2016 Cyber Security Strategy: the perils of self-assessment
27 Apr 2017


Last week the Australian Government released its First Annual Update on the implementation of its 2016 Cyber Security Strategy. The government’s much anticipated self-assessment contains some useful elements, but also suffers some significant shortcomings.

Cybersecurity is a constantly evolving challenge, so government policy needs to be iterative and responsive. This first update is a positive step towards that goal, taking stock of domestic and international developments that have shaped the cybersecurity landscape in the last twelve months, such as the Australian Red Cross Blood Service data breach and Russian attempts to influence the outcome of the 2016 US Presidential election.

The update outlines the activities aimed at realising the five key goals of the Strategy: a national cyber partnership, strong cyber defences, global responsibility and influence, growth and innovation, and a cyber smart nation. The most notable feathers in the government’s hat include the appointment of new cyber leadership positions, the launch of the Joint Cyber Security Centre pilot in Brisbane, the ASX100 cyber health checks and the establishment of the Australian Cyber Security Growth Centre. The update also covers developments outside the bounds of the Strategy initiatives, such as the Prime Minister’s declaration in November 2016 that Australia’s offensive cyber capabilities were being used in support of Australian Defence Force operations against Islamic State.

The government has identified a few areas in which it intends to make improvements. It commits to publishing a ‘view of the cyber security ecosystem’ to overcome structural ambiguity within government and to ‘mature its communication channels’ to address the paucity of regular public updates.

The update identifies key priorities for the coming year. It describes cybercrime as one of the ‘most visible and damaging’ threats to Australia’s online society and flags the intention to release an update of the 2013 National Plan to Combat Cybercrime. Small business will receive greater attention, with industry consultation underway to develop a ‘targeted approach’. Lastly, there are plans to improve coordination between the federal, state and territory governments and the private sector to make Australia’s critical national infrastructure cyber secure. The update confirms that the new Critical Infrastructure Centre within the Attorney-General’s Department, along with the Australian Cyber Security Centre, will lead this effort.

Unfortunately, the update is almost devoid of self-assessment, and its approach to the review process is flawed. The report is artfully forgiving, mentioning the Australian National Audit Office cybersecurity reviews of departments but omitting any reference to the audits’ worrying findings. It also relies heavily on hypothetical victories. For example, the Deloitte study it cites when predicting an uptick in investment, wages and jobs in the Australian cyber industry by 2030 is actually conditional on a ‘shift in thinking around cyber security’ and applies only ‘if Australia invests further in cyber security’. It is not a prediction based on the current trajectory.

The table of progress towards action implementation is where the government’s reluctance to hand out ‘C minuses’ really stands out. The awkward absence of any status denoting under-performance amongst the options of ‘progress’, ‘strong progress’ or ‘completed’ is disappointing. A lack of progress on several actions is explained as ‘not scheduled to have commenced’, accompanied by the opaque comment that ‘work will commence’ on actions to ‘develop guidance for Government agencies to consistently manage supply chain security risks for ICT equipment and services’. Without any further information, that looks like an attempt to dodge criticism and avoid future accountability. The general lack of transparency around strategy delivery timelines that plagued the past 12 months has carried into the first annual assessment. The absence of timelines leaves the government room to mask underperformance and means that promises to ‘accelerate’ or deliver initiatives ‘ahead of schedule’ hold very little meaning.

Upon closer inspection of the table of progress, it’s obvious that its focus on actions, rather than outcomes, is a critical methodological failing. The government’s own advice on best practice policy evaluation recommends assessing the extent to which intended and unintended outcomes are achieved. Merely stating that an action was undertaken doesn’t clarify whether the desired effect was achieved, or whether the action is still the most appropriate way to achieve the end goal. By falling into the ‘tick box’ mentality that Special Advisor Alastair MacGibbon has warned against, the update misses an opportunity to explain what has changed because of Strategy implementation efforts.

We’re pleased that the government has released this factual update, but we’d like to see next year’s update directed towards transparency and genuine self-assessment.