Whistleblowers, like the ones Malcolm Turnbull defended in the Spycatcher case, or people using encryption, like, um, the Prime Minister, are some of the reasons we need to spend $230 million on new cybersecurity measures.
Yesterday, surrounded by the who’s who of the IT security and finance industries, Turnbull laid out his grand plan for cybersecurity with the release of the cybersecurity strategy. The strategy was being re-written during Tony Abbott’s prime ministership, and although there had been rumours that Turnbull had ordered another re-write of the document, the Department of Prime Minister and Cabinet stated last year that Turnbull had not asked for “a substantial” re-write.
Still, the Prime Minister’s mark was over the document, as he announced over $230 million across 33 new initiatives to improve cybersecurity, including funding more than 100 security experts, in a move to combat the Australian Crime Commission’s estimate that cybercrime costs Australia about $1 billion per year — though the government tends to use the inflated estimate of $17 billion in total costs. Several new jobs were created with the word “cyber” in them, including a minister assisting the Prime Minister on cybersecurity, a special adviser on cybersecurity in the Department of Prime Minister and Cabinet, and a new cyber ambassador.
The new minister and ambassador have not been announced, possibly due to the closeness of the election, but the special adviser will be Alastair MacGibbon, who has been serving as the children’s e-safety commissioner but will now move into a role much more suited to his skills and experience.
The largest slice of money will go to the Attorney-General’s Department for a “joint cyber threat sharing centre” as well as the Australian Cyber Security Centre for partnering with the private sector to help them determine what vulnerabilities they have. The centre has already been developing partnerships with industry and responds to about 1000 attacks on national or critical infrastructure. The government’s cybersecurity response team, CERT Australia, will also get $21.5 million to improve its capabilities. Some $30.5 million will go to establish a Cyber Security Growth Centre within the Department of Industry, Innovation and Science, and CSIRO’s Data61 will get $7.5 million for its cybersecurity projects.
A total of $10 million will be spent on “cybersecurity awareness” campaigns to make sure people are aware of the risks posed by the internet, and $15 million has been set aside for small business grants to improve cybersecurity.
Funding to the tune of $11 million will be spent for the government to identify its own vulnerabilities. In announcing this, Turnbull confirmed major data breaches for the Bureau of Meteorology and the Department of Parliamentary Services, and he indicated the Australian Signals Directorate would be capable of responding, “subject to stringent legal oversight”.
The attacks were not confirmed at the time, with security reasons cited, but those can clearly be overlooked when it comes to announcing funding before an election. As Stilgherrian noted on ZDNet, the timing was interesting, coming so soon after Turnbull had visited China. Although the PM would not talk about the origins of the attack, it was sending a clear message to China that if it persisted in attacking government agencies, Australia could and would respond.
Turnbull’s speech and subsequent press conference provided an interesting case of “do as I say, not as I do” for the Prime Minister, as he warned that some of the biggest challenges faced in cybersecurity were insider threats and encryption.
“Authorised working relationships between government and certain private sector partners were unfortunately damaged in the release of stolen documents by Edward Snowden, and we recently saw in the exchanges between Apple and the FBI, the difficulty that modern encryption poses for law enforcement.”
Turnbull repeated that Snowden was the most “celebrated” example of the inside job.
How quickly the Prime Minister’s views have changed since he made a name for himself in the Spycatcher case, or more recently admitted to using encryption apps to have secure communications with his colleagues.
Bizarrely, at one point, Turnbull was asked whether the government would force companies to disclose data breaches — as is outlined in legislation he is set to introduce in the winter sitting period — and Turnbull didn’t mention it at all:
“If we work together, business, individuals, consumers if you like, households, and governments, if we share more and if the telcos share more too, then as we learn more about the vulnerabilities and the vectors which malicious actors use, then we become more secure and we all learn from each other.”
Overall, the announcement was widely welcomed by not only the technology industry, but also the telecommunications industry, even though the government still has national security legislation before Parliament that would require network operators to give the government greater information and control over their private networks, all in the name of national security.
And awkwardly, for a policy warning about cyber threats, the contents of the strategy were leaked to a technology website 10 days before it was released.