{"id":78242,"date":"2023-03-08T06:00:02","date_gmt":"2023-03-07T19:00:02","guid":{"rendered":"https:\/\/www.aspistrategist.ru\/?p=78242"},"modified":"2023-03-07T17:12:45","modified_gmt":"2023-03-07T06:12:45","slug":"getting-cybersecurity-right-requires-a-change-of-mindset","status":"publish","type":"post","link":"https:\/\/www.aspistrategist.ru\/getting-cybersecurity-right-requires-a-change-of-mindset\/","title":{"rendered":"Getting cybersecurity right requires a change of mindset"},"content":{"rendered":"
<\/figure>\n

If you work in the federal government in Australia, you know there\u2019ll be occasions when ministers call for ideas\u2014and kudos to Minister for Home Affairs Clare O\u2019Neil for grasping the opportunity presented by the Optus and Medibank hacks.<\/p>\n

Savvy bureaucrats know how to exploit such opportunities. Proposals will be close to hand that, with a bit of wordsmithing, will serve the minister\u2019s need. In some cases, those proposals will simply be the latest variation of long-held policy beliefs or bureaucratic positions.<\/p>\n

We can see elements of that in the latest cybersecurity initiatives announced by the government.<\/p>\n

New agency? Check. That was the Australian Cyber Security Centre, originally established to fuse intelligence and coordinate defence and response.<\/p>\n

New coordinator? Check. Alistair MacGibbon occupied that role.<\/p>\n

More legislation? Check. Politicians like legislation. But Australia already has so much of it\u2014often ill-suited to needs, as we saw with the Optus hack\u2014that the idea that the problem can be fixed by more legislation is at best questionable.<\/p>\n

Greater consolidation of power? Check. Another agency will be located within Home Affairs. That brings operations, policy formulation and ministerial advice together under one roof. Sometimes consolidation is good, but it risks undermining contestability, a cornerstone of democratic governance.<\/p>\n

Because of the pace of technological change and social adaptation, what has worked in the past in cybersecurity may not serve us well for the future. And cybersecurity itself represents a difficult challenge.<\/p>\n

Eric \u2018Astro\u2019 Teller, who heads X, Alphabet Inc.\u2019s \u2018moonshot factory\u2019 for big ideas, uses a heuristic<\/a> to describe how to tackle difficult world-changing problems: such problems, he says, can be like getting a monkey to recite Shakespeare while standing on a pedestal in Hyde Park.<\/p>\n

If we hope to make real progress, it\u2019s important to tackle the tough part of the problem\u2014getting the monkey to recite Shakespeare. That\u2019s hard. But most organisations get caught up on the easy part\u2014building the pedestal. Building a pedestal is doable; it gives the illusion of progress and achievement.<\/p>\n

And that\u2019s the danger here\u2014that we\u2019ll end up building more pedestals, expending so much of our energy and resources that there will be little left for tackling the hard work of cybersecurity.<\/p>\n

So rather than reinventing pedestals, what are the really tough problems of cybersecurity that a government needs to address?<\/p>\n

Well, we can agree that cybersecurity represents an existential challenge to democratic societies. At its core lie deep questions about the sort of society we want to live in, the opportunities we want to create and the fairness of our systems of governance\u2014and all in the context of other systems and ideologies.<\/p>\n

As we\u2019ve been reminded each day of the Robodebt royal commission<\/a>, our government systems quickly and unaccountably encode expectations, prejudices and behaviours into digital systems. How we think about and interact with technology\u2014not just the management problem of cybersecurity\u2014matters.<\/p>\n

At the heart of those questions lies the balance between security, liberty, privacy and agency. We know that good security protects privacy, and that privacy is critical to good security. We also know that trust in democratic government depends on accountability and transparency\u2014and mechanisms for redress when things go awry.<\/p>\n

Keeping cybersecurity under Home Affairs exacerbates the conflation of an intelligence\/offensive approach with an enforcement\/criminal perspective and the focus on attribution and punishment. Such mindsets generally are not readily open to preferencing individual liberties or civic agency.<\/p>\n

