
Page 1: Policy paper MITRE MDS V1

www.austcyber.com

Cyber security guidance for Australian industry

Opportunities to harmonise for a globally competitive economy

Michelle Price, Don Gomez and Alex Venardos

About

This policy paper builds on the analysis undertaken by the MITRE Corporation for AustCyber on analysing the NIST Mobile Device Security Practice Guide’s applicability to Australia, as part of AustCyber’s work to support proactive regulatory reform for Australia’s cyber security ecosystem.

Key points

Australian small and medium businesses contribute significant value to the Australian economy, relying on digital technologies to enable their connectivity to domestic and global markets. Securing systems and data is critical to business operations, productivity, and ultimately, economic survival.

Due to their size, small businesses have reduced resources and capacity to navigate the numerous technical and legislative frameworks, and the plethora of advice to secure their systems and data.

Research conducted by the MITRE Corporation, on behalf of AustCyber, suggests that the US Government’s National Institute of Standards and Technology’s (NIST) cyber security practice guides should be viewed as the foundation for existing Australian guidance and serve as a reference for Australian businesses seeking to improve their cyber resilience.

Harmonising government guidance via use of globally recognised cyber security frameworks and standards would strengthen the ability of Australian businesses to compete in global markets and supply chains.

By harmonising national standards and guidance with international best practice, governments also have the opportunity to bolster their cyber security awareness raising activities with industry, which would benefit the Australian community more broadly.

Policy Recommendations

AustCyber recommends that Australian governments, as much as possible, seek to harmonise cyber security guidance and information resources with international frameworks and standards, noting those most commonly used are the NIST Cybersecurity Framework and the ISO 27000 Series on Information Security Management.

We also recommend that government guidance and advice be appropriately communicated to key actors in Australian industry to achieve broad uptake of international best practice across the economy.

Policy Paper

July 2018


Applicability of NIST cyber security frameworks in Australia

The United States’ National Institute of Standards and Technology’s (NIST’s) National Cybersecurity Centre of Excellence produces a suite of industry-facing guides in cyber security best practice. The guides leverage the NIST Cybersecurity Framework, established in response to the 2013 US Executive Order 13636 Improving Critical Infrastructure Cybersecurity. The Framework was developed by partners across US government, industry and academia. It references globally recognised standards for cyber security to guide organisations of all sizes and levels of technical maturity on components that should be included in a comprehensive cyber security program.

AustCyber contracted the MITRE Corporation to assess the applicability of NIST Practice Guides for use by Australian industry, using the NIST Practice Guide on Mobile Device Security as a case study (resulting report attached). MITRE’s analysis found that Australian businesses seeking to secure their mobile devices are currently faced with navigating almost 50 security-related regulations, standards and guidelines to understand what steps they should take and what actions are considered best practice.1 The analysis refers to three commonly used Australian government resources relevant to mobile device security.

The MITRE study also suggests that with some local tailoring, NIST Practice Guides are likely to provide useful and practical cyber security advice that could augment existing Australian guidelines and legislation relevant to Australian businesses. Furthermore, the communication of Australian government frameworks and guidance on cyber security could be improved to better serve Australian businesses.

1 Brown, C., Edwards, S., and Lachow, I., 2018, Analysis of the NIST Mobile Security Device Security Practice Guide’s Applicability to Australia – prepared for AustCyber – the Australian Cyber Security Growth Network, the MITRE Corporation, Washington DC, USA. Available for download at: https://www.mitre.org/publications/technical-papers/analysis-of-nist-mds-practice-guide-for-australia

2 Australian Bureau of Statistics, Business Use of Information Technology – Characteristics of Internet Access, 2015-16, Cat# 8129.0.

Reflecting on MITRE’s findings, AustCyber proposes that harmonisation of Australian government cyber security regulatory and guidance frameworks with international best practice and standards has significant economic benefits for Australian small businesses.

Cyber resilience of Australian small businesses

Australian businesses, of all sizes, are leveraging the significant and growing opportunities that online connectivity provides. More than 95 per cent of all Australian businesses have access to the internet, with a significant proportion of enterprises relying on online technologies to enable a range of important business-related functions.2 Securing these functions is therefore critical to the continuity of business operations, productivity, and economic survival.

Trusted, industry-focussed cyber security advice that can be leveraged by organisations across the economy would reduce the risk to Australian businesses of cyber threats that negatively impact reputation, business continuity, privacy, and trust. Conservative estimates place the cost of such impacts to the Australian economy at $1.6 billion annually.3 However, other estimates suggest the cost of cyber crime could be as high as $17 billion annually, or one per cent of Australia’s GDP.4

Micro and small-sized companies—defined as those entities employing 0 to 4 and 5 to 19 employees respectively—represent 97 per cent of the 2.2 million businesses operating in Australia (Figure 1).5 Collectively, micro and small businesses contributed 35 per cent of industry value add to the economy in 2015-16, second to large businesses (200 or more employees) at 43 per cent and followed by medium-sized businesses (19-199 employees) at 22 per cent.6

3 Symantec, 2013, 2013 Norton Report: Total cost of cybercrime in Australia amounts to AU$1.06 billion, media release, 13 October 2013.

