To Meet Bold Ambitions and Combat Mounting Threats, Australia Endorses Zero Trust

Originally published by CXO REvolutionaries.

Written by Heng Mok, CISO in Residence, Zscaler.

If Australia is to become the most cyber-secure nation in the world by 2030, as Cyber Security Minister Clare O'Neill has said it can be, it has a ways to go. The Australian government’s recognition of this fact can be seen in two recent reports highlighting the need for cyber readiness in an era of heightened tension.

First came a report from the Australian Securities and Investment Commission (ASIC) calling for "greater organisational vigilance to combat cyber threats." It followed a survey in which respondents voluntarily ranked their organisation according to its cyber maturity, returning a weighted average of 1.6 on a scale from 0-4.

Given the source of the study and the (self-reported) poor performance of participating organizations, some CISOs are bracing for similar legislation as that from the U.S. Securities and Exchange Commission, which has preoccupied their American counterparts for months. It would certainly follow a pattern of close involvement by the Australian government in cyber-related matters, especially in the wake of a breach.

Optus, one of Australia’s large telcos, for instance, was breached in 2022. This led to the Australian government recently reclassifying the sector as critical infrastructure and imposing stricter cybersecurity standards on providers. Since such a minimum maturity framework exists for sensitive sectors like critical infrastructure, it would not be a surprise to see such standards applied to governmental agencies and their contractors.

Another example of close government involvement entails debates over whether or not to ban the payment of ransoms to cybercriminal groups – or at least a requirement that organizations disclose when they do make payments. While Australia seems to have been dissuaded from criminalizing ransom payments, mandatory disclosure has considerably more momentum.

It is also worth noting that, among the major concerns highlighted by the ASIC report, supply chain risk management received special attention. With fresh memories of the number of security incidents caused by a third-party compromise, the country is understandably concerned about the potential for further incidents. Truly building resilience against cyber threats will require more than just a first- or second-order understanding of an organisation’s supply chain. It will require a holistic understanding of their inputs from data, business processes, and fourth- and fifth-party relationships.

Shortly after the ASIC report, the government released its Australian Cyber Security Strategy, which is meant to provide guidance and benchmarks for the remainder of the decade. The gist of this document is that, though the country has been victimized by the rising threat of cybercrime, it has the opportunity to be a regional leader and must seize it for the economic and security benefits it promises.

To do so, Australia has divided its cyber responsibilities into six “shields" for executing its goals. At its core are “Strong business and citizens.” This reflects the fact that Australia’s economy is largely powered by small and medium-sized businesses and that users can either be the first line of defence or the initial enablers of a cyber incident.

Australia’s six “cyber shields”. Source: 2023–2030 Australian Cyber Security Strategy

Interestingly, in its section detailing how the Australian government itself plans to take action in light of this strategy document, Australia has pledged “to develop a whole-of-government zero trust culture.” While light on details, it is a positive sign to see this emphasis on the part of the government and, I think, likely to spill over in a positive way to businesses and other organizations based here. But that will ultimately depend on a more fully formed zero trust strategy complete with advice for the private sector on its adoption. The need to formalise the funding models for cyber (similar to defense) and support the hardening of the government beyond compliance mandates will be key to ensuring sustainability and that Australia can be a world leader in cyber.

Cybersecurity in a shrinking world

The English poet John Donne famously wrote “No man is an island.”

Neither, for that matter, is Australia. And not because it sits on its own continental plate and therefore doesn’t technically qualify as one (although that’s true). Rather, because many of the same forces governing cybersecurity trends elsewhere are being felt Down Under.

War, geopolitical posturing, and globalized supply chains are shifting the winds of the cyber threat landscape as much here as they are elsewhere – if not more so. This is apparent in the compromise of four ports across Australia in recent weeks.

Australia’s location in the Pacific, Western alignment, support for Ukraine and commentary on the Israel-Gaza conflict make it a target for operations from actors with differing geopolitical points of view, relating to Taiwanese sovereignty or ownership of disputed island territories, for instance. The government’s supply chain security concerns could reflect the possibility that Australia could be drawn into the U.S.-China “Chip War" or, in a worst-case scenario, actual fighting between the two powers if a conflict erupts over the Taiwan Strait.

It’s unlikely a coincidence that when the shadowy coalition known as Five Eyes made its most public appearance to date, from Silicon Valley for the primetime TV news show 60 Minutes, it was to warn of the dangers of Chinese espionage operations. As competition continues to play out in emerging tech applications like AI, the group’s members clearly anticipate cyber-enabled intelligence gathering to intensify.

As I’ve written, taking a stand on sensitive social matters or wading into geopolitical disputes can itself be a source of cyber risk. Hacktivists have lashed out in support of both sides in the conflict between Israel and Hamas, for example. Domestic businesses are not immune to the stances of their governments. As tense global situations play out, Australia – its government and its citizens – must fortify itself against malicious actors bent on spreading chaos in its corner of the world and beyond.

By publicly announcing its intention to develop a whole-of-government zero trust approach, Australia has taken a step in the right direction. But successfully combating a full roster of challenges on the way to becoming the most cyber secure nation in the world will require continued, widespread commitment to achieving zero trust maturity.