Making judgements about the state of cybersecurity isn’t easy. Much depends on the metrics we use to measure success and failure, where it’s all too easy to fall into the trap of doing things right rather than doing the right thing ^[1].

Asking ourselves whether we’re doing things right merely asks us to measure our progress down a prescribed path. Judgements about whether we’re doing the right things are harder to make. It’s entirely possible we’re not even on the right path, regardless of how far along it we’ve come. A word of warning: this is a fairly dense and difficult topic.

Cybersecurity—at its core—is cloaked in both technical and operational obscurantism. Operationally, an important chunk of what we might think of as cybersecurity’s bandwidth is about countering subversion, espionage and sabotage ^[2]—all activities where the defender must be just as adept as the attacker in the black arts of disinformation, hiding and diversion. Trying to measure whose artistry is blacker, when both sides are doing all they can to conceal their true capabilities, is a fool’s errand.

We might consult those in the actual business of cybersecurity, of course, to ask whether things are getting better or worse. But the business model of many in the industry, and even messaging by decision-makers, typically feed on fear, uncertainty and doubt.

Alternatively, we could interrogate manufacturers to examine whether enhanced security features are now the default attributes of their products. The answers would be mixed. Many newer applications originate in civilian offices and research facilities a long way from government. They may be found, often without differentiation, in the civilian, national security and military worlds.

Another option is to make some judgements about success and our own situation based on the health of that which we are seeking to protect. Let’s do that.

First, let’s look at the current apparent trends in the environment. There lies perhaps the strongest case that we are failing. The Australian Department of Home Affairs discussion paper ^[3] makes the case that the environment is increasingly threatening and that the costs of mitigating those threats are increasing—as do report ^[4] after report ^[5] from industry.

Plus, there’s an increasingly threatening geopolitical environment. Advanced persistent threat actors ^[6], driven by geopolitical interests, are progressively more brazen, targeting national security, commercial and personnel systems and data across a wide range of sectors, regions and activities. There are deepening concerns over supply chains ^[7], ‘insider threats ^[8]’ and the theft of intellectual property ^[9] developed in Western universities ^[10], research institutions ^[11] and companies ^[12].

Non-state actors are proving not merely resistant but more adept at exploiting the internet than nation-states. Child exploitation ^[13] is increasing. Successes against groups such as Islamic State ^[14] may prove ephemeral as they adapt. Ransomware is a tool of choice of criminal groups and pariah states, and is now directed at a wide range of industry sectors, from small and medium-sized businesses to local and state governments ^[15]. Once code is in the wild, anyone can use it, broadening the number of possible attackers and deepening their arsenals.

It’s not pretty and it’s fair to conclude that we are worse off.

It’s hard to assess expenditure on cybersecurity—after all, it’s often rolled into other programs ^[16] or comprises a series of disjointed activities. Australia ^[17] spent $238 million over four years on its 2016 cybersecurity strategy, with another $300–400 million allocated to Defence over 10 years.

The UK government assigned ^[18] £1.9 billion ($3.7 billion) to its 2016–21 cybersecurity strategy, while the US government is seeking ^[19] US$17.4 billion ($25.6 billion) for cybersecurity in 2020 alone. As the UK public accounts committee also noted ^[18], it’s often hard to see the value of such expenditure.

Cybersecurity must contend with threats and vulnerabilities that are often unknown, uncertain and exhibit non-linear behaviours. They may lie dormant for months, even years, or be constant and escalating. They may arise either from external actors or from internal issues that may be deeply technical (in code, logic or architecture) or simply social (practice, process, cultural).

Cybersecurity also feeds on technical debt ^[20], particularly the type that represents failure to maintain and update systems and ensure adequate support over time. Funding mechanisms typically favour new builds through capital funding rather than maintenance, patching and updates, support and skills development, all of which draw on operating expenditure.

That funding pattern invariably means that the newest, shiniest bit of kit gets the most attention—attention that in many instances may be better devoted to the legacy systems and processes within which the new piece of kit is nested. The result is the steady accretion of complexity, cost and vulnerability.

A good deal of cybersecurity is about doing the technology well. But that requires constant attention, adaptability, and a sound partnership with and knowledge of the business; good governance and culture; expertise and capability; and sufficient funding. And, of course, we are simply not as good as we think we are—or should be—at building, integrating or running highly complex, distributed and changeable technological systems.

External costs and inertia may be found in the modern legislative environment. Thickets of regulations impair flexibility, adaptiveness and capability. They tend to encourage compliance, focusing minds on ‘ticking boxes’, often with little effect on actual cybersecurity.

Given the costs and difficulties, notions that government should resolve other organisations’ cyber problems are likely to be short-lived: the complexity, costs, resources and assumption of liability required are simply too great.

It’s unrealistic to expect a government agency ^[21] to possess sufficient capability or awareness of an external organisation’s local systems or activities to protect it without risking damage to that organisation’s business. Imposing standardisation risks imposing additional costs and impairing adaptiveness, the ability to learn and overall resilience.

Within the older Western democracies—weakened by populism and sclerotic economies—it may be tempting simply to exert top-down control rather than undertake the difficult work of empowering individuals and building trusted communities. That temptation increases particularly as China strengthens its economic and technological prowess.

But restricting the ability of individuals and organisations to secure their interests and identity and control their own data does not simply undermine the cyber resilience of individuals, organisation and society. It also risks our credibility and our identity as a Western, liberal democracy.

Cybersecurity is just as challenging and contentious as other areas of security in our increasingly unsettled world—perhaps even more so, given its reach into our everyday lives.

It’s difficult to argue that here, too, we are doing things right, let alone doing the right thing.