Tax incentives could work against cyber threats, says Andy Penn – republished by DMG Social
Business leaders and cyber security experts have united in a call for new mechanisms, including a centralised pool of cyber talent and tax incentives to move data to the cloud, to tackle the “profound” level of malicious threats being faced daily and costing upwards of $33 billion a year collectively.
“It’s unrealistic to keep increasing security budgets and hiring security people – this is not sustainable,” Mark Sayer, Accenture’s cyber defence lead, says. “We need to think differently about how we go about securing our networks. We need to pool key talent so that everyone can benefit, from large banks to small businesses.”
Andy Penn, Telstra chief executive and chair of the federal government’s Cyber Security Industry Advisory Committee, says tax incentives could be used for investments in cyber technologies, including moving data and software systems to the cloud where experts can “harden” technology operations and security.
“That could be an interesting area of opportunity,” Penn says.
He also believes the education system should focus on embedding basic cyber security in generic skills so that people emerge from engineering, robotics, software engineering and coding degrees with the ability to build cyber defences into products and services from the beginning.
“It’s much harder when that’s not happening at its core, then you need cyber security specialists to try to work out a way to fix the problem after the event,” Penn says.
Threat landscape shifts
The cyber security threat profile of Australian business has changed in two distinct ways in the last 12 months, according to Sayer.
First, organisations are waking up to how completely dependent on technology they are. The sheer scale and complexity of technology environments have created unprecedented opportunities for cyber criminals.
Second, a new breed of amateur cyber criminal has emerged, drawn into the opportunity to make relatively easy money out of extortion-based cyber crime.
“We’ve seen evidence of new ransomware threat actors who are clearly novices. The lure of easy money is attracting people who have worked as developers, even perhaps security professionals, into cyber crime,” Sayer says.
The rapid digitisation of work, shopping and government services during COVID-19 has been a boon for cyber criminals of every variety, from state-based threat actors to organised crime, hacktivists, and random amateurs.
The Australian Cyber Security Centre received more than 67,000 cybercrime reports in the 12 months to June 30, an increase of nearly 13 per cent on the prior year.
“The volume of malicious activity is just huge,” Penn says.
Telstra alone is blocking 2.5 million malicious websites an hour on average. Last month it blocked 353 million malicious emails, along with 13 million scam calls and over 300 sites linked to malware command-and-control infrastructure at the network level.
Of the total $33 billion in self-reported losses from cyber crime, medium-sized businesses were hit the hardest with an average loss of $33,000 per incident.
This statistic has garnered the government’s attention. As well as beefing up laws around the cyber security obligations of critical infrastructure operators, the government is debating whether existing provisions in corporations, consumer and privacy law are sufficient to deal with cyber threats in the landscape beyond critical infrastructure entities.
The Corporations Act does not mention cyber security explicitly, for example, but does it need to, when a director’s fiduciary duty and the obligation to take reasonable preventative steps could be read to incorporate cyber security?
Labelling for digital products and services that acknowledges the manufacturer’s obligation under consumer law to ensure it cannot be easily hacked has also been tabled as an option.
Rather than more regulation, there is a strong push for industry-specific standards outlining best practice risk management of cyber security.
Prescriptive regulation will not solve the cyber problem, Sayer says. He points to application whitelisting as a case in point.
“Many regulatory frameworks prescribed this as a control to stop malware, but the threat actors simply moved their attack tools into scripting languages like PowerShell, .NET assemblies and VBScript,” he says.
Others fear prescriptive regulations will have a counterproductive impact, reducing compliance to a box-ticking exercise that loses sight of the overall objective.
Penn believes voluntary industry standards could have a constructive knock-on effect throughout the business community, as directors will implicitly become more attuned to their supply chain responsibilities and whether small and medium business partners have appropriate protections in place.
Collaboration and co-design
There is widespread consensus that knowledge sharing, collaboration and co-design will be critical in meeting the national cyber security challenge. Organisations will need to move up the maturity curve quickly.
“There are some great community initiatives to help share knowledge. Big businesses need to support these and provide greater stewardship to the community,” Sayer says.
“We’re not doing a great job of sharing insights into solutions that work and are effective with the broader community. This is something we could definitely work on improving,” he says.
Models such as the Australian Energy Sector Cyber Security Framework (AESCSF), co-designed with industry and government stakeholders, have been put forward as accelerants.
Penn says the five Joint Cyber Security Centres which sit under the Australian Signals Directorate should be further developed as a priority to facilitate collaboration between industry and government. “This is one of the most important areas for threat sharing,” he says.
Ultimately, the single biggest lever to pull to make a difference in the cyber security wars is awareness.
“You wouldn’t go to a city you’ve never been to before and walk down a dark alley at 2am on your own. How do you know you’re doing that in a cyber security world?” Penn says.
Critical Infrastructure Bill
Fears among executives and boards about new powers which allow the government to take control of critical infrastructure under a cyber attack that threatens national security are unfounded, Penn says.
Business is concerned that it will be left holding the bag on unfulfilled commercial obligations to customers and suppliers because of action taken by the federal government under the Critical Infrastructure Bill, which is being fast-tracked through parliament with bipartisan support.
“There is a lot of paranoia about this,” says Penn, who chairs the industry panel advising the federal government on the implementation of its cyber security strategy.
He says the government is not going to come in and start shutting down corporate networks. But it does have very particular offensive and defensive cyber capabilities that are critically important in a situation where national security is threatened.
“If a port in Australia got attacked by an aggressive nation state with jets and bombers, I don’t think any of us would think twice if the Australian air force went off to intercept and challenge them, notwithstanding the fact that they may be dropping bombs and shooting missiles over a privately owned port. Nobody would complain about that,” Penn says.
Cyber warfare is no different, he says.
Approximately one quarter of reported cyber security incidents affected entities associated with Australia’s critical infrastructure in the year to June 30, according to the Australian Cyber Security Centre’s annual cyber threat report.