Australia’s cyber security strategy has been updated and has a remarkably different vision from its predecessor.
Australia’s 2016 Cyber Security Strategy attempted to address the question: ‘how do we secure our prosperity in a connected world?’ This strategy focused on growth, innovation and economic opportunity and recognised Australia’s role in championing an ‘open, free and secure internet’ in the international community. This focus was in large part driven by then Prime Minister Malcolm Turnbull, a former technology investor with a personal interest in technology and cyber security issues. The 2016 strategy was developed within the Department of the Prime Minister and Cabinet and on the day of its launch Turnbull announced a new position of Special Adviser to the Prime Minister on Cyber Security.
The 2020 strategy, by contrast, was developed in the Department of Home Affairs, Australia’s domestically focused national security and law enforcement ministry. It aims for a ‘more secure online world’ and presents a ‘plan to protect Australians online’. It has a strong focus on law enforcement and on bolstering Australia’s national cyber security organisations, the Australian Cyber Security Centre (ACSC) and the Australian Signals Directorate (ASD, Australia’s equivalent of GCHQ), but is far less ambitious economically.
The 2020 strategy is much more robust from an enforcement and deterrence perspective:
We work to actively prevent cyber attacks, minimise damage, and respond to malicious cyber activity directed against our national interests. We deny and deter, while balancing the risk of escalation. Our actions are lawful and aligned with the values we seek to uphold, and will therefore be proportionate, always contextual, and collaborative. We can choose not to respond.
The bulk of funding in the strategy goes to the ASD and the ACSC, expanding their workforce, research and data science capabilities, national awareness and threat sharing. Interestingly, some of the ASD’s funding goes to disrupting offshore cyber crime. ASD has a legislated mandate to ‘prevent and disrupt, by electronic or similar means, cybercrime undertaken by people or organisations outside Australia’. The Australian Federal Police also received funding to bolster ‘their ability to investigate and prosecute cyber criminals’, enabling them to ‘establish target development teams with partners, build technical cyber capabilities, and enhance operational capacity’. In short, the government is providing a significant amount of funding to build a chain of capability to find and understand offshore cyber crime and disrupt it, through either the legal system or using offensive cyber capabilities.
Although the bulk of the money allocated heads towards Defence and law enforcement agencies, there is a sensible and much stronger focus on shared responsibility among government, business and the community, and the strategy has separate actions for each.
Cyber security is a whole-of-economy issue and the strategy rightly highlights the role of the private sector. This is a tiered approach which at the low-end seems underdeveloped. For business in general, the strategy merely foreshadows the possibility of increased regulation and legislation and the government will release a voluntary Code of Practice for Internet of Things manufacturers. Both of these measures seem too tentative given the current threat environment. The top-end requirements are better. Critical infrastructure will have increased security obligations and the subset of critical infrastructure that is ‘most important to the nation’ will be designated as ‘systems of national significance’ and have enhanced obligations to share threat and cyber security information. All critical infrastructure operators will be expected to take reasonable steps to ensure robust cyber security, and are subject to government direction if they do not.
The strategy also endorses private sector efforts to protect consumers, such as Telstra’s Cleaner Pipes initiative, which protects the company’s customers from omnipresent threats such as phishing and malware. The strategy allocated some money to ‘strategic mitigation and disruption options’, and Cleaner Pipes was later described as a pilot programme for government and private industry collaboration. This is a promising effort that provides practical benefits and should be expanded.
There are two further strands of effort: growing Australia’s skills; and support to small and medium enterprises and vulnerable Australians. Monetarily, these are relatively small initiatives, and even then almost half of the funding to grow skills is focused on the Defence cyber workforce. Support to small and medium enterprises is mostly focused on increased outreach and awareness efforts, although there is a small effort to support victims of cybercrime.
The strategy also contains unfunded initiatives. The government aims to improve its own security to ‘lead by example’, and the strategy aims to do this by centralising the management and operation of the large number of government networks. Truly improving government security without additional funding would certainly be worth further analysis and publicity when this effort comes to fruition.
There is also a section on international engagement, and the strategy recognises the Australian government’s role in capacity building and shaping international behaviour. It also foreshadows a government ‘Cyber and Critical Technology International Engagement Strategy’, building on the ‘2017 International Cyber Engagement Strategy’.
Australia’s 2020 cyber security strategy gets responsibility right: we all have a shared responsibility for cyber security and the strategy identifies responsibilities across the government, business and the community. The strategy correctly identifies obligations for critical infrastructure, but is far too mild when it comes to other businesses; governments should be raising standards of cyber security now, not merely talking about possibly raising standards in the future. But the allocation of funding in the strategy undercuts this shared responsibility rhetoric — we are all responsible, but law enforcement and Defence get the dollars.
By Tom Uren, November 11, 2020, published by RUSI