Analysis

Government turns around its Optus cyber debacle

Clare O’Neil’s cyber strategy is a strong first step to raising national standards, tackling plenty of areas where businesses need help, and leaving room for further reform.

Paul Smith, Technology editor

A $587 million boost to Australia’s cybersecurity posture is a suitably big number to headline a compendium of patiently compiled and sensible ideas launched by Home Affairs Minister Clare O’Neil on Wednesday.

Her reaction to Optus’ data breach a year ago – the country’s wake-up call – was unhelpfully combative and political, betraying some inexperience in the cyber realm. She has clearly, and commendably, reassessed her approach, and kept realistic and strong business voices, including former Telstra CEO Andy Penn, inside the tent to produce a comprehensive strategy.

Clare O’Neil unveils the cyber strategy in Sydney on Wednesday. 

O’Neil’s evisceration of recently departed Optus CEO Kelly Bayer Rosmarin in the aftermath of its big data breach undoubtedly played well with an angry public, but horrified many chief information security officers (CISOs), who saw a government that didn’t understand the complexity of systems and supply chains they are trying to secure.

Throughout the lengthy strategy document – and in the opening remarks of Ms O’Neil’s press conference on Wednesday – an overall acceptance that companies will succumb to future cyberattacks is taken as read. The plan is about making Australia less susceptible, and making sure everyone is playing to the same standards.

Measures to support small and medium-sized businesses, which include free cyber health checks and support in the event of an incident, were badly needed. Not only is a cyberattack a potentially fatal incident for a small business, the knowledge that smaller organisations are sitting ducks often precludes them from winning contracts with larger organisations.

The weakest link in a supply chain effectively becomes the weakest link in all the companies on it, so it is in everyone’s interests for Australia’s soft underbelly to get some steel into its abs.

On that score, a nod to consumer electronics was a good move, with the requirement that internet-connected devices such as baby monitors and home security cameras carry cyber safety ratings.

The rise of internet-connected and AI-enabled devices in our homes is only going to continue, and this should mark the beginning of the end of the Wild West era for cheapo devices with zero safety built in.

Corporate Australia has typically resented the idea of government interference in its cyber affairs, and reporting requirements when incidents occur have been so onerous as to encourage organisations to cover up problems.

After its breach, Optus was justifiably aghast at the ludicrous amount of admin involved in reporting to numerous agencies with slightly varying demands, and a new single reporting portal for cyber incidents is a good example of government acting to remove red tape.

There was nothing hugely surprising or controversial in the new cyber strategy, but that is a sign that it has delivered valuable improvements, says James Turner, who runs CISO Lens.

The group regularly convenes meetings of the country’s top CISOs, and Turner says members have told him that the consultation process for the strategy has been “genuine and comprehensive”.

“Doing the right thing is rarely spectacular,” he said after having a read through the strategy.

“I’m struck by how often the strategy commits to co-design and working with industry … I think this strategy captures the idea that government has a unique role to play as a convening power, while also acknowledging that neither private sector, nor government, can adequately build strong capability without the other.”

One area that O’Neil admits is still not ideal is that she cannot yet ban ransom payments to hackers. This is probably due to pushback from businesses, which have found themselves unable to continue operating without paying.

The demystifying of ransom demands, enforced by new requirements for companies to disclose them, should help get a clearer picture of the extent of the problem. Banning them – an admirable goal – will then be a battle for another day.

Paul Smith edits the technology coverage and has been a leading writer on the sector for 20 years. He covers big tech, business use of tech, the fast-growing Australian tech industry and start-ups, telecommunications and national innovation policy. Email Paul at psmith@afr.com
