Australia's 2020 Cyber Security Strategy
Industry Advisory Panel Report

Commonwealth of Australia 2020

With the exception of the Commonwealth Coat of Arms, all material presented in this publication is provided under a Creative Commons Attribution 4.0 International license at: https://creativecommons.org/licenses/by/4.0/legalcode. This means this license only applies to material as set out in this document. The details of the relevant license conditions are available on the Creative Commons website at: https://creativecommons.org/ as is the full legal code for the CC BY 4.0 license at https://creativecommons.org/licenses/by/4.0/legalcode.

Contact us
Enquiries regarding the licence and any use of this document are welcome at:
Cyber, Digital and Technology Policy Division
Department of Home Affairs
4 National Circuit
Barton ACT 2600
cybersecuritystrategy@homeaffairs.gov.au

P - 20-02329

Australia's 2020 Cyber Security Strategy Industry Advisory Panel Report
July 2020

Table of Contents
Executive Summary
List of Recommendations
Process
Our vision, framework and recommended outcomes
Issues and Conclusions
Appendix 1: Industry Advisory Panel Terms of Reference
Appendix 2: About the Panel
Appendix 3: Problem Statements

Executive Summary

Technology now sits at the very heart of the lives of most Australians and increasingly shapes our economy, our society and our future. It is fast changing how we live, learn and work as well as creating incredible new opportunities, efficiencies and benefits - from remote working to digitised global supply chains, from tele-health to e-commerce.

The Federal Government is clear-eyed about the opportunities:

“Our Government's goal is for Australia to be a leading digital economy by 2030. Our
degree of success will be critical to income growth and job creation over the next decade and beyond. Our extensive policy agenda encompasses digital access, connectivity, consumer data and competition policy, government service delivery and skills development, trade and global e-commerce governance, as well as the necessary focus on security and privacy concerns.”
Prime Minister Scott Morrison, BCA annual dinner keynote, 21 November 2019

The scope and timing of that ambition is well placed. As we enter the 2020s the world is on the exciting cusp of a fourth industrial revolution driven by connectivity and digital technologies. Artificial intelligence, sensors, autonomous machines and systems, edge compute, augmented reality and 5G will combine to create incredible new products and services, infuse the physical world with digital, revolutionise business operations, elevate human work, and
serve customers and citizens in many new ways.

All of this was true before the emergence of the COVID pandemic which has only further underlined the importance of the digital economy in Australia. In responding to COVID, mandatory social distancing and self-isolation means healthcare, education, work and commerce and even staying in touch with friends and family are largely being done online. Looking beyond this crisis, technology and our ability and willingness to embrace the digital world has now emerged as central to a rapid economic recovery.

With so much at stake, robust and effective cyber security has never been more important and the 2020 Cyber Security Strategy Industry Advisory Panel welcomed the opportunity to contribute to that outcome.

The Panel were engaged in late 2019 at a time when the Federal Government were reviewing the progress of the
landmark 2016 Cyber Security Strategy. This work led to the establishment of the Joint Cyber Security Centres, creation of cyber.gov.au as a one-stop-shop for cyber security advice and the establishment of key leadership positions including the Ambassador for Cyber Affairs. Despite these achievements the Government acknowledged that significant and ongoing changes in the scope, scale and sophistication of cyber threats required an evolution in our approach to cyber security as a nation.

Minister for Home Affairs, Peter Dutton, has described how meeting the evolving cyber challenge is key to Australia's economic prosperity and national security. In September 2019 he said:

“Cyber security has never been more important to Australia's economic prosperity and national security. In 2016, the Australian Government delivered its landmark Cyber Security Strategy, which invested $230 million to foster a safer internet for all Australians. Despite making strong progress against the goals set in 2016, the threat environment has changed significantly and we need to adapt our approach to improve the security of business and the community.”

“Cyber criminals are more abundant and better resourced,
state actors have become more sophisticated and emboldened, and more of our economy is connecting online. Cyber security incidents have been estimated to cost Australian businesses up to $29 billion per year and cybercrime affected almost one in three Australian adults in 2018.”

This escalation in malicious cyber activity has only increased during COVID as we have been forced to work, learn and connect from home, outside of some of our usual security frameworks. We are seeing malicious actors including criminals and state based actors exploiting this opportunity to their own advantage, to the
significant risk and detriment of Australian citizens.

On 30 June 2020, Prime Minister Scott Morrison pointed to the urgency of the issue:

“The Federal Government's top priority is protecting our nation's economy, national security and sovereignty. Malicious cyber activity undermines that.”

Australia's ability to prosper as a digital economy can be enhanced if we increase our investment in our cyber defences. We must move to comprehensively protect ourselves and our businesses from cybercrime, protect our national infrastructure and improve the security of our institutions including our democratic electoral processes, which have been the subject of malicious cyber-attack in other parts of the world. It is crucial we act quickly and decisively.

The 2020 Cyber Security Strategy Industry Advisory Panel was formed in November 2019 and asked to provide advice from an industry perspective on best
practices in cyber security and related fields; emerging cyber security trends and threats; key strategic priorities for the 2020 Cyber Security Strategy; significant obstacles and barriers for the delivery of the 2020 Cyber Security Strategy; and the effect of proposed initiatives on different elements of the economy, both domestic and international.

