Australia’s Cyber Security Strategy: Execution & Evolution
44
AUSTRALIA’S CYBER SECURITY STRATEGY: EXECUTION & EVOLUTION
Transcript of Australia’s Cyber Security Strategy: Execution & Evolution
AUSTRALIA’S CYBER SECURITY
STRATEGY:
EXEC
UTIO
N
& EV
OLUT
ION
ABOUT THE AUTHORSZoe HawkinsZoe is an Analyst in ASPI’s International Cyber Policy Centre, researching and writing on international and domestic cyber policy issues.
Liam NevillLiam is the Principal Analyst in ASPI’s International Cyber Policy Centre, researching and writing on international and domestic cyber policy issues.
WHAT IS ASPI?The Australian Strategic Policy Institute (ASPI) was formed in 2001 as an independent, non‑partisan think tank. Its core aim is to provide the Australian Government with fresh ideas on Australia’s defence, security and strategic policy choices. ASPI is responsible for informing the public on a range of strategic issues, generating new thinking for government and harnessing strategic thinking internationally.
ASPI INTERNATIONAL CYBER POLICY CENTREThe ASPI International Cyber Policy Centre (ICPC) brings together the various Australian Government departments with responsibilities for cyber issues, along with a range of private‑sector partners and creative thinkers to assist Australia in creating constructive cyber policies both at home and abroad. The centre aims to facilitate conversations between government, the private sector and academia across the Asia–Pacific region to increase constructive dialogue on cyber issues and do its part to create a common understanding of the issues and possible solutions in cyberspace.
The ICPC has four key aims:
• Lift the level of Australian and Asia–Pacific public understanding and debate on cybersecurity.
• Provide a focus for developing innovative and high‑quality public policy on cyber issues.
• Provide a means to hold Track 1.5 and Track 2 dialogue on cyber issues in the Asia–Pacific region.
• Link different levels of government, business and the public in a sustained dialogue on cybersecurity.
We thank all of those who contribute to the ICPC with their time, intellect and passion for the subject matter. The work of the ICPC would be impossible without the financial support of our various funders, but special mention should go to the Commonwealth Bank, which has been a strong advocate and supporter of our work.
AUSTRALIA’S CYBER SECURITY
STRATEGY:
EXEC
UTIO
N
& EV
OLUT
ION
ZOE HAWKINS AND LIAM NEVILL
CONTENTS
Executive summary 03
Introduction 04
Section 1: Strategy themes 051. Strong cyber defences 05
2. Global responsibility and influence 07
3. Growth and innovation 08
4. A cyber smart nation 08
5. A national cyber partnership 09
Section 2: Implementation challenges and improvements 13Speed of delivery 13
Annual updates and measuring success 14
Communications 14
Human resources 15
Financial resources 15
Section 3: Moving forward—key recommendations 16Strategy implementation 16
Private‑sector engagement 16
The Australian public 17
Cyber governance 17
Appendix 1: Progress in achieving strategy outcomes 18Key 18
National cyber partnership 19
Strong cyber defences 21
Global responsibility and influence 29
Growth and innovation 31
A cyber smart nation 33
Appendix 2: How much is the Australian Government spending on cyber issues? 35
Acronyms and abbreviations 40
02 AUSTRALIA’S CYBER SECURITY STRATEGY: EXECUTION & EVOLUTION
EXECUTIVE SUMMARY
On 21 April 2016, Prime Minister Malcolm Turnbull launched Australia’s Cyber Security Strategy, which outlined how the Australian Government will pursue the goal of ‘enabling innovation, growth and prosperity for all Australians through strong cyber security’.1 This report examines the strategy implementation journey of the past 12 months, through its successes and failures, and puts forward recommendations for government to help ensure that Australia’s government, businesses and citizens can reach their cyber potential and thrive in the digital age.
The past 12 months has seen significant encouraging progress towards the goals of the strategy, thanks to commitment from both the government and the private sector. Efforts towards public and private sector collaboration have most notably manifested in the co‑design of the ASX 100 cyber health checks and the launch of the pilot Joint Cyber Security Centre. This cross‑sectoral cooperation hasn’t been limited to addressing cyber threats but has also focused on developing Australia’s digital economy. Government has been boosting the maturation of the domestic cyber start‑up community through the Australia Cyber Security Growth Network and international Austrade ‘landing pads’. Initiatives to attract, educate and diversify the country’s cyber workforce to ensure the sustainability of Australia’s cyber industry have also commenced.
The strategy called for the appointment of a new cyber leadership: a ministerial position and three key public service positions that lead cyber policy development on domestic, international and operational issues. This new cyber governance structure was put in place to drive the delivery of initiatives that contribute towards the strategy’s five themes: strong cyber defences; global responsibility and influence; growth and innovation; a cyber smart nation; and a national cyber partnership.
Cyber issues have been afforded increasingly high levels of profile and transparency in the past year. Cyber Security Special Adviser to the Prime Minister Alastair MacGibbon’s active engagement with media has helped make cybersecurity a front‑page issue, while the Minister Assisting the Prime Minister for Cyber Security, the Hon. Dan Tehan MP, has made elevating the visibility of the public–private partnership his priority. Despite a delayed appointment, the new Ambassador for Cyber Affairs has hit the ground running and looks set to drive Australia’s regional leadership and international engagement on cyber issues to new heights. At the same time, the government’s greater transparency on Australia’s cyber threats, incidents and capabilities has been a positive development for the country’s cyber maturity.
However, the strategy’s implementation has certainly faced its fair share of challenges and setbacks as well. Progress towards a national cyber partnership has been undermined by the ad hoc nature of government’s communications and insufficient expectation management with industry partners. While some companies could show more initiative, the government also needs to more clearly delineate the division of responsibility within the national cyber partnership.
The very design of the strategy has been an obstacle to its implementation. Some of the document’s outcomes are not quantifiable, so confidently measuring success is impossible. Many of the outcomes that are practically measurable are framed in terms of a relative change but are put forward without supporting baseline information necessary to measure progress. Disappointingly, the government’s failure to enact a communications strategy associated with the strategy’s implementation has meant that a coherent and comprehensive narrative on implementation success has yet to be developed. This is not surprising, given that the human and financial resources afforded to the Department of the Prime Minister and Cabinet are simply not commensurate with the size and importance of the task.
Ultimately, some developments this year have been humbling litmus tests for the additional work that needs to be done to improve Australia’s cyber posture. The results from a March 2017 ANAO audit of government departments revealed that a sub‑par standard of cybersecurity was still in play in key agencies, raising questions about the take‑up of the strategy’s principles on the ground in government. The infamous 2016 #censusfail also revealed the pain points of Australia’s cyber incident response capability, with inconsistent messaging coming straight to the fore.
That said, the confluence of leadership focus, the media spotlight and a mutual desire for public–private partnership means that the scene is set for Australia to learn from these implementation lessons and collectively move forward, committed to building on the successes of the past year.
1 Department of the Prime Minister and Cabinet, Australia’s Cyber Security Strategy, 21 April 2016, p. 5, online.
03
INTRODUCTION
The release of the Australian Government’s Cyber Security Strategy on 21 April 2016 was welcomed by many as an important and necessary step in the evolution of cybersecurity in Australia. The new strategy broke a seven‑year government silence on cyber policy issues since the launch of the 2009 Cyber Security Strategy penned by the Attorney‑General’s Department.2 Since 2009, Australian governments have continued to tinker with the country’s cybersecurity arrangements but haven’t had a detailed and comprehensive plan on how to address the security and economic policy issues presented by the digital age.
Kevin Rudd’s 2009 Defence White Paper emphasised the ‘emerging threat’ of ‘cyber warfare’ and established the Cyber Security Operations Centre in what was then the Defence Signals Directorate.3 However, Rudd’s anticipated Cyber White Paper failed to emerge after Julia Gillard took the prime ministership in 2010—a transition that pushed back a review of the government’s cyber strategy until the current iteration. Gillard’s tenure did see the transfer of cyber policy authority from the Attorney‑General’s Department to the Department of the Prime Minister and Cabinet (PM&C) in 2011, although it was hidden in the notes of a broader speech about a cabinet reshuffle, and her 2013 National Security Strategy created the multiagency Australian Cyber Security Centre (ACSC).4 Meanwhile, other countries took leaps in best practice: the US launched two separate cyber strategies and the UK released cyber strategy documentation every year during that period.
The comparative absence of comprehensive cyber policy direction in Australia meant that the 2016 strategy had a significant void to fill. It needed to provide clarity on national cyber governance, boost confidence in cyber defences and stimulate cyber industry. Engaging the Australian private sector and public in a conversation about cyber policy and security was vital for national prosperity. Following a review of Australia’s cyber governance and policy issues, the strategy’s development was conducted by PM&C, advised by a panel of cybersecurity and business experts from Australia, the US and the UK. The projected release of the strategy in 2015 was significantly delayed by the ascension of Malcolm Turnbull to the prime ministership. However, the personal priority placed on the issue by Turnbull arguably elevated the public profile and political significance of the strategy when it was eventually launched in April 2016. Since that time, there’s been significant activity both in and outside government on delivering the programs initiated by the strategy.
This report provides an accessible and critical appraisal of the government’s implementation of the strategy over the past 12 months. Section 1 addresses each of the strategy’s five themes, highlighting achievements and areas of weakness. Section 2 evaluates issues of execution, and Section 3 suggests ways to evolve the delivery and initiatives of the strategy to achieve its objectives. In addition to analyses of major themes, the report includes a table showing a detailed breakdown of progress against each initiative in the strategy’s Action Plan, and another that examines the funding provided to achieve the objectives of the strategy.
2 Attorney‑General’s Department, Cyber Security Strategy, 2009, online.
3 Department of Defence, Defending Australia in the Asia–Pacific century: Force 2030, 2009, online.
4 ‘Australian cyber security centre to be established’, media release, Department of Defence, 24 January 2013, online; ‘Changes to the ministry’, media release, Department of the Prime Minister & Cabinet, 12 December 2011, online.
04 AUSTRALIA’S CYBER SECURITY STRATEGY: EXECUTION & EVOLUTION
SECTION 1: STRATEGY THEMES
The Cyber Security Strategy is divided into five major themes: strong cyber defences; global responsibility and influence; growth and innovation; a cyber smart nation; and a national cyber partnership. The themes are interdependent, but divide the strategy into more manageable and structured lines of effort towards achieving the strategy’s overall goal of ‘enabling innovation, growth and prosperity for all Australians through strong cyber security’.5
This conceptual framework is accompanied by an Action Plan outlining the individual steps that will be taken to realise the government’s strategic goals. The ambitious list includes 33 initiatives, some of which were originally announced in the National Innovation and Science Agenda (NISA) in December 2015, and was allocated a funding package of $230 million for the next four years.
The following is a perception audit of the implementation of the strategy since April 2016. The analysis is based only on publicly available information and stakeholder perspectives on strategy delivery achievements and obstacles. We acknowledge that additional steps may have been made by government behind the scenes, but those activities fall outside the scope of this report, which is focused on increasing transparency about cyber policy developments from the perspective of the Australian general public, the private sector and academia. This discussion is also not intended to be exhaustive, but a more detailed breakdown of government progress against each action is in Appendix 1.
1. STRONG CYBER DEFENCESAchieving a greater level of cybersecurity for Australia is one of the key overarching goals of the strategy and is necessary to ensure our national security and economic prosperity now and into the future. This task is multifaceted, and coordinated action is needed to improve both the security of government networks and the security of Australian businesses and individuals.
The Defence Department, specifically the Australian Signals Directorate (ASD), retains its leading role in safeguarding the Australian Government both through direct operational involvement in cybersecurity and through setting government cybersecurity standards. While some of ASD’s work is necessarily secret, other areas are not, and the update of the its strategies to mitigate targeted cyber intrusions from the ‘Top 4’ to the ‘Essential 8’ is a clear example of the agency’s critical role in Australia’s national adaptation to evolving cyber threats.6
The 2016 Defence White Paper’s provision of $300–400 million funding for cybersecurity over 10 years will significantly assist Defence in this task. Not only will this facilitate the development of new technologies to monitor and defend Australia’s networks, but the resources will help support the growth of its cyber workforce, which is essential to deliver this task. Similarly, efforts are underway to increase the capacity of CERT Australia and the Australian Criminal Intelligence Commission—a positive step for the country’s cyber defences.
There have been increases not only in cyber defence capability but also in the maturity of Australia’s transparency on its cyber posture and defences. The launch of the strategy was paired with Prime Minster Turnbull’s announcement that Australia has an offensive cyber capability within ASD, and led to further discussion of the use of that capability against Islamic State in November 2016.7 In addition, the release of the second annual ACSC Threat report provided increased transparency on the threats Australia faces and manages and the restrictions on the use of offensive capability. These developments have had a positive effect on Australia’s efforts to build confidence and reduce the risk of conflict through greater transparency in the region.
Another key aspect of this theme is the delivery of joint cyber security centres in capital cities. Government is making steps towards this goal: the first of the centres was launched in Brisbane in February 2017, and more are expected to follow
5 PM&C, Australia’s Cyber Security Strategy, 21 April 2016, p5, online.
6 Strategies to mitigate cyber security incidents, Australian Signals Directorate, February 2017, online.
7 ‘Launch of Australia’s Cyber Security Strategy’, Prime Minister of Australia, April 21 2016, online; ‘Australia launches cyber war against Islamic State’, Australian Financial Review, 22 November 2016, online.
05
later this year. Industry has welcomed the project and invested in its delivery, but there’s been some frustration about the speed of delivery. Bureaucratic slowness, lengthy discussions and a focus on CEO‑level approvals risks disengagement by private‑sector partners who have invested time and human resources. This seems to be a symptom of the government’s desire to have the pilot centre emerge fully formed, when an iterative approach that is faster would be more appropriate.
The co‑design of cyber health checks for ASX 100 companies is another positive achievement in the first 12 months of the strategy. Further efforts to roll the checks out to mid-tier companies should be considered as a next step towards stronger cyber defence of Australia’s private sector. The expected work to deliver the co‑designed cybersecurity good practice guidelines will build upon this effort when it is completed. This is a complex problem, as many of these companies face some severe cyber challenges but don’t have the internal capacity and resources to address them. This gap is more significant after increased regulatory requirements under new mandatory data breach notification legislation. Stakeholder feedback also indicates that future iterations of projects such as the ASX 100 health checks would benefit from using a split-survey design, in which questions on strategic management and risk issues go to company boards and chief executives, while operational questions are reserved for chief information security officers or their equivalents.
Another important step towards delivering stronger cyber defences is the new Critical Infrastructure Centre in the Attorney-General’s Department. While not officially part of the Cyber Security Strategy, this initiative will help to achieve a stronger cybersecurity posture for Australia’s critical infrastructure. There’s currently only limited information publicly available on the centre, and greater transparency about its role for the cybersecurity of critical infrastructure would be welcome.
Unfortunately, a recent ANAO audit found that two key government departments have failed to fully implement the Top 4 mitigation strategies effectively and claimed that there was ‘insufficient protection against cyber attacks from external sources’.8 This finding and concerns over the 2015 Bureau of Meteorology hack mean that greater incentives and penalties must be established to ensure that government agencies meet their minimum cybersecurity standards. Doing so is essential for the government to lead by example by ‘raising the bar’ on this important issue.
Text Box 1: A new cyber governance structureA key element of the government’s effort to improve Australia’s cyber posture was the establishment of ‘clear roles and responsibilities’. The Cyber Security Strategy included the establishment of the role of the Minister Assisting the Prime Minister for Cyber Security, who supports the Prime Minister and engages directly with business leaders to deliver initiatives. This was paired with the creation of a new governance structure: a trio of cyber leadership positions spanning domestic policy, foreign affairs and operations. Clive Lines has continued to lead on Australia’s cyber operations as the Coordinator of the Australian Cyber Security Centre, but the establishment of the new roles meant there was a need to find the right people for those jobs.
The first new role to be filled was that of the Special Adviser on Cyber Security, which was taken up by Alastair MacGibbon in May 2016. He has taken the lead on cyber policy development, spearheading coordination across departments in an effort to achieve a whole-of-government direction. Unfortunately, the relatively nascent public understanding of cyber issues in Australia has made it necessary for him to spend a significant portion of his time on front‑facing public advocacy and media engagement, potentially at the cost of driving implementation at the coalface. In the face of this challenge, the Special Adviser has shown himself to be an energetic spokesman, demonstrating a pleasing level of transparency in his Census inquiry and agitating for change across the Australian Government.9
The Hon. Dan Tehan MP filled the Minister Assisting role in July 2016, and since that time has done a great job in regaining some of the momentum lost due to the length of the caretaker period in the months following the release of the strategy. He has successfully elevated public visibility of cyber issues through a full itinerary of speaking engagements and events. Unfortunately, the need to juggle the minister’s commitments on cyber matters and his additional portfolios has limited the depth and detail to which he can delve into cyber policy. However, he has made a concerted effort to engage with industry on the topic, demonstrating government endorsement behind initiatives that industry has taken and advocating for broader participation in the effort. His quarterly meetings with business leaders are seen by industry to offer a good avenue for practical discussions on public–private partnership, and as a necessary complement to the high‑level meetings with the Prime Minister.
8 Cybersecurity follow-up audit, Australian National Audit Office, 15 March 2017, online.
9 Alastair MacGibbon, Review of the events surrounding the 2016 eCensus: Improving institutional cyber security culture and practices across the Australian government, Office of the Cyber Security Special Adviser, 13 October 2016, online.
06 AUSTRALIA’S CYBER SECURITY STRATEGY: EXECUTION & EVOLUTION
Dr Tobias Feakin stepped into the role of Australia’s first Ambassador for Cyber Affairs in January 2017. His position within the Department of Foreign Affairs and Trade is a promising development for Australia’s cyber leadership in the region; however, his appointment a full eight months after the launch of the strategy has left him with a lot of catch‑up to do.
Broadly, this new governance structure has enabled the Australian Government to adopt a more coordinated approach to cyber issues across government. The establishment of key leadership positions has also gradually given a new voice to cyber issues, both for the Australian public and the region more broadly. It is under this governance umbrella that the goals of the strategy have been pursued, with varying degrees of success, over the past 12 months.
Prime Minister
The Hon. Malcolm Turnbull MP
Minister for Foreign Affairs
The Hon. Julie Bishop MP
Minister assisting the PM on Cyber Security
The Hon. Dan Tehan MP
Minister for Defence
Senator the Hon. Marise Payne
Cyber Security Board
Ambassador for Cyber Affairs
Tobias Feakin
Department of Foreign Affairs and Trade
Special Adviser on Cyber Security
Alastair MacGibbon
Department of the Prime Minister & Cabinet
ACSC Coordinator
Clive Lines
Department of Defence
2. GLOBAL RESPONSIBILITY AND INFLUENCEThe Cyber Security Strategy astutely acknowledges the global nature of cyber issues and the associated importance of Australia undertaking a sophisticated international engagement strategy to promote and protect the nation’s interests abroad. Unfortunately, the delayed appointment of the Ambassador for Cyber Affairs has hampered DFAT’s ability to make many gains in cyber diplomacy since the launch of the strategy.
There’s optimism that the appointment of Tobias Feakin as the Ambassador is a good step in the right direction on this front. Since taking up the role in January, Feakin has established DFAT’s new Cyber Cooperation Program, a capacity building funding program that’s part of Australia’s official development assistance. The Ambassador is currently drafting a stand‑alone International Cyber Engagement Strategy, with an open call for submissions, to ensure that Australia’s efforts in this area are coordinated and effective.
