Quote Of The Year

Timeless Quotes - Sadly The Late Paul Shetler - "It's not Your Health Record it's a Government Record Of Your Health Information"

or

H. L. Mencken - "For every complex problem there is an answer that is clear, simple, and wrong."

Wednesday, August 12, 2020

A New National Cyber Security Strategy Is Announced But Questions Remain.

Last week the Government unveiled a new cyber security strategy:

Govt finally unveils Australia's new cyber security strategy

By Justin Hendry on Aug 6, 2020 1:22PM

Places focus on critical infrastructure.

The federal government has finally unveiled its delayed cyber security strategy but left much of the detail to forthcoming legislation that is yet to be put before parliament.

The 52-page strategy [pdf], released on Thursday, will see $1.67 billion invested in a number of already-known initiatives aimed at enhancing Australia's cyber security over the next decade.

Much of the funding is from the previously announced $1.35 billion cyber enhanced situational awareness and response package.

The strategy’s key elements include proposed laws and an “enhanced regulatory framework” to secure critical infrastructure, deemed the “best way to protect Australians at scale”.

The new powers will outline the government’s minimum expectation, including an “enforceable positive security obligation for designated critical infrastructure entities”.

“These powers will ensure the Australian Government can actively defend networks and help the private sector recover in the event of a cyber attack,” the strategy states.

“The nature of this assistance will depend on the circumstances, but could include expert advice, direct assistance or the use of classified tools. 

“This will reduce the potential down-time of essential services and the impact of cyber attacks on Australians.”

The framework, which will be delivered through amendments to the Security of Critical Infrastructure Act, is also expected to extend to systems of national significance 

Further afield, the government is also considering “legislative changes that set a minimum cyber security baseline across the economy”.

While securing critical infrastructure is a major focus of the strategy, the government also plans to assist SMEs to uplift their cyber security capabilities with the help of large businesses. 

One such capability could provide SMEs with ‘bundles’ of secure services such as threat blocking and antivirus, as well as other cyber security awareness training.

“Integrating cyber security products into other service offerings will help protect SMEs at scale and recognises that many businesses cannot employ dedicated cyber security staff,” the strategy states.

More here:

https://www.itnews.com.au/news/govt-finally-unveils-australias-new-cyber-security-strategy-551358

The strategy was not an instant success with some.

Experts bemoan lack of detail in cyber strategy

Paul Smith Technology editor

Aug 6, 2020 – 6.17pm

New rules to make company boards responsible for their organisations' cyber defence prowess have been welcomed by industry experts as the bright spot in an underwhelming national cyber security strategy.

Concerns have been raised that only defence and law-enforcement functions are receiving sufficient new funding.

Prime Minister Scott Morrison and Home Affairs Minister Peter Dutton unveiled Australia's overdue Cyber Security 2020 strategy on Thursday morning, after details of new requirements on crucial infrastructure providers were revealed on Wednesday night.

The new strategy included $1.67 billion investment over 10 years, with $1.3 billion going on a Cyber Enhanced Situational Awareness and Response (CESAR) package, including 500 new jobs within the Australian Signals Directorate, which was announced in June.

"Three elements of the strategy are particularly significant to the private sector: increased regulation, new critical infrastructure obligations and a scaled approach to protecting smaller businesses and families," former national cyber security adviser Alastair MacGibbon, who is now chief strategy officer at CyberCX, said.

"Industry and government will co-design new legislation introducing economy-wide cyber security responsibilities, so in the same way as workplace health and safety is now fully accepted as a board responsibility, soon boards and executives will likely be held accountable for cyber security risk management ... A security baseline will drive innovation, stability and profitability."

However, Mr MacGibbon said he believed there was not enough detail about remediating a national shortage in cyber security skills for businesses to access.

Others in the industry complained that the document had too many generic "motherhood statements", without enough detail on what practical things would change in smaller businesses, and how Australia was going to grow a stronger local sector of tech security companies.

