If data is the new gold, we need a vault to protect it
Cyber agencies: Australian Signals Directorate and the Australian Cyber Security Centre. Source: Defence Images at images.defence.gov.au.

Written by

Michael Shoebridge

It’s hard to see how Australians can keep telling ourselves we’re global leaders in cyber security.

The Optus spill of almost 10 million Australians’ personal identity data was bad. But it’s dwarfed by the far more damaging Medibank Private hack that’s put sensitive medical information about millions of Australians, probably including the Prime Minister, into the hands of criminals. These criminals are drip-feeding chunks of it onto the dark web to punish Medibank for not giving them cash for their crime.

Three big factors are combining to make more damaging hacks and breaches likely. Decades of government counter-terrorism-driven law requiring data retention, failure to provide a clear central digital identity for Australians, and the global phenomenon of thinking of data as “the new gold” – which makes every company and every government department want to grab more of it so they can get rich or powerful.

Yes, the Optus and Medibank hackers are scumbags, as Clare O’Neil tells us, and it’s a good idea to have a taskforce to track and disrupt them. But without confronting these bigger factors, we’ll be left empathising with victims and vowing to hunt down people we know are beyond our reach.

During the counterterrorism era from 2001, successive Australian governments made laws forcing companies to demand and hold personal identity data about their customers. Think about how many times you’ve handed over copies or details of your driver’s licence, passport, birth certificate, citizenship papers, marriage certificates, bank accounts and rates notices to various companies and officials over the past few years.

This made sense when our major security threat was terrorism and before the digital world became so central to our lives. It makes much less sense now that terrorism is a continuing but managed problem, while a large, obvious and growing threat in our digital age is theft and misuse of our personal identity data.

The second government-created factor is the passive way the federal government has dealt with digital identity. It’s been a combination of Mao Zedong and Milton Friedman. Instead of creating a secure, government-issued digital identity for Australians, we’ve let a thousand flowers bloom and watched as a digital ID market has started to emerge.

So, in cyber land, we’re left with the worst of both worlds: laws requiring many companies to collect and hold copies and details of key documents and identifiers, along with a proliferation of digital IDs, such as the NSW Digital ID, the federal government’s MyGovID and even Australia Post’s Digital iD. And it’s left to individuals to choose which of this vibrant mix – if any – we sign up for, and to companies to decide which they recognise and use. This is paradise for cyber criminals wanting to get hold of and misuse the personal data of 26 million Australians, because the multiple separate pots of this information held by many different organisations with patchy cyber security maximise their “attack surface”.

Spending $9.9bn on the Australian Signals Directorate, the federal cyber agency that runs the Australian Cyber Security Centre, doesn’t look smart unless we deal with these foundational problems.

What can be done? We can replace the counterterrorism era’s keep-it-all policy mindset on data with one fit for the digital age: a principle that encourages companies to collect only the limited personal data they need – and to hold it only for the time they need to use it. And the federal government can get off the nest on digital IDs and realise a single, government-created and run digital ID is the best way to end the proliferation of personal data across Australia’s digital landscape. This will reduce the number of places and entities from which cyber criminals can obtain this valuable, vulnerable information on us all.

Implementing a single government-issued and protected digital ID will take that rare thing – political courage – to revisit debates we haven’t had seriously since the failed Australia Card in the early 2000s. Those scars are partly why governments are so passive. But this inaction is creating important vulnerabilities that weren’t obvious then, because the digital world wasn’t central to our lives.

The hands-off approach to digital identity is like the approach to government internet gateways in the early 2000s, when policy drift led to more than 200 poorly protected ways into commonwealth systems. Decisive action improved this radically. Now there are just six secure gateways from the internet into commonwealth agencies.

A single government-issued digital ID must be separate from departments’ operational activities and must not be about joining up data holdings on citizens. So, government agencies can only have the same access to it as any private company – and use it only for identity verification and validation. It needs to be designed and run by a credible government agency – the Australian Cyber Security Centre is an obvious place. And police will still need the same warrants they need now to obtain personal information held by government or private entities.

The remaining thing to change is the corporate world’s speculative mindset that “data is the new gold”. Companies are seeing the rise of digital data firms Google, Amazon and Alibaba as showing they have to grab as much data as they can about their customers, in the hope that magical exploitation of it will make them rich.

But if data is the new gold then, like gold, lots of people want to steal it from those who collect it in large amounts. So as much effort needs to be put into securing this gold as companies put into collecting it. That’s why banks came into existence – because it turned out that collecting your own large gold holdings got prohibitively difficult to protect with your own vaults, castles and soldiers.

It’s possible for Australia to actually be among the most cyber-secure economies and societies on the planet, but this will take some decisive policy and action from our federal government that goes well beyond hunting Russian cyber criminals.

Michael Shoebridge is director and chief executive of Strategic Analysis Australia.

This article was first published in The Australian on 28 November 2022.