The Optus data breach and Australia’s lacklustre cyber security placing of 31 (out of 63 countries) in the latest World Digital Competitiveness Ranking (WDCR) highlight that we cannot afford to be complacent about cyber security. A rising tide of bad actors, aided by hacking toolkits obtained from the dark web, constantly re-invent ways to obtain corporate, industrial and government data, which is then sold on the dark web and used to commit further crimes.
Figure 1: Australia's WDCR rankings out of 63 countries
In the future readiness breakdown (Figure 2), Australia rates highly for ease of starting a business, internet retailing and controls over pirated software.
Australia rates poorly on cyber security generally, on public-private partnerships and on attitudes towards globalisation.
Figure 2: Future readiness factors breakdown - strengths and weaknesses
Australia clearly needs to invest in acquiring top talent, boosting cyber security education and training, as well as producing more STEM graduates to establish a thriving R&D culture.
Notwithstanding the growing urgency, finding the money to invest in these strategic areas is easier said than done.
There are a few practical ideas that could be implemented to remedy the shortfalls in Australia’s cyber security capability, including the following:
Tech-savvy Board members
It is not uncommon for Boards of Directors to have a conspicuous lack of members with technical and engineering skills. When governance decisions are made, there need to be multiple strong, informed voices putting forward the strategic case for proper investment in cyber security.
Boards must be convinced of the need to invest in first-rate cyber security and its enablers, including hiring talent, implementing the latest AI-enabled tools and utilising cyber-intelligence. These come at a price, but making targeted investments in cyber-security reduces the risk of a large-scale Optus-like data breach and the resulting blow to corporate reputation and disruption of operations, not to mention damage to the bottom line and stock price.
Making company directors personally accountable for cyber breaches would have a highly motivating effect on bringing more technical talent onto Boards and the development of proactive cyber security strategies more broadly.
This has already happened in relation to critical infrastructure. Amendments to the Security of Critical Infrastructure Act 2018 make company directors personally accountable for a cyber breach. The Security Legislation Amendment (Critical Infrastructure) Bill 2021 was passed and received Royal Assent on 2 December 2021, bringing the changes into effect.
Interestingly for Optus, telecommunications are now included in the expanded definition of critical infrastructure, along with data storage or processing, financial services and markets, water and sewerage, energy, healthcare and medical, higher education and research, food and grocery, transport, space technology and the defence industry sector.
There is also a notable shortage of engineers and technologists among our lawmakers. As with Boards of Directors, when decisions are made about how to allocate resources, there need to be similarly strong, informed voices advocating for investment in talent acquisition, training, STEM education and R&D. With sufficient political will, all things become possible.
It is no exaggeration to say that Australia’s economic future is, to a large degree, dependent on our technological readiness across all of the WDCR dimensions listed in Figure 2 above. Australia is an integral part of the global economy and must compete with countries not so fortunately endowed with mineral resources.
This is a call to all those engineers and technologists who might be considering a career in politics – your country needs you.
Law reform: finding the sweet-spot
There is a dynamic tension between the exponential rate of change in the technology domain and the deliberate, fine-grained process of law reform.
The gap is widening between the lawless ‘wild west’ of cybercrime and the slow, reactive process of law reform. While it is vital that any law reform goes through a thorough and proper process, in the area of cyber security legislation will need to become more agile and proactive to keep up with the fast pace of technological change. The aim is to find the ‘sweet spot’ between too fast and too slow.
The Optus breach has led to renewed calls for law reform to strengthen the protection of people’s privacy. In Australia, it is the Privacy Act 1988, which includes the Australian Privacy Principles, that is primarily concerned with privacy protection. The Act has undergone many amendments over the past 34 years in an attempt to keep pace with the evolving threats to privacy brought about by internet technology.
In October 2021, the Attorney-General released an exposure draft of an amendment to the Privacy Act, known as the Online Privacy Bill, which proposes an enforceable online privacy code and stronger penalties for breaches of the code. This is the latest of many proposed changes to the Act, and certainly a step in the right direction. Responding to cyber threats, in both the regulatory and corporate landscape, is akin to a game of ‘whack-a-mole’: no sooner do we knock one problem on the head than another pops up somewhere else.