It’s time to reboot Australia’s cybersecurity strategy

Australia’s 2020 cybersecurity strategy needs the input of all Australians—from individuals to academia, business, community associations and regulators. The government has issued a discussion paper calling for views, asking Australians to contribute to shaping Australia’s future and making our 2020 strategy world-leading. The closing date for submissions is 1 November 2019.

It’s time for a reboot and time to bring everyone into the discussion.

Cybersecurity is a concept that’s not well understood. Frequently it gets tangled up with buzzwords like artificial intelligence and blockchain. More often than not, it’s seen as a scary realm with intangible consequences. So, while everyone has heard of data breaches (and the millions of victims of some of those breaches), many people struggle to work out what the actual loss is.

Consumers aren’t alone in that. Australia’s courts don’t recognise damages like anxiety and emotional harm that may come with identity theft or romance scams. Those losses are very real.

In the business world, the picture in the boardroom (in 2017 at least) appears patchy. Only 45% of companies who responded to the ASX 100 cyber health check survey said that they were confident or very confident in their ability to detect, respond to and manage a cyber intrusion. That statistic suggests that a majority of companies are feeling overwhelmed and underprepared.

All the while, many assert that the government should do more. Yet, when pressed, they often can’t define what it is the government should actually be doing.

Government action in the cybersecurity sphere, in a public sense, is often described as having an effective strategy coupled with legislative and regulatory settings that are favourable to innovation and unlocking all that this connected world brings—while ensuring there are serious consequences for those who fail to keep our personal data safe.

Cybersecurity awareness for every single Australian is a tough sell. The risk is intangible, cybersecurity insurance is offered as some sort of magical solution, and we have legislation that appears to include fines that have never been imposed in relation to recent breaches.

For the average person, it’s easier to just switch off. ‘Quiet Australians’ are used to getting on with the job and prefer not to be drawn into things that are overly contested or seen as niche issues.

However, we all have a vested interest in getting cybersecurity settings right—from protecting our personal information, to thinking about what kinds of jobs will be around in 2025, to ensuring the integrity and safety of critical infrastructure.

In April 2016, the government released a cybersecurity strategy covering the period to 2020. It was ambitious and tried to tackle many of the big-ticket items you would expect from government. It spanned everything from government partnerships with industry and academia, to better preparedness of our networks and systems to detect and respond to cyberattacks, and (of course) growth and innovation.

It also set the goal of raising the cybersecurity awareness of every Australian. In my experience, that is truly a massive undertaking.

In 2019, the government has rightly recognised that it’s time for a cybersecurity strategy ‘reboot’. The discussion paper released in September is a forward-looking document that’s about ensuring Australia is well positioned for the future.

The language is inclusive and invites views on a wide range of questions. Home Affairs Minister Peter Dutton, whose portfolio includes cybersecurity, writes in the foreword, ‘I encourage all Australians to have a say in this discussion paper—from small businesses to large corporations, tech experts to interested individuals.’

Cybersecurity impacts us all—from the personal data we’re required to share in order to obtain services, to the critical infrastructure that we rely on every day to go about our lives and the companies that use and store our data when they don’t always need to.

Strong cybersecurity must be seen as a mandatory part of doing business, irrespective of whether that business is conducted by a government department, a university or a small company.

We should all have a view on cybersecurity. After all, this is about our data and the security of the systems and everyday connected things that we rely on. It’s also about our future, about calling boardrooms to account, and about realising our shared ambition to make Australia the safest place to do business online.

It is time for quiet Australians to find their voices.