Shields beyond the horizon: landing Australia’s 2023 cybersecurity strategy
18 Oct 2023|

Australia’s new cybersecurity strategy is all but released. Home Affairs Minister Clare O’Neil and National Cyber Security Coordinator Darren Goldie have familiarised the government and industry with the strategy’s six ‘cyber shields’ and timeline of two-year ‘horizons’ out to 2030.

The six shields remix the 2009 strategy’s seven ‘strategic priorities’, the 2016 strategy’s five ‘themes’ and 2020’s 16 ‘key themes’. That’s not a bad thing. Over these four iterations, Australia has avoided pigeonholing cybersecurity as only a national security issue and correctly characterised it as a whole-of-nation problem that needs multistakeholder solutions.

Strategies are hard to write, but they’re even harder to land. Cyber is a contested space—every person and their dog have opinions about what should and shouldn’t be included. The process of developing a coherent and actionable strategy thus becomes one of cruel prioritisation—not only excluding things from the strategy’s scope, but making hard, clear decisions on where the government’s responsibility starts and ends. This makes O’Neil’s push to have the new strategy ready for release less than a year after its announcement all the more impressive.

Once the strategy is released, the real work begins. A good strategy has actions and an implementation plan. The next step is real-world scoping, resourcing and scheduling of those actions. It’s one thing to say that agency X will deliver action Y by year Z. It’s another to put people to work and make it happen. The new strategy needs make a soft landing and keep momentum across the vagaries of agency restructures and future governments.

To steer and propel the strategy after its release, O’Neil and Goldie should focus on three communication themes: merge, maintain and modify.

First, communications around the strategy should merge cyber’s national security importance with a compelling vision that speaks to the average Australian. Cybersecurity is a whole-of-nation effort. The strategy should seek to recruit all Australians into this conversation.

Any national cybersecurity strategy must have defence and national security at its core. But outside the Canberra bubble, these ideas tend to be unfamiliar and irrelevant. In a recent survey of Australians by market research firm Ipsos, defence ranked 17th among the 19 top issues, falling from its average of 14th place over the past 12 years. Surveys by universities and a polling company support that finding.

This isn’t about the government seeking the community’s social licence to manage aspects of cybersecurity. It’s about our ability to improve cybersecurity depending in large part on the community’s informed participation. Everyone has a phone in their pocket, everyone has data, everyone has a role to play in cybersecurity. Communications around the strategy should avoid selling cyber as only a national security issue and instead illustrate a concept that’s more familiar and positive.

The concept of public health gives Australians a recognisable and compelling vision for cybersecurity. The public health metaphor has hovered for years around the edges of cybersecurity discourse. It’s time to centre it. Like health, cyber is a problem we can’t entirely solve, only manage. And like with health, there’s a whole-of-nation system paired with personal accountability. Communicating Australia’s cybersecurity strategy through a public health lens will help explain roles, responsibilities and structures.

Second, O’Neil and Goldie should focus on how they will maintain the strategy through shifting governments, agencies and budgets. Cybersecurity strategy in Australia has been plagued by short‑term thinking, fluctuating policy, on-and-off official positions and reactionary regulatory regimes. The 2023 strategy’s three horizons over seven years are a welcome early peek at a structured, long‑term view.

Undoubtedly, the strategy will be supported by the ongoing funding of $9.9 billion over 10 years for the Australian Signals Directorate’s REDSPICE program announced in 2022. That alone gives some certainty. But public assessment and communication of how well the government is using this funding will further boost its effectiveness. In other words, regular evaluation will help the government maintain the new strategy.

Evaluation builds transparency, keeps the conversation alive and adds to the evidence base that supports better cyber policy and strategy. The 2016 strategy had one public evaluation with its first (and only) annual update. The 2020 strategy did better, with its industry advisory committee releasing annual reports in 2021 and 2022 that evaluated progress on the 19 actions. These were excellent products. They delivered much-needed specifics—such as metrics and accountabilities for actions—and held the government to account.

The 2023 strategy should reproduce a similar arrangement for annual reviews and add major strategy updates in 2026 and 2029 at the dawns of horizons two and three. However, evaluation should be on more than just how well it is implementing its actions. It should also be clear about how well the actions improve our cybersecurity. While that may be technically difficult and politically fraught, it is essential to understanding whether the new strategy has put us on the right path.

This brings us to the third communication theme. O’Neil and Goldie should state publicly that they will modify the strategy when necessary. The 2023 strategy should be able to maintain a steady strategic focus and be able to react to changes in the technology and security environments.

Seven years is a long time in cyber. Accelerating technologies such as artificial intelligence, ambient computing and brain–computer interfaces will radically shift the meaning of cybersecurity over the strategy’s three horizons. Like the concept of public health, cybersecurity is a broad, complex concept in constant flux. The strategy should look to include new concepts and actions that help us get better outcomes, while keeping cruel prioritisation front of mind. Scope creep is the enemy. The government cannot and should not be at the centre of every cybersecurity issue.

In many ways, the 2023 strategy finds itself with the easiest job of the four national cyber strategies Australia has developed over the past 14 years. Yes, cyber threats are more dangerous, technology more pervasive, personal data more vulnerable and the strategic environment more turbulent. But over those 14 years, cybersecurity has become a mainstream political issue. Our cyber policies and organisational architecture have matured. And REDSPICE funding will fuel ongoing cyber capability growth. Careful narrative building and implementation vigilance will help ensure we don’t miss the opportunity this presents.