When we consider how cyber tools are used against us, it is worth considering the insights emerging from the war in Ukraine.<\/p>\n

Ukraine\u2019s resilience is the result of withstanding continuous targeting and assaults<\/a>\u00a0for around a decade by Russia. Ukraine has been forced to continually learn and adapt, enabling it to prepare well ahead of time, rather than rely on one-off policy statements.<\/p>\n

Ukraine has harnessed civil society effectively<\/a>, enabling individual agency while supporting community groups and not-for-profits. That, plus the relationships with the commercial sector, is helping Ukraine apply and deploy new technologies, defensive measures and tactics, while retaining the essential characteristics of democracy.<\/p>\n

Australia has all the advantages of Five Eyes membership, but those benefits are held deep within the well of the intelligence community. And there\u2019s a ways to go in establishing responsive, collaborative relationships between Australian companies and a government that can at times be tone deaf in its dealings with industry.<\/p>\n

All this points to the need for a mindset change. Cybersecurity is, in James P. Carse\u2019s terminology<\/a>, an infinite game; it is not bound by the finite-game concerns of politics in Canberra.<\/p>\n

Infinite games\u2014in contrast to finite games\u2014have no single universal, agreed \u2018winning\u2019 condition. Nor are they bounded; indeed, in cybersecurity the available attack surface and opportunities for exploitation are infinite and everchanging.<\/p>\n

Under such conditions, cybersecurity is not an endpoint, a single achievement or a guarantee\u2014whether by a government, a company or even an individual.<\/p>\n

Some may see the open-ended, unpredictable and unending nature of cybersecurity as a deterrent to attempting good policy outcomes\u2014after all, if claiming a policy \u2018win\u2019 is impossible, why bother and expose oneself to political risk?<\/p>\n

But that\u2019s a tad misguided. There is an optimistic side to cybersecurity. We engage because cybersecurity is something we work at and in doing so earn the right to keep doing. And by continuously learning and adapting, we get to shape our own destiny and take \u2018an unfinished past into the unknown future\u2019<\/a>. That\u2019s much better than looking back, shutting doors and barring windows\u2014and burnishing pedestals.<\/p>\n","protected":false},"excerpt":{"rendered":"