Industry is already taking some action on international cyber issues, raising capacity around the region as a way of developing new and secure areas in which to conduct business. It’s important that Australia’s goal of a ‘national cyber partnership’ with the private sector is reflected in international efforts. The Australian private sector’s knowledge and
07
overseas networks need to be leveraged to ensure that Australia’s global cyber influence reaches its full potential. However, while the private sector is a force multiplier, in many cases government-endorsed efforts generate greater traction on the ground, so government must take a leading role to guide and coordinate Australia’s cross-sectoral efforts in the international arena.
A key function of the forthcoming International Cyber Engagement Strategy will be to outline Australia’s approach and priorities in regional cyber capacity building. In this sense, another sector with which the Ambassador should engage is the aid and development community, ensuring that lessons learned in that field are leveraged to inform the international strategy. A principle-based approach to capacity building should be adopted, including an effort to integrate cyber policy and development expertise, an increase in national and international coordination, and the creation of a sustainable and iterative approach to elevating cyber maturity in the region.10
3. GROWTH AND INNOVATIONThe strategy’s ‘growth and innovation’ theme acknowledges that cyberspace offers significant scope for economic growth and diversification. This is also addressed at a larger scale in the NISA, a $1 billion program announced in late 2015, which includes several initiatives that directly support the achievement of the strategy’s goals.
The establishment of the Australian Cyber Security Growth Network (ACSGN) in December 2016 is a positive indication of action to better support the growth of Australian cyber companies. With support from Austrade, the ACSGN has supported engagement between Australian companies and the broader international cyber ecosystem, facilitating a delegation of 26 companies to visit the US for the RSA Conference and a separate delegation to attend Austrade’s 2016 Australia–US Industry Week. The ACGSN also appears to be building strong links with CSIRO’s Data61, which has a significant budget of over $70 million (see Table 6 in Appendix 2), to support cyber‑related research and development. Austrade’s Cyber security industry capability report is also a positive step towards increasing global interest in purchasing and investing in Australia’s cybersecurity industry.
While the additional funding for cybersecurity research and support for cyber industries is welcome, stakeholder feedback has been critical of the apparently uncoordinated nature of some investment. Academic researchers, industry vendors and ‘expert’ consultants understand that there’s never been a more lucrative time to talk about cyber issues, and greater oversight is needed to distinguish the most appropriate avenues for investment from opportunistic schemes. This process should ensure that there’s a focus on achieving practical outcomes, not just a desire to demonstrate investment more generally.
The desire to increase the number of Australian cybersecurity businesses and exports and investment in Australian cyber services is admirable. However, the data necessary to assess the success or otherwise of this kind of goal is not yet available, and it’s unclear whether anyone is collecting the information to enable that assessment. Steps towards baselining status quo industry statistics will be necessary to determine what success looks like on this front.
4. A CYBER SMART NATIONWithout the people needed to fill cybersecurity jobs, and without a well-informed population, Australia faces a bleak cyber future. Initiatives under this theme seek to increase cyber skills and knowledge across the board and at all levels of sophistication. This theme can be broken into three pieces: building public awareness, developing a skilled workforce, and increasing the diversity of that workforce.
Public awarenessPre‑strategy public awareness campaigns have continued largely unaltered, but it’s not clear that any work has been done to assess the efficacy of those campaigns and their continued utility. Public awareness campaigns such as Stay Smart Online need to be designed and expanded to create real behavioural change in order to make Australian society more cybersecure by habit.
This shouldn’t involve just promoting the same facts all over again. In many cases, the issue isn’t an absence of information about cyber risk but the lack of compelling engagement on what to do about it. The too common trade-off in technology between security and convenience leaves many people informed but unmotivated. Establishing innovative ways to operationalise public cybersecurity awareness into real behaviour change will require innovative approaches.
10 Mirko Hohmann, Alexander Pirang, Thorsten Benner, Advancing cybersecurity capacity building: implementing a principle-based approach, Global Public Policy Institute, March 2017, online.
08 AUSTRALIA’S CYBER SECURITY STRATEGY: EXECUTION & EVOLUTION
Rather than mass awareness campaigns, government’s limited resources may be better spent leveraging existing trust relationships in the community to inspire a shift in perspective. This should first involve bringing together cross-disciplinary experts such as psychologists and technologists to strategise about how to effectively market truly ‘usable security’ concepts. This should go beyond threat information and cyber hygiene tips and instead more persuasively make the case for a fundamental change in mindset in which proper cybersecurity practice isn’t seen as a difficult and optional chore but as a new normal way of life. Tapping into established networks of community ‘influencers’ may be an effective method by which to propagate the concept; for example, there are lessons to be learned from the breast-cancer awareness efforts that have been run through hairdressers’ salons.11
Growing the cyber workforceEfforts to grow and diversify the cyber workforce will also be critical, and there have been positive developments towards that goal. The beginning of the process to establish academic centres of cyber excellence in February 2017 is a positive step; however, the funding available for this initiative is quite limited ($1.9 million over four years) and the inclusion of industry, for whom the graduates are being produced, appears to be haphazard at times.
In the past 12 months, there’s been some growth in the number of tertiary courses focusing on cyber issues in Australia. The Australian Cyber Security Challenge continues to be a positive avenue through which to engage students on cybersecurity concepts, and efforts are underway to expand the scope of its activities. A potential expansion concept to aspire to could be a series of state/territory Cyber Security Challenges throughout the year, culminating in an annual Canberra‑based national finale challenge.
At the same time, initiatives under the NISA are underway to boost digital literacy in primary and secondary schools and to incentivise further study in science, technology, engineering and mathematics (STEM) subjects. Naturally, it’ll be several years before these students will graduate and be available to the workforce, and there’s currently no clear baselining by which to judge any increase in the numbers or skills of graduates when they do. Undertaking and publishing research on cyber education and employment is an essential part of ensuring that this outcome is achieved effectively.
Cyber workforce diversityThe government has made noticeable efforts to increase the representation of women in the cyber industry in the past 12 months. Ensuring that women are aware of and have access to this career path is a vital ingredient in mitigating Australia’s impending cyber workforce shortfall. The government has been proactively tackling the issue, building a ‘women in cyber’ component into the 2016 Australian Cyber Security Challenge, supporting female STEM students through NISA initiatives, and hosting events with women in the cyber industry to identify ways to improve female participation in the field.
Solving both the gender representation issue and the workforce shortage more generally essentially comes down to breaking two misconceptions. The first is that women can’t or shouldn’t take on technical roles; the second, which is arguably less discussed, is that the cyber industry needs only technical people. So, while increasing the number of women equipped to fill technical roles is a necessary ingredient for improving Australia’s cyber workforce, it’s certainly not sufficient. This isn’t just a technology problem: in many ways it’s a social problem, and Australia will flounder without diversity of skills in its cyber industry. The government needs to promote the fact that we also need informed legal minds, policy experts, communications specialists, psychologists and business risk managers. This should be done through broader engagement with universities outside of the STEM communities in order to tap into a wider range of skill sets. Government should consider incorporating a policy and governance element into the Australian Cyber Security Challenge in order to acknowledge the important role that such skills play in the cyber ecosystem and thus prompt young people from different backgrounds to consider a career in cyber policy.
5. A NATIONAL CYBER PARTNERSHIPAchieving the outcomes under the first four themes of the strategy is underpinned by efforts to create a joint leadership model for cybersecurity between the public and private sectors. This reflects the multistakeholder nature of cyberspace, the scope of the challenges and the most efficient use of resources to address a shared problem. In this way, the strategy is a ‘call to arms’ for Australia. There’s been significant activity in response, and both sectors have shown a genuine intention to collaborate. There’s a strong sense of goodwill among the private sector and a willingness to collaborate with government from initiative endorsement to design and even funding, so now is a great time to capitalise on the partnership.
11 Health Western New South Wales, ‘Bosom buddies booming across Western NSW’, Health Western NSW, 14 September 2014, online; Lei Mei Li, ‘A place for bosom buddies: salons spread awareness about cancer’, The Star, 21 March 2014, online.
09
Unfortunately, issues of communication, expectation management and a lack of clarity on roles and responsibilities between sectors have somewhat undermined the benefits of that goodwill. Positive steps so far, and some of the issues noted above, are addressed in more detail below.
Senior engagement on cyber issuesAs noted above, government leaders including Dan Tehan and Alastair MacGibbon have significantly improved the seniority, consistency and scope of engagement on cybersecurity with the private sector. In particular, Dan Tehan’s initiative to establish quarterly industry meetings as a precursor to the annual meeting with the Prime Minister has been a welcome indication of the seriousness with which the government approaches engagement with the private sector. Similarly, Alastair MacGibbon has been an active and engaged advocate on cybersecurity issues, and his outgoing nature has helped to retain goodwill when there have been delays.
Threat information sharingGovernment and the private sector have a mutual interest in sharing cyber threat intelligence effectively. The strategy lays out several initiatives to enhance this cross-sectoral flow of information, most notably through the establishment of a network of joint cyber security centres (JCSCs) and an online cyber threat sharing portal. This is a positive indication that the government is serious about improving the quality of information shared between itself and industry.
The official opening of the first JCSC in Brisbane in February 2017 is a good step in the right direction and demonstrates government follow‑through on a strategy initiative. While industry advocated for a Sydney or Melbourne JCSC pilot, there are high hopes that a successful test centre in Brisbane will build the case for rollouts of JCSCs in the southern capitals. Media commentary indicates that the development of the threat sharing portal is underway but not yet complete.12
The November 2016 announcement of the relocation of the ACSC from the ASIO building to Brindabella Park was an encouraging acknowledgement that the national cyber partnership between government and industry couldn’t achieve its full potential as long as the centre was contained within a high-security building. The swift execution of this move and the follow-through effort to deepen private-sector engagement will boost the success of the ACSC.
Some significant cultural hurdles on both sides must be overcome before the benefit of these developments can be truly realised. There’s a perception among private-sector stakeholders that offering their information to the ACSC doesn’t necessarily elicit a reciprocal information exchange from within government. This expectation of a one‑directional transfer of data is undermining the business case for industry to get involved, and work needs to be done to build trust in reciprocity. In this sense, culture is still a bigger issue than geography or security limitations.
Communications and expectation managementThe government has made a concerted effort to canvass private-sector perspectives on certain cyber issues and has used those insights to shape the delivery of various strategy initiatives. This is a positive development, as it shows an acknowledgement of industry experience and expertise on the topic.
However, true partnership is built on more than a one‑time data collection exercise. It relies on frank, frequent and reciprocal communication. Stakeholder interviews have indicated that there’s often a lack of follow-through from government interlocutors on strategy implementation issues. Information on timelines and priorities has been difficult to obtain, and consultation has been followed by long delays in action or communication. Many stakeholders expressed a keen desire for more frequent communications with government, even when there’s no substantive action to report. There needs to be more outward data distribution from government in the form of updates and follow‑ups to the private sector, notifying it of achievements, potential delays or priority shifts.
Ensuring that this type of sustained two‑directional dialogue is achieved means moving away from ad hoc engagements and towards a structured system of communication with industry. Simple concepts such as a weekly newsletter available by subscription could offer a go-to source of information for interested private-sector partners. The NISA offers an email update service, and the newly established ACSGN has created the option to become a ‘Friend of the Network’.
This is a useful mechanism by which to increase transparency. The government should consider establishing a similar mass update function dedicated to the implementation of strategy initiatives. This kind of regular, routine update could explain the reasons for an absence of action or delays or, if not, at least confirm that work on implementation is continuing to some extent, or when it’s expected to commence. Furthermore, stronger communications from government to stakeholders may help to clarify lead agencies and individuals with responsibility for particular actions. Some stakeholders are unfamiliar with
12 ‘Government launches Joint Cyber Security Centre in Brisbane’, Computer World, 24 February 2017, online.
10 AUSTRALIA’S CYBER SECURITY STRATEGY: EXECUTION & EVOLUTION
government practices, and the clarification of expected timelines, responsibilities and processes may assuage many of the concerns expressed during our stakeholder consultation about progress on the strategy.
Delineation of responsibilityThe importance of cyber policy issues and their ubiquity across the government, private and civil sectors highlight the necessity of the strategy’s national cyber partnership approach. In practical terms, the concept of co‑leadership means that the private sector should take on some responsibility for the implementation of the strategy. By extension, both the public and the private sectors should be held accountable to some extent for the success or failure of the strategy.
However, the exact division of responsibility between government and the private sector for advancing Australia’s cyber maturity is difficult to define. While the intent for the private sector to be a partner of government has been expressed in the strategy and associated rhetoric, stakeholders have voiced frustrations that there’s insufficient clarity on exactly where and how they should step in.
While both the public and the private sectors are eager for more involvement from the other, the strategy ultimately remains a government document. As such, it would be most effective if government, in consultation with stakeholders, were to ascribe leadership roles for certain initiatives to particular industries or organisations that have a specific interest in achieving the outcome. This sort of clear division of responsibility would enable companies to plan, invest and take action accordingly, ideally resulting in an alleviated implementation burden for government.
This approach will also require a higher degree of proactive engagement from the private sector across the board. Large companies have the opportunity to play a coordinating role for groups of companies that share an interest in specific initiatives in order to streamline industry collaboration with government. Clearer government guidance on useful areas for private‑sector action will give companies a clear window to take ownership of an endeavour, allowing private‑sector underparticipation to be more effectively identified.
11
Text Box 2: Measuring effectivenessMeasuring the effectiveness of the Strategy’s 33 initiatives is critical to understanding if they are achieving the desired outcomes. This requires the collection of qualitative and quantitative data, prompting the Strategy’s commitment to ‘Sponsor research to better understand the cost of malicious cyber activity to the Australian economy’. However despite its criticality to assessing the effectiveness of Strategy initiatives, the first annual update notes that work on this has only reached the initial scoping stage of new research efforts. It also notes that this will be done in conjunction with the private sector. The private sector already has a significant body of highly relevant data that can be used to assess the growth of cybercrime issues such as phishing in Australia.
The information below, provided by online brand protection company MarkMonitor, shows the volume of phishing attacks on the ‘Big Four’ Australian banks detected by MarkMonitor in 2015 and 2016. The graph shows worldwide phishing attack trends in 2016 compared to 2017.
Government should look to leverage data collection capabilities that already exist in the private sector when pursuing their national research efforts.
TABLE 1: PHISHING ATTACKS AUSTRALIAN FINANCIAL INSTITUTIONS
Organizations Industry Estimated Detection Volume 2015
Estimated Detection Volume 2016
ANZ Banking Financial 2,233 2474
Westpac Bank Financial 1,411 4547
National Australia Bank Financial 1,941 3006
Commonwealth Bank Financial 761 930
FIGURE 1: PHISHING ATTACK TRENDS WORLDWIDE
Information supplied by MarkMonitor. The data may not reflect all data available.
12 AUSTRALIA’S CYBER SECURITY STRATEGY: EXECUTION & EVOLUTION
SECTION 2: IMPLEMENTATION CHALLENGES AND IMPROVEMENTS
This section discusses the overarching challenges identified in the above assessment of strategy implementation under its distinct themes. The following gap analysis informs discussion of recommended improvements to facilitate the implementation of the strategy in Section 3. Overall, we have found that the speed of delivery, poor communications and human resource limitations have affected implementation.
SPEED OF DELIVERYThe strategy’s Action Plan shows that significant attention was paid during its development to how the objectives of the strategy would be realised. Unfortunately, the extended caretaker period associated with the 2016 federal election and the subsequent adjustments within the ministry and government meant that there was a noticeable lull during which little happened after the strategy’s launch. While this delay was unavoidable, it meant that the strategy’s implementation and the progress of Australian cyber policy were behind the strategy’s (nonexistent) schedule before it even began.
Since that time, there’s been significant effort to implement the Action Plan, which has delivered on several outcomes, as demonstrated in Appendix 1. However, the absence of an initiative delivery timeline has undermined clarity and led to different expectations of implementation speed in the public and private sectors, stoking concerns about the government’s commitment to implementation. The lack of detailed information on this front means that there’s no indication of how fast and in what order things will be done, other than from inferences that can be drawn from the observation that funding is allocated across the forward estimates to 2019–20 (see Appendix 2 for details).
A detailed delivery timeline would be a useful way to communicate to industry and civil society specifically which areas the government considers as priorities for immediate implementation and which ones it deems to be more long‑term goals. Without this guidance, stakeholders have less information with which to prepare their contribution to, or participation in, particular initiatives. Communicating a timeline would lead to greater coordination of resources and facilitate a more efficient delivery of the strategy, with all parties working in concert to achieve shared goals with clear priorities.
Failure to provide a timeline has opened the government up to criticism, since stakeholders are left with nothing but their own expectation against which to judge the pace of activity. There’s a perception among stakeholders that implementation is slow and that the speed of tangible on‑the‑ground delivery isn’t yet commensurate with the importance of the issue or reflective of the government’s narrative of urgency.
Minister Tehan recently offered his assurance that the government was ‘making implementation of the strategy ahead of time a priority’ in the light of the pace of change in cybersecurity developments.13 However, this promise to deliver outcomes ahead of schedule remains vague when there’s no clear original timeline against which to test it. The government needs to develop a clear road map with timelines, milestones and deliverables. Separate annual implementation plans for each strategy theme could be a helpful way to articulate the practical how, when and who of each initiative. Releasing annual iterations will ensure that the approach evolves with the environment and that stakeholders always have an up‑to‑date understanding of implementation expectations.
13 Annabel Hepworth, ‘Dan Tehan ramps up cyber strategy to get ahead of threat to power’, The Australian, 9 March 2017, online.
13
ANNUAL UPDATES AND MEASURING SUCCESS The Strategy committed government to publish an annual update on progress of the Strategy, the first of which was published on 19th April 2017. The update provides summaries of actions taken so far, work planned for the next 12 months, and identifies a few areas in which it intends to make improvements. However it is almost devoid of critical self-assessment, and its approach to the review process is flawed.
The update outlines a plan to publish a ‘view of the cyber security ecosystem’ to overcome structural ambiguity within government and ‘mature its communication channels’ to address the paucity of regular public updates. It also flags the intention to release an update of the 2013 National Plan to Combat Cybercrime, and a greater focus on small business. There are plans to improve coordination between the federal and state and territory governments, and the private sector to make Australia’s critical national infrastructure cyber secure, led by the new Critical Infrastructure Centre within the Attorney‑General’s Department, along with the ACSC.
Unfortunately, the update is artfully forgiving. For example, it refers to government cyber security audits by the Australian National Audit Office, but omits any reference to the audit’s worrying revelations of poor cyber resilience in key government agencies. It also relies on hypothetical victories, referring to a study that predicts an uptick in cybersecurity investment. However the study quoted makes the prediction based on a ‘shift in thinking around cyber security’ and ‘if Australia invests further in cyber security’ rather than on the current trajectory.
The general lack of transparency around strategy delivery timelines that plagued the past 12 months has carried into the first annual assessment and its table of progress on the 33 initiatives. The absence of timelines leaves the government room to mask underperformance, and means that promises to ‘accelerate’ or deliver initiatives ‘ahead of schedule’ hold very little meaning. Upon closer inspection of the table of progress, it’s obvious that its focus on actions, rather than outcomes is a critical methodological failing. Best practice policy evaluation recommends assessing the extent to which intended and unintended outcomes are achieved. Merely stating that an action was undertaken doesn’t clarify whether the desired effect was achieved, or if the action is still the most appropriate way to achieve the end goal. In doing so, an opportunity has been missed to explain what has changed because of Strategy implementation efforts.
Assessing the implementation of this strategy is impeded by the lack of clarity on exactly what success looks like, and how it could feasibly be measured for each outcome. For example, ‘all businesses benefit from cyber security solutions commercialised with Growth Centre support’ is so abstract as to be meaningless in terms of quantifiable progress produced by the time and money invested in the strategy.
