The panel also included Vocus chairman Bob Mansfield, former US secretary of homeland security Kirstjen Nielsen, Tesla chair Robyn Denholm, Northrop Grumman Australia CEO Chris Deeble and NBN Co chief security officer Darren Kane.
It was established by the Department of Home Affairs as part of the consultation for a new cyber-security strategy to overhaul the initial 2016 plan.
Cyber security is considered a joint program between businesses, the government and the community. The new strategy is expected to be released next month.
Patchwork of rules
The report recommends that “industry should increase its cyber-security capabilities and be increasingly responsible for ensuring their digital products and services are cyber safe and secure, protecting their customers from foreseeable cyber-security harm”.
Resisting calls for a national cyber act to fix the regulatory patchwork, the panel called for “a review of Australia’s legislative environment for cyber security to ensure that suppliers of digital products and services have appropriate obligations to protect their customers”.
Mr Penn said this should be done by strengthening regulations to ensure they covered cyber crime and misbehaviour.
He cited, as an example, a review of the consumer protections the Australian Competition and Consumer Commission oversees, to ensure they were appropriate to capture malicious cyber activity.
Signalling a light-touch regulatory approach, the panel said this should be developed with “consistent, principles-based regulatory requirements” to implement reasonable protection.
The panel said a clear definition was required for what constituted critical infrastructure. This should extend to digital infrastructure such as data centres.
Rather than mandate standards, the report calls for the development of “industry consensus around what cyber-security standards should be used in Australia” and accelerating the adoption of these standards to ensure digital products and services are “secure by design”.
The report also strongly encouraged major vendors to sign up to a voluntary “secure by design” charter to leverage international best practice.
But the report does push for a mandatory cyber-security labelling scheme to help consumers make informed choices. This would also include building transparency into critical and emerging technology supply chains to enable consumers to trust the cyber security of their devices.
The industry panel called for a more aggressive and front-footed approach to malicious cyber activity, saying this could be achieved “by increasing the transparency on government investigative activity”.
“The Australian government should openly describe and advocate the actions it may take in response to a serious cyber-security incident to deter malicious cyber actors from targeting Australia,” the report recommended.
The panel recommended more frequent attribution of the source of attacks and clear consequences for malicious cyber activity.
Prime Minister Scott Morrison last month said Australia had been the target of a cyber campaign from a “sophisticated state actor”, but declined to name the source.
It also called for “legislative certainty” to enable businesses to “automatically block a greater proportion of known cyber security threats in real-time”.
Mr Mansfield said cyber responsibility was spread across different agencies and there needed to be a more co-ordinated approach.
“Who do you call?” Mr Mansfield asked.
The report calls for a unification of all government messaging on online safety and cyber-security awareness. “Existing campaigns run by different government agencies share a common audience who do not distinguish between different online issues.
“Government should speak with one voice. Campaigns should be age and sector appropriate.”
The panel also recommended a national board, established in partnership with industry and the states and territories, with integrated governance.
The 56-page report also calls for increased government investment in the Joint Cyber Security Centre program.
Federal agencies spend on average about 6 per cent of their ICT budget on security. Leading jurisdictions, such as Singapore and Israel, spend about 10 per cent.
The panel also said there was a clear need for a mechanism between industry and government for real-time sharing of threat information, beginning with critical infrastructure operators.
“The government should also empower industry to automatically detect and block a greater proportion of known cyber-security threats in real time.”
The panel recommended that the government strengthen the incident response and victim support options already in place.
“This should include conducting cyber-security exercises in partnership with the private sector.”
The panel said speed was critical when it came to recovering from cyber incidents, and proposed that critical infrastructure operators collaborate more closely to increase preparedness for severe cyber incidents.
It said the Australian government needed to consider how it could improve trust in the cyber security of its own systems and networks. This comes after several audit reports found that many agencies were not meeting cyber-security standards.
It recommended that all governments become exemplars of enterprise security risk management, including cyber security, physical security and personnel security.
This would require government agencies providing essential services to meet the same cyber-security standards as privately owned critical infrastructure, with increased accountability and oversight.
The panel recommended that larger, more capable government agencies provide cyber-security services to smaller agencies.
This should include prioritising the decommissioning or hardening of vulnerable legacy systems as part of an accelerated shift towards secure cloud-based services.