Australia’s Cyber Security Strategy—one year on
18 Apr 2017

Friday marks 12 months since Prime Minister Malcolm Turnbull launched Australia’s Cyber Security Strategy—a welcome development after cyber issues spent seven years wandering in the Canberra wilderness searching for a policy. The Strategy has prompted positive changes in Australia’s approach to complex policy issues.

The Strategy committed government to an annual review of its progress, which we hope to see this week. In anticipation of the government’s own review, we’ve engaged with stakeholders across industry, academia and government to gauge perceptions of success and shortfalls in the delivery of the Strategy in its first year. Those discussions revealed a number of areas where expectations of improvement in cybersecurity haven’t been met.

But there have also been successes. A new cyber leadership team in the APS and the appointment of Dan Tehan as the Minister Assisting the Prime Minister on Cyber Security have had a constructive impact on public awareness and engagement on cyber security. The ASX100 health checks are an encouraging development in improving cybersecurity in the private sector, and the launch of the Joint Cyber Security Centre pilot in Brisbane is a clear sign of the commitment by both government and industry to deepen their cooperation to address cyber security threats.

Activities designed to develop Australia’s digital economy have also moved ahead at a steady clip. Government has boosted support for the domestic cyber start-up community through the Australian Cyber Security Growth Centre and international Austrade ‘landing pads’. Initiatives to attract, educate and diversify the cyber workforce to ensure the sustainability of Australia’s cyber industry are underway through the National Innovation and Science Agenda.

But the Strategy’s implementation has also faced its share of challenges and setbacks in areas of communication, success measurement and leading by example. Progress towards a national cyber partnership between the government and the private sector has been undermined by the ad hoc nature of government’s communications and insufficient expectation management with industry partners. The Strategy called on industry to take a stronger leadership role, but the division of responsibility between government and industry has never been clearly articulated.

The government’s failure to enact a communications strategy for both private sector partners and the public means there’s no coherent and comprehensive messaging on the timeline for implementing measures. This poor expectation management has led to a general feeling amongst stakeholders that implementation so far has been slow, giving rise to a lack of confidence in government’s commitment to actually implement the Strategy. This perception is not unknown to government and is likely to have prompted Minister Tehan’s media statements last month promising to speed up implementation.

Some of the Strategy’s outcomes are hard to assess because of their unquantifiable nature. In other instances, the lack of benchmark information makes it impossible to measure a relative change. And disappointingly, it seems that despite government rhetoric about the priority of cybersecurity, the financial resources afforded to implementing agencies simply don’t match the size and importance of the task. The government has met its commitment to $230 million for the Strategy, but most of this is reallocated or absorbed expenditure from the Defence budget. Other departments and agencies, including PM&C and DFAT, are expected to meet implementation costs from existing resources, which may contribute to the perceived slowness of Strategy implementation. We will be looking to next month’s Budget to see if the original funding is supplemented this year in response to the annual assessment of progress on the Strategy.

When reviewing the extensive action plan included in the Strategy, it’s government’s own progress that’s of most concern. The publicly available evidence suggests that federal government agencies are still deaf to the concerns about cybersecurity from their political masters and the experts at ASD. Indeed, a couple of notable incidents and reviews in 2016 should be seen as humbling indicators of the additional work that needs to be done to improve Australia’s cyber posture. A March 2017 ANAO audit of government departments revealed a sub-par standard of cybersecurity in key agencies, including the ATO and the Department of Immigration and Border Protection, which hold highly sensitive personal information on Australians. The infamous #censusfail also revealed a significant lack of cybersecurity knowledge in government, and the inconsistent messaging during and after the event signalled worrying dysfunction in incident response arrangements, as was later highlighted in government and Senate inquiries.

Overcoming these issues will be critical to achieving Australia’s cyber security goals, but that will require a robust assessment and, if necessary, a mea culpa from government in its review of implementation progress. Government can rightly claim success on some aspects of implementation, but the overall impression is that Australia’s cybersecurity posture is no stronger today than it was a year ago, and there’s increasing concern that the Strategy was a bumper-sticker solution to a critical national and economic security issue.