AISA Response to the Department of Prime Minster and Cabinet Consultation Paper: Cybersecurity Strategy Review

Transcription

1 AISA Response to the Department of Prime Minster and Cabinet Consultation Paper: Cybersecurity Strategy Review 31 March 2015 AISA Cybersecurity Strategy Review Submission Page 1

2 Executive Summary The Australian Information Security Association (AISA) is Australia s primary information security professional representative body. Established in 1999, the Australian Information Security Association (AISA) is a not-for-profit organisation formed to advance the cybersecurity and safety of all sectors of Australian life; public, corporate, and government Through its branch network, AISA provides the broadest opportunities for networking with over 3000 information security professionals from both the public and private sector from all over Australia. AISA's vision is a world where all people, businesses and governments are educated about the risks and dangers of cyber-attack and data theft, and to enable them to take all reasonable precautions to protect themselves against it. AISA is pleased to provide this submission in response to the Department of Prime Minister and Cabinet s (PMC) Cyber Security Review Consultation Paper. Member response is based on members responses to a survey (see Appendix A for a list of the survey questions). Responses headed AISA Role or AISA Response, which relate to AISA s own position in the Australian, is provided by the AISA Executive and the AISA Policy Committee. Roles and responsibilities in cyber security In relation to government agencies, AISA members had heard of ASD/DSD, AusCERT, ASIO and the AFP. Interaction with agencies was more limited. The agencies with which members had the most interaction were ASD/DSD, AusCERT and CERTAustralia. The ASD/DSD was clearly regarded as the most influential agency by AISA members. Most members thought that government agencies were carrying out their responsibilities reasonably well. Criticisms included absence of a consistent, coordinated strategy to improve Australia's cyber security posture, focus by agencies on high level policy development rather than outcomes and lack of collaboration between agencies Members indicated a preference for one agency/regulator having over-all responsibility for cyber security. AISA Cybersecurity Strategy Review Submission Page 2

3 Challenges and opportunities The top challenges for Australia in cyber security selected by survey respondents were poor information sharing and failure at the executive level to appreciate security risks. The top challenges for Australian organisations in cyber security selected by respondents were lack of investment in security and failure at the executive level to appreciate security risks. Most respondents regarded the ability to leverage an existing sophisticated and mature skills base as a key opportunity for Australia in cyber security (44% of respondents). Members also thought that the existence of strong communities of practice such as that supported by AISA offered a unique opportunity to foster skills development and training. Identifying the missing piece of cyber security in Australia AISA Response AISA believes that existing methods of approaching and managing cyber security need to be re-assessed in view of the rapidly changing environment. AISA s focus on thought leadership, skills management and professional development will help ensure that Australian information security professionals have the skills needed to equip them for the new 21 st century. The setting of a mandatory security base-line (29%) and supporting implementation of basic security at SMEs (27%) were regarded as the two most important missing pieces of cyber security in Australia. Most respondents referred to the need for a greater understanding at a board level of cybersecurity risks coupled with some sort of regulatory push by way of a mandated security base line or greater penalties for data security failures to encourage the adoption of improved security controls throughout the ecosystem. Cyber Security in the Australian economy Respondents believed that the following would encourage private sector investment in Australia s cyber security: AISA Cybersecurity Strategy Review Submission Page 3

4 Greater research and development deductions (20%) Wider collaboration with government (18%) Stronger links with universities (16%) Cyber Security Skills & Cyber Literacy AISA Role AISA envisions having a central role in the development and management of cybersecurity skills in Australia. AISA proposes to develop a professional certification program, similar to the UK Institute of Information Security Professionals (IISP) certification program, with the input of key government and industry stakeholders. To support this scheme, AISA will provide on-going education and professional development opportunities to its members. AISA will also contribute to skills development by creating a mentoring program, with a focus on women in security, and increased networking with the education and academic communities AISA has a strong interest in increasing cyber literacy in the community. Members believed that the key skills gaps were in the more advanced security positions such as security architects, secure developers and project managers with security skills. Members believe that Government and industry can work together to address the skills shortage by: o Reviewing current tertiary education & vocational training offerings, including post graduate programs o Sponsor employment of graduates e.g. apprenticeship scheme for employer to take on security graduates Incident Response AISA Role AISA is keen to work with the Government and other key stakeholders in the industry on collaborative incident response exercises. We propose to leverage the work done by the ASD in 2012 to jointly refresh the cyber security response plan and make this more applicable across various industries. AISA Cybersecurity Strategy Review Submission Page 4