"By my calculations more than 90 per cent of the $1.6 billion is going to the ASD and AFP in one way or another ... So really, this is much less of a national cyber strategy, and much more of a warning shot to hostile nation states that Australia is delivering a capability uplift to our signals intelligence and law enforcement capability," CISO Lens managing director James Turner said.

More here:

https://www.afr.com/technology/experts-bemoan-lack-of-detail-in-cyber-strategy-20200806-p55j7m

There was also a common theme of giving more power to the police.

Federal Police given new powers in $1.66 billion cyber security package

By Anthony Galloway

August 5, 2020 — 10.30pm

The Australian Federal Police will be given powerful new cyber tools to break into the networks of online paedophiles and terrorists using computer servers on the "dark web".

The new capability will allow the AFP to penetrate the computer networks of criminals operating domestically for the first time. The agency will be given $88 million to bolster its cyber capabilities under a $1.66 billion cyber security package to be unveiled on Thursday.

Releasing the nation's new four-year cyber security strategy, Prime Minister Scott Morrison will say the new powers are needed to "track criminals in the darkest corners of the internet to protect our families and children".

Home Affairs Minister Peter Dutton said families and businesses were spending more time online and the country needed to make it safer.

"Paedophiles are targeting kids online in chat groups," Mr Dutton said.

"Criminals are scamming money off our elderly by stealing their internet banking details. Businesses are being locked out of their systems by ransomware attacks.

"And some foreign governments are using the internet to steal health data and have the potential to turn off banking or energy systems."

The strategy will put new obligations on the operators of critical infrastructure such as power plants, communications and ports so they can better fend off serious cyber attacks, including giving them $66 million to assess their networks for vulnerabilities.

There will also be a massive broadening of what is considered "critical infrastructure" under laws passed in 2018, allowing the Home Affairs Minister to step in and compel the operators to improve their defences against sabotage and spying - with banking, finance, health, food and grocery added to the list.

Small and medium-sized businesses will also be given more support to upgrade their cyber security systems, and the government will work with large companies and service providers to provide small businesses with better information and "secure services" such as threat blocking and antivirus training.

For a number of years the federal government has been considering the best way to give law enforcement "offensive capabilities" to go after serious criminals using the "dark web" on domestic servers. The dark web is a part of the internet which allows users to interact anonymously and therefore can more easily evade traditional law enforcement or investigation methods.

Under a previous proposal floated within government, the Australian Signals Directorate - Australia's premier foreign cyber intelligence agency - was to be enlisted by the security agencies such as the AFP to help track down serious criminals using domestic servers.

Instead, under this plan the AFP and the Australian Criminal Intelligence Commission will be given the tools and enhanced powers to go after individuals and networks engaging in serious criminal activity.

More here:

https://www.smh.com.au/politics/federal/federal-police-given-new-powers-in-1-66-billion-cyber-security-package-20200805-p55ix4.html

My reading of the document really does confirm the law and order and defence emphasis with many, many fewer dollars being directed to SME and education where I suspect we have the larger gaps right now!

We are still seeing way too many cyber breaches – witness this last week – and we need to do better with the basics:

Regis Healthcare loses data in Maze ransomware infection

By Ry Crozier on Aug 3, 2020 11:25AM

Prompts ACSC warning on broader campaign targeting aged care.

ASX-listed aged care provider Regis Healthcare has lost data to an overseas-based attacker that has also started leaking it, prompting an industry-wide warning by federal cyber security authorities.

The company said today that it had “been targeted in a cyber attack by an overseas third party” that had “copied some data from [its] IT system and released certain personal data publicly.”

iTnews was able to confirm the cause of the incident as a Maze ransomware infection.

The Australian Financial Review reported that residential care and accommodation agreements for one care facility were among documents leaked.

Lots more here:

https://www.itnews.com.au/news/regis-healthcare-loses-data-in-maze-ransomware-infection-551183

This sort of thing needs to be got under control and I am not sure what the Government is proposing will do it.

What do you think?

David.