Other outcomes in the strategy discuss variables that are quantifiable but rely on the measurement of a relative change—for example, ‘the number of cybersecurity graduates increases’. This reasonable aspiration is undermined by the absence of any data against which to measure the change. The government needs to publish baseline research on these indicators so that any positive future trend, or ‘success’, is identifiable. Doing so would not only make it possible to conduct cost–benefit analyses of certain strategy initiatives, but also assist the achievement of other initiatives aiming to increase the quantity and quality of Australian cybersecurity research.
COMMUNICATIONSActions speak louder than words, but a good communications strategy is vital in order to translate practical efforts and investments that the government has made into awareness and understanding among the general public, the media and civil society.
Cyber issues have certainly been given greater profile thanks to the strategy. Minister Tehan’s and Special Adviser Alastair MacGibbon’s advocacy, particularly on discussions about the importance of skill development and critical national infrastructure protection, has raised the importance of the issue for the Australian people. However, a good communications strategy doesn’t just mean volume, but establishing a narrative that’s both targeted and coordinated. As Appendix 1 suggests, there’s still a gap between the good work being done on strategy initiatives and the public perception of delivery. There’s scope for a more robust communications strategy within PM&C to create a consistent and proactive narrative informing the public of both strategy wins and delays.
Government also needs to be equipped to swiftly establish a coordinated communications strategy in response to any cyber incident that may arise. The #censusfail scenario revealed a plurality of narratives on the nature, severity and significance of a cyber incident that caught the nation’s attention. It was apparent that there wasn’t a pre-planned overarching communications strategy. Delivering a more coherent narrative and a unified government position is essential to sustain public confidence in the government’s approach to cyber issues. This is as important an asset for government as it is for the private sector. Establishing a more mature communications strategy development process that comes into play
14 AUSTRALIA’S CYBER SECURITY STRATEGY: EXECUTION & EVOLUTION
in the wake of a cyber incident, including an accurate and truthful description of what happened, common language, media management and a key spokesperson, will help to ensure that the government can convey its situation assessment and incident response intentions in the most reassuring and coherent manner possible.
HUMAN RESOURCESThe implementation of the strategy is a task of nationally significant scope and scale, but in practice there are precious few people tasked with driving its achievement. The government’s coordinating agency, PM&C, has a small team led by Alastair MacGibbon and focused on delivery. However, our budget assessment in Appendix 2 reveals that PM&C was not provided with any additional funding with which to implement the strategy. While we have made much of the positive effect of MacGibbon’s strong public profile, it may be that this has come at the expense of the time and effort needed to drive the internal leadership of the implementation. Leading the public commentary, developing policy and implementing the strategy are a nearly impossible task for the team with its existing size and scope. Expanding the team within PM&C to include more individuals, some with purely public‑facing roles and others with internally focused coordination responsibilities, may alleviate pressure and facilitate the achievement of the cybersecurity objectives.
Similarly, Minister Tehan has been an energetic advocate of cybersecurity issues, but his extensive portfolio, which also includes being Minister for Defence Personnel, Minister for Veterans’ Affairs and Minister Assisting the Prime Minister for the Centenary of Anzac, means that cybersecurity can’t be his primary focus. Achieving the significant work detailed in the strategy may demand the appointment of a minister focused solely on cybersecurity, or with somewhat less demanding additional portfolios than Mr Tehan currently manages.
FINANCIAL RESOURCESWhen the strategy was released, the government announced associated funding of ‘about’ $230 million, including $38 million of previously announced initiatives from the NISA. The analysis in Appendix 2 shows that this funding was certainly provided in the 2016–17 Budget, albeit largely through the redirection of existing Defence funding to other agencies and initiatives.
As noted above, achieving the strategy’s outcomes will require significant leadership and coordination from PM&C. It’s noteworthy, in the context of concerns about communications, the speed of delivery and the overloading of personnel in key leadership roles, that PM&C wasn’t provided with additional appropriation to manage the delivery of the strategy. Similarly, the Department of Foreign Affairs and Trade (DFAT) will also fund the $6.7 million announced in the strategy through the redirection of existing appropriation.
The pace of delivery of the strategy and stakeholder communications may be improved if funding for additional human resources can be provided to drive implementation at a quicker pace. If support can’t be increased, then it may be necessary to rationalise the initiatives, prioritise them based on need, and leverage the private sector more effectively.
There’s been some criticism of the amount of funding allocated for the delivery of the strategy. When the funding has been compared to the size of the task, questions have been raised as to whether it’s enough to support the strategy’s ambitions.14 While it’s important to make cyber budget comparisons to the US and the UK on a proportional rather than gross basis, Australia does spend less on cybersecurity that its allies.15 The long absence of strategic direction makes it somewhat understandable that funding may be tracking behind that of other countries that have been more consistent in their development of related policy. However, there are concerns that this is currently manifesting in a government willing but unable to deliver on the ambitious goals set out in the strategy.
This context makes the recommendation to better leverage private investment even more important to achieving the outcomes of the strategy. As noted elsewhere, this will require a more definitive division of responsibilities between the public and private sectors.
14 Greg Austin, Jill Slay, Australia’s response to advanced technology threats: an agenda for the next government, May 2016, online.
15 Zoe Hawkins, Liam Nevill, ‘National cyber budgets: same, same but different’, The Strategist, 16 June 2016, online.
15
SECTION 3: MOVING FORWARD—KEY RECOMMENDATIONS
The government is clearly committed to trying to deliver what it promised, but challenges remain that may undermine the success of action to achieve the strategy’s outcomes. In this section, we discuss a series of short‑, medium‑ and long‑term recommendations to improve the execution, adaptability and delivery of nationally important cybersecurity outcomes.
STRATEGY IMPLEMENTATION
Recommendation 1: Rapid adaptation and evolutionAlastair MacGibbon has previously advised that relying solely on a ‘tick box’ compliance culture is a limited approach to such a complex issue.16 The first annual update was an opportunity to take a more flexible and adaptive approach to the implementation of the Strategy. This should have been based on an assessment of the extent to which intended outcomes have been achieved so far, and changing focus where necessary. However the first annual update only seems to have assessed actions, not outcomes, and in doing so an opportunity has been missed to explain what has changed because of Strategy implementation efforts.
It’s important to follow through on government strategies, but it’s even more important to ensure that the measures that are being implemented are adapted to changes in the environment. Merely stating that an action was undertaken doesn’t clarify whether the desired effect was achieved, or if the action is still the most appropriate way to achieve the end goal. Instead, government should adopt a spiral development approach to the strategy, using future annual updates as an opportunity to abandon initiatives that no longer make sense and adding new ones as new opportunities or challenges arise. There’s a broad agreement with the stated objectives of the strategy, but a focus on execution and adaptation is necessary, evolving as our understanding of more effective and efficient methods and initiatives by which to achieve those objectives grows.
Recommendation 2: Measurable and time-bound annual action plansGovernment should review the Action Plan annually, possibly in connection with its quarterly and annual industry meetings. Releasing new theme-specific action plans that provide clear timeframes and measurable milestones for activity will enable implementation and private‑sector cooperation. It will also increase accountability among responsible government leaders and facilitate better expectation management for the private sector and general public.
Recommendation 3: Undertake baseline researchUnderstanding the effectiveness or otherwise of cybersecurity initiatives requires robust data to measure progress against. Funding should be provided to undertake and publish targeted strategy-specific research, which will improve the government’s ability to measure strategy success while boosting Australia’s cyber research portfolio.
PRIVATE-SECTOR ENGAGEMENT
Recommendation 4: More open communications with the private sectorCommunicating progress, or reasons for delays, will significantly facilitate the development of a trusted and execution‑driven national cybersecurity partnership. Measures such as quarterly threat reporting from the ACSC and regular strategy updates, potentially in the form of a newsletter, would give stakeholders confidence in the commitment to action and delivery.
16 Paris Cowan, ‘Govt undermined by “tick box” security culture: MacGibbon’, itnews, 23 March 2017, online.
16 AUSTRALIA’S CYBER SECURITY STRATEGY: EXECUTION & EVOLUTION
Recommendation 5: Define the division of leadership between sectorsThe strategy is a government‑developed, government‑owned document, but it is not solely the responsibility of government to deliver it under the partnership model. Working with industry to define which tasks government wants industry to deliver—and obtaining industry buy-in to do so—will further enable the delivery of outcomes and the growth of this partnership.
Recommendation 6: Better support for mid-tier and small to medium enterprisesThere’s likely to be an expectation that improved cybersecurity in the top end of town will trickle down to the mid‑tier, but evolving threats and government regulation make it unrealistic to expect that this will happen in the timeframe needed. Greater government support to help small and medium enterprises comply with incoming data breach notification legislation is required before the legislation takes effect. The government could consider measures taken to assist business with other regulatory transitions, such as the implementation of the GST, as examples of measures to provide practical assistance.
THE AUSTRALIAN PUBLIC
Recommendation 7: Better communications with the public in both implementation and crisesHaving a strong and coherent communications strategy for the Australian public is essential to the success of the strategy. This involves better coordination of front‑facing discussions on the implementation of the strategy. It’s also necessary to have the ability to quickly establish clear and accurate crisis communications should a cyber incident arise. This two-pronged effort should be supported by a greater communications capacity within PM&C.
Recommendation 8: Moving from public awareness to behavioural changeGrowing the cybersecurity understanding of the general public to the extent that there are obvious behavioural changes is a key way to achieve greater national security and reduce rates of cybercrime. New methods of education and awareness raising that change behaviours positively should be developed and implemented. The government should look for lessons learned from other awareness‑raising programs (for example, those focusing on breast cancer) that leverage existing trust relationships in the community to inspire a shift in mindset.
Recommendation 9: Broaden the conception of cyber skills shortages to include other necessary disciplinesThere’s a perception that cybersecurity is principally a technical issue and that therefore more technically skilled people are needed. While that’s true, it misses another piece of the puzzle: a growing industry needs a variety of disciplines to support technological advances comprehensively. When examining skills shortages, government should look beyond the technical community. Individuals with backgrounds in law, psychology, government studies, communications and many other disciplines have an important role to play in ensuring that Australia’s future cyber workforce is equipped to deal with the full spectrum of challenges that cyberspace presents. This should be reflected in broader engagement through education initiatives such as university careers fairs and Australia’s Cyber Security Challenge.
CYBER GOVERNANCE
Recommendation 10: Provide additional financial and human resources to strategy delivery rolesThe delivery of the Cyber Security Strategy demands a focus on execution and sufficient financial and human capital to manage implementation across many portfolios and private‑sector partners. Consideration should be given to supplementing personnel in these roles and providing additional support to senior leadership positions or rationalising their other tasks to facilitate a focus on the achievement of better cybersecurity outcomes.
Recommendation 11: The co-location model of the ACSC should be examined for use by policy agenciesThe evaluation of the strategy in this report reveals the dispersed leadership of many of the policy initiatives discussed. Elements of cyber policy responsibility are found in PM&C, the Department of Defence, DFAT, the Attorney‑General’s Department, and so on. This can be challenging for those responsible for coordinating the delivery of the initiatives. While an agency along the lines of Singapore’s Cyber Security Agency may not be the most appropriate response for the Australian Government, the co‑location of key personnel may help to streamline the delivery of policy initiatives and enhance engagement between policy agencies and the operational cyber areas of the government. It would also aid engagement with the private sector by providing a one-stop shop for engagement with the senior cyber officials in the Australian Government.
17
APPE
NDIX
1: P
ROGR
ESS
IN A
CHIE
VING
STR
ATEG
Y O
UTCO
MES
The
tabl
e be
low
pro
vide
s com
men
ts a
gain
st e
ach
of th
e 83
out
com
es p
rese
nted
in th
e Ac
tion
Plan
att
ache
d to
the
Cybe
r Sec
urity
Str
ateg
y, a
nd a
n as
sess
men
t of p
rogr
ess u
sing
col
our c
oded
ra
tings
. Whe
n re
view
ing
the
outc
omes
, not
e th
at th
e Ac
tion
Plan
has
bee
n de
vise
d in
the
cont
ext o
f at l
east
four
yea
rs o
f exp
ecte
d de
liver
y. T
here
fore
, it’s
to b
e ex
pect
ed th
at m
any
of th
e in
itiat
ives
won
’t ha
ve s
tart
ed y
et, a
s the
y re
ly o
n th
e ou
tcom
e of
oth
er w
ork,
or d
epar
tmen
ts m
ay n
ot y
et h
ave
the
capa
city
or b
udge
t to
com
men
ce th
em; t
hose
out
com
es a
re in
dica
ted
by
grey
in th
e ra
ting
colu
mn.
As m
entio
ned
in th
is re
port
, som
e of
the
stra
tegy
out
com
es a
re n
ot o
bjec
tivel
y m
easu
rabl
e; th
ose
outc
omes
hav
e be
en h
ighl
ight
ed b
y bl
ack
in th
e ra
ting
colu
mn.
KEY
Rati
ngDe
scri
ptio
n
Out
com
e ac
hiev
ed.
Sign
ifica
nt p
rogr
ess t
owar
ds a
chie
vem
ent.
Und
erw
ay, b
ut m
ore
wor
k is
requ
ired.
Not
sta
rted
.
Dep
ende
nt o
n ac
hiev
emen
t of o
utco
me.
Blac
kO
utco
me
is e
ither
unq
uant
ifiab
le, l
acks
an
indi
cato
r aga
inst
whi
ch
to m
easu
re p
rogr
ess,
or t
he in
form
atio
n is
not
pub
licly
ava
ilabl
e.
18 AUSTRALIA’S CYBER SECURITY STRATEGY: EXECUTION & EVOLUTION
NATI
ONAL
CYB
ER P
ARTN
ERSH
IPGo
al: G
over
nmen
ts, b
usin
esse
s and
the
rese
arch
com
mun
ity to
geth
er a
dvan
ce A
ustr
alia
’s cy
bers
ecur
ity.
Acti
onO
utco
me
Prog
ress
to d
ate
Rati
ng
1.
Del
iver
pro
gres
s upd
ates
on
the
impl
emen
tatio
n of
th
is s
trat
egy
a.
The
Gov
ernm
ent e
valu
ates
its i
mpl
emen
tatio
n pr
ogre
ss a
nd u
pdat
es th
is A
ctio
n Pl
an a
nnua
llyTh
e go
vern
men
t rel
ease
d th
e Fi
rst A
nnua
l Upd
ate
on 1
9 Ap
ril 2
017.
2.
Hol
d an
nual
cyb
er s
ecur
ity
lead
ers’
mee
tings
a.
The
Prim
e M
inis
ter a
nd b
usin
ess l
eade
rs s
et
the
stra
tegi
c cy
bers
ecur
ity a
gend
a an
d dr
ive
the
Cybe
r Sec
urity
Str
ateg
y’s i
mpl
emen
tatio
n fro
m th
e to
p do
wn
The
mee
ting
betw
een
the
Prim
e M
inis
ter a
nd b
usin
ess l
eade
rs to
ok p
lace
on
19 A
pril.
M
inis
ter T
ehan
has
als
o pl
edge
d qu
arte
rly m
eetin
gs, t
wo
of w
hich
hav
e be
en h
eld
so fa
r in
Dec
embe
r 201
6 an
d M
arch
201
7.
b.
Busi
ness
lead
ers a
nd th
e G
over
nmen
t are
eq
uipp
ed w
ith th
e in
form
atio
n th
ey n
eed
to
mak
e ap
prop
riate
inve
stm
ent a
nd b
usin
ess
deci
sion
s on
thei
r cyb
erse
curit
y, in
clud
ing
a co
llect
ive
unde
rsta
ndin
g of
em
ergi
ng c
yber
ch
alle
nges
The
gove
rnm
ent h
as a
ckno
wle
dged
the
impo
rtan
ce o
f im
prov
ing
the
info
rmat
ion
exch
ange
bet
wee
n th
e pr
ivat
e se
ctor
and
gov
ernm
ent o
n th
e to
pic
of c
yber
secu
rity
thro
ugh
the
Prim
e M
inis
ter’s
bus
ines
s lea
ders
’ mee
tings
, the
firs
t of w
hich
was
hel
d in
m
id-A
pril
2017
. Ann
ual m
eetin
gs a
re in
suffi
cien
tly fr
eque
nt to
ach
ieve
this
out
com
e,
give
n th
e pa
ce o
f cha
nge
in th
e cy
ber t
hrea
t env
ironm
ent,
so it
’s pl
easi
ng to
see
the
intr
oduc
tion
of M
inis
ter T
ehan
’s qu
arte
rly b
usin
ess r
ound
tabl
e to
fill
that
gap
. Tho
se
mee
tings
hav
e so
far b
een
held
in D
ecem
ber 2
016
and
Mar
ch 2
017.
The
cybe
rsec
urity
bus
ines
s gui
des p
ublis
hed
by S
tay
Smar
t Onl
ine
are
also
use
ful
info
rmat
ion
on g
ood
cybe
r pra
ctic
es, b
ut g
reat
er re
sear
ch n
eeds
to b
e un
dert
aken
for
gove
rnm
ent a
nd b
usin
ess l
eade
rs to
mak
e tr
uly
info
rmed
judg
emen
ts a
bout
the
cybe
r ris
k an
d in
vest
men
t dyn
amic
s in
Aust
ralia
.
19
Acti
onO
utco
me
Prog
ress
to d
ate
Rati
ng
3.
Stre
amlin
e th
e G
over
nmen
t’s c
yber
se
curit
y go
vern
ance
and
st
ruct
ures
a.
Gov
ernm
ent r
espo
nsib
ility
for c
yber
sec
urity
is
wel
l com
mun
icat
ed a
nd u
nder
stoo
d by
sta
keho
lder
s
The
appo
intm
ent o
f Min
iste
r Teh
an a
nd A
last
air M
acGi
bbon
has
pro
vide
d m
ore
clar
ity
abou
t cyb
er le
ader
ship
in th
e Au
stra
lian
Gov
ernm
ent.
Ther
e is
als
o th
e Cy
ber S
ecur
ity
Boar
d, c
haire
d by
the
Secr
etar
y of
PM
&C, b
ut it
s fun
ctio
ns a
nd a
ctiv
ities
are
opa
que.
G
over
nanc
e st
ruct
ures
and
the
divi
sion
of r
espo
nsib
ility
with
in g
over
nmen
t are
not
w
ell a
rtic
ulat
ed in
acc
essi
ble
docu
men
tatio
n, a
nd m
ore
wor
k ca
n be
don
e to
dem
ystif
y th
ose
stru
ctur
es fo
r the
pub
lic.
b.
The
Prim
e M
inis
ter a
ppoi
nts a
Min
iste
r As
sist
ing
the
Prim
e M
inis
ter o
n Cy
ber S
ecur
ityDa
n Te
han
MP
was
app
oint
ed th
e M
inis
ter A
ssis
ting
the
Prim
e M
inis
ter f
or C
yber
Se
curit
y on
18
July
201
6.
c.
The
Gov
ernm
ent’s
cyb
er s
ecur
ity o
pera
tions
ar
e co
ordi
nate
d, e
ffici
ent a
nd a
lign
with
st
rate
gic
prio
ritie
s
This
is d
iffic
ult t
o as
sess
from
an
exte
rnal
per
spec
tive,
but
reve
latio
ns in
the
seco
nd
annu
al A
CSC
Thre
at re
port
and
cyb
erse
curit
y au
dits
of g
over
nmen
t dep
artm
ents
by
the
ANAO
indi
cate
that
, whi
le th
e op
erat
iona
l res
pons
e is
str
ong,
dep
artm
ents
are
ofte
n fa
lling
beh
ind
in th
eir c
yber
secu
rity
oblig
atio
ns. T
he b
itter
exp
erie
nce
and
less
ons o
f #c
ensu
sfai
l hig
hlig
hted
that
ther
e’s s
till w
ork
to b
e do
ne to
refin
e th
e go
vern
men
t’s
cybe
r inc
iden
t res
pons
e ar
rang
emen
ts.
d.
