Last week the Australian government announced a new cybersecurity initiative that will cost upwards of AU$240 million and create 100 “highly specialized” jobs. This comes on the heels of Obama’s February announcement of the Cybersecurity National Action Plan, which hopes to establish a cybersecurity committee and create a 3.1 billion dollar “modernization fund.” With business and communications now done almost entirely online, it makes sense that governments are taking cybersecurity seriously, but what does it mean for the state to establish a cybersecurity presence and how will these initiatives ultimately play out? We’ll look at the details of both plans and how they align with their government’s cybersecurity actions, as well as their potential impact on citizens.
The Australian Plan
Details of the Australian cybersecurity initiative show that the bulk of the effort will be spent protecting Australia from organized crime and state-sponsored hackers, as well as coordinating with Australian businesses to boost security. Some highlights of the report include:
⇒ Appointment of a “Cybersecurity Minister”
⇒ Creation of 100 specialized jobs
⇒ AU$136 million for small business grants
⇒ AU$6.7 million for overseas cybersecurity advocacy
⇒ AU$38 million to support new business and promote the exporting of security products
The government has stated in its announcement that it is in favor of “an open and secure internet.” Yet Australia has been embattled in an internet censorship debate for years now, with many advocating for mandatory internet filtering and other blacklisting techniques. Additionally, state surveillance of Australian citizens has increased under the “data retention” policy of 2015. This is consistent with a global increase in domestic digital surveillance by the state. Finally, laws criminalizing the teaching and research of encryption techniques contradict the idea of cybersecurity altogether, without even speculating on why the government would want to do such a thing. The focus on business will improve the security of commerce, but reinforces the idea of the internet as a business space, without addressing individual privacy.
The American Plan
Focused much more on improving government infrastructure and standardizing government IT practices, the American cybersecurity plan outlines a strategy to bring government agencies in line with a central security standard, overseen by a newly created office. Some highlights of the report include:
⇒ Creation of a Federal Chief Information Security Officer (CISO) position to oversee strategy across agencies.
⇒ Centralization of federal IT resources for multiple agencies
⇒ Student loan forgiveness for cybersecurity specialists joining the workforce
⇒ $3.1 billion technology modernization fund
⇒ Increased DoJ funding for cybersecurity related incidents
⇒ Total 2017 cybersecurity budget of $19 billion, a 35% increase over 2016.
⇒ Creation of a cybersecurity incident response policy
The American plan does mention improving user security (such as by championing two-factor authentication) and even goes so far as to claim “Privacy has been core to our Nation from its inception, and in today’s digital age safeguarding privacy is more critical than ever.” But since Edward Snowden leaked the NSA documents pertaining to domestic surveillance, we know that the American government has been collecting massive amounts of metadata and even content through several different coordinated spying efforts, all of which were created and operated in secret. Apple’s recent battle with the FBI over encryption shows that the government is willing to circumvent cybersecurity when it suits them, retaining the services and tools of hackers to access private data.
In reality, security through obscurity usually means that the only people who find obscure resources are the people looking to exploit them for a way in.
There are several wars being fought on the cybersecurity front and not all of them put the people and their government on the same side. The continual battles for net neutrality and uncensored internet prove that maintaining an "open and secure" environment requires resisting the state as much as modernizing it. Be careful not to let the frame of cybersecurity overshadow the political importance of the decisions being made and their potential impact on citizens, current and future. "Security," cyber or not, tends to always precede some erosion of rights, even if the threat being secured against is real.
The specialized skills necessary to understand "cyber" can cloud the basic issues at stake for initiatives such as these. Increasing government cybersecurity resources seems like a good thing, when it’s framed as an effort to protect legitimate government services from malicious actors, or to assist citizens in maintaining their own security and privacy, but given how these two governments have acted regarding cybersecurity, it’s difficult to accept such an optimistic viewpoint. Consolidating government infrastructure, as in the American plan, would also make data mining and cross-agency data access much easier. Improvements in infrastructure would help online services, but also create more powerful environments for government sponsored espionage. It's also important to keep in mind that while some cybersecurity laws may target illegal online activity, they can also target political speech and activism, and provide law enforcement and other government representatives access to information on protestors that would otherwise be protected by the constitution. When a good portion of cybersecurity has to do with protecting yourself from the government, especially in countries with harsh censorship laws, allowing the government to lead the cybersecurity initiative begs the question how much of the resulting security will be for the people and how much will be for the state.
How CSTAR Works What's In the Website Risk Grader? Understanding Risk in the 21st Century
All the information needed to perform a CSTAR assessment is bundled into the UpGuard platform. Learn more about CSTAR.
Read Article >
The UpGuard Website Risk Grader provides a low friction way to get an initial assessment of a business' risk profile.
Read Article >
And as we enter 2016, the risk of data breaches in particular threatens to hamper business innovation.
Read Article >