The government’s discussion paper seeking community views ahead of a landmark 2020 National Cyber Security Strategy paints a picture of a dramatically changed cyber environment, and sets the scene for significantly different roles for both government and business.
Home Affairs Minister Peter Dutton released the discussion paper on Friday and will appoint a “panel of experts” to guide the development of the strategy in the next several weeks.
Australia’s first National Cyber Security Strategy was launched by former Prime Minister Malcolm Turnbull in 2016 and updated in 2017. The original intent was to update the strategy annually, but the department has instead moved to a consultation process for a significant re-write due next year.
Even in its short history, it is clear the 2016 strategy changed the cybersecurity landscape in Australia, and has drawn closer ties between different parts of the cyber ecosystem. The 2020 strategy seeks to take that further, and potentially to broaden the collaborative arrangements between business and government on cyber issues.
It also opens the way to greater government-private sector collaboration on critical infrastructure, broadening definitions of critical infrastructure from the traditional – water, electricity, telecommunications – to include data centres, digital services, and even data itself.
“Strong collaboration and partnerships are vital to ensure this strategy is well positioned to tackle the cyber security challenges we face as a nation,” Mr Dutton said.
Submissions are being accepted by the Department of Home Affairs until November 1.
The discussion paper raises the prospect of creating a more centralised architecture for cyber protection, shifting cyber risk away from end-users and more on to businesses and industry. This could include a review of regulation – and potentially the introduction of new legislation – to enforce cyber security standards.
“To identify any gaps, we are interested in exploring with all stakeholders what existing legislation is available to ensure consumers can be confident products and services include reasonable cyber security protections,” the paper says.
“Importantly, we also want to examine whether such legislation is proactive in providing and enforcing such protections for consumers, which can be either individuals, businesses or governments.”
“As the risks and consequences from malicious cyber activity rise, we are seeking your feedback about whether Government’s approach to cyber security laws needs to change. Both stronger enforcement of existing laws and new requirements could be considered.
“If change is needed, Government would favour the option that delivers the largest long-term benefits for society while minimising any upfront costs for industry.”
The challenge for government will be in maintaining the confidence of the Australian people in the cyber systems and practices that are put in place to strengthen the overall resilience of the infrastructure and services that keep the digital economy ticking.
The role of government online has increased dramatically in the decades since the internet became mainstream. But it has operated in a legislative framework that was put in place before the internet became a foundation of the economy, the paper says, and without a modern perspective on how malicious cyber activity crosses traditional borders.
While government’s “first priority” is keeping the trust and confidence of the Australian people, it is seeking input on whether its role could be expanded to better meet the cyber security threats.
“If you think there is scope for Government to do more, we are seeking your views on how it could do this in a way that means you remain confident your rights as an Australian citizen are protected.”
The 2020 National Cyber Security Strategy will mark a significant shift, just as the 2016 strategy was the start of a period of great change in the way government works to protect the digital economy.
The Australian Cyber Security Centre, the creation of programs of cooperation with state governments through Joint Cyber Security Centres in five capital cities, the closer collaboration with other countries – particularly ASEAN – and the appointment of Australia’s first Cyber Ambassador have all flowed from the 2016 strategy.
The 2016 plan also included the creation of the industry development body AustCyber, and led to the creation of a cyber-specific Cooperative Research Centre. It also marked the start of the “name and shame” doctrine, in which the government publicly attributed significant cyber incidents to multiple nation states.
Macquarie Government managing director Aidan Tudehope said the discussion paper acknowledged not only the evolving cyber threat landscape being faced at an individual, business and country level, but also the increased importance of technology and cybersecurity to drive our national economy.
Some of the most critical areas to address were around sovereign capability and skills in cybersecurity and information technology generally. These skills can’t be offshored, and Mr Tudehope wants to see sovereign capability built into the cyber strategy.
“Global GDP is already heavily dependent on the digital economy and this will only increase; we need the right sovereign capabilities to futureproof Australia’s global position, particularly in today’s uncertain economic times,” he said.
“It is crucial that Government, at all levels, are exemplars in how they bake in cyber security to everything they do. Innovation without the strongest cyber security underpinnings is a train crash waiting to happen.
“Government needs to know where citizen data resides and whether 24×7 global support models mean unknown individuals have privileged access to government systems,” Mr Tudehope said.