5 AISA could also co-ordinate exercises across multiple organisations, run awareness and education sessions, keeping members informed of latest developments in cyber security approaches and develop trusted networks to support members in the event of real incidents. Members believed the government could provide better co-ordination of response, including both Australian government responses and the facilitation of international activity including foreign law enforcement Information sharing was seen as another key incident response issue. ICT Supply Chain Security AISA members support government funding of some sort verification or low-level audit activity for essential systems or for service providers hosting personal information and in other cases where assurance is required. Members also suggested that greater investment in research and development of products/services within Australia, rather than reliance on overseas suppliers would assist with supply chain issues. This in turn would also encourage the growth and retention of a skilled workforce in Australia. Partnerships and Information Sharing AISA Role Subject to available funding, AISA could establish two-way information sharing processes for the benefit of the Australian community. Members believes that information sharing about threats, risks, attacks, incidents and compliance to standards should be shared more broadly Members also believe that Whistle blower protection would help support information sharing Legislation, Standards, Guidelines and Privacy Issues AISA members overwhelmingly support a set of baseline standards or guidelines for information security AISA Cybersecurity Strategy Review Submission Page 5

6 There is also wide support for increased enforcement and penalties for noncompliance with agreed base-lines where private information is concerned or where such enforcement would be regarded as for the public good Cyber Security Research, Development and Innovation AISA Position AISA has already positioned itself as a thought leader in information security by engagement with both Australian and international researchers AISA and the government should work closely to identify key innovative cybersecurity research projects which could be managed by AISA as industry partner which would help position Australia as a thought leader in cybersecurity. Members believe that increased research and development deductions would support greater investment from the private sector in new solutions and help position Australia as a thought leader in cyber security. A Centre for Cybersecurity Excellence and Innovation should be established to support thought leadership on cyber security Further Consultation AISA would be happy to provide a more comprehensive response. In particular, AISA would like to run workshops with members to discuss the key issues raised in the review in more detail, and provide details from those more interactive sessions to the Department, as part of the consultation process. We appreciate the opportunity for public consultation and thank the PMC for their efforts. Arno Brok National Director Australian Information Security Association AISA Cybersecurity Strategy Review Submission Page 6

7 Contents AISA Response to the Department of Prime Minster and Cabinet Consultation Paper:... 1 Cybersecurity Strategy Review... 1 Executive Summary... 2 Roles and responsibilities in cyber security... 2 Challenges and opportunities... 3 Identifying the missing piece of cyber security in Australia... 3 Cyber Security in the Australian economy... 3 Cyber Security Skills & Cyber Literacy... 4 Incident Response... 4 ICT Supply Chain Security... 5 Partnerships and Information Sharing... 5 Legislation, Standards, Guidelines and Privacy Issues... 5 Cyber Security Research, Development and Innovation... 6 Further Consultation... 6 Chapter 1: Introduction and Background... 9 Background... 9 Methodology... 9 Chapter 2: General Questions AISA s Response Roles and responsibilities in cyber security Challenges and opportunities Identifying the missing piece of cyber security in Australia AISA s Response Chapter 3: Specific Questions Cyber Security in the Australian Economy AISA s Response AISA Cybersecurity Strategy Review Submission Page 7

8 Cyber Security skills and cyber literacy AISA s Response Incident Response AISA s Response ICT Supply Chain Security Partnerships and Information Sharing AISA s Response Legislation, standards, guidelines and privacy issues Cyber security research, development and innovation AISA s Response Contacts and Further Information Appendix A AISA Cyber Security Review Member Survey AISA Cybersecurity Strategy Review Submission Page 8

