{"id":31524,"date":"2017-04-27T10:30:33","date_gmt":"2017-04-27T00:30:33","guid":{"rendered":"https:\/\/www.aspistrategist.ru\/?p=31524"},"modified":"2017-04-27T10:25:42","modified_gmt":"2017-04-27T00:25:42","slug":"2016-cyber-security-strategy-perils-self-assessment","status":"publish","type":"post","link":"https:\/\/www.aspistrategist.ru\/2016-cyber-security-strategy-perils-self-assessment\/","title":{"rendered":"2016 Cyber Security Strategy: the perils of self-assessment"},"content":{"rendered":"
Last week the Australian Government released its First Annual Update on the implementation of its 2016 Cyber Security Strategy. The government’s much anticipated self-assessment contains some useful elements, but also suffers some significant shortcomings.

Cybersecurity is a constantly evolving challenge, and as such, government policy needs to be iterative and responsive. This first update is a positive step towards that goal, taking stock of domestic and international developments that have influenced the cybersecurity landscape in the last twelve months, such as the Australian Red Cross Blood Service data breach and Russian attempts to influence the outcome of the 2016 US Presidential election.

The update outlines the activities aimed at realising the five key goals of the Strategy: a national cyber partnership, strong cyber defences, global responsibility and influence, growth and innovation, and a cyber smart nation. The most notable feathers in the government’s hat include the appointment of new cyber leadership positions, the launch of the Joint Cyber Security Centre pilot in Brisbane, the ASX100 cyber health checks and the establishment of the Australian Cyber Security Growth Centre. The update also covers developments outside the bounds of the Strategy initiatives, such as the Prime Minister’s declaration in November 2016 that Australia’s offensive cyber capabilities were being used in support of Australian Defence Force operations against Islamic State.

The government has identified a few areas in which it intends to make improvements. It commits to publishing a ‘view of the cyber security ecosystem’ to overcome structural ambiguity within government and to ‘mature its communication channels’ to address the paucity of regular public updates.

The update identifies key priorities for the coming year. It describes cybercrime as one of the ‘most visible and damaging’ threats to Australia’s online society and flags the intention to release an update of the 2013 National Plan to Combat Cybercrime. Small business will be the recipient of greater attention, with industry consultation underway to develop a ‘targeted approach’. Lastly, there are plans to improve coordination between the federal, state and territory governments and the private sector to make Australia’s critical national infrastructure cyber secure. The update confirms that the new Critical Infrastructure Centre within the Attorney-General’s Department, along with the Australian Cyber Security Centre, will lead this effort.

Unfortunately, the update is almost devoid of self-assessment, and its approach to the review process is flawed. The report is artfully forgiving, mentioning the Australian National Audit Office cybersecurity reviews of departments but omitting any reference to the audit’s worrying revelations. And it relies heavily on hypothetical victories. For example, the Deloitte study it refers to when predicting an uptick in investment, wages and jobs in the Australian cyber industry by 2030 is actually based on a ‘shift in thinking around cyber security’ and ‘if Australia invests further in cyber security’. It’s not a prediction based on the current trajectory.

The table of progress towards action implementation is where the government’s reticence to hand out ‘C minuses’ really stands out. The awkward absence of a status to denote any kind of under-performance amongst the options of ‘progress’, ‘strong progress’ or ‘completed’ is disappointing. A lack of progress on several actions is explained as ‘not scheduled to have commenced’, accompanied by the opaque comment that ‘work will commence’ on actions to ‘develop guidance for Government agencies to consistently manage supply chain security risks for ICT equipment and services’. Without any further information, that looks like an attempt to dodge criticism and avoid future accountability. The general lack of transparency around strategy delivery timelines that plagued the past 12 months has carried into the first annual assessment. The absence of timelines leaves the government room to mask underperformance and means that promises to ‘accelerate’ or deliver initiatives ‘ahead of schedule’ hold very little meaning.