Join us as we review unsettling security vulnerabilities, groundbreaking initiatives, and policy shifts that have had wide-reaching implications for the global cyber security community.
Mark De Boer
Guest Contributor: Tim Dole
Zirilio
September 7, 2023

https://www.cybernewscentre.com/plus-content/content/winter-cyber-news-highlights-the-peaks-and-valleys-of-cybersecurity-in-august


As winter gives way to spring, the cyber arena adamantly remains ablaze with activity. August 2023 has unfurled a complex tapestry of news and trends, spanning unsettling security vulnerabilities, groundbreaking initiatives, and policy shifts that have wide-reaching implications not just for Australia, but for the global community in the UK, the USA, and Europe.

Regulatory Shifts and Corporate Governance: A Balancing Act

The burgeoning cybersecurity industry faces complex challenges that require organisations to evolve rapidly within this dynamically changing landscape. While regulation is often viewed with scepticism, the recent 3-year strategic plan from CISA and the upgraded NIST Cybersecurity Framework signal positive movements towards greater cyber resilience. These initiatives reflect an industry that is growing more mature and structured.

On the flip side, the recent austerity measures by Medibank—slashing executive bonuses and freezing the CEO's salary after a cyber breach—send a strong message to corporate leaders. The measures imply that the boardroom is not, and should not be, isolated from the consequences of cybersecurity failures. This underscores the inescapable interplay between cybersecurity and corporate governance, requiring an overhaul in mindset from executives.

Lessons and Challenges from Ukraine: The Imperative for Western Unity in Cybersecurity

The Black Hat conference, examined by staff at CNC this August, spotlighted severe gaps in Western cyber defence strategies, epitomised by Victor Zhora's exposé on Ukraine's nimble cyber-hybrid warfare methods.

Victor Zhora, Deputy Chairman and Chief Digital Transformation Officer at the State Service of Special Communication and Information Protection of Ukraine

The core lesson is urgent: the West must streamline its approach to cybersecurity, learning from Ukraine's agility in rapidly implementing new protocols at a government official's behest. In stark contrast, Western agencies are mired in regulatory quagmires and inter-agency discord, undermining their ability to act swiftly in an ever-evolving cyber landscape where time is of the essence.

One major challenge is the dichotomy between classified and non-classified information in the U.S., which hampers allied response to emerging threats. Calls for 'radical transparency' by experts like John Shier are not just idealistic but essential. This is an era where the cost of data silos is too high, impairing coordinated action against shared adversaries.

Moreover, corporate reticence to disclose breaches, fueled by stock market concerns, exacerbates the situation. While there's ongoing debate on legislating immediate disclosure, such as the U.S. Chamber of Commerce’s opposition to new rules, the call for transparency must extend to the private sector.

Lastly, the disarray among U.S. agencies like the FBI, DHS, and CISA presents a multi-layered challenge. As Robert Lee of Dragos warns, these inter-agency conflicts are not just internal inefficiencies; they are vulnerabilities that adversaries can, and will, exploit.

Australia's Cybersecurity Conundrum: Paradoxes and Imperatives

Australia presents a puzzling cybersecurity picture. While Cloudflare's recent study shows a relatively lower number of incidents compared to other countries in the Asia-Pacific region, it also exposes chronic underinvestment, particularly among small to medium-sized enterprises. This brings into sharp focus questions regarding Australia's readiness for the upcoming CPS 230 regulations. This contrasting data should be a rallying cry for organisations to step up their cybersecurity game significantly.

APRA Member Therese McCarthy Hockey gives a speech on Wednesday the 23rd of August, 2023 in Sydney - GRC2023

APRA Member Therese McCarthy Hockey recently gave a speech to GRC2023 in Sydney, where she spoke about how the increasing dependence of banks, insurers and superannuation funds, and their customers, on technology is creating new risks that need to be managed to ensure critical financial services remain available. Critically, Ms McCarthy Hockey stated that “APRA has observed a long period of insufficient investment in both cyber security technology…especially among smaller organisations.”

Economic Quandaries: Navigating Growth, Talent, and Contraction

As CNC first reported in August, Malwarebytes' decision to dramatically cut its workforce while simultaneously acquiring Cyrus Technologies captures the broader economic enigmas plaguing even industry giants like Rapid7 and Secureworks. This paradox forces the industry to confront the reality that balancing ambitious expansion strategies with the high costs of specialised skills is a delicate act. It also raises questions about the realignment of corporate strategies and resource allocation.

The Layoff Puzzle: Untangling Industry Contradictions

The data from Layoffs.fyi portrays a concerning trend of layoffs across the tech industry in 2023, but it also highlights an interesting anomaly: cybersecurity roles have been mostly immune. Demand for specialised cybersecurity jobs like incident response, threat hunting, and malware analysis is growing, as evidenced by employment statistics. This could signal a seismic shift in resource prioritisation within tech companies, suggesting that cybersecurity is increasingly viewed as an essential function.

Australia's Academic Vulnerability: The Cybersecurity Breach at the University of Sydney

The recent cybersecurity breach at the University of Sydney has focused attention on the vulnerability of educational institutions. While the attack was limited to international applicants, the incident underscores the critical need for academic institutions to significantly bolster their cybersecurity posture. Academic organisations are treasure troves of sensitive information and need to be fortified with equal vigour.

Cyber-Attack Targets Energy One, Disrupts Corporate Operations in Australia and UK

On 18 August, Energy One, an Australia-based energy and software firm, detected a cyber-attack that impacted its corporate infrastructures in both Australia and the United Kingdom. In a statement released through ASX, the company reported swift action to address the issue and has reached out to the pertinent authorities in both affected countries. Ongoing investigations are being carried out to ascertain if any additional systems were compromised in the attack.

Australia's Cybersecurity Policy in Flux: Retired Admiral Michael Rogers Advocates for a Responsive Strategy

Photograph: uncredited/AP. Source: The Guardian

Retired Admiral Michael Rogers has added a nuanced perspective to Australia's ongoing cybersecurity policy deliberations by cautioning against a universal prohibition on paying cyber ransoms. This counsel, in conjunction with the Australian Cyber Security Centre's (ACSC) recent advisory on frequently exploited vulnerabilities, underscores the imperative for an agile, context-sensitive approach to cybersecurity. The consensus is that a monolithic, one-size-fits-all strategy is not only impractical but also fraught with risks.

Admiral Rogers advocates for a paradigm shift in both corporate and policymaking circles, suggesting that the success of cybersecurity measures should be evaluated based on post-incident responsiveness. He stated, “How quickly are you recovering? How much are you able to mitigate this and stop it from spreading: both how quickly and how well? How well are you able to ensure you have appropriate control and knowledge over data?”

The call for a more responsive and dynamic strategy aligns with the broader sentiment that cybersecurity is a multifaceted challenge requiring diverse and adaptive solutions.



The Path Forward: Adaptability as the Cornerstone

The landscape of cybersecurity is in a state of continuous flux. August's headlines offer not just a timely status check on current vulnerabilities and challenges but also lay the groundwork for what lies ahead. Companies, policy-makers, and cybersecurity professionals must adapt to this evolving landscape. 
