An expert panel advising the government on its new four-year cyber security strategy on Tuesday also recommended other telcos create “cleaner pipes”.
The onus to provide these protections has traditionally been on web browsers such as Google and companies in the software, hardware and operating systems space. But the ASPI report said ISPs were best placed because they could see all connections to the internet, including from “internet of things” devices such as fridges, microwaves and televisions.
The report raised the alarm about the lack of investment in cyber security by small and medium-sized businesses, warning many firms did not have the resources to protect themselves.
“Large parts of the Australian economy and community can’t protect themselves online because they don’t have the skills or resources to do so,” the report said.
“Criminals, meanwhile, are agnostic about their targets and will attack whoever it is profitable to attack. As weaknesses in security in one area of the economy get shored up, other avenues are explored. If the top end of town is too tough, criminals will ransack those with relatively poor security – individuals and small and medium-sized enterprises.”
Australia is facing a wave of cyber attacks against governments and businesses, including critical infrastructure such as hospitals and state-owned utilities. Cyber crime is estimated to cost the economy $29 billion a year.
The report said ISPs had been hesitant to provide a “clean pipe” for several reasons, including cost, lack of capability and the reputational risk of inadvertently blocking legitimate traffic.
But Sean Duca, regional chief security officer with global cyber-security company Palo Alto Networks, said elsewhere in the world there was reputational risk for ISPs that didn’t provide clean pipes.
ISPs shouldn’t just identify threats after a customer has been targeted, “they need to be ahead of the game”.
“ISPs can play a role in limiting an attacker’s ability to launch attacks from their networks by enabling full threat visibility and prevention in real time,” Mr Duca said.
“Should the Australian government adopt such a policy, they should work with ISPs, leading Australian companies and the cyber security industry on what ‘good’ looks like – as leaving ISPs to decide the standard here is like having them mark their own homework.”
Anthony is foreign affairs and national security correspondent for The Sydney Morning Herald and The Age.