The Australian government should reinstate the position of Minister for Cybersecurity, according to multiple public submissions to the review of the nation’s Cyber Security Strategy 2020.
“We believe consideration should be given to reestablishing a separate Cybersecurity portfolio within government,” wrote Peter Coroneos, international vice president of the Cybersecurity and Cybercrime Advisors Network (CyAN).
“This would send a strong signal to business and the public that the issues our members contend with on a daily basis are receiving the focus and attention they deserve.”
Cybersecurity was given specific ministerial attention only as recently as December 2017, when Angus Taylor was appointed as the junior Minister for Law Enforcement and Cybersecurity by then prime minister Malcolm Turnbull.
The portfolio was abolished in August 2018, less than a year later, by Scott Morrison when he succeeded Turnbull as PM.
Morrison did appoint Paul Fletcher as Minister for Cyber Safety as well as Communication and the Arts. However, this portfolio is about consumer safety in relation to such things as inappropriate online content, online scams, and cyber bullying.
Coroneos notes that the Department of Home Affairs (DHA) under minister Peter Dutton now includes a “very broad” range of responsibilities: not only cybersecurity but also criminal justice, emergency management, immigration and citizenship, multicultural affairs, national security, transport security, and settlement services.
However, as the Parliamentary Library noted in its 2018 Budget Review (PDF), the proliferation of federal cybersecurity initiatives has led to a lack of “explicit detail on how any particular measure ties in with the strategy, or the specific outcomes being sought in cyber policy”.
Microsoft wrote that there are five government functions that should be prioritised, but they’re largely managed across three different agencies: the Australian Cyber Security Centre (ACSC), which is now part of the Australian Signals Directorate (ASD); DHA; and the Department of Foreign Affairs and Trade (DFAT).
Those functions are policy and planning; outreach and partnership; communications to all the stakeholders; operations; and regulation.
“If the desire is to maintain the current structure, the government should consider whether the existing governance arrangements are ensuring that cyber functions performed by the Australian government are collaborative and coordinated,” Microsoft wrote.
“One possible improvement could be to have a single coordinating minister and/or a coordinating executive with oversight across all cyber functions within the existing Machinery of Government arrangements.”
Calls for a dedicated cyber minister also came from Deakin University, the Digital Industry Group (DIGI), the Financial Services Information Sharing and Analysis Centre (FS-ISAC), PwC, and others.
Who’s meant to be doing which cybers?
“There appears to be an element of confusion regarding the roles played by cybersecurity elements within the Australian government, particularly regarding the division of responsibility,” wrote FS-ISAC.
“It remains unclear which minister has prime carriage of cybersecurity.”
As Lockheed Martin Australia wrote: “In the case of the defence industry this has resulted in a fragmented approach that is often contradictory, incomplete, and not cohesive.”
VeroGuard Systems was more blunt. “Currently there is no evidence that a government, association or organisation is responsible for managing cyber risks in the economy,” it wrote.
Cyber leadership must start with the Prime Minister
The tone of any organisation is set at the top, said consulting firm TrustedImpact. That’s where priorities are defined, resources are aligned, and progress is monitored.
“If the government continues to de-prioritise or de-emphasise this issue [cybersecurity], we will experience greater levels of compromise, and conversely, see the productivity benefits of the connected digital world pass Australia by in the next decade,” the company wrote.
Trustwave noted the comments of Dr Tobias Feakin about leadership from 2015, before he became Australia’s Ambassador for Cyber Affairs.
“It requires a prime minister who will be prepared to champion the issue and spend some time talking about it with those that can make a difference,” Feakin wrote.
PwC also called for prime ministerial leadership. The PM “as a priority” should issue a statement on the way ahead for cybersecurity, perhaps with the launch of the 2020 strategy.
That statement should include a reminder of the challenges Australia faces, the appointment of a dedicated minister, and the setting up of annual cybersecurity leaders’ meetings.
The government should also report to parliament annually on its progress in improving the nation’s cyber resilience.
The collaboration of cybersecurity across jurisdictions should be reviewed by the Australian National Audit Office (ANAO) annually, PwC wrote.
National security or keeping the citizens safe?
“The government has lost the trust of the Australian community in terms of its performance in ICT,” wrote Deakin University.
Australia’s controversial encryption legislation, passed at the end of 2018, has caused “a significant loss of trust for the Australian ICT community generally, and ‘myth-busting’ papers from ASD do not rectify this situation”.
Indeed, the Telecommunications and other Legislation Amendment (Assistance and Access) Act 2018 came under fire from many submitters, for largely the same reasons.
Last month, the NetThing conference slammed the “national security” agenda of the strategy. In its submission it went further, calling it an “inherent conflict of interest”.
“The government agency responsible for surveillance and national security is simultaneously responsible for cyber security,” NetThing wrote.
“The government has the accountability to drive cyber resilience across the whole of the economy, including critical infrastructure, systems of national interest, federal, state and local governments, small and medium business, academia, the not-for-profit sector and the Australian community.
“At the same time, the government is also the actor called upon to re-establish control over the misuse of cyberspace, including developing tools and capabilities to conduct surveillance and potentially cyber offensive strikes against rogue actors.”
It’s “vital” that accountability for the two roles is separated, NetThing wrote, to “ensure informed debate” and the creation of policies that result in the best outcomes.
In stark contrast is the submission from Paul Twomey, internet governance veteran and now chief executive officer of Argo Pacific.
He said the overarching goals of the strategy should be to defend the country, keep the democracy stable, and protect the economy.
“Isolation is dead. But most Australians and Australian institutions do not really understand this,” Twomey wrote.
“The challenge for the Australian government is [to] engage the Australian population in a dialog that puts cybersecurity not just in economic and personal safety terms but also in more pressing national defence terms.”
Twomey’s recommendations included developing an international support network beyond the Five Eyes alliance, in both public and private sectors; educating the public about the tactics and motives of information warfare; and adopting a more European approach to taking down illegal content.
Twomey even suggested blocking Chinese content platforms where necessary.
These are “an increasingly influential mechanism for social and political intercourse among parts of the Australian community — and which are subject to Chinese government censorship,” he wrote.
Cyber Security Strategy 2020 will be the successor to Australia’s 2016 Cyber Security Strategy. Initial consultation closed on November 1, but further consultation will be “ongoing until the 2020 Strategy is released”, DHA said.