After nearly four years, the new government has reinstalled a dedicated minister for cybersecurity. Clare O’Neil will hold the reins, as well as running the (now slightly shrunk) mega-portfolio of Home Affairs.
During the period cybersecurity has been without a dedicated minister, the cyber challenge has further exploded.
Getting departments, businesses, civil society and individuals to patch their computers and adopt basic protections is only the simplest aspect of cybersecurity (and it’s not that simple, as every secretary will no doubt inform the minister).
Cybersecurity has become a massive, cross-cutting portfolio. There is the policy arm in Home Affairs; there are the operational arms that encompass the Australian Signals Directorate (and the Australian Cyber Security Centre), the Australian Federal Police and AUSTRAC; and there is the international dimension that brings in the Department of Foreign Affairs and Trade.
The areas of focus are also broad—take the theft of intellectual property. A decade ago, a US commission estimated annual losses from IP theft at more than US$300 billion, and agreed with the then National Security Agency director that it constituted ‘the greatest transfer of wealth in history’.
But the cybersecurity portfolio goes well beyond IP theft. It encompasses the protection of infrastructure and defending against espionage. It increasingly involves the information space including aspects of election interference, foreign interference, disinformation and hybrid threats. It will require protecting critical space assets.
And all of this will require skilled immigration and a training uplift to facilitate what is effectively the birth of a whole new industry.
There is also an important international relations dimension to cybersecurity. Australia must work to drive norms in international forums, build capacity to respond to these threats in our region, and work with like-minded countries to respond to cyber criminals.
This latter function will require bringing DFAT, the AFP, ASD, AUSTRAC, state police and industry together, alongside their international counterparts, to aggressively tackle the problem. As any victim of cybercrime will tell you, it’s a process that has barely begun.
To add to the list, new technologies will present new cyber risks. Technologies like 5G will connect much of what we own to the internet, creating potentially diabolical cybersecurity risks, while automation and artificial intelligence will also open up new challenges, requiring a new generation of defensive measures.
So, what can the new minister do to address these challenges?
The first priority should be the talent pipeline. Here, there are only two options: training more people and increasing skilled migration. O’Neil should use both. Migrants should be encouraged to come to Australia and a serious training effort should be commenced, including restoring STEM (science, technology, engineering and mathematics) teaching in schools.
To date, ASD has performed a critical but unsung national service in training Australia’s top cybersecurity experts. Our policy settings should empower it to fully embrace this role—options could include appointing a dedicated executive to oversee training of cyber experts at scale, looking beyond ASD, and at how the agency can support nationwide efforts.
Second, we must measure impact. For example: has mandatory data breach reporting helped the health sector protect sensitive data? How large is the ransomware problem, and by how much have we reduced it through recent initiatives?
A third focus should be on the cyber dimensions of AUKUS. The trilateral pact goes much further than defence, as then prime minister Scott Morrison made clear at its inception.
One big initiative the cybersecurity minister could champion is mutual recognition of security assessments like IRAP (Infosec Registered Assessors Program) across AUKUS countries, so that companies that pass security assessments here can instantly sell into US and UK markets. The minister could also focus AUKUS on (what should be) low-hanging fruit, such as agreements on the next stages of 5G and 6G.
Fourth, the minister should marshal all relevant instruments of international power (DFAT, the AFP, AUSTRAC, ASD and ASIO) to counter malicious cyber actors. We should aggressively track down cybercriminals and put pressure on financial entities and governments that allow them to operate. This pressure includes increased transparency of malicious and harmful activities, which would require an increased willingness to use public attribution and cyber-related sanctions.
Fifth, while Home Affairs should lead on cyber policy and ASD on operations, the minister should also join with Foreign Minister Penny Wong to ensure any increase in foreign aid includes significant resources for cyber and technology capacity building in the region—a dual benefit for the economies and resilience of our regional partners, as well as our own security.
Sixth, with authoritarian regimes ramping up digital transnational repression (targeting, for example, women), the government must set itself up to tackle the challenges of cyber-enabled foreign interference.
This issue spans many areas in addition to cybersecurity, but the outcome is the same—government and social media platforms can’t continue passing the buck when our public discourse is covertly shaped or hijacked by actors overseas, or when citizens, organisations and diaspora communities are threatened and silenced by foreign governments. The new minister should prioritise this policy issue.
Finally, O’Neil should be building a focus on technology. While the portfolio is titled ‘cyber security’, it should really be ‘cyber and technology’. The minister will need to drive security policy across emerging and critical technologies, and this will consume more of her time every year she’s in the job.