The Australian government's Cyber Security Strategy faces serious difficulties. Modest efforts have been swamped by reality, according to a highly critical report released by the Canberra-based Australian Strategic Policy Institute (ASPI) on Wednesday.
Progress has been slower than hoped, there's no clear timeline for implementation, transparency is lacking, and private-sector partners are still in the dark as to what the government's implementation plan actually is.
Only four of the planned 83 outcomes have been achieved so far, the report said, with work on just 20 more being "on track". Some 22 outcomes need more attention, and work hasn't even started on a further 14 outcomes.
For the remaining 11 outcomes, it's impossible to tell whether work is progressing well or not, because the strategy doesn't specify any qualitative or quantitative targets.
"The constant stream of cyber events, from this month's ransomware incident to France's election hack, highlights how serious a national challenge cybersecurity has become. Unfortunately, while the government is working hard, the pace and scale of the issue is outgrowing the government's current efforts," said a statement from the report's authors, principal analyst Liam Nevill and analyst Zoe Hawkins from the ASPI's International Cyber Policy Centre (ICPC).
According to their report, developments this year have been "humbling litmus tests", highlighting the work that still needs to be done to improve Australia's cyber posture. In March 2017, for example, a report from the Australian National Audit Office (ANAO) revealed what the ICPC called "sub-par cybersecurity" in key agencies, raising questions about the take-up of the strategy's principles.
"The infamous 2016 #censusfail also revealed the pain points of Australia's cyber incident response capability, with inconsistent messaging coming straight to the fore."
Collecting data to measure the strategy's progress hasn't been started either. According to Nevill and Hawkins, that's critical to understanding the next steps for cybersecurity in Australia. The very design of the strategy has been an obstacle, they said.
"Some of the document's outcomes are not quantifiable, so confidently measuring success is impossible. Many of the outcomes that are practically measurable are framed in terms of a relative change but are put forward without supporting baseline information necessary to measure progress," the report said.
"Disappointingly, the government's failure to enact a communications strategy associated with the strategy's implementation has meant that a coherent and comprehensive narrative on implementation success has yet to be developed. This is not surprising, given that the human and financial resources afforded to the Department of the Prime Minister and Cabinet [PM&C] are simply not commensurate with the size and importance of the task."
Australia's Cyber Security Strategy was launched in April 2016, with the broad goal of "advancing and protecting our interests online". The government released a progress report, the First Annual Update, in April 2017, and that report is the basis for the ICPC's analysis. The bulk of their 44-page report is a detailed commentary on the government's reported progress against all 83 planned outcomes, as well as details of the budget allocated to projects so far.
The four outcomes achieved so far are: appointing Dan Tehan as Minister Assisting the Prime Minister for Cyber Security on 18 July 2016; the Australian Securities and Investments Commission (ASIC) and the Australian Securities Exchange (ASX) launching their cybersecurity health checks for ASX100 companies in November 2016, with the industry-led Cyber Health Check Report released in April 2017; the Australian Signals Directorate (ASD) updating its Top Four strategies to mitigate cyber incidents to become the Essential Eight in February 2017; and releasing the strategy's first Annual Update in April 2017.
The ICPC report also noted achievements such as establishing the Australia Cyber Security Growth Network (ACSGN) and international Austrade landing pads for startups, and the allocation of AU$500 million of new funding for cybersecurity-related initiatives.
The ICPC has made 11 recommendations across the strategy's five themes.
Amongst them are calls for the strategy to adapt and evolve more rapidly, with measurable and time-bound annual action plans.
"The first annual update only seems to have assessed actions, not outcomes, and in doing so an opportunity has been missed to explain what has changed because of strategy implementation efforts," the report said.
The ICPC also calls for better support for mid-tier and small to medium enterprises; better communication across the board, moving from public awareness to behavioural change; and clearer leadership structures.
"Elements of cyber policy responsibility are found in PM&C, the Department of Defence, DFAT [Department of Foreign Affairs and Trade], the Attorney-General's Department, and so on. This can be challenging for those responsible for coordinating the delivery of the initiatives," the report said.
"While an agency along the lines of Singapore's Cyber Security Agency may not be the most appropriate response for the Australian Government, the co-location of key personnel may help to streamline the delivery of policy initiatives and enhance engagement."
Despite the many criticisms, however, the ICPC report does reflect some remaining confidence.
"The confluence of leadership focus, the media spotlight, and a mutual desire for public-private partnership means that the scene is set for Australia to learn from these implementation lessons and collectively move forward, committed to building on the successes of the past year."