'[update wording against latest status at time of publishing'. This typo in Australia’s first Cyber Security Strategy since 2009 is not only a pointer to a hurried release. It speaks to the fact that this is very much an iterative work in progress. There’s good stuff in the strategy, but a lot will come down to the implementation.
In my earlier post I argued the yardstick of the strategy’s success would be whether it can stand up the structures necessary to manage reaction to the impending tech revolutions.
The verdict after release? Solid progress. Getting to where we need to be is probably a step function, and this strategy gets us closer. It raises the profile of the issue to the top of government with the prime minister to host annual cyber security meetings with leaders from business and the research community. That should allow the government to pivot and beef up its approach as the impact of the next wave of tech revolutions becomes apparent. The strategy proposes the appointment of a minister assisting the prime minister on cyber security (hopefully) paving the way for a minister for cyber affairs further down the track who would be able to drive a whole-of-government approach to the full spectrum of cyber issues (not just security). Internationally, it proposes the appointment of a much-needed cyber ambassador to engage on neglected issues critical to Australia’s economic and security future and, if the appointee is good, formulation of a cyber foreign policy.
At an operational level, moving the Australian Cyber Security Centre outside the strict confines of government has the potential to lead to stronger collaboration with business and the research community. Particularly appealing are proposals for a 'layered' approach to cyber threat sharing, with more sensitive information on threats being exchanged with business. Other proposals to harden business defences will depend on implementation. The idea of voluntary business health checks and awareness raising should help. But a heavier hand may be needed to get cyber issues pushed up to the board level and force laggard companies to act when they threaten others.
At a government level, there are solid efforts to strengthen defences, including 'a rolling programme of independent assessments of Government agencies’ implementation of the Australian Signals Directorate’s Strategies to Mitigate Targeted Cyber Intrusions'. After the debacle at the Office of Personnel Management in the US, there is ample evidence this issue needs to be taken extremely seriously. And as the strategy admirably acknowledges, an audit of seven Australian government agencies found 'most fell well short'.
At a policy level, the Strategy is fairly light on guidance, but there are some useful pointers scattered throughout. The prospective cyber ambassador is told we 'champion an open, free and secure internet'. There is also a clear warning to China in the Prime Minister’s foreword: 'states should not knowingly conduct or support cyber-enabled intellectual property theft for commercial advantage.'
Proposals to sponsor research on the cost of cyber crime may sound squidgy until you read (on page 15) about the lack of baseline knowledge: the Strategy’s variations in estimates range from $1 billion to $17 billion.
The section on commercialisation got bogged down in bureaucratese in places: '[The Cyber Security Growth Centre] will provide the national mechanism for cross-sector collaboration and investment in nationally-significant cyber security infrastructure and frameworks that are not singly commercially-viable.' But as with much in this worthwhile strategy, a lot will depend on implementation and constant adjustment.
Photo: Gavin Roberts/Getty Images