In April, the government released its first annual update on implementation of the 2016 Cyber Security Strategy. We provided our assessment of that report on The Strategist shortly afterwards, and yesterday we released our own evaluation of the progress made on improving Australia’s cybersecurity over the past 12 months. ICPC’s new report, Australia’s Cyber Security Strategy: Execution & Evolution, is the product of our consultation with private sector, academic and government stakeholders on the progress made towards the 83 outcomes listed in the Strategy. We also dug into the Budget figures to parse the true extent of government’s investment in new cybersecurity initiatives. While the progress made is a positive change, the work that remains is considerable, and greater speed and investment are required.
In the foreword to the government’s annual update, Prime Minister Malcolm Turnbull wrote that the 2016 Cyber Security Strategy has been a ‘catalyst for change’. The government has undisputedly been active, filling the leadership roles created by the Strategy, standing up the first joint cyber security centre in Brisbane, and supporting the growth of Australia’s cyber security industry. Those are clear signs that government is committed to following through with the Strategy. But we think there are several areas in which improvements could be made to assure the success of the Strategy, and achieve better cybersecurity outcomes for Australia.
Cybersecurity threats are evolving, and Australia’s approach to cybersecurity needs to evolve with them to remain effective. Adaptation of the Strategy should be driven by frequent assessment of the effectiveness of cybersecurity initiatives, and should build stronger relationships between the government, the private sector and research communities to identify new issues and appropriate responses as they emerge. Such a spiral policy development and implementation process would be better able to manage the complexity of cybersecurity issues, and could adapt to challenges that arise between major updates of policy settings. The government has already committed to annual updates, but those should also include annual and forward action plans, informed by quarterly and annual meetings between government and business leaders. The plans should be timebound and have measurable outcomes, supported by qualitative and quantitative research into the effectiveness of cybersecurity initiatives.
Annual plans would also improve the quality of communication between government and key implementation partners. That was noted as an issue during our consultation, and it requires concerted effort to ensure that stakeholders are well informed, particularly when there are delays. Established reports, such as the Australian Cyber Security Centre’s annual threat report, could become a quarterly publication. Regular updates on progress would help improve the quality of engagement between the government, key implementation partners in the private sector and the public. Open communication between implementation partners across government and the private sector is a fundamental building block of increased trust, which in turn will enhance the quality of delivery and cooperation on cybersecurity.
The government should also improve its communication with the Australian public. That shouldn’t be isolated to updates on the Strategy and improvements in cybersecurity outcomes. #Censusfail showed that a strong and coherent communications plan is critical during cyber incidents to reinforce public confidence. Similarly, incidents such as this month’s WannaCry global ransomware attack highlight the importance of mobilizing the population to protect themselves where possible… Taken together, those observations lead us to recommend that the government’s communications capacity on cybersecurity be beefed up. That’s particularly true for PM&C, if they’re to continue to be the government’s leading voice on cybersecurity.
Financial and human resources will be key to achieving the outstanding outcomes of the Cyber Security Strategy. The government announced a funding package of $233 million with the Strategy, which was provided in last year’s Budget. However, most of this wasn’t “new” funding, but rather money redirected from Defence’s budget allocation. New funding for the Strategy only kicks in noticeably in 2018–19, rising to $5.4 million from just $400,000 in 2017–18. However, aggregating Strategy funding with that from other related initiatives such as the National Innovation and Science Agenda paints a rosier picture, with new funding of nearly $500 million over four years to 2020. Most of that funding is directed towards supporting the growth of Australia’s cybersecurity industry and skilled personnel. That’s necessary to grow an ecosystem in which Australia has the talent and capability to secure itself against cyber threats. Unfortunately, other critical agencies such as PM&C, which are responsible for implementing key aspects of the Strategy, haven’t had their funding supplemented commensurately.
The 2016 Cyber Security Strategy was certainly a significant turning point for cybersecurity in Australia. The government’s efforts to implement the Strategy so far are laudable, but greater effort on communications and planning is required to fully engage the national partnership model for implementation it proposed, and more resources are needed to achieve the Strategy’s lofty objectives.