The update is well overdue. There are gaping holes requiring attention, several of which appear to be covered in the strategy. However, early responses suggest the strategy will be more about catching up with better global practice rather than positioning Australia out towards the front.
The pace of technology-driven change coming down the pipeline is so massive the most important yardstick of success for the strategy will be whether it can stand up the structures necessary to manage reaction to the impending tech revolutions: particularly artificial intelligence, autonomous vehicles, robotics and the internet of things.
As the US Director of National Intelligence noted to Congress in February:
'Technological innovation during the next few years will have an even more significant impact on our way of life. This innovation is central to our economic prosperity, but it will bring new security vulnerabilities. The Internet of Things will connect tens of billions of new physical devices that could be exploited. Artificial intelligence will enable computers to make autonomous decisions about data and physical systems – and potentially disrupt labor markets.'
In this regard, iTnews reports: 'the government intends to streamline its cyber security structures. At the moment, cyber capability and expertise exists in pieces across a myriad of agencies including the Department of Premier and Cabinet, the AGD, ASD and others.'
That's tentatively promising, but still sounds a ways off a joined-up national strategy, that incorporates critical elements like agreements with China to stop stealing Australian IP and accelerating international rules on peacetime cyber attacks. [fold]
Next in importance will be funding to get the strategy on the ground. The US upped its cyber security spend by US$5 billion to US$19 billion for 2017. News on funding when the strategy is released will be worth watching.
Beyond these issues, the strategy 'outlines five key areas: strengthening cyber defences, education, partnerships, research and development, and awareness, containing a total of around 19 specific initiatives.' It also emphasises the heavy reliance on the private sector 'which the government will lean on to help deliver the majority of its points of action.'
The focus on defences and raising awareness is especially important given the risk of attacks on critical infrastructure (as the NSA recently noted) and the huge cost to the Australian economy from stolen IP. The specifics here will be important. At present business is highly exposed to cyber attacks. There are numerous examples of attacks destroying individual companies, but even here business is not always aware of the threat. In other cases, a business might not assess IP theft as a high risk to its continued ability to operate (a law firm, for example, where it's not possible to simply replicate the expertise and training of its employees or where knowledge of Australian law won't be of much value in a foreign country), but cyber theft can still pose big financial risks to the wider economy (for example by exposing the confidential dealings of the law firm's clients to foreign state owned entities competing against these clients). The government has a responsibility to both make business aware of the threat and to correct any market failures where businesses' failure to act poses a threat to the wider economy.
The initiative is a good one, and the provision for annual reviews provides the much-needed room to continually adapt. Next stop should be development of an international cyber strategy that allows for systematic prosecution of Australia's many cyber interests abroad. And perhaps appointment of our first Minister for Cyber Affairs.
Photo courtesy of Australian Defence Image Library.