The
Aust
ralia
n Cy
ber S
ecur
ity C
entr
e is
re
loca
ted
to a
faci
lity
that
allo
ws t
he C
entr
e to
gro
w a
nd e
nabl
es th
e G
over
nmen
t and
the
priv
ate
sect
or to
wor
k m
ore
effec
tivel
y
In N
ovem
ber 2
016,
the
gove
rnm
ent a
nnou
nced
pla
ns to
relo
cate
the
ACSC
from
the
ASIO
bui
ldin
g to
Brin
dabe
lla P
ark
at C
anbe
rra
Airp
ort b
y th
e en
d of
201
7.
4.
Spon
sor r
esea
rch
to b
ette
r un
ders
tand
the
cost
of
mal
icio
us c
yber
act
ivity
to
the
Aust
ralia
n ec
onom
y
a.
A be
tter
und
erst
andi
ng o
f the
eco
nom
ic
impa
ct o
f cyb
er c
ompr
omis
es to
the
Aust
ralia
n ec
onom
y is
dev
elop
ed
No
info
rmat
ion
on p
rogr
ess t
owar
ds th
is o
utco
me
was
dis
cove
red.
b.
Robu
st d
ata
is p
ublis
hed
that
supp
orts
in
form
ed d
ecis
ion
mak
ing
on c
yber
sec
urity
ris
k m
anag
emen
t and
inve
stm
ent
No
info
rmat
ion
on p
rogr
ess t
owar
ds th
is o
utco
me
was
dis
cove
red.
c.
Robu
st d
ata
is p
ublis
hed
that
impr
oves
th
e ab
ility
of o
rgan
isat
ions
to c
onsi
der t
he
effec
tiven
ess o
f the
ir in
vest
men
t in
cybe
r se
curit
y
The
ACSC
Thr
eat r
epor
t and
the
2015
Cyb
er S
ecur
ity S
urve
y pr
ovid
e so
me
usef
ul
info
rmat
ion
for b
usin
ess t
o co
nsid
er, b
ut g
over
nmen
t has
not
yet
pro
vide
d ro
bust
dat
a to
ach
ieve
this
out
com
e.
20 AUSTRALIA’S CYBER SECURITY STRATEGY: EXECUTION & EVOLUTION
STRO
NG C
YBER
DEF
ENCE
SGo
al: A
ustr
alia
’s ne
twor
ks a
nd s
yste
ms a
re h
ard
to c
ompr
omis
e an
d re
silie
nt to
cyb
erat
tack
.
Acti
onO
utco
me
Prog
ress
to d
ate
Rati
ng
DETE
CT, D
ETER
AN
D RE
SPO
ND
5.
In p
artn
ersh
ip w
ith th
e pr
ivat
e se
ctor
, est
ablis
h a
laye
red
appr
oach
to
cybe
r thr
eat i
nfor
mat
ion
shar
ing
thro
ugh:
• pa
rtne
rshi
ps b
etw
een
busi
ness
es a
nd th
e G
over
nmen
t with
in
the
Aust
ralia
n Cy
ber
Secu
rity
Cent
re;
• co
‑des
igne
d jo
int c
yber
th
reat
shar
ing
cent
res
(initi
ally
as a
pilo
t) in
key
ca
pita
l citi
es; a
nd
• a
co‑d
esig
ned
onlin
e in
form
atio
n sh
arin
g po
rtal
a.
Part
ners
hips
bet
wee
n th
e Au
stra
lian
Cybe
r Se
curit
y Ce
ntre
and
the
priv
ate
sect
or a
re
incr
ease
d an
d pr
oven
val
uabl
e fo
r bot
h pa
rtie
s
It is
diff
icul
t to
mea
sure
this
out
com
e. T
here
app
ears
to b
e m
ore
enga
gem
ent b
etw
een
indu
stry
and
the
ACSC
—a
tren
d th
at w
e ho
pe w
ill in
crea
se w
ith th
e ce
ntre
’s re
loca
tion.
H
owev
er, w
heth
er it
has
pro
ven
valu
able
for b
oth
part
ies i
sn’t
obje
ctiv
ely
mea
sura
ble.
Blac
k
b.
An o
pera
ting
mod
el fo
r the
join
t cyb
er th
reat
sh
arin
g ce
ntre
s is d
evel
oped
, suc
cess
fully
pi
lote
d an
d re
view
ed
In O
ctob
er 2
016,
it w
as a
nnou
nced
that
a p
ilot c
entr
e w
ould
ope
n be
fore
the
end
of
2016
. The
firs
t pilo
t joi
nt c
yber
sec
urity
cen
tre
(JCS
C) e
vent
ually
ope
ned
in B
risba
ne o
n 24
Feb
ruar
y 20
17. T
here
is c
lear
ly m
utua
l int
ent f
rom
gov
ernm
ent a
nd th
e pr
ivat
e se
ctor
to
ens
ure
the
succ
ess o
f the
JCS
C pr
ogra
m, b
ut p
rogr
ess s
o fa
r has
bee
n sl
ower
than
so
me
stak
ehol
ders
exp
ecte
d, a
nd th
e pi
lot’s
loca
tion
in B
risba
ne ra
ther
than
Syd
ney
or
Mel
bour
ne h
as b
een
ques
tione
d. A
s the
cen
tre
isn’
t yet
fully
ope
ratio
nal,
mor
e tim
e w
ill
be n
eede
d fo
r an
effec
tive
revi
ew p
roce
ss to
take
pla
ce.
c.
Base
d on
the
outc
omes
of t
he p
ilot,
a ro
llout
of
join
t cyb
er th
reat
shar
ing
cent
res n
atio
nally
im
prov
es c
o‑lo
catio
n of
bus
ines
ses,
the
rese
arch
com
mun
ity to
geth
er w
ith S
tate
, Te
rrito
ry a
nd G
over
nmen
t age
ncie
s and
shar
e:
• tim
ely
and
actio
nabl
e in
form
atio
n on
cyb
er
secu
rity
thre
ats a
nd ri
sks;
• kn
owle
dge
abou
t new
/evo
lvin
g ac
tors
and
in
trus
ion
met
hods
; and
• ex
pert
ise
to s
olve
pro
blem
s and
lear
n le
sson
s fro
m ‘n
ear m
isse
s’ a
nd c
ompr
omis
es
This
act
ion
relie
s on
an a
sses
smen
t of t
he p
ilot J
CSC
open
ed in
Feb
ruar
y 20
17 in
Br
isba
ne. A
dditi
onal
tim
e fo
r the
pilo
t cen
tre
to re
ach
full
oper
atio
nal c
apab
ility
will
be
nee
ded
befo
re a
n as
sess
men
t of t
he p
ilot a
nd a
subs
eque
nt ro
llout
of t
he m
odel
to
othe
r citi
es in
Aus
tral
ia.
d.
Cybe
r sec
urity
info
rmat
ion
is d
eliv
ered
to
a w
ider
rang
e of
org
anis
atio
ns th
roug
h th
e on
line
info
rmat
ion
shar
ing
port
al
Med
ia c
omm
enta
ry su
gges
ts th
at C
ERT
Aust
ralia
, with
in th
e At
torn
ey‑G
ener
al’s
Dep
artm
ent,
has b
egun
wor
k on
dev
elop
ing
the
thre
at in
form
atio
n sh
arin
g po
rtal
, alth
ough
the
abse
nce
of c
oncr
ete
anno
unce
men
ts in
dica
tes t
hat i
t’s n
ot
yet o
pera
tiona
l.
21
Acti
onO
utco
me
Prog
ress
to d
ate
Rati
ng
6.
Incr
ease
the
Com
pute
r Em
erge
ncy
Resp
onse
Tea
m
(CER
T) A
ustr
alia
’s ca
paci
ty
a.
CERT
Aus
tral
ia’s
serv
ices
are
exp
ande
d fo
r a
wid
er g
roup
of b
usin
esse
s, w
ith im
prov
ed
tech
nica
l cap
abili
ty
The
anno
unce
men
t of a
new
CER
T Au
stra
lia re
crui
tmen
t cam
paig
n in
Aug
ust 2
016
is a
po
sitiv
e st
ep to
war
ds in
crea
sing
the
orga
nisa
tion’
s cap
acity
to d
eliv
er th
e fiv
e in
itiat
ives
al
loca
ted
to it
in th
e st
rate
gy.
b.
CERT
Aus
tral
ia in
crea
ses i
ts in
tern
atio
nal
part
ners
hips
, foc
usin
g on
pre
vent
ion
and
shut
ting
dow
n m
alic
ious
cyb
er a
ctiv
ity
The
onbo
ardi
ng o
f add
ition
al s
taff
is in
tend
ed to
impr
ove
CERT
Aus
tral
ia’s
capa
city
to
incr
ease
its i
nter
natio
nal p
artn
ersh
ips a
nd th
e fig
ht a
gain
st c
yber
crim
e. W
hile
th
e or
gani
satio
n’s w
ebsi
te h
as n
ot y
et p
oste
d an
y ne
ws i
tem
s to
this
effe
ct,
unde
rtak
ing
the
nece
ssar
y bo
ost i
n st
affin
g w
ill c
ontr
ibut
e to
the
real
isat
ion
of th
is
part
ners
hip
expa
nsio
n.
7.
Boos
t the
Gov
ernm
ent’s
ca
paci
ty to
figh
t cy
berc
rime
in th
e Au
stra
lian
Crim
e Co
mm
issi
on
a.
The
Aust
ralia
n Cr
ime
Com
mis
sion
incr
ease
s its
ca
paci
ty a
nd c
apab
ility
to d
etec
t and
ana
lyse
cy
berc
rime
Aust
ralia
n Cr
imin
al In
telli
genc
e Co
mm
issi
on h
as re
ceiv
ed fu
ndin
g fo
r fur
ther
inve
stm
ent
in c
yber
crim
e in
vest
igat
ion
capa
bilit
y, a
nd th
e go
vern
men
t adv
ises
that
a su
cces
sful
em
ploy
men
t driv
e ha
s see
n its
inte
llige
nce
unit
doub
le fr
om 6
to 1
2 pe
rson
nel.
8.
Boos
t the
Gov
ernm
ent’s
ca
paci
ty to
figh
t cy
berc
rime
in th
e Au
stra
lian
Fede
ral P
olic
e
a.
The
Aust
ralia
n Fe
dera
l Pol
ice
incr
ease
s its
cap
acity
and
cap
abili
ty to
in
vest
igat
e cy
berc
rime.
The
AFP
has r
ecei
ved
fund
ing
for f
urth
er in
vest
men
t in
cybe
rcrim
e in
vest
igat
ion
capa
bilit
y; h
owev
er, t
here
is n
o da
ta to
mea
sure
the
succ
ess o
f thi
s inv
estm
ent s
o fa
r.Bl
ack
9.
Colla
bora
te w
ith A
ustr
alia
n go
vern
men
ts to
ens
ure
law
enf
orce
men
t offi
cers
re
ceiv
e th
e tr
aini
ng th
ey
need
to fi
ght c
yber
crim
e ac
ross
the
natio
n
Skill
s nee
ds fo
r law
enf
orce
men
t offi
cers
, inc
ludi
ng
spec
ialis
t rol
es, t
o fig
ht c
yber
crim
e ar
e id
entifi
edW
hile
no
info
rmat
ion
is a
vaila
ble
to su
gges
t tha
t thi
s has
com
men
ced,
the
gove
rnm
ent
advi
ses t
hat t
his w
ork
is u
nder
way
.Bl
ack
A sp
ecia
list t
rain
ing
stra
tegy
is d
evel
oped
and
im
plem
ente
dW
hile
no
info
rmat
ion
is a
vaila
ble
to su
gges
t tha
t thi
s str
ateg
y ha
s bee
n de
velo
ped
or im
plem
ente
d, th
e go
vern
men
t adv
ises
that
inte
rnal
cyb
er tr
aini
ng a
ctiv
ities
are
un
derw
ay a
nd th
at a
spec
ialis
t tra
inin
g st
rate
gy w
ill b
e in
clud
ed in
the
fort
hcom
ing
Nat
iona
l Pla
n to
Com
bat C
yber
crim
e.
Blac
k
10.
Incr
ease
the
Aust
ralia
n Si
gnal
s Dire
ctor
ate’
s ca
paci
ty to
iden
tify
new
an
d em
ergi
ng c
yber
th
reat
s to
our s
ecur
ity a
nd
impr
ove
intr
usio
n an
alys
is
capa
bilit
ies
The
Aust
ralia
n Si
gnal
s Dire
ctor
ate
incr
ease
s its
ca
paci
ty a
nd c
apab
ility
to id
entif
y cy
ber t
hrea
ts
and
deve
lops
resp
onse
s to
an in
crea
sing
ly
com
plex
dig
ital e
nviro
nmen
t
Thro
ugh
fund
ing
prov
ided
in th
e D
efen
ce W
hite
Pap
er, A
SD h
as b
een
very
act
ive
hirin
g ne
w s
taff
for c
yber
secu
rity
role
s. H
owev
er, t
he n
atur
e of
this
cap
abili
ty a
nd
ASD’
s act
iviti
es m
akes
it d
iffic
ult t
o as
sess
whe
ther
the
agen
cy’s
capa
bilit
y or
cap
acity
ha
s inc
reas
ed.
The
Aust
ralia
n Si
gnal
s Dire
ctor
ate
expa
nds t
he
num
ber o
f cyb
er s
ecur
ity s
ervi
ces i
t offe
rs to
a
wid
er ra
nge
of o
rgan
isat
ions
Agai
n, th
e ac
hiev
emen
t of t
his o
utco
me
is c
halle
ngin
g to
judg
e fro
m o
pen‑
sour
ce
rese
arch
. How
ever
, it’s
fair
to a
ssum
e th
at th
is e
xpan
sion
of s
ervi
ce is
relia
nt o
n th
e de
liver
y of
the
abov
e m
entio
ned
incr
ease
in A
SD c
apac
ity a
nd c
apab
ility
.
22 AUSTRALIA’S CYBER SECURITY STRATEGY: EXECUTION & EVOLUTION
Acti
onO
utco
me
Prog
ress
to d
ate
Rati
ng
11.
Stre
ngth
en D
efen
ce’s
cybe
r sec
urity
cap
acity
an
d ca
pabi
lity,
thro
ugh
initi
ativ
es in
the
2016
D
efen
ce W
hite
Pap
er
Def
ence
str
engt
hens
its c
yber
cap
abili
ties
to p
rote
ct it
self
and
othe
r crit
ical
Aus
tral
ian
Gov
ernm
ent s
yste
ms f
rom
mal
icio
us c
yber
in
trus
ion
and
disr
uptio
n
Def
ence
has
bee
n re
crui
ting
to in
crea
se it
s cyb
er w
orkf
orce
acr
oss d
efen
sive
and
off
ensi
ve ro
les,
indi
catin
g th
at th
ere’
s act
ion
tow
ards
the
achi
evem
ent o
f thi
s out
com
e.
Def
ence
enh
ance
s the
resi
lienc
e of
net
wor
ks,
incl
udin
g ne
twor
ks u
sed
by d
eplo
yed
forc
es, a
nd
the
capa
bilit
y of
the
Aust
ralia
n Cy
ber S
ecur
ity
Cent
re a
nd it
s cyb
er w
orkf
orce
, inc
ludi
ng n
ew
mili
tary
and
APS
pos
ition
s and
trai
ning
pro
gram
s
Som
e de
tails
of t
his o
utco
me
are
nece
ssar
ily s
ecre
t, so
ther
e’s l
ittle
sol
id p
ublic
dat
a on
whi
ch to
ass
ess i
ts a
chie
vem
ent.
How
ever
, giv
en th
at D
efen
ce a
ppea
rs to
be
mak
ing
step
s tow
ards
impr
ovin
g its
cyb
er c
apab
ilitie
s (as
not
ed a
bove
), it
stan
ds to
reas
on th
at
ther
e w
ill b
e an
ass
ocia
ted
incr
ease
in th
e re
silie
nce
of D
efen
ce n
etw
orks
.
12. E
xpan
d th
e na
tion’
s cyb
er
inci
dent
man
agem
ent
arra
ngem
ents
and
ex
erci
ses p
rogr
am
The
Gov
ernm
ent’s
cyb
er in
cide
nt m
anag
emen
t ar
rang
emen
ts re
spon
d to
the
evol
ving
cyb
er th
reat
la
ndsc
ape
Revi
sed
cybe
r inc
iden
t man
agem
ent a
rran
gem
ents
hav
e be
en d
evel
oped
, and
an
exe
rcis
e to
test
was
hel
d w
ith th
e pr
ivat
e se
ctor
in A
pril
2017
. Upd
atin
g th
e ar
rang
emen
ts w
as a
lso
a re
com
men
datio
n of
the
Revi
ew o
f the
eve
nts s
urro
undi
ng th
e 20
16 e
Cens
us, p
ublis
hed
by th
e O
ffice
of t
he C
yber
Sec
urity
Spe
cial
Adv
iser
.
Aust
ralia
n go
vern
men
ts u
nder
stan
d ho
w th
eir
resp
ectiv
e cy
ber a
nd in
cide
nt re
spon
se te
ams
wou
ld o
pera
te to
geth
er in
a c
yber
cris
is
Revi
sed
inci
dent
man
agem
ent a
rran
gem
ents
hav
e be
en d
evel
oped
, but
ach
ievi
ng th
is
outc
ome
will
requ
ire si
gnifi
cant
test
ing.
Gov
ernm
ent a
dvis
es th
at te
stin
g of
the
cybe
r in
cide
nt m
anag
emen
t arr
ange
men
ts w
ith p
rivat
e in
dust
ry a
nd th
e fe
dera
l and
sta
te
gove
rnm
ents
com
men
ced
in A
pril
2017
.
The
Gov
ernm
ent a
nd p
rivat
e se
ctor
est
ablis
h a
prog
ram
of j
oint
cyb
er e
xerc
ises
Join
t cyb
er e
xerc
ises
bet
wee
n go
vern
men
t and
indu
stry
hav
e be
en u
nder
dev
elop
men
t. Th
e fir
st it
erat
ion
took
pla
ce in
Apr
il 20
17. G
over
nmen
t adv
ises
that
exe
rcis
e de
velo
pmen
t was
orig
inal
ly in
tend
ed to
take
pla
ce d
urin
g 20
16–1
7, a
nd th
at th
e fir
st
exer
cise
was
not
sch
edul
ed to
be
cond
ucte
d un
til 2
017–
18. U
nfor
tuna
tely
, priv
ate-
sect
or
unce
rtai
nty
over
the
prog
ress
ion
of th
is p
roje
ct m
eans
mor
e w
ork
is re
quire
d.
Aust
ralia
wor
ks w
ith in
tern
atio
nal p
artn
ers o
n de
velo
ping
pol
icie
s for
inci
dent
resp
onse
as a
co
nfide
nce
build
ing
mea
sure
Min
iste
rs fr
om A
ustr
alia
and
New
Zea
land
com
mitt
ed in
Oct
ober
201
6 to
col
labo
rate
on
a ra
nge
of c
yber
issu
es, i
nclu
ding
hol
ding
a tr
ans‑
Tasm
an c
yber
inci
dent
exe
rcis
e as
a
part
of t
he A
ustr
alia
– N
ew Z
eala
nd c
yber
dia
logu
e ex
pect
ed to
take
pla
ce in
the
seco
nd
half
of 2
017.
