My ASPI International Cyber Policy Centre (ICPC) colleagues have been quick off the mark in response to the Prime Minister’s recent announcement of the review into Australian Cyber Security. They warn against a ‘cautious audit of existing structures’ and recommending the development of an ‘outward-facing cyber strategy…that addresses how we as a country want to act in a non-traditional strategic environment beyond our own making’.
While there’s little in the way of detail beyond the initial media release as to how the review will be conducted, or its terms of reference, two areas of concern stand out. First, the term ‘practical’ used in the media release—‘the review team will look for practical ways to improve Australia’s security’—may overly restrict the review team’s work. And second, the team might unnecessarily narrow their focus to e-commerce alone.
An outward-facing cyber strategy must be the outcome sought from the review. The non-government sectors of the economy are looking for strong and consistent policy leadership from government—the review can’t be another low-risk activity that simply contributes to the status quo. Whilst acknowledging the earnest work undertaken by the folk at Australian Signals Directorate and the Australian Cyber Security Centre, to date more importance appears to have been placed on inward-looking government policy co-ordination rather than the need to build a robust national cyber capability.
The development of a national cyber posture, which is both robust and agile, is a task of growing urgency for government. But as the composition of the review team acknowledges, government can’t achieve it alone.
The government’s role is to provide the necessary strategy and an unambiguous governance structure, within which the other actors in the non-government sector are empowered, encouraged, or if necessary compelled, to contribute effectively.
As ASPI has recommended in other places, there’s a pressing need for a Cyber White Paper that sets out the national strategy for cyber. The first conclusion of the current review should be to deem the current Australian cyber-security strategy inadequate and recommend the development of a White Paper with a clear timeline and accountabilities for its production.
While a governance structure would seem on the surface to be fairly straightforward, it has proven a particularly problematic topic for previous policy documents. Notwithstanding the apparent difficulty, there are two broad areas requiring attention and action. The first task is whole-of-government policy co-ordination; I’ll leave it to others to explore that particular challenge but at its core is the need for a clear and consistent government policy lead.
The second task and the one I’ll focus on here is how to draw effectively on the expertise of the private sector and the emerging inter-disciplinary research community. The ICPC here at ASPI, the UNSW’s Australian Centre for Cyber Security and Edith Cowan University’s Security Research Institute are all examples of the latter, and demonstrate a concerted attempt from outside government to collaborate with both the government and the non-government sectors in an attempt to enrich the policy and technical discussion around cyber matters.
Those organisations have an important part to play. They bring new ideas to the table. And they’ll be key to growing the policy and technical skills that will underpin the sustained development of Australia’s cyber capabilities.
Effective collaboration with industry will be more challenging. The Attorney General’s Department has been seeking the views of industry over the last 12 months—in what’s been a one-sided activity. One would hope that’s not the engagement model embraced by the review team.
Australia has world-class banks, the largest mining companies in the world and a vibrant technology sector. The views, knowledge and experience of those and other sectors of the economy need to be heard by government both at a board level and at a CERT or operational level. Regular board-level engagement should be led by the PM to reinforce the national importance of the issue. The technical level needs to address true collaboration not just a loose or voluntary sharing arrangement, it should be more assertive than previous policy papers have been.
Moreover, issues such as mandatory reporting—supported, if necessary, by regulation—need to be considered. CERT and operational interoperability which enables the real-time exchange of information beyond a voluntary regime would not only be a good start, it would also be an important enabler of a truly robust, agile and interconnected national cyber response capability.
Six months isn’t much time—but the expectations of the review’s outcomes will grow rapidly during that period. Let’s hope we’re not disappointed.
Michael Clifford is a senior fellow at ASPI. Image courtesy of Flickr Pacific Northwest National Laboratory.