Individuals not the priority in the Cyber Security Strategy


This article is by Robert Merkel, Lecturer in Software Engineering, Monash University. It originally appeared on The Conversation.

opinion/analysis The Cyber Security Strategy announced yesterday by Prime Minister Malcolm Turnbull clearly places a high priority on protecting Australian government systems from foreign powers.

But when it comes to protecting citizens’ personal information, it appears to be rather a mixed bag.

While very short on specifics, it does announce several potentially useful initiatives that may help protect Australians against cybercrime. But notably absent is any pressure on the private sector to improve its cybersecurity efforts.

First, it commits the government to increasing the number and training of cybersecurity specialists in the Australian Federal Police and Australian Crime Commission.

The government also wants to get its own house in order, in part by conducting additional independent security assessments of internal federal government IT infrastructure.

This is an interesting move given Turnbull today confirmed both the Bureau of Meteorology and the Department of Parliamentary Services had been the victims of recent cyberattacks.

But if more externally focused departments, such as the Australian Tax Office, Centrelink and Medicare, are also thoroughly audited, it would reduce the risk of those organisations’ large collections of personal data being compromised by criminals.

The strategy talks about sponsoring research to better understand the cost of malicious cyberactivity to the Australian economy. It says figures vary, with some putting the cost of cybercrime in Australia at about A$1 billion a year, but other estimates put it as high as A$17 billion.

But perhaps the most useful contributions to cybersecurity for the broader public come from two measures:

  • Increasing the number, and skills, of graduates with cybersecurity expertise in both the university and TAFE sector, and

  • Partnering with a range of organisations to “deliver a sustained, national awareness raising campaign, encompassing a range of activities, which enables all Australians to be secure online”.

The effectiveness of both of these policies depends on how they are actually implemented.

In tertiary education, it’s easy enough to devote a couple of lectures and an exam question to the topic, to tick an auditing body’s box marked “cybersecurity”.

Making sure that our students actually know how to design, build and operate secure systems is a much tougher challenge. It’s one that my colleagues and I at Monash University, and our counterparts at universities around Australia, are working hard on.

Is it enough?

The biggest cybersecurity threat to individuals remains the unauthorised use of their personal information to commit a variety of financial crimes. It is here that the Cyber Security Strategy seems to lack focus.

Prevention is usually better than cure, and in the case of cybercrime committed across national boundaries, law enforcement is often ineffective. It will likely remain so, despite the worthy rhetoric in the strategy about international cooperation.

Therefore, the primary defence we have is making sure the organisations that hold our personal data are taking sufficient measures to prevent cybercriminals from gaining access. Many of these organisations are in the private sector.

But the government is relying on hints and a bit of assistance to get the private sector to improve its efforts in this area. This is perhaps unsurprising, given the antipathy to “red tape” of the current government.

For example, when the strategy mentions raising the bar, it says:

“Self-regulation and a national set of simple, voluntary guidelines co-designed with the private sector will help organisations improve their cyber security resilience.”

One might have thought our largest businesses would already have the financial means to hire external consultants to assess their security strategies. But ASX 100 listed businesses are to be offered voluntary “health checks”:

“The governance ‘health checks’ will enable boards and senior management to better understand their cyber security status and how they compare to similar organisations.”

As for small business, the strategy acknowledges they might not allocate enough resources to cybersecurity and they could become a “soft underbelly or back door into connected organisations”.

To deal with that, the government plans to offer tests, carried out by certified practitioners, of what cybersecurity measures small businesses have in place.

Flogging business with a wet lettuce leaf

But there’s no shortage of information security guidelines available to organisations already. In far too many cases, what is lacking is the will to implement them.

Unfortunately, in practice, the consequences for security breaches seem extraordinarily limited. Breaches of the Privacy Act to date have resulted in financial penalties that are trivial for large organisations.

For instance, Telstra was fined a grand total of A$11,000 for a breach involving thousands of customers.

Further, companies aren’t even obligated to inform their customers of a breach, unlike in the United States and European Union.

While all this has gone unmentioned in the strategy, the government has been working on a “mandatory data breach” notification law for some time. But it seems in no hurry to actually make it law.

A draft bill was released for comment in late 2015. As of today it still hasn’t been introduced into parliament, and the draft exempts organisations with annual turnover of less than A$3 million.

Cybersecurity breaches in private sector companies sometimes do have negative consequences for those companies. But they also inflict significant and often larger consequences on the people whose personal data is stolen.

And it’s the role of governments to step in with some kind of regulation when an action creates significant negative impacts on citizens.

But the current government seems to have decided that the costs to business of forcing them to take cybersecurity seriously outweigh the benefits.



  1. Agreed. Corporates will not protect our data, unless there is a monetised reason to do so.

    • I’m split on this. On one hand, corporations generally only care for themselves while on the other hand, every bit of information relevant to the problem is stored somewhere.

      Data gets hacked, it’s their business that suffers as users go elsewhere. So they DO have a financial interest in keeping it safe.

  2. I agree on the lack of corporations’ willingness to protect us, but if monetisation is the answer how the hell do we get Government to take it more seriously? They don’t have any incentive and can hide any breach they like by claiming security or financial implications.
