Cyber Security: Reviews, risks, and opportunity for industry in FedGov

In Canberra IT circles, there may be no more feverishly anticipated phrase than “strategy review” (apart from “MOG change” – but that’s another story). As I wrote recently, there’s a conjunction like this happening right now in the FedGov cyber space. Specifically, the Labor Government has announced a review of Australia’s Cyber Security Strategy 2020 (CSS20). Industry should be taking notice. From what’s known about this review, I’m suggesting there are four main takeaways for the #cybersecurity industry, with both risk and opportunity looming.
 
Prior to the election, I attended an event where Richard Marles and Tim Watson spoke about cyber security. My impression of their message was that Labor ‘got’ the importance of cyber security as a national security priority and that their approach would be steady-as-she-goes, albeit with a greater focus on community and SMEs. You can see Labor’s policy finessing in the “smarter” cyber security statements in their National Security Policy. And it contains some pointers as to the changes the Government may lean towards in its CSS20 review. Paraphrased: cyber security is not just about who has the best offensive cyber tools, it’s about building systemic resilience across public, private and civil organisations. It’s also about recognising that data security is a modern foundation of national security. Consequently, Labor committed to lifting Australia’s cyber resilience and appointing a dedicated cyber minister.
Labor’s delivered on the dedicated (albeit dual hatted) Minister of Cyber Security, with Clare O'Neil’s position in Cabinet and the National Security Committee giving a cyber perspective and voice into government’s most important decisions. Given cyber’s place in the global landscape of political, economic, and military competition, I see this as a wise decision.
 
Apart from this, it’ll be interesting to see if there’s funding implications from Labor’s cyber reprioritisations in their NatSec policy. More cyber security funding perhaps? Or a Peter/Paul tradeoff from the CESAR program or REDSPICE’s offensive capabilities into new data security or cyber resilience initiatives?
 
Another interesting NatSec addition is data security – a focus I support. During the initial SOCI 2018 critical infrastructure reform consultation, I argued that (selected) #data, in and of itself, was critical infrastructure in a digital age – distinct from data storage and processing providers. Since then, Defence recognised data as a strategic asset in its Data Strategy 2022. I couldn’t agree more. Pipes are important. Storage is important. Compute is important. But the game-changing value lies in the data itself, and the meaningful conclusions drawn from it.
 
And if industry rumours are correct, Labor’s changes are already happening, as Home Affairs is said to be relooking at its role as a “Cyberhub” provider as part of the previous Government’s plan to harden the cyber security of FedGov’s 196-odd Departments, agencies and associated bodies. Unfortunately for industry that thought a Cyberhub is a good idea (and were looking at being a part of them), this relook might delay Home Affairs’ spending. If correct, this is in contrast to the Cyber Security Industry Advisory Committee’s recent argument that Cyberhubs should be “given more teeth” and “accelerated”.

So, change is in the air. And the CSS20 review is a major current in that change. But what do we actually know about it? Well, according to media quotes, it’ll:
  • be “grounded in sovereign capability, with a plan for the future workforce and growth of the cyber security sector, including Australian cyber SMEs”;
  • “build resiliency, with real engagement and industry alliances to deal with cyber shocks”;
  • “include the role of critical technologies, our partnerships through the Quad and international norms and standards”; and
  • “be truly strategic in how it contributes to Australia’s economic growth and as part of our national security posture, including securing supply chains”.

There’s more in the media about educating the young and reskilling the old(er) in cyber security as part of building Australia’s digital workforce and more to address #cybercrime .


So what does industry think about CSS20?

That depends on where the commentary is coming from, and where its interests lie. However, let’s look at the positions of industry’s senior voice into Government’s cyber security: the Cyber Security Industry Advisory Committee. The CSIAC, and its predecessor Panel, provided advice into CSS20 and has continued in its advising and reporting, releasing its second Report in August 22. This Report, dropped by Andy Penn in his role as (outgoing) CSIAC Chair, is one industry window into how to polish CSS20. In it, there are six main recommendations (paraphrased) for the next 12 months:

  • Government has an imperative to accelerate the hardening of its ICT systems, mirroring what it’s asking of industry.
  • Strategy is good. Rigorous strategy needs empirical, data-driven measurement and evaluation. CSS20 (or, I’d add, any strategy) needs this.
  • SMEs are having a hard time. They need more support, including with the continuing impacts of a hybrid remote workforce.
  • The “profound” implications of the fully implemented SOCI 2018 reforms need extensive, ongoing Government consultation with industry.
  • Industry and government have agreed to waltz towards a larger, better skilled cyber workforce. But we all need to do more. Now.
  • SOCI 2018 isn’t enough. Australian businesses that fall outside this regime need more clarity on their responsibilities, and CSIAC’s recommendations tied to the Best Practice Regulations Taskforce should be noted (and responded to) by Government.

There’s some frustration, justified or not, implicit in these recommendations. Regardless, it seems a reasonable conclusion that industry sees a real need for immediate improvement. While the CSIAC Report is aimed at CSS20, I find it hard to trace their recommendations (except people) into the Government’s publicly known aims for the CSS20 review. Hopefully, ongoing and collaborative consultation will occur.

And what does all this mean for industry?

First, this is a period of increasing cyber security regulatory revolution. Apart from the SOCI 2018 #criticalinfrastructure reforms and whatever comes out of the CSS20 review related to the Best Practice Regulations Taskforce, media has also speculated that the review will tap industry with more regulation, through codes, to define its cyber security responsibilities for protecting consumers and businesses. So what? Well, industry has to find its voice and engage both with Government and government for balanced outcomes. The corollary, of course, is that Government has to listen. Whatever communication channel works best, there’s growing regulatory expectations of, and associated cost to, industry from regulation. Ultimately, however, when Government decides, Boards will have to adapt and act on improving their cyber security. For critical infrastructure at least, that’s now a legislative requirement.

Second, there’s opportunity for industry to position trusted and innovative cyber security solutions to government, sharply focused on its priorities. Offerings will be enhanced by robust training and workforce skilling support, particularly if aligned with accepted training and education standards. This is where a company like NEXTGEN Group, and our vendors and partners, come in.


Third, the Government is serious about building sovereign cyber capabilities. There’s considerable strength in AUKUS, alliances and partnerships – and significant value in reference sites in like-minded governments – but the chance of business success will be boosted by measurable and value-adding ties to Australian cyber security capabilities. Industry needs to pay attention.


Fourth, there’s possibly going to be increased opportunities for community and SME cyber awareness offerings and down-pipe services (including breach impact remediation), hopefully not just in ACSC and its JCSCs, to uplift Australia’s cyber security baseline.


Done. And we’re all relieved … although I plan more pieces on Defence’s new ICT and cyber security strategies for anyone who’s interested.

Finally, please note that this is a personal opinion piece on an evolving, complex issue set. Errors and stylistic indulgences are mine alone. But, penultimate sentence I promise you, cyber security is not a wicked problem. It’s entirely addressable through ongoing focus; programmatic and intellectual agility; consultation; an appetite for risk; and – of course – funding.


Mick Lehmann
NEXTGEN Group General Manager, Government