Category: cyber security

  • A cohort of “trusted” companies will share in $6.9 million in federal government grants to support SME cyber awareness and resilience, with nearly 40 per cent of the money going to channel partners.

    Charities, a university and the peak caravanning group also received funding to help SMEs build cyber awareness and “promote action”.

    But more than $2.7 million of the grants will go to IT Connexion, Loyal IT Solutions, CyberCX, Real World Technology Solutions, First Focus IT and Concept Data, to develop various cyber awareness and support training initiatives.

    Two of the biggest grants went to cyber services providers CyberCX and Real World Technology Solutions, which each received the maximum $750,000 on offer.

    The government has provided $6.9 million in grants to support SME cyber awareness and resilience.

    CyberCX is the private sector venture of former head of the Australian Cyber Security Centre and Special Adviser to the Prime Minister on Cyber Security Alastair MacGibbon. It has received funding for a ‘Cyber123 for SME’ program.

    Real World Technology Solutions is an IT services provider for SMEs and not-for-profits. Its grant will be used to support cyber security resilience within small-to-medium, charity & indigenous businesses.

    Business support charity the Murray Hume Business Enterprise Centre also received the maximum $750,000, while the Queensland Chamber Of Commerce And Industry received $738,500 for its cyber security accreditation program.

    The grants are part of the Cyber Security Business Connect and Protect Program, which provides funding to trusted organisations that give business advice to SMEs to raise their cyber risk awareness, promote action to address the risks, and support SME uplift to best cyber practices.

    Applications closed in November last year with successful applicants revealed last week and announced Tuesday by the government.

    “SMEs make up 99 per cent of all Australian businesses and employ about half our workforce, so it is essential to our economy and national security that SMEs continue to expand and improve their digital capabilities in a secure way,” Industry Minister Christian Porter said.

    “The assistance provided through this grant program will support businesses in recognising cyber risks and opportunities, particularly in the wake of the strong digital uptake during the COVID-19 pandemic.”

    Business support groups and consultants in the Hunter Region, Wodonga, Brisbane and Darwin will also get funding.

    The Western Sydney University will receive $754,920 to develop its Oz Cybersecurity Aid Centre and online call line in conjunction with four New South Wales cybersecurity companies.

    Caravan Industry Association Of Australia received $364,500 for cyber awareness training in Australia’s caravan and camping industry.

    The 14 successful applicants and their funding are:

    • IT Connexion – $250,000 for Cyber Security Awareness Training
    • Loyal I.T. Solutions – $456,258 for Cyber Secure Central Coast!
    • CyberCX – $750,000 for Cyber123 for SME
    • Real World Technology Solutions – $750,000 for Cyber Security resilience within SMB, Charity & Indigenous Businesses
    • First Focus IT – $339,780 to Develop & deliver a cyber security education package for SME C-suite
    • Concept Data – $188,721 for a South Australian Business Cyber Security Advisory Service
    • Murray Hume Business Enterprise Centre Limited – $750,000 for a Business Enterprise Cyber Secure initiative.
    • Hunter Business Centre – $349,40 for a Cyber Security Culture Program for Regional SMEs
    • Queensland Chamber Of Commerce And Industry – $738,500 for a Cyber Security Accreditation Program
    • Business Enterprise Centre (Darwin Region) – $219,596 for its CyberSafe program
    • Belmont Business Enterprise Centre – $274,900 for cyber security training and mentoring
    • The Project Lab – $641,434.00 for CyberUP for SMEs
    • Western Sydney University – $745,920 for its Oz Cybersecurity Aid Centre
    • Caravan Industry Association Of Australia – $364,500 for cyber awareness training in the camping and caravan industry

    The post Govt gives IT resellers $7M for SME cyber support appeared first on InnovationAus.

    This post was originally published on InnovationAus.

  • The World Economic Forum recently pointed out that cyberattacks rank first among global human-caused risks and this year, it’s expected cybercrime will cost the world US $11.4 million each minute. Let that sink in for one moment.

    It’s no wonder cybersecurity has emerged as one of the hottest topics for Australian boardrooms – especially in the context of accelerated digitisation and prolific cybercriminal activity driven by Covid-19.

    At the same time, geo-political pressures on Australia to adopt internationally recognised cybersecurity standards and build safer critical infrastructure are growing.

    An increase in cybersecurity is needed. Yet, no matter what we do, the stats keep showing more successful attacks, more data breaches, and more system compromises.

    Road to nowhere: What the big selling EH Holden can tell us about cybersecurity

    What are we missing?

    To quote the immortal words of Albert Einstein, “the definition of insanity is doing the same thing over and over again and expecting different results.”

    For years we’ve been adding more security layers on top of each other, and on top of systems not organically designed to be secure, in the hope that one day we’ll reduce our vulnerabilities. Yet, the issue gets bigger each day.

    Those security layers, while needed, only help us keep up with the rising complexity of the threat landscape, not get on top – or ahead – of it.

    Something else needs to be done to drive a different outcome. It won’t happen overnight, but it is critical we change what we’re doing, as well as our overall cybersecurity thinking.

    Are we repeating the same mistakes over again?

    As a nation we understand the importance of ramping up cybersecurity; however, on the whole, we still have a relatively passive posture towards it.

    What we’ve done so far is much like car safety before the 1970s: investing resources in making driving safer by insisting people pass driving tests, fining drivers for bad behaviour, while also adding road speed limits, stop signs, and traffic lights.

    When it comes to cyber, we’ve continuously focused on user awareness, user access control, traffic monitoring, protecting endpoint devices, data networks and computing infrastructure.

    While those have their place, just like driver training and licensing play a role in road safety today, they do not shift the cyber-incident needle materially. Governments, organisations and people are still having more fatal accidents – in a cyber sense.

    In the same way car safety needed to go deeper in the 60s, so too does our cybersecurity approach.

    Embedded safety learnings from the EH Holden days

    Auto industry lessons from the past may teach us how to fundamentally improve safety and remove the roadblocks from our current ineffective cybersecurity approach.

    Prior to the 1970s, there was a direct correlation between the number of cars registered and the number of road fatalities. This was despite safety features being available on many vehicles as premium options, mandatory licensing of drivers, and investment in better road signage and infrastructure, which is very similar to what we’re seeing in cybersecurity today.

    Then something changed. Car ownership exploded in Australia – a large part of it driven by the EH Holden which would become one of the most successful cars Holden ever built – very much like today’s accelerated digitisation of our economy.

    In just a few years every family owned a car (Holden produced more than 256,959 EH models in 18 months), the road toll proportionally rose, and it became apparent a change was needed to improve auto safety.

    It took years, but government and manufacturers finally realised that safety needed to be embedded into every car if they were to reduce the community cost and reputational damage of car related deaths.

    From the late 1960s until today, we’ve seen both the legislative and industrial embedding of safety features into the vehicles themselves.

    It started with mandates on the likes of seat belts, collapsible steering columns, and airbags, and moved on to manufacturers proactively embedding advanced safety features such as ESC, adaptive cruise control, and anti-collision systems (manufacturers came to realise it was good for business).

    This took safety out of the hands of the drivers and road conditions.

    Embedded security lessons for cyber

    We need a new approach that doesn’t expect every person who attends cybersecurity awareness training to be the cybersecurity equivalent of Lewis Hamilton.

    Often when it comes to digital systems, it’s the data itself we are trying to protect from accidental or deliberate damage to its confidentiality, integrity or availability.

    Some data-dependent organisations today – very (very) few though – have recognised the need for embedding security and have invested in digital systems that are fundamentally different in their approach. These systems codify security using data encryption, anonymisation, and access controls. They no longer rely solely on user behaviour or computing infrastructure.

    If we want to protect our digital economy we need to stop thinking of cybersecurity as a user problem, or as something that can be fixed through infrastructure. We need to start embedding it in digital business processes and systems.

    Just like the EH Holden had the potential to be much safer, all the tools for embedding safety into digital systems and data platforms already exist – the missing piece is the realisation and will by industry and government to re-think and re-frame our cybersecurity strategy: it’s time to embed, not add on.

    Brian Grant is ANZ Director for Digital Security at Thales

    The post What the EH Holden can teach us about cybersecurity appeared first on InnovationAus.


  • Australia has pledged $37.5 million to its regional neighbours to shore up their cyber defences and will seek to establish a new global agreement on responsible cyber behaviour, as part of a new international engagement strategy launched Wednesday by the government.

    Labor has criticised the plan for being months behind schedule, failing to support local institutions, and lacking “real action”.

    Developed by DFAT last year but only launched on Wednesday due to Foreign Affairs Minister Marise Payne’s “scheduling” issues, the International Cyber and Critical Technology Engagement Strategy outlines Australia’s plans to use cyber and critical technology in a “more dynamic and contested regional environment”.

    Marise Payne has launched Australia’s International Cyber and Critical Technology Engagement Strategy, originally scheduled to be released last year.

    The original 2017 cyber engagement strategy has been expanded to include “critical technologies”, defined as technologies that have the capacity to significantly enhance or threaten national interests. They include things like AI, 5G, IoT, quantum computing and synthetic biology as well as cyber security, according to the strategy.

    “Countries and companies at the cutting edge of innovation in these critical technologies often promote values that are at odds with our own,” Minister Payne writes in the new document’s foreword.

    The three pillars of the strategy are values, security, and prosperity. Australia will pursue and support these, and oppose efforts to undermine them, according to the plan.

    The strategy will be used to guide Australia’s international engagement “across cyber and critical technology issues” in the hopes of leveraging technological innovation while avoiding the risks it creates.

    As part of the strategy, the government announced a package of measures to support regional neighbours to build and maintain their own cyber resilience.

    Australia will co-sponsor a proposal to establish a new United Nations Program of Action for Responsible State Behaviour in Cyberspace. All UN members already agree the Charter of the UN in its entirety is applicable in cyberspace, but the Australian government will push for a new dedicated cyber behaviour program.

    Australia’s flagship Cyber Cooperation Program, established in 2016 to support the cyber resilience of countries in Southeast Asia and Pacific, has also been rebranded Cyber and Critical Tech Cooperation Program and will receive an “additional $20.5 million” in funding.

    But the program will drop Pacific nations, which will now receive cyber support separately, including $17 million announced Wednesday to strengthen their capabilities and resilience.

    The government said it will also support partnerships between Australian and Indian universities through an Australia-India Cyber and Critical Technology Partnership program.

    “The Strategy’s aims, to strengthen national security, protect our democracy and sovereignty, promote economic growth, and pursue international peace and stability, are founded in Australia’s national interests,” Foreign Affairs Minister Marise Payne said in a statement.

    The Opposition have questioned the plan, however, saying it fails to support Australian institutions or show “real leadership”.

    A joint statement from Shadow Minister for Foreign Affairs Penny Wong and Shadow Assistant Minister for Cybersecurity Tim Watts said, “Many of Australia’s most significant social and economic opportunities, as well as geostrategic and security challenges, are currently unfolding through the prism of cyber and critical technologies.

    “Yet Australian industries and institutions have been left to go it alone. The strategy does not propose any new actions by the Morrison Government to tackle the billion-dollar wave of ransomware attacks Australian businesses are facing from international cybercrime groups.”

    Mr Watts last month told Parliament that a lack of leadership on cybersecurity from the Morrison Government, including declining to attribute or seriously address major attacks publicly, was putting Australians at risk.

    Labor has also released its own ransomware strategy which includes calls for diplomatic cooperation on practical measures to address global cybercrime. The party also wants democratic institutions considered critical infrastructure.

    In the joint statement, Mr Watts and Ms Wong said the latest engagement strategy represented more risky rhetoric and lacked practical measures.

    “In her speech launching the strategy, the Foreign Minister referenced cyber-attacks on the Australian Parliament and political parties, declaring that ‘attacks on democracy cannot go unchallenged’.

    “But the Morrison Government has never taken any action to challenge those responsible for the 2019 cyber-attacks on the Australian Parliament, nor has it publicly attributed responsibility — despite all its tough talk.”

    The post DFAT cyber engagement strategy launched appeared first on InnovationAus.


  • Australia has officially attributed the SolarWinds cyber attack to Russia and has committed to helping the US in holding the nation “to account” for the incident.

    Overnight US President Joe Biden signed an Executive Order declaring a national emergency to deal with the threat of Russia’s foreign interference, including “malicious cyber-enabled activities”.

    In a joint statement released late Thursday, Foreign Affairs Minister Marise Payne, Defence Minister Peter Dutton and Home Affairs Minister Karen Andrews condemned Moscow for a “harmful cyber campaign” against US firm SolarWinds.

    “Over the past 12 months, Australia has witnessed Russia use malicious activity to undermine international stability, security and public safety. Australia condemns such behaviour,” the Ministers said.

    “Russia’s campaign has affected thousands of computer systems worldwide. Australia acknowledges the high costs borne by the US private sector.”

    Marise Payne joined the Defence and Home Affairs Ministers in attributing the SolarWinds attack to Russia. Image: Ron Przysucha/United States Department of State.

    SolarWinds is a major IT firm that provides software to large companies and governments. A massive cybersecurity attack on the company spread to its clients last year and is believed to have exposed sensitive information held by the US government, including data of the US military and White House.

    Hackers from Russia were suspected almost immediately when the attack was first reported by Reuters in December last year. US security agencies first accused the Russian government of orchestrating the SolarWinds attack in January.

    But the attack was not officially attributed to the state actor until Thursday in a joint advisory from US intelligence firms that named Russian Foreign Intelligence Service actors APT29, Cozy Bear, and The Dukes as being supported by the Kremlin.

    US President Joe Biden also signed an Executive Order on Thursday condemning the Russian government’s foreign interference, including meddling in US elections and the facilitation of “malicious cyber-enabled activities against the United States and its allies and partners”.

    President Biden’s order includes a host of sanctions against Russia, escalating tensions between the superpowers.

    “The United States is not ready to come to terms with the objective reality that there is a multipolar world that excludes American hegemony,” a Russian government spokeswoman said.

    “We have repeatedly warned the United States about the consequences of its hostile steps, which dangerously increase the degree of confrontation between our countries.

    “A response to sanctions is inevitable.”

    The Australian government joined international partners in supporting the US to combat the SolarWinds incident in its joint statement on the attack.

    “Australia welcomes private sector and government responders’ efforts around the world to expose and mitigate this threat and uphold the international norms of responsible behaviour in cyberspace,” the statement said.

    The post Australia blames Russia for SolarWinds attack appeared first on InnovationAus.


  • The National Archives of Australia is struggling to maintain cyber resilience as the agency battles budget and staff cuts that are also putting important records at risk and slowing the work of researchers.

    But the government has rejected the idea the agency is under-resourced, as it mulls major reforms recommended in a damning internal review of the National Archives handed to it more than a year ago.

    Significant vulnerabilities were identified by the ANAO in its 2018 review of the National Archives’ cyber resilience, which triggered the development of a cyber resilience framework and supporting plan.

    A subsequent, wider review of the agency in 2020 found implementation of the cyber strategy had been slowed by “funding pressures” and more resources were needed.

    The National Archives has warned it is struggling with cyber resilience

    The National Archives has lost between five and nine million dollars in funding each year for the last five years through government savings measures and increases to “efficiency dividends”.

    During Senate Estimates on Wednesday, National Archives director-general David Fricker answered questions about the review, which the government is yet to respond to despite receiving it more than a year ago.

    Mr Fricker confirmed the agency was struggling with resourcing pressures which forced two rounds of redundancies since 2014 and limited upgrades of technology.

    The pressures are manifesting in three immediate areas of concern, according to the Archives director-general.

    “The [three] areas where we are feeling the most pressure at the moment are maintaining our cyber resilience – so investments in our cyber security capability – [and] the preservation of records at risk … and keeping up with the demand for declassification of records,” Mr Fricker said.

    Mr Fricker explained there are many unique records at risk because of the format they are stored on. He said the agency needs to invest tens of millions of dollars more in technology and staffing to safely migrate and protect the records, which include indigenous cultural artefacts.

    Losing the records would constitute a breach of the Archives Act, a key concern raised by the internal review.

    Mr Fricker said resourcing pressures were also contributing to delays in assessing and releasing archives to researchers with a backlog now sitting at more than 20,000 applications.

    Despite the evidence presented, Assistant Minister to the Attorney-General Amanda Stoker rejected questions from Labor Senator Raff Ciccone about resourcing pressures compromising the National Archives, which is mandated to preserve records.

    “I don’t accept that they are in breach of the [Archives] Act. If there is evidence of that I will be interested in it. But I don’t accept the premise that the Archives are being starved [of funding],” Senator Stoker said.

    “They receive a considerable amount of resources annually for their important work.”

    Senator Stoker said the delay on a government response to the 2020 review was due to the significant changes it proposes for the National Archives. She said implementing “some version” of the recommendations would cost more than $200 million.

    She declined to set a date for the government’s response but said it can be expected by the end of the year.

    The post Funding-starved National Archives struggles with cyber resilience appeared first on InnovationAus.


  • In anticipation of international borders reopening, Australia has recommitted to collaborating with its Five Eyes counterparts on migration, foreign interference, child exploitation and cybercrime – including the growing threat of ransomware which received a new dedicated agreement.

    In one of her first major moves as Home Affairs Minister, Karen Andrews met virtually with her Ministerial counterparts from the US, UK, New Zealand and Canada last week.

    “Cooperation with our trusted partners is critical to keeping Australians safe, particularly in the face of the ongoing COVID-19 pandemic,” Mrs Andrews said in a statement on Friday.

    “By working together and leveraging our collective knowledge and experiences we can better respond to threats here at home.”

    Karen Andrews and Five Eyes countries pledge to work together on global challenges.

    The countries signed a new communiqué which includes commitments to share best practices on “innovative and effective border and migration measures” in response to the pandemic, countering foreign interference in academia and research and development, a global approach to combatting cybercrime and ransomware, and a feasibility study on a shared dataset for law enforcement agencies combatting child exploitation.

    “The whole world is eager to open up again, but it’s essential that we do it in a way that’s safe and sustainable,” Mrs Andrews said.

    “The development of international standards and best practice will be critical to ensure the resumption of large-scale international travel in the future.”

    A dedicated statement was issued for how the countries expect to tackle the growing threat of ransomware which was noted as a criminal threat but also a risk to national security, critical infrastructure and governments.

    Five Eyes countries committed to sharing lessons on ransomware and, where possible, aligning national policies, public messaging and industry engagement.

    The group also pledged to address the “underlying factors” of the issue, including reducing the public’s exposure to ransomware.

    Australia has identified the threat of ransomware most recently in a government advisory group report which urges Australian businesses to implement basic cybersecurity practices but includes no recommendations for governments or policies.

    The Opposition criticised the report and released its own paper calling for the government to develop a National Ransomware Strategy and take actions to reduce the attractiveness of Australian businesses for hackers.

    The final commitment in the Five Eyes agreement is to continue the global fight against child exploitation and abuse. The pandemic and new technologies are compounding the problem, the group said in the agreement which includes committing to a new feasibility study on a “specific combined dataset for use by our law enforcement agencies”.

    Five Eyes countries are also asking for more from the tech companies which provide the digital services perpetrators routinely exploit. While the agreement supports “strong encryption” and a collaborative approach between government and industry, Australia’s representative attacked social media companies and their encrypted services.

    “We all have a role to play in tackling this horrific behaviour, including technology companies who are neglecting their social responsibility to protect children online. Their use of end-to-end encryption is putting children’s safety at risk and precludes lawful access to data,” Ms Andrews said in her statement.

    “Our Government will continue to work with our trusted partners to pressure technology companies to address public safety challenges by building their systems and platforms with safety front of mind.”

    The post Govt signs Five Eyes ransomware pledge appeared first on InnovationAus.


  • Australia’s cybersecurity startups have matured to a point where many have global potential. But a lack of support from the federal government in both policy and procurement is holding the sector back, according to a Melbourne cyber accelerator.

    CyRise chief executive Scott Handsaker says beyond the government’s AustCyber growth centre there is little in the way of support for early stage cyber companies.

    “Outside of that [AustCyber], the strategy from the Australian Government is not really focused on entrepreneurship,” Mr Handsaker told InnovationAus.

    “They don’t really see it as critical, which I think is wrong.”

    Government procurement policy is getting in the way of startup growth

    The Australian government’s $1.7 billion cybersecurity strategy unveiled last year has been criticised for its lack of support for local industry.

    The vast majority of funding for the strategy had already been announced and is re-appropriated from the Defence budget. It provides little attention to the local cyber sector including no incentives for startups and tech companies.

    Experts have also pushed for a less fragmented approach to Australia’s cyber policies that sees cybersecurity as a national interest rather than a national security issue.

    CyRise was founded in 2017 through a partnership between Deakin University and global tech service firm NTT. The accelerator provides funding and support to cyber startups in exchange for a small equity stake, and has typically focused on early stage Australian companies in its four previous cohorts.

    Mr Handsaker, whose accelerator received support from the Victorian government to get started but now operates independently, says it is critical to support local cyber companies early on as their first customer is typically the hardest to get.

    A risk averse culture from the federal government, however, means large cyber multinationals get most of the work, leaving the procurement lever unpulled, according to Mr Handsaker.

    “From a government’s perspective, typically, they’re going to go with a really large company — often that’s a multinational company — so that they can feel confident and safe their services are going to be delivered. And that’s not always the case.”

    “… There’s enormous opportunity to drive innovation by using a procurement lever. At the moment, federally, whatever they’re doing it’s not working.”

    There is a similar challenge for cyber startups trying to work with risk averse large corporates in Australia, according to Mr Handsaker, who says big companies are typically more open to smaller partners in the UK, Israel and the UK.

    CyRise seeks to address the reluctance through the network partnerships it provides its cohorts, including the latest round announced this week.

    The accelerator is taking on board five companies ranging from drone security to developer skills in its fifth and latest cohort. CyRise invests $50,000 into each team and provides a 14 week program. The companies are:

    • Dronesec: a cyber-UAV firm providing security and threat intelligence for drones and drone operations.
    • Safestack: The startup’s academy trains developers, testers, analysts and architects in security skills to design, build and deploy secure, high quality software at speed.
    • Cyamast: an Australian cybersecurity technology and analytics company that has developed a new approach to asset visibility and anomaly detection for connected devices.
    • Byte25: a network monitoring solution providing comprehensive visibility of network security, performance and end user experience.
    • Traild: an AI-driven security product that patrols the payment workflow to protect businesses from business email compromise, insider fraud, supplier fraud and other threats.

    “The quality of the teams just continues to rise,” said Mr Handsaker.

    “100 per cent of the teams coming into the program have existing revenue, with more than half having customers spread across multiple countries.”

    The post Procurement policy holds cyber startups back appeared first on InnovationAus.


  • The government is still yet to publish Australia’s 2020 international cyber engagement strategy, four months past its scheduled release and three and a half years on from the inaugural strategy.

    The strategy is currently with the government for consideration, but has apparently been accepted and is already informing Australia’s international cyber relations. Its absence has prompted renewed concerns from the Opposition about the “disarray” of Australia’s cybersecurity policies.

    The International Cyber Engagement Strategy was developed and launched by the Department of Foreign Affairs and Trade in 2017 along with the appointment of Dr Tobias Feakin as the Ambassador for Cyber Affairs and Critical Technology.

    The strategy is intended to guide global and regional engagement across the full range of Australia’s interests in cyber affairs and is scheduled to be revisited every three years to adjust its settings.

    An international engagement strategy for Australia’s cyber affairs remains unpublished months after its scheduled release.

    A new 2020 strategy has been with government for consideration since last year and was scheduled to be launched at the end of the final Parliament sitting week in December.

    During Senate Estimates last month, Dr Feakin said the new strategy is already informing a range of ongoing work by DFAT but a “particularly busy parliamentary activity week” last year meant a “short postponement” to the official launch was necessary.

    “We’re in discussions about a suitable date,” Dr Feakin told the Estimates hearing.

    Foreign Affairs Minister Marise Payne said that she had delayed the launch because of “timing and the scheduling issues”.

    A DFAT spokesperson confirmed the updated strategy is now in use but did not respond to questions on when it will be launched or when it was first provided to government.

    “The International Cyber and Critical Technology Engagement Strategy continues to inform DFAT’s active program of international engagement in pursuit of a safe, secure and prosperous Australia, Indo-Pacific and world,” the spokesperson told InnovationAus.

    The work influenced by the unpublished strategy includes the recent launch of a Quad Critical and Emerging Technology Working Group, following a March meeting of the US, Japan, Australia and India, as well as DFAT’s ongoing work to “build the cyber resilience of regional partners”, according to the spokesperson.

    Shadow Assistant Minister for Cyber Security Tim Watts said the response from the department official and the Minister for Foreign Affairs during Estimates last month highlighted “the disarray that is cybersecurity policy in the Morrison Government”.

    “It seems incredible that an important government strategy has been sitting in a drawer gathering dust for four months because the Minister is too ‘busy’ to launch it,” Mr Watts told InnovationAus.

    “Australians deserve better than these excuses when it comes to an issue as critical as cyber security.”

    First developed in 2017, Australia’s International Cyber Engagement Strategy was broadened to include critical technology in the 2020 update.

    Public submissions to the 2020 strategy closed in June 2020 and included stakeholder input from academics, civil society groups, Big Tech and cyber companies among 31 submissions. DFAT also engaged with 18 Commonwealth departments on the new strategy, which supersedes the 2017 plan.

    Since the strategy was originally scheduled to be released last year, a series of high profile international cyber attacks have occurred, including the Microsoft Exchange exploit which led to a breach of Western Australia’s parliamentary email network and a SolarWinds software exploit which provided attackers access to US government networks.

    While China and Russia have been the respective suspects of the two incidents, Australia has yet to attribute either cyber attack. Dr Feakin told Estimates DFAT’s increasing preference is to make attributions in partnership with allies, but the department was yet to go through any multilateral attribution processes.

    The post Govt’s global cyber strategy delayed by ‘busy’ parliament appeared first on InnovationAus.

  • Organisations across the board are slow to recognise that the data that is now fundamental to their operations has also opened them up to huge risks and vulnerabilities.

    As a result, companies are failing to factor basic data protection and cyber security infrastructure into their decision making at the highest levels.

    The costly consequences of organisations’ appetite for data without implementing adequate safeguards have been evident in legislative penalties imposed by various governments on some of the world’s biggest corporations for failing to protect customer data and privacy.

    Mike Trovato, James Riley, Thomas Fikentscher
    Bridging the Cyber Divide: Mike Trovato, James Riley, Thomas Fikentscher

    In the Navigating Privacy and Law episode of the Bridging the Cyber Divide series, Mike Trovato, managing director of Information Integrity Solutions and lead security advisor and Internal Consulting Group’s global practice leader for cybersecurity, said the past year had seen Google fined €50m by the French regulator, and the UK regulator fined British Airways £183m and Marriott International £99m.

    “It was good to see regulation having some teeth,” he said. “It got everyone’s attention and is getting people to take this more seriously, and to take important actions with respect to privacy and security.”

    Meanwhile, competitive pressures and opportunities are driving organisations to gather more and more data. Thomas Fikentscher, regional director ANZ, at CyberArk, said organisations were struggling to put in place the policies and procedures needed to handle the data being collected to serve business initiatives.

    “Organisations need to find a way to shift their revenues online, but that comes with risk. They must collect a lot of data, and not just personal data. The problem is that they can only use that data for certain purposes, for example can they share it with their supply chain?

    “That part of the equation is not properly set into policies and measured against certain standards around privacy, data security and data access. It’s an area where we need to have a lot more discussion; where there are many more risks that need to be measured and need to be managed.”

    Mr Trovato said compliance with data regulations was now one of the biggest challenges facing businesses – the danger has gone beyond simply a failure of compliance to represent an existential threat to organisations.

    “The compliance issue is multifaceted and complex – it’s difficult to overlay it onto an organisation,” he said. “And there is a broad set of issues around shared risk – where what I do in my organisation can impact your organisation, and so forth. We’re really looking at an entire ecosystem.”

    He said consumers had a right to expect businesses to do more to protect their personal data. “We have the expectation of safe vehicles and safe aeroplanes and so forth. But for some reason, in the area of information technology (IT), we expect the consumer to take a significant responsibility in managing the safety of our products. I think the world of IT has to do better.”

    Mr Fikentscher said organisations had been slow to implement security commensurate with the risks created by their hunger for data.

    “We’re still in catch up mode,” he said. “Organisations want to move ahead, because of the business opportunity.

    “Retail organisations, for example, collect a huge amount of data – they’re giving out loyalty cards, trying to understand who you are, what are your preferences, and monitoring your behaviour when they offer you certain things. They’re collecting all this information because it’s all about creating new digital experiences.”

    He said that by doing that, and by being more reliant on the technology, they are creating an increasing amount of risk for their businesses, because a single breach – that gives someone access to that data – can severely disrupt them.

    According to Mr Fikentscher, data security and liability should be standing items on every company’s monthly board meeting.

    “Security considerations should be part of digital transformation initiatives from the beginning, but it is still not front of mind for most people. Revenue is the driving factor, but revenue could be severely compromised if they don’t get cyber security right.”

    Mike Trovato meanwhile said his own investigations had revealed many examples of very poor data security.

    “I’ve gone into organisations and tried to see if they are leaking personal information, or if I can obtain it through an attack. Almost every organisation fails both those tests. We need to do a much, much better job to protect information.”

    There are some signs of progress, according to Mr Trovato. “We are seeing organisations that are a bit more forward thinking and doing some good privacy-by-design work, leveraging legislation. For example, the legislation around the Commonwealth COVID app is probably the strongest privacy legislation in the world.”

    A key pillar of Australia developing a robust cyber security industry is the set of mechanisms used to rigorously protect citizen data and information, at both a public and a private level.

    The increased reporting and disclosure of data breaches and identifiable information, locally and globally, has kept a focus on data privacy but there’s a lot more work that needs to be done.

    The Bridging the Cyber Divide series is produced as a partnership between InnovationAus and CyberArk.

    The post Danger lurks in organisations’ hunger for data appeared first on InnovationAus.

  • A NSW parliamentary inquiry has recommended an overhaul of the state government’s cybersecurity strategy and a review of its cyber policies in the wake of a serious data breach that resulted from cyber risks being ignored.

    Nearly a year after a cyberattack on Service NSW that allowed hackers to access millions of internal documents, the incident is yet to be fully addressed.

    Risky data practices have continued and thousands of NSW citizens whose data was involved were not notified. The breach is expected to cost the service agency at least $30 million.

    The incident may have been prevented had the agency addressed the cyber risks it identified a year earlier, according to a NSW Upper House inquiry that has now called for structural changes.

    NSW Parliament
    NSW Parliament: An inquiry has made recommendations about cyber defences

    Recommendations include strengthening the mandate and resourcing of Cybersecurity NSW, including moving the function from the Department of Customer Service to the Department of Premier and Cabinet.

    Doing so would provide much needed independence from the state’s service providers, the inquiry found.

    Of “urgent” importance is the establishment of a mandatory data breach notification scheme applicable to all NSW agencies and their contracted service providers, and a formal process for assisting people affected by a data breach, the committee said.

    Currently neither measure exists in the state, an absence that contributed both to the occurrence and to the poor handling of the Service NSW data breach that sparked the inquiry.

    “The committee found that this attack was enabled by practices and systems within Service NSW that did not accord with best practice cyber security measures,” Committee Chair Tara Moriarty wrote in the report foreword.

    “Compounding this incident, Service NSW was aware of the risks that led to the attack some 12 months earlier but had not acted sufficiently to address them.”

    A targeted phishing attack on the service agency in March and April last year compromised data of more than 100,000 people when attackers gained access to Service NSW employee email accounts.

    It took Service NSW three weeks to verify the incident and notify the minister. It took months more to notify users of Service NSW whose data had been exposed. And nearly a year after the incident, 20 per cent to 30 per cent of those affected had still not been notified.

    A review of the incident by the NSW Auditor General in December found it was “unclear” why Service NSW had not effectively mitigated the risk prior to the breach.

    Service NSW identified risks including a lack of multifactor authentication a year prior to the breach and had committed to addressing them in 2019, but failed to do so until after the major incident in 2020.

    “Service NSW is not effectively handling personal customer and business information to ensure its privacy,” the Auditor General concluded. “It continues to use business processes that pose a risk to the privacy of personal information.”

    Service NSW chief executive Damon Rees told the parliamentary inquiry in February the agency has continued to use at least one high risk practice – sending personal information via email – as it worked on a more secure alternative. But he insisted many of the risks have now been mitigated.

    Other recommendations from the inquiry include a review of the “responsibility and resourcing” of the NSW privacy watchdog; more work from the government with industry to develop a cybersecurity skills framework; more clarity on cyber standards including mandatory ones for government agencies; investigating ways to improve the security of IoT devices; a strategy for improving the cyber safety of citizens; and more support to local councils to enhance their cyber capabilities.

    The Committee also recommended the NSW government develop a strategy to enhance sovereign cyber security capability by building the local industry and establishing principles for procuring services onshore.

    The post NSW readies state overhaul of cyber defences appeared first on InnovationAus.

  • So great is the shortage of cybersecurity skills in Australia that organisations have no hope of recruiting the people they need and must instead resort to casting a wider net and training suitable candidates with the skills needed to combat the growing threats they now face.

    That’s the view of Professor Richard Buckland, professor in cybercrime, cyberwar and cyberterror at the School of Computer Science and Engineering at the University of New South Wales (UNSW) and director of SECedu, the Australian Cybersecurity Education Network.

    In Scaling Cyber Skills, an episode of the Bridging the Cyber Divide video series produced as a partnership between InnovationAus and CyberArk, Prof Buckland said there were 600 students undertaking cybersecurity training at UNSW – a twelvefold increase in five years – and all already had jobs to go to.

    CyberArk
    Nationwide reskilling: Bruce Nixon, James Riley and Richard Buckland on cyber skills

    “I get people all the time saying, ‘Can you give me your best students, I’ve got buckets of money,’ and I have to say, ‘I can’t even give you my worst students – they’re already gobbled up even before they graduate’,” he said.

    A report published last month by RMIT and Deloitte Access Economics estimated that 87 per cent of jobs in Australia required digital skills, and the country needed 156,000 new technology workers to keep pace with the rapid transformation of businesses.

    An even greater shortage was identified by AlphaBeta in a study commissioned by AWS. It estimated Australia would need an additional 6.5 million newly skilled and reskilled digital workers by 2025, a 79 per cent increase.

    A more precise measure of the shortage of cybersecurity skills, by both skill and location, is provided by CyberSeek, a tool created by cybersecurity company CyberCX and the Australian Cyber Security Growth Network, AustCyber. It has developed a heatmap that shows cybersecurity job openings in Australia by location and specialisation.

    It says from October 2019 to September 2020 there were 4,500 openings for IT security specialists, but only 4,100 workers currently employed in those positions, “an annual talent shortfall of 400 workers for cybersecurity’s largest job”, and that there were “11,700 additional openings requesting cybersecurity-related skills, and employers struggling to find workers who possess them”.

    Train up to fill cyber positions

    Prof Buckland recommended employers should seek to meet their cybersecurity skill needs by training up suitable employees. He said graduates from cybersecurity courses were not necessarily ideal cybersecurity employees: “There is a lot we can teach them theoretically, but cybersecurity is a discipline, a profession. There is no better way of becoming finished than being trained by someone who is an expert in the field under a sort of apprenticeship model.”

    Bruce Nixon, partner manager lead, Australia and New Zealand with privileged access management company CyberArk, agreed. He said organisations had to resort to identifying and training suitable candidates, and technology could enable those people to become more effective quicker.

    “You have to think outside the square in terms of how you’re going to actually establish the skill set,” he said.

    “You need to incorporate a training mentality – you might not necessarily find that perfect person in the industry – and we can provide enablement tools that will make it easier to find someone with domain expertise and evolve them into having those very specialist skills.”

    Subsidy for cyber training proposed

    However, Mr Nixon acknowledged that this approach would not work for smaller enterprises that did not have the domain expertise, the budget, or the need for full-time IT people. He canvassed the idea of the government “providing cybersecurity training free-of-charge to the mid-market and to small enterprises to allow them to consume high-quality training”.

    He is not alone. The Australian Government recently announced the Cyber Security Skills Partnership Innovation Fund, with grants of between A$250,000 and $3 million, “to improve the quality and availability of cyber security professionals through training”.

    This prompted a call for a program that would subsidise training for SMEs, which would raise the general level of cybersecurity understanding among the wider workforce.

    Prof Buckland said digital technology was now so pervasive that everyone needed some level of competence in cybersecurity, and UNSW had several initiatives towards this goal.

    “We’re teaching our law students cyber, and lawyers are teaching some of our cyber students about cyber law,” he said. “We’ve created our courses so that everyone can take them, and insert them into their degrees within UNSW. We also run free courses in basic cyber literacy.”

    The speed with which the cyber security landscape is changing has put constant pressure on the availability of skilled cyber professionals. With borders now closed to skilled migration and any boost to the experienced employees not likely to come from overseas in the next 12 months at least, how does Australia find the skills required for the future of work and addressing the current shortage of skills?

    The Bridging the Cyber Divide series is produced as a partnership between InnovationAus and CyberArk.

    The post A cyber-savvy nation through reskilling appeared first on InnovationAus.

  • None of the government entities recently examined by an Australian National Audit Office review have fully implemented the mandatory cyber security risk mitigation strategies developed eight years ago to safeguard the information they hold.

    The mandatory mitigation strategies are basic: application whitelisting, patching applications, restricting administrative privileges, and patching operating systems.

    Two of the entities that had self-assessed full implementation for one or more of the mandatory mitigation strategies – the Department of the Prime Minister and Cabinet and the Attorney-General’s department – did so inaccurately in the 2018/19 financial year.

    The Prime Minister’s department claimed full implementation of the four strategies at the time, but the audit office has discovered it had not fully implemented the mitigation strategy for restricting administrative privileges.

    Parliament
    Massive problem: Auditor General says government failed to meet its own cybersecurity standards

    The opposition says the report is damning and reveals the exposure of sensitive information across government agencies.

    The Australian National Audit Office (ANAO) late on Friday afternoon released its findings from an audit of nine government entities, including the three with responsibilities for the whole-of-government cyber security policy and support.

    The Attorney-General’s Department (AGD); Australian Trade and Investment Commission (Austrade); Department of Education, Skills, and Employment; Future Fund Management Agency; Department of Health; IP Australia; and Department of the Prime Minister and Cabinet (PM&C) were all examined.

    The Department of Home Affairs and the Australian Signals Directorate were also included in the review, but their cyber mitigation strategies were not assessed.

    All the entities examined by the Auditor General have agreed to its recommendations to improve cyber resilience.

    But those with the most responsibility – the ASD, Home Affairs and the AGD – have only “noted” the recommendation to introduce more accountability for implementation of cyber security requirements, arguing that is a task for the government and regulators.

    The findings reveal a failure to accurately self-assess the implementation of critical mitigation strategies in some entities and a majority reporting “Ad hoc” or “Developing” maturity levels of cyber mitigation.

    None of the three entities examined for cyber resilience – the PM&C, AGD and the Future Fund – were considered either cyber secure or cyber resilient by the Auditor General.

    Since 2013 the Australian government has mandated the implementation of at least the “Top Four” cyber mitigation strategies by non-corporate Commonwealth entities under the Protective Security Policy Framework (PSPF) and its revised Policy 10.

    Only 24 per cent of non-corporate Commonwealth entities were compliant with the mandatory Top Four mitigation strategies in ANAO performance audits since 2014.

    There are a further four that are strongly encouraged, making up the “Essential Eight” mitigation strategies.

    But several audits have revealed low levels of compliance with even the mandatory four, leading to the Auditor General being asked to conduct another audit on the effectiveness of the PSPF self-assessment and reporting requirements, as well as the responsible agencies’ role in improving compliance.

    According to the report on the latest review, “The implementation of cyber security risk mitigation strategies by the selected entities was not fully effective and did not fully meet the mandatory requirements of PSPF Policy 10”.

    The poor levels of compliance come despite warnings from Australian cyber and spy agencies that malicious cyberattacks are increasing in frequency, scale and sophistication.

    In the last financial year Australian government entities reported 436 cyber security incidents to the Australian Signals Directorate.

    In December a government-led parliamentary committee called for annual reviews to be conducted into the cyber resilience of Commonwealth entities, flagging the same lack of compliance highlighted by the Auditor General.

    Shadow assistant minister for communications and cybersecurity Tim Watts said the report showed the Morrison government is failing to “do the basics” on cybersecurity.

    “How can the Morrison Government claim any credibility on cyber security when it can’t even implement its own cyber security standards across government?” Mr Watts told InnovationAus.

    “These are some of our most sensitive government departments. It’s not good enough that they are left exposed.

    “Once again we see the Morrison Government loves a cyber security media event, but isn’t there for the delivery.”

    The post Govt fails to meet own cyber standards: ANAO appeared first on InnovationAus.

  • Assistant Defence Minister Andrew Hastie and the head of the Australian Cyber Security Centre (ACSC) have called on Australia’s cybersecurity community to unite against growing threats as more people go online, including criminals and state-based actors.

    The ACSC is increasingly turning to industry partners to mitigate cyber risks as it deals with more than 60,000 reports of cybercrime each year, and acknowledges more upgrades are needed to improve its “already stretched” support service.

    Speaking at the Australian Information Security Association (AISA) conference in Canberra on Tuesday, Mr Hastie said Australia’s sovereignty depended on its ability to thwart cyber-attacks, and it required government, industry and academia working “hand in glove”.

    Parliament
    Cyber alerts: Andrew Hastie has called for industry to come together to address threats

    “Cyber is the new battlefield, and whether we like it or not, we’re all joined in an online contest to preserve our personal security but also our digital sovereignty as a country.

    “And we cannot be complacent. It is essential we consider cyber security when we talk about Australia’s national security, our innovation and prosperity. And a major cyber-attack would have a devastating impact on our economy, our security and our sovereignty.”

    Mr Hastie told delegates it is also important to adopt proper cyber hygiene, including the current push to “mainstream” risk mitigation strategies like multifactor authentication.

    The Australian government consulted with 1,400 cyber stakeholders through its business led industry advisory panel in 2019. The recommendations informed a $1.67 billion 2020 Cyber Security Strategy to be delivered over 10 years.

    A subsequent Industry Advisory Committee, also led by big business, has been tasked with guiding the implementation of the strategy. The committee’s first report into ransomware and the basic steps business can take to mitigate risks was criticised by the opposition as a “missed opportunity” that lacked government policy and instead put pressure on the business community.

    The debate around Australia’s approach comes as cyberattacks increase in frequency, scale and sophistication.

    According to Mr Hastie, cyber criminals and state-based actors are focused on the “irresistible targets” of digital supply chains, with Australian cyber agencies now receiving more than 60,000 cybercrime reports a year.

    “We must combine our knowledge and our expertise as well as our unique insights and capabilities to detect and respond to this broad and evolving threat landscape,” Mr Hastie said.

    Head of the ACSC, Abigail Bradshaw, said her organisation is working to increase industry partnerships, and the size of its partnership program has more than doubled since she arrived in March last year.

    The increased collaboration is evolving the way the ACSC delivers advice to Australians, according to Ms Bradshaw, who noted the current approach is encountering hurdles as the organisation deals with a cybercrime report on average once every eight minutes.

    “We’re preparing to initiate new call centre arrangements to expand our already stretched 24 hour watch force to enhance cybersecurity assistance the ACSC provides to all Australians, and with a specific focus on some of those most vulnerable to the small to medium enterprise sector,” Ms Bradshaw said.

    The cyber organisation is also currently working on a “significant evolution” to its cyber threat sharing platform. An updated “bidirectional” platform will be able to share emerging threats between the ACSC and Australian public and private organisations at “machine speed and scale”.

    The post Hastie urges unity to combat rising cyber threats appeared first on InnovationAus.

  • A youth case worker stood down from a Victorian health department service provider on suspicion of accessing child pornography continued to access sensitive information about clients for months afterwards, according to a data breach inquiry into the incident.

    Failings in the department’s privacy protections meant the man – who was also subject to a separate investigation into an alleged child sex offence – had unauthorised access to the personal information of dozens of vulnerable people for more than a year, according to the report, which found “serious” contraventions of Victorian privacy principles by the department.

    Details of the incident, which occurred between 2017 and 2018, have been revealed in a report into the data breach by the Victorian Information Commissioner, which held back the report due to separate police investigations and a trial of the former case worker.

    Parliament House Melbourne, VIC
    Spring Street: Melbourne rocked by privacy breach of vulnerable youth data

    The man, named as ‘B’ in the report, was employed by a service provider contracted by Victoria’s Department of Health and Human Services (DHHS), now known as the Department of Families, Fairness and Housing.

    B worked for over a year for the service provider, which was administering the DHHS’s Finding Solutions program, a Victorian government early intervention initiative to keep young people and families out of the child protection and out-of-home care systems.

    In that role B had access to the DHHS-maintained Client Relationship Information System for Service Providers (CRISSP). Records held in CRISSP include names, addresses, dates of birth, relationships, case notes, and any history of sexual abuse or exploitation.

    The man ceased working for the service provider around September 2017 but his access to CRISSP was not revoked, despite formal procedures requiring it.

    About five months later police found child pornography on a laptop owned by B but could not prove it belonged to him because of multiple user accounts on the computer. Police told the DHHS that they had “serious concerns about B’s access to vulnerable and at-risk children”, according to the report into the data breach.

    By then B was working for another youth service provider, also managed by the DHHS but via a separate division. The DHHS notified the provider of B’s suspected access to child pornography and he was stood down.

    However, the DHHS did not address B’s access to the CRISSP system, as he had not required it in the new role. He was able to continue accessing the records until October 2018, when staff members from two service providers noticed B had accessed their clients’ files.

    When notified, the DHHS revoked B’s access, more than a year after it should have been revoked when he left the original service provider. By then B had accessed CRISSP 260 times, involving 27 clients. B also conducted 150 searches of the client record system, on each occasion accessing the personal and sometimes sensitive information of vulnerable people.

    On Thursday Victoria’s information commissioner released his report into the data breach, finding both the DHHS and the service provider that initially provided B access to the CRISSP had failed to take reasonable steps to protect personal information in the records system.

    “The [Privacy and Data] Deputy Commissioner found that both DHHS and the [contracted service provider] contravened the [Information Privacy Principles] and issued a compliance notice against DHHS,” Victorian Information Commissioner Sven Bluemmel wrote in the report.

    The service provider has already implemented the privacy watchdog’s recommendations while the DHHS is on schedule to complete all the specified actions required by the compliance notice.

    Under the compliance notice the DHHS must:
    • Implement a risk tiering framework for contracted service providers delivering the Finding Solutions program
    • Update and simplify its contractual framework and guidance material for CRISSP
    • Develop training that is specifically directed at the information security and privacy obligations of systems administrators and organisation authorities
    • Implement a procedure to periodically check the currency of user lists for CRISSP

    Commissioner Bluemmel said the finding shows public sector organisations can’t outsource their privacy responsibilities.

    “Outsourcing arrangements cannot be ‘set and forget’.”

    “When a government agency shares personal information and system access with its contractors, the agency retains both a legal and a moral duty to protect the personal information it collects, uses, holds, and discloses. Government organisations can outsource the management of a program, but they cannot outsource this responsibility.”

    The post Vic privacy breach of vulnerable youth data appeared first on InnovationAus.


  • A government advisory group’s report on ransomware calling on Australian businesses to implement basic cybersecurity practices to mitigate risks is a “missed opportunity”.

    The Cyber Security Strategy Industry Advisory Committee, formed late last year and dominated by big business, released a report on Wednesday outlining the threat posed by ransomware, and the basic steps businesses can take to mitigate the risks.

    In contrast to a paper on the ransomware scourge released by the Opposition last month, the government’s expert committee does not include any recommendations for government or any calls for new policies. Rather, it focuses on what businesses should be doing, such as implementing the Essential Eight baseline features.

    Cyber threats: A government expert panel has no recommendations for ransomware policy

    The recommendations include basic steps such as multi-factor authentication, regularly updating software, training staff in cybersecurity, data lifecycle management, backing up data and built-in security features.

    The report has been backed by Home Affairs minister Peter Dutton, who is responsible for cybersecurity and said businesses should move to implement the recommendations quickly.

    “Cyber criminals continue to see Australian businesses as an attractive target and ransomware is a particularly disruptive form of cyber-attack that can have devastating impacts,” Mr Dutton said.

    “The good news is that many ransomware attacks can be avoided by implementing basic cybersecurity controls and I urge businesses to take the time to review the advisory committee’s advice.”

    The Labor discussion paper, released by shadow assistant minister for cybersecurity Tim Watts, instead calls on the government to develop a National Ransomware Strategy and take actions to reduce the attractiveness of Australian businesses for hackers.

    The advisory committee’s ransomware report “falls short of acknowledging the scale of the $1 billion problem”, Mr Watts said.

    “Instead of using the opportunity to launch a debate about the role government can play in shaping the calculus of ransomware gangs sizing up Australian organisations, the Morrison government continues its approach of playing the blame game,” Mr Watts said.

    “It’s not good enough to tell businesses to defend themselves by ‘locking their doors’ to cyber-criminal gangs. The Morrison government must do more to actively tackle the ransomware threat and develop a National Ransomware Strategy.”

    The committee, which originally offered recommendations on the development of the 2020 cybersecurity strategy, has been criticised for being dominated by big business interests, although representatives from some smaller cyber firms have since been added.

    The committee is chaired by Telstra chief executive Andrew Penn, and includes representatives from NBN Co, Northrop Grumman Australia, PwC and Macquarie Group. It also includes AUCloud chair Cathie Reid and FibreSense chair Bevan Slattery.

    The 14-page paper warned ransomware is one of the “most immediate, highest-impact cyber threats to Australia”, and said that Australian businesses can’t be complacent, and must take action and understand their legal and regulatory obligations around the issue.

    Along with the Essential Eight mitigation strategies, the committee also called for companies to ensure boards are aware of the risk and actively addressing it, and that cyber insurance isn’t relied upon as a strategy in itself.

    “Ransomware is one of Australia’s fastest growing threats as business spends more and more time participating in the digital economy,” Mr Penn said.

    “There are countless businesses that are attacked every day in Australia, and, in some cases, those victims could have prevented or minimised the financial loss and emotional impact they faced through the use of simple cybersecurity controls and employee education.

    “This paper is an important contribution to helping Australian businesses understand the risks of ransomware and prepare accordingly by drawing from the committee’s diverse experience.”

    Mr Watts’ ransomware paper instead focused on what actions the federal government could take to mitigate the risk and make Australia a less attractive target for malicious cyber actors.

    These policy recommendations included increased law enforcement, targeted international sanctions, offensive cyber actions and the regulation of ransom payments.

    “Ransomware is a jobs and investment destroyer at a time when the nation can least afford it. We need a new approach. It’s past time the Morrison government developed a comprehensive national ransomware strategy,” Mr Watts said.

    The post Ransomware report a ‘missed opportunity’: Watts appeared first on InnovationAus.


  • Asia Pacific Report

    The Southeast Asia Freedom of Expression Network (SAFEnet) – an institution concerned with freedom of expression in the digital world – has criticised Indonesia’s newly established virtual police (VP) unit formed under the national police headquarters that is tasked with monitoring the activities of netizens.

    The programme, the brainchild of Indonesian police chief General Listyo Sigit Prabowo, was formed to prevent indictments under the Information and Electronic Transaction Law (UU ITE).

    SAFEnet executive director Damar Juniarto is concerned however that instead of providing a sense of security the virtual police would in fact give rise to new fears.

    The reason being that virtual police officers would intrude too far into the private lives of citizens in the digital sphere.

    “This will instead give rise to new fears, where the police can appear at any time in citizen’s private [digital] space,” said Juniarto when contacted by CNN Indonesia last week.

    Juniarto said that it was as if the virtual police were reviving an Orwellian state. The term Orwellian state refers to a system and public situation that is anti-freedom and anti-openness and is taken from a fictional work by author and journalist George Orwell.

    One of the criteria for an Orwellian state is when the state continuously monitors what is being done by its citizens.

    ‘Correcting’ citizens
    In such a situation, continued Juniarto, the state can directly correct citizens who are deemed to be in error. Instead of feeling protected, people will in fact feel threatened and fearful.

    “Even without this direct police presence, people are already afraid of the threat of the UU ITE [being used against them], never mind with methods such as this,” he said.

    Not only that, Juniarto emphasised that the virtual police negate the space for people to defend themselves if a posting on the internet is deemed to be hate speech or violate the ITE Law.

    The virtual police, according to Juniarto, would in fact negate the judicial process so people would only have one option – to obey or be punished.

    Juniarto said that the virtual police’s presence has already turned people’s discussions in digital space into something that has to be treated or cured. He is also concerned that they would destroy the climate of discussion and debate on digital media.

    “So the VP needs to be corrected so their implementation prioritises education, not appearing as a figure which wants to punish disobedient citizens,” said Juniarto.

    Earlier this week, the police officially launched the virtual police unit to monitor potential violations of the ITE Law on the internet.

    Healthy cyber world
    According to national police spokesperson Inspector General Argo Yuwono, the virtual police’s presence in digital space is a form of maintaining security and public order so that activities in the cyber world can be clean, healthy and productive.

    “Through the virtual police, the police will provide education and notifications if what is written is a criminal violation, request that it not be written again and be deleted,” Yuwono told journalists.

    According to Yuwono, the virtual police had already sent warnings to three accounts recently. One of the accounts had posted a picture with the caption “Don’t forget I’m a thief”.

    “Virtual police alert. Warning 1. The content on your Twitter account uploaded on February 21, 2021, at 3.15 pm local time has the potential to be criminal hate speech.

    “In order to avoid further legal proceedings you are asked to make a correction to the social media content after you have received this message. Salam Presisi [predictability, responsibility, transparency, justice],” said Yuwono reading out the contents of the warning.

    Translated by James Balowski for IndoLeft News. The original title of the article was “SAFEnet Kritik Aksi Virtual Police Terobos Ruang Privat Warga”.

    This post was originally published on Asia Pacific Report.

  • Maksim Yakubets cuts quite the figure driving his custom fluoro camouflage Lamborghini through the streets of Moscow.

    According to indictments filed in the United States, Yakubets could live this lifestyle thanks to his role in the international ransomware gang ‘Evil Corp’, which is estimated to have extorted about US$100m ($128m) from businesses and individuals around the world.

    The United States sanctions payments of ransoms to Evil Corp, but there is no equivalent restriction in Australia.

    In fact, despite ransomware being described by the Australian Cyber Security Centre as the biggest cyber threat facing Australia, there’s no dedicated government strategy for tackling this rapidly growing crime that brings in big bucks for international criminals at the expense of Australian businesses and consumers.

    Ransom guy: Evil Corp’s Maksim Yakubets on the streets of Moscow Photo credit: UK National Crime Agency

    Australia has recently seen high impact ransomware campaigns against high profile targets like Toll Group, Bluescope Steel, Lion, Spotless, Regis Healthcare, Law in Order, and regional Victorian hospitals.

    The Australian government does not currently collect statistics about the impact of ransomware, but analysis by security firm Emsisoft in 2020 estimated its total annual cost to the nation at a minimum of US$270 million (AU$348 million) and a best estimate of US$1.1 billion (AU$1.4 billion).

    The rapidly growing costs of successful attacks on targeted entities – in downtime, remediation, ransoms and supply chain interruptions – combined with the growing costs to all organisations of defending themselves against these attacks is an unsustainable burden on the nation.

    Ransomware is a jobs and investment destroyer at a time when the nation can least afford it.

    While individual organisations will always have the primary responsibility for taking the necessary steps to protect their IT systems from cyber threats, too often, blaming the victim becomes a cover for government inaction.

    It is past time that the Morrison government developed a dedicated National Ransomware Strategy that actively sought to reduce the number of ransomware attacks targeting Australia.

    The evolution of ransomware gangs into sophisticated, well-resourced organised crime groups presents both a challenge and an opportunity.

    The emergence of so called ‘big game hunting’ ransomware gangs that carefully research and select their targets to maximise the returns of attacks has increased the costs of ransomware.

    But this sophistication has also created the opportunity for new government strategies aimed at deterring these attacks.

    We know from interviews with these gang members and from the advertisements they post seeking affiliates that these gangs are aware of the differences in security practices, regulations and law enforcement practices in different nations. We can use this to our advantage as a nation.

    A National Ransomware Strategy that sought to increase the costs and reduce the returns of ransomware campaigns against Australian organisations, could send a message to ransomware gangs that Australian targets aren’t worth the effort.

    As the United States has done with Evil Corp and Mr Yakubets, one of the policy levers government could use as part of such a strategy is regulating the payment of ransoms.

    Ransom payments are the lifeblood of ransomware campaigns. More payments beget more attacks. On the other hand, if Australia became known as a jurisdiction where it was hard to get paid, ransomware gangs may choose to select targets elsewhere.

    In recent months, the former Directors of both the US Cybersecurity and Infrastructure Security Agency and the UK National Cyber Security Centre, have each called for the serious consideration of banning ransom payments in their respective countries.

    Australia should have this debate too as part of a broader discussion about the potential tools available to government to convince ransomware gangs that there’s no return on investment from targeting Australian organisations.

    Labor has released a discussion paper that canvasses a range of tools government could employ as part of a National Ransomware Strategy to shape the target selection of ransomware gangs and ultimately to reduce the number of attacks targeting Australian organisations.

    None of the potential interventions identified in Labor’s discussion paper are silver bullets. But the threat of ransomware isn’t going anywhere soon and the government cannot leave it to Australian organisations to confront this challenge alone.

    It is time the Morrison Government took this threat seriously and developed a National Ransomware Strategy.

    Tim Watts is Labor’s Shadow Assistant Minister for Cyber Security and the federal Member for Gellibrand.

    The post Govt must help business tackle ransomware appeared first on InnovationAus.


    The government-funded cybersecurity research centre has thrown its support behind the proposed “extraordinary” new hacking powers for the Australian Federal Police, a position at odds with human rights, civil liberties and digital rights groups, as well as a group of Senators, who have all raised significant concerns about the new laws.

    In a submission to government, the Cyber Security Cooperative Research Centre (CSCRC) said the Identify and Disrupt Bill, which hands sweeping new powers to the AFP and the Australian Crime and Intelligence Commission (ACIC) to hack into the devices and networks of suspected criminals, is proportionate, appropriate and safe.

    This is despite the Human Rights Law Centre labelling the powers “absurdly broad” and disproportionate, the NSW Council of Civil Liberties saying they are an “abuse of power” and a group of bipartisan Senators questioning a lack of focus on privacy, no judicial oversight and the potential for innocent people to be impacted.

    Support: Cyber Security CRC chief executive officer Rachael Falk. Photo credit: YouTube

    The Identify and Disrupt Bill was quietly introduced to Parliament late last year and quickly referred to the Parliamentary Joint Committee on Intelligence and Security (PJCIS) for inquiry.

    The legislation introduces three new warrants for the AFP and ACIC to “disrupt” the data of suspected criminals, access their devices and networks and take over their accounts covertly.

    While the government says its focus is on “online serious crimes” including child abuse and terrorism, the warrants will also be accessible for any crime carrying a three-year jail sentence, which include theft, fraud, tax evasion and forgery.

    In a submission to the PJCIS inquiry, CSCRC chief executive Rachael Falk offered full support for the new hacking powers.

    “While the powers authorised under the bill are undoubtedly extraordinary, the CSCRC submits they are proportionate and appropriate in relation to the threats posed,” Ms Falk said in the submission.

    “Furthermore, to ensure such extraordinary powers are not misused, exploited or subject to ‘legislative creep’, the bill contains a number of key safeguards and protections,” she said.

    “It presents a clear opportunity for Australia to ensure domestic laws are properly aligned with digital perpetrated activities, allowing lawful access to data and devices where it is appropriate to do so.”

    Ms Falk did however say that the government needs to better define and refine the crimes the new powers will apply to.

    “Under the Crimes Act such a threshold does cover a wide range of offences, so consideration should be given within the legislation to clearly specify types of crime to which the mechanisms set out in the bill could apply,” she said.

    “The CSCRC submits that if offences that would and would not be captured under the regime were clearly carved out, it would serve to allay fears of misuse of the warrants for less serious crimes and perceptions of legislative creep.”

    Ms Falk also rejected the arguments that the new powers would jeopardise the privacy of Australians.

    “An absolute right to privacy can never exist and there must always be exceptions, especially when it comes to maintaining the common good. There is no doubt that the criminal activities the bill is designed to capture all fall under such an exception,” she said.

    “The CSCRC contends that while privacy is valuable it must have limitations and these limitations must correlate with the social contract all members of the community enter into, upon which modern democracies like Australia’s are built.”

    Ms Falk has previously supported the government’s controversial COVIDSafe contact tracing app, arguing that Australians readily hand over more significant data to the likes of Facebook than what was required by the trouble-plagued app.

    The CSCRC chief has also staunchly supported the federal government’s moves to undermine encryption and assist intelligence and law enforcement authorities in accessing encrypted communications.

    In its submission, the Human Rights Law Centre painted a very different picture of the proposed powers, saying they have a “disproportionate scope” that do not have adequate safeguards.

    “Australia lacks a robust human rights framework that would provide adequate protection against the abuse of the powers contained in this bill. In the absence of those safeguards, the HRLC cannot endorse the expansion of the already-considerable powers possessed by the AFP and ACIC to intrude on the privacy of Australians,” the HRLC submission said.

    The law centre said the proposed network activity warrants, which would allow authorities to hack into the networks of suspected offenders without even needing to know their identities, needed to be “substantially redrafted” in order to “prevent their application to individuals that have no involvement in the commission or facilitation of a relevant offence”.

    The current legislation defines an “electronically linked group of individuals” as two or more people using the same electronic service or communicating electronically.

    This could lead to a situation where a relevant offence committed on a messaging service like WhatsApp makes every user of the service around the world a member of a “criminal network of individuals” under the new powers.

    “On a broad, but not unreasonable, interpretation of these definitions, the effect is that a person who visits the same website as a person engaging in conduct facilitating or constituting a relevant offence is in a ‘criminal network of individuals’,” the submission said.

    “This is regardless of whether the website or communication bears any relation to the offence, or whether the individuals have any knowledge of, involvement in, or connection to the offence.”

    The proposed powers are “absurdly broad”, the HRLC said.

    “It effectively means that, where a person engages in a relevant offence, every other user of any website they access or app that is installed on their phone could potentially have their data accessed, changed or deleted, without their knowledge, consent or opportunity to object,” it said.

    “Not only does this seriously impact the privacy and freedom of expression of individuals with little or no connection to the offending conduct or target individual, it opens up vast swathes of online activity to monitoring by law enforcement without sufficient safeguards to prevent abuse. Even on a narrower interpretation, these provisions still offer expansive scope.”

    The NSWCCL said that the new powers are “next in an accelerating wave, strengthening the powers of the state without any humility about the cumulative erosion of democratic freedoms they entail”.

    “This bill builds on this ominous trend and takes it to a new level, providing unprecedented new powers for law enforcement to interfere and ‘disrupt’ communications of citizens without effective restraint. The abuse of power this bill enables will happen. Enough is enough,” the NSWCCL submission said.

    A coalition of digital rights and civil liberties organisations said that the powers amount to “state-authorised hacking”.

    A bipartisan group of Senators have also raised a number of concerns with the legislation, particularly in regard to a lack of privacy safeguards and judicial oversight and the potential for innocent people to also be impacted by them.

    The post Cyber CRC backs ‘extraordinary’ AFP hacking powers appeared first on InnovationAus.


  • The Internet of Things Alliance Australia (IoTAA) will unveil Australia’s first ever IoT Security Awareness Guides during a special webinar event on Wednesday morning covering the trinity of security, safety and privacy.

    Enex TestLab managing director and IoTAA Cyber Security Workstream chair Matt Tett said the Alliance would release two guides, the first aimed at users – whether retail consumers or business organisations – and the second aimed at IoT device-makers and software developers.

    “These are very simple guides. They’re not guidelines or frameworks or standards,” Mr Tett told InnovationAus. “It is eight to 10 pages with eight to ten tips on some of the traps and pitfalls that people need to think about in terms of IoT security, safety and privacy.”

    Plain-talking IoT cyber guides: The IoT Alliance is set to release the first ever awareness guide

    “We’re not trying to put people off from digitising their world, but we certainly do want them to start learning what to look out for before they actually buy a product, and how to better protect themselves before they put into their environment,” he said.

    “[The guide] aims to deliver actionable outcomes without spreading fear, uncertainty and doubt. It’s vendor neutral; we’re not saying go out and buy this thing or that thing.”

    “The tips are all low-cost, easy to apply and take them to the next rung on the security ladder,” Mr Tett said.

    The guides will be launched through a special webinar event from 11am on Wednesday 24. You can register for the free event here.

    IOTAA chief executive Frank Zeichner says the guides are being released as the proliferation of devices across the network continues to accelerate.

    “SecurityToday researchers report that there are 127 new IoT devices connected to the web every second and experts estimate there were approximately 31 billion IoT device installations in 2020,” Mr Zeichner said.

    “The figures were staggering to begin with, and we have seen firsthand how the pandemic has expedited the adoption of IoT devices, by consumers and industry alike.”

    Matt Tett said the second of the guides was aimed at IoT producers, whether they are a small developer or multinational.

    “Again, it’s eight to 10 pages with tips on what they can do to really commence the process of embedding safety and privacy by design into their IoT,” he said.

    “This is rather than falling into the same pitfalls that ICT is in, where they are always trying to bolt security on retrospectively and continually fall over themselves in exposing consumers to security hazards.”

    IoTAA’s Frank Zeichner and Matt Tett will both make presentations to the webinar. Other speakers include Accenture’s managing director for communications, media and technology Eric Bruzek; Department of Home Affairs assistant secretary for technology policy Jill Ogden; Office of the eSafety Commissioner director Julia Fossi; ACCAN chief executive Teresa Corbin; and AustCyber’s WA Innovation Hub director Dr Ian Martinus.

    You can register here for the free Internet of Things Security Awareness Guide launch.

    The post IoT Alliance to launch first-ever security guides appeared first on InnovationAus.


  • Artificial intelligence technology could provide a solution to the growing challenge of securing access for remote office workers, without creating unreasonable hurdles to them working effectively and productively.

    With the surge in remote working resulting from the global pandemic, organisations are struggling to maintain security of remote access without placing too many impediments in front of staff and ensuring that measures are not circumvented by workers who just want to get on with their jobs.

    CyberArk’s Australia/New Zealand solutions engineering manager Andrew Slavkovic said the company was looking at how to enable a remote workforce to work efficiently and securely by restricting access privileges to only those needed.

    Bridging the Cyber divide: CyberArk’s Andrew Slavkovic and Enex TestLab’s Matt Tett talk to James Riley from InnovationAus

    “That’s a difficult endeavour,” Mr Slavkovic said. “We want to review the ways that we can use something like AI to determine what level of privilege a user will need and then automatically predicting it, so the employee is not in any way hampered in regard to their performance.”

    Further, he suggested AI could be used to help prevent security breaches. “We want to use AI more in our product set to determine, based on our past experience, a sequence of actions that could result in a malicious or suspicious sequence of activities, and automatically take action to prevent that from escalating.”

    He said a technique for increasing remote access security was to provide users with the minimum level of access privileges required for them to fulfil their role and adjust this in real time.

    “We’re talking about providing ‘just-in-time’ privilege as a mechanism and escalating that privilege access as and when required, then stripping it back to the minimum level when it’s no longer needed.

    “This can be a quite powerful tool, because if that individual account is compromised, what an attacker can do is very limited. They’ll have to discover another account or another identity that is more important to be able to move laterally within the network to obtain whatever target they want.”
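    The mechanism Mr Slavkovic describes, a least-privilege baseline with elevation granted only for a bounded window and stripped back automatically, is small enough to show end to end. What follows is an added example written for this page, not CyberArk’s product code and not an API it exposes. The role tables, action names, the `JitBroker` class and the injected clock are all hypothetical; the clock is injected so that expiry can be exercised without waiting an hour.

```python
"""Just-in-time privilege over a least-privilege baseline.

Added example, not CyberArk code. A user's standing permissions come from
BASELINE; anything in ELEVATED is reachable only through a time-boxed grant
that must carry a justification, is capped in duration, and is dropped
automatically once it expires. After expiry a compromised account is back
to its baseline, which is the blast-radius argument made in the text.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set, Tuple

# Constructed sample policy (hypothetical roles and action names).
BASELINE: Dict[str, Set[str]] = {
    "analyst": {"read:tickets", "read:logs"},
    "operator": {"read:tickets", "restart:service"},
}
ELEVATED: Dict[str, Set[str]] = {
    "db-admin": {"read:db", "write:db"},
    "host-admin": {"shell:prod", "restart:service"},
}
MAX_TTL_SECONDS = 3600  # hard cap on any single elevation


@dataclass(frozen=True)
class Grant:
    user: str
    role: str
    expires_at: float
    reason: str


class FakeClock:
    """Deterministic clock for the demonstration; swap for time.monotonic."""

    def __init__(self, start: float = 0.0) -> None:
        self.t = start

    def now(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


@dataclass
class JitBroker:
    clock: Callable[[], float]
    grants: List[Grant] = field(default_factory=list)
    audit: List[Tuple[float, str, str]] = field(default_factory=list)

    def request(self, user: str, role: str, ttl: float, reason: str) -> Grant:
        """Issue a time-boxed grant of an elevated role, or refuse."""
        if role not in ELEVATED:
            raise ValueError(f"{role!r} is not an elevatable role")
        if not 0 < ttl <= MAX_TTL_SECONDS:
            raise ValueError(f"ttl must be in (0, {MAX_TTL_SECONDS}]")
        if not reason.strip():
            raise ValueError("a justification is required for elevation")
        now = self.clock()
        grant = Grant(user, role, now + ttl, reason)
        self.grants.append(grant)
        self.audit.append((now, user, f"grant {role} ttl={ttl:g} reason={reason}"))
        return grant

    def revoke(self, user: str, role: str) -> int:
        """Strip an elevation early; returns how many grants were removed."""
        before = len(self.grants)
        self.grants = [g for g in self.grants if not (g.user == user and g.role == role)]
        removed = before - len(self.grants)
        if removed:
            self.audit.append((self.clock(), user, f"revoke {role}"))
        return removed

    def active_roles(self, user: str) -> Set[str]:
        """Elevated roles still live for `user`; expired grants are dropped here."""
        now = self.clock()
        self.grants = [g for g in self.grants if g.expires_at > now]
        return {g.role for g in self.grants if g.user == user}

    def permitted(self, user: str, base_role: str, action: str) -> bool:
        """Authorisation decision: baseline permissions plus any live grants."""
        allowed = set(BASELINE.get(base_role, set()))
        for role in self.active_roles(user):
            allowed |= ELEVATED[role]
        decision = action in allowed
        self.audit.append((self.clock(), user, f"{action} -> {'allow' if decision else 'deny'}"))
        return decision


if __name__ == "__main__":
    clock = FakeClock()
    broker = JitBroker(clock.now)
    print(broker.permitted("alice", "analyst", "write:db"))   # baseline: denied
    broker.request("alice", "db-admin", ttl=600, reason="INC-4411 schema fix")
    print(broker.permitted("alice", "analyst", "write:db"))   # elevated: allowed
    clock.advance(601)
    print(broker.permitted("alice", "analyst", "write:db"))   # expired: denied again
    for entry in broker.audit:
        print(entry)
```

Two design points carry the security value. Expiry is enforced at decision time inside `active_roles`, not by a background job that might fail silently, so a grant can never outlive its window. And every decision, grant and revocation lands in the audit trail, which is what lets an investigator answer “what could this account do at 03:14” after the fact.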

    Mr Slavkovic said remote access security had also been boosted through the control framework set out in the Federal Government’s Information Security Manual (ISM). “The ISM control framework has a whole section around remote access. So, in theory, an organisation should have confidence that if they follow the framework, they will have a level of assurance that they’re going to be secure.”

    Mr Slavkovic spoke with InnovationAus’ James Riley, with Matt Tett, chairman and managing director of Enex TestLab, as part of the series, Bridging the Cyber Divide.

    Mr Tett said the government was changing its approach to ensuring security in government organisations – through audits and certification – to ensure organisations had sufficient policies and procedures in place to be secure. However, many breaches occurred because these policies and procedures were not adhered to.

    “Unfortunately, a lot of the incidents that we see occur are because people have circumvented the protocols or the procedures which have been put in in place.

    “If security gets in the way, people will generally find a way of circumventing it; and it’s no different whether you’re working in an organisation, whether you’re in a home environment, or whether you’re in a government department.”

    Mr Tett said the government had shifted the focus from certifying individual products to certifying organisations. The Australian Signals Directorate has recently revamped its Information Security Registered Assessors Program (IRAP) under which it endorses cyber security professionals to help secure industry and government information systems.

    “Having independent IRAP assessors able to go out to agencies and work with the security teams on implementing procedures and policies and standards is very good,” Mr Tett said. “They’re performing due diligence, or an audit, on an organisation to ensure they have sufficient policies, procedures and practices in place.”

    However, Mr Tett said the policies, regulations and standards needed to be measurable if they were to be effective. “You can have standards, you can have regulation, but you really need to make sure they’re measurable and actually working effectively. That’s a critical thing.

    “You want to measure before and after – measure the benefit of implementing policies and procedures, draw a baseline somewhere, and once you have that baseline, you can measure the maturity of those departments’ and agencies’ security models, rather than just measuring them by the number of incidents that they’ve actually had. It’s better to measure the prevention rather than the cure.”

    The Bridging the Cyber Divide podcast series is produced as a partnership between InnovationAus and CyberArk.

    The post Security credentials and the remote access challenge appeared first on InnovationAus.

    This post was originally published on InnovationAus.

  • Australia is at a widely analysed strategic crossroads. To accelerate the growth of a secure, resilient and technologically sophisticated economy, we must develop and extend our capability in critical and emerging technologies.

    That means supporting the commercialisation of Australian intellectual property in all areas of emerging technology – from artificial intelligence and automation, to fintech to medtech and biotech to cyber security.

    Cyber security is especially important, because it is a fundamental enabler of trust as well as innovation across emerging technologies and indeed across our entire economy.

    AustCyber CEO Michelle Price and Stone & Chalk chief executive Alex Scandurra

    It is well reported that the number and type of threat actors – both criminal and state-based – have increased markedly over the last 12 months, and not just for the big end of town. Organisations of all sizes and sectors, as well as schools, community groups and homes, are in the cross hairs.

    This increased necessity comes at a time of mandatory business transformation and digitisation. The COVID era laid bare the inefficiencies and friction points in business models across the economy, from education and entertainment to banking and retail.

    A more mature understanding of the transaction costs across destabilized supply chains has also emerged.

    Industry leaders are now searching for partners and trailblazers who can transform their business operations rapidly with emerging technologies, in ways that bring inbuilt security and resilience.

    If Australia remains simply an end customer of offshore vendors for emerging and critical technologies, we will be selling ourselves short strategically, and also forgoing the retained benefits of jobs and profit that come with competitive domestic offerings.

    Expenditure in business transformation and emerging technologies will be expropriated by global vendors selling off-the-shelf solutions to Australian customers who will gain no competitive advantage and will often be forced to arrange their business operations around the requirements of an existing product that the vendor is offering.

    On the other hand, if we use the infrastructure already built and invested in to nurture the commercialisation of home-grown emerging technologies in sophisticated ways, we can better leverage the strength of our advanced research capability to create intellectual property in industries that play to Australia’s strengths and deliver increased self-reliance.

    The new (or endured) normal of the pandemic demonstrates the need for us to be sharper in how we achieve this through trusted partnerships and innovation.

    Right now, across the world, the opportunity for Australia is enormous.

    This is why we, as the leaders of two prominent not-for-profits working in critical and emerging technologies, have merged our organisations to show a better way to leverage the best of previous investment in capability to create capacity to accelerate the growth in industries delivering a more innovative, secure economy.

    To capitalise on the transformative moment that we are in, Australia’s emerging technology companies must be secure by design from day one, before a single line of code is written. Corporates and government organisations seeking digital transformation partners lean heavily towards those that can provide serious security credentials.

    A strategic integration of the peak body for the cyber security industries with the leading commercialisation network for all emerging tech will ensure that our emerging technologies are secure and can increase the security of their customers and partners.

    Our cyber security industry has more than quadrupled in direct value since 2017, from $800 million to $3.6 billion today. Most companies in this sector are young – 40 per cent are less than five years old.

    This is an extraordinary growth story that has occurred under the auspices of AustCyber which has operated as an Industry Growth Centre since 2017. AustCyber will continue to operate as an Industry Growth Centre until mid-2022.

    Emerging technology more broadly has a pivotal role to play in Australia’s new economy. Research has shown that every job created in technology creates five more across the economy. Companies less than five years old employ nearly one in two Australians and are net job creators, whereas legacy companies are net job shedders.

    Australia’s entire business ecosystem will need to leverage emerging technology companies that are innovative, focused and secure to thrive in a post-pandemic world.

    As an organisation that exists at the nexus of emerging technology and business, Stone & Chalk is powering the growth of our emerging tech ecosystem and business transformation.

    Full-scale commercialisation support is needed to maintain and extend this growth and tell the next chapter of the story.

    The integration of AustCyber and Stone & Chalk will provide this to our current ecosystems and extend our reach across other emerging technology industries, established and nascent.

    This includes virtual trade missions with potential export markets, bespoke introductions to potential investors with the right portfolio and expertise to provide far more than financial support, access to customers ranging from scaleups and government departments to national and multinational corporates, and a powerful advocacy body advancing the interests of founders at a state and federal level.

    In a world where critical and emerging tech are becoming central to economic growth, resilience and security of national economies, a body like the one we are creating with this merger is no longer optional.

    Our success in the mission of developing and extending Australian industrial capability in critical and emerging technology will underpin the nation’s prosperity and security for decades to come.

    The post Scaling a secure innovative future for the tech sector appeared first on InnovationAus.

    This post was originally published on InnovationAus.

  • Federal Labor has called on the government to launch a national ransomware strategy to make Australia a less attractive target for cyberattacks.

    Shadow assistant minister for cybersecurity Tim Watts released a discussion paper detailing potential policies, including increased law enforcement, targeted international sanctions, offensive cyber actions and regulating the payment of ransoms.

    The Australian Cyber Security Centre has said that ransomware is the “highest threat” facing Australian businesses and government in the cyber domain, with a total cost of about $1 billion per year. These forms of cyberattacks increased significantly in the last year and have become more sophisticated and more targeted.

    Tim Watts: The Cybersecurity strategy has little to support the development of the local industry

    The federal government must play a leading role in making Australia a less attractive target for these ransomware groups, Mr Watts said.

    “The rapidly growing costs of successful attacks on targeted entities – in downtime, remediation, ransoms and supply chain interruptions – combined with the growing costs to all organisations of defending themselves against these attacks is an unsustainable burden on the nation,” Mr Watts said.

    “Ransomware is a jobs and investment destroyer at a time when the nation can least afford it. We need a new approach. It’s past time the Morrison government developed a comprehensive national ransomware strategy.”

    The increasing sophistication and targeting of ransomware presents an opportunity for the government to shift focus away from Australian entities, Mr Watts said.

    “The evolution of ransomware gangs into sophisticated, well-resourced organised crime groups presents both a challenge and an opportunity. The challenge of the emergence of so-called ‘big game hunting’ ransomware gangs that carefully research and select their targets to maximise their returns from attacks has increased the potential costs of these attacks,” he said.

    “But it has also created the potential for new strategies aimed at deterring these attacks. The threat of ransomware isn’t going anywhere soon, and the government cannot just leave it to Australian organisations to confront this challenge alone. It is time the Morrison government actively tackled this threat and developed a national ransomware strategy.”

    The Labor discussion paper proposes policies that could lower the return on investment for ransomware groups going after Australia and increase their costs.

    On the costs side, more effort could be made on law enforcement action against ransomware groups, starting with measuring current performance and pushing for greater international cooperation to arrest and charge individuals.

    The federal government should also “aggressively” participate in joint international law enforcement operations and cooperate in the region to prevent the emergence of new groups.

    “An activist approach to fighting ransomware would see the Australian government building coalitions of nations to pressure recalcitrant governments to stop ignoring and harbouring transnational ransomware groups, and to develop mutual law enforcement assistance agreements with these states,” the discussion paper said.

    When law enforcement is not possible, the government should look at engaging with like-minded countries to impose travel and asset sanctions on the ransomware gangs and enabling countries, the Opposition said.

    To reduce returns for these groups, the government should look at imposing controls on ransomware payments, crack down on rogue bitcoin exchanges and improve the cybersecurity of public and private organisations, the paper said.

    The Opposition said the government should actively engage with the US Treasury which has already proposed some regulatory actions around ransomware payments made through bitcoin exchanges.

    “If Australian organisations can develop a reputation for being less likely to pay ransoms than targets in other jurisdictions, the return on investment for targeting Australian organisations will fall and so too will targeted ransomware attacks against Australian organisations,” they said.

    More work needs to be done to lift the overall cyber resilience of public and private companies to combat these attacks, the paper said.

    And such a strategy needs to be communicated publicly, with Labor calling on Home Affairs minister Peter Dutton to make a ministerial statement in Parliament about it and for the government to appoint a dedicated member of the executive responsible for cybersecurity.

    “This is an important signal to adversaries indicating that the Australian government takes cybersecurity seriously,” the Labor discussion paper said.

    “Unfortunately, despite the growing threat of ransomware to the nation, Peter Dutton has never used the word ‘ransomware’ in the Parliament.”

    Mr Watts released another discussion paper last year, calling for a rethink of cybersecurity policy in Australia with a focus on national resilience and community-based efforts.

    The federal government unveiled the $1.7 billion 2020 Cyber Security Strategy in August, with initiatives including new laws to protect critical infrastructure, additional powers for authorities to combat crime on the dark web, and some efforts to improve the cyber resilience of small business.

    The post Labor calls for national ransomware strategy appeared first on InnovationAus.

    This post was originally published on InnovationAus.

  • Tech incubator Stone and Chalk has acquired the Commonwealth-led cybersecurity Industry Growth Centre known as AustCyber in a boost for both organisations.

    Under arrangements unveiled on Monday, AustCyber becomes a wholly-owned subsidiary of Stone and Chalk, although the CEOs of both organisations say that while the legal structure says ‘acquisition’, the not-for-profit operational reality of the integration makes it a merger.

    AustCyber’s Michelle Price and Stone and Chalk’s Alex Scandurra say the combined resources and individual strengths of each organisation will deliver a scale and sophistication for industry growth programs not previously seen in Australia.

    Scaling-up not-for-profits: The private sector-inspired Stone and Chalk acquires public sector-inspired AustCyber

    Both organisations will operate under their existing brands and run effectively separate accounting to meet obligations under government funding agreements. But the staff and day-to-day operations across multiple sites and cities will effectively be integrated.

    Under the new structure, AustCyber becomes a wholly-owned subsidiary of Stone and Chalk. The organisations will maintain separate boards, although each will become “cross-fertilised” with one board member from each organisation joining the other.

    AustCyber will continue to operate as an Industry Growth Centre under the new ownership arrangements until the end of June 2022 and will continue to receive federal funding under that program. Ms Price said the organisation is committed to meeting all of its obligations under its current funding arrangement.

    The AustCyber-Stone and Chalk tie-up has significant implications for the future of the Industry Growth Centres program. Other growth centres include the Advanced Manufacturing Growth Centre; Food Innovation Australia Limited (FIAL); METS Ignited for the mining engineering, technology and services sector; MTPConnect for the medical technology and pharmaceutical sector; and National Energy Resources Australia (NERA), for the oil, gas and energy sectors.

    The Industry Growth Centres initiative was unveiled by former industry minister Ian Macfarlane in 2014 as part of the Abbott government. The Australian Cyber Security Growth Network (later AustCyber) was added later as a key recommendation of the original 2016 Australian Government Cybersecurity Strategy.

    It was always intended that the growth centres become commercially viable, self-sustaining organisations. Funding for the current growth centres comes to a finish at the end of June 2022.

    It is understood that none of the growth centres have to this point found commercial models that put them on a sustainable revenue trajectory that would allow them to continue to operate independently of government funding beyond that deadline.

    AustCyber is a first mover in getting out in front of that looming funding deadline at the end of the next financial year and will look to secure its future within Stone and Chalk.

    Whether the other growth centres move to restructure operations ahead of the deadline, choose to run down the clock on the funding timetable, or shutter their organisations remains to be seen.

    “It makes a lot of sense operationally,” AustCyber chief executive Michelle Price told InnovationAus. “Day to day it’s about growing the scale as well as the sophistication of the programs that the two organisations previously did separately.”

    “There were already a lot of synergies that we were already focusing on,” Ms Price said, with AustCyber and Stone and Chalk having signed a partnership agreement during 2020.

    “AustCyber was focused specifically on cybersecurity, but we were constantly being pulled across into other industries as well – not just because cybersecurity was needed elsewhere, but because of our expertise.”

    “The same was happening with Stone and Chalk,” she said. “The issues and the challenges that we were experiencing from a delivery point of view – and not having enough scale to respond to the demand – and seeing where the ecosystems were up to with the level of sophistication that’s needed in growth programs, it just became really obvious to us that we should pursue a merger.”

    The merged organisations mean that the combined AustCyber and Stone and Chalk operation will operate in 11 locations across the country, as well as AustCyber’s international presence in Washington D.C. in the United States.

    These locations include Stone and Chalk’s innovation hubs in Sydney, Melbourne and Adelaide, and the AustCyber network nodes in Western Australia, South Australia, Canberra, Tasmania and New South Wales, as well as an expected new node in Victoria.

    “In those locations where Stone and Chalk has not had a presence, there is a renewed focus on how we can combine the AustCyber nodes with the Stone and Chalk approach to an innovation hub.”

    Stone and Chalk chief executive Alex Scandurra said the organisation, which began life with a specific focus on building companies in the FinTech sector, would continue to take the frameworks and approaches it uses successfully in FinTech to build companies across other areas of emerging tech.

    “What we saw as the opportunity in AustCyber was quite a lot of depth around the national security piece, as well as giving us additional strength when talking about cyber as a horizontal [sector] across all emerging technologies in a similar way that we saw FinTech in terms of mobilizing money across a whole series of sectors,” Mr Scandurra said.

    AustCyber’s Ms Price said Minister Karen Andrews’ office had been told of the plan to merge with Stone and Chalk in December, and that the organisation had worked in lockstep with both the minister’s office and the department to reshape its structure.

    A spokesperson for Minister Andrews told InnovationAus: “In October 2020, Minister Andrews asked all Industry Growth Centres to submit a transition plan to the Department of Industry, Science, Energy and Resources, outlining their plan for self-sustainment beyond June 2022.”

    “The Industry Growth Centres Initiative is an ongoing program. The transition of individual Growth Centres to self-sufficiency once mature was always envisaged under program objectives and highlighted as part of the announcement of their establishment,” the spokesperson said.

    To date, AustCyber has allocated $14.85 million in project funding through its $15 million Industry Growth Centres Project Fund.

    The post Stone and Chalk acquires AustCyber growth centre appeared first on InnovationAus.

    This post was originally published on InnovationAus.

  • Pacific Media Watch newsdesk

    Reporters Without Borders (RSF) has condemned a proposed cyber-security law in Myanmar that would organise online censorship and force social media platforms to share private information about their users when requested by the authorities.

    This would violate the confidentiality of journalists’ data and sources, and the public’s right to reliable information, says the Paris-based media freedom watchdog RSF.

    The draft law, which has just been leaked, is clearly designed to prevent pro-democracy activists from continuing to organise the demonstrations that have been taking place every day in cities across Myanmar in response to the military coup on February 1.

    The State Administration Council – as the new military junta euphemistically calls itself – sent a copy of the proposed law to internet access and online service providers on February 9.

    And the junta is expected to make it public on February 15.

    The draft law, which RSF has seen, would require online platforms and service providers operating in Myanmar to keep all user data in a place designated by the government for three years.

    ‘Causing hate, destabilisation’
    Article 29 would give the government the right to order an account’s “interception, removal, destruction or cessation” in the event of any content “causing hate or disrupting unity, stabilisation and peace,” any “disinformation,” or any comment going “against any existing law.”

    This extremely vague wording would give the government considerable interpretative leeway and would in practice allow it to ban any content it disliked and to prosecute its author.

    Article 30, on the other hand, is very specific about the data that online service providers must hand over to the government when requested: the user’s name, IP address, phone number, ID card number and physical address.

    Any violation of the law would be punishable by up to three years in prison and a fine of 10 million kyats (6200 euros). Those convicted on more than one count would, of course, serve the corresponding jail terms consecutively.

    RSF submission
    “The provisions of this cyber-security law pose a clear threat to the right of Myanmar’s citizens to reliable information and to the confidentiality of journalists’ and bloggers’ data,” said Daniel Bastard, the head of RSF’s Asia-Pacific desk.

    “We urge digital actors operating in Myanmar, starting with Facebook, to refuse to comply with this shocking attempt to bring them to heel. This junta has absolutely no democratic legitimacy and it would be highly damaging for platforms to submit to its tyrannical impositions.”

    Facebook has nearly 25 million users in Myanmar – 45 percent of the population. Three days after the February 1 coup, the junta suddenly blocked access to Facebook, Twitter and Instagram.

    But many of the country’s citizens have been using VPNs (virtual private networks) to circumvent the censorship.

    The proposed law’s leak has coincided with social media reports of the arrival of many Chinese technicians tasked with setting up an internet barrier and cybersurveillance system of the kind operating in China, which is an expert in this domain.

    Earlier this week, RSF reported the comments of several journalists who have been trying to cover the protests against the military coup, and who said that press freedom has been set back 10 years in the space of 10 days, back to where it was before the start of the democratisation process.

    Myanmar is ranked 139th out of 180 countries in RSF’s 2020 World Press Freedom Index.

    This post was originally published on Asia Pacific Report.

  • Government moves to beef up the security of Australia’s critical national infrastructure (CNI), set out in the Security Legislation Amendment (Critical Infrastructure) Bill 2020 and introduced into Federal Parliament on 10 December, will impact many companies, institutions and organisations that might not see themselves as being part of critical infrastructure.

    These organisations should prepare for the bill’s impact now, by taking note of how recent moves by the finance industry regulator to strengthen cyber security requirements are playing out.

    In his second reading speech on the bill, Home Affairs Minister Peter Dutton said it would cover “organisations in communications, transport, data and the cloud, food and grocery, defence, higher education, and research and health” – seen as critical to “maintaining basic living standards for the Australian population; sustaining Australia’s wealth and prosperity; Australia’s national security and defence; and the security of large or sensitive data holdings”.

    Nick Lennon: The proposed critical national infrastructure laws will have a broad impact on cyber security

    Entities to which the legislation will apply are required to “adopt and comply with a risk management program that ensures that critical infrastructure assets are protected and safeguarded from all hazards”.

    The introduction of the proposed new legislation is timely. We are already seeing critical infrastructure overseas being attacked with dire consequences, and the threat actors are becoming more sophisticated.

    Phishing emails have long been a favoured threat vector but can generally be thwarted by an alert reader. Now, attackers are gathering information sufficient to create heavily socially engineered attacks that create high levels of trust, making them more difficult to detect.

    How the new critical national infrastructure legislation will work in practice, and whether the goals set for it by the government are achieved remains to be seen.

    The recent imposition of cyber security requirements on financial services industry players provides valuable insights and sets an example for other industries as they gear up to comply with the new cyber security regime.

    The Australian Prudential Regulation Authority (APRA) introduced its Prudential Standard CPS 234 Information Security in July 2019. Its aim was to make sure APRA-regulated entities maintained a security capability sufficient to make them resilient to cyber-attacks.

    Cyber security issues had long been of concern to APRA, but prior to CPS 234 it lacked the power to act on those concerns. CPS 234 gave it that power, and at Mimecast we are seeing the impact. Superannuation funds, credit unions, tier two banks and financial service providers are coming to us to help them meet their obligations.

    However, APRA has already recognised the limitations of CPS 234, and has beefed up its cyber security oversight of the finance sector considerably.

    In August 2020, its Corporate Plan 2020-2024 detailed a new security strategy. In a speech to the Financial Services Assurance Forum, APRA executive board member Geoff Summerhayes said the new strategy aimed to “extend APRA’s reach beyond our regulated entities to influence the broader eco-system of suppliers and providers they rely upon”.

    There are certain industries that drive innovation, and the finance industry is one. It will play a major role in determining how increased cyber security regulation impacts all industries.

    History shows that regulation tends to hit financial services first, and then spreads into other industries, because investment impacts all industries.

    Director level responses to CPS 234 and to APRA’s new cyber security strategy will set the tone for how boards in other industries respond to the new legislation and execute their new cyber responsibilities.

    Organisations that will be covered by the new CNI legislation can learn from the finance sector’s response to CPS 234 and APRA’s new cyber security strategy and act on that legislation appropriately.

    The greatest challenge for legislators and regulators implementing the new critical national infrastructure legislation – and for industry – will likely be in maintaining adequate cyber security in many small organisations that have the potential to cause severe disruption to national infrastructure if they are compromised.

    I recently asked the CISO of a body with a strong interest in our critical infrastructure what kept him awake at night. His answer: a small FinTech transferring billions of dollars through the payments system.

    The role of that FinTech could at least be identified. Identifying every organisation that could be compromised and exploited to attack critical infrastructure is likely to be much more difficult.

    APRA realises this challenge. At the heart of APRA’s new cyber security strategy, Summerhayes said, is “recognition that the Australian financial system is an ecosystem of an estimated 17,000 interconnected financial entities, markets, and financial market infrastructures that provide products and services to consumers”.

    APRA directly regulates only 680 of these entities, but a cyber breach of any of these could “have a cascading impact on the whole system”.

    Nick Lennon is the Mimecast Country Manager for Australia.

    The post Critical infrastructure laws impact on cyber appeared first on InnovationAus.

    This post was originally published on InnovationAus.

  • A group of senators have raised significant concerns with the federal government’s proposed new hacking powers for the Australian Federal Police, warning that a “wide scope of innocent third parties” could be caught up by the coercive and broad scheme.

    The Standing Committee for the Scrutiny of Bills, a bipartisan committee chaired by Labor, has revealed its thoughts on the Identify and Disrupt Bill, questioning a lack of focus on privacy, no judicial oversight, the potential for innocent people to be impacted and the ability for police to use the hacking powers without obtaining a warrant.

    The government quietly introduced the legislation to Parliament late last year with no consultation and little fanfare. The bill hands sweeping new powers to the AFP and ACIC to hack into the computers and networks of suspected criminals.

    Image caption: Hackers?: The Australian Federal Police in line for sweeping new powers to hack

    The bill introduces three new warrants, allowing authorities to “disrupt” the data of suspected offenders, to access their devices and networks even if they don’t know their identity, and to covertly take over their accounts.

    While the government says the new powers are targeted at combating “online serious crimes”, they will apply to any crime carrying a jail term of at least three years, including theft, fraud, tax evasion, illegal gambling, forgery and privacy offences.

    There was significant backlash to the legislation, with the Law Council of Australia calling for proper oversight and scrutiny of the “extraordinary powers”. The legislation is currently the subject of a Parliamentary Joint Committee on Intelligence and Security (PJCIS) inquiry.

    A bipartisan senate committee has now raised serious concerns with the new powers, saying the “coercive” warrants have the “potential to unduly trespass on personal rights and liberties”.

    In its first report of the year, the bipartisan Standing Committee for the Scrutiny of Bills said that home affairs minister Peter Dutton has a lot of explaining to do on the new powers.

    “The committee considers it essential that legislation enabling coercive search powers be tightly controlled, with sufficient safeguards to protect individual rights and liberties,” the committee said in the report.

    Under the powers, the AFP and the Australian Criminal Intelligence Commission (ACIC) will be able to apply for the warrants from eligible judges or a member of the Administrative Appeals Tribunal (AAT). But the senators said that only judges should be vested with this power.

    “The committee has had a long-standing preference that the power to issue warrants authorising the use of coercive or intrusive powers should only be conferred on judicial officers,” it said.

    “In light of the extensive personal information that could be covertly accessed, copied, modified or deleted from an individual’s computer or device, the committee would expect a detailed justification to be given as to the appropriateness of conferring such powers on AAT members, particularly part-time senior members and general members. In this instance, the explanatory memorandum provides no such justification.”

    The committee is also concerned that the warrants will apply for 90 days, with extensions available, and about the lack of focus on privacy.

    “Noting the significant impact on the privacy of individuals whose information is collected or accessed under these warrants, it is unclear why privacy is a mandatory consideration in relation to account takeover warrants only and should not also apply to data disruption and network activity warrants,” it said in the report.

    “Similarly, it is unclear why issuing authorities must not consider whether the warrant is proportionate having regard to the nature and gravity of the offence and the likely value of information sought to be obtained in relation to all warrants rather than being limited to network activity warrants.”

    The application of the powers to crimes with jail time of three years also raised the eyebrows of the senators.

    “Noting this broad range of offences, the committee considers that an explicit requirement to consider proportionality in relation to issuing each of the warrants is important to ensure that the significant coercive powers authorised under these warrants are only exercised where necessary and appropriate,” the committee said.

    The legislation also allows for the authorities to take these coercive actions and conceal the fact that they did without obtaining a warrant in “emergency circumstances”.

    This will be done through applying to the appropriate authorising officer, who will approve it if they reasonably suspect there is an imminent risk of serious violence to a person or substantial damage to property, and that the powers are immediately necessary.

    “The committee is particularly concerned that such powers only be authorised under a warrant issued by a judicial officer. Allowing a law enforcement agency to authorise its own actions under an emergency authorisation has the potential to unduly trespass on the right to privacy, and as such the committee would expect the explanatory materials to provide a detailed justification for such provisions,” the committee said.

    “In this instance, the statement of compatibility provides no such justification. In effect, it appears that these provisions allow coercive or intrusive actions to be taken which have not been authorised under an existing warrant.”

    Overly “broad” definitions in the legislation mean that numerous innocent individuals may be caught up by the network activity warrants, the committee warned.

    “The committee is concerned that, as a result of these broad definitions, there is a potentially unlimited class of persons who may be subject to, or affected as a third party connected to a person who is the subject of, a network activity warrant,” it said.

    The senators put a number of questions to Mr Dutton, including why only judges should not be able to issue the warrants, why the 90-day time period is necessary and why the value of the information isn’t considered when issuing the warrants.

    Submissions to the PJCIS inquiry into the legislation will close at the end of the week.

    The post Senators question new hacking powers for AFP appeared first on InnovationAus.


  • Grants of up to $3 million are on offer for cybersecurity training programs as part of a $26.5 million national cybersecurity strategy initiative officially launched by the federal government this week.

    The first round of the Cyber Security Skills Partnership Innovation Fund was opened on Thursday, with grants of between $250,000 and $3 million on offer for applicants looking to “improve the quality and availability of cybersecurity professionals through training”.

    The grants will fund up to 50 percent of a cyber skills program, which will have to be a joint application from at least two partner organisations which may include universities, high schools, industry associations, state and local governments and businesses.

    Eligible activities for the grants include developing and delivering specialist cybersecurity courses for individuals, retraining programs, professional development, apprenticeships, new internships or cadetships and cyber labs and training facilities.

    There will be $13 million available as part of the first funding round, which will be aimed at building career pathways in the cybersecurity sector as part of Australia’s economic recovery from COVID-19, industry minister Karen Andrews said.

    “The Cyber Security Skills Partnership Innovation Fund will support partnerships between industry, education providers and governments to build the next generation of cybersecurity experts,” Ms Andrews said in a statement.

    “Cybersecurity is essential to our digital economy and needs to be strong in all areas, particularly in small and medium enterprises which comprise 98 percent of all Australian businesses. This fund builds on our commitment to keep Australians secure online, and to support building industry capability.”

    The fund was one of the initiatives included in the Cybersecurity National Workforce Growth Program, one of the deliverables under the Morrison government’s Cyber Security Strategy, unveiled last year.

    The grants will help to build on the other initiatives included in this strategy, home affairs minister Peter Dutton said.

    “Having more people trained in cybersecurity will build on the other measures funded as part of our $1.67 billion strategy to keep Australians safe online and protect against cyber attacks from malicious actors including cyber criminals,” Mr Dutton said.

    The first round will close on 11 March, with a second round expected to open before the end of the year.

    The fund was one of few initiatives in the strategy targeted at the local cybersecurity sector, with little focus on building the burgeoning industry.

    This was criticised by Labor cybersecurity spokesperson Tim Watts.

    “It looks like the government has given up on developing and growing the Australian cybersecurity industry altogether. There was no commitment on industry policy, on local content, on procurement, on SME involvement, or on maximising R&D spend to grow the Australian industry,” Mr Watts said.

    “During a recession, when we are trying to build sustainable, high-wage jobs for the Australian recovery post COVID-19, it is inexplicable that industry development seems to be completely missing from this strategy.”

    The post Govt launches $26.5M cybersecurity skills grants program appeared first on InnovationAus.


  • Big tech and business are warring with digital and civil rights groups over the need to introduce a right of direct action for data breaches as part of the sweeping review of Australia’s privacy laws.

    The Attorney-General’s Department is conducting a sweeping review of the Privacy Act on the back of the Australian Competition and Consumer Commission’s (ACCC) digital platforms inquiry, which recommended a number of legislative changes.

    A key issue the inquiry is looking at is whether a direct right for individuals to bring actions or class actions before the courts to seek compensation for breaches under the Privacy Act should be introduced.

    Image caption: It’s a jungle: The right to take direct court action over data breaches has spurred a fight

    Presently there is a very limited ability for Australians to seek redress for a privacy breach by a company subject to the Privacy Act, through an injunction or a complaint to the Office of the Australian Information Commissioner (OAIC).

    In its final report, the ACCC called on the government to introduce a right of action in the Federal Court or Federal Circuit Court to seek compensatory damages and aggravated and exemplary damages for financial and non-financial harm as a result of an infringement of the Privacy Act.

    “This would give consumers greater control over their personal information by providing an avenue of redress in court without having to rely on the OAIC alone to take representative action,” the ACCC said in its digital platforms report.

    “This ability will not only empower consumers but may also provide an additional incentive for Australian Privacy Principles entities to ensure they comply with their obligations under the Privacy Act and the APPs.”

    Instead of accepting this recommendation, the federal government opted to consult further on the direct right of action as part of the wider review of the Privacy Act.

    A number of civil and digital rights groups and legal organisations offered strong support for this policy in submissions to the inquiry, while big tech firms and other large businesses unsurprisingly railed against it, instead arguing that the OAIC should be handed a more prominent role in enforcing the Privacy Act.

    But the opposing side argued that the right of action would complement the OAIC’s enforcement role and is critical to ensuring the privacy of Australians is upheld.

    In its submission, Australian tech giant Atlassian said a direct right of action is unnecessary and may “magnify rather than mitigate any concerns about the costs and time for individuals seeking resolutions through the complaints process”.

    “It is difficult to see why the introduction of a direct right of action for individuals to seek compensation for breaches of the Privacy Act is necessary or, indeed, is the most appropriate way to meet these objectives,” the Atlassian submission said.

    “We strongly believe that efforts are better redirected towards improving the efficiency and effectiveness of existing enforcement mechanisms, including by supporting the OAIC to increase its complaint-handling workload and considering other mechanisms to facilitate certainty and consistency of entities’ compliance obligations.”

    US tech firm Adobe also argued against a direct right of action in its submission to the Australian inquiry, saying it would only benefit those who could afford to take legal action.

    “The cost of undertaking litigation is very high, which means that providing a direct right of action will generally benefit only a very few Australians who have sufficient resources to take such action,” the Adobe submission said.

    “Adobe submits that providing greater powers to the OAIC to assist in the resolution of privacy-related complaints is a more effective means by which to empower individuals to exercise control over their personal information.

    “If the OAIC had enhanced powers and the necessary resources to conduct investigations, and provide adequate remedies, this would truly empower individuals who would be able to easily and quickly take action to address privacy harms.”

    Tech titan Google also said that the OAIC’s dispute resolution is “preferable to creating a direct right of action”.

    “If the government is considering introducing a direct right of action, we suggest that a precondition to any direct action is an attempt to resolve a dispute through conciliation by the OAIC or some other administrative body,” Google said in its submission.

    Media giant Nine also argued against the ACCC’s recommendation.

    “The main beneficiaries of having those claims in the courts instead of the OAIC will be lawyers, as many people will choose to be represented. Lawyers will have incentives to increase the quantum and frequency of claims,” the Nine submission said.

    “Those individuals will fare better, and the system will fare better, if their concerns continue to be handled by the professional team which has done so effectively for nearly 20 years at the OAIC. That team should be well funded. It is much better for the current system to be supported than to disrupt it in the way proposed.”

    While also strongly supportive of the OAIC receiving additional funding and resources, several other submissions argued that the direct right of action could work in tandem with the privacy office to uphold the rights of Australians.

    The post Big Tech clashes with digital rights groups over data appeared first on InnovationAus.
