In Back in September last year, I wrote about the Government’s review of Australia’s Cyber Security Strategy 2020 (CSS20). Yesterday, the review’s Expert Advisory Board released a discussion paper with 21 specific questions, asking for our input.

I gave it a read through, over a glass of red, last night.

The vision is as simple as it is ambitious: to make Australia a world-leader in cyber security by 2030. Although – and I don’t think it’s nit-picking - those words (in the Forward) are different to the 'most cyber secure nation in the world by 2030' in the body of the paper.

Some things I like:

• Our Government is taking #cybersecurity seriously. Therefore, business needs to pay attention. As an aside, I’m glad to see that the long-term cyber passion of Tim Watts has earned him a place assisting the Minister in the review.
• Explicitly adding Data. The review says, ‘the Strategy must reflect the importance of protecting customer data’, which I wholeheartedly support. During the initial SOCI 2018 reform consultations, I argued that #data, in and of itself, could be #criticalinfrastructure. Pipes are important. Storage is important. Compute is important. But the game-changing value lies in the data itself, and the meaningful conclusions drawn from it.
• The emphasis on increasing the Government’s own cyber security. The paper says that 'government agencies have a long way to go to properly secure government systems … and the majority of entities are yet to implement basic policies and procedures.' This is consistent with Andy Penn's previous advice to Government to accelerate the hardening of government's ICT systems, mirroring what's being asked of industry.
• The suggestion to declassify threat intelligence. Noting that this is already done (to an extent that only specialised bodies know), “Hell, yes!” to operationalising and sharing intelligence … appropriately AND boldly.
• The suggestion for a transparent evaluation framework. If cyber security is a truly national endeavour, like the paper suggests, then accountability is key. Does anyone remember 2017’s First Annual Update to Australia’s 2016 Cyber Security Strategy? Iirc, it’s the only one ever done.

.What I like less:

• The timeline. The paper says that the new Strategy will run to 2030. That’s 7 years. What’s the baseline for significant change in a digital world? Well, the constant eruptions in our technology and threat landscape led the Government to begin reviewing CSS20 in late 2022. That’s 2-ish years validity. Look, I know that strategy requires consistency, but ... 7 years strikes me as wearing analogue shoes in a digital race. My reluctant counteroffer would be 5 years with a formal review done in year 3.
• The workforce and STEM. Like just about every cyber conference or workshop you’ve been to, the paper raises the challenge of how to grow Australia’s cyber workforce. They’re right to ask the question. Unfortunately, I don’t see any answer in what Australia is doing, or might start to do, by 2030. Perhaps skilled immigration? Perhaps ML/AI?
• What I’m really not sure about: more regulation. The paper raises a possible new Cyber Security Act and further reforms to SOCI 2018. I don't think it's unfair to say that there’s uncertainty and cost around the cyber reforms Australia already has. It’ll be interesting to see how regulation, bureaucracy, Australia’s cybersecurity, and business can all be balanced in a way that leads to benefits for the last two.

What I’m really not sure about: more regulation. The paper raises a possible new Cyber Security Act and further reforms to SOCI 2018. I don't think it's unfair to say that there’s uncertainty and cost around the cyber reforms Australia already has. It’ll be interesting to see how regulation, bureaucracy, Australia’s cybersecurity, and business can all be balanced in a way that leads to benefits for the last two.

Finally, to contribute the smallest of ideas. The paper says there's a lack of understanding of 'the practical steps that consumers, small and medium-sized enterprises, and other organisations must take to enhance their cyber security’. It then suggests that the new Strategy can ‘invest further’ to improve this. Agreed. But why wait for the Strategy to be published at the rearend of 2023? Why not scour what the Government already provides/does and embed cyber security into it now? For example, the #AustralianCyberSecurityCentre has great resources for SMEs, including a guide for small business. How about linking/embedding these in the government’s primary SME portal, business.gov.au?

I’m guessing there are scores of cyber security quick wins – consistent with the Strategy’s vision – that could be made in the next nine months. 

Fyi, submissions to the paper are due in mid-April. The paper can be found at the link below or (better) by searching yourself for '2023-2030 Australian Cyber Security Strategy Discussion Paper'.

 

Mick Lehmann
NEXTGEN Group General Manager, Government