Today ASPI has released a Strategic Insight on President Obama’s cybersecurity executive order. The report breaks down the challenges, criticisms, and successes of the effort to date, before offering clear lessons from the US experience that can be applied to the Australian context. Here’s the executive summary:
On 12 February 2014, the US National Institute of Standards and Technology (NIST) released the Framework for Improving Critical Infrastructure Cybersecurity, the flagship accomplishment of the Obama administration’s 2013 cybersecurity Executive Order. Just weeks before the White House announced the order, the then Australian Prime Minister Julia Gillard made an equally exciting declaration introducing the Australian Cyber Security Centre (ACSC). One year on, the contrast between the two efforts is stark.
Facing years of congressional inaction on cyber issues, President Obama chose to take executive action on this critical national security issue. Executive Order 13636 set in motion a range of cross-governmental efforts to drive improvements to America’s critical infrastructure cybersecurity, with an emphasis on public–private partnerships.
Although legislative malaise continues to mar progress, the US administration’s cyber efforts are effective in laying out clear milestones and definitive timeframes to keep the gears of government moving and to measure progress. With the launch of the NIST framework, the merits of the effort will face further scrutiny. But efforts to harmonise priorities across the US Government and the commitment to engaging the private sector will ensure that the US has, at the very least, taken a significant first step forward in critical infrastructure cybersecurity.
Similarly, the ACSC offers Australia a promising road forward to improve public–private partnerships in cyberspace. However, with the ‘Coming soon!’ sign gathering dust and cyber efforts retreating behind the veil of government, Canberra needs to recommit to cyberspace.
The US and Australia have common interests in developing a robust partnership between the government and private sector to develop whole-of-system cybersecurity. The Obama administration’s efforts, while far from perfect, offer critical lessons that the Australian Government can adopt and adapt to improve system-wide cybersecurity and ensure that the ACSC is a successful endeavour. To move beyond political optics, the ACSC must embrace existing best practices, commit to meaningful public–private partnerships, and set a pragmatic forward strategy.
In any truly two-way dialogue on cybersecurity, the private sector must be an equal participant. Efforts to streamline security clearances for critical private-sector actors, a dedicated public–private secondment scheme, industry protections, and a collaborative standards process with clear incentives are needed to ensure that public–private partnerships transcend simple lip service. In a sector as dynamic as cybersecurity, it’s essential that efforts are underscored by flexibility and resilience and that the private sector is meaningfully engaged in the conversation rather than dictated to.
At the same time, the government must hold itself to higher standards. A clear roadmap for whole-of-government cybersecurity policy is needed to provide direction and offer markers by which to measure success. Coordinating this effort will require that ownership of the policy area is reaffirmed, but also that power remains devolved to the most effective departments and agencies. Fixed deadlines and clearer leadership and coordination will not only improve intragovernmental efforts on cybersecurity, but also provide clarity for the private sector, improving confidence and collaboration.
The ACSC offers the Australian Government a real opportunity not only to demonstrate that it takes cybersecurity seriously, but also to take practical steps to improve whole-of-system cooperation and security. It’s up to the current government to be responsible stewards of this effort and transform the ACSC into a truly effective mechanism for intragovernmental and public–private cooperation and collaboration on cyber issues. To do this, the Abbott government should channel the pragmatic steps outlined in the US Executive Order, pre-empt its weaknesses in privacy and liability protection, and put some weight behind the claim that Australia is indeed a regional cyberpower.