Cybersecurity cooperation is in the air – but ITU believes Australia is choking

Observers of this month’s G20 meeting are still scratching their heads over the proposed strategic cybersecurity partnership between the United States and Russia, whose leader Vladimir Putin went into the meeting expecting chastising over alleged Russian interference in the US elections.

The alternative outcome – one in which US president Donald Trump later tweeted had presented an opportunity to discuss with Putin an “impenetrable Cyber Security unit so that election hacking, & many other negative things, will be guarded and safe” – drew consternation from US politicians on both sides of the political spectrum.

Russia, after all, is not only under suspicion of having hacked America’s 2016 election but has also been fingered as the likely perpetrator in the recent WannaCry outbreak – which hit targets including Victorian speed cameras, but is believed to have been a targeted attack on Ukraine on the eve of a holiday celebrating its constitution.

Regardless of the long-term implications for the two countries’ cybersecurity efforts, Trump’s announcement reinforced the growing recognition of the need for cross-border cooperation on cybersecurity – a key international metric where, according to a recent International Telecommunications Union (ITU) ranking, Australia is falling woefully behind its peers.

While Australia is at the forefront of the Asia-Pacific region in terms of development of its ICT industry, poor cooperation dragged down its overall score in the 2017 ITU Global Cybersecurity Index, in which the ITU used extensive questionnaires to judge the cybersecurity climate in its 193 member states.

Australia ranked 7th overall because it scored just 0.44 on the cooperation ranking, putting it well behind countries like France (0.61), Georgia (0.70), the United States (0.73), Oman (0.75), and table leaders Singapore and Malaysia (both of which scored 0.87).

This massive disparity was a significant blow for Australia, which compared favourably with other leading countries in the four other categories – legal, technical, organisational, and capacity building.

“The overall picture shows improvement and strengthening of all five elements of the cybersecurity agenda in various countries in all regions,” the report concluded. “However, there is space for further improvement in cooperation at all levels, capacity building and organisational measures.”

Cooperation, which the ITU says is “measured based on the existence of partnerships, cooperative frameworks and information sharing networks”, has been a key part of the Turnbull Government’s cybersecurity policy but the scathing assessment suggests that Australia’s private-public initiatives are failing to gain real traction.

The past year has seen a rush of cybersecurity investments – including new security operations centres from IBM, NEC Australia, Symantec, CSC Australia, and BAE Systems Applied Intelligence.

Government-led efforts, such as Victoria’s Oceania Cyber Security Centre and the federal Australian Cyber Security Centre, have served to unite many elements of Australia’s previously-fragmented cybersecurity response community – and have been generally welcomed by industry.

The ITU in particular recognised the formation of Australia’s Council of Registered Ethical Security Testers (CREST) – a professional pen-testing body that was expanded with new funding in the 2016 Budget.

However, the ITU ranking suggests that simply establishing centres of excellence isn’t enough to foster cooperation on its own. It posits as paragons initiatives such as Finland’s active involvement with the Council of Europe, OSCE and United Nations; the UK government’s partnership with local firm Netcraft; the US Multilateral Information Sharing Agreement; South Africa’s national cybersecurity hub; and the Nordic National CERT Collaboration.

The ITU identified five sub-elements to its cooperation rankings including intra-state cooperation, multilateral agreements, participation in international fora, public-private partnerships, and inter-agency partnerships.

If Australia is to take the ITU ratings as a guide for future efforts, these areas will offer valuable guidance for the areas where its efforts are best focused. And while it is well ahead of other countries on most measures – just 38 percent of countries have a published cybersecurity strategy and only 11 percent have a dedicated standalone strategy – improving cooperation clearly needs to be a strategic priority.

With cybersecurity framing international relations at a global level, the next three years – after which the ITU will update its GCI rankings – will be critical in determining whether Turnbull’s initiatives have effectively pivoted Australia’s cybersecurity climate to meet future needs.

And that, says the ITU, is the whole point.

“The objective of the GCI as an initiative is to help countries identify areas for improvement in the field of cybersecurity,” the ITU’s report notes, “as well as to motivate them to take action to improve their ranking – thus helping raise the overall level of commitment to cybersecurity worldwide… with the added benefits of helping harmonise practices and fostering a global culture of cybersecurity.”