Australia’s 2020 cybersecurity strategy: defining the mission

Three summers ago, I was walking with my husband along a South Coast beach when we noticed a woman diving into the surf with her two teenage children. From where we stood, it was obvious they were heading straight into a rip. They were 500 metres from the flags. Close enough to have walked there with ease. But far enough away to drown before help arrived.

The mother managed to keep her feet and grab her daughter. However, her son was carried away from the beach, so she followed him into the water. To my horror, my husband ran across the beach and followed them in.

I stood and watched as all three were swiftly washed away from the shore. Luckily, the boy and his mother could both swim, but they were fighting against the current. My husband was calling for them to swing across the beach and out of the rip. Fortunately they did, so this story has a happy ending. Everyone survived, but it could have ended in tragedy.

As they emerged from the surf, I pointed down the beach and roared at the mother in white-hot rage. ‘Swim between the flags’, I yelled. ‘My husband could have drowned trying to save you and your children because you chose to ignore this warning.’

Australians know the surf as their playground. It is a source of tremendous enjoyment. But bitter experience has taught us it can also be deadly. Which is why we’ve developed a unique national mission where volunteers band together around the country to patrol the beaches and keep us safe.

If you swim between the flags in Australia, the chances you will drown are remote. Test the waters outside the flags and the risk of drowning rises exponentially.

We need to have the same attitude to cybersecurity. We need to develop the same culture of risk management and resilience we impose on the beach. And that begins with defining our national mission.

Since 2016, there’s been a lot of activity on the cybersecurity front in Australia. Loads of strategies, policies, advisory groups, action plans, frameworks, dialogues, agreements, workshops and delegations. But I still don’t get the sense that we’re all pulling together towards a common goal. Because that common goal, and the values and principles underpinning it, hasn’t been defined.

So, the starting point for the next strategy needs to be a clear and collectively developed articulation of what we’re trying to preserve and protect in cybersecurity, who is responsible for what, and what cyber resilience looks like.

It has to be a unique national mission that will focus the efforts of the nation; guide cybersecurity priorities in policy, standards, legislation, education, training, research, innovation, sovereign capability, and private-sector and public-sector engagement and investment; and embed a cyber-resilient culture in Australia.

We then need to mobilise and empower Australians, particularly individuals and small businesses, to get on board and play their part through an education and awareness campaign modelled on the success of ‘Slip, Slop, Slap’.

The campaign would be a call to action to work together to build a ‘herd immunity’ in cyber resilience by giving Australians the confidence and tools to understand and manage cyber risks. It would aim to encourage Australians to manage their cybersecurity in the same way they manage the physical security of their home or car—to protect not just themselves, but the nation.

The campaign would also provide an overarching frame for the separate efforts currently being conducted by state, territory and local governments and industry, and should be led by the Australian Cyber Security Centre.

The next version of the strategy also needs to get the government’s own house in order, as a matter of urgency.

Multiple Australian National Audit Office cyber resilience reports over many years have found that just 29% of audited government agencies comply with mandatory cybersecurity standards—even after the Bureau of Meteorology, Department of Parliamentary Services, Australian Bureau of Statistics and Australian National University incidents.

At a time when significant data breaches and cyberattacks are an almost daily occurrence, this is simply unacceptable. These are agencies that hold sensitive and personal data on every Australian and information ‘across a range of economic, commercial, policy or regulatory, national security, program and service delivery and corporate activities.’

Government entities must be the ‘exemplar’ by which others in the community measure themselves. The Joint Committee on Public Accounts and Audit’s recommendations of 2017 should be fully implemented now, particularly mandating:

  • that every government entity must comply with cyber resilience standards and the Internet Gateway Reduction Program and must complete the annual Australian Signals Directorate cybersecurity survey
  • annual reporting on the Commonwealth’s cybersecurity posture to the parliament.

The 2020 strategy should also:

  • include compliance with cyber resilience standards in the performance agreements of entity heads, with hard and fast deadlines
  • mandate the appointment of chief information security officers in every government entity and university
  • require training on cybersecurity hygiene for parliamentarians and their staff and volunteers and appoint dedicated cybersecurity officers in electorate offices, along the lines of the first-aid officer or fire warden
  • include electoral systems in our critical resilience infrastructure strategy
  • introduce a data management strategy
  • make it a contractual requirement for suppliers to government entities and critical infrastructure, especially in the national security sector, to meet a specified cyber hygiene standard
  • review the maturity of the cyber insurance market and assess the suitability of cyber insurance as a mandatory requirement for contracting to government agencies, in line with existing requirements for public liability and professional indemnity insurance
  • ensure the Australian Cyber Security Centre provides guidance on, and continuously vets and reports on, technologies being installed in government entities
  • establish a Council of Australian Governments cybersecurity subcommittee.

As more and more government services move online, the Australian people are entitled to know their information is being managed and stored according to best-practice standards and processes.

Australians also deserve to know how their hard-earned taxes are being used on our cybersecurity response.

The 2016 strategy was big on ‘priority actions’, motherhood statements and broad aspirations, but short on detailed, tangible objectives. This accountability and transparency void has made it difficult to assess what results have been achieved and delivered—despite the glowing progress report in the discussion paper—and resulted in duplication and mission creep across some parts of the cybersecurity sector.

The 2020 strategy should therefore include:

  • robust and meaningful key performance indicators for every sector, guided by the national mission
  • measurable targets, grounded in research and written in plain English
  • concrete deadlines with clear milestones, so we can see our return on investment, or not.

The review gives us the chance to take a cold hard look at what has worked, and what hasn’t, since 2016. We should make the most of the time to reflect. Because, like the sea that surrounds our nation, the connected world is at once a place of opportunity and threat.

We can all enjoy the benefits if we know how to mitigate the risks. But right now too many Australians are walking wide-eyed into a rip.