9 Chapter 1: Introduction and Background Introduction AISA thanks the Department of Prime Minister and Cabinet (PMC) for the opportunity to participate in the Australian Government s Cyber Security Review (the Review). AISA is delighted to provide this response to the Consultation Paper issued to AISA by PMC as part of that Review. Background AISA notes that the Review is being undertaken to better protect Australia s networks from cyber-attack and ensure all Australians can benefit from the opportunities provided by cyberspace. The Review s objectives are to: look to the future of the Internet, assess the risks and tell us how to make our online systems more resilient to attack; examine how government and industry can best team up to defend ourselves jointly from those who want to harm us in cyber space; assess how Government protects its own networks and the information it holds on behalf of the Australian people, and how to best protect critical infrastructure; consider ways to better engage with international cyber security forums to further Australia s interests and ways to cement our leadership on cyber security within our region; and Look for ways to better address Australia s cyber security skills needs, including attracting more women to the discipline, and support the Australian community to better understand their role in securing their interaction with cyberspace. Methodology This submission is based on a review by the AISA Executive and Policy Committee of the questions posed in the Consultation Paper and consideration of the role that AISA has to play in the Australian cybersecurity eco-system. Some of the questions in the Consultation Paper were directed more generally to the Australian cybersecurity landscape. To assist in answering those questions, input was sought from AISA s members via an on-line survey. A copy of the questions posed in the AISA Cybersecurity Strategy Review Submission Page 9

10 AISA member survey (which were based on the questions posed in Consultation Paper) is included in Appendix A. Responses to those questions have been collated and summarised in this submission and have been included under the sub-heading to differentiate that data from the information provided by AISA in regard to its own role. There were over 50 responses to the survey. Although sufficient to provide good data on members responses to the questions raised in the Consultation Paper, this number is reflective of both the limited amount of time available to secure member responses and the time needed by members to respond given the complexity of the issues raised. A number of comments were made by the survey participants in regard to the complexity of the issues raised, and the time required to respond. A number of respondents also queried whether a survey was the most appropriate method to secure member input on the questions raised. More detailed and considered input from a larger and broader group of members could be achieved with more time. Although AISA believes that the membership input which has been received has been valuable in terms of assisting AISA form its response to the questions raised in the Consultation Paper, given the complexity of those issues and their importance to the information security community AISA would welcome the opportunity to undertake a more comprehensive consultation process with its members. In particular, AISA believes that a series of facilitated workshops, involving a broader group of members from across different industries and geographies, would provide valuable input to this consultation process. Further submissions generated from those sessions could then be provided to the Department, as part of the consultation process. This would help ensure that the very important issues raised in this Review receive the widest possible consideration from the community of practitioners most concerned. We have responded to the questions raised in the Consultation Paper adopting the same headings, numbering and layout used in that document. AISA Cybersecurity Strategy Review Submission Page 10

11 Chapter 2: General Questions There are three broad areas that PM&C is seeking views from all organisations consulted. Roles and responsibilities, in particular the Australian Government s, in cyber security. Do current roles and responsibilities for cyber security in Australia need clarifying and/or updating? Do they reflect your views on the Australian Government s role and responsibilities and that of your organisation/institution? Challenges and opportunities. What is the key challenge Australia faces in cyber security? What is the key challenge being faced by your organisation in cyber security? What are opportunities for Australia in cyber security? Are we taking advantage of these? Identifying the most important missing piece of cyber security in Australia. What would you change about existing methods of approaching / managing cyber security, and why? AISA s Response AISA welcomes the opportunity to outline both its current role as the pre-eminent representative of the Australian information security community and the ways that AISA may be able to collaborate in the future with government, industry and other stakeholders to support cyber security initiatives in Australia. Generally, AISA regards itself is a vital player in Australian cyber security. Through its extensive member base, AISA supports the connection between government, policy makers, industry and the information security profession. AISA takes an advocacy position in regard to issues important to the information security community and provides an expert consensus view to government, industry and the community. AISA also provides thought leadership regarding cybersecurity in Australia and sees itself as being an important contributor to cybersecurity research, development and innovation in Australia. AISA Cybersecurity Strategy Review Submission Page 11

