A New Australian Cybersecurity Strategy — But Still No Leadership

09 September 2019

Last week, Peter Dutton, the Morrison Government’s ‘Baddest MP’ and ‘Worst Minister’, released a ‘Call for Views’ on the development of a new Australian Cyber Security Strategy. Given that the Turnbull-era Cyber Security Strategy will reach the end of its life in 2020, this was a welcome announcement— particularly given that it took this government 17 months to produce the last strategy.

The only problem? Well, it’s Peter Dutton.

The major failing in Australian cyber security over the life of the current strategy has been an absence of political leadership and accountability from the federal government. Cyber security policy has been reduced to a mostly forgotten conquest in Peter Dutton’s campaign of bureaucratic empire building — just another trophy to put on the wall rather than a day to day policy focus for the Minister. The problem is, without engaged political leadership, cyber security policy has been allowed to drift in a bureaucratic miasma. Initiatives have been announced and then forgotten. Programs have been funded with little accountability for progress. The result has been… well it’s hard to say, but it hasn’t been good.

Three and half years after the 2016 cyber security Strategy was released with great fanfare and hundreds of millions of dollars of funding, Peter Dutton now tells us the government has made “strong progress” towards the strategy’s goals. You’ll just have to take their word for it though. There are no data or evidence to back the Government’s claims. Indeed, none of the 2016 cyber security strategy’s five action plans specified any metrics or outcomes against which you could measure success.

Where the government did make specific commitments, they’ve often gone down the memory hole. As just a sample, the 2016 strategy promised:

  • A Minister Assisting the Prime Minister on Cyber Security: yet when Scott Morrison became Prime Minister, this position disappeared.
  • Annual updates reporting on implementation progress: a first annual update was published in 2017, but none have been published since.
  • Annual cyber security leaders’ meetings: Malcolm Turnbull met with public and private sector leaders in 2017, but no meetings have been held since.
  • A layered approach to cyber threat information sharing, including through an online information sharing portal: Yet no online information sharing portal has been established and between September 2018-June 2019, the Government failed to publish any ‘threat advice’ at all on their own website.

In fact, if you ask independent third parties — Australia may have gone backwards . Indeed the International Telecommunication Union’s Cyber Security Index records Australia’s commitment to cyber security falling relative to the rest of the world from third in the world in 2014 to 11th in 2018 .

The Australian National Audit Office’s independent audits of the cyber security practices of 17 Commonwealth entities and agencies, found that only 6 were cyber resilient. Troublingly, Australia is ranked in the top five for data breaches by population.

This lack of leadership on cyber security is costly for Australia. The estimated economic impact of identity theft is $2.1 billion per year. In 2017 alone, $2.3 billion was stolen by cyber criminals from Australian consumers. Of the data breaches reported to the OAIC, 60% were malicious or criminal acts. On top of that, Duncan Lewis, the outgoing head of ASIO, recently identified cyber security as one of the biggest threats to Australian national security. It’s a problem.

In late 2018, the United Kingdom’s Joint Parliamentary Committee on National Security Strategy assessed the cyber security of the UK’s critical national infrastructure and found the biggest problem with the government’s approach to be that:

“[t]here is little evidence to suggest a ‘controlling mind’ at the centre of Government, driving change consistently across the many departments and CNI sectors involved.”

The Committee concluded that without a dedicated minister,

“the Government’s efforts will likely remain long on aspiration and short on delivery”.

So about as effective as a Peter Dutton leadership challenge.

Australia deserves better.

To get the political leadership we need to drive the cultural change across the public and private sectors needed to build cyber resilience, we need to make cyber security someone’s day job in the government.

To have a chance of being effective, the Australia’s next cyber security strategy must reinstate a dedicated minister for cyber security.