s prioritisation of the matter (incl. budget) is inadequate because the Government doesn’t understand the cyber risk, and that it consequently exposes the nation to an unacceptable level of cyber risk. Is it so, and why? Are “cyber security experts” not doing a good enough job in advising the Government on the subject? Or is the Government ignoring them? I would be curious to read an official Government statement in response to the AFR article, which also reported that “The Australian Federal Police and Alastair MacGibbon, the Prime Minister’s special adviser on cyber security, were not available for comment”. I think it would be important to put the Australian cyber risk in perspective to start with.

Putting the cyber risk in perspective

The World Economic Forum (WEF)’s Global Risk Report provides a very good reference for appreciating the importance of cyber risks to Australia and other countries. The report provides a relevant perspective on Government priorities (incl. budget) for national risk management. My key takeaways from the 2016 WEF Global Risk Report include:

  • Cyberattacks are itemised as a key global risk in their own right, and it is a risk that is strongly linked to other key global risks: ‘Data fraud or theft’, ‘Critical information infrastructure breakdown’, ‘Adverse consequences of technological advances’, ‘Failure of critical infrastructure’ and ‘Terrorist acts’ are the strongest risk links reported.
  • Cyberattacks are not directly reported in the top 10 global risks for likelihood or impact, and they are not strongly linked to any of the top 10 global risks for impact.
  • Cyberattacks are not reported as a top-3 likely risk for East Asia & Pacific (incl. Australia), where the key risks include ‘Natural catastrophes’, ‘Extreme weather events’ and ‘Failure of national governance’. The risk of an ‘Asset bubble’ also ranks top for Australia (along with 6 other countries). Cyberattacks, and the closely linked risk ‘Data fraud or theft’, only appear in the top 3 for North America, and in no other reported region’s top 3.

The cyber risk in Australia understandably does not top the list of our Government’s risk management priorities. Still, I agree that more should be done to better manage the cyber risk in Australia, based on my cyber security professional experience in the country. I also certainly appreciate our increasing dependency on cyber (and therefore exposure to cyber risk) in many aspects of our lives. The cyber risk will keep increasing as we further connect, interconnect and automate as many things as we can.

However, I can’t comment on whether further expenditure would actually be required, and what for. The AFR article, and the expert sources it refers to, also don’t provide any clarity on how much more expenditure would be required and what for. To get an informed view on the subject, I would first have a list of follow-on questions.

Follow-on questions

The AFR article got me really curious about some follow-on questions, which include:

  1. How much is the Australian Government currently spending on managing the nation cyber risk? (~$100M AUD per year according to my research)
  2. What risk reduction outcomes are currently being delivered through the Government expenditure, and how?
  3. How much “more” should the Government eventually spend to make any residual cyber risk acceptable for Australia? Why and how? @FinancialReview, you say the Government should “spend more” – your answer here would be appreciated.
  4. While I tend to be sceptical about the value of benchmarking: how does Australia currently compare with other countries sharing the same level of cyber risk (residual risk, expenditure, ratio of cyber security expenditure vs Defence budget, vs GDP, strategy, etc.)?
  5. What is the best possible governance model for Australia to best manage the nation cyber risk across public and private sectors?
  6. Last, but not least: How to get the cyber risk understood well enough by the Australian Government and the Australian citizens to support due and adequate funding?

I will dig into the above questions and would also greatly appreciate any input, pointers, corrections or comments that you may provide. Please have a say.

2 thoughts on “The Australian Cyber Risk Insouciance”

  1. Hi Gui,
    First, on a more general note – ‘risks’ are hard to quantify; and anticipated risk-management benefits are even harder. It is ironic, that better security leads to reduced losses and costs; which becomes evident ‘a posteriori’. Therefore, the ongoing challenges for security professionals are (1) to justify the spend and (2) to monetise their efforts.
    In my view, these challenges will persist within existing siloed approaches to IT + security + accounting practices.

    Now, before you dig into the six (6) questions raised in your article, the accountabilities of the Australian Government should be identified first, i.e.:
    1. What are the [current] accountabilities of the Government? – at the high level
    2. How are these accountabilities fulfilled? – Process + Assets
    3. What assets/processes do belong to the Government? Which ones are outsourced?
    4. How are the assets accounted for? and processes controlled?
    5. What are the threats to all the key assets and processes?
    6. What risks are being considered? And what management actions have been taken already?
    7. What are the gaps?
    8. How can these gaps be addressed?

    HIH
