Today the Prime Minister will release the first annual review of Australia’s Cyber Security Strategy, which the PM foreshadowed in an op-ed for The Australian. The PM says that his government is ‘pleased with progress’, noting the success of the first Joint Cyber Security Centre in Brisbane, and higher levels of awareness amongst business leaders. The PM’s confidence in the growing maturity of Australian public and private sector cyber security awareness is supported by the Australian Cyber Security Centre’s 2016 Cyber Security Survey, also released today, which shows that 71% of surveyed organisations have an incident response plan, an increase of 11% on the 2015 result. Also keep an eye out tomorrow for the release of the Australian Cyber Security Growth Network’s Cyber Security Competitiveness Plan.
Kaspersky Lab has published its Cybersecurity Index for the second half of 2016, aggregating the results of 17,377 respondents across the world on their attitudes to cybercrime, their online activity and the cost of cybercrime. The report shows that more people are concerned about cyber security and are taking steps to protect themselves. Overall, 74% of those surveyed didn’t believe that they would be a target for cybercrime, a 5% drop on the result from the first half of 2016. Only 39% of respondents don’t take any cyber security measures on their devices. At the corporate level, new research from Oxford Economics has found that a company’s share price falls by an average of 1.8% on a permanent basis after a major cyber security breach. For a major UK FTSE100 firm this equates to a loss of £120 million.
China’s Cyberspace Administration has released a new draft law on international data transfers. The legislation would require firms to submit to annual security reviews of their international data transfers, and prohibits the international transfer of data on economic, technological or scientific activities overseas that could damage national security. The draft law would also require companies to obtain the express permission of users before transferring their information overseas. According to the Cyberspace Administration, the new rules are necessary to secure ‘personal information, the safety of data and to protect internet sovereignty and national security.’ However, the vagueness of the draft law, and long-standing concerns about Chinese cyber protectionism and censorship, mean that many outside China interpret the move as another attempt by Beijing to restrict foreign access to the internet in China.
While China increasingly seeks to control access to cyberspace, the G7 issued a declaration last week that repeated its commitment to an ‘accessible, open… [i]nteroperable, reliable and secure cyberspace.’ The declaration on responsible states behaviour in cyberspace largely repeats previous statements from the G7, including commitments to online rights, the application of international law and the norms agreed by the 2015 UN Group of Governmental Experts and the 2015 G20 Leaders’ Communiqué. It also reiterated the G7’s support for the development of confidence building measures, such as crisis communications channels, through regional forums including the OSCE and ASEAN Regional Forum. Interestingly, the declaration includes the statement that a state ‘is free to make its own determination in accordance with international law with respect to attribution of a cyber-act to another State.’ That runs counter to the calls from some, including Microsoft President Brad Smith, for an international cyber attribution agency. Meanwhile, RT has reported that Russia has provided a draft of a new international convention on cybercrime to the UN, to replace the 2001 Budapest Convention, which Russia hasn’t signed.
Last week’s failed North Korean missile test has prompted renewed speculation on the role of US cyber capabilities in undermining Pyongyang’s missile program; however, the US declined to comment. The tensions with North Korea have also reportedly prompted the US Department of Defense to fund work on cyber protection of the US power grid, and the establishment of an emergency communications system. The Defense Advanced Research Projects Agency (DARPA) issued a statement last week on what it calls the ‘Rapid Attack Detection, Isolation and Characterisation Systems’ (RADICS). The System, being developed in cooperation with BAE Systems, seeks to protect national security capabilities dependent on the power grid. According to BAE Systems, RADICS, which won’t be ready until 2020, should detect attacks before they occur and isolate target networks, such as enterprise systems and power infrastructure, to disrupt malicious cyber attacks.
And in brief news, Europol and Brazil have signed a new agreement to cooperate on cybercrime, and Germany and Israel have taken steps to deepen their cyber cooperation, with the first international chapter of the Cyber-Security Council of Germany opening in Israel last week. NASA’s CIO has told Bloomberg that she considers it a ‘matter of time’ before an object in space is hacked, and discussed the challenges of securing decades-old equipment orbiting Earth from cyber threats. And in the UK it has been revealed that the Foreign Office has been subjected to a sophisticated phishing campaign by hackers dubbed the ‘Callisto Group’, which targeted personnel working on Eastern European and South Caucasus policy issues.