The Panel met 13 times between November 2019 and July 2020, including two meetings with Minister Dutton and formal briefings, including some classified, from the Department of Home Affairs, the Australian Signals Directorate, the Attorney-General's Department, the Department of the Treasury, the Australian Competition and Consumer Commission, the then Department of Communications and the Arts, the eSafety Commissioner, the Australian Federal Police, the Australian Security Intelligence Organisation, the Cyber Security Cooperative Research Centre and AustCyber.

After broad consultation and careful deliberation, the 2020 Cyber Security Strategy Industry Advisory Panel has developed a series of recommendations that we believe strike the right balance between increasing our cyber defences, promoting the development of a digital economy and countering threats to our economy, safety, sovereignty and national security.

The Panel's recommendations are structured around a framework with five key pillars:

Deterrence: deterring malicious actors from targeting Australia.
Prevention: preventing people and sectors in Australia from being compromised online.
Detection: identifying and responding quickly to cyber security threats.
Resilience: minimising the impact of cyber security incidents.
Investment: investing in essential cyber security enablers.

On deterrence, we recommend that the Government
establish clear consequences for those targeting Australia and people living in Australia. A key priority is increasing transparency on Government investigative activity with more frequent attribution and consequences applied where appropriate. Strengthening the Australian Cyber Security Centre's ability to disrupt cyber criminals by targeting the proceeds of cybercrime derived both domestically and internationally is a priority.

On prevention, the recommendations include the pursuit of initiatives that make businesses and citizens in Australia harder to compromise online. This includes a clear
definition for critical infrastructure and systems of national significance with a view to capturing all essential services and functions in the public and private sectors; consistent, principles-based regulatory requirements to implement reasonable protection against cyber threats for owners and operators of critical infrastructure and systems of national significance; measures to build trust in technology markets through transparency such as product labelling; and the extension of existing legislative and regulatory frameworks relevant in the physical world to the online world. Ultimately cybercrime is just crime, cyber espionage is just espionage and hacktivism is just activism online.

All levels of Government should take steps to better protect public sector networks from cyber security threats. Government agencies should be required to achieve the same or higher levels of protection as privately-owned critical infrastructure operators. Different levels of government should collaborate to share best practices and lessons learned. Ultimately Governments should be exemplars of cyber security best practice and Australian governments have some way to go in achieving this aspiration.

On detection, recommendations include that Government establish automated, real-time and bi-directional threat sharing mechanisms between industry and Government, beginning with critical infrastructure sectors. Government should also empower industry to automatically block a greater proportion of
known cyber security threats in real-time including initiatives such as cleaner pipes.

On resilience, recommendations include the development of proactive mitigation strategies and strengthening of systems essential for end-to-end resilience. Government should strengthen the incident response and victim support options already in place. Speed is key when it comes to recovering from cyber incidents and Government should hold regular large scale and cross-sectoral cyber security incident response exercises to improve the readiness of interdependent critical infrastructure providers and government agencies.

Resilience includes both the ability to recover from a cyber-attack as well as the redundancy designed-in to systems and processes. In other words, a key factor influencing the ability to recover is the level of redundancy present in systems in the first place.

It is important to also call out that a number of recommendations to build resilience relate to the role of the individual, in particular around building cyber awareness. In this regard there is an important distinction between cyber security (which means protecting data and information networks and critical infrastructure functions) and cyber safety (which means protecting users from harmful online content). The fundamental ability to participate safely online is the difference between enjoying the internet's abundant information resources and opportunities, and being a potential victim
of a cybercrime.

On investment, recommendations support the ongoing development of highly specialised and effective capabilities exemplified by the Australian Cyber Security Centre and the state-based Joint Cyber Security Centres. This existing capability should be substantially increased and enhanced through significant investment and a more integrated governance structure that maintains an industry leadership role. It is going to be a critical enabler to the success of the 2020 Cyber Security Strategy.

The Panel is also of the view that it is important for Government and industry to continue to invest in cyber skills development and security risk management in Australia. Good enterprise security management includes all aspects of securing people, property and technology. This skills investment is recommended at both a professional and specialist skills level and also more broadly, and
should include primary, secondary and tertiary courses (including programs that focus on all aspects of enterprise security risk management, particularly cyber skills uplift). Importantly many of these skills should be built as foundational requirements in science, maths, engineering and technology. Although the cyber skills and awareness of directors on the boards of Australia's listed companies has been developed in recent years, there is opportunity for further development and support.

Within this framework of 60 recommendations sit 25 high priority and 35 other recommendations that address
the full spectrum of cyber security threats from the routine threats that target vulnerable people in Australia every day to sophisticated state actor cyber-attacks that threaten our economy, safety, sovereignty and national security. The Panel recommends that threats to critical infrastructure, digital supply chains and systems of national significance should be addressed first.

State, territory and local governments should also be considered key implementation partners for all elements of the Strategy. We encourage the Australian Government to establish formal mechanisms to ensure ongoing engagement with all levels of government.

Clear roles and responsibilities

Cyber threats continue to shift and evolve and, as the threats evolve, so must our response. The recommendations we propose are built around creating robust and adaptable defences as threats emerge and technologies and opportunities change.

It is important to recognise that effective cyber defences involve more than just investment dollars. Our report highlights that an effective response includes fundamentally organising and governing differently to ensure more efficient and effective use of resources and aligning cyber
security imperatives across Australia. This requires clearly defined roles, responsibilities and authorities to be established and the Federal Government's role in leading and coordinating the national effort is therefore critical. Ultimately the Government is in a unique position with access to information and tools which mean that in particular circumstances it is the appropriate party to lead our cyber defence. This is not only about the Federal Government but effective coordination with other tiers of Government. Government also plays an importa