The Australian Information Industry Association (AIIA) has welcomed the federal government’s Cyber Security Review, saying that there is no whole-of-government approach to cyber security and a potential for gaps in messaging, communication and action.
The review is looking at how government and industry can work together to improve the security of online systems. Outcomes of the review will be presented in May.
“Responsibility for cyber security reporting, intelligence detection, cyber policy development, regulatory requirements, compliance and education programs sit across a range of agencies,” states the AIIA’s submission. Those agencies include the Department of Communications, the Attorney-General, Defence, the Department of Prime Minister and Cabinet, and Finance.
“Notwithstanding the role of the Australian Signals Directorate [ASD] in developing and executing government security policy, the level of expertise agencies have to identify and mitigate cyber intrusions in an increasingly dynamic digital environment is unclear,” states the submission.
“The ramifications of these weaknesses raise obvious concern for citizens who entrust government with their personal information and for the organisations and businesses that transact with government.”
The AIIA has called for greater clarity in the roles, responsibilities and accountabilities of the government’s cyber security infrastructure, a consolidation of resources to ensure investment in cyber security resilience is targeted correctly, and two cyber security reporting points: one for individuals and one for business and government agencies.
According to the AIIA’s submission, the government’s role is to:
• Develop and maintain a set of ‘voluntary’ guidelines for best practice; and
• Develop and implement an education and communication strategy for all stakeholder groups on how to identify, protect against, deter, respond to and recover from a cyber-attack.
The submission added that information needs to be easily accessible and should promote the use of best practice. For example, information should describe the protection that is both required as a minimum and recommended to ensure the likelihood of a breach or incident is minimised.
Turning to industry, the submission said that businesses small and large are targets for both criminally motivated and state-sponsored cyber-attacks where information is sought for personal gain, economic advantage or espionage.
“As such, businesses should be required to use best practice information to inform their risk management, security strategies and implementations. Responsibilities of business should also include the sharing of information and the disclosure of incidents.”
AIIA’s submission follows that of the Communications Alliance, which argued that historic developments have left Australia with a large number of government departments and agencies with overlapping cyber security responsibilities.
“A better co-ordination of the current spread of agencies and programs and the creation of a single national point of access to government’s cyber security agencies is likely to increase efficiencies and to deliver a clearer message to all stakeholders,” argued Communications Alliance’s submission to the review.
Follow Hamish Barwick on Twitter: @HamishBarwick