AustCyber: Time to 'harmonise' bamboozling government cyber advice

The Australian government should adopt an adapted version of the US Government’s National Institute of Standards and Technology’s (NIST) Cybersecurity Framework as its guidance for businesses, the Australian Cyber Security Growth Centre (AustCyber) has advised in a policy paper published today.

The proposed policy is based on AustCyber commissioned analysis from MITRE which found local businesses are faced with a bamboozling abundance of security advice coming from federal and state governments.

The sheer weight and “complex mix” of guidance is leading to confusion around what advice to take, leading even the most cyber-aware businesses to overregulate, do nothing or adopt a mix of domestic and international standards.

“Harmonising government guidance via use of globally recognised cyber security frameworks and standards would strengthen the ability of Australian businesses to compete in global markets and supply chains,” AustCyber, which was established last year, said.

The disparate cyber guidance put out by governments was particularly tough on small and medium sized businesses which have less capacity to navigate the numerous technical and legislative frameworks, and the plethora of advice to secure their systems and data.

“…it is critical that Australian governments look at opportunities to reduce barriers for businesses to find trusted and consistent cyber security advice,” the policy paper states.

Among the government issued cyber and infosec advice is the Australian Signals Directorate’s Essential Eight, Cyber Security for Contractors, Information Security Manual and Strategies to Mitigate Cyber Security Incidents; the Attorney-General’s Department authored Protective Security Policy Framework and Information Security Management Guidelines; and the Office of the Australian Information Commissioner’s Guide to Securing Personal Information.

Guidance and information resources from government would best be based on the NIST Cybersecurity Framework and the ISO 27000 Series on Information Security Management, the government backed not-for-profit centre said.

The NIST Cybersecurity Framework came out of a Barack Obama issued Presidential Executive Order in 2013. It consists of standards, guidelines, and practices to promote the protection of critical infrastructure, and is made up of three main components: the core, implementation tiers, and profiles.

The core provides a set of desired cybersecurity activities and outcomes using common language that is easy to understand; implementation tiers assist organisations by providing context on how to cybersecurity risk management; while profiles are primarily used to identify and prioritise opportunities for improving cybersecurity at an organisation.

AustCyber, who appointed Michelle Price as its new CEO in April, also recommended that refreshed guidance be championed by key players in Australian industry to achieve broad uptake.

“Although Australia’s economy is comparatively small, it is well placed to be a test bed for evolved approaches to cyber security and resilience. While challenging, the case for harmonisation is compelling as it supports local businesses to grow through digitally enabled domestic markets,” AustCyber said.