Mor
e ac
tion
is n
eede
d to
ach
ieve
this
out
com
e.
23
Acti
onO
utco
me
Prog
ress
to d
ate
Rati
ng
RAIS
E TH
E BA
R
13. C
o‑de
sign
vol
unta
ry
guid
elin
es o
n go
od c
yber
se
curit
y pr
actic
e
The
Gov
ernm
ent a
nd p
rivat
e se
ctor
co‑
desi
gn a
nd
publ
ish
base
line
guid
ance
for A
ustr
alia
n cy
ber
secu
rity
that
pro
vide
s a b
ench
mar
k fo
r goo
d pr
actic
e, in
form
s cyb
er s
ecur
ity in
sura
nce
and
mee
ts c
orpo
rate
obl
igat
ions
Aust
ralia
’s cy
ber a
war
enes
s cam
paig
n, S
tay
Smar
t Onl
ine,
has
pub
lishe
d a
rang
e of
gu
ides
on
cybe
rsec
urity
. The
dev
elop
men
t of t
he S
ecur
ity a
war
enes
s im
plem
enta
tion
guid
e, th
e Sm
all b
usin
ess g
uide
, and
My
guid
e fo
r ind
ivid
uals
in p
artn
ersh
ip w
ith N
ew
Zeal
and
and
the
priv
ate
sect
or (A
ustr
alia
Pos
t, AN
Z, C
BA, N
BN C
o, N
AB, W
estp
ac a
nd
Tels
tra)
has
incr
ease
d th
e am
ount
of c
yber
secu
rity
guid
ance
ava
ilabl
e fo
r bus
ines
s an
d co
nsum
ers.
Not
e th
at S
tay
Smar
t Onl
ine
was
orig
inal
ly h
ouse
d w
ithin
the
Dep
artm
ent
of C
omm
unic
atio
ns a
nd th
e Ar
ts, b
ut is
now
the
resp
onsi
bilit
y of
the
Atto
rney
‑Gen
eral
’s D
epar
tmen
t.
Aust
ralia
’s go
od p
ract
ice
guid
elin
es a
re a
n ec
onom
ic a
nd s
ecur
ity a
sset
—th
ey p
rovi
de a
co
mm
erci
al a
dvan
tage
and
ens
ure
cybe
r ris
ks to
cr
itica
l ser
vice
s are
risk
ass
esse
d an
d m
anag
ed
This
is in
tend
ed to
be
a by
‑pro
duct
of s
ucce
ss o
n a
prec
edin
g in
itiat
ive,
so
it’s p
resu
med
to
be
on tr
ack
but r
equi
ring
atte
ntio
n to
ens
ure
deliv
ery.
Aust
ralia
n bu
sine
sses
, sm
all a
nd la
rge,
hav
e im
prov
ed u
nder
stan
ding
of g
ood
cybe
r sec
urity
pr
actic
es
This
is in
tend
ed to
be
a by
‑pro
duct
of s
ucce
ss o
n a
prec
edin
g in
itiat
ive,
so
it’s p
resu
med
to
be
on tr
ack
but r
equi
ring
atte
ntio
n to
ens
ure
deliv
ery.
Gov
ernm
ents
, crit
ical
ser
vice
s and
hig
h ris
k se
ctor
s dem
onst
rate
goo
d cy
ber s
ecur
ity p
ract
ices
The
esta
blis
hmen
t of t
he n
ew C
ritic
al In
fras
truc
ture
Cen
tre
in th
e At
torn
ey‑G
ener
al’s
Dep
artm
ent m
ay h
ave
a po
sitiv
e im
pact
on
cybe
rsec
urity
in th
e fu
ture
, but
no
evid
ence
to
that
effe
ct is
cur
rent
ly a
vaila
ble.
14.
Cont
inue
to re
gula
rly
upda
te th
e Au
stra
lian
Sign
als D
irect
orat
e’s
Stra
tegi
es to
Miti
gate
Ta
rget
ed C
yber
Intr
usio
ns
The
Stra
tegi
es to
Miti
gate
Cyb
er In
trus
ions
rem
ain
wor
ld le
adin
g pu
blic
ly a
vaila
ble
advi
ce o
n ho
w
to b
est p
rote
ct a
gain
st ta
rget
ed m
alic
ious
cyb
er
activ
ity
ASD
upda
ted
its T
op 4
str
ateg
ies t
o m
itiga
te c
yber
inci
dent
s to
beco
me
the
Esse
ntia
l 8
in F
ebru
ary
2017
.
24 AUSTRALIA’S CYBER SECURITY STRATEGY: EXECUTION & EVOLUTION
Acti
onO
utco
me
Prog
ress
to d
ate
Rati
ng
15. C
o‑de
sign
vol
unta
ry c
yber
se
curit
y ‘h
ealth
che
cks’
for
ASX
100
liste
d bu
sine
sses
Exec
utiv
es a
nd b
oard
s in
the
ASX
100
bett
er
unde
rsta
nd c
yber
sec
urity
str
engt
hs a
nd
oppo
rtun
ities
for t
heir
busi
ness
ASIC
and
the
ASX
laun
ched
cyb
erse
curit
y he
alth
che
cks f
or A
SX 1
00 c
ompa
nies
in
Nov
embe
r 201
6. T
he A
SX re
leas
ed it
s Cyb
er H
ealth
Che
ck R
epor
t in
April
201
7, a
n in
dust
ry le
d su
rvey
on
cybe
r sec
urity
gov
erna
nce
in A
ustr
alia
’s la
rges
t com
pani
es.
Dec
isio
n m
aker
s in
the
ASX
100
rece
ive
tailo
red
info
rmat
ion
on th
e im
pact
of c
yber
risk
s to
thei
r co
mpa
nies
Prog
ress
of t
he A
SX 1
00 a
nd A
SIC
cybe
rsec
urity
hea
lth c
heck
s, a
nd in
crea
sing
aw
aren
ess a
t the
boa
rd le
vel o
f cyb
er th
reat
s, a
re p
ositi
ve si
gns o
f pro
gres
s tow
ards
the
achi
evem
ent o
f thi
s out
com
e.
Aust
ralia
’s hi
ghes
t per
form
ing
busi
ness
es le
ad
a na
tiona
l effo
rt to
war
ds b
est p
ract
ice
cybe
r se
curit
y
Whi
le th
ere’
s gre
ater
aw
aren
ess o
f cyb
er th
reat
s am
ong
the
larg
est c
ompa
nies
, the
ir ad
voca
cy fo
r bes
t pra
ctic
e am
ong
smal
l to
med
ium
ent
erpr
ises
is ju
st b
egin
ning
.
Incr
ease
d cy
ber r
esili
ence
in A
ustr
alia
’s la
rges
t co
mpa
nies
The
succ
ess o
f act
ion
tow
ards
this
out
com
e is
diff
icul
t to
asse
ss o
ver t
he ti
mef
ram
e, b
ut
the
invo
lvem
ent o
f the
ASX
100
in h
ealth
che
cks i
s a p
ositi
ve in
dica
tor o
f pro
gres
s.
16.
Supp
ort t
he C
ounc
il of
Re
gist
ered
Eth
ical
Sec
urity
Te
ster
s (CR
EST)
Aus
tral
ia
New
Zea
land
to e
xpan
d its
rang
e of
cyb
er s
ecur
ity
serv
ices
CRES
T Au
stra
lia N
ew Z
eala
nd g
row
s its
cur
rent
po
ol o
f acc
redi
ted
com
pani
es to
mee
t the
dem
and
of b
usin
esse
s acc
essi
ng th
eir s
ervi
ces
The
Dep
artm
ent o
f Ind
ustr
y, In
nova
tion
and
Scie
nce’
s Cyb
er S
ecur
ity S
mal
l Bus
ines
s Pr
ogra
m s
tate
s int
entio
ns to
pro
vide
a g
rant
to C
REST
AN
Z to
incr
ease
its n
umbe
r of
acc
redi
ted
serv
ice
prov
ider
s. T
he g
over
nmen
t adv
ises
that
ther
e’s a
n on
goin
g in
form
atio
n ex
chan
ge o
f les
sons
from
New
Zea
land
’s Cy
ber C
rede
ntia
ls s
chem
e;
how
ever
, the
re’s
no e
vide
nce
of th
e im
plem
enta
tion
of s
olid
ste
ps to
war
ds th
is
outc
ome,
so
it’s r
ated
‘not
com
men
ced’
.
CRES
T Au
stra
lia N
ew Z
eala
nd d
iver
sifie
s the
se
rvic
es it
acc
redi
ts. T
ypes
of a
sses
smen
t mig
ht
incl
ude
pene
trat
ion
test
ing,
vul
nera
bilit
y an
alys
is
and
asse
ssm
ent a
gain
st b
est p
ract
ice
stan
dard
s
The
Dep
artm
ent o
f Ind
ustr
y, In
nova
tion
and
Scie
nce’
s Cyb
er S
ecur
ity S
mal
l Bus
ines
s Pr
ogra
m s
tate
s int
entio
ns to
pro
vide
a g
rant
to C
REST
AN
Z to
div
ersi
fy it
s ser
vice
s to
incl
ude
the
accr
edita
tion
of sk
ills a
nd c
apab
ilitie
s. H
owev
er, t
here
’s no
evi
denc
e of
im
plem
enta
tion
of th
is p
lan
yet,
so it
’s de
emed
‘not
com
men
ced’
.
25
Acti
onO
utco
me
Prog
ress
to d
ate
Rati
ng
17.
Supp
ort s
mal
l bus
ines
ses
to h
ave
thei
r cyb
er s
ecur
ity
test
ed b
y CR
EST
Aust
ralia
N
ew Z
eala
nd a
ccre
dite
d pr
ovid
ers
Aust
ralia
n sm
all b
usin
esse
s hav
e ac
cess
to
accr
edite
d ex
pert
s to
asse
ss th
eir c
yber
sec
urity
, he
lpin
g th
em to
take
resp
onsi
bilit
y fo
r the
sec
urity
of
thei
r ow
n ne
twor
ks
The
Dep
artm
ent o
f Ind
ustr
y, In
nova
tion
and
Scie
nce’
s Cyb
er S
ecur
ity S
mal
l Bus
ines
s Pr
ogra
m in
volv
es a
gra
nt fo
r sm
all b
usin
esse
s to
have
thei
r cyb
erse
curit
y te
sted
by
serv
ice
prov
ider
s app
rove
d by
CRE
ST A
NZ.
Gra
nts o
f up
to $
2,10
0 in
co‑
fund
ing
will
be
ava
ilabl
e on
a o
ne-o
ff ba
sis.
App
licat
ions
are
exp
ecte
d to
ope
n in
201
7–18
for g
rant
pa
ymen
ts to
be
mad
e 20
18–1
9.
Aust
ralia
n sm
all b
usin
esse
s und
erst
and
thei
r po
tent
ial c
yber
sec
urity
vul
nera
bilit
ies a
nd w
here
to
find
trus
ted
cybe
r sec
urity
adv
ice
The
deliv
ery
of th
e pr
eced
ing
thre
e ou
tcom
es m
ay le
ad to
the
achi
evem
ent o
f thi
s one
, bu
t dat
a sh
ould
be
colle
cted
to e
nsur
e th
at it
s ach
ieve
men
t is q
uant
ifiab
le.
Aust
ralia
n sm
all b
usin
esse
s are
em
pow
ered
with
th
e kn
owle
dge
they
nee
d to
mak
e co
nsid
ered
cy
ber s
ecur
ity in
vest
men
ts to
pro
tect
thei
r bu
sine
ss lo
ng te
rm
Gov
ernm
ent h
as fa
cilit
ated
gre
ater
acc
ess t
o cy
bers
ecur
ity k
now
ledg
e fo
r sm
all
busi
ness
es th
roug
h th
e St
ay S
mar
t Onl
ine
Smal
l bus
ines
s gui
de a
nd S
ecur
ity a
war
enes
s im
plem
enta
tion
guid
e. M
inis
ter D
an T
ehan
’s M
arch
bus
ines
s rou
ndta
ble
focu
sed
on sm
all t
o m
ediu
m e
nter
pris
es, a
nd th
e D
epar
tmen
t of I
ndus
try,
Inno
vatio
n an
d Sc
ienc
e pl
ans t
o off
er sm
all b
usin
ess g
rant
s for
CRE
ST A
NZ
accr
edite
d cy
bers
ecur
ity.
How
ever
, the
gen
eral
sta
keho
lder
per
cept
ion
is th
at th
ere’
s stil
l an
urge
nt n
eed
for
the
gove
rnm
ent t
o en
gage
mor
e eff
ectiv
ely
with
smal
l bus
ines
ses o
n cy
ber i
ssue
s.
Data
col
lect
ion
thro
ugh
met
hods
such
as s
entim
ent s
urve
ys o
f bus
ines
s nee
ds to
be
com
men
ced
now
to e
nsur
e th
at p
rogr
ess t
owar
ds th
is o
utco
me
is q
uant
ifiab
le.
Larg
e an
d sm
all b
usin
esse
s inc
reas
e tr
ust i
n th
e co
nnec
tions
they
hav
e w
ith e
ach
othe
rTh
e ac
hiev
emen
t of t
his o
utco
me
is c
halle
ngin
g to
judg
e ob
ject
ivel
y, a
nd it
’s un
clea
r how
this
is re
late
d to
the
actio
n of
sec
urity
test
ing
by C
REST
‑acc
redi
ted
serv
ice
prov
ider
s.
Blac
k
26 AUSTRALIA’S CYBER SECURITY STRATEGY: EXECUTION & EVOLUTION
Acti
onO
utco
me
Prog
ress
to d
ate
Rati
ng
18. I
mpr
ove
Gov
ernm
ent
agen
cies
’ cyb
er s
ecur
ity
thro
ugh
a ro
lling
pr
ogra
m o
f ind
epen
dent
as
sess
men
ts o
f age
ncie
s’
impl
emen
tatio
n of
th
e Au
stra
lian
Sign
als
Dire
ctor
ate’
s Str
ateg
ies
to M
itiga
te T
arge
ted
Cybe
r Int
rusi
ons
Gov
ernm
ent a
genc
y cy
ber s
ecur
ity p
ract
ices
ar
e th
e ex
empl
ar fo
r pub
lic a
nd p
rivat
e se
ctor
or
gani
satio
ns in
Aus
tral
ia
ASD
has c
ondu
cted
surv
eys o
f Com
mon
wea
lth a
genc
ies c
yber
sec
urity
bas
ed o
n im
plem
enta
tion
of th
e ‘T
op 4
’ str
ateg
ies t
o m
itiga
te ta
rget
ed c
yber
sec
urity
inci
dent
s.
How
ever
AN
AO a
udits
of s
ever
al d
epar
tmen
ts a
nd a
surv
ey o
f gov
ernm
ent a
genc
y cy
bers
ecur
ity p
ract
ice
by th
e Au
stra
lian
Nat
iona
l Uni
vers
ity’s
Nat
iona
l Sec
urity
Col
lege
in
dica
te th
at th
ere’
s sig
nific
ant w
ork
to b
e do
ne to
ach
ieve
this
out
com
e, a
nd th
at s
ome
agen
cies
are
faili
ng to
fully
impl
emen
t the
Top
4 s
trat
egie
s. T
here
fore
, gov
ernm
ent
agen
cies
are
off
trac
k to
win
the
title
of ‘
exem
plar
’ in
this
spac
e.
Gov
ernm
ent a
genc
ies a
re e
mpo
wer
ed to
mai
ntai
n a
high
leve
l of c
yber
sec
urity
and
are
equ
ippe
d to
im
prov
e th
eir c
yber
sec
urity
cap
abili
ty
Gove
rnm
ent a
genc
ies h
ave
acce
ss to
cyb
erse
curit
y ad
vice
from
ASD
, inc
ludi
ng A
SD’s
stra
tegi
es to
miti
gate
cyb
er se
curit
y in
cide
nts a
nd In
form
atio
n se
curit
y man
ual. H
owev
er,
the
impl
emen
tatio
n of
bet
ter c
yber
secu
rity p
ract
ice
in g
over
nmen
t age
ncie
s req
uire
s the
ir ow
n sk
illed
staff
, ade
quat
e fin
anci
al re
sour
ces a
nd c
omm
itmen
t fro
m se
nior
exe
cutiv
es to
ac
t on
cybe
rsec
urity
adv
ice
from
resp
onsi
ble
agen
cies
. The
est
ablis
hmen
t of a
new
Cyb
er
Secu
rity
Advi
sory
Offi
ce w
ithin
the
DTA
was
ann
ounc
ed in
the
2017
-18
Budg
et to
pro
vide
cy
bers
ecur
ity a
dvic
e on
gov
ernm
ent I
T pr
ocur
emen
t.
Non
‑Gov
ernm
ent i
nfor
mat
ion
stor
ed o
n G
over
nmen
t net
wor
ks is
resi
lient
to m
alic
ious
cy
ber a
ctiv
ity
Whi
le th
is is
diff
icul
t to
asse
ss a
t the
who
le-o
f-gov
ernm
ent l
evel
, the
AN
AO a
udit
of th
e Au
stra
lian
Taxa
tion
Offi
ce a
nd th
e D
epar
tmen
t of I
mm
igra
tion
and
Bord
er P
rote
ctio
n,
and
the
2015
Bur
eau
of M
eteo
rolo
gy h
ack,
indi
cate
that
sign
ifica
nt w
ork
is n
eede
d to
ac
hiev
e th
is o
utco
me.
27
Acti
onO
utco
me
Prog
ress
to d
ate
Rati
ng
19. I
mpr
ove
Gov
ernm
ent
agen
cies
’ cyb
er s
ecur
ity
thro
ugh
inde
pend
ent c
yber
se
curit
y as
sess
men
ts fo
r ag
enci
es a
t hig
her r
isk
of
mal
icio
us c
yber
act
ivity
th
at a
lso
help
s tho
se
agen
cies
add
ress
the
findi
ngs
Gov
ernm
ent a
genc
y cy
ber s
ecur
ity p
ract
ices
ar
e th
e ex
empl
ar fo
r pub
lic a
nd p
rivat
e se
ctor
or
gani
satio
ns in
Aus
tral
ia
The
Annu
al U
pdat
e no
tes t
hat A
SD h
as c
ondu
cted
surv
eys o
f Com
mon
wea
lth a
genc
ies
cybe
r sec
urity
bas
ed o
n im
plem
enta
tion
of th
e ‘T
op 4
’ str
ateg
ies t
o m
itiga
te ta
rget
ed
cybe
r sec
urity
inci
dent
s. G
over
nmen
t has
pre
viou
sly
advi
sed
that
pilo
t pro
gram
was
pl
anne
d to
beg
in in
201
8–20
.
Bein
g an
exe
mpl
ar o
f cyb
erse
curit
y is
a lo
fty g
oal f
or a
ny se
ctor
, par
ticul
arly
a la
rge
and
diffu
se o
rgan
isat
ion
such
as t
he A
ustr
alia
n go
vern
men
t. W
hile
the
ANAO
’s cy
bers
ecur
ity
audi
ts o
f gov
ernm
ent d
epar
tmen
ts in
dica
te a
ple
asin
g in
tere
st in
ens
urin
g th
at th
e go
vern
men
t is s
ettin
g a
good
exa
mpl
e, th
e au
dit r
esul
ts a
nd a
surv
ey o
f gov
ernm
ent
agen
cy c
yber
secu
rity
prac
tices
by
the
Nat
iona
l Sec
urity
Col
lege
indi
cate
that
ther
e’s
sign
ifica
nt w
ork
to b
e do
ne to
ach
ieve
this
am
bitio
us o
utco
me.
