Governments everywhere are increasingly concerned about implementing frameworks to improve the protection of personal and commercial information and defend national security against cyberattacks. I was recently in Australia, and it was hard to ignore the news that the Australian government released a discussion paper to shape its work on its 2023 – 2030 cybersecurity strategy. The seriousness with which the government there is taking the issue reflects worldwide governmental and legislative efforts, such as those in the U.S. and the EU, to regulate cybersecurity. Inevitably, application security is an important part of this strategy. Let’s briefly examine why this has come about, and what it could mean for application security, both in Australia and worldwide.
In September and October 2022, within a period of only three weeks, Optus, Australia’s second-largest wireless carrier, and Medibank, Australia’s largest private health insurance provider, fell victim to major security breaches that led to the theft of personal data of over 9.8 million Optus customers and 9.7 million Medibank customers. AU$1.7 billion in Medibank shares were wiped off the market following the breach.
And, according to the Australian Cyber Security Centre’s 2021-22 Threat Report, a cybercrime report is received on average every seven minutes, with over 76,000 cybercrime reports received in 2021-22.
Consequently, the Australian government set up an expert advisory board in December 2022, intending to establish a national cybersecurity strategy. Its objective is to make Australia the world’s most cyber-secure nation by 2030.
Despite the challenges it has recently faced, Australia was ranked as the country showing the greatest progress and commitment to enhancing cybersecurity in the world by the MIT Technology Review Cyber Defense Index 2022/23.
So, what exactly is happening now, and what lessons can we learn from Australia?
The Australian government wants to increase national and economic security, build its capabilities to address emerging cyberthreats both nationally and internationally, and create ways to promote the education and training of a national cyber workforce. But perhaps most significantly from a security perspective, it wants to ensure that critical infrastructure and government systems are resilient and cyber-secure.
Subject to the findings of the discussion paper, the Australian government may consider it a fit and proper response to strengthen its ‘last resort’ powers to respond to a serious cybersecurity incident relating to critical infrastructure assets in critical infrastructure sectors. If this change had been in place when Optus and Medibank were breached, the government would have had the power, had it chosen to use it, to take over the direction of how these businesses responded to the attacks.
This is a potentially significant measure, at which some organizations may balk, because it could feel like ceding governance to an overbearing government. That’s why the discussion paper and the establishment of the advisory board are so important: they establish what organizations consider acceptable governmental oversight in an environment of escalating threats.
The Optus and Medibank breaches showed that the Australian government was not well-prepared to respond to either incident, because it didn’t have the necessary regulations and powers in place.
The moves to set up an advisory board and establish a national cybersecurity strategy demonstrate a recognition that cybersecurity should have institutional support and regulation to drive adoption and compliance. Australia is not alone in this, as the U.S. and the EU are taking similar positions. It illustrates a trend, certainly in developed economies, that it is no longer acceptable, nor viable, to leave self-regulation and monitoring to individual organizations and industries. Threats are too rife, opportunities for vulnerabilities to be exploited are too numerous, and a more comprehensive framework of regulation and best practices should be implemented to reinforce security and assure cyber resilience.
The framework and regulations that Australia is considering can’t be fully achieved without comprehensive visibility into organizations’ software, application components, and dependencies, which will increase the need for modern application security solutions that can detect, prioritize, and remediate vulnerabilities. In fact, the new guidance from all three jurisdictions will most likely require organizations to take more active responsibility for their application security and to provide inventories of all components and dependencies within their code base. Doing so will require organizations to produce software bills of materials (SBOMs) that give visibility into every component of every code base and speed up vulnerability scanning: when a new advisory is published, an SBOM lets an organization answer immediately whether an affected component is present, at which version, and which part of the application pulls it in. Every organization working with companies under the proposed Australian-style regulations will be required to scan, detect, and remediate vulnerabilities in their software and applications and to assure the health of every component and dependency in both their open source and custom code.
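To make the SBOM point concrete, here is an added example (not code from the original article or from any vendor it mentions) that cross-references a CycloneDX-style SBOM against a vulnerability feed in an OSV-like shape, reports the components whose versions fall inside an affected range, and walks the SBOM’s dependency graph back to the application so the finding names the direct dependency responsible. The SBOM, the advisories, and every package name, version, and advisory identifier in it are constructed for illustration and are not real data.

```python
"""Added example (not the article's code): match a CycloneDX-style SBOM
against a vulnerability feed and trace each affected component back to the
direct dependency that pulls it in. All data below is constructed."""
import json
import re

# Constructed CycloneDX 1.4 document: an application with three libraries,
# one of which (log-utils) is only reached transitively through web-core.
SBOM_JSON = """
{"bomFormat": "CycloneDX", "specVersion": "1.4",
 "metadata": {"component": {"type": "application", "name": "claims-portal",
                            "version": "3.2.0", "bom-ref": "app"}},
 "components": [
   {"type": "library", "name": "web-core", "version": "5.1.0", "bom-ref": "web-core",
    "purl": "pkg:maven/org.example/web-core@5.1.0"},
   {"type": "library", "name": "log-utils", "version": "2.14.1", "bom-ref": "log-utils",
    "purl": "pkg:maven/org.example/log-utils@2.14.1?type=jar"},
   {"type": "library", "name": "yaml-parse", "version": "1.33.0", "bom-ref": "yaml-parse",
    "purl": "pkg:maven/org.example/yaml-parse@1.33.0"}],
 "dependencies": [
   {"ref": "app", "dependsOn": ["web-core", "yaml-parse"]},
   {"ref": "web-core", "dependsOn": ["log-utils"]},
   {"ref": "log-utils", "dependsOn": []},
   {"ref": "yaml-parse", "dependsOn": []}]}
"""

# Constructed advisories (hypothetical identifiers). An affected range is
# [introduced, fixed); "fixed": None means every later version is affected.
ADVISORIES = [
    {"id": "EXAMPLE-2023-0001", "package": "pkg:maven/org.example/log-utils",
     "introduced": "2.0.0", "fixed": "2.15.0", "severity": "critical"},
    {"id": "EXAMPLE-2023-0002", "package": "pkg:maven/org.example/yaml-parse",
     "introduced": "1.0.0", "fixed": "1.33.0", "severity": "high"},
    {"id": "EXAMPLE-2023-0003", "package": "pkg:maven/org.example/web-core",
     "introduced": "5.2.0", "fixed": None, "severity": "medium"},
]
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def parse_version(text):
    """'2.14.1' -> (2, 14, 1) so versions compare numerically. Pre-release
    suffixes such as '-rc1' are dropped, so a candidate sorts like its release."""
    return tuple(int(n) for n in re.findall(r"\d+", text.split("-")[0]))


def purl_without_version(purl):
    """Strip the '@version', '?qualifiers' and '#subpath' parts of a purl."""
    return re.split(r"[@?#]", purl)[0]


def is_affected(version, advisory):
    v = parse_version(version)
    if v < parse_version(advisory["introduced"]):
        return False
    return advisory["fixed"] is None or v < parse_version(advisory["fixed"])


def dependency_paths(sbom, target_ref):
    """Walk the dependency graph backwards from target_ref to the root
    application, returning every path as a list of bom-refs."""
    root = sbom["metadata"]["component"]["bom-ref"]
    parents = {}
    for entry in sbom.get("dependencies", []):
        for child in entry.get("dependsOn", []):
            parents.setdefault(child, []).append(entry["ref"])
    paths, stack = [], [[target_ref]]
    while stack:
        path = stack.pop()
        if path[0] == root:
            paths.append(path)
            continue
        for parent in parents.get(path[0], []):
            if parent not in path:  # guard against cyclic graphs
                stack.append([parent] + path)
    return paths


def scan(sbom_json, advisories):
    """Return findings sorted by severity, each naming the affected
    component, the fixed version, and the path from the application."""
    sbom = json.loads(sbom_json)
    findings = []
    for comp in sbom.get("components", []):
        if "purl" not in comp:
            continue  # no package coordinates, nothing to match against
        base = purl_without_version(comp["purl"])
        for adv in advisories:
            if adv["package"] == base and is_affected(comp["version"], adv):
                findings.append({
                    "id": adv["id"], "severity": adv["severity"],
                    "component": f"{comp['name']}@{comp['version']}",
                    "fix": adv["fixed"] or "no fixed version yet",
                    "paths": [" -> ".join(p) for p in dependency_paths(sbom, comp["bom-ref"])],
                })
    return sorted(findings, key=lambda f: (SEVERITY_RANK[f["severity"]], f["component"]))


if __name__ == "__main__":
    for f in scan(SBOM_JSON, ADVISORIES):
        print(f"[{f['severity'].upper()}] {f['id']}: {f['component']} "
              f"(upgrade to {f['fix']}) via {'; '.join(f['paths'])}")
```

Running it reports a single critical finding for log-utils 2.14.1, reached via app -> web-core -> log-utils; yaml-parse is already at its fixed version and web-core 5.1.0 predates the affected range, so neither is flagged. The dependency path is what an SBOM adds over a flat package list: it tells the team that upgrading web-core (or pinning log-utils) is the remediation, rather than leaving them to search the build for where the library came from.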