There’s a point at which government reports on operational matters of public interest teeter between marketing gloss and valuable information. The ACSC Threat Report, released 4 November 2022, straddles that border, falling prey to the first but still yielding useful information.
Readers are encouraged to read it: it’s not that long, and for a lay person there’s some useful material that helps provide context for recent press reporting on cyber issues, such as how ransomware attacks work and the growth of the dark cyberattack-as-a-service industry. In the meantime, here are some thoughts.
For those of us who have been engaged with either providing or receiving briefings on cyber coverage by government for well over a decade, the report is much the same as past assessments—just more so. The cyber environment is more fraught. More Australian companies and organisations are targets, more often. There are more—many more—vulnerabilities open to exploitation. In short, all the trends are rising to the right; this year is worse than last, next year will be worse than this.
It’s easy to become despondent. Not least because the response also seems to be much the same as in the past, only more so: more reports, more advisory guides, more briefings, more exercises. Then there is the now obligatory advice to individuals and organisations, supplemented by REDSPICE promotions—not to mention, somewhat depressingly, illustrations with the pro forma blue light, screens, industrial setting, and hoodies.
To be fair, the ACSC has sought to liaise better with industry, built pilots, intervened in some cases. Yet the underlying problem, and sense of helplessness, remains—after all, better communications with industry have been a priority for years. And still the dial has not shifted. Slowed perhaps, but hardly pushed back.
That in itself has probably spurred a greater determination to tell the good stories, as illustrated by the case studies outlining sterling work by agencies. But descriptive examples of specific instances, while positive and reaffirming, do not amount to analysis, indicate trends or permit a gimlet eye on outcomes.
The upshot is that judging the efficacy and value of the government’s efforts, and the viability and sustainability of its strategy, is hard. The lack of introspection makes it hard, too, for the agency, and the cyber industry more broadly, to engage with the problem of disillusionment over cyber, leaving it prone to exaggeration, blame-shifting and political machination.
At such times, stepping back and considering some of the structural factors that may be clouding assessment of the state of the environment, and of the effect and value of cyber defensive measures, can be useful.
For example, there are the consequences of an ever more complex, onerous, and potentially costly legal regime. Adding legal obligations is often the first tool to hand for policy makers and ministers. There can be value in a sound legal framework: it provides certainty and encourages a common language. But legal obligations can also act as a means of shifting risk and cost away from governments and well-resourced organisations to those less able to bear them. And it’s a form of signalling: a preference for legal solutions can generate a rush by others to add corporate governance, frameworks, principles, guides, requirements and other overhead, as a means of pre-emptive defence.
We also know that despite the increasing awareness that digital systems are open targets, there’s an ever-increasing uptake of and dependence on those systems and applications. That means the baseline against which an assessment could be made, of both value and threat, is changing. The growth in cyber activity is naturally related to the availability of systems. But how are we to assess the efficacy of policies that encourage security to be built in?
There’s a further story to be understood about the loci of use and control of digital systems and the data they generate. Australia is very much a taker of technology, rather than a maker or a shaper. Increasingly, equipment manufacturers build their systems to collect data and beacon that data back to their home base. That raises questions over data ownership and use, especially where it is collected from individuals, raising concerns about privacy, or companies, where there may be issues over intellectual property and commercial intelligence. And then there’s a larger question: in a world driven by data, dependent on digital systems, what does Australian sovereignty mean—and what does cyber security protect?
These are all existential questions that some may argue lie beyond the scope of the ACSC annual threat report. That’s not an unreasonable point. But it does in turn raise one final issue with the report, and that’s its timeframe.
Twelve months, in a fast-changing environment, is too long. Problems don’t vanish with the publication of each ACSC advisory. One of the most worrying vulnerabilities of recent times, log4j, for example, continues to be an issue. The last ACSC advisory on log4j was in December 2021. The latest patch was issued by Apache in September 2022. In October 2022, US agencies published a notice flagging continued Chinese exploitation of log4j. Some events, especially ones as significant and deep as log4j, have long tails.
The ACSC may not have the wherewithal to generate weekly threat briefings, as does the UK’s NCSC. But a monthly report would help shift the report away from marketing and towards operational utility and support. That would also leave scope for an annual analysis of trends that could help inform policy-makers, and decision-makers in organisations. And it may help avoid the temptation to focus on marketing wares.