If you work in the federal government in Australia, you know there\u2019ll be occasions when ministers call for ideas\u2014and kudos to Minister for Home Affairs Clare O\u2019Neil for grasping the opportunity presented by the Optus …<\/p>\n","protected":false},"author":861,"featured_media":78246,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_mi_skip_tracking":false,"footnotes":""},"categories":[1],"tags":[416,2138,107,332],"class_list":["post-78242","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-general","tag-australian-government","tag-cybersecurity","tag-policymaking","tag-technology"],"acf":[],"yoast_head":"\nGetting cybersecurity right requires a change of mindset | The Strategist<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.aspistrategist.ru\/getting-cybersecurity-right-requires-a-change-of-mindset\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Getting cybersecurity right requires a change of mindset | The Strategist\" \/>\n<meta property=\"og:description\" content=\"If you work in the federal government in Australia, you know there\u2019ll be occasions when ministers call for ideas\u2014and kudos to Minister for Home Affairs Clare O\u2019Neil for grasping the opportunity presented by the Optus ...\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.aspistrategist.ru\/getting-cybersecurity-right-requires-a-change-of-mindset\/\" \/>\n<meta property=\"og:site_name\" content=\"The Strategist\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/ASPI.org\" \/>\n<meta property=\"article:published_time\" content=\"2023-03-07T19:00:02+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2023-03-07T06:12:45+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.aspistrategist.ru\/wp-content\/uploads\/2023\/03\/GettyImages-155148637.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"683\" \/>\n\t<meta property=\"og:image:height\" content=\"512\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Lesley Seebeck\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@ASPI_org\" \/>\n<meta name=\"twitter:site\" content=\"@ASPI_org\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Lesley Seebeck\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"5 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.aspistrategist.ru\/#website\",\"url\":\"https:\/\/www.aspistrategist.ru\/\",\"name\":\"The Strategist\",\"description\":\"ASPI's analysis and commentary site\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.aspistrategist.ru\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-AU\"},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-AU\",\"@id\":\"https:\/\/www.aspistrategist.ru\/getting-cybersecurity-right-requires-a-change-of-mindset\/#primaryimage\",\"url\":\"https:\/\/www.aspistrategist.ru\/wp-content\/uploads\/2023\/03\/GettyImages-155148637.jpg\",\"contentUrl\":\"https:\/\/www.aspistrategist.ru\/wp-content\/uploads\/2023\/03\/GettyImages-155148637.jpg\",\"width\":683,\"height\":512,\"caption\":\"http:\/\/www1.istockphoto.com\/file_thumbview_approve\/17401820\/2\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.aspistrategist.ru\/getting-cybersecurity-right-requires-a-change-of-mindset\/\",\"url\":\"https:\/\/www.aspistrategist.ru\/getting-cybersecurity-right-requires-a-change-of-mindset\/\",\"name\":\"Getting cybersecurity right requires a change of mindset | The Strategist\",\"isPartOf\":{\"@id\":\"https:\/\/www.aspistrategist.ru\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.aspistrategist.ru\/getting-cybersecurity-right-requires-a-change-of-mindset\/#primaryimage\"},\"datePublished\":\"2023-03-07T19:00:02+00:00\",\"dateModified\":\"2023-03-07T06:12:45+00:00\",\"author\":{\"@id\":\"https:\/\/www.aspistrategist.ru\/#\/schema\/person\/234257d47cdae20040ac334973efd4d4\"},\"breadcrumb\":{\"@id\":\"https:\/\/www.aspistrategist.ru\/getting-cybersecurity-right-requires-a-change-of-mindset\/#breadcrumb\"},\"inLanguage\":\"en-AU\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.aspistrategist.ru\/getting-cybersecurity-right-requires-a-change-of-mindset\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.aspistrategist.ru\/getting-cybersecurity-right-requires-a-change-of-mindset\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.aspistrategist.ru\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Getting cybersecurity right requires a change of mindset\"}]},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.aspistrategist.ru\/#\/schema\/person\/234257d47cdae20040ac334973efd4d4\",\"name\":\"Lesley Seebeck\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-AU\",\"@id\":\"https:\/\/www.aspistrategist.ru\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/f091ef55cb0dfe06e4e0cb2511a3fb7b?