AUSTRALIA’S cybersecurity strategy is already over halfway through its four-year lifespan.
The AU$233 million (US$165 million) package tracks across five themes, bringing in government, the private sector, the research community
But one stakeholder remains glaringly absent – the broader Australian public.
The strategy sits at the collision point between two of today’s most seismic transformations.
Firstly, in a so-called Fourth Industrial Revolution, new technologies are merging cyber systems with the physical world, becoming inseparable from the way we live.
Geographical isolation has spared Australia from the worst of direct military attacks — but not with cyber threats traversing the globe in a span of milliseconds. These realities expand the spectrum of possible harm between war and peace, even as the traditional threat of war persists.
The 2016-2020 strategy thus signals a much-needed policy shift, after years of cyber policy stagnation thanks to a chain of leadership changes.
It embraces all Australians under its fifth theme of a ‘cybersmart nation’, targeting two national imperatives for our cybersecurity: developing a skilled workforce and raising awareness in the community.
But are we on track with our cybersmarts, now that the strategy is well past its halfway point?
The second annual update is yet to be released. The first, published over a year ago, paints a rosy picture. It reports that we are making “strong progress”, having started with our tertiary sector capacity-building and the conversation about diversity.
Dig deeper, though, and it’s not clear how much has changed.
Envisioned outcomes such as “the number of cybersecurity graduates increases” simply lack the data and research to be quantifiable.
Neither the strategy nor its update offers much by way of timelines, responsibilities or ways of measuring success — basic elements of smart goals.
Australia’s “strong progress” consists starkly of scattershot actions packaged as results. This lets the government get away with underperformance, but in the end, it’s self-defeating. No sustained, adaptive change occurs without critical reflection.
Part of the issue is funding.
Clearly delineated plans require a measure of certainty and confidence underpinned by far more resources
The overall package is largely comprised of existing Defence funding.
The deeper issue, however, is that the strategy lacks engagement with what it takes to change behaviour on a society scale.
The main public-facing aspect of the cyber strategy is the informational program Stay Smart Online. But awareness-raising is the easy part. Australians are already wary about online safety, especially when it comes to privacy.
The challenge is bridging the gap between knowledge and
We can draw lessons from 50 years of environmental psychology, wherein knowledge is just one facet of internal factors that also include attitudes, values, personality traits
As a result, old habits die hard. Becoming cybersmart isn’t merely about having a will and a way: we must also create a permissive system with security built in.
So the significance of a ‘cybersmart nation’ goes beyond plugging the yawning technical skills shortage.
Stakeholders across government, business, and civil society are ultimately made up of individuals from an array of backgrounds. Being agents in cyberspace, they too — not just technicians and state actors — play a role in keeping our networks secure, through a mix of precaution and innovation.
We must envision a system where all Australians are along for the
As a corollary, we can do better than piecemeal efforts to boost the workforce, diversity, and awareness.
The dearth of women in cyber, for instance, starts far younger than countenanced by the strategy.
To genuinely engage with the factors of
This is also an opportunity to embed a cybersecurity consciousness into the next generation, which is already growing up surrounded by the cyber-physical.
Never has Australia come under existential threat to the same extent as many of our Indo-Pacific neighbours.
As such, we are slow to wake up to changing times. We insist on the “rules-based global order” and similarly the bounteous optimism of our cyber strategy betrays only one side of the story. While the human element can be a source of strength and innovation, it can also be the weakest link in the chain.
A cybersmart nation, one that is resilient and adaptive, would form the foundation of our cybersecurity.
The current strategy makes a start in identifying risks and opportunities.
But if we neglect the big picture of how to change
In a world of increasing interconnectivity and uncertainty, the government owes it to Australians to shape a system where we are best equipped to help ourselves, and each other.