Budget 2020: Australia’s cyber dollars are full of stale hot air

Australia’s federal budget papers, which dropped on Tuesday night, make it clear just how little attention the government is paying to its cyber policies and to good governance generally.

ZDNet has already reported how most of the Budget was pre-announced, with those previously-announced figures included in the totals of supposedly new spending. In reality, though, it’s even worse.

Yes, the “additional $201.5 million” to help deliver the nation’s disappointing Cyber Security Strategy is just another part of the AU$1.7 billion over 10 years already announced in August.

Yes, the vast majority of that total figure is the AU$1.35 billion cyber kitty for the Cyber Enhanced Situational Awareness and Response (CESAR) package already announced with much fanfare back in June.

Yes, it’s a re-announcement of a re-announcement. New is not new.

But look more closely and you’ll see that CESAR isn’t even an additional investment.

“This measure will be offset by redirecting funding within the Defence Portfolio,” says Budget Paper No. 2.

To be fair, CESAR was something that would’ve been built anyway. Eventually. Probably. It was just given a shiny name to become part of a Scott Morrison prime ministerial announceable. New is not new.

Even this is a cyber throwback, according to Labor’s Shadow Assistant Minister for Communications and Cybersecurity.

“This government first announced funding for an ASD [Australian Signals Directorate] threat sharing platform in the 2016-17 Budget,” Shadow Assistant Minister for Communications and Cybersecurity Tim Watts tweeted.

“But you know, ANNOUNCING and DELIVERING are different things for this government. Still not delivered yet.”

And all of this is spread “over 10 years”, or three election cycles. The Cyber Security Strategy still doesn’t specify a target date for any of this happening.

According to Home Affairs’ Portfolio Budget Statements, that would be too hard.

“Due to the ongoing nature of the program, it is not appropriate to set an expected date of achievement,” it wrote.

I guess that’s true, given that the strategy itself has so very few measurable targets.

Some AU$$37.7 million of the magic and largely mythical AU$1.7 billion goes to the Department of Industry, Science, Energy and Resources to “support industry and academia to develop innovative approaches to improve cybersecurity skills and long-term workforce planning”.

This is all well and good, but it comes from the renamed “Election Commitment — Cyber Security Resilience and Workforce Package” that was part of the Mid-Year Financial and Economic Outlook Statement from months ago.

The AU$19.1 million for the Department of Home Affairs to “undertake a range of initiatives, including expanding outreach to Australian industry on cybersecurity-related matters, providing support services to victims of identity theft and cybercrime and enhancing cybersecurity awareness among households and small businesses” is partially money that was already allocated to the department. New is not new.

The AU$1.6 million to the Commonwealth Ombudsman, intended to monitor the nation’s controversial encryption legislation and other cybercrime law enforcement powers, is only for the current financial year. The money comes from “redirecting funding”, a delightful euphemism, from the Department of Home Affairs.

What happens in 2021-2020? The Ombudsman will presumably have to beg for more, or the Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018 will go without proper independent oversight.

Admittedly, the Parliamentary Joint Committee on Intelligence and Security’s review of the Act is due to report any day now, so maybe the government is holding off allocating money until then. Yes, I’m sure that’s it.

Given the government’s poor track record with IT projects more broadly, you might think that it’d be eager to make sure future projects stay on track.

As Crikey‘s Bernard Keane wrote recently, the Australian National Audit Office (ANAO) has been instrumental in uncovering widespread bureaucratic failure, especially when it comes to IT and cybersecurity.

But no. ANAO’s funding is actually being cut from AU$112 million in 2019-2020 to AU$98 million in 2020-2021.

One of the few properly new items is AU$39.4 million to the Office of the eSafety Commissioner to cover the increasing demand for its services and, among other things, a new “adult cyber abuse takedown scheme” under the new Online Safety Act.

That’s good, but that law doesn’t even exist yet. There’s isn’t a draft Bill.

The more you dig into Budget 2020, the less actual substance there is to find, which is the perfect summary of the Morrison government.