Over the last few months, Minister for Home Affairs and for Cyber Security, Claire O’Neil, has alluded to a review of cyber security strategy and arrangements. Such a review is needed.
Australia’s efforts in cyber are suffering from some key systemic and structural problems. It’s not a matter of a few potholes that need fixing, or even of straightening the track. It’s that a road in disrepair will not take us where we need to go, and we need to be better equipped to cope with an increasingly parlous environment.
Government holds vast stocks not simply of national security information but of personal, industry and economic data, all increasingly attractive to both criminals and spies. Its increasingly automated systems make decisions based on that data that affect the economy, companies and communities, right down to individuals’ identity and wellbeing.
Yet the government struggles to meet its own basic cybersecurity requirements. Its minimalist approach focusses on the Essential Eight, plus the AGD’s Protective Security Policy Framework. The bulk of its resources is dedicated to the defence and intelligence community. The $9.9 billion REDSPICE program, for example, lies within the high walls and deep wells of that community, with increasing effort given to the offence.
The effort, risk, and burden of protecting and building domestic, civilian capability has been shifted onto other parties—companies, boards, and individuals—through legislative change. Legislation has its place. But there are undesirable consequences to this approach: a compliance mentality within organisations, increasing overall fragility and the potential for over-reach. The Security of Critical Infrastructure Act follows the path of earlier changes to the Telecommunications Act, which mandated the secret, forced access to encrypted data, through decryption or creation of new tools, for the purpose of law enforcement.
Consequently, our cyber posture is fraying, with widening gaps between the government’s ambitions and its capacity to meet them, and between the need for system defence across the economy and community and the capability available to provide it. A continuing preference for offence and for the needs of the intelligence and national security community—as important as they are—no longer suffices.
There are four main, inter-related areas in need of repair: national capacity building; rationalising the government’s ICT footprint; people; and structural reform.
Capacity building—within government, and across the economy—has to be a central tenet of government policy, rather than an occasional add-on, or something we only do overseas. We don’t expect people to successfully run marathons, facing unknown dangers, without maps, resources, training, or support. Yes, the ACSC is trying to assist, but the underlying assumption that organisations can run the race unaided still applies to both government departments and the broader economy.
Within government, the ICT stack needs modernisation and rationalisation—especially its data holdings. That will be a hard, largely thankless and costly task, given the diversity of technologies across government. And it is one that cannot rely on the current means of funding new ICT through ad hoc new policy proposals.
But it can be made easier over time provided some key principles and programs are adopted, including strict control over, and minimising the collection of, personal data; the rigorous renewal of platforms and applications; and security and privacy by design.
An intensified focus on people covers three key dimensions. First, in a digital democracy, citizens’ enfranchisement depends on their access to, and control over, their own data. Government should be merely the steward of that data, and the protector of people’s rights and due process, not its owner.
Second, while it’s often said that people are the weakest link in security, they are really its strongest asset. Giving people agency, trusted assurances around privacy, easier means to protect their own systems—such as automated updates and data encryption—and appropriate recourse when breaches do occur will improve the security of the whole.
Last, skills and knowledge continue to be in short supply in cyber and related fields. Current settings lead to poaching, spiralling costs and increasing vulnerability for organisations unable to afford staff. And current responses—generally focussing on education within existing institutions—haven’t delivered.
We’ll need a different approach to achieve the necessary step change in the time we have. That may be a combination of forcing functions, increased opportunities and incentives, such as—speculatively—taxation exemptions for qualified individuals; a mandated weekly day for training; the use of consultants for advice and training only, not delivery; and encouraging alternate modes of training and education.
All this leads to the need for structural reform within government, to enable the necessary repairs and set the new direction for the economy. Cyber defence and resilience need to be extracted from within the intelligence, defence and home affairs silo and consolidated with digital in a new ministry for digital transformation and cyber, suitable for a digital democracy.
Such a new ministry will need cabinet representation, a broad remit, and budgetary control. It will need new people, with deep technical expertise but also strong policy, statecraft, management, and communication skills. Those aren’t readily to hand—there’s little point revamping the DTA, for example. But it is better to start small, with quality, and grow, than to be swamped with overhead.
None of these initiatives are cost-free. If we are serious about national security, about economic competitiveness, and about people’s data and well-being, the days of doing it on the cheap are gone. There are no quick fixes. The choice is stark: fundamental repair and realignment, with the prospect of improvement; or simply more of the same, in the same way, in a worsening environment.