There are varying opinions on who should be Australia’s next cyber security chief, what that role should look like, and whether there’s an opportunity for an incoming government to change it after Alastair MacGibbon finishes up in the high-profile position on May 28.
Mr MacGibbon handed his resignation to Australian Signals Directorate director-general Mike Burgess last weekend for a position in the private sector.
He has been the public face of cybersecurity in Australia since he was handpicked by then-Prime Minister Malcolm Turnbull to be a special adviser on cybersecurity in May 2016, before being appointed as head of the Australian Cyber Security Centre (ACSC) when the centre was shuffled under ASD in January 2018.
His twin role as head of the ACSC and national cyber security adviser effectively gave him two reporting lines: to Mike Burgess on the one hand, and to Home Affairs secretary Mike Pezzullo on the other. The dual reporting lines are thought to have been a challenge.
ASD principal deputy director-general John Frewen has added leadership of the ACSC to his responsibilities until the role is permanently filled.
Australian National University cyber institute chief executive Lesley Seebeck has expressed her concern about Mr Frewen coming in as the interim head of the ACSC. She tweeted: “While John is a great fellow and I respect his capabilities, it disturbs me that we are placing a military officer [in] an essentially civilian role.”
Ms Seebeck’s reason to be worried is perhaps valid. While Mr Frewen is a high-ranking officer in the Australian Army, what cyber security expertise does he have?
Cybersecurity has evolved over the years to the point where cyber groups and nation-state attacks have blurred together, making it inherently a national security concern. With Mr Frewen in charge for the meantime, we are forced to ask: since when does national security fall under the remit of the military, which has always been focused on operational tactics?
Maybe our approach to cyber security has been completely wrong all along and the responsibility of cyber security shouldn’t be dependent on one person. After all, cyber security is a national issue.
For Fergus Hanson, head of the Australian Strategic Policy Institute’s International Cyber Policy Centre, it’s just about getting someone – or people – in who can get the job done.
He said it’s important for the ACSC to prioritise project management and delivery over having a public figure, as Mr MacGibbon was, given that the country is now at a different stage when it comes to cyber security.
“Alastair was a very public figure in the position. Depending on which side wins [the federal election] there would be different views on whether that role continues to be very public or be a more operational role as there’s a lot of work that needs to be done and focusing on that,” Mr Hanson told InnovationAus.com.
Mr Hanson believes there’s an opportunity to streamline the reporting structure, so “it’s not as messy.”
Opposition leader Bill Shorten made a similar suggestion in Parliament in February. He said the dual-hatted role in cybersecurity needed to change.
“Some are concerned that this dual-hatting creates fragmentation and stove-piping,” Mr Shorten said at the time.
“We need a cohesive national approach through the Cyber Security Centre as a single entity responsible for managing the cyber mission in totality and reporting up through a single chain.”
“We perhaps need to consider whether the Cyber Security Centre should be the single point of contact and accountability for all cyber-related communication, reporting, incident response, crisis communication, management, threat intelligence capability operations and policy,” he said.
“This centre should remain based in the Defence portfolio and continue to report to the Director-General of the Australian Signals Directorate.”