Published daily by the Lowy Institute

Australia's new cyber security strategy: A critical outlook

Published 27 Apr 2016 

The Department of Prime Minister and Cabinet recently released a $230 million Cyber Security Strategy. Interestingly, the last such document, issued in 2009 under former Prime Minister Kevin Rudd, was put forth by the Attorney General's Department. This change is most likely a display of Prime Minister Malcolm Turnbull's own keen interest in the matter, which is splendid news for Australia.

Though the Strategy suffered from a short-lived leak on 11 April, there was no formal mention of its official release date until 19 April, when the PM&C Twitter page attempted to gather momentum by announcing its launch for the following day. The Strategy was long awaited in the information security community, and in the broader national security community, and the government could have built up more interest among Australians if its release had been openly discussed sooner. As one of the key focus areas of the new strategy is developing a 'Cyber Smart Nation', the launch of the strategy could have been handled more transparently.

However, the 2016 Cyber Security Strategy is certainly a document that was worth the wait; at least Australia once more has a clear idea of where it is going, and an updated, relevant path drawn ahead. 

The Strategy's emphasis on bringing together public and private sectors, along with academia and the broader community, is commendable, and the actions set out to deliver on these goals seem pertinent and achievable. 

The strategy's deliverables have been partitioned into six distinct portfolios:

  • Defence;
  • Attorney-General;
  • Industry, innovation and science;
  • Foreign affairs and trade;
  • CSIRO;
  • Education and training.

This is a double-edged sword. Integrating such diversity and priorities is always good for keeping dialogue open and sharing responsibilities. Yet a whole-of-government, streamlined approach, such as that taken by the Pentagon under the US Department of Defense Cyber Strategy, could arguably prove more beneficial. Australia released a Defence White Paper earlier this year, committing $400 million to cyber security in the defence realm over the coming decade. Though this is a welcome and important investment in the area, it is rather disconnected from the national strategy that has just been released.

While the new strategy displays a number of outstanding and well thought-out initiatives, much of it is built upon the seven strategic priorities laid out in the 2009 Cyber Security Strategy; the only two not thoroughly addressed in the 2016 document being a focus on the protection of government ICT systems and the emphasis on the importance of the legal framework within which it operates. These two have instead been explored in the 2013 Attorney General's National Plan to Combat Cybercrime. The fact that there is relatively little 'fresh' approach falls in line with some comments that Australia is still playing catch-up when it comes to developing dynamic and relevant policy in this field.

Perhaps because I am still a relatively recent arrival to Australia, with only seven years' exposure to its politics, I was taken aback by the distinct lack of a global outlook in the new Strategy. In Europe, states simply do not get the choice to act in isolation, and their national policies on most levels will include some degree of interstate collaboration.

New Zealand's 2015 Cyber Security Strategy, presented alongside its National Plan to Address Cybercrime, puts forth the concept of 'international connections' as a substantial portion of its policy. Similarly, the 2015 US Cyber Strategy dedicates large sections to, and makes thorough mention of, 'international allies and partners,' referring to furthering aligned interests. 

The Australian Strategy focuses on international cyber policy dialogue, advocating for Australia's values of 'an open, free and secure Internet.' The appointment of a Cyber Ambassador will go a long way in raising Australia's profile and influence in the global dialogue on cyber norms. 

In scattered places, the Strategy ambiguously refers to international 'partners' and 'cooperation,' but leaves the reader wanting more substance. Will Australia pursue more formalised alliances to avoid cyber attacks and prosecute cyber crime with Five Eyes, or indeed other states, as part of its Cyber Security Strategy? Is an effort being made at aligning and facilitating legal cyber interests in this regard? Even in the Strategy's section on shutting down malicious cyber actors' safe havens, formal cooperation is not meaningfully discussed. One cannot help but wonder whether it actually is a priority at the national strategy level. 

Another issue is that the total budget assigned to the 'Global Responsibility and Influence' section of the strategy is AUS$6.7 million over four years. Disregarding the shortfall of international cooperation, and focusing purely on what the Strategy sets out to do, we are talking of being able to perhaps hire a team of 15-20 full-time staff for this period. This would be without any further project costs, realistic international travel arrangements and allowances, and other expenses.

One other aspect of the strategy has left me uneasy: education. An ambitious 'Cyber Smart Nation' vision looks at how to address the shortage of people with cyber security skills. The strategy hopes to revisit how students are encouraged to engage with STEM subjects at school, develop (more) TAFE courses in cyber, create tertiary education 'centres of excellence,' encourage students to select (and actually graduate from) cyber-related university degrees, tackle diversity (or the lack thereof) and the dismal rate of 10% women in the field, and provide short training courses in relevant areas to government and private employees.

All unquestionably noble causes, with valid action points. However, the downfall is the meagre $3.5 million over four years allocated to all of the above, the fourth lowest budget out of the 15 initiative areas set out in the Strategy's budget. This is a disappointing approach to what is formally referred to in the paper as 'Australia's commitment to addressing the critical shortage of skilled cyber security professionals.' In all fairness, the primary education and STEM subjects' aspect of the initiative is covered under the Innovation Agenda, with a solid $99 million allocated to it, but what of the rest? It will be interesting to assess the effectiveness of this particular set of enterprises in the first promised annual progress report.

Overall, however, it is a thoroughly researched and well written document, which will set Australia up for its next moves and ensure it remains relevant in the eyes of its allies, and hopefully feared in those of its foes. Yet one cannot help but wonder whether the Strategy simply stretches itself too thinly, and tries to do too much on too little capital.
