ACSC: What is Australia's National Cyber Security Mission?
NATIONAL CONVENTION CENTRE, CANBERRA
WEDNESDAY, 12 APRIL 2018
Two summers ago, I was walking along Broulee beach with my husband when we noticed a woman diving into the surf with her two teenage children. From where we stood it was obvious they were heading straight into a rip.
They were 500 metres from the flags. Close enough to have walked there with ease. Far enough away to drown before help arrived.
The mother managed to keep her feet and grab her daughter. Her son was carried away from the beach. She followed him in to the water.
To my horror, my husband ran across the beach and followed them into the water. I stood and watched as all three were swiftly washed away from the shore.
Luckily the boy and his mother could both swim but they were fighting against the water. My husband was calling for them both to swim across the beach and away from the rip. Fortunately they did, so this story has a happy ending. Everyone survived, but it could have ended in tragedy.
My memory of that day was the feeling of absolute, unmitigated rage. As they emerged from the surf, I pointed down the beach and roared at the mother shouting,
“Swim between the flags. You could have drowned. My husband could have drowned trying to save you and your children because you chose to ignore this warning.”
Australians know the surf as their playground – a source of tremendous enjoyment. But bitter experience has taught us it can be deadly.
Because of that we have developed a unique national mission: volunteers across the nation have banded together around the country to patrol the beaches and keep us safe.
If you swim between the flags in Australia, the chance you will drown is remote.
Test the waters outside the flags, and the risk of drowning rises exponentially.
In my view we need to have the same attitude to cyber security.
We need to develop the same culture of safety, that same sense of collective action, that we impose on the beach.
We need to have a national mission, a unique national mission, that ensures all of us are kept safe online – and through that, our nation is kept safe online, our nation prospers online.
We need to collectively define our national mission and we need to collectively sign up to it.
Over the past five years there has been a lot of activity on the cyber security front.
Lots of strategies.
Lots of action plans.
Lots of frameworks.
Lots of dialogues.
Lots of agreements.
And that is all great work. You are doing great work.
But I don’t get the sense we are all pulling together towards a common goal.
An agreed common goal. A defined common goal.
To swim between the flags.
To slip, slop, slap.
To stop, revive, survive.
To realise a unique national mission.
We know that Estonia has a clear national mission. What is ours?
What is Australia’s national mission when it comes to cyber security?
So over the next two days I encourage you to think about that mission – to define that mission, to clarify the values and principles that are driving that mission, the milestones that indicate we are achieving that mission, so industry, government, Parliament, businesses small and large and individual Australian are all clear on where we are going and what we are trying to achieve in cyber security for our nation.
Like so much in the national security space, cyber security is largely a bipartisan issue. That said, it does not mean the Opposition will not hold the Government to account on its performance.
That’s why opportunities to hear from both major parties at conferences such as these are so useful. And again, I thank for the ACSC for including me in this conversation.
It is important for testing whether the Government is on track.
For testing whether we, as an Opposition, are on track.
For working out how we can create a safe and secure cyber environment for individuals, for businesses large and small, for government agencies, for critical infrastructure and for our nation.
According to the current cyber security rock star, Alexander Klimburg, and I’m sure many in this room have read his work:
“[The] Internet’s core attributes [in the early days] – such as lack of security and a consistent emphasis on trust – were not really conducive to its role as a tool of global power. Nonetheless, despite – or perhaps because of this utopian DNA, the Internet shot to fame with new users, products, and services. As it enters middle age, however, the Internet’s preferences and circumstances are changing.”
Now the challenge before us all is to keep pace with this change, to ensure that as cyberspace evolves, the protections, the securities, the unimagined possibilities evolve with it.
The virtual world of cyberspace is an immense ecosystem, with countless communities mimicking the real world. It is an ecosystem that has generated prosperity, opportunity and profound benefits to millions.
However, it’s also an ecosystem that has spawned new threats to individuals, to businesses, our critical infrastructure, our national security and our democratic systems.
It’s an ecosystem that continues to grow rapidly.
Each and every day.
It’s an ecosystem that is inhabited by millions of Australians.
Both the Government and Opposition understand that cyber security is everyone’s responsibility. The challenges of cyberspace are as much, if not more, human, than technical.
That’s why we need to mobilise and empower Australians to manage and mitigate the threats, so they feel safe in cyberspace, so they feel confident in navigating the risks – not just for themselves, but for the security of the nation.
And we need to address the range of challenges that still prevail in our ecosystem.
And that begins with government.
Cyber resilience of government agencies
I’ve been calling on the Government to take the cyber security of government agencies seriously since the release of the 2014 audit of cyber resilience report, where no agencies were found to be compliant.
In its follow up audits, only four government agencies were found by the Australian National Audit Office to be compliant with mandated security standards.
Government agencies should be the standard by which others in the community measure themselves.
Frankly, we’ve got to do better.
We need to get our own house in order.
We also need to be better at the cyber security of our critical infrastructure.
These are the facilities, supply chains and technologies that keep our lights on. Our water running and clean and safe. Our economy powering along. Our hospitals operating. Our homes heated. Our communities safe.
We have to do better at ensuring these assets – which are so vital to our social cohesion, economic stability and national security – are well protected from threats of foreign espionage, sabotage and coercion in an ever-evolving threat environment, particularly when it comes to protecting “the crown jewels”.
When it comes to the cyber security of the wider community, to the small and medium businesses which make up the bulk of the Australian business community, the sophistication of threats at this level are low but the quantity is high.
We have to do better at improving whole-of-nation cyber resilience and recovery by empowering Australians through an education campaign on basic cyber hygiene.
Patch and back up. Patch and back up.
That vital message that we learned from WannaCry that people just weren’t following.
An experience that highlighted we have no clear communication about where to go in the event of major breaches and security threats.
That’s why we need a single point of truth on cyber security, along the lines of the NCSC in the UK.
The shortage of cyber security professionals is having a significant impact on our ability to address these challenges as industry and government all compete for limited talent.
It’s forecast that by next year there will be 6 million jobs in cyber security globally, and only 4.5 million people with the skills to fill them.
That’s one and a half million jobs that will need filling globally in the next few years –19,000 here in Australia in the next year.
While Australia’s cyber security education is still in its infancy, now is the time to put in place initiatives that will improve educational outcomes that will deliver jobs to address this shortage.
They need to be holistic initiatives that acknowledge the diverse requirements of industry, that are based on skills maps, and that are inclusive.
We also need to do better at defining our KPIs and deadlines.
How do we know we’ve succeeded in this space?
And where are the assurance mechanisms when it comes to products, expertise, supply chains, qualifications?
Intelligence sharing and bringing cyber security to the forefront of conversations was the first step, we need to take the next.
We need to get industry and government working together on addressing these issues.
Swim between the flags
There is an immense collective wisdom and experience in this room and these challenges and more will be discussed at this conference.
And in your discussions over the next two days I also encourage you to keep asking yourself:
How can I be assured a product, an expert, a business is cyber secure?
Why are we doing what we are doing?
How will we know we’ve achieved our goal?
What are we trying to preserve and protect?
For our families?
For our communities?
For our way of life?
For our values?
For who we are as Australians?
For our nation?
For our very way of life?
How will we be able to experience the joy, the exhilaration, the power of catching that wave in the surf over summer, knowing we are safe because we are swimming between the flags?