Australia has ranked fourth in the Australian Strategic Policy Institute's (ASPI) Asia-Pacific cyber maturity scale, but despite overtaking Singapore in 2016, the independent think tank wants to see the country provide a "sophisticated understanding and approach" to cyber operations.
In its report [PDF] Cyber Maturity in the Asia-Pacific Region 2016, ASPI pointed to Prime Minister Malcolm Turnbull's AU$240 million Cyber Security Strategy, noting the April release of the program had revitalised the approach of the Australian government to cyber policy, cybersecurity, and digital commerce.
"Australia is an Asia-Pacific leader in cybercrime enforcement and engagement, CERT engagement activities, and global discussions on norms and confidence building," the report says.
"More work on public-private partnerships has begun, but will need to focus on closer engagement with critical national infrastructure operators to ensure the effectiveness of whole-of-nation cybersecurity measures."
Turnbull's strategy aims to defend the nation's cyber networks from organised criminals and state-sponsored attackers, and sits alongside the AU$400 million provided in the Defence White Paper for cyber activities.
"While the White Paper makes a welcome commitment to new funding and staff for cybersecurity operations and research, it doesn't describe the defence organisation's approach to cybersecurity and operations," the report says.
"Further evidence of a sophisticated understanding and approach to cyber operations, such as an unclassified policy, is needed."
Previously, Special Adviser to the Prime Minister on Cyber Security Alastair MacGibbon said Turnbull's 33 cyber initiatives were "ambitious".
"I've been around in this game for quite some time; I've been here for several of these strategies, and I've never detected the same level of interest. I've never seen industry or academia as engaged, and frankly I've never seen government as engaged in this process," he said. "I realise that I now have the fantastic opportunity to take that strategy forward."
In preparing the report, ASPI investigated the approach that 23 regional countries have respectively taken when combating cyberspace challenges and opportunities in terms of their governance structure, legislation, law enforcement, military, business, and social engagement with cyber policy and security issues.
"Asia-Pacific governments are increasingly engaging with cyber policy issues, as the threats and opportunities in cyberspace are better understood by regional policymakers," the report says. "However, the quality of policy development and implementation remains uneven, and many states have achieved minimal or poor-quality outcomes."
ASPI assessed each country on five topics: Governance; financial cybercrime enforcement; military application; digital economy and business; and social engagement, and gave each sub-heading a score out of 10.
The score out of 10 was based on how important -- with 10 being "extremely important" -- each sub-heading appeared to be for a country.
For 2016, ASPI gave Australia a total score of 80.9 out of a possible 100. Australia now ranks fourth, up one place from fifth in 2015, but only clear of Singapore by 0.7 points.
Australia's lowest-scoring sub-heading was the percentage of the population with access to fixed broadband internet connectivity, returning a score of three.
South Korea received the highest score in this category, with a result of five, while Japan, New Zealand, and the United States produced a four. Neck-and-neck with most categories, Singapore also scored a three.
Australia's highest score, a 10, was under the "What percentage of the population has mobile broadband internet connectivity" sub-heading.
Despite Australia's high rate of internet connectivity -- with 27/100 Australians having a fixed-line broadband internet subscription, and 112/100 having an active mobile broadband subscription -- ASPI reported that prices for broadband subscriptions are high by world standards.
The remaining sub-headings returned either an eight or a nine, with the report noting that Australia is doing well when it comes to public awareness, debate, and media coverage of cyber issues, as well as praising the country's international engagement on cybersecurity discussions.
Although not usually considered an Asia-Pacific nation, the US came in first, with a total score of 88.1.
ASPI said that in the wake of several embarrassing breaches last year, the US government took strong action to enhance national cybersecurity through a deeper partnership with the private sector.
The report praised the assistance provided to international partners to fight financial cybercrime, as well as the fact that it publicly disclosed its military was targeting an adversary through cyberspace, which ASPI said indicated significant confidence in the capabilities of the US.
Returning five scores of 10, what the US did well, according to the report, was lead in the pursuit and prosecution of financial cybercriminals, and increase the capability of its armed forces to tackle cybercriminals.
The report did say that the several-year delay of US cyber legislation, as well as issues such as encryption -- which has caused tensions between the government and the private sector -- continue without legislative action. Public attention on cyber issues has again been focused by major incidents, including the encryption debate and the hacking of the Democratic National Committee.
The US was followed by South Korea, with 83.6; then Japan, two points higher than Australia, on 82.9.
South Korea was praised by ASPI on the leadership role it took on international issues, establishing new bodies for multilateral cooperation.
Formed in 2001, ASPI is tasked with providing the federal government with "fresh ideas" on Australia's defence, security, and strategic policy choices.
According to ASPI, it is also responsible for informing the public on a range of strategic issues, generating new thinking for government, and harnessing strategic thinking internationally.
The ASPI International Cyber Policy Centre (ICPC) aims to facilitate conversations between government, the private sector, and academia across the APAC region.
The ICPC has four key aims: To lift the level of APAC public understanding and debate on cybersecurity; to provide a focus for developing public policy on cyber issues; to provide a means to hold Track 1.5 and Track 2 dialogue on cyber issues across the region; and to get different levels of government, business, and the public in a conversation together about cybersecurity.