The Federal Government’s annual cyber threat report, released in late 2023, noted that malicious cyber activity continues to pose a risk to Australia’s security and prosperity.
In fact, nearly 94,000 reports were made to law enforcement, which is about one incident being reported every six minutes.
From scam emails and hacks of personal medical information to attacks on transport and energy systems, we are all exposed and vulnerable – either directly or indirectly.
Australia’s critical infrastructure is increasingly interconnected and interdependent in its operations, and that connectivity creates vulnerabilities that cascade throughout society if proper safeguards are not put in place. Those safeguards can only come through a better shared understanding of the threats Australia faces and how they can be overcome.
This demands that owners and operators of critical infrastructure, industry regulators, academia and all levels of government, including local government areas, work together now to ensure Australia’s security practices, policies, laws and regulations bolster the security and resilience of the nation’s critical infrastructure and position all to act in any future emergency.
Australia’s critical infrastructure entities are increasingly being targeted by sophisticated cyber attacks. And while there are several government initiatives, legislation and regulation that address cyber assurance and reporting, one must ask – is that enough?
Defensive strategies cannot be formulated in isolation by individual critical infrastructure entities, no matter how much legislation and regulation are imposed. Australia has yet to develop a community-based approach to support government efforts in fostering genuine cyber resilience across the critical infrastructure ecosystem.
A collective security posture is needed that is well informed of the cyber threats as they emerge, and ideally, even before. Existing sharing initiatives, led by government, are heavily focused on the sharing of technical threat information. Yet among small-to-medium enterprises, galvanising community engagement across the public and private sectors has not been an easy journey.
What needs to be done is to recognise that industry itself must rise to the challenge and offer an internal trusted facilitator for the intelligence exchange, and to ensure the overall quality of information flowing out to the critical infrastructure community.
In mid-February 2024, the Australian Signals Directorate lamented a decline in the frequency and richness of cyber incident data shared with it by the private sector. Without a full understanding of the cyber incidents occurring across business, industry, the health system, educational institutions, etc, Australia remains exposed, vulnerable and at grave risk from attack.
This exposure underlines the importance of establishing some form of a trusted channel for information exchange. Cyber threats span all sectors; therefore, a more holistic approach to sharing information on cyber threats and attacks is needed.
What could such a “holistic approach” to information sharing look like in reality? An industry-led cyber threat intelligence-sharing, not-for-profit organisation, perhaps? One that would ensure a trusted environment in which to securely and independently gather and disseminate cyber threat intelligence across all critical infrastructure sectors. It would provide a commercially safe environment where intellectual property and liability protections exist.
Its operational processes and technical capabilities would enable sharing of contextualised cyber threat intelligence. And its transparent and open culture would encourage behaviours of participation, collaboration and cooperation between members.
And the good news … it already exists. The Critical Infrastructure – Information Sharing and Analysis Centre (CI-ISAC) was launched on 6 February 2023, to establish a cyber intelligence-sharing community to help boost the cyber resilience of all critical infrastructure providers in Australia, from the largest to the smallest.
CI-ISAC offers a mechanism for sharing cyber intelligence across the industry owners and operators of Australia’s critical infrastructure to support collective cyber defence. This enables members to manage their risk more effectively by obtaining insights across all critical infrastructure sectors. It represents an opportunity for industry to self-organise and manage its own challenges, offering a united ability to interact with government initiatives and engage on its own terms.
The cross-sectoral perspective facilitates resource pooling, expanded access to support, and improved overall cyber posture as it improves the quality of analysis and adds context to the information being shared. This contextual information sharing is vital as technical indicators in isolation do not inform risk-based decisions to enable a proactive response.
The CI-ISAC offers a compelling strategic narrative and operational capability in building cyber resilience but has yet to receive any government support. How can Australia hope to position itself to survive, and thrive, when the fundamentals of resilience and security remain fragmented?
Dr Gary Waters is a retired Air Commodore and senior public servant in defence who has also worked in senior roles in the private sector, and continues to provide strategic advice to Jacobs Australia in a casual role. He is a founding director of the Integrated Institute for Economic Research – Australia and is strategic adviser to the Board of the Critical Infrastructure – Information Sharing and Analysis Centre (CI-ISAC).
Original Article published by Gary Waters on Riotact.