The Australian Government released Australia’s Cyber Security Strategy for 2020 this week.
It outlines an investment in our nation’s cyber capabilities of $1.67 billion over the next 10 years, advocates for collaboration, and articulates actions required across government, businesses, and the community to make Australia more resilient to cyber incidents.
The strategy is a win for the cyber safety and security of Australia as a whole, as it helps to elevate what has traditionally been a technical discipline to one of national importance that rightfully deserves the focus it now has.
There are a few things of note that the strategy does well, and areas where there is room for improvement.
Improving the cyber resilience of vulnerable targets
Critical infrastructure has and always will be a target for cyber attackers. Incidents in other parts of the world have shown how countries can be brought to their knees when cyber-physical compromises occur. As such, it is appropriate that the government is focused on improving the cyber resilience of services we rely on every day to maintain our standard of living.
In addition, the most vulnerable targets are ones that find cyber security challenging due to a lack of education and budget; small and medium-sized enterprises, and everyday citizens, are often preyed-upon by attackers.
The strategy does the right thing by outlining positive steps to provide additional funding and support in an attempt to make our weakest links more resistant to cyber threats.
Senior leadership accountability for cyber resilience
Accountability at board and senior executive level appear like they will be addressed through regulation. This is a positive step, as long as the regulation can be enforced and the regulatory body responsible does not end up being a “toothless tiger”.
It would have been preferable to include explicit messaging articulating the importance of board and senior executive accountability. Instead, the words “board” and “executive” appear exactly once in the strategy when used in this context, and are only mentioned in relation to education.
This was a missed opportunity to drive home the message that organisations must elevate their game to treat cyber resilience as a key strategic business imperative, not just a compliance requirement.
Allocation of budget
While the strategy appears to be balanced across government, industry, and citizens upon initial reading, analysis of the budget tells a different story. Almost all of the $1.67 billion will be dispensed directly to the key government agencies responsible for our national cyber defences, who will in turn use a subset of those funds to help the wider industry and community.
Further scrutiny suggests less than a third of total funding will ultimately flow to the ecosystem outside of the federal government. Using this financial lens, the strategy looks to be primarily about bolstering our nation’s front-line cyber capabilities.
While this is great for national security, the need for more collaboration, which the government has also been promoting, requires a more balanced allocation of funds across the ecosystem.
The strategy is missing answers relating to the “how” and “what”. Some statements in the strategy are effectively placeholders indicating that details will be determined at a later stage.
In addition, the measures for success are imprecise. In most cases, an improvement larger than 0% can be interpreted as a win. Precision, clarity of execution, and metrics need to be better articulated for the strategy to make the desired impact.
Supporting the local ecosystem
One could infer that the support of research and development efforts will flow through to start-ups and the building of world-class cyber security companies in Australia, but this is not clearly mentioned.
The 2016 iteration of the strategy resulted in the formation of AustCyber, which has been great for cyber security innovation and the start-up ecosystem. The lack of clarity in relation to how the government intends to build on that success is hopefully something that will be addressed sooner rather than later.
The local cyber security industry has never been stronger. It is the right time to embrace the opportunity to supercharge our nation’s cyber start-ups into global significance and further show that Australian innovation has and always will be competitive on the world stage.
Moving forward, together
The 2020 version of Australia’s Cyber Security Strategy is a great starting point and points the industry towards what our government deems to be the most important focus areas.
To make the desired impact, more work needs to be done to clarify what success looks like, how we will know when we get there, and who is actually responsible for the detailed actions required to turn the vision into reality.
While this is something the government should drive and be accountable for, we must all play our part as it is through working together and claiming responsibility even when we are not ultimately accountable, that presents the best chance of being successful, in whatever form success will eventually take.