Cybercrime is rife in Australia. A new all-encompassing cybersecurity strategy should help, with engineering expertise crucial to the implementation.
Last year was a costly one in cybercrime, with Australians losing a staggering $3.1bn to scams.
Thousands of Australian customers of brands such as Dan Murphy’s, Binge and Guzman y Gomez fell prey to a “credential stuffing” scam earlier this month, which saw their credit card details used to purchase luxury goods.
Not even our government systems are safe from attack, following 4,500 MyGov phishing scams last year alone.
To create an “additional layer of defence” for Australian consumers and businesses against relentless cyber threats, the Department of Home Affairs launched the 2023-2030 Australian Cyber Security Strategy in November 2023.
The strategy, which shifts cybersecurity from a technical problem to a whole-of-society issue, is a positive step forward, said Jenny Mitchell, General Manager, Policy and Advocacy at Engineers Australia.
“There are three short-, medium- and long-term horizons — with an action plan released for the first horizon, set to take place over two years,” she said.
“Engineers play a critical part in cybersecurity, and we would like to see Engineers Australia work with government to co-design some of the actions in the strategy, particularly around mandatory cybersecurity standards.”
The Engineers Australia Cyber Security Working Group has mapped out the key areas for the implementation of stage one, and where engineering skills and expertise will be a necessity.
Here are some of the things engineers, and society at large, can expect from a beefed-up cybersecurity system.
Labelling scheme for smart devices
Imagine you could choose your smart devices based on security attributes, much like you select other household appliances for sustainability.
The strategy has proposed a voluntary labelling scheme for measuring the cybersecurity of smart devices that could function much like a Green Star Rating, according to Shireane McKinnie, PSM HonFIEAust, Chair of Engineers Australia’s Cyber Engineering Working Group.
“The department indicated they will approach this through a co-design process, adhering to international standards and developed in consultation with industry,” she said.
This process might be more complicated than it looks, with a broad range of consumer devices available, including smart televisions and fridges, along with smart devices used in the internet of things and the biomedical world.
“Any labelling system should be designed around the purpose of the smart device under consideration, such as consumer appliances or those used for specific health purposes,” McKinnie said. “Different risk and safety equations will then need to be identified and dealt with.”
On this front, Engineers Australia will proactively engage with the department to identify opportunities for co-design.
“That’s just one example of where Engineers Australia could be involved in progressing the action plan,” she said.
Embedding cybersecurity into software development practices
As apps increasingly become part of our daily lives, consumers can breathe easier knowing a new cybersecurity code of practice for app stores and developers is in the works.
“The code of practice will be around the types of software development processes that need to be implemented in order to say cybersecurity has been covered off,” McKinnie said.
Similar to the labelling system for smart devices, a product might be given a rating upon release — letting consumers know it has been developed to a robust standard.
“That way, you can have confidence the application will operate as expected and incorporate cybersecurity features in accordance with a particular code of practice,” she said.
These security expectations will extend beyond a rigorous software development process.
“There should be a system of updates for software applications when bugs are detected,” McKinnie said. “Or if hackers, for example, find vulnerabilities in software, developers should have a routine update regime.”
All upgrades should fix bugs and patch known vulnerabilities.
“Any apps exposed to the internet, which have business or safety critical functions, should be developed to a higher standard,” she said.
With Engineers Australia actively engaged with Standards Australia on a range of standards, it can provide valuable insight on a set of standards for cybersecurity.
“Engineers Australia could have proactive discussions with the department to understand their intentions and contribute to a broader framework on the approach to a code of practice,” McKinnie said.
Protecting the right assets and ensuring infrastructure is protected
There’s a big focus on IT systems in cybersecurity. However, it’s crucial that operational technology systems are secured to protect critical infrastructure, Mitchell said.
“Through Engineers Australia’s Cyber Engineering community of practice, we’ve got great cyber engineer experts within the membership who can provide the technical advice, along with strategic advice, that the government needs,” she said.
This is where Engineers Australia members have the power to make a difference, with a consultation now open on the legislative reforms that may be needed to the Security of Critical Infrastructure (SOCI) Act 2018.
“Engineers Australia members have plenty of experience with the SOCI Act, so it’s vital to harness that knowledge to understand how the Act operates,” McKinnie said.
Thinking of becoming a cyber engineer?
Engineers interested in cybersecurity, an area that will only increase in demand and prevalence, will soon benefit from a more formalised career path — with Engineers Australia receiving business-case approval to develop cyber engineering as an area of practice.
A cyber engineering career development roadmap and competency framework are also slated for release later this month.
“The competency framework will assist with identifying the skills and knowledge cyber engineers need to have, helping training providers and universities design the relevant programs, as well as outline the competencies needed to be recognised as a Chartered practising cyber engineer,” McKinnie said.
Meanwhile, the career roadmap provides a tailorable, indicative career map to help engineers and employers identify the right cyber engineering skills.
“Each employer will have a different emphasis on the cyber skills it requires,” she said. “We’ve covered the full spectrum, from design, development, implementation, through to maintenance, operation and response.”
With a cyber workforce recognised as certified practising engineers, employers will have a greater level of confidence in the skills of new recruits while bridging cyber workforce gaps.
“Skilled migrants wanting to move to Australia with cyber qualifications could be assessed against the framework,” McKinnie said. “That could assist with bringing engineers into the country, assessing their credentials, and providing chartered status — helping employers identify appropriately skilled workers.”
All members are invited to give their views to help inform Engineers Australia’s response to the Australian Cyber Security Strategy: Legislative Reforms consultation by completing this form by COB on Monday 12 February.