Breaking cyber’s endless loop
Cyber's endless loop

Written by

Lesley Seebeck

New ideas, structural reform are needed – not just more money.

The 2023-2030 Australian Government cyber strategy looks likely to be announced soon. It’s unlikely to be backed by substantial new funding. Across the board, in the defence and national security space, the government is in something of a holding pattern, with decisions deferred awaiting the completion of a multiplicity of reviews and government’s responses to them. 

Industry seems stuck in a similar pattern—after all, their investment and risk decisions in good part depend on government policy settings. Having attended cyber events now for perhaps a decade, I am struck by their repetitiveness. Invariably, there are calls for more—more focus, money, staff with up-to-date skills, sharing of intelligence, diversity, attention at the top-table, help for small businesses.

There is no lack of enthusiasm, earnestness, and genuine concern amongst the participants or industry more generally. Practitioners face real problems in their workaday lives, and those problems continue to expand, outstripping available budgets, staffing and executive attention spans, while both attacks and the breadth of their responsibilities increase. Little wonder that the average tenure of a Chief Information Security Officer is between 18 and 24 months, and cybersecurity teams experience stress and fatigue.

The money problem

Take, for example, the effort to needed to compete for resources. That can be wearing. Even as ransomware attacks increase, as the geopolitical environment heats up, and as society is increasingly dependent on digital technologies, more funding is rarely forthcoming. When it is, Peter is often robbed to pay Paul, transferring risk internally and often lessening overall resilience.

Nevertheless, given increasing geopolitical uncertainty, its likely some additional funding will be directed to the national security community: the government will want to keep its intelligence and military capabilities sharp.  

Still, simply throwing money at the problem is of itself not a good answer. Too often, it’s a short-term fix and can exacerbate existing dark patterns. 

For example, an influx of funding can draw unscrupulous vendors, feeding on the fear, uncertainty, and doubt so destructive in the cyber industry. 

Paying increasing remuneration to attract staff can, after a certain point, set up a vicious cycle of escalating salaries without resolving the underlying issue of supply, organisational capabilities, and resilience. 

Tying funding—or penalties—to compliance can lead to short-term efforts to outsource risk, whether to managed service providers or vulnerable groups, those least able to manage their own security, or to hold organisations to account, as in Robodebt.

The need for structural reform and new ideas

All of which will likely place the Minister for Home Affairs and for Cyber Security, Clare O’Neil, in something of an invidious situation. The Minister has raised expectations—the ‘need to do something’ in the wake of the Optus and Medibank breaches. That has to be more than broad statements, bureaucratic rearrangement, and legislative change, which can risk lag effects, increased regulatory burden, and unintended consequences. The six shields described by the Minister in September usefully knitted together a policy narrative; more is needed to grapple with structural practicalities or resolve causal vulnerabilities.

Breaking the cyber loop needs breakthrough ideas: here are two suggestions, one with more a technical focus, the other societal.

A cyber safety review board

One means of generating practical structural reform is through a cyber safety review board (CSRB), modelled on the US initiative implemented in 2022.

The key benefit of a CSRB is the non-attributable investigation and analytical reporting of cyber incidents, with recommendations for improved practices. That’s critical for building capability, national resilience, and public trust of both government and industry. It would help mitigate the destructive victim blaming redolent of public reaction to cyber-attacks while informing decision-makers of the nature of the threats faced and countered by their teams every day.

Thus far, there has been little by way of reporting lessons learned from any major Australian attack; exceptions are few. The Australian National University, for example, issued a report on its breach in 2019; the phishing emails it set out were an eye-opener to many senior executives in Canberra. The US CSRB has produced two reports thus far, on the log4j vulnerability and on the Lapsus$ ransomware group, both highly recommended; a third is underway on cloud security

The key attributes of the US CSRB, essential for its trust, integrity and effectiveness include:

  • ethics—the US CSRB has a strong ethical requirement, including around purpose and conflicts of interest;
  • capability—members are expected to bring their personal cyber expertise, not the equities of current or past employers;
  • confidentiality—security clearances and non-disclosure agreements are required, and reports and related materials are protected under Presidential Communications Privileges;
  • impartiality—appointments are made regardless of political affiliation; and,
  • practicality—with a focus on understanding what happened during incidents and generating pragmatic recommendations for improving cybersecurity.  

Hopefully, a CSRB may already be within government sights as it’s clear that the government is taking notice of Biden Administration cyber initiatives. However, such an American construct will translate imperfectly to an Australian setting. It’s not simply filling a 20-person board, a CSRB must be supported by a knowledgeable, industry-versed, and cyber-savvy secretariat. Australian mechanisms and capability are arguably more limited than its American contemporary.

Moreover, any government reluctance to protect fully the confidentiality of material presented to a CSRB may compromise companies’ willingness to participate. And the government itself must be willing to have its own performance critiqued, to build industry trust and improve overall national capability.

Digital democracy 

A second front for change is overhauling the underlying premise of Australian digital society, economy, and governance.  As argued elsewhere, and most prominently by Victor Dominello, Australia would benefit from drawing on the experience of Estonia—notably, also the home of the NATO Cooperative Cyber Defence Centre of Excellence (CCDCOE). 

Estonia’s successful digitalisation is underpinned by a series of principles including,

  • a citizen’s visibility and control of their own information, with privacy protection a core tenet;
  • government as steward of the technology that supports and protects, rather than ‘owner’ of, personal data;
  • fundamental support for end-to-end encryption as the basis for trust in a digital society;
  • build versus buy, so developing the X-road, a secure, interoperable, data exchange ‘backbone’; and
  • a rigorous determination to reduce complexity and bureaucratic burden, eliminating legacy IT, and minimising the unnecessary duplication of personal data.

The benefits to improving cyber resilience are considerable. An effective digital identity helps limit the proliferation of personal data, and so means of attack. Individuals are readily able to understand, check and act when their own data is accessed, and there are legal sanctions against unauthorised access, including by officials. The distributed, modular architecture is better able to be protected, when attacked, limit damage and recover.

The Estonian approach helps to bolster democratic institutions, including privacy, even as those are encroached by governments, companies, and foreign adversaries. And it has redefined the nature of the state to one not simply defined by territory, but by its data, and to a ‘country-as-a-service’.

However, the Estonian model is unlikely to translate to Australia in its entirety. Most objections to it are based on the different political systems, or the cost of overhauling existing IT and data stacks. Australian national security agencies have issues with end-to-end encryption.

Public distrust of big government data, especially in the wake of Robodebt, may well impede efforts at change, without commensurate steps to strengthen privacy, transparency, and individual control of personal data. It’s also unlikely that the creative, enthusiastic ’mission mystique’ of the Estonians could be replicated in Australian circumstances.

Meeting the challenge

The challenge in realising a CSRB and a strengthened digital democracy is substantial—for both government and industry. Both are ‘policy hard’ yet offer the opportunity for real benefit.

A CSRB would help establish a flywheel for change and could be undertaken at a reasonable cost; implementing its recommendations will be harder, and care will be needed to manage equities and cost and risk transfer.

A fully digital democracy will be a tough road. But as Dominello has shown in NSW, progress can be made. And there’re good reasons to try: without a trusted, disciplined, citizen-centric approach to digital, cybersecurity will almost certainly remain sub-par.

Cyber needs breakthrough ideas. Implementing both these in a new strategy, Minister O’Neil can avoid the trap of the endless loop, instead setting a new direction, creating the flywheel and a path for the future.