Our cybersecurity isn't just under attack from foreign states. There are holes in the government's approach

Prime Minister Scott Morrison revealed last month Australia is actively being attacked by hostile foreign governments.

An advisory note posted on the government’s Australian Cyber Security Centre website said the attackers were targeting various vulnerable networks and systems, potentially trying to damage or disable them.

Read more: China's disinformation threat is real. We need better defences against state-based cyber campaigns

Governments – along with individuals and the private sector – have an important role in addressing cyber risks that threaten our national security. At some point this year, the federal government’s new cybersecurity strategy is set to be announced.

Many in the industry hope it will be comprehensive and backed by significantly more investment than the previous one, to address what is a growing threat. Currently, a cybercrime incident is reported every ten minutes in Australia.

However, due to the unexpected budget impacts of the coronavirus pandemic, there may simply not be enough money to invest in the programs we need to stay protected from large-scale cyberattacks.

An underwhelming delivery

We know governments test each other’s cyber defences in the interest of their own national security.

Information warfare (such as through disinformation campaigns) between governments has taken place for many years.

In 2016, then prime minister Malcolm Turnbull released Australia’s first cybersecurity strategy. It involved investments of more than A$230m across four years for five “themes of action” including including stronger cyber defences, and growth and innovation in the sector.

Read more: Bushfires, bots and arson claims: Australia flung in the global disinformation spotlight

The strategy envisioned making Australia a “cyber smart nation”, by ensuring we had the skills and knowledge needed to thrive in the digital age, while staying cyber safe.

But overall, the strategy was poorly implemented.

For instance, improving cybersecurity requires close collaboration between government, industry, academia and community. To this end, Joint Cyber Security Centres were announced so various parties could share knowledge.

However, prior to COVID-19, plans were in motion to align these centres with the Australian Signals Directorate’s higher security classification. This would hinder a collaborative environment by restricting movement within, and access to, the centres.

Moreover, only 32% of cybersecurity professionals have visited a centre, highlighting the government’s failure to engage with the sector.

Four years on from the initial strategy’s release, the “smart nation” vision seems lost. The cybersecurity sector faces skills shortages, and the public and businesses remain largely unaware of how to protect themselves.

It’s clear a cybersecurity reset is required.

We need a targeted, forward-thinking strategy

The release of the Morrison government’s new strategy has been delayed due to COVID-19, but we have some idea of what to expect.

The government has announced it will redirect existing defence funding to the Australian Signals Directorate (ASD) and Australian Cyber Security Centre (ACSC) to employ up to 500 additional staff to tackle cybercrime.

But how this will work in a market with skills shortages is unclear.

Read more: Morrison announces repurposing of defence money to fight increasing cyber threats

Also, redirecting existing funding into cybersecurity is positive, but it is only one part of the solution. What’s missing from the conversation is strategic, long-term investment.

A holistic, interdisciplinary approach

Effective cybersecurity is about more than technology – it’s about people (from a range of backgrounds), user behaviour, business processes, problem solving capability, regulations, industry standards and policy.

I’ve read 156 submissions to the upcoming cybersecurity strategy, which was open to public comment. I also have knowledge of confidential submissions not made public.

Drawing on these views, and my own expertise, here are five elements I believe the upcoming strategy should contain:

1. Educate to drive behavioural change

The “Slip, slop, slap” health awareness campaign was one of the most successful we’ve ever had.

It drove real social behavioural change in Australia. A similar change is required to help make Australians more knowledgeable about cybersecurity issues, and how technology can be exploited.

This isn’t a quick fix, and will likely be a long-term effort.

2. Build resilience in critical infrastructure

COVID-19 has demonstrated how easily societies can be disrupted, particularly key supply chains and systems.

We need improved processes, regulation and standards to ensure the infrastructure we rely on is cyber-resilient. When breaches occur, organisations must be prepared to resolve them and restore services.

Banks are a good example, as they rely on thousands of suppliers. On this front, the Australian Prudential Regulation Authority last year introduced a prudential standard called CPS234, aimed at improving resilience against information security incidents (including cyberattacks).

3. Help small businesses

More grants and tax incentives for small businesses will enable them to access technology and talent to improve their cybersecurity capabilities.

A coordinated approach is needed through all levels of government to raise awareness of the adverse impacts cyberattacks have on businesses. This includes the consequences of customer data and privacy breaches.

It’s also crucial businesses know where to independently seek clear and concise advice when required.

4. Nurture the talent pipeline

Almost every day I hear about the industry’s cybersecurity skills shortage. I also hear from students how tough it can be to get a job in cybersecurity, even with any number of certifications.

It’s easy for businesses to poach existing talent from other organisation rather than hire graduates or interns. To break this cycle, we need improved educational courses focused on the skills employers want.

There should also be incentives for businesses to employ interns and graduates.

5. Cut the bureaucratic red tape

The federal government needs to do more to address Australia’s cybersecurity problem holistically – not just with additional legislation and funding for existing government agencies.

Hierarchies and dealings within the sector are currently overly complex.

Simplification and common sense are required.

Protecting Australians from outside parties intent on exploiting the technology we use isn’t something we can achieve overnight.

The digital cybersecurity strategy to be delivered by the Morrison Government needs to not only be impactful, but also built with future governments in mind. In such volatile times, it has never been more important to protect Australians.