Australia Establishes Cyber Review Board

May 6, 2026 12:06 · 10 min read

Australia's Cyber Review Board: A New Approach to Cybersecurity

Australia has announced the establishment of a Cyber Incident Review Board, an independent body tasked with reviewing major cyberattacks on Australian government and industry. The board will focus on identifying systemic lessons and areas for improvement, rather than assigning individual or corporate blame.

The board, which is majority female, will be chaired by Narelle Devine, the global chief information security officer at Telstra. Other members include representatives from Boeing Australia, NBN Co, the University of New South Wales, law firm Allens, Toll Group, and SA Power Networks.

Background and Context

The establishment of the Cyber Incident Review Board follows a series of high-profile cyberattacks in Australia in recent years, including those affecting health insurer Medibank and telecommunications company Optus. These attacks have put pressure on the Australian government to strengthen the country's cyber defenses.

The board is modeled on the Cyber Safety Review Board established by the Biden administration in 2022, although with a narrower membership drawn largely from critical infrastructure industries. The US board produced three reports before it was disbanded by the Trump administration.

Key Features and Powers

The Australian Cyber Incident Review Board has the power to compel information from entities that decline to participate in reviews, a key difference from its US counterpart. This power is designed to ensure that the board has access to all relevant information and can conduct thorough and effective reviews.

The board's reviews will focus on identifying systemic lessons and areas for improvement, rather than assigning individual or corporate blame. This approach is designed to promote a culture of transparency and cooperation, and to help organizations learn from their mistakes and improve their cybersecurity practices.

International Context

Australia is not the only country to establish a cyber review board. The European Union has also set up a similar mechanism under its Cyber Solidarity Act, tasking the EU's cybersecurity agency ENISA with conducting post-incident reviews of significant cross-border attacks.

The US Cyber Safety Review Board's most consequential report accused Microsoft of a cascade of avoidable errors that allowed Chinese state-linked hackers to access email accounts belonging to senior US government officials. The report demanded "real cultural and leadership changes" at the company, and Microsoft chief executive Satya Nadella subsequently issued a company-wide directive declaring that prioritizing security "above all else" was critical to the company's future.

Conclusion

The establishment of the Cyber Incident Review Board is an important step forward for Australia's cybersecurity. By providing a framework for independent review and analysis of major cyberattacks, the board can help identify areas for improvement and promote a culture of transparency and cooperation. As the cyber threat landscape continues to evolve, the board's work will be critical in helping Australia stay ahead of emerging threats and protect its citizens and organizations from cyber harm.

"We know that cyber attacks are constant. This guarantees we learn from every attack and keep increasing our resilience," said Tony Burke, the Australian home affairs and cybersecurity minister.

Source: The Record
