The newly restructured Australian Signals Directorate (ASD) faces cultural and structural challenges, but its new director-general Mike Burgess has hit the ground running with the agency's Corporate Plan 2018-19.
"People and culture" heads the list of priorities, the others being technology, tradecraft, partnerships, and governance and risk.
A new corporate division will implement "a strategic workforce plan, a diversity and inclusion strategy, and an enterprise-wide learning and development plan".
"These plans form part of ASD's broader cultural change program. We are implementing this cultural change program to make ASD the type of organisation that people aspire to join, and to foster a culture of excellence and inclusion in ASD," the plan says. "This program is key to ensuring the smooth integration of the new elements of ASD's workforce, especially those joining the ACSC [Australian Cyber Security Centre]."
The ACSC now has the extended role of providing cybersecurity advice and assistance not just to Australian governments, but also to "businesses and individuals", requiring the agency to be far more open with its communication than ever before.
The 2017 Independent Intelligence Review had noted the intelligence community's difficulties with recruiting and retaining specialist staff, with some being "put off by salary levels" that were lower than the private sector. As a statutory authority, the ASD's staffing now falls under the Intelligence Services Act 2001 rather than the Public Service Act 1999, offering greater flexibility.
"ASD will therefore use its transition to a statutory agency as a chance to design new career pathways and employment opportunities that better reflect the kind of work that ASD does, so that it can better recruit, retain, train, and develop its specialist staff," Burgess wrote in his introduction to the plan.
The ASD also plans to speed up its technology implementation cycle.
"Rapid technological change makes imposing long-term strategies and plans over a four-year horizon less optimal for our technology capability. Instead, our adaptive posture must enable agile decision-making, so we can consciously pivot into new and upcoming technologies as the enterprise requirement arises."
In April, Burgess had said that his operational priorities for year one included a national assessment of the nation's cybersecurity, focusing initially on critical infrastructure; collaboration with major internet service providers and critical infrastructure providers to "drive out known problems, and equally important, identify and first see new threats"; executing counter-cybercrime campaigns; and outreach and influence.
"My expectations for the centre [ACSC] include comprehensively understanding the cyber threat to Australia, providing timely proactive advice and assistance that makes a real difference across the community, businesses, and government. The centre's work must lead to an improvement in the identification and management of the cybersecurity risk to all Australians," he said.
The ACSC revealed that it is establishing a 24/7 cyber newsroom, and had already had informal discussions with the Australian Bureau of Meteorology (BoM) on how to build effective relationships with the media.
"This is the most significant change to the organisation since the Defence Signals Bureau was established seventy-one years ago, in the aftermath of the Second World War," Burgess wrote in the plan.
"With such an historic change occurring, this Corporate Plan provides a new opportunity for ASD to articulate its purpose and set a baseline for how we will measure success against that purpose."
Differing views within the recently restructured Australian Signals Directorate, described in one media report as an 'internal brawl' and 'internal frictions', could highlight a deeper, more challenging division.
The Joint Committee of Public Accounts and Audit wants the government to include the additional four steps in its list of mandatory infosec strategies.
The National Audit Office can make adverse findings against departments, but ASD head Mike Burgess is satisfied agencies are taking security seriously.
When you have most of the cyber talent in the public service, why should you defer to an agency without a cybersecurity team?
Mike Pezzullo's apparent thought bubble on domestic digital surveillance has been burst, but it foreshadows tense times ahead for Australia's new domestic security arrangements.
Microsoft has received accreditation from the Australian Signals Directorate, allowing it to store highly classified government information up to 'protected' level on its Office 365 platform and specific Azure services.