12 AISA recognises some existing weakness in collaboration between government and industry, 1 and is supportive of greater engagement between industry and government. With its membership base of over 3000, AISA is an important and uniquely placed intermediary to support this engagement. In particular, AISA can: Provide access to the most extensive network of information security professionals in Australia Support the development of the profession, including the assessment of professional skills Disseminate threat and risk information and act as a trusted intermediary in the two-way sharing of information between government agencies and the public sector Promote general public awareness of cybersecurity issues Be an international thought leader in information security. AISA is progressing the development of its role as the provider of independent skills assessment of information security professionals for different roles within the cybersecurity eco-system. AISA proposes to leverage an existing program such as the IISP framework developed and implemented in the UK, modifying it for the Australian environment. AISA recognises that the information security landscape is rapidly changing and that new lenses are required for considering information security in terms of risks, solutions and the information security community itself. AISA is positioning itself as a thought leader in information security, establishing links with leading local (such as the University of NSW, University of Queensland, Edith Cowan University and DSTO) and international academic research institutions (Information Security Group, Royal Holloway, University of London). AISA has already contributed to a pilot study of the Australian information security cohort, together with Royal Holloway as part of its Cyber Security Cartographies project. 2 AISA also recognises that there is a number of existing certification programs for information security professionals (such as CISSP, CISA and CISM). AISA has supported and will continue to support its members in achieving recognition pursuant to existing 1 The ASPI Cyber maturity index report identified weakness in collaboration between government and industry. 2 More information about the Cyber Security Cartographies project is available at AISA Cybersecurity Strategy Review Submission Page 12

13 certifications. In particular, AISA has established relationships with the providers of key existing security certifications (such as (ISC)² ISACA and others) Roles and responsibilities in cyber security Survey Questions Members were asked to respond to the following survey questions: Which agencies have you heard of in terms of their involvement in cyber security in Australia? [Number of different agencies were listed] Which have you interacted with in your professional capacity? How do you think each of the current government agencies is carrying out their role? Which do you think is the most influential in terms of Australia s cyber security? Should there be a single agency/regulator with over-all responsibility for cyber security (both government and private sector) Which of these agencies have you heard of in terms of their involvement in cyber security in Australia? From the list, most respondents indicated that they had heard of ASD/DSD, AusCERT, ASIO and the AFP. Somewhat fewer had head of CERT Australia and AGD and even fewer were aware of the role of the Australian Privacy Commissioner in relation to cyber security. Other agencies referred to by respondents included CLEDS, VAGO, NICTA, CSIRO, DSTO, DBCDE, and AGIMO. Although the AISA members have a reasonable understanding of the different agencies and their roles, managers (including CIO s and CISO s) are often uncertain about when and how an issue can be handed from one agency to another, and whether there is any coordination between these. Which have you interacted with in your professional capacity? While a number of respondents indicated that they had interaction with all or most of the listed agencies, approximately the same number of the respondents indicated that they had had no interaction with any government agency. In those responses where specific agencies were referred to, the agencies with which respondents had the most interaction were ASD/DSD, AusCERT and CERTAustralia AISA Cybersecurity Strategy Review Submission Page 13