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/f091ef55cb0dfe06e4e0cb2511a3fb7b?s=96&d=mm&r=g\",\"caption\":\"Lesley Seebeck\"},\"url\":\"https:\/\/www.aspistrategist.ru\/author\/lesley-seebeck\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Getting cybersecurity right requires a change of mindset | The Strategist","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.aspistrategist.ru\/getting-cybersecurity-right-requires-a-change-of-mindset\/","og_locale":"en_US","og_type":"article","og_title":"Getting cybersecurity right requires a change of mindset | The Strategist","og_description":"If you work in the federal government in Australia, you know there\u2019ll be occasions when ministers call for ideas\u2014and kudos to Minister for Home Affairs Clare O\u2019Neil for grasping the opportunity presented by the Optus ...","og_url":"https:\/\/www.aspistrategist.ru\/getting-cybersecurity-right-requires-a-change-of-mindset\/","og_site_name":"The Strategist","article_publisher":"https:\/\/www.facebook.com\/ASPI.org","article_published_time":"2023-03-07T19:00:02+00:00","article_modified_time":"2023-03-07T06:12:45+00:00","og_image":[{"width":683,"height":512,"url":"https:\/\/www.aspistrategist.ru\/wp-content\/uploads\/2023\/03\/GettyImages-155148637.jpg","type":"image\/jpeg"}],"author":"Lesley Seebeck","twitter_card":"summary_large_image","twitter_creator":"@ASPI_org","twitter_site":"@ASPI_org","twitter_misc":{"Written by":"Lesley Seebeck","Est. reading time":"5 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebSite","@id":"https:\/\/www.aspistrategist.ru\/#website","url":"https:\/\/www.aspistrategist.ru\/","name":"The Strategist","description":"ASPI's analysis and commentary site","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.aspistrategist.ru\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-AU"},{"@type":"ImageObject","inLanguage":"en-AU","@id":"https:\/\/www.aspistrategist.ru\/getting-cybersecurity-right-requires-a-change-of-mindset\/#primaryimage","url":"https:\/\/www.aspistrategist.ru\/wp-content\/uploads\/2023\/03\/GettyImages-155148637.jpg","contentUrl":"https:\/\/www.aspistrategist.ru\/wp-content\/uploads\/2023\/03\/GettyImages-155148637.jpg","width":683,"height":512,"caption":"http:\/\/www1.istockphoto.com\/file_thumbview_approve\/17401820\/2"},{"@type":"WebPage","@id":"https:\/\/www.aspistrategist.ru\/getting-cybersecurity-right-requires-a-change-of-mindset\/","url":"https:\/\/www.aspistrategist.ru\/getting-cybersecurity-right-requires-a-change-of-mindset\/","name":"Getting cybersecurity right requires a change of mindset | The Strategist","isPartOf":{"@id":"https:\/\/www.aspistrategist.ru\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.aspistrategist.ru\/getting-cybersecurity-right-requires-a-change-of-mindset\/#primaryimage"},"datePublished":"2023-03-07T19:00:02+00:00","dateModified":"2023-03-07T06:12:45+00:00","author":{"@id":"https:\/\/www.aspistrategist.ru\/#\/schema\/person\/234257d47cdae20040ac334973efd4d4"},"breadcrumb":{"@id":"https:\/\/www.aspistrategist.ru\/getting-cybersecurity-right-requires-a-change-of-mindset\/#breadcrumb"},"inLanguage":"en-AU","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.aspistrategist.ru\/getting-cybersecurity-right-requires-a-change-of-mindset\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/www.aspistrategist.ru\/getting-cybersecurity-right-requires-a-change-of-mindset\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.aspistrategist.ru\/"},{"@type":"ListItem","position":2,"name":"Getting cybersecurity right requires a change of mindset"}]},{"@type":"Person","@id":"https:\/\/www.aspistrategist.ru\/#\/schema\/person\/234257d47cdae20040ac334973efd4d4","name":"Lesley Seebeck","image":{"@type":"ImageObject","inLanguage":"en-AU","@id":"https:\/\/www.aspistrategist.ru\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/f091ef55cb0dfe06e4e0cb2511a3fb7b?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/f091ef55cb0dfe06e4e0cb2511a3fb7b?s=96&d=mm&r=g","caption":"Lesley Seebeck"},"url":"https:\/\/www.aspistrategist.ru\/author\/lesley-seebeck\/"}]}},"_links":{"self":[{"href":"https:\/\/www.aspistrategist.ru\/wp-json\/wp\/v2\/posts\/78242"}],"collection":[{"href":"https:\/\/www.aspistrategist.ru\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.aspistrategist.ru\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.aspistrategist.ru\/wp-json\/wp\/v2\/users\/861"}],"replies":[{"embeddable":true,"href":"https:\/\/www.aspistrategist.ru\/wp-json\/wp\/v2\/comments?post=78242"}],"version-history":[{"count":4,"href":"https:\/\/www.aspistrategist.ru\/wp-json\/wp\/v2\/posts\/78242\/revisions"}],"predecessor-version":[{"id":78244,"href":"https:\/\/www.aspistrategist.ru\/wp-json\/wp\/v2\/posts\/78242\/revisions\/78244"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.aspistrategist.ru\/wp-json\/wp\/v2\/media\/78246"}],"wp:attachment":[{"href":"https:\/\/www.aspistrategist.ru\/wp-json\/wp\/v2\/media?parent=78242"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.aspistrategist.ru\/wp-json\/wp\/v2\/categories?post=78242"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.aspistrategist.ru\/wp-json\/wp\/v2\/tags?post=78242"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}