The disappointment of Australia's new cybersecurity strategy

Finally, after 11 long months, Home Affairs Minister Peter Dutton has delivered a drab and inward-looking cybersecurity plan and has complained about encryption yet again.

The most striking aspects of Australia's new Cyber Security Strategy, launched on Thursday, are how vague and unambitious it is, especially when compared to the strategy launched by then-Prime Minister Malcolm Turnbull in 2016.

With the 2020 strategy now online, Turnbull's vision has of course been thrown down the memory hole despite the government's claim that it's now building on its "strong foundations".

Fortunately for us, the 2016 strategy and its first and only "annual" update are preserved at the Internet Archive.

A comparison of the two is far from flattering to the newcomer.

Turnbull had set out his vision, which, in typical Turnbullian style, he referred to as his "philosophy" for a "cyber smart nation".

"The need for an open, free and secure internet goes far beyond economics," he wrote.

"It is important for ensuring public and financial accountability and strengthening democratic institutions. It underpins freedom of expression and reinforces safe and vibrant communities."

Turnbull said that the internet had to be governed by those who use it, not dominated by governments.

He talked about innovation, about a "national cyber partnership", and about Australia taking on "global responsibility and influence".

His action plan included appointing Australia's first Ambassador for Cyber Affairs and publishing an international cyber engagement strategy -- perhaps two of the strategy's greatest successes.

Indeed, Australia continues to play an important role in global cyber diplomacy.

The proposal for a cybersecurity growth centre turned into AustCyber, promoting Australian businesses internationally.

The strategy created the Cyber Security Cooperative Research Centre and the Joint Cyber Security Centres (JCSCs), although the latter have struggled to find their precise role.

Importantly, Turnbull appointed a minister to assist the prime minister on cybersecurity, giving the whole strategy some focus and leadership.

Also importantly, the action plan was to be completed by 2020, although admittedly most of the items didn't come with measurable outcomes.

Turnbull's strategy didn't totally succeed. Far from it. But with its panoramic vision and international engagement, it was seen as world-leading.

Making cybersecurity more cybersecure

By comparison, the new strategy from the Minister for Home Affairs Peter Dutton is drab and inward-looking.

"The Australian Government's vision is to create a more secure online world for Australians, their businesses, and the essential services upon which we all depend," it says.

That's it. Our vision for cybersecurity is to be more cybersecure.

[Figure: Australia's new vision for cybersecurity is to make things cyber better. Image: Department of Home Affairs]

That said, the Dutton strategy does contain some solid proposals.

Commonwealth network operations will be centralised as a "first priority", reversing the previous doctrine of leaving each agency to fend for itself.

Some AU$35.3 million will go to the Australian Cyber Security Centre (ACSC) to deliver a "new partner portal coupled with a multi-directional threat-sharing platform" that will operate at "machine speed".

Such a capability has been promised for years and it's long overdue.

New laws will enable better responsiveness in cyber emergencies, though exactly what they might contain remains to be seen.

The recommendations of the industry advisory panel are pretty much adopted wholesale, including an active cyber defence program.

But much diminished is Turnbull's focus on developing and growing Australia's cybersecurity industry and on innovation. The AU$90 million allocated to industry development is all about cyber skills and education.

Such broader industry development does get a mention, but it's overshadowed by the emphasis on intelligence, cyber response, and law enforcement.

The main new international development will be a Cyber and Critical Technology International Engagement Strategy. The rest is to carry on as before.

Looking ahead, the items relating to the internet of things (IoT) are a voluntary cybersecurity code of practice for device manufacturers and something about consumer awareness.

The word "quantum" does not appear in the document.

The Turnbull strategy was long on vision but short on numbers. In fact, it didn't mention dollar values at all. In your correspondent's view that's just fine. A strategy should be about describing a vision and setting goals, not detailing the implementation.

The Dutton strategy is short on vision but does come with a sprinkling of numbers. However, those numbers are a bit of a furphy.

Of the AU$1.67 billion totalled up in the document, the vast majority is the AU$1.35 billion cyber kitty for the Cyber Enhanced Situational Awareness and Response (CESAR) package announced in June.

And for all the waving of the big numbers, this budget is spread across 10 years, or three election cycles. The strategy doesn't specify a target date at all.

[Figure: Cyber circle within cyber circle, being some sort of diagram from Australia's new 2020 Cyber Security Strategy. Image: Department of Home Affairs]

Does Peter Dutton understand his own cyber strategy?

Rather than sell the whole strategy, Dutton has reverted to his usual "we're protecting the kiddies, don't you worry about that" schtick when talking about new policing powers.

"If you're a pedophile you should be worried about these powers," Dutton said at a press conference on Thursday.

"If you're a terrorist you should be worried about these powers if you're committing serious offence[s] in relation to trafficking of drugs, of ice [methamphetamine], for example, that's being peddled to children, you should be worried about these powers as well," he said.

"If you're part of the Australian community, the 99% of people that aren't involved in those activities, then I don't think you have anything to concern yourself with."

The controversial Assistance and Access Act got another plug too, inevitably using terrorism as the example.

"Somehow we allow end-to-end encryption where an exchange of this information can take place but even with a warrant the police can't recover that information or stop a terrorist attack from taking place."

One might be forgiven for getting the impression that Dutton isn't across the whole strategy and is only capable of parroting talking points.

The document itself contains some odd ideas too.

"Cybersecurity allows families and businesses to prosper from the digital economy, just as pool fences provide peace of mind for households," it says. This is despite its emphasis on building resilience, which would be teaching people to swim and perform CPR.

Overall, for a document that took 11 months to gestate and was delivered four months behind schedule, one might have expected something a bit more substantial.

One gets the feeling that Home Affairs produced this strategy just because everyone expected them to, so it's a by-the-numbers exercise.

It also feels like the industry advisory panel has done all the hard work, with Dutton handing up the homework as his own.

Finally, it remains that "the Minister for Home Affairs has primary responsibility for delivering this Strategy, with support from other ministers as required".

Dutton is already spread thin across his sprawling department. How well do we think this strategy will progress under his leadership?