14 (which all had 15 respondents who indicated some interaction). Following that were the AFP (8 respondents) and the AGD (6 respondents). Only 4 respondents referred to any specific interaction with the Australian Privacy Commissioner. How do you think each of the current government agencies is carrying out their role? Most respondents thought that government agencies were carrying out their responsibilities reasonably well. Comments included the following: Reasonably well, though it's a lot of bodies to deal with and knowing where to go is not always easy. I think there is some overlap/duplication, and some gaps. Given the number of different bodies with some responsibility, it is not always easy to know where to go and there is some overlap and duplication as well as some gaps Better coordination or clarity of scope would be helpful Criticisms included: Absence of a consistent, coordinated strategy to improve Australia's cyber security posture Focus by agencies on high level policy development rather than outcomes Lack of collaboration between agencies Effectiveness limited by funding and lack of evidence based responses. There was some suggestion that activities were motivated by politics rather than evidence At a state level, these government agencies have limited reach and as such governance over security matters is disjointed at best Information tends to be one way (towards the government) with little return Which do you think is the most influential in terms of Australia s cyber security? The ASD/DSD was clearly regarded as the most influential agency by AISA members responding to the survey. A number of members referred specifically to the ASD Top 35 one calling to practical and persuasive. Reference was also made to AGD and PM&C. Should there be a single agency/regulator with over-all responsibility for cyber security (both government and private sector)? AISA Cybersecurity Strategy Review Submission Page 14

15 Members indicated a preference for one agency/regulator having over-all responsibility for cyber security. Those in favour thought that would simplify the current approach. There was some suggestion that privacy should be outside the remit of the cyber security over sight authority. Some of those not in favour of a single over-sight authority regarded it as too difficult to establish or too important to have a single agency with over-all responsibility. Others indicated that there was still a central co-ordination role that could help with navigating through the different departments. Challenges and opportunities Survey Questions Members were asked to respond to the following survey questions: What is the key challenge Australia faces in cyber security? [Number of challenges listed] What would you regard as the main challenge for your organisation? [Number of challenges listed] What are opportunities for Australia in cyber security? [Number of opportunities listed] What is the key challenge Australia faces in cyber security? The top challenges for Australia in cyber security selected by respondents were: Poor information sharing (35%) Failure at the executive level to appreciate security risks (27%) Weak and under-resourced regulators (8.3%) What would you regard as the main challenge for your organisation? The top challenges for Australian organisations in cyber security selected by respondents were: Lack of investment in security (27%) Failure at the executive level to appreciate security risks (17%) Changing user behaviour (12.5%) AISA Cybersecurity Strategy Review Submission Page 15

16 The adoption of cloud computing and lack of reliable threat/risk information was regarded as the main challenge by only 4.17% of respondents. What are opportunities for Australia in cyber security? Most respondents regarded the ability to leverage an existing sophisticated and mature skills base as a key opportunity for Australia in cyber security (44% of respondents). Members also thought that the existence of strong communities of practice such as that supported by AISA offered a unique opportunity to foster skills development and training. Reference was made to CSIRO s invention of Wifi as an example of the things that could be achieved with appropriate support and collaboration with research organisations. Particular areas where it was felt that Australia had some special expertise that provided any opportunity for leadership in cyber security included: Security of ehealth is a major area where Australia could be exporting software, services, and intellectual property to the rest of the world. China has an aging population and is seeking to improve their healthcare systems to prepare for this. Australia could leverage our strong economic ties with China in this emerging industry. The Internet of Everything here Australia has an opportunity to provide leadership to the rest of the world. Securing of smartgrids, safety for driverless cars, security of e-voting, etc. There are a stunning number of areas in cyber security where our geographic isolation really doesn t matter. Identifying the missing piece of cyber security in Australia AISA s Response AISA believes that existing methods of approaching and managing cyber security need to be re-assessed in view of the rapidly changing environment. The convergence of the spread of cloud, the proliferation of user devices in the organisational environment, the growing recognition of shadow IT where the technology is being taken outside the control of the IT department, the rolling out of the internet of things all introduce new levels of ambiguity and contestation for IT and information security professional. AISA Cybersecurity Strategy Review Submission Page 16

