Cybersecurity: Is Australia falling behind the rest of the world?
How resilient are Australia’s critical national information industries?
In today’s hyperconnected world, cybersecurity is no longer a niche. It has become a cornerstone of global security and economic stability. With 17 billion devices connected to the internet, trillions of dollars at stake in global e-commerce, and billions in government-issued digital identities, the cost of cybercrime is immense. In Australia alone, a cyber incident occurs every six minutes, underscoring the growing risks as our reliance on digital infrastructure deepens.
Against this backdrop, the Australian Institute of International Affairs NSW hosted an address on September 17, 2024, featuring cybersecurity experts Huon Curtis and Stephen Chey, consultants and founding members of Chey, Curtis and Plant, a critical infrastructure resilience advisory firm.
Curtis emphasized the importance of resilience, defining it as the capacity to recover from disruptions—whether in physical communities or the digital landscape. He noted that many organisations (much like those vulnerable to natural disasters) remain ill-prepared for cyber incidents, making resilience essential in today’s interconnected world.
Both Curtis and Chey stressed that resilience must be built through collective, coordinated action. Curtis argued that organisations often focus on isolated cybersecurity measures without considering the broader, interconnected ecosystem. “We can’t just think of individual organisations but need to consider the broader community,” he stated, pointing out that cascading vulnerabilities can affect entire sectors. Chey echoed this, emphasizing the need for consequence management—preparing for and mitigating the long-term impacts of cyber disruptions. He used the Medibank data breach as an example, noting that while Australia responded to the attack, the damage could have been minimized with better advance planning.
The speakers also highlighted the confusion surrounding cybersecurity terminology and the general public’s understanding of digital threats. Curtis noted the evolving risk landscape and the need for strategies that go beyond merely preventing disruptions. Australia’s government and businesses are learning from previous breaches and adopting a more holistic approach to resilience, incorporating redundancy and backup systems. He called for a comprehensive resilience framework that defines clear roles and responsibilities, from government entities to individual companies.
A key takeaway from this address was the shift in focus from preventing cyberattacks to managing their consequences. Chey explained that while offensive strategies like retaliatory hacking are often discussed, they can do more harm than good. Instead, the focus should be on building resilient systems that can recover quickly from disruptions. “We don’t need a royal commission every time Optus fails,” Curtis quipped, referencing the recurring failures of large organisations and the public demand for government intervention.
The session closed with reflections on the broader economic implications of cyber resilience. Curtis cautioned against over-reliance on a small number of global vendors, such as Microsoft, and stressed the need to diversify IT supply chains to prevent widespread disruption. Both experts agreed that while the complexity of modern IT systems is unavoidable, fostering resilience through collaboration between government, industry, and individuals is crucial for navigating the unpredictable future of cybersecurity.
During the Q&A session, audience members posed a range of questions, from the role of small businesses in the broader cyber resilience ecosystem to the future of post-quantum cryptography in safeguarding critical infrastructure. One question focused on whether the Australian government’s current policies were sufficient to address the growing threat landscape. Curtis responded by highlighting recent advances but noted that ongoing adaptation is essential to meet the evolving challenges. Chey fielded a question about the role of public-private partnerships, stressing that government and industry must collaborate more closely to ensure collective cybersecurity resilience.
Report by Numan Mousa, AIIA NSW intern
Stephen Chey (left) and Huon Curtis (centre) with AIIA NSW intern Numan Mousa