AISA responds to Cyber Security Strategy 2020

We have a plan now, but execution crucial to success

THE long-awaited Federal Government 2020 Cyber Security Strategy has been unveiled, and while it appears to be a well thought out, considered and comprehensive plan for the future, it remains too early to determine whether the proposed strategy will deliver the right outcomes for Australian organisations and individuals until more details are released and the strategy is executed, according to AISA, the nation’s peak membership body for cyber-security professionals.

The Australian Information Security Association board said it was pleasing to see the $1.67 billion strategy’s focus on key priorities, including:

  • Professional standards in the cyber-security industry
  • Greater cyber awareness and training for SMEs
  • Sharing government capability, knowledge and help with businesses
  • Hardening defences and increasing the resolve against state and other criminal attackers
  • Better protections for consumers of connected devices (IoT)

“Broadly speaking, the 2020 Strategy aligns with the AISA submission into the Strategy development process, which will please our members nationwide who we surveyed extensively for its preparation,” the board said. However, the success of the Strategy will depend heavily on its execution.

Financial incentives

In one deviation between the AISA submission and what was released by the Government yesterday (August 6), AISA members strongly felt that tax breaks or other financial encouragements for businesses were a powerful means to improve their cyber-security posture. This recommendation appears to be largely missing from the Strategy. It should also be noted that since COVID-19, support for professional standards of cyber-security professionals has declined.

“In the Minister’s Foreword to the Strategy, there is mention of the Government seeking to ‘incentivise industry to protect themselves and their customers’ but that’s the only mention of incentives,” the board said.

“AISA believes that offering a carrot will be far more beneficial than wielding a stick when it comes to ensuring industry plays a more proactive part in their own cyber defence.”

Enough money?

The Strategy cites expert analysis from a number of submissions that cyber incidents targeting small, medium and large Australian businesses can cost the economy up to $29 billion a year, or 1.9 per cent of Australia’s gross domestic product (GDP).

“Given the size of the potential financial impact at $29 billion a year, there are reasonable questions that may be asked as to whether $1.67 billion worth of funding over 10 years that is allocated for the 2020 Strategy is commensurate to the problem. Particularly when $1.35 billion was allocated to ASD and ACSC (announced June 30), leaving $320 million over 10 years to address the challenge with industry and the community.”

The Strategy also flagged that “other critical sectors” would be included under the ‘Telecommunications Sector Security Reforms and Security of Critical Infrastructure Act 2018’ and that there would be new obligations for those sectors covered.

“We do need greater clarity in relation to whether the new obligations are reasonable and whether the Government will attempt to stretch the definition of a critical sector to be able to impose the obligations on a wider group of businesses.”

Diversity needed

A standing Industry Advisory Committee will be formed as part of the 2020 Strategy and AISA is calling on the Government to include peak industry and professional bodies such as AISA, academia and businesses, as well as representation from other sectors such as healthcare, retail, utilities (power, water, gas), manufacturing and supply chains.