Gov
ernm
ent a
genc
ies a
re e
mpo
wer
ed to
mai
ntai
n a
high
leve
l of c
yber
sec
urity
and
are
equ
ippe
d to
im
prov
e th
eir c
yber
sec
urity
cap
abili
ty
Gov
ernm
ent a
genc
ies h
ave
acce
ss to
adv
ice
from
ASD
, but
the
impl
emen
tatio
n of
be
tter
cyb
erse
curit
y pr
actic
e re
quire
s ski
lled
staff
, ade
quat
e fin
anci
al re
sour
ces
and
com
mitm
ent f
rom
sen
ior e
xecu
tives
to a
ct o
n cy
bers
ecur
ity a
dvic
e fro
m
resp
onsi
ble
agen
cies
.
Non
Gov
ernm
ent i
nfor
mat
ion
stor
ed o
n G
over
nmen
t net
wor
ks is
resi
lient
to m
alic
ious
cy
ber a
ctiv
ity
Whi
le th
is is
diff
icul
t to
asse
ss a
t the
who
le-o
f-gov
ernm
ent l
evel
, the
AN
AO’s
audi
t of t
he
Aust
ralia
n Ta
xatio
n O
ffice
and
the
Dep
artm
ent o
f Im
mig
ratio
n an
d Bo
rder
Pro
tect
ion
indi
cate
s tha
t sig
nific
ant w
ork
is n
eede
d to
ach
ieve
this
out
com
e.
20. I
mpr
ove
Gov
ernm
ent
agen
cies
’ cyb
er s
ecur
ity
thro
ugh
incr
easi
ng
the
Aust
ralia
n Si
gnal
s Di
rect
orat
e’s c
apac
ity
to a
sses
s Gov
ernm
ent
agen
cies
’ vul
nera
bilit
y,
prov
ide
tech
nica
l sec
urity
ad
vice
and
inve
stig
ate
emer
ging
tech
nolo
gies
Gov
ernm
ent a
genc
y cy
ber s
ecur
ity p
ract
ices
ar
e th
e ex
empl
ar fo
r pub
lic a
nd p
rivat
e se
ctor
or
gani
satio
ns in
Aus
tral
ia
ANAO
aud
its o
f sev
eral
dep
artm
ents
and
a su
rvey
of g
over
nmen
t age
ncy
cybe
rsec
urity
pr
actic
e by
the
Nat
iona
l Sec
urity
Col
lege
indi
cate
that
sign
ifica
nt is
nee
ded
to a
chie
ve
this
out
com
e.
Gov
ernm
ent a
genc
ies a
re e
mpo
wer
ed to
mai
ntai
n a
high
leve
l of c
yber
sec
urity
and
are
equ
ippe
d to
im
prov
e th
eir c
yber
sec
urity
cap
abili
ty
Gov
ernm
ent a
genc
ies h
ave
acce
ss to
adv
ice
from
ASD
, but
the
impl
emen
tatio
n of
be
tter
cyb
erse
curit
y pr
actic
e re
quire
s ski
lled
staff
, ade
quat
e fin
anci
al re
sour
ces a
nd
com
mitm
ent f
rom
sen
ior e
xecu
tives
to a
ct o
n cy
bers
ecur
ity a
dvic
e fro
m re
spon
sibl
e ag
enci
es
Non
Gov
ernm
ent i
nfor
mat
ion
stor
ed o
n G
over
nmen
t net
wor
ks is
resi
lient
to m
alic
ious
cy
ber a
ctiv
ity
Whi
le th
is is
diff
icul
t to
asse
ss a
t the
who
le-o
f-gov
ernm
ent l
evel
, the
AN
AO a
udit
of th
e Au
stra
lian
Taxa
tion
Offi
ce a
nd th
e D
epar
tmen
t of I
mm
igra
tion
and
Bord
er P
rote
ctio
n in
dica
tes t
hat s
igni
fican
t wor
k is
nee
ded
to a
chie
ve th
is o
utco
me.
21. D
evel
op g
uida
nce
for
Gov
ernm
ent a
genc
ies t
o co
nsis
tent
ly m
anag
e su
pply
ch
ain
secu
rity
risks
for I
CT
equi
pmen
t and
ser
vice
s
Gov
ernm
ent a
genc
ies h
ave
clea
r gui
danc
e on
id
entif
ying
and
man
agin
g cy
ber s
ecur
ity ri
sks
whe
n pr
ocur
ing
ICT
equi
pmen
t and
ser
vice
s
The
Annu
al U
pdat
e no
tes t
hat w
ork
on th
is h
as n
ot y
et c
omm
ence
d.
28 AUSTRALIA’S CYBER SECURITY STRATEGY: EXECUTION & EVOLUTION
GLOB
AL R
ESPO
NSIB
ILIT
Y AN
D IN
FLUE
NCE
Goal
: Aus
tral
ia a
ctiv
ely
prom
otes
an
open
, fre
e an
d se
cure
cyb
ersp
ace.
Acti
onO
utco
me
Prog
ress
to d
ate
Rati
ng
22. A
ppoi
nt a
Cyb
er
Amba
ssad
orAu
stra
lia h
as a
coo
rdin
ated
, con
sist
ent a
nd
influ
entia
l voi
ce o
n in
tern
atio
nal c
yber
issu
esD
r Tob
ias F
eaki
n’s a
ppoi
ntm
ent a
s Am
bass
ador
for C
yber
Affa
irs w
as a
nnou
nced
on
10 N
ovem
ber 2
016,
and
he
took
up
his p
ost o
n 3
Janu
ary
2017
. The
del
ay in
app
oint
ing
Dr F
eaki
n to
this
role
mea
ns th
at, w
hile
pro
gres
s tow
ards
ach
ievi
ng a
n in
fluen
tial
inte
rnat
iona
l voi
ce o
n cy
ber i
ssue
s for
Aus
tral
ia is
bei
ng m
ade,
it c
an’t
yet b
e co
nsid
ered
co
mpl
ete.
Pub
lishi
ng th
e ex
pect
ed In
tern
atio
nal C
yber
Eng
agem
ent S
trat
egy
will
be
an
impo
rtan
t way
of a
chie
ving
this
out
com
e.
23. P
ublis
h an
inte
rnat
iona
l en
gage
men
t str
ateg
y on
cy
ber s
ecur
ity
Aust
ralia
’s in
tern
atio
nal e
ngag
emen
t on
cybe
r is
sues
is p
riorit
ised
and
coo
rdin
ated
Wor
k ha
s com
men
ced
with
in D
FAT
on th
e In
tern
atio
nal C
yber
Eng
agem
ent S
trat
egy.
Th
e de
part
men
t com
plet
ed th
e fir
st ro
und
of in
tern
atio
nal a
nd w
hole
-of-g
over
nmen
t co
nsul
tatio
ns a
nd o
pene
d pu
blic
subm
issi
ons f
or th
e st
rate
gy u
ntil
31 M
arch
. Pub
lishi
ng
the
Inte
rnat
iona
l Cyb
er E
ngag
emen
t Str
ateg
y, e
xpec
ted
late
r in
2017
, will
be
an
impo
rtan
t way
of a
chie
ving
this
out
com
e.
Stak
ehol
ders
und
erst
and
Aust
ralia
’s po
sitio
n on
key
cy
ber i
ssue
s bei
ng d
ebat
ed o
n th
e w
orld
stag
eTh
is o
utco
me
is re
liant
on
achi
evin
g co
ordi
natio
n an
d a
cons
iste
nt v
oice
on
thes
e is
sues
an
d a
clea
r str
ateg
y.
24.
Cham
pion
an
open
, fre
e an
d se
cure
Inte
rnet
to
enab
le a
ll co
untr
ies t
o ge
nera
te g
row
th a
nd
oppo
rtun
ity o
nlin
e
Aust
ralia
act
ivel
y pa
rtic
ipat
es in
key
inte
rnat
iona
l cy
ber f
ora
to p
rom
ote
agre
ed p
eace
time
norm
s of
appr
opria
te s
tate
beh
avio
ur in
cyb
ersp
ace
Aust
ralia
has
bee
n an
act
ive
part
icip
ant i
n th
e cu
rren
t rou
nd o
f the
UN
Gro
up
of G
over
nmen
tal E
xper
ts o
n De
velo
pmen
ts in
the
Fiel
d of
Info
rmat
ion
and
Tele
com
mun
icat
ions
in th
e Co
ntex
t of I
nter
natio
nal S
ecur
ity, w
hich
dis
cuss
es c
yber
no
rms a
nd c
onfid
ence
bui
ldin
g m
easu
res.
Aus
tral
ia c
ontin
ues t
o ad
voca
te fo
r ope
n, fr
ee
and
secu
re a
cces
s to
cybe
rspa
ce a
nd th
e m
ultis
take
hold
er m
odel
of i
nter
net g
over
nanc
e in
rele
vant
inte
rnat
iona
l for
ums.
Aus
tral
ia is
a m
embe
r of t
he F
reed
om O
nlin
e Co
aliti
on
and
enga
ges i
n re
solu
tions
rela
ting
to in
tern
et fr
eedo
ms i
n th
e H
uman
Rig
hts C
ounc
il an
d U
N G
ener
al A
ssem
bly
Third
Com
mitt
ee. A
ustr
alia
has
eng
aged
bila
tera
lly w
ith
inte
rnat
iona
l par
tner
s to
disc
uss c
yber
secu
rity,
incl
udin
g in
the
Japa
n–Au
stra
lia C
yber
Po
licy
Dial
ogue
hel
d in
Aug
ust 2
016
and
the
Aust
ralia
–Chi
na C
yber
Pol
icy
Dial
ogue
in
Febr
uary
201
6. A
ustr
alia
als
o he
ld th
e ch
air o
f APC
ERT
in 2
016.
29
Acti
onO
utco
me
Prog
ress
to d
ate
Rati
ng
25. P
artn
er in
tern
atio
nally
to
shut
dow
n sa
fe h
aven
s and
pr
even
t mal
icio
us c
yber
ac
tivity
, with
a p
artic
ular
fo
cus o
n th
e In
do-P
acifi
c re
gion
Aust
ralia
’s re
latio
nshi
ps w
ith a
bro
ad ra
nge
of in
tern
atio
nal c
ount
erpa
rts o
n op
erat
iona
l cy
berc
rime
colla
bora
tion
are
stre
ngth
ened
.
Aust
ralia
has
ann
ounc
ed in
crea
sed
coop
erat
ion
with
Indo
nesi
a th
roug
h th
e M
inis
teria
l Co
unci
l on
Law
and
Sec
urity
, but
mor
e ac
tion
tow
ards
this
out
com
e is
nee
ded
to
achi
eve
the
obje
ctiv
e.
Inte
rnat
iona
l effo
rts t
o pr
osec
ute
cybe
rcrim
e ar
e en
hanc
edAu
stra
lia e
ngag
es in
tern
atio
nally
from
mul
tiple
dep
artm
ents
to sh
ut d
own
cybe
rcrim
e sa
fe h
aven
s. T
he A
ttor
ney-
Gen
eral
’s D
epar
tmen
t hel
ps P
acifi
c is
land
cou
ntrie
s tac
kle
cybe
rcrim
e th
roug
h th
e Pa
cific
Isla
nds L
aw O
ffice
r’s N
etw
ork,
CER
T Au
stra
lia o
ffers
tr
aini
ng to
oth
er C
ERTs
in th
e re
gion
, and
the
AFP’
s Cyb
er S
afet
y Pa
sifik
a Pr
ogra
m ra
ises
aw
aren
ess o
n cy
berc
rime
issu
es in
Pac
ific
isla
nd c
ount
ries.
The
gove
rnm
ent a
dvis
es th
at D
FAT
part
nere
d w
ith th
e U
N O
ffice
on
Dru
gs a
nd C
rime
in
2016
to fu
nd a
trai
ning
cou
rse
for c
yber
crim
e in
vest
igat
ors a
nd p
rose
cuto
rs in
Sou
thea
st
Asia
. AFP
Cyb
ercr
ime
liais
on o
ffice
rs a
nd A
ustr
alia
n Cr
imin
al In
telli
genc
e Co
mm
issi
on
cybe
rcrim
e an
alys
ts a
re p
oste
d in
Was
hing
ton
DC
and
Lond
on.
Aust
ralia
has
rece
ntly
incr
ease
d in
tern
atio
nal e
ffort
s to
coop
erat
e on
cyb
ercr
ime
thro
ugh
pres
sing
the
issu
e w
ith In
done
sia
at th
e M
inis
teria
l Cou
ncil
on L
aw a
nd S
ecur
ity
mee
ting.
The
mee
ting
has b
een
held
in D
ecem
ber 2
015,
Jul
y 20
16 a
nd m
ost r
ecen
tly in
Fe
brua
ry 2
017.
Thi
s is a
goo
d st
ep in
the
right
dire
ctio
n, b
ut m
ore
actio
n to
this
effe
ct
will
be
need
ed fo
r thi
s out
com
e to
be
cons
ider
ed ‘o
n tr
ack’
.
26. B
uild
cyb
er c
apac
ity in
the
Indo
-Pac
ific
regi
on a
nd
glob
ally
, inc
ludi
ng th
roug
h pu
blic
‑priv
ate
part
ners
hips
Cybe
r cap
acity
in th
e In
do-P
acifi
c re
gion
, inc
ludi
ng
thro
ugh
part
ners
hips
with
bus
ines
ses a
nd th
e re
sear
ch c
omm
unity
, is i
ncre
ased
and
con
trib
utes
to
impr
oved
cyb
er m
atur
ity
This
is a
n on
goin
g eff
ort t
hat g
over
nmen
t age
ncie
s wer
e en
gage
d in
bef
ore
the
Cybe
r Se
curit
y St
rate
gy, a
nd it
’s di
fficu
lt to
ass
ess t
he e
ffica
cy o
f the
se o
ngoi
ng a
ctiv
ities
in
the
12 m
onth
s sin
ce th
e st
rate
gy w
as re
leas
ed. R
elea
sing
an
Inte
rnat
iona
l Cyb
er
Enga
gem
ent S
trat
egy
that
take
s a s
tron
g vi
sion
on
Aust
ralia
’s co
ntrib
utio
n to
this
issu
e an
d th
e ne
cess
ary
coor
dina
tion
will
ens
ure
that
this
out
com
e is
ach
ieve
d.
DFAT
has
soug
ht p
ropo
sals
from
ext
erna
l org
anis
atio
ns to
und
erta
ke c
apac
ity b
uild
ing
effor
ts in
the
Asia
–Pac
ific
thro
ugh
the
new
Cyb
er C
oope
ratio
n Pr
ogra
m, w
hich
has
bee
n fu
nded
with
$1
mill
ion
per y
ear o
ver f
our y
ears
. Oth
er e
ffort
s inc
lude
spon
sorin
g th
e at
tend
ance
of o
ffici
als f
rom
Sam
oa, V
anua
tu, C
ambo
dia,
Indo
nesia
, Pap
ua N
ew G
uine
a,
Mya
nmar
, Vie
tnam
, Tha
iland
and
Fiji
at t
he A
ustr
alia
n Cy
ber S
ecur
ity C
entr
e co
nfer
ence
in
Mar
ch 2
017.
The
gov
ernm
ent h
as a
lso
advi
sed
that
cyb
er w
orks
hops
run
by IC
T4Pe
ace,
an
NGO
, wer
e ho
sted
in H
anoi
and
Vie
ntia
ne fo
r dip
lom
ats,
offi
cial
s and
aca
dem
ics f
rom
Ca
mbo
dia,
Lao
s, M
yanm
ar a
nd V
ietn
am in
201
6 an
d 20
17.
The
gove
rnm
ent i
s als
o lo
okin
g to
fund
cyb
er o
ffici
als f
rom
Pac
ific
islan
ds to
att
end
the
Paci
fic Is
land
Law
Offi
cers
Net
wor
k on
Cyb
er C
rime
and
the
Paci
fic C
yber
Wor
ksho
p, w
hich
ar
e to
be
host
ed b
y Aus
tral
ia, t
he U
S an
d Ja
pan
in T
onga
dur
ing
May
201
7.
30 AUSTRALIA’S CYBER SECURITY STRATEGY: EXECUTION & EVOLUTION
GROW
TH A
ND IN
NOVA
TION
Goal
: Aus
tral
ian
busi
ness
es g
row
and
pro
sper
thro
ugh
cybe
r sec
urity
inno
vatio
n.
Acti
onO
utco
me
Prog
ress
to d
ate
Rati
ng
27.
Esta
blis
h a
Cybe
r Sec
urity
Gr
owth
Cen
tre
to b
ring
toge
ther
a n
atio
nal c
yber
se
curit
y in
nova
tion
netw
ork
that
pio
neer
s cu
ttin
g ed
ge c
yber
sec
urity
re
sear
ch a
nd in
nova
tion,
th
roug
h th
e N
atio
nal
Inno
vatio
n an
d Sc
ienc
e Ag
enda
Conn
ectio
ns m
ade
betw
een
stak
ehol
ders
, thr
ough
th
e Gr
owth
Cen
tre,
del
iver
a m
ultip
lier e
ffect
on
cybe
r sec
urity
idea
s and
the
num
ber o
f cha
lleng
es
bein
g re
spon
ded
to in
crea
ses
The
Aust
ralia
n Cy
ber S
ecur
ity G
row
th N
etw
ork
(ACS
GN) w
as e
stab
lishe
d on
5 D
ecem
ber
2016
und
er th
e le
ader
ship
of f
orm
er A
tlass
ian
exec
utiv
e Cr
aig
Davi
es. A
ustr
ade
has
supp
orte
d a
grou
p of
26
Aust
ralia
n cy
bers
ecur
ity o
rgan
isat
ions
to a
tten
d th
e RS
A Co
nfer
ence
in th
e U
S, le
d by
Mr D
avie
s, a
nd re
leas
ed th
e Cy
ber s
ecur
ity in
dust
ry
capa
bilit
y rep
ort h
ighl
ight
ing
the
capa
bilit
ies o
f Aus
tral
ia’s
cybe
rsec
urity
indu
stry
to
fore
ign
inve
stor
s. A
CSGN
has
als
o re
leas
ed a
Cyb
er S
ecur
ity S
ecto
r Com
petit
iven
ess P
lan.
Th
e re
port
, dev
elop
ed in
con
junc
tion
with
Alp
haBe
ta is
inte
nded
to h
elp
Aust
ralia
’s cy
bers
ecur
ity in
dust
ry ‘r
each
its f
ull p
oten
tial’
by id
entif
ying
and
ove
rcom
ing
road
bloc
ks
to sm
all b
usin
ess,
com
mer
cial
isat
ion
of re
sear
ch a
nd a
cyb
er sk
illed
wor
kfor
ce.
Mor
e cy
ber s
ecur
ity s
tart
‑ups
acq
uire
cap
ital t
o es
tabl
ish
Whi
le th
ere
have
bee
n pr
omis
ing
step
s, su
ch a
s the
Fut
ure
Fund
’s in
vest
men
t in
Bitg
lass
, th
ere
rem
ains
a p
erce
ptio
n th
at A
ustr
alia
n cy
ber s
tart
‑ups
mus
t tra
vel t
o th
e U
S or
el
sew
here
to o
btai
n th
e ne
cess
ary
capi
tal f
or g
row
th.
