NZ finally updates its cybersecurity strategy, so where's Australia's?

New Zealand's generic new cybersecurity strategy may be long on motherhood statements, short on detail, and late, but it sure beats Australia's two years of cyber policy stagnation.
Written by Stilgherrian, Contributor

The New Zealand government has made good on its 2018 promise to refresh its national cybersecurity strategy and action plan, at least in part.

The Cyber Security Strategy 2019 was published on Tuesday, but it's a brief document.

Five of its 17 pages are the covers, copyright notices, glossary, and a generic internet-good cybers-bad foreword by the Minister of Broadcasting, Communications and Digital Media, Kris Faafoi. Another page is lost to a generic "Cyber threats by the numbers" infographic, and the rest is pretty generic too.

"This strategy has a vision that New Zealand is confident and secure in the digital world -- it is about enabling New Zealand to thrive online," begins a section titled "Our vision".

"We want New Zealanders to make the most of the opportunities provided by an increasingly connected world, without suffering harm or loss."

Lovely words, but what do they mean?

The "guiding principles" include such no-brainers as working in a way that "balances risk with being agile and adaptive", and "uses our collective strengths to deliver better results and outcomes".

One of "[New Zealand's] values" is that "partnerships are crucial". Another is that "National security is protected".

The "five priority areas to improve cyber security (2019–2023)" are listed with inconsistent grammar as:

  • Cyber security aware and active citizens
  • Strong and capable cyber security workforce and ecosystem
  • Internationally active
  • Resilient and responsive New Zealand
  • Proactively tackle cybercrime

And when you look at, say, cybercrime, there's only a series of "areas of focus", none of which seem to have defined, measurable goals or concrete action steps to meet them.

  • seeking Cabinet agreement to accede to the Budapest Convention
  • preventing cybercrime particularly for vulnerable groups
  • increasing support to people affected by cybercrime
  • encouraging reporting of cybercrime and improving sharing of information about cybercrimes
  • improving information-sharing between law enforcement and the financial sector to reduce victimisation
  • making the law fit-for-purpose to enable agencies to better manage and respond to cybercrime
  • investing more to contribute to international efforts to deter organised cybercrime at the source, before it affects our communities
  • raising our ability to respond to objectionable material and terrorist activity online
  • investing more in skilled people and resources to combat cybercrime and cyber-enabled crime.

All a bit vague. In spite of being called a "strategy", therefore, it isn't one. But I'm not being totally fair.

"An annual work programme will accompany the strategy. The work programme will outline a range of actions to advance each of these priority areas," the document reads.

"The responsible Minister will release a public annual report on progress under each of the priority areas."

Indeed, the refresh plan [PDF] issued by Faafoi's predecessor Clare Curran in April 2018 specified that a "revised Cyber Security Strategy and Action Plan" was to be delivered in July 2018.

So they have... minus 11 months. Oops.

New Zealand has made significant progress, though, and the 2018 budget boosted funding for the Computer Emergency Response Team (CERT NZ) by NZ$3.9 million.

The new strategy cites the Government Communications Security Bureau's (GCSB) deployment of CORTEX cyber threat detection and disruption services to "organisations of national significance"; the development of so-called "Malware-Free Networks"; more cybercrime training for New Zealand Police; and a cyber credentials scheme to help small businesses improve their cybersecurity.

Meanwhile in Australia...

By comparison, Australia's initial burst of cyber action under its most-recently-knifed prime minister, Malcolm Turnbull, seems to have bogged down.

Australia's Cyber Security Strategy was launched in April 2016, and the First Annual Update appeared in April 2017. But as the Australian Strategic Policy Institute (ASPI) described it, the strategy was swamped by reality.

"The first annual update only seems to have assessed actions, not outcomes, and in doing so an opportunity has been missed to explain what has changed because of strategy implementation efforts," the highly critical ASPI report said.

There has also been success under Australia's hawkish diplomatic cyber strategy, a game Australia will continue to play, and with the Australian Cyber Security Growth Network, AustCyber.

But since cybersecurity policy was moved to the Department of Home Affairs, the published strategy has remained untouched.

The agencies themselves have gotten on with their work.

The Australian Signals Directorate (ASD), for example, has shared some war stories, updated the government Information Security Manual (ISM), updated the mandatory access controls for government agencies, completed its network of Joint Cyber Security Centres (JCSC) for private sector collaboration, and released its rules for concealing vulnerabilities.

Only this week did the ASD, through its Australian Cyber Security Centre (ACSC), issue another update to the Essential Eight Maturity Model, which provides advice on how to conduct a phased implementation of its Essential Eight cybersecurity threat mitigation strategies.

But in terms of high-level strategic direction, nothing.

Maybe that's because Prime Minister Scott Morrison doesn't care about the cybers. After all, cyber defence went missing in the August 2018 cabinet reshuffle.

Maybe it's because Home Affairs Minister Peter Dutton is too distracted running the other eleventy billion components of his vast portfolio with his trademark intellectual rigour and attention to detail.

Or maybe it's because they were both too busy worrying about the federal election to get around to, you know, running the country.

Whatever the cause, a refresh of Australia's cybersecurity strategy is long overdue. New Zealand got theirs under way. Now it's Australia's turn.
