Why should government take action on cyber security?

KPMG recently welcomed the opportunity to provide a submission to the Department of Home Affairs’ Discussion Paper: Strengthening Australia’s cyber security regulations and incentives. The report highlights the already strong evidence that cyber incidents are affecting Australian government agencies, businesses, and individuals with often devastating implications.

In section one of the submission we look at why the government should take action. We look at the increased risk environment brought about by the COVID-19 pandemic, changing priorities of cyber workforce professionals and the impact that geopolitics is having on the threat environment. While these issues in isolation may not have a significant impact, together they are creating an urgent need for government to act to better protect businesses and individuals from cyber security-related harm.

Digital transformation and cybercrime

It is no surprise that Australian business and government leaders are focused on cyber security. Digital transformation has changed, and is still changing, how we live and how businesses and governments operate. It is also increasing our vulnerability to cybercrime. Since the start of the pandemic, cyber criminals have capitalised on this disruption. They have industrialised the scale at which they can launch attacks. There has never been a more important time for government and business to reassess the key pillars that support a safe, secure, and resilient cyber sector.

In this context, cybercrime is presenting an increasing challenge for Australian law enforcement agencies in their efforts to bring to justice individuals or groups responsible for cybercrime. Overcoming the current challenges and increasing law enforcement successes should help to deter cybercriminal activity, but this needs to be balanced with the right oversight, accountability, and privacy protections.

Attracting and retaining cyber security professionals

Unsurprisingly, the Harvey Nash / KPMG CIO Survey 2020 found that security is now the top technology investment priority, listed by 47 percent of respondents, and, for the first time in this survey’s history, cyber security expertise has become the most in-demand skill set. But the demands of these employees have changed with the pandemic. In August 2020, the Australian Government launched Australia’s Cyber Strategy 2020 (the Australian Cyber Strategy). The Australian Cyber Strategy included the Cyber Security National Workforce Growth Program, underpinned by a Cyber Skills Partnerships Innovation Fund. The program encourages businesses and academia to partner to find innovative new ways to improve cyber security skills. These initiatives have been strengthened by the Minister for Employment, Skills, Small and Family Business’s announcement of new, fast-tracked training qualifications for the ICT sector to further equip Australia’s workforce with cyber security and digital skills.

While the strategy and related cyber workforce actions were welcomed by the industry, AustCyber has forecast that almost 17,000 new jobs will be needed to 2026. Given the scale of the pipeline of skilled cyber professionals required across Australia, the Australian Government could consider developing a standalone cyber workforce strategy that would look at the numbers of people entering the profession across the entire education system to plan for the workforce needed by 2030. This planning would also need to consider the COVID-19 border closures and the current inability of businesses to source skilled cyber professionals from outside Australia.

Geopolitics and its impact on the threat environment

We know that threats in the cyber domain are not inhibited by distance or borders. While digital and cyber risk is not new to business, what is changing is the external threat environment that drives cyber-attacks and determines who or what is of interest to cyber attackers. It might not seem immediately obvious, but global geopolitical dynamics are fundamentally increasing businesses’ exposure to cyber risk.

The 21st Century has been termed ‘the Asian Century’, an era in which many analysts see the centre of economic and political power shifting from the West to the East. This redistribution of global weight is not uncontested, and we are seeing growing strategic competition between two major economies, China and the United States. At the same time, we are seeing various state actors racing to position themselves at the forefront of the emerging order. This geopolitical context of strategic competition and the race for primacy and influence means that state actors are increasingly turning to the cyber domain to achieve their objectives. Pre-eminence in the cyber domain will, in the not-too-distant future, be highly relevant to overall geopolitical power. Businesses can be direct targets or caught in the crossfire.

Given that cyber-attacks can spread indiscriminately across jurisdictional boundaries, Australia should continue its strong partnership with the Five Eyes intelligence alliance, comprising Australia, Canada, New Zealand, the United Kingdom and the United States, to share information and coordinate responses. These and other international alliances enable a more collaborative and global response to cyber threats and impacts.

Read the KPMG Submission.