Mor
e cy
ber s
ecur
ity s
olut
ions
are
dev
elop
ed
and
com
mer
cial
ised
Th
ere’
s ins
uffic
ient
bas
elin
e in
form
atio
n av
aila
ble
to q
uant
ify a
ny in
crea
se in
the
com
mer
cial
isat
ion
of A
ustr
alia
n cy
bers
ecur
ity s
olut
ions
. Act
ion
shou
ld b
e ta
ken
to
colle
ct th
e in
form
atio
n ne
eded
to m
easu
re th
e gr
owth
of t
he in
dust
ry.
This
out
com
e is
dep
ende
nt o
n th
e su
cces
sful
exp
ansi
on a
nd o
pera
tion
of th
e AC
SGN
.
The
num
ber o
f cyb
er s
ecur
ity b
usin
esse
s in
Aust
ralia
gro
ws
Ther
e’s i
nsuff
icie
nt b
asel
ine
info
rmat
ion
avai
labl
e to
qua
ntify
any
incr
ease
in th
e nu
mbe
rs o
f Aus
tral
ian
cybe
rsec
urity
bus
ines
ses.
Act
ion
shou
ld b
e ta
ken
to c
olle
ct th
e in
form
atio
n ne
eded
to m
easu
re th
e gr
owth
of t
he in
dust
ry.
This
out
com
e is
dep
ende
nt o
n th
e su
cces
sful
exp
ansi
on a
nd o
pera
tion
of th
e AC
SGN
.
Mor
e Au
stra
lian
cybe
r sec
urity
pro
duct
s and
se
rvic
es a
re e
xpor
ted
The
base
line
agai
nst w
hich
this
indi
cato
r is t
o be
mea
sure
d is
not
ava
ilabl
e, a
nd n
o in
form
atio
n ag
ains
t whi
ch su
cces
s or f
ailu
re c
an b
e ju
dged
is y
et a
vaila
ble.
This
out
com
e is
dep
ende
nt o
n th
e su
cces
sful
exp
ansi
on a
nd o
pera
tion
of th
e AC
SGN
.
Mor
e in
tern
atio
nal b
usin
esse
s inv
est i
n Au
stra
lian
cybe
r sec
urity
rese
arch
, inn
ovat
ion
and
solu
tions
Whi
le th
ere’
s no
base
line
data
ava
ilabl
e to
ass
ess a
n in
crea
se, A
ustr
ade
has r
epor
ted
sign
ifica
nt fo
reig
n in
vest
men
t act
ivity
.
This
out
com
e is
dep
ende
nt o
n th
e su
cces
sful
exp
ansi
on a
nd o
pera
tion
of th
e AC
SGN
.
All b
usin
esse
s ben
efit f
rom
cyb
er se
curit
y so
lutio
ns
com
mer
cial
ised
with
Gro
wth
Cen
tre
supp
ort
It is
n’t c
lear
how
pro
gres
s tow
ards
this
out
com
e ca
n be
mea
sure
d.Bl
ack
31
Acti
onO
utco
me
Prog
ress
to d
ate
Rati
ng
28. B
oost
Dat
a61’
s cap
acity
fo
r cyb
er s
ecur
ity
rese
arch
, sup
port
to
com
mer
cial
isat
ion
of
cybe
r sec
urity
sol
utio
ns,
impr
ovin
g cy
ber s
ecur
ity
skill
s and
dee
peni
ng
conn
ectio
ns w
ith
inte
rnat
iona
l par
tner
s,
thro
ugh
the
Nat
iona
l In
nova
tion
and
Scie
nce
Agen
da
Data
61’s
effor
ts o
n cy
ber s
ecur
ity re
sear
ch a
nd
inno
vatio
n ha
ve a
mul
tiplie
r effe
ct o
n th
e ac
tiviti
es
with
in th
e Gr
owth
Cen
tre’
s nat
iona
l cyb
er s
ecur
ity
inno
vatio
n ne
twor
k
As th
e AC
SGN
has
bee
n op
erat
ing
only
sinc
e D
ecem
ber,
it’s d
iffic
ult t
o pe
rcei
ve si
gnifi
cant
pr
ogre
ss a
gain
st th
is o
utco
me.
How
ever
, coo
pera
tion
betw
een
the
ACSG
N a
nd D
ata6
1 ap
pear
s to
be p
rogr
essi
ng. D
ata6
1 ha
s bee
n al
loca
ted
a su
bsta
ntia
l bud
get,
but i
t’s
uncl
ear s
peci
fical
ly w
hat i
t will
be
spen
t on.
The
Dep
artm
ent o
f Ind
ustr
y, In
nova
tion
and
Scie
nce
has e
stab
lishe
d a
‘dig
ital m
arke
t pla
ce’ a
s par
t of t
he N
ISA,
whe
re sm
all
com
pani
es c
an e
ngag
e to
incr
ease
thei
r pro
file
for g
over
nmen
t pro
cure
men
t con
trac
ts.
The
num
ber o
f stu
dent
s in
cybe
r sec
urity
PhD
pr
ogra
ms i
ncre
ase,
thro
ugh
the
supp
ort o
f Dat
a61
scho
lars
hip
prog
ram
s
No
data
on
the
num
ber o
f PhD
stu
dent
s aga
inst
whi
ch to
mea
sure
any
incr
ease
in th
eir
num
ber i
s ava
ilabl
e. H
owev
er, D
ata6
1 do
es h
ave
40 P
hD s
tude
nts w
ith a
spec
ific
focu
s on
cybe
rsec
urity
issu
es, a
nd th
e cu
rren
t sch
olar
ship
roun
d in
clud
es 1
2 ne
w c
yber
focu
ssed
Ph
D off
ers.
SIN
ET is
succ
essf
ully
est
ablis
hed
in A
ustr
alia
br
ingi
ng to
geth
er c
yber
inno
vato
rs, b
uyer
s and
in
vest
ors,
com
plem
entin
g ac
tiviti
es o
f the
Cyb
er
Secu
rity
Grow
th C
entr
e
The
first
SIN
ET61
con
fere
nce
was
hel
d in
Syd
ney
in S
epte
mbe
r 201
6, a
nd th
e se
cond
will
be
hel
d in
Sep
tem
ber 2
017.
29.
Wor
k w
ith b
usin
ess a
nd
the
rese
arch
com
mun
ity to
be
tter
targ
et c
yber
secu
rity
rese
arch
to A
ustr
alia
’s cy
ber
secu
rity c
halle
nges
Aust
ralia
’s cy
ber s
ecur
ity R
&D is
robu
st,
com
petit
ive
and
coor
dina
ted
The
Annu
al U
pdat
e no
tes e
ffort
s to
incr
ease
par
tner
ship
s bet
wee
n in
dust
ry a
nd
acad
emic
inst
itutio
ns, s
uch
as th
e O
cean
ia C
yber
Sec
urity
Cen
tre
in V
icto
ria,
Com
mon
wea
lth B
ank
and
UN
SW, a
nd O
ptus
and
Mac
quar
ie U
nive
rsity
in S
ydne
y.
How
ever
it is
not
app
aren
t tha
t the
se p
artn
ersh
ips h
ave
incr
ease
d th
e co
ordi
natio
n or
co
mpe
titiv
enes
s of A
ustr
alia
n cy
ber R
&D.
Aust
ralia
’s cy
ber s
ecur
ity R
&D e
xplo
res c
urre
nt a
nd
emer
ging
cha
lleng
es fo
r Aus
tral
ia’s
natio
nal c
yber
se
curit
y
In M
arch
201
7 th
e D
epar
tmen
t of D
efen
ce a
nnou
nced
the
Nex
t Gen
erat
ion
Tech
nolo
gies
Fu
nd, w
hich
is in
tend
ed to
faci
litat
e re
sear
ch p
artn
ersh
ips b
etw
een
Data
61 a
nd
Aust
ralia
n un
iver
sitie
s to
addr
ess e
mer
ging
cyb
er th
reat
s. T
he su
cces
s of t
his i
nitia
tive
cann
ot b
e as
sess
ed a
s it h
as o
nly
just
beg
un.
30. P
rom
ote
Aust
ralia
n cy
ber
secu
rity
prod
ucts
and
se
rvic
es fo
r dev
elop
men
t an
d ex
port
The
Aust
ralia
n pu
blic
and
priv
ate
sect
ors m
atur
e th
eir u
nder
stan
ding
of h
ome‑
grow
n cy
ber s
ecur
ity
capa
bilit
ies
Initi
ativ
es su
ch a
s Aus
trad
e’s C
yber
secu
rity
indu
stry
cap
abili
ty re
port
, hig
hlig
htin
g th
e ca
pabi
litie
s of A
ustr
alia
’s cy
bers
ecur
ity in
dust
ry to
fore
ign
inve
stor
s, in
dica
te th
at
ther
e’s s
igni
fican
t act
ivity
tow
ards
this
obj
ectiv
e, b
ut m
ore
wor
k is
nee
ded
for t
heir
unde
rsta
ndin
g to
be
cons
ider
ed m
atur
e.
The
Gov
ernm
ent i
nves
ts in
dev
elop
ing
Aust
ralia
n‑ba
sed
cybe
r sec
urity
idea
sIn
itiat
ives
such
as f
undi
ng fo
r Aus
tral
ian
dele
gatio
ns a
t the
RSA
Con
fere
nce
and
the
cybe
rsec
urity
del
egat
ion
that
vis
ited
the
US fo
r Aus
tral
ia–U
S Bu
sine
ss W
eek
in A
ugus
t 20
16 a
re e
ncou
ragi
ng si
gns o
f pro
gres
s. F
utur
e Fu
nd in
vest
men
t in
cybe
rsec
urity
firm
s is
a p
rom
isin
g si
gn, b
ut fu
rthe
r evi
denc
e of
gov
ernm
ent i
nves
tmen
t is n
eede
d to
ens
ure
actio
n to
war
ds th
e ac
hiev
emen
t of t
his o
utco
me.
Aus
trad
e’s e
stab
lishm
ent o
f Aus
tral
ian
inno
vatio
n ‘la
ndin
g pa
ds’ i
n Be
rlin,
San
Fra
ncis
co, S
hang
hai,
Sing
apor
e an
d Te
l Avi
v is
als
o he
lpin
g to
supp
ort t
he m
atur
atio
n of
Aus
tral
ian
star
t‑ups
.
Mor
e in
tern
atio
nal o
rgan
isat
ions
inve
st in
Aus
tral
ia
and
the
Aust
ralia
n cy
ber s
ecur
ity se
ctor
Whi
le n
o ba
selin
e da
ta to
ass
ess a
n in
crea
se is
ava
ilabl
e, A
ustr
ade
has r
epor
ted
sign
ifica
nt fo
reig
n in
vest
men
t act
ivity
.Bl
ack
32 AUSTRALIA’S CYBER SECURITY STRATEGY: EXECUTION & EVOLUTION
A CY
BER
SMAR
T NA
TION
Goal
: Aus
tral
ians
hav
e th
e cy
ber s
ecur
ity sk
ills a
nd k
now
ledg
e to
thriv
e in
the
digi
tal a
ge.
Acti
onO
utco
me
Prog
ress
to d
ate
Rati
ng
31.
Part
ner w
ith A
ustr
alia
n go
vern
men
ts, b
usin
esse
s,
educ
atio
n pr
ovid
ers a
nd th
e re
sear
ch c
omm
unity
in a
nat
iona
l eff
ort t
o de
velo
p cy
ber s
ecur
ity
skill
s to:
• es
tabl
ish
acad
emic
cen
tres
of
cyb
er s
ecur
ity e
xcel
lenc
e in
uni
vers
ities
;
• en
sure
qua
lifica
tions
in th
e IC
T fie
ld p
rovi
de c
yber
sec
urity
skill
s;
• in
trod
uce
prog
ram
s for
all
peop
le a
t all
leve
ls in
the
wor
kfor
ce to
impr
ove
thei
r cy
ber s
ecur
ity sk
ills a
nd
know
ledg
e, s
tart
ing
with
thos
e in
exe
cutiv
e‑le
vel p
ositi
ons;
• co
ntin
ue to
rais
e aw
aren
ess i
n sc
hool
s of t
he c
ore
skill
s nee
ded
for a
car
eer i
n cy
ber s
ecur
ity;
• un
ders
tand
and
add
ress
the
caus
es o
f low
par
ticip
atio
n by
w
omen
in c
yber
secu
rity
care
ers;
an
d
• ex
pand
the
Gov
ernm
ent’s
an
nual
Cyb
er S
ecur
ity
Chal
leng
e Au
stra
lia to
a b
road
er
prog
ram
of c
ompe
titio
ns a
nd
skill
s dev
elop
men
t.
The
skill
s of u
nive
rsity
gra
duat
es a
nd
tech
nica
l col
lege
stu
dent
s with
cyb
er
secu
rity
qual
ifica
tions
are
impr
oved
In F
ebru
ary
2017
, the
Min
iste
r for
Edu
catio
n, S
enat
or S
imon
Birm
ingh
am, a
nd th
e M
inis
ter A
ssis
ting
the
Prim
e M
inis
ter o
n Cy
ber S
ecur
ity, D
an T
ehan
, ann
ounc
ed
that
app
licat
ions
wou
ld b
e ac
cept
ed fr
om u
nive
rsiti
es s
eeki
ng to
be
reco
gnis
ed a
s cy
ber a
cade
mic
cen
tres
of e
xcel
lenc
e. T
he A
nnua
l Upd
ate
note
s tha
t the
succ
essf
ul
inst
itutio
ns w
ill b
e an
noun
ced
in 2
017.
Thi
s pro
gram
has
a to
tal b
udge
t of $
1.9
mill
ion
over
four
yea
rs (t
o 20
20),
or $
475,
000
per y
ear.
Ther
e ha
s als
o be
en s
tron
g pr
ivat
e se
ctor
ac
tivity
in th
is sp
ace,
incl
udin
g CB
A’s p
artn
ersh
ip w
ith U
NSW
and
Opt
us’s
colla
bora
tion
with
Mac
quar
ie U
nive
rsity
.
Des
pite
thos
e ac
tiviti
es, i
t’s n
ot c
lear
how
pro
gres
s tow
ards
this
out
com
e ca
n be
pr
actic
ally
mea
sure
d.
Blac
k
The
num
ber o
f cyb
er s
ecur
ity g
radu
ates
in
crea
ses
Seve
ral n
ew c
yber
secu
rity
cour
ses h
ave
been
laun
ched
by
Aust
ralia
n un
iver
sitie
s in
the
past
12
mon
ths.
How
ever
, the
re’s
no in
form
atio
n av
aila
ble
publ
icly
on
how
man
y cy
bers
ecur
ity g
radu
ates
ther
e ar
e in
Aus
tral
ia, s
o it
isn’
t pos
sibl
e to
ass
ess w
heth
er
ther
e ha
s bee
n an
incr
ease
in n
umbe
rs. A
gain
, priv
ate-
sect
or e
ffort
s to
co-d
esig
n an
d su
ppor
t cyb
erse
curit
y co
urse
s are
mak
ing
head
way
on
this
issu
e.
Blac
k
The
num
ber o
f chi
ldre
n st
udyi
ng su
bjec
ts
at s
choo
l tha
t will
equ
ip th
em fo
r car
eers
in
cybe
r sec
urity
incr
ease
s
The
‘You
ng A
ustr
alia
ns’ p
rogr
am o
f the
NIS
A is
pro
mot
ing
digi
tal l
itera
cy in
prim
ary
scho
ol a
nd s
tude
nts’
take
‑up
of S
TEM
cla
sses
in h
igh
scho
ol, A
SD h
as p
ushe
d a
high
sc
hool
recr
uitm
ent d
rive
for s
hort
‑ter
m s
tude
nt p
lace
men
ts, a
nd b
otto
m‑u
p ch
ange
s ar
e oc
curr
ing
in s
choo
l cur
ricul
ums a
nd e
xtra
curr
icul
ar p
rogr
ams.
How
ever
, the
ab
senc
e of
rese
arch
dat
a on
how
man
y Au
stra
lian
stud
ents
wer
e eq
uipp
ed fo
r car
eers
in
cybe
rsec
urity
12
mon
ths a
go m
akes
impr
ovem
ent i
n th
is a
rea
hard
to ju
dge.
Blac
k
33
Acti
onO
utco
me
Prog
ress
to d
ate
Rati
ng
Mor
e w
omen
and
peo
ple
with
div
erse
ba
ckgr
ound
s tak
e up
and
cha
nge
to a
ca
reer
in c
yber
sec
urity
Whi
le th
ere’
s no
base
line
data
ava
ilabl
e to
ass
ess a
ny in
crea
se in
the
dive
rsity
of t
he
cybe
r wor
kfor
ce, t
here
is a
n ac
tive
prog
ram
of e
ngag
emen
t with
wom
en in
the
indu
stry
to
und
erst
and
barr
iers
to p
artic
ipat
ion
and
prov
ide
solu
tions
. To
date
thes
e in
itiat
es
are
focu
ssed
on
incr
easi
ng fe
mal
e pa
rtic
ipat
ion
in th
e cy
ber w
orkf
orce
, and
ther
e is
no
evid
ence
of w
ork
to a
ddre
ss b
oard
er d
iver
sity
issu
es. F
or e
xam
ple,
a ‘w
omen
in c
yber
’ lu
nch
was
hel
d in
Mel
bour
ne o
n In
tern
atio
nal W
omen
’s Da
y 20
17, l
ast y
ear t
he fe
mal
e pa
rtic
ipan
ts o
f the
201
5 Au
stra
lian
Cybe
r Sec
urity
Cha
lleng
e w
ere
offer
ed a
spec
ial
prog
ram
of e
vent
s and
men
tors
hip,
and
the
ACSC
hel
d a
wom
en’s
netw
orki
ng e
vent
fo
r fem
ale
tech
nica
l pra
ctiti
oner
s. T
hese
act
ions
are
a p
ositi
ve in
fluen
ce, b
ut it
will
ta
ke c
onsi
dera
ble
time
befo
re th
ey tr
ansl
ate
into
wom
en m
akin
g ca
reer
cha
nges
. Als
o,
focu
sing
on
tech
nica
l ski
lls w
ill so
lve
only
par
t of t
he p
robl
em. T
here
’s a
need
to a
ttra
ct
indi
vidu
als f
rom
a b
road
er ra
nge
of d
isci
plin
es, i
nclu
ding
pol
icy,
com
mun
icat
ions
and
la
w, t
o ac
hiev
e a
trul
y di
vers
e cy
ber w
orkf
orce
.
Blac
k
Peop
le a
t all
leve
ls in
the
wor
kfor
ce,
incl
udin
g th
ose
in e
xecu
tive‑
leve
l po
sitio
ns, h
ave
the
oppo
rtun
ity to
impr
ove
thei
r cyb
er s
ecur
ity k
now
ledg
e an
d sk
ills
by p
artic
ipat
ing
in c
ompe
titio
ns, s
hort
co
urse
s, e
xecu
tive
trai
ning
and
oth
er
prog
ram
s suc
h as
Mas
ters
deg
rees
Initi
ativ
es su
ch a
s Sta
y Sm
art O
nlin
e w
eek
and
incr
easin
g nu
mbe
rs o
f uni
vers
ity c
ours
es
sugg
est t
hat t
he o
ppor
tuni
ty to
impr
ove
cybe
rsec
urity
kno
wle
dge
is av
aila
ble,
but
ther
e’s
no d
ata
on h
ow m
any p
eopl
e ha
ve ta
ken
up th
at o
ppor
tuni
ty. D
ata6
1 an
d th
e Au
stra
lian
Inst
itute
of C
ompa
ny D
irect
ors b
egan
wor
king
toge
ther
in A
pril
2016
to e
leva
te th
e le
vel o
f cy
ber l
itera
cy o
f dire
ctor
s and
boa
rds a
cros
s Aus
tral
ia. D
ata6
1 CE
O A
dria
n Tu
rner
hos
ted
an
educ
atio
nal w
ebin
ar o
n cy
ber i
ncid
ent m
anag
emen
t in
Nov
embe
r 201
6 fo
r 440
mem
bers
of
the
inst
itute
. How
ever
, the
cur
ricul
um st
ill a
ppea
rs to
be
in th
e de
velo
pmen
t sta
ge, a
nd
grea
ter s
peed
of d
eliv
ery w
ill b
e ne
eded
for t
his o
utco
me
to b
e ac
hiev
ed. .
