Agenda for Change 2016: cybersecurity

This piece is drawn from Agenda for Change 2016: strategic choices for the next government.

Regardless of its political stripes, the next Australian government has a solid foundation from which to approach cyber policy, comprising the new Australian Cyber Security Strategy, the National Innovation and Science Agenda and the 2016 Defence White Paper (DWP 2016). Alongside the release of the Strategy was the announcement of a four-year $230 million investment to enhance Australian cybersecurity capabilities and launch new cyber initiatives. The Australian government hasn’t invested in this area since 2009, so it’s well overdue.

There’s a significant opportunity to build capacity in our neighbourhood and more actively promote Australia’s vision for the online environment: one which is open, safe and secure, while facilitating economic exchange and innovation. The Strategy sets out a sensible agenda for the next four years and lays the groundwork for expanded engagement. To achieve that, the Minister for Foreign Affairs will appoint Australia’s first Cyber Ambassador, who will play a key role in crafting Australia’s first public International Cyber Strategy. A strong International Cyber Strategy will lay out a more detailed position on key global debates, presenting a carefully considered plan for international engagement, and integrating the private sector into our international strategic thinking.

Over the next four years, the government has allocated $6.7 million to sustain such work. While it’s a significant improvement on DFAT’s existing shoestring budget for cyber work, it remains a modest figure, particularly when compared to the budgets of our key partners. The government must continue to boost the budget allocation for cyber issues in order to keep pace with our lofty international ambitions.

DWP 2016 gave government an opportunity to answer questions about what kind of defence force and capabilities will be required to respond to cyber threats. Positively, cybersecurity has its own dedicated spending line, with a commitment of $300–$400 million to that effort. The larger $730 million investment in threat research is set to include funding for cyber threat and capability R&D, but it’s not clear exactly how much.

A significant disclosure in the Cyber Strategy was the announcement that Australia possesses ‘considerable’ offensive cyber capabilities. When announcing that capability, the PM was careful to note that its use was subject to ‘stringent legal oversight and is consistent with our support for international law.’ That’s an important limitation to reassure the international community that Australia will exercise restraint in the use and development of such capability. However, the failure of DWP 2016 to address an offensive cyber capability leaves a gap in our understanding of how Defence will develop, sustain and employ such a capability. To address the gap, Defence should be tasked with delivering a Cyber Operations Strategy that outlines how both offensive and defensive cyber operations are governed and integrated into broader Defence activities.

The new Strategy has elevated the private sector from ‘partner’ to ‘co-leader’ in the new National Cyber Partnership and invites private enterprise to co-lead and co-design initiatives such as new voluntary standards, jointly operate new cyber threat sharing centres, and undertake combined cyber incident exercises. The success of the new partnership will rely on government clearly stating its policy purpose, sustaining engagement and committing to fill the significant gaps in Australia’s cyber workforce.

Unfortunately, current education trends aren’t creating the workforce that will be required to deliver the ‘innovation, growth and prosperity’ promised by the Strategy. Just $13.5 million has been allocated to making Australia a ‘cyber smart’ nation. The Strategy outlines plans to increase the quality and quantity of individuals coming through all levels of Australia’s cyber security education pipeline. That includes the establishment of academic centres of excellence at universities, the expansion of cyber security training in Registered Training Organisations and the development of training for individuals at all career stages. This workforce plan is part of a broader government effort to address Australia’s low number of STEM professionals, and is already supported by private sector efforts.

Despite those positives, more work needs to be done in terms of addressing immediate skills gaps and gender representation in cybersecurity professions. Increasing initiatives and funding for the development of Australia’s cyber workforce is a fundamental prerequisite to achieving all other elements of the Strategy.

The Australian Cyber Security Strategy lays out a clearly prioritised and funded plan to achieve Australia’s goals in cyberspace. It should be an excellent blueprint for any incoming government. Realising success will require equitable relationships between the public and private sectors; a robust, accountable implementation plan; a process of continual engagement; top-level leadership which is aware, engaged and equipped to make a difference; and a plan which has substantial financial support. With all those elements in place, Australia will be well-positioned to succeed both at home and abroad.