Article by Nick Abrahams, Michael Tooma and Sam Witton
On Monday 23 November 2009 the Attorney-General announced the launch of the new national Cyber Security Strategy (the Strategy) and the formation of two new agencies to support Australia's defences against the burgeoning threat of cyber crime and terrorism. This major policy development is important to organisations with critical infrastructure such as transport, financial institutions, utilities and essential services. These organisations need to be alert to the risks associated with cyber security and to introduce appropriate systems and policies to protect against cyber crime and cyber terrorism.
The Prime Minister has indicated that cyber security is one of the nation's top national security priorities. While financial loss from cyber crime is hard to estimate due to underreporting, conservative estimates from the Australian Institute of Criminology place the loss for the 2006-07 financial year at between $595 and $649 million.1 As information and communication technologies have grown and diversified, so too have the threats to security. The Federal Government sees Australia's national security, economic prosperity and social wellbeing as critically dependent upon the availability, integrity and confidentiality of the information communications systems which Australians utilise.
The stated aim of the Strategy is:
"The maintenance of a secure, resilient and trusted electronic operating environment that supports Australia's national security and maximises the benefits of the digital economy"2
The Strategy intends to protect three key elements: individuals, business and government. It is articulated through Guiding Principles, Objectives and Strategic Priorities.
The Guiding Principles aim to combine national leadership with shared responsibilities, business partnerships and active international engagement.
The objectives of the Strategy aim to ensure that:
- all Australians are aware of cyber risks, secure their computers and take steps to protect their identities, privacy and finances online
- Australian businesses operate secure and resilient information communication technologies to protect the integrity of their own operations and the identity and privacy of their customers, and
- the Australian Government ensures its information and communications technologies are secure and resilient.
The Attorney-General has stated that, in order to achieve the objectives, the Australian Government will give all Australians the practical tools they need to be secure online and will work with businesses to create a culture of security on the internet.
Integral to the Strategy are two new mutually supporting organisations: CERT Australia; and the Cyber Operations Centre (CSOC).
CERT Australia brings together Australia's national computer emergency response arrangements and is intended to be the national coordination point for providing security information and advice to all Australians. In addition, it is intended that CERT Australia will be the first point of contact for international agencies raising cyber security issues with Australia. It is intended that CERT Australia will begin initial operations in January 2010 and be fully operational by July 2010.
CSOC has been established as an initiative of the Defence White Paper, which was published in May 2009. It is intended that CSOC will provide the Government with enhanced situational awareness about cyber security, will identify and analyse sophisticated cyber attacks and will assist in responses to cyber events across government and critical private sector systems and infrastructure. CSOC will draw staff from the Attorney-General's Department, ASIO and the AFP.
Part of the creation of a safe and secure online environment for all Australians will be the maintenance of an effective legal framework coupled with enforcement capabilities to target and prosecute cyber crime. The Strategy outlines that a number of steps will be taken to provide additional resources for law enforcement agencies to tackle cyber crime and ensure partnerships are in place to tackle crime through information sharing and intelligence.
The Government recognises that the Strategy must promote cultural change, requiring the education and empowerment of all Australians. Whilst the Strategy imposes requirements on businesses to protect customers' information and provide a secure online environment, it also provides substantial opportunities for businesses to engage in best practice and partner with government to find solutions to the ever-changing threat of cyber crime.
Organisations, especially those with critical infrastructure such as transport, financial institutions, utilities and essential services, need to be alert to the risks associated with cyber security and to introduce appropriate systems and policies to protect against cyber crime and cyber terrorism. These policies must be constantly monitored and reviewed to ensure their effectiveness.
1 K Richards, The Australian business assessment of computer user security: a national survey, Australian Institute of Criminology, 2009
2 Commonwealth of Australia, Cyber Security Strategy, 2009, p5