Secure Code Warrior

How the Australian Government can build national cybersecurity resilience and stand tall against threats

It is clear from the Australian Government's push to get serious about cybersecurity that it has been identified as a key risk area on a national level, but does its strategy reach far enough?

With 2020 seeing an enormous spike in remote working, plus continued large-scale data breaches and an increasing focus on the consequences of compromised privacy online, there has never been a sharper public focus on cybersecurity. As a result, governments around the world have stepped in to reshape and update their cybersecurity plans and infrastructure, including strategies and regulations that businesses are required to follow when handling our most precious digital resources.

Strategic protection guidelines for cybersecurity are not a new concept, and organizations like NIST have informed the policies of global government departments for many years. As we have moved through digital advancement at a cracking pace, it has become difficult for many to keep up with the number of threats, possible attack vectors, and compliance requirements that are part of an ever-changing landscape.

A recent breach of 54,000 New South Wales driver's licenses as a result of an easily accessed, misconfigured S3 bucket on a third-party server has compromised thousands of individuals, with the security researcher who reported it conceding that the data may already have been sold on the dark web. The sad thing is, this is an easy fix and would have been unlikely to happen at all had security been front-of-mind for those configuring the cache.

The Australian Government recently released the Australian Cyber Security Strategy 2020, highlighting new initiatives and a $1.67B funding boost to be used over the next decade, to achieve their "vision of creating a more secure online world for Australians, their businesses and the essential services upon which we all depend". This is clearly a very welcome review and updated plan, especially since one of the chief objectives is:

"Action by businesses to secure their products and services and protect their customers from known cyber vulnerabilities".

While government bodies tend to focus on (as they should) the security measures concerning a country's critical infrastructure -- areas that are ripe for a catastrophic organized attack -- what was lacking in the past were guidelines for the companies that collect and use our data every day.

Now, when it comes to official strategy like this, it's not always beer and Skittles. It can be a little hard to interpret, and vague on the details, leaving it up to an organization's security team to piece together a plan based on non-specific guidelines. This issue is not unique to Australia's government, but let's analyze their brand new release.

A focus on reaction, not prevention.

The updated Australian Cyber Security Strategy is a more relevant uplift to the last release in 2016, with fairly comprehensive plans for businesses, especially SMEs. The strategy outlines:

"Government and large businesses will assist small and medium enterprises (SMEs) to grow and increase their cyber security awareness and capability. The Australian Government will work with large businesses and service providers to provide SMEs with cyber security information and tools as part of "bundles" of secure services (such as threat blocking, antivirus, and cyber security awareness training)."

This will provide SMEs with a decent basic foundation on which to protect their business from cyber threats, but it is largely a reactive approach, and the focus is on detection tooling - a relatively small part of the cybersecurity landscape.

There is also surprisingly little information on how large enterprises can protect themselves and reduce their exposure to attack. While some sectors may be covered by the plans to protect critical infrastructure (such as telecommunications and transportation), financial services, retail, and many other verticals have a lot to lose when it comes to a successful cyberattack. Perhaps this will be part of forthcoming legislation, but even so, highlighting the importance of meticulous cybersecurity best practices at the enterprise level is fundamental to seeing significant change, and a drop in compromised data and cybercrime.

Overall, when considering the strategy as a whole, it is built around a reactive approach. Countering cyber attacks, disrupting active cybercriminals and ensuring their prosecution, as well as intelligence sharing with international allies, are all important factors, but imagine if the nationwide standard for protection was focused on prevention. Along with protective measures for critical infrastructure, if security was front-of-mind in every business, and every person touching the code that creates our digital world was properly equipped to block attacks before they happen, the savings in time, money, and heartache for victims would be immeasurable.

Resilience is possible, but it must be planned.

It is clear from the Australian Government's push to get serious about cybersecurity that it has been identified as a key risk area on a national level. As with any other malicious attack that has the ability to disrupt our way of life, resilience is absolutely crucial - not just to withstand such an attempt, but to act as a deterrent to it happening at all. At the end of the day, even threat actors can be lazy, and they will move to an easier target to achieve their goal if too many barriers are put in the way of their success.

At the moment, we face a global cybersecurity skills shortage, and this is something that keeps CISOs around the world awake at night. Billions of lines of code, constant large-scale data breaches, and more risk of penalty (Marriott alone received a USD $123M GDPR fine for their 2018 data breach... and they had another breach this year) than ever before have created a demand chasm for security specialists that, realistically, is unlikely to be closed. There is simply too much code, and too few resources to ensure it is fortified from every angle.

So, should we give up on the idea that we will ever truly stand tall in the face of cyber threats? Not a chance. Resilience requires using all available resources, and thinking one step ahead. And for many companies, their developers can unlock a powerful method of fortification right as code is written. When paired with a visible, positive security culture across the whole business, this provides a secure foundation that is difficult for many attackers to shake and break. However, this method requires taking the suggestions from the Australian Cyber Security Strategy, as an example, and diving deeper into how they can be customized to support effective change that is relevant to the business.

To that end, it is important to break down a couple of the tips:

  • Security awareness training: This is specifically called out for SMEs, and in the context of the whole report, is mainly aimed at teaching all staff basic security hygiene (e.g. spotting phishing emails, not clicking unknown links, etc.). Realistically, it must go much further than that and become role-specific, especially for those who touch code, like developers. It is imperative that security awareness training is a component of preventative measures and of building resilience.
  • Education: In a refreshing change, there is an in-depth plan to address the cybersecurity skills shortage over the next decade, by way of emphasis on cybersecurity training from primary and secondary school, through to tertiary education. This is sorely needed if we are to build the security superstars of the future, but from a perspective of addressing business needs right now, hands-on training in secure coding for the development cohort is an absolute necessity to start reducing common vulnerabilities, and must be part of a functional security program.

As security experts, we need to do more to help companies all over the world understand the importance of building an internal security program that goes beyond simple foundational measures of awareness. Spending time to upskill developers takes the pressure off overworked AppSec specialists, and ensuring the entire organization is as security-aware as possible within the context of their role is vital in reducing the attack surface of software.

Developer upskilling is time well spent, so why are so many companies ignoring it?

A recent survey by DDLS concluded that there is very little sense of priority when it comes to cybersecurity training in Australian organizations. In fact, it didn't even make the top three training priorities, despite 77% of respondents ranking cybersecurity awareness as "extremely" or "very important" in their business.

It's little wonder, then, that Australia is struggling to close the widening skills gap, and has some work to do to create a more resilient infrastructure, from essential services to retail, and everything in between.

There is an enormous opportunity here for governments to create a security skills baseline certification, or regulation, and the strategy alludes to this as a way to work with finite resources. However, once again, this seems to be a future-state proposal, and we have the tools to start much sooner if we target high-impact areas first. For me, the beacon of hope lies in the development teams within each organization, and given the tools and knowledge to succeed, they can cut off common vulnerabilities at the pass and significantly reduce the risk of a data breach within their organization.

In 2019, 24% of all data breaches were caused by human error - namely security misconfigurations - which are usually relatively simple, code-level fixes. If training is made a priority here, in conjunction with building company-wide security awareness, I'm betting that there would be fewer CISOs signing off on breach notifications to thousands of compromised customers.