The New Zealand government has made good on its 2018 promise to refresh its national cybersecurity strategy and action plan, at least in part.
The Cyber Security Strategy 2019 was published on Tuesday, but it's a brief document.
Five of its 17 pages are the covers, copyright notices, glossary, and a generic internet-good cybers-bad foreword by the Minister of Broadcasting, Communications and Digital Media, Kris Faafoi. Another page is lost to a generic "Cyber threats by the numbers" infographic, and the rest is pretty generic too.
"This strategy has a vision that New Zealand is confident and secure in the digital world -- it is about enabling New Zealand to thrive online," begins a section titled "Our vision".
"We want New Zealanders to make the most of the opportunities provided by an increasingly connected world, without suffering harm or loss."
Lovely words, but what do they mean?
The "guiding principles" include such no-brainers as working in a way that "balances risk with being agile and adaptive", and "uses our collective strengths to deliver better results and outcomes".
One of "[New Zealand's] values" is that "partnerships are crucial". Another is that "National security is protected".
The "five priority areas to improve cyber security (2019–2023)" are listed with inconsistent grammar as:
- Cyber security aware and active citizens
- Strong and capable cyber security workforce and ecosystem
- Internationally active
- Resilient and responsive New Zealand
- Proactively tackle cybercrime
And when you look at, say, cybercrime, there's only a series of "areas of focus", none of which have seem to have defined, measurable goals, or concrete action steps to meet them.
- seeking Cabinet agreement to accede to the Budapest Convention
- preventing cybercrime particularly for vulnerable groups
- increasing support to people affected by cybercrime
- encouraging reporting of cybercrime and improving sharing of information about cybercrimes
- improving information-sharing between law enforcement and the financial sector to reduce victimisation
- making the law fit-for-purpose to enable agencies to better manage and respond to cybercrime
- investing more to contribute to international efforts to deter organised cybercrime at the source, before it affects our communities
- raising our ability to respond to objectionable material and terrorist activity online
- investing more in skilled people and resources to combat cybercrime and cyber-enabled crime.
All a bit vague. In spite of being called a "strategy", therefore, it isn't one. But I'm not being totally fair.
"An annual work programme will accompany the strategy. The work programme will outline a range of actions to advance each of these priority areas," the document reads.
"The responsible Minister will release a public annual report on progress under each of the priority areas."
Indeed, the refresh plan [PDF] issued by Faafoi's predecessor Clare Curran in April 2018 specified that a "revised Cyber Security Strategy and Action Plan" was to be delivered in July 2018.
So they have... minus 11 months. Oops.
New Zealand has made significant progress, though, and the 2018 budget boosted funding for the Computer Emergency Response Team (CERT NZ) by NZ$3.9 million.
The new strategy cites the Government Communication Security Bureau's (GCSB) deployment of CORTEX cyber threat detection and disruption services to "organisations of national significance"; the development of so-called "Malware-Free Networks"; more cybercrime training for New Zealand Police; and a cyber credentials scheme to help small businesses improve their cybersecurity.
Meanwhile in Australia...
By comparison, Australia's initial burst of cyber action under its most-recently-knifed prime minister, Malcolm Turnbull, seems to have bogged down.
Australia's Cyber Security Strategy was launched in April 2016, and the First Annual Update appeared in April 2017. But as Australian Strategic Policy Institute (ASPI) described it, the strategy was swamped by reality.
"The first annual update only seems to have assessed actions, not outcomes, and in doing so an opportunity has been missed to explain what has changed because of strategy implementation efforts," the highly critical ASPI report said.
But since cybersecurity policy was moved to the Department of Home Affairs, the published strategy has remain untouched.
The agencies themselves have gotten on with their work.
The Australian Signals Directorate (ASD), for example, has shared some war stories, updated the government Information Security Manual (ISM), updated the mandatory access controls for government agencies, completed its network of Joint Cyber Security Centres (JCSC) for private sector collaboration, and released its rules for concealing vulnerabilities.
Only this week did the ASD, through its Australian Cyber Security Centre (ACSC), issue another update to the Essential Eight Maturity Model, which provides advice on how to conduct a phased implementation of its Essential Eight cybersecurity threat mitigation strategies.
But in terms of high-level strategic direction, nothing.
Maybe that's because Prime Minister Scott Morrison doesn't care about the cybers. After all, cyber defence went missing in the August 2018 cabinet reshuffle.
Maybe it's because Home Affairs Minister Peter Dutton is too distracted running the other eleventy billion components of his vast portfolio with his trademark intellectual rigour and attention to detail.
Or maybe it's because they were both too busy worrying about the federal election to get around to, you know, running the country.
Whatever the cause, a refresh of Australia's cybersecurity strategy is long overdue. New Zealand got theirs under way. Now it's Australia's turn.
Venture capital, connecting businesses with government, computers in homes, and national security initiatives will all secure funding in the country's 2019-20 Budget.
Open banking is around the corner and BNZ is ironing out its part through the use of technology and a human-centred approach.
Speeds held back by an interconnect issue, with top speeds to be much higher in future.
The country wants to better tax the NZ$2.7 billion in revenue from cross-border digital services and is asking its OECD peers to amend international rules.
Follows the National party obtaining Budget documents ahead of Thursday's due date.
The potential risks associated with compromised systems are severe. Given the prospects of a potential cyberwar, utilities should place a greater emphasis on security.