17 AISA s focus on thought leadership, skills management and professional development will help ensure that Australian information security professionals have the skills needed to equip them for the 21 st century. By supporting AISA in its skills development and research and education engagements, as part of AISA s commitment to thought leadership and the information security profession, the Australian government could make a significant contribution to solving the most important missing piece of cyber security in Australia. Survey Questions Members were asked to respond to the following survey questions: What is the most important missing piece of cyber security in Australia? What would you change about existing methods of approaching / managing cyber security, and why? What is the most important missing piece of cyber security in Australia? The two most important missing pieces of cyber security in Australia were: Setting a mandatory security base-line (29% of respondents) Supporting the implementation of based security at SME s (27%) Other comments included: Innovation in our approach to managing information security Objective, reliable and performance based assessment of the best performing security solutions to give Business and individuals a fair chance at selecting a solution that will best minimise their risk Not re-inventing the wheel, and taking advantage of established global standards/approaches etc. What would you change about existing methods of approaching / managing cyber security, and why? Most respondents referred to the need for a greater understanding at a board level of cybersecurity risks coupled with some sort of regulatory push by way of a mandated security base line or greater penalties for data security failures to encourage the adoption of improved security controls throughout the ecosystem. AISA Cybersecurity Strategy Review Submission Page 17

18 The importance of business accountability for and correlating business risk to cyber security was referred to by a number of respondents. Ways to achieve this included the need to educate boards on information risk (which would lead to the introduction of more of a top down approach to information security with security becoming an integral cost of business much the same as hardware and software, not an optional overhead ). In addition to greater education, suggested changes that could be made in terms of business accountability included mandatory incident reporting and government incentives with measurable outcomes and increased sharing of information. A number of respondents referred to the need for better coordination of information exchanges between public and private sectors, so we can tackle cyber security problems collaboratively. Others referred to more streamlining of communication to avoid repeated information constantly needing to be relayed. Many respondents suggested the introduction of a set of mandatory base-line security controls, although problems with this approach were also acknowledged. Members were of the view that the base-line should be supported by some sort of penalty system. For example, one respondent said: Mandate a minimum baseline. Measure that baseline and penalise parties not compliant or not meeting the minimum requirements. It should come from organisations like the AICD, Government and other peak industry bodies. A law without a stick will never work and it hasn't worked in Australia. A mandatory security base-line is discussed further below. Reference was also made to the development of the information security profession and the importance of AISA s role in helping industry define and understand the varying roles within the professional. A number of respondents referred to the need to change the emphasis in security from technology to strategic thinking. One respondent referred to the need for information security to differentiate between technology and the human aspects of security, saying: At the heart of technology is human - human communications. These communications are either direct, mediated by a machine or undertaken by two machines for a human designated purpose. Once we shift the policy debate to that perspective, technological change becomes a feature of the environment rather than a hindrance. This can help shift the policy discussion to where it needs to be, focusing on the human consequences of cyber security rather than the technical AISA Cybersecurity Strategy Review Submission Page 18

19 AISA Cybersecurity Strategy Review Submission Page 19

20 Chapter 3: Specific Questions Cyber Security in the Australian Economy AISA s Response What do you see as AISA s role in Australia s cyber security and beyond? Established in 1999, the Australian Information Security Association (AISA) is a not-for-profit organisation formed to advance the cyber-security and safety of all sectors of Australian life; public, corporate, and government. AISA is the peak body for the information security profession in Australia. Through its extensive branch network, AISA provides the broadest opportunities for networking with over 3000 information security professionals from both the public and private sector from all over Australia. AISA's vision is a world where all people, businesses and governments are educated about the risks and dangers of cyber-attack and data theft, and to enable them to take all reasonable precautions to protect themselves against it. Our intention is to make Australia more secure on the Internet. This stretches from our largest banks, through to sole traders, through to retirees, through to schoolchildren. AISA wants all Australians to be more secure as a result of the collegial learning that AISA provides. There are a number of dimensions to AISA s role in Australia s cyber security, both now and in the future. AISA supports the connection between government and policy makers and the information security profession. On strategic policy issues such as those raised by this Review AISA is able to go to its extensive membership and provide feedback. In addition, through its branch meetings and education program AISA is both developing and supporting communities of practice throughout Australia and engaging with a wide range of different stakeholders, including the broader community. AISA supports the education of its members, takes an advocacy position in regard to issues important to the information security community and provides an expert consensus view to AISA Cybersecurity Strategy Review Submission Page 20