On 12 December, Australia issued its first Cyber Incident Management Arrangements (CIMA) for state, territory, and federal governments. It is a commendable step towards a comprehensive national cyberspace civil defense strategy. Coming at least a decade after the government first anticipated the need, this is just the first step on a path that requires a lot more development. In addition to CIMA, the government must better explain to the public the unique threats posed by large-scale cyber incidents and therefore involve the private sector and a wider expert community in addressing these unique threats.
Australia is poorly prepared
The new cyber incident arrangements are aimed at reducing the scope, impact and severity of a "national cyber incident." A national cyber incident is defined as potentially of national importance, but less serious than a "crisis" that would trigger the Australian Government Crisis Management Framework (AGCMF). Australia is currently unprepared to respond to a major cyber incident such as the 2017 WannaCry or NotPetya attacks. At a cost of A$160 million, WannaCry severely disrupted the UK National Health Service. NotPetya shut down Maersk, the world's largest container shipping company, for several weeks at a cost of A$500 million. When the cost of random cyber-attacks is so high, it is essential that all Australian governments have coordinated plans to respond to hazardous incidents. The CIMA establishes inter-jurisdictional coordination arrangements, roles, responsibilities, and cooperation principles. A higher-level cyber crisis that would trigger the AGCMF (a process that itself appears to be somewhat under-prepared) is one that: … leads to sustained disruption of essential services, severe economic damage, a threat to national security, or to death.
More cyber experts and cyber incident exercises
At a length of only seven pages in a glossy brochure format, CIMA does not outline specific operational incident management protocols. It is up to the state and territory governments to negotiate these with the Commonwealth. This means that the protocols that are developed can be subject to competing budgetary priorities, political appetite, different cyber maturity levels, and, most importantly, staffing needs. Australia is experiencing a serious crisis in the availability of qualified cyber staff in general. This applies especially to specialist areas for the management of complex cyber incidents. Government agencies are struggling to compete for top-level recruits with large companies, such as major banks.
Australia needs people with cybersecurity expertise. The skills crisis is exacerbated by Australia's lack of high-quality education and training programs. For the most part, our universities do not teach, or even investigate, complex cyber incidents on a scale that can begin to serve national needs.
The federal government needs to rapidly strengthen and formalize cooperation arrangements with key non-governmental partners, especially the business sector, but also researchers and large non-profit organizations. Critical infrastructure providers, such as electricity companies, should be among the first companies to cooperate because of the scale of potential impacts when they are attacked. In order to do this, CIMA sets out plans to institutionalize, for the first time, regular cyber incident exercises that address national needs.
Better long-term planning is needed
Although these moves are a good start, three longer-term tasks need to be addressed. First, the government needs to build a consistent, credible, and lasting public narrative for its cyber incident policies and related exercise programs. Former Cyber Security Minister Dan Tehan spoke of a single cyber storm, former Prime Minister Malcolm Turnbull spoke of a perfect cyber storm (several storms together), and cyber coordinator Alastair MacGibbon spoke of a cyber-catastrophe, which is Australia's only existential threat. But there is little public expression of what these ideas mean. The new cyber incident management arrangements are meant to work below the level of a national cyber crisis. However, the country is in dire need of a cyberspace civil defense strategy that addresses both levels of attack. Cyber threats are not mentioned on the Australian Disaster Resilience Knowledge Hub website. This is an entirely new form of civil defense, and a new form of organization may be required to carry it forward.
Another potential solution is a new, dedicated arm of an existing agency, such as the State Emergency Services (SES). One of us (Greg Austin) proposed in 2016 that a new "cyber civil corps" be created. This would be a disciplined service based on part-time commitments made by the people best trained to respond to national cyber emergencies. A cyber civil corps could also contribute to the definition of training needs and to national training packages.
The second task is for private companies, which face potentially crippling costs from random cyber-attacks. They will have to develop their own expertise in cyber simulations and exercises. Leaving such responsibilities to consulting companies or one-off reports would lead to scattered results. Any "lessons learned" about contingency management in companies could not be consolidated and shared with the broader business community.
The third task of all stakeholders is to mobilize a growing knowledge community led by academic, government, and private researchers. What currently exists is minimalist and appears to be hostage to the preferences of a few senior officials in the Australian Cyber Security Centre (ACSC) and the Department of Home Affairs who may not be in office for several years. The whole community is responsible for cyber civil defense. Australia needs a national Cyber Security Emergency Management and Resilience Standing Committee which is a partnership between government, business, and academic experts.