Op-Ed: Charting Australia’s cyber security future – Imperatives for the next strategy

As Australia embarks on the journey of crafting its next cyber security strategy, it stands at the crossroads of transformation. Its new strategy offers a unique opportunity to put in place a framework that builds upon established cyber security best practices and state-of-the-art capabilities that strengthen Australia’s cyber resiliency – bolstering the nation’s cyber defences, insulating critical infrastructure, and safeguarding its citizens’ digital lives.

The path ahead is a complex one, but it rests on five foundational pillars that will define the efficacy of Australia’s cyber security posture.

1. Forging cyber resilience through zero trust and attack surface management

Cyber adversaries are adept at exploiting vulnerabilities, and the very concept of trust has become a digital minefield. To counter this, Australia’s next strategy must champion the principles of zero trust and attack surface management (ASM). In a landscape where inherent trust is relinquished in favour of continuous verification, zero-trust policies act as a linchpin in defensive architecture. But fortifying defences isn’t enough; understanding and managing vulnerabilities is equally crucial.

This is where ASM steps in, empowering organisations to proactively identify and mitigate risks. Importantly, ASM capabilities can also be leveraged for near real-time impact monitoring of existing cyber security regulations and help assess the nation’s cyber resiliency.

Both of these concepts have been firmly established within US government policies – only as recently as this month did the US Cybersecurity and Infrastructure Security Agency (CISA) affirm the effectiveness of ASM in its strategic plan for 2024 to 2026, and the US government established a zero-trust strategy in 2022. By promoting the adoption of zero trust and attack surface management across the economy via the cyber security strategy, Australia can transform its cyber posture from reactive to proactive, nullifying threats before they manifest.

2. Pioneer a high-risk vendor and supply chain strategy

The digitised world is a tapestry of interwoven ICT connections and often unknown dependencies. A weak link in the ICT supply chain can unravel even the most fortified defences. Recognising this, Australia’s next strategy should usher in a comprehensive high-risk vendor and supply chain strategy. As the operations of critical infrastructure and many national security and defence platforms are increasingly digitised and connected, compromising underlying ICT supply chains (across both hardware and software) can be an effective technique for cyber adversaries to gain widespread and undetected access to networks, systems and information.

VIEW ALL

The Australian government must move to prioritise ICT supply chain security that focuses not just on where a company is headquartered but also on vendor practices and product integrity. Supply chain security is the backbone of a resilient and trust-based global economy. By ensuring the integrity, confidentiality, and availability of goods and services throughout the supply chain, we can mitigate risks, protect sensitive information, and safeguard the interests of businesses, consumers, and the nation.

3. Strengthening national resilience: Operationalising trusted cyber security partnerships

The notion of a nation-state standing alone against an amorphous, borderless, digital nemesis is as futile as it is outdated. The inherent agility and innovation of cyber adversaries necessitate a symphony of resources, intelligence, and expertise that can be leveraged across jurisdictional boundaries to combat a dynamic adversary. The time has come to not just acknowledge, but truly operationalise public-private partnerships (PPPs) as a cornerstone in our collective cyber defence.

By engaging with trusted cyber security companies that operate globally, Australia can harness real-time insights from different parts of the world, cutting-edge AI-enabled technologies, and collective threat intelligence that far surpasses the capacity of any single entity. Large cyber security companies often possess visibility into the digital labyrinth that rivals that of nation-states and can wield insights that are invaluable in deciphering the shifting patterns of cyber threats and our cyber adversaries. Their vigilance in monitoring emerging vulnerabilities and real-time response and remediation elevates their positioning as key players in shaping the cyber landscape.

A notable instance of the tangible benefits of PPPs in cyber security is the collaboration between the Australian Cyber Security Centre, the US National Security Agency, and Palo Alto Networks to disrupt a campaign from a Chinese-based adversary (Alloy Taurus) targeting governments and critical infrastructure across Europe and Asia – including here in Australia. Through concerted efforts and intelligence sharing, the partnership led to the public release of a report, which detailed the infrastructure used by this group and forced the threat actor to abandon key capabilities and infrastructure.

As part of the cyber security strategy, the Australian government should initiate a proof of concept (PoC) in collaboration with a select group of trusted cyber and technology enterprises to detect, disrupt, and deter cyber adversaries. Insights derived from this PoC can subsequently inform the establishment of more comprehensive cooperation frameworks, facilitating the disruption of cyber adversaries and enhancing the government’s awareness of the evolving threat landscape. By combining the expertise, resources, and intelligence of both sectors, Australia can create a more resilient and secure cyber ecosystem, protecting businesses, individuals, and the nation from cyber attacks.

4. Provide cyber security to all Australians by default

Every Australian, regardless of their digital savviness, deserves a secure cyber landscape. We have long urged everyday Australians to prioritise online cyber security, and while cyber education remains vital, the truth remains: a single click can change everything.

With the advent of AI, cyber security attacks – including phishing campaigns – are anticipated to only increase in volume and sophistication, making it much harder for individuals and small businesses to detect and defend themselves. By providing cyber security to all Australians by default, we can empower individuals and businesses online and collectively work towards a safer and more resilient digital society.

The next strategy must therefore be future-proof and embody a vision of cyber security by default – embedding cyber security principles into every facet of Australia’s digital fabric. As all attacks leverage telecommunication infrastructure, the government must, for example, work with internet service providers (ISPs) to conduct threat blocking at scale based on enterprise-grade security. Given their enormous nationwide reach, ISPs can play an instrumental role in blocking threats at scale by using technologies to automatically detect and stop threats in real time that traverse their networks.

5. Streamline government cyber security regulations and functions

Cyber adversaries can operate anytime, anywhere, and be as agile as they wish, unhampered by complex laws and regulations and using the newest AI-enabled technologies. In order to effectively respond to these threats, it is critical to streamline any overlapping and duplicate regulations to enhance the overall efficacy of the existing regulatory framework and governance.

Within the Australian federal government, there are currently 12 portfolios bearing responsibility for ICT/cyber security policies and operational matters. This has led to a complex web of cyber regulations, which at times can be duplicative and overlapping. To uphold the overarching effectiveness of the existing regulatory framework and maintain Australia’s appeal as a burgeoning cyber market, it becomes imperative to streamline cyber security functions and regulations. In a landscape defined by its dynamism, the agility of cyber security regulations must mirror this characteristic.

An intricate regulatory labyrinth only hampers response times and complicates coordination. By harmonising regulations, the government ensures a seamless, coordinated response that is nimble in the face of ever-evolving threats. This streamlined approach also paves the way for a more efficient collaboration between the public and private sectors.

A resilient digital frontier awaits

As Australia embarks on the journey of crafting its next cyber security strategy, it stands at the crossroads of transformation. The blueprint for a resilient digital frontier is rooted in a strategic fusion of strong public-private partnerships, cyber security for all, the widespread adoption of leading technical policies, streamlined cyber regulations, and a robust ICT supply chain.

By operationalising these imperatives, Australia fortifies its defences, elevates its cyber posture, and lays the groundwork for a future where the digital realm is secure, inclusive, and proactive in the face of adversity. In the symphony of digital innovation and cyber defence, these five pillars harmonise to create a resilient chorus that safeguards the nation’s digital dreams.

Sarah Sloan is the head of government affairs and public policy ANZ at Palo Alto Networks.

David Hollingworth

David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.