By George Nott
Oct. 13, 2016
The Australian Cyber Security Centre (ACSC) lacks a clear view of the cyber security incidents suffered by Australian businesses because they’re not sufficiently reported, the government body said today.
The ACSC’s 2016 Threat Report, released this morning, says the government “relies heavily” on the voluntary reporting of incidents by the private sector, but business’ “ability and willingness” to notify them was lacking.
ACSC and its cyber response arm CERT Australia “relies heavily on the voluntary self-reporting of cyber security incidents from a wide variety of sources throughout Australia and internationally and therefore does not have a complete view of incidents impacting Australian industry”, the report stated.
The ACSC were sympathetic to industry’s reticence around disclosing cyber security incidents, noting that businesses may fear reputational damage or legal and commercial liabilities. However, this fear is stymieing the development of defences and training against future attacks, it said.
“Increased reporting of cyber security incidents by the private sector would subsequently increase the ACSC’s knowledge of cyber adversaries who target Australian industry and critical infrastructure, and the methods they employ. This knowledge would further enable the development of cyber security advice and mitigation strategies,” the report stated.
In a drive for better collaboration between government and business, the ACSC is relocating from its current home within the Australian Security Intelligence Organisation's Ben Chiefley building in Canberra to ‘a new more accessible location in Canberra that will make it easier for stakeholders to engage with’. The aim is for ‘government and the private sector to work more effectively together’ in resisting cyber threats. The centre would also be co-designing regional hubs – Joint Cyber Security Centres – with the private sector to improve information sharing.
Speaking last month, Clive Lines, coordinator of the ACSC and deputy director of the Australian Signals Directorate said that a combined approach between government, industry and academia was essential to a successful cyber stance.
“There is no other way of solving this problem. No one organisation can do it in isolation. It has to be a combined effort. We are beginning to put the flesh on the bones of the strategy from a government perspective.”
Voluntary to mandatory
The currently voluntary reporting of certain incidents may soon become mandatory for businesses. In August the government indicated it intends to push ahead with legislation to create a mandatory data breach notification scheme.
An exposure draft of the breach notification bill, made public in December, would oblige businesses to report a “serious data breach” to the Australian Information Commissioner and notify individuals whose data is affected by a breach.
Between July 2015 and June 2016, CERT Australia responded to 14,804 cyber security incidents affecting Australian businesses, a slight increase on previous years. In 2014, CERT responded to 11,073 incidents.