Pushing a new model for public–private cyber partnerships
29 Apr 2016

At the heart of the new Australian Cyber Security Strategy is a new paradigm for public–private engagement on cyber security. Business has been elevated from ‘partner’ to ‘co-leader’ in the new ‘National Cyber Partnership’ to jointly drive implementation of the Strategy. The Strategy quite rightly appreciates the criticality of engaging the combined skills, expertise and capabilities of the public and private sectors to manage cyber threats and reap the economic rewards of connectivity.

In the 2009 Cyber Security Strategy, the Government claimed leadership of national cyber security, noting that it was best placed to ‘identify the strategic threats and emerging challenges of Australia’s cyber security’. The 2016 Strategy has retreated from this hubristic statement and introduced new language that invites business to co-lead and co-design initiatives such as new voluntary standards, jointly operate new cyber threat sharing centres, and undertake combined cyber incident exercises. It reflects a more sophisticated approach to engaging the owners and operators of the majority of Australia’s cyber infrastructure.

The Government has already taken steps to enable digital growth, digital innovation and expansion of the national cyber security industry through initiatives such as the previously announced Cyber Security Growth Centres. This Strategy links with the National Innovation and Science Agenda by engaging the private and research sectors to design courses that produce work-ready graduates and attract more people to cyber security and related careers.

It’s been unclear to many on the outside looking in exactly who in Government they should be talking to, and when, about cyber security. The Strategy has sought to address this with the creation of two new leadership positions, the Minister Assisting the PM and the Special Advisor to the PM on Cyber Security. These positions will be critical for leading the successful implementation of the Strategy, and their ability and willingness to meaningfully engage with the private sector will be a significant factor in its eventual success or failure. The additional funding to the tune of $21.5 million over five years for CERT Australia is also a welcome boost to the important work CERT Australia does in engaging Australian business and critical infrastructure operators.

When the creation of the ACSC was announced in 2013, it was heralded as an opportunity to engage the private sector in government’s cyber security operations; however, its location in ASIO’s secure building was less than inspired. The announcement of the transfer of the ACSC to a new facility in Canberra promises to unlock its unmet potential for greater private sector interaction. The new cyber threat sharing centres in capital cities and the online cyber threat sharing portal should also assist in integrating public and private sector information. To be truly successful they will require government to provide meaningful, actionable information in a timely manner, and the private sector to also engage in a constructive exchange of information.

Other initiatives announced in the Strategy will also better enable the private sector to manage cyber threats and embrace opportunities for digital economic growth. Voluntary Cyber Security Governance ‘health checks’ for ASX 100 companies will seek to provide constructive organisational change and make cyber security a board-level issue. While small businesses received less focus than the top-end of town, they’ve received a small boost with promised funding for pen testing. That will not only encourage small businesses to be more resilient to cyber threats, but also help further develop the Australian cyber security industry. This industry offers significant export opportunities for Australia and the Strategy supports its growth in several ways—including the growth of a skilled workforce.

While the initiatives announced in the Strategy promise a new era of public–private partnership on cyber security in Australia, there are some old hurdles that must be overcome. Business has often lost interest in engaging with government, as the cost often appears to outweigh the benefits. Without clear articulation of government’s policy goals it’s hard for business to stay engaged in the often laborious processes that government imposes on itself. The success of the new Strategy and its promised new partnership with the private sector will rely on government clearly stating its policy intent and purpose, and sustaining engagement with the private sector now that the review process has concluded.

Embracing the private sector to share in decisions that shape the national approach to cyber security will create better overall outcomes for both sectors, and should also provide for better co-investment in cyber initiatives. The Strategy has opened the door to a new model for the public–private partnership to enhance Australia’s cyber security to reap the economic benefits that lie in wait in cyberspace. It’s now up to cross-sectoral leadership to deliver the goods.