Is The Government’s Cybersecurity Strategy Failing?

Citing a UN report that says Australia is lagging on cybersecurity cooperation, Labor’s spokeswoman on cyber security and defence says our fall from fourth place to seventh is “a direct result of the Turnbull government’s failure to effectively implement its own cyber security strategy and engage with international partners”. Is she right?

The Australian Cybersecurity Strategy has been out for about a year and has been reviewed. It’s important to note it covers a four year period and is fully funded. Saying the strategy is failed, one year into a four year program of work is quite a harsh comment. But the reality is we have been overtaken by other countries when it comes to cooperation according to the United Nations report [PDF link]. The Asia Pacific section, in which Australia is included, starts on page 33.

When you look at the data in the report, the really important statistic isn’t the one number the Labor spokesperson focussed on – which is not a great result – but the table on page 34. On the Asia and Pacific Region Scorecard, we score strongly in almost every category. Two of the categories we scored poorly in were bilateral and multilateral agreements (hence the poor score when it comes to cooperation). This is clearly an area that needs focus.

We also scored poorly in the areas of public/private partnerships and interagency partnerships. And these are areas that are specifically targeted in the strategy. The new Australian Cyber Security Centre has opened in Brisbane and is a place where law enforcement and civilians can meet and work together. And, once the other centres are opened across the rest of the country, there will be greater opportunity for public and private agencies to work together.

The government released a review [PDF link] of progress against the strategy and it’s what you’d expect for a four year program after a year. Some things are done, others are in progress and some haven’t been started (the progress report starts on page 24 of the summary).

Saying the slump in one number is a failure of the entire strategy is like saying you need a new car because of flat tyre.

So, is the Labor spokesperson right? On the one data point she chose in the report she is spot on. Compared to other countries in our region, we are lagging when it comes to cyber security cooperation. But I think we have a bigger issue – and it’s one highlighted in the government’s review of the strategy and from what we’ve seen over recent weeks.

SMBs are lagging badly when it comes to cyber security and resilience. WannaCry and NotPetya reflect a lack of consideration to basic things like patching and backups. And this is an area the government plans to focus on over the next year.

But we are ahead in other areas and, based on my read of the data in the UN report, Malaysia and Singapore have set a very high bar in the region.

Mark Twain’s famous quote holds true here. There are three types of lies; lies, damned lies, and statistics. And this is a case where one data point in a very comprehensive report has been used to paint a false picture.