Uncertainty Is the Biggest Challenge to Australia’s Cyber Security Strategy
The Australian government announced the 2023-2030 Australian Cyber Security Strategy, which aims to “help realise the Australian Government’s vision of becoming a world leader in cyber security.” Overall, the strategy is designed to bring the public and private sectors together in delivering a cohesive vision.
While such ambition is inspiring and desperately needed in a nation that, given the size of its population and economy, has been disproportionately affected by cybersecurity breaches, it requires that all of Australia remain aligned to the vision. Businesses will need to make investments and adjust their approach to regulation and risk management to meet the government’s requirements. The government, for its part, needs to keep the vision consistent and coherent.
Unfortunately for those involved, the partisan nature of cyber security may complicate and ultimately undermine the delivery of the vision.
Political shifts could lead to changes in Australia’s cyber security strategy
Early in 2023, as the (then new) Australian government started to craft its cyber security vision, it met with opposition at both ends of the political spectrum. As reported in The Guardian, both the right-wing Coalition and the centre-left Greens, the two major alternatives to the Labor government, “expressed reservations” about changes to the existing cyber security laws the Labor government was developing.
On the right wing, the issue is the level of investment that the government wants to make and the level of importance it places on cyber security as a national concern. The L/NP is known for austerity and cost-cutting, and its commitment to cyber security was AUD $1.67 billion (USD $1.13 billion) spread over 10 years. The previous L/NP government also specifically left cyber security out of its ministerial portfolios, indicating that it was a lower priority for that government than it is in Labor’s vision.
Meanwhile, the Greens on the left side of politics are concerned the government might be misdirecting the investment and that the current vision for the laws might constitute overreach. As Greens Senator David Shoebridge was quoted in The Guardian: “the nation cannot keep relying on reactive measures and god-like takeover powers. Any powers must be strictly limited in scope and subject to close scrutiny and review, including full transparency in the way the powers are used to ensure people’s personal data is safe.”
What this means is that both the L/NP and Greens are likely to unveil significantly different and alternative cyber security visions in the leadup to the next election, promising to make fundamental shifts in approach, investment and engagement with the private sector.
Lack of bipartisan agreement means a lack of clear cyber security strategy
This is a problem for any companies or IT pros working in cyber security, who will need to accommodate the government’s changing regulations and approaches.
There are two federal elections in Australia between now and 2023. There is a high chance the current Labor government will no longer be in power before the proposed end of the 2023-2030 Australian Cyber Security Strategy.
This in turn means that, while the 2023-2030 Australian Cyber Security Strategy asks the entire industry to start taking steps towards an all-of-nation cyber security vision, IT professionals can’t be certain the same strategy will be in place even in 2025, much less 2028.
This makes it difficult for companies to develop cyber security strategies in alignment with the policy, as they have no way of knowing how those strategies might need to change following future elections.
Example of how political uncertainty can disrupt cyber security strategies
For Australia to be able to meet the 2023-2030 Australian Cyber Security Strategy vision, one area that will need to be a critical focus is skills. Australia has a significant skills shortage, particularly in cyber security, and addressing this will require government policy.
As University of Queensland academics noted in response to the paper:
“From an immigration perspective, streamlining visa processing and facilitating the immigration of talented cyber security professionals to Australia would be two obvious recommendations. To do so, the government should have a longer-term view of who could become, with support and necessary education or experience, a valid cyber security professional, tapping into the required diversity of backgrounds needed to effectively work in this field.”
However, there is strong opposition to the current migration system in political debate, particularly from the L/NP.
While there is a chance the migration system won’t change, the uncertainty makes it difficult for organisations to plan as far ahead as the Labor government wants them to. Because the 2023-2030 Australian Cyber Security Strategy is a long-term vision, that uncertainty makes it harder for the strategy to deliver on its promises.
Australia needs a cohesive, bipartisan approach to cyber security
As noted in The Conversation, the success of the Australian cyber security vision will require strategic decisions and some level of trade-offs and compromise.
“Then there are inevitable trade-offs that come with competing values such as privacy, security, innovation and regulation,” The Conversation noted. “For example, a project that strongly maintains the privacy of consumers may end up sacrificing transparency. Similarly, too much transparency can lead to security risks.”
Because the vision involves significant changes in approach to cyber security, enterprises and IT pros need to be preparing for these changes now. Flexibility in how cyber security is handled is going to be a key theme in the coming years.
But if there isn’t consensus on what those trade-offs should be and agreement on the long-term goal of the Australian cyber security vision, then it’s going to be difficult to bring businesses along on the journey. Already, the Digital ID system, which represents an early step in the vision, is meeting fierce opposition. Overcoming these hurdles and providing certainty will help the industry and IT pros participate in this national vision.