4 Hathaway, Melissa, Chris Demchak, Jason Kerben, Jennifer McArdle, and Francesca Spidalieri, 2015, Cyber Readiness Index 2.0. Paper, Potomac Institute for Policy Studies, last accessed 6 July 2018.

5 Australian Bureau of Statistics, Counts of Australian Businesses, Jun 2013 to Jun 2017, Cat# 8165.0.

Figure 1. The proportion of total businesses by employment size. Data source: ABS Cat. No. 8165.0

Despite their significant contribution to the Australian economy, smaller sized businesses are less likely to have the resources to deepen their cyber security capability, compared to larger enterprises.

According to the Australian Government’s Australian Small Business and Family Enterprise Ombudsman (ASBFEO), small business size appears to limit the tendency for Australian businesses to innovate in terms of their operational and organisational processes, suggesting that smaller organisations have fewer resources and less capacity to invest in improving their operational and management practices, compared to larger businesses.7 This is supported by data from the Australian Bureau of Statistics that indicates micro businesses were almost 50 per cent less likely to introduce new or significantly improved management practices compared to small businesses, and more than 75 per cent less likely than medium and large businesses (Figure 2).8 Similarly, micro-sized businesses were less likely to introduce new or significantly improved operational processes compared to their larger counterparts (Figure 2).

Given that cyber security straddles management and operational aspects of business operations, it is critical that Australian governments look at opportunities to reduce barriers for businesses to find trusted and consistent cyber security advice; and to assist them to apply sound practice in their organisation (directly or through contracted advice and services) as well as to ensure they are economically competitive and have growth opportunities in a digitally enabled world.

6 Australian Bureau of Statistics, Australian Industry by division, 2015-16, ABS Catalogue Number 8155.0.

7 The Australian Small Business and Family Enterprise Ombudsman, 2016, Small Business Counts – small businesses in the Australian Economy, Commonwealth of Australia.

8 Australian Bureau of Statistics, Selected Characteristics of Australian Business, 2015-16, Cat# 8167.0.

Figure 2. Proportion of businesses that introduced new or significantly improved processes. Data source: ABS Cat. No. 8167.0

Harmonising guidance on cyber security practices

Regulation and best-practice cyber security frameworks for industry are relatively nascent in Australia but are growing and maturing in response to the increasing frequency of cyber attacks and data breaches.9

Based on MITRE’s analysis, AustCyber proposes that NIST’s cyber security practice guides could be tailored to evolve existing Australian guidance and legislation and serve as a reference for Australian businesses seeking to improve their cyber resilience.

Other internationally recognised frameworks and standards should also be considered in any future work undertaken to harmonise Australian guidance and advice. For example, the frameworks and standards by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), in particular the ISO/IEC 27000 series, which provides industry-agnostic requirements for information security management. It is worth noting that Australia is a member of the ISO and IEC through Australia’s peak standards development body, Standards Australia.

9 Arun, R., 2018, A Comparison of Cyber Security Regulation in the USA and Australia, Hivint blog post, URL: https://blog.hivint.com/a-comparison-of-cyber-security-regulation-in-the-usa-and-australia-5bdeb5c4c2df, last accessed 13 June 2018.

Although Australia’s economy is comparatively small, it is well placed to be a test bed for evolved approaches to cyber security and resilience. While challenging, the case for harmonisation is compelling as it supports local businesses to grow through digitally enabled domestic markets. Harmonisation may also facilitate innovation through improved access to global customers and supply chains that have increasing requirements for security and trust in the products and services they procure.

Governments have a key role in ensuring that regulatory systems in our digitally enabled economy are in step with technological developments, and take a risk- and education-based approach in order to encourage market entry.10 By taking a leadership role in leveraging our comparative advantages, delivered in part by the agility of an economy dominated by small businesses, the Australian Government has an opportunity to help strengthen industry’s resilience against cyber threats and increase value to our economy.

About AustCyber

AustCyber – the Australian Cyber Security Growth Network – is a not-for-profit and industry-led company established in January 2017 under the Australian Government’s Industry Growth Centres Initiative. Its mission is to support the development of a vibrant and globally competitive Australian cyber security sector to enhance Australia’s future economic growth in a digitally enabled global economy.

The authors

Michelle Price is AustCyber’s Chief Executive Officer.

Don Gomez is the Strategy and Reporting Adviser at AustCyber.

Alex Venardos is a Program Manager at AustCyber.

Policy Recommendations

AustCyber recommends that Australian governments, as much as possible, seek to harmonise cyber security guidance and information resources with international frameworks and standards, noting those most commonly used are the NIST Cybersecurity Framework and the ISO 27000 Series on Information Security Management.

We also recommend that government guidance and advice be appropriately communicated to key actors in Australian industry to achieve broad uptake of international best practice across the economy.

10 Productivity Commission 2017, Regulation in the Digital Age, Shifting the Dial: 5 year Productivity Review, Supporting Paper No. 13, Canberra.