Earlier this year, the Government’s cyber security advisor, Alastair MacGibbon, described a “prevailing ‘tick box’ compliance culture” for federal government agencies when it comes to cyber security.
Furthermore, in a report released in May, the Australian Strategic Policy Institute (ASPI) recommended various areas where the Government needs to improve its approach to cyber security, particularly in adapting and implementing the ‘National Cybersecurity Strategy 2016-2021’.
In more positive news, on July 6, the International Telecommunications Union (ITU) released its ‘Global Cybersecurity Index’, where Australia was ranked a top ten nation for its commitment to cyber security.
By Dr. Drew Donnelly, Compliance Quarter
In a range of articles recently we have looked at technological developments which call for strong cyber security compliance requirements, including the Productivity Commission’s proposed data-sharing regime and developments in financial technology. Therefore, it is useful to explore the Government’s progress on cyber security. Today we look at the assessments of the ITU and ASPI on Australian cyber security and some areas that have been identified for ongoing improvement.
The Global Cybersecurity Index
The Global Cybersecurity Index (the index) measures the commitment of member states to cyber security. To make this assessment, it employs five ‘pillars’ representing features of a nation that are conducive to cyber security:
- Legal: legal frameworks and institutions for cyber security
- Technical: the presence of technical frameworks and institutions for cyber security
- Organisational: policy coordination institutions and strategies at national level
- Capacity-building: research and development, education and training programmes, etc., aimed at fostering capacity building
- Cooperation: the presence of partnerships, cooperative frameworks and information sharing networks.
As well as its overall placing as 7th best in the world, Australia was ranked third in the Asia-Pacific region, behind Singapore and Malaysia. In particular, the index recognised Australian success in the technical arena. The certification programme for information security skills was singled out as an area of particular strength. The only pillar that Australia did not rank highly in was cooperation.
When the Government released its strategy last year it recognised the importance of improving in this area, claiming “Only Government can drive cooperation across the public and private sectors and ensure information is shared between the two.”
The ASPI review
ASPI recently reviewed the Government’s strategy and implementation progress to date. In light of their review they came up with several recommendations, including:
- Adaptation of the strategy based on outcomes. ASPI pointed out that the Government has focused on assessing the actions it has taken to improve cyber security, rather than on assessing concrete outcomes and adapting strategy accordingly.
- Fixing the dispersed leadership of cyber security policy reforms across various government departments. This reinforces the assessment made by the ITU.
- Better support for small-to-medium sized enterprises when it comes to cyber security awareness.
While the index aimed to measure cyber security commitment, it clearly emphasised the presence of certain frameworks and institutions in a country, rather than actual cyber security outcomes. The ASPI report also suggests that, one year into the Cybersecurity strategy, the emphasis is still on Government outputs, rather than outcomes.
Of course, the Government’s strategy is only one year old, and many proposed reforms (such as the proposed data-sharing regime) are in their very early stages, so it is likely there will be more concrete progress over the next couple of years.