The federal government needs to better coordinate its “bewildering matrix” of cybersecurity policy and responsibilities and appoint a dedicated minister, a number of submissions on the 2020 Cyber Security Strategy have said.
The Department of Home Affairs is currently consulting on its update to the cybersecurity strategy, which was last iterated in 2017. It released a discussion paper in September detailing its plans for a significant shift in policy and responsibility, and accepted public submissions until the start of November.
The Department has now released these submissions publicly. A common theme is confusion and frustration with the current arrangement of departmental responsibility for cybersecurity governance and policy, and with the lack of a specific cybersecurity minister.
In its submission, the Communications Alliance attempted to provide a diagram of which departments and agencies were responsible for which cybersecurity elements, but found this nearly impossible.
“The landscape is so complex that it is difficult to depict it in a legible format in this submission,” Communications Alliance said.
Tech sector body DIGI, whose members include Google, Facebook and Twitter, said that cybersecurity responsibilities are currently shared between the Australian Cyber Security Centre, the Attorney-General’s Department, the Office of the Australian Information Commissioner, the Australian Consumer and Competition Commission, the eSafety Commissioner, the Department of Communications and the Department of Home Affairs.
“It is not clear today where the responsibilities for Australians’ cybersecurity lie across government, as many departments consider elements of it to fall under their remit,” DIGI’s submission said.
“It therefore is not apparently clear to industry nor individuals which government department would be the lead or appropriate port of call for enquiries relating to cyber security,” it said.
The Communications Alliance said the 2020 cyber strategy update needed to focus on “coordination, optimisation and efficiency” in the use of government resources to fight cyber crime and provide cyber resilience.
“Unfortunately, the Australian cybersecurity landscape is characterised by an almost bewildering matrix of government departments and agencies with an interest in, or portfolio responsibilities, relating to cybersecurity,” the telco industry group said.
“These departments / agencies cover a large array of security-related issues and address a multitude of different stakeholders. It appears that a better coordination of the current spread of agencies and the programs and more focused spending on a single national point of access would be likely to result in a more effective approach to cybersecurity.
“It would also serve to address what must be an enormous and, at times, inefficient coordination burden on the involved departments and agencies.”
Despite the wealth of submissions on the matter, the government may already believe that it has done the job.
The 2016 Cyber Security Strategy included an aim to streamline the government’s cybersecurity governance and structures, and a progress report this year listed this as “complete”.
According to the progress report, efforts to achieve this have involved the establishment of the Australian Signals Directorate as a statutory agency, and the co-location of the government’s cybersecurity functions in the ASD’s Australian Cyber Security Centre. The government has also appointed an Ambassador for Cyber Affairs.
But these are only “initial steps” in this process, Communications Alliance said.
“In our view, more ought to be done in this respect and the streamlining process cannot be considered complete,” it said.
Several submissions also called for the return of a dedicated cybersecurity minister after the role was scrapped by Prime Minister Scott Morrison. Home Affairs minister Peter Dutton now has cyber responsibilities.
“It is not apparently clear to industry nor individuals which government department would be the lead or appropriate port of call for enquiries relating to cybersecurity. In order to assist in creating this clarity and to elevate the importance of cybersecurity within government, we would welcome the reintroduction of a cybersecurity minister,” DIGI said.
“Such a minister can develop expertise on these issues, act as an advocate within government for cybersecurity and assist in the coordination of efforts across different departments. In addition, a minister or a lead agency may also be able to assist in weighing the cybersecurity considerations in legislation designed to achieve other aims.”
This could have helped with avoiding damaging legislation such as the recently passed anti-encryption powers, DIGI said.
A lack of coordinated leadership from the federal government is leading cyber companies to relocate overseas, cybersecurity firm VeroGuard said.