As cybersecurity threats continue to escalate, Australia has joined a US-led effort to shift the burden of responsibility for cybersecurity from end users to software developers.
In this regard, the Australian Cyber Security Centre (ACSC) issued a statement in collaboration with its Five Eyes counterparts in the United States, United Kingdom, Canada, and New Zealand, as well as Germany and the Netherlands, urging software vendors to take urgent steps to prioritise security in their products.
"To create a future where technology and associated products are safe for customers, the authoring agencies urge manufacturers to revamp their design and development programs to permit only secure-by-design and -default products to be shipped to customers," the statement said.
This push comes in the wake of the release of the US cyber strategy, which seeks to shift burdens and liabilities away from end users towards vendors, including removing legal shields provided to companies through "shrink-wrap licensing".
The collaboration aims to promote 'Secure-by-Design' and 'Secure-by-Default' products, meaning products developed in a way that reasonably protects against malicious cyber actors successfully gaining access to devices, data, and connected infrastructure.
"It’s great to see conversations opening up about secure-by-design and secure-by-default approaches. If you would like to read the full publication released in partnership with @CISA and our international partners, visit https://t.co/gBaoFLFM67 https://t.co/PoU3Xe1ny4" (Australian Cyber Security Centre, @CyberGovAU, April 24, 2023)
World's most cyber-secure country by 2030
Industry experts have recommended that the Australian Government consider adopting a similar approach as it redevelops its national cybersecurity strategy in order to achieve its goal of becoming the world's most cyber-secure country by 2030.
In the wake of the Latitude cyber-attack, which affected nearly 14 million Australians and New Zealanders, Australia's Minister for Cyber Security Clare O’Neil has urged the Federal Police and the cyber specialists in the signals directorate to collaborate and focus their efforts on “debilitating and degrading” the capabilities of hacking groups.
To ensure that financial institutions and banks are adequately prepared for potential cyber threats, the Minister has previously proposed a series of ‘war-gaming exercises’.
Furthermore, O’Neil is advocating for a ban on ransom payments, further highlighting the government's stern stance on tackling cybercrime.
First of its kind
The advice for software manufacturers, which is the first of its kind to be issued, aims to "catalyse progress toward further investments and cultural shifts necessary to achieve a safe and secure future" through technical recommendations and core principles.
One key principle is for manufacturers to take ownership of the security outcomes of their technology products, shifting the burden of security from the customer, in line with the approach advocated by the US Cybersecurity and Infrastructure Security Agency.
"A secure configuration should be the default baseline, in which products automatically enable the most important security controls needed to protect enterprises from malicious cyber actors," the statement said.
Radical transparency and accountability
The guidance also calls for manufacturers to embrace radical transparency and accountability, including ensuring that Common Vulnerabilities and Exposures (CVE) records are complete and accurate, and committing to prioritise security as a critical element of product development.
"Cybersecurity cannot be an afterthought. Consumers deserve products that are secure from the outset. Strong and ongoing engagement between government, industry and the public is vital," said ACSC chief Abigail Bradshaw.
A discussion paper being drafted by an advisory board led by former Telstra boss Andy Penn to inform Australia’s next cybersecurity strategy said that Australians would expect “advanced cyber security built-in by-design” by 2030.