Australia: the coming cyber review and beyond

Make no little [cyber] plans. They have no magic to stir men’s blood and probably will not themselves be realized.

This morning at the much-anticipated opening of the Australian Cyber Security Centre (ACSC), Prime Minister Tony Abbott announced a review into Australian cybersecurity. The review is intended to assess Australia’s current cybersecurity arrangements relating to the security of government information and communications in addition to the security of businesses and individuals.

The fact that the Prime Minister is giving the issue such direct attention is certainly encouraging. When coupled with the ramp-up to the ACSC launch and the Australian Cybercrime Online Reporting Network (ACORN) roll-out yesterday it shows that there’s significant momentum on cyber issues in Canberra.

Also promising is that the review will look at how to expand interaction with the private sector and draw on the expertise of an independent external panel. Top-level support and stakeholder engagement are the hallmarks of a solid policy process, which has been disjointed in the five year gap since the last Australian Cyber Security Strategy.

While the fundamentals of the 2009 strategy remain strong, it spoke glowingly of a newly-launched CERT Australia and Cyber Security Operations Centre, both now established mainstays, and the freshly minted NBN Co. It was published during the first Rudd Ministry at a time when responsibility for cyber security policy coordination still lay with the Attorney-General’s Department, and cyber security thinking remained largely domestically focused. The rapid spread and development of technology, the growing international internet governance debate, and the evolution in online threats make it imperative that the earlier document be updated.

Taking stock of Australia’s current positioning is an important first step on any journey of policy progression. But we shouldn’t stop there. A strategic-level document provides clarity and coherence on Australian government cyber security positions, both to domestic and international audiences. Unfortunately, this morning the Prime Minister didn’t offer a comprehensive roadmap forward. As a review, the process is likely to focus on pre-existing policies, more closely resembling a cautious audit of existing structures than a forward looking strategy.

Australia needs to elevate the discussion beyond an inward-facing review and into a whole-of-government, outward-facing cyber strategy—one that addresses how we as a country want to act in a non-traditional strategic environment beyond our own making. We need a document that’ll answer the critical questions of what we want our cyber environment to look like and how we as a nation will achieve those ends.

The launch of the ACSC represents an attempt to bring together disparate government cyber security capabilities under one roof. The aim is to improve technical coordination across departments and enhance much-needed cooperation with the private sector. Such an effort deserves a holistic policy strategy to match.

With all that said, carrying out a comprehensive review won’t be without benefit. Any movement towards clarifying the often confusing maze that is the government’s cyber organisational structure will be beneficial. So too will any additional funding that results for the resource-strapped cyber policy community. But the review must be careful to avoid window-dressing that could have a detrimental impact. Shuffling departmental responsibilities and staff in the past has resulted in a loss of institutional cyber knowledge and expertise, which is in short supply. The temptation to pursue cyber policy colonisation and issue stove-piping as opposed to effective whole-of-government coordination must be avoided.

The last attempt at an Australian cyber security white paper was in 2013. That paper was demoted to ‘an update to the digital economy strategy’ and the Department of Broadband, Communications and the Digital Economy was left holding the bag. Given that history, a review offers a ‘safe’, yet prudent first option for the government to pursue. But Australia needs more than a review to keep pace with its 5-eye partners and as the Prime Minister said, to stay a step ahead of our adversaries.

Jessica Woodall and Klée Aiken are analysts in ASPI’s International Cyber Policy Centre.