Opp
ortu
nitie
s to
part
icip
ate
in A
ustr
alia
n cy
ber s
ecur
ity c
ompe
titio
ns in
crea
ses,
in
clud
ing
inte
rnat
iona
lly
The
Cybe
r Sec
urity
Cha
lleng
e Au
stra
lia re
mai
ns th
e on
ly n
atio
nal l
evel
com
petit
ion.
ASD
ha
s beg
un a
hig
h sc
hool
leve
l com
petit
ion,
whi
ch re
cent
ly fe
atur
ed a
cod
ing
day f
or fe
mal
e st
uden
ts in
Can
berr
a sc
hool
s, a
nd L
a Tr
obe
Uni
vers
ity h
as p
artn
ered
with
Cis
co a
nd O
ptus
to
hol
d Cy
ber G
ames
for M
elbo
urne
hig
h sc
hool
stud
ents
. How
ever
, mor
e ev
iden
ce o
f su
ppor
t for
par
ticip
atio
n in
inte
rnat
iona
l com
petit
ions
, and
mor
e fre
quen
t com
petit
ions
in
Aust
ralia
, wou
ld b
e ne
eded
for t
he a
chie
vem
ent o
f thi
s out
com
e.
32. B
ring
toge
ther
and
gro
w p
ublic
an
d pr
ivat
e se
ctor
cyb
er s
ecur
ity
awar
enes
s pro
gram
s to
mak
e th
e be
st u
se o
f com
bine
d re
sour
ces
Mor
e pe
ople
hav
e im
prov
ed k
now
ledg
e of
th
e re
al‑w
orld
impa
cts o
f cyb
er ri
sks a
nd
the
way
they
affe
ct o
ur c
urre
nt a
nd fu
ture
pr
ospe
rity
Achi
evem
ent o
f thi
s out
com
e is
diff
icul
t to
mea
sure
, but
ther
e’s o
ngoi
ng g
row
th in
the
exch
ange
of i
nfor
mat
ion
betw
een
the
publ
ic a
nd p
rivat
e se
ctor
s, in
clud
ing
shar
ing
of
corp
orat
e an
d go
vern
men
t inf
orm
atio
n an
d aw
aren
ess p
rogr
ams.
33. W
ork
with
oth
er c
ount
ries o
n cy
ber s
ecur
ity‑a
war
enes
s‑ra
isin
g pr
ogra
ms t
o de
liver
mut
ually
be
nefic
ial o
utco
mes
We
achi
eve
econ
omie
s of s
cale
thro
ugh
join
ed‑u
p aw
aren
ess‑
rais
ing
prog
ram
s Au
stra
lia’s
cybe
r aw
aren
ess r
aisin
g ca
mpa
ign,
Sta
y Sm
art O
nlin
e, w
as h
eld
in c
oord
inat
ion
with
Cyb
er S
ecur
ity A
war
enes
s Mon
th in
the
US. S
tay S
mar
t Onl
ine
repo
rts n
ew
info
rmat
ion‑
shar
ing
arra
ngem
ents
with
inte
rnat
iona
l par
tner
s, in
clud
ing
the
US, N
ew
Zeal
and
and
the
UK.
Aus
tral
ia’s
Stay
Sm
art o
nlin
e al
so c
olla
bora
ted
with
New
Zea
land
’s Co
nnec
t Sm
art a
war
enes
s ini
tiativ
e, a
s wel
l as t
he p
rivat
e se
ctor
, to
co‑d
evel
op th
e Se
curit
y aw
aren
ess i
mpl
emen
tatio
n gu
ide
for b
usin
esse
s in
Oct
ober
201
6.
34 AUSTRALIA’S CYBER SECURITY STRATEGY: EXECUTION & EVOLUTION
APPE
NDIX
2: H
OW
MUC
H IS
TH
E AU
STRA
LIAN
GO
VERN
MEN
T SP
ENDI
NG
ON
CYB
ER IS
SUES
?
The
cros
s-po
rtfo
lio n
atur
e of
cyb
er is
sues
and
a la
ck o
f defi
nitio
n ab
out w
hat i
s ‘cy
ber’
expe
nditu
re m
ake
it di
fficu
lt to
par
se th
e tr
ue e
xten
t of t
he o
vera
ll Au
stra
lian
Gov
ernm
ent c
yber
bud
get.
Maj
or p
olic
y an
noun
cem
ents
such
as t
he C
yber
Sec
urity
Str
ateg
y, b
ut a
lso
the
Nat
iona
l Inn
ovat
ion
and
Scie
nce
Agen
da a
nd th
e 20
16 D
efen
ce W
hite
Pap
er, a
ll in
clud
e ex
pend
iture
that
can
be
rela
ted
to th
e cy
bers
ecur
ity o
bjec
tives
of t
he s
trat
egy.
Thi
s fun
ding
is d
istr
ibut
ed a
cros
s sev
eral
age
ncie
s and
dep
artm
ents
, inc
reas
ing
the
opac
ity o
f the
fina
ncia
l res
ourc
es g
over
nmen
t has
co
mm
itted
to a
chie
ve it
s obj
ectiv
es fo
r cyb
erse
curit
y. T
he a
naly
sis i
n th
is a
ppen
dix a
ttem
pts t
o br
eak
the
fund
ing
com
mitm
ents
dow
n us
ing
info
rmat
ion
avai
labl
e in
the
2016
–17
and
201
7–18
Bu
dget
, and
the
2015
–16
and
2016
–17
Mid
-Yea
r Eco
nom
ic a
nd F
isca
l Out
look
s (M
YEFO
s) to
det
erm
ine
the
exte
nt o
f new
Aus
tral
ian
Gov
ernm
ent c
yber
fund
ing.
Exi
stin
g fu
ndin
g fo
r cyb
er-r
elat
ed
activ
ities
by
agen
cies
is e
ven
mor
e di
fficu
lt to
dis
cern
. The
tabl
es b
elow
dis
cuss
new
app
ropr
iatio
ns, e
xcep
t whe
re th
e us
e of
exi
stin
g fu
nds h
as b
een
expl
icitl
y m
entio
ned
in p
olic
y do
cum
ents
an
d an
noun
cem
ents
.
Whe
n bu
dget
com
mitm
ents
abo
ve e
xist
ing
base
line
fund
ing
for i
nitia
tives
rela
ted
to a
chie
vem
ent o
f the
obj
ectiv
es o
utlin
ed in
the
Cybe
r Sec
urity
Str
ateg
y, in
clud
ing
thos
e fu
nded
und
er
the
NIS
A an
d th
e D
efen
ce W
hite
Pap
er, a
re a
mal
gam
ated
, gov
ernm
ent h
as b
udge
ted
to sp
end
$493
.9 m
illio
n be
twee
n 20
15–1
6 an
d 20
19–2
0. T
hese
fund
s are
larg
ely
fund
ing
the
effor
ts o
f th
e At
torn
ey‑G
ener
al’s
Dep
artm
ent,
Data
61 a
nd th
e D
epar
tmen
t of I
nnov
atio
n an
d Sc
ienc
e. W
hile
Def
ence
was
pro
mis
ed a
n ad
ditio
nal $
300–
400
mill
ion
out t
o 20
26 in
the
Def
ence
Whi
te
Pape
r, w
hen
that
fund
ing
is sp
read
eve
nly
over
10
year
s, a
nd tr
ansf
ers o
f app
ropr
iatio
n to
oth
er d
epar
tmen
ts a
re in
clud
ed, n
ew fu
ndin
g to
Def
ence
out
to 2
019–
20 d
ips b
elow
$40
mill
ion.
M
ost t
he n
ew fu
ndin
g do
esn’
t beg
in u
ntil
2018
–19,
sugg
estin
g th
at d
epar
tmen
ts a
nd a
genc
ies h
ave
been
giv
en a
two‑
year
lead
tim
e to
pre
pare
for t
he b
egin
ning
of n
ew c
yber
initi
ativ
es.
Whi
le it
’s re
ason
able
for a
genc
ies t
o be
giv
en s
ome
time
to p
repa
re, t
wo
year
s for
a p
riorit
y is
sue
is v
ery
gene
rous
for p
rogr
ams w
ith n
o ca
pita
l com
pone
nt, s
uch
as a
war
enes
s‑ra
isin
g an
d ed
ucat
ion
prog
ram
s.
A re
gula
r upd
ate
from
gov
ernm
ent o
n its
exp
endi
ture
and
futu
re b
udge
ts fo
r cyb
er is
sues
, per
haps
as p
art o
f reg
ular
ann
ual r
evie
ws o
f cyb
er p
olic
y an
d st
rate
gy, w
ould
be
a si
gnifi
cant
ste
p to
war
ds tr
acki
ng th
e ac
hiev
emen
t of c
yber
secu
rity
goal
s. It
wou
ld a
lso
prov
ide
a ba
selin
e fro
m w
hich
to a
sses
s Aus
tral
ian
expe
nditu
re a
gain
st re
gion
al a
nd o
ther
cou
ntrie
s to
ensu
re th
at
inve
stm
ent i
s rea
sona
ble
and
adeq
uate
to m
eet e
mer
ging
cha
lleng
es. I
t may
als
o gi
ve th
e go
vern
men
t the
opp
ortu
nity
to b
ette
r und
erst
and
area
s of d
uplic
atio
n or
gap
s in
its s
trat
egy
and
prov
ide
priv
ate‑
sect
or p
artn
ers w
ith su
rety
of c
ontin
uity
of p
rogr
ams t
hat t
hey
may
inve
st th
eir o
wn
fund
s in
impl
emen
ting.
Tabl
e 2
com
pile
s the
NIS
A pr
ogra
ms t
hat a
re re
late
d to
ach
ievi
ng th
e go
vern
men
t’s c
yber
secu
rity
goal
s fro
m th
e 20
15–1
6 M
YEFO
. The
se p
rogr
ams,
tota
lling
$35
6.6
mill
ion
over
five
yea
rs, a
re
eith
er d
irect
ly re
late
d to
cyb
erse
curit
y or
hav
e a
sign
ifica
nt re
latio
nshi
p w
ith th
e ac
hiev
emen
t of t
he g
over
nmen
t’s C
yber
Sec
urity
Str
ateg
y ob
ject
ives
by
supp
ortin
g th
e gr
owth
of A
ustr
alia
n cy
ber s
kills
and
indu
stry
. Thi
s inc
lude
s $74
.6 m
illio
n fo
r CSI
RO’s
Data
61, f
ar b
eyon
d th
e $7
.5 m
illio
n no
ted
as e
arm
arke
d by
NIS
A fo
r Dat
a61
in th
e Cy
ber S
ecur
ity S
trat
egy
fund
ing
tabl
e. A
smal
l po
rtio
n of
this
fund
ing
com
es d
irect
ly fr
om P
M&C
, and
is n
otew
orth
y as
the
only
fund
ing
allo
cate
d to
PM
&C a
nyw
here
for t
he im
plem
enta
tion
of c
yber
‑rel
ated
act
iviti
es.
35
TABL
E 2:
201
5–16
MYE
FO
Expe
nse
($m
)20
15–1
620
16–1
720
17–1
820
18–1
920
19–2
0To
tal
CSIR
O—
Data
610
24.2
24.4
24.5
073
.1
Dep
artm
ent o
f Ind
ustr
y, In
nova
tion
and
Scie
nce
26.6
27.7
25.8
36.3
011
6.4
NIS
A—Ad
vanc
ing
Aust
ralia
’s cy
ber s
ecur
ity0
4.2
6.8
10.8
021
.8
NIS
A—In
nova
tion
and
Scie
nce
Aust
ralia
1.1
2.3
2.5
2.3
08.
2
NIS
A—In
spiri
ng a
ll Au
stra
lians
in S
TEM
25.5
13.2
8.7
15.5
062
.9
NIS
A—Q
uant
um c
ompu
ting
05.
45
50
15.4
NIS
A—Su
ppor
ting
incu
bato
rs0
2.6
2.8
2.7
08.
1
Dep
artm
ent o
f Edu
catio
n an
d Tr
aini
nga
014
.916
.517
.80
49.2
Dep
artm
ent o
f the
Prim
e M
inis
ter a
nd C
abin
etb
00.
50.
50.
50
1.5
Tota
l53
.295
9311
5.4
035
6.6
a N
ISA:
Insp
iring
all
Aust
ralia
ns in
STE
M.
b N
ISA:
Dat
a61.
Whe
n th
e go
vern
men
t rel
ease
d th
e Cy
ber S
ecur
ity S
trat
egy,
it no
ted
that
‘abo
ut’ $
230
mill
ion
wou
ld b
e al
loca
ted
over
four
yea
rs to
fund
the
actio
ns in
itiat
ed b
y th
e st
rate
gy. T
he fu
ndin
g ta
ble
prov
ided
by
PM&C
not
es th
at a
t lea
st $
38 m
illio
n of
that
am
ount
had
pre
viou
sly
been
ann
ounc
ed a
s par
t of t
he g
over
nmen
t’s $
1.1
billi
on N
atio
nal I
nnov
atio
n an
d Sc
ienc
e Ag
enda
, rel
ease
d in
De
cem
ber 2
015.
17 A
dditi
onal
ly, t
he 2
016
Defe
nce
Whi
te P
aper
indi
cate
d th
at D
efen
ce w
ould
spen
d $3
00–4
00 m
illio
n ov
er 1
0 ye
ars o
n ex
pand
ing
its c
yber
secu
rity
capa
bilit
ies.
Fund
ing
of $
195
mill
ion
over
four
yea
rs fo
r str
ateg
y in
itiat
ives
was
app
ropr
iate
d in
the
2016
–17
Budg
et. T
able
3 m
akes
it c
lear
that
, whi
le th
e st
rate
gy is
cer
tain
ly fu
nded
, a si
gnifi
cant
pro
port
ion
of th
e bu
dget
is a
ctua
lly re
appr
opria
ted
Def
ence
fund
ing
rath
er th
an n
ew fu
ndin
g. D
efen
ce h
as tr
ansf
erre
d $1
22 m
illio
n to
sev
eral
oth
er d
epar
tmen
ts a
nd a
genc
ies a
nd h
as n
ot b
een
allo
cate
d ad
ditio
nal a
ppro
pria
tion
for t
he $
51 m
illio
n of
str
ateg
y in
itiat
ives
that
it’s
resp
onsi
ble
for i
mpl
emen
ting.
Onc
e th
e tr
ansf
er o
f app
ropr
iatio
n fro
m D
efen
ce is
take
n in
to a
ccou
nt, n
ew fu
ndin
g fo
r str
ateg
y in
itiat
ives
in 2
016–
17 a
nd 2
017–
18 is
$0.
4 m
illio
n an
d $0
.2 m
illio
n, re
spec
tivel
y, b
efor
e ra
mpi
ng
up to
$5.
4 m
illio
n of
new
fund
ing
in 2
018–
19. T
his s
ugge
sts t
hat f
undi
ng h
as b
een
phas
ed to
acc
ount
for e
xpec
ted
dela
ys in
impl
emen
tatio
n w
hile
age
ncie
s dev
elop
cap
acity
to d
eliv
er th
e in
itiat
ives
. In
tota
l, th
e go
vern
men
t has
to fi
nd o
nly
an a
dditi
onal
$14
.2 m
illio
n ov
er fo
ur y
ears
to fu
nd th
e st
rate
gy’s
impl
emen
tatio
n, o
f whi
ch $
13.6
mill
ion
does
n’t n
eed
to b
e fo
und
until
the
late
r yea
rs o
f the
est
imat
es.
Desp
ite b
eing
giv
en a
sign
ifica
nt le
ader
ship
role
in th
e de
liver
y of t
he C
yber
Sec
urity
Str
ateg
y, PM
&C h
asn’
t rec
eive
d an
y add
ition
al fu
ndin
g ov
er th
e fo
rwar
d es
timat
es fo
r str
ateg
y im
plem
enta
tion.
Th
e De
part
men
t of C
omm
unic
atio
ns a
nd th
e Ar
ts p
lays
a k
ey ro
le in
pur
suin
g Au
stra
lia’s
inte
rnat
iona
l cyb
er o
bjec
tives
thro
ugh
its w
ork
in b
odie
s suc
h as
the
Inte
rnat
iona
l Tel
ecom
mun
icat
ion
Uni
on,
but h
as a
lso
rece
ived
no
addi
tiona
l fun
ding
. Sim
ilarly
, DFA
T w
ill m
eet i
ts st
rate
gy c
omm
itmen
ts fr
om e
xist
ing
fund
ing,
and
no
new
fund
ing
has b
een
appr
opria
ted.
17
http
s://
cybe
rsec
urity
stra
tegy
.dpm
c.go
v.au
/ass
ets/
img/
Cybe
r‑Sec
urity
‑Str
ateg
y‑Fu
ndin
g‑fa
ct‑s
heet
.doc
x
36 AUSTRALIA’S CYBER SECURITY STRATEGY: EXECUTION & EVOLUTION
The
far r
ight
col
umn
of T
able
3 sh
ows t
he d
iffer
ence
bet
wee
n fu
ndin
g an
noun
ced
in th
e Cy
ber S
ecur
ity S
trat
egy
and
fund
ing
prov
ided
in th
e Bu
dget
. Whi
le m
ost a
genc
ies w
ere
appr
opria
ted
the
fund
ing
prom
ised
in th
e st
rate
gy, i
t’s c
lear
that
mos
t of t
he fu
ndin
g is
redi
strib
uted
or r
ebad
ged
exis
ting
fund
ing
and,
as n
oted
abo
ve, m
ost o
f thi
s has
com
e ou
t of t
he D
efen
ce b
udge
t.
TABL
E 3:
201
6–17
BUD
GET—
CYBE
R SE
CURI
TY —
IMPL
EMEN
TATI
ON
OF
AUST
RALI
A’S
CYBE
R SE
CURI
TY S
TRAT
EGY
Fund
ing
anno
unce
d in
str
ateg
yDi
ffer
ence
bet
wee
n st
rate
gy fu
ndin
g an
d 16
–17
Budg
et
($m
)20
15–1
620
16–1
720
17–1
820
18–1
920
19–2
0To
tal
($m
ove
r fo
ur y
ears
)($
m o
ver
four
yea
rs)
Atto
rney
‑Gen
eral
’s D
epar
tmen
t0.
016
.522
.522
.021
.382
.382
.4–0
.1
Expe
nse
0.0
12.8
17.4
17.3
18.3
65.8
Capi
tal
0.0
3.7
5.1
4.7
3.0
16.5
Aust
ralia
n Fe
dera
l Pol
ice
0.0
4.1
5.5
5.4
5.4
20.4
20.4
0.0
Expe
nse
0.0
3.1
5.3
5.4
5.4
19.2
Capi
tal
0.0
1.0
0.2
0.0
0.0
1.2
Aust
ralia
n Cr
imin
al In
telli
genc
e Co
mm
issi
on0.
01.
74.
84.
44.
415
.316
–0.7
Expe
nse
0.0
1.7
4.8
4.4
4.4
15.3
Capi
tal
0.0
0.3
0.4
0.0
0.0
0.7
Dep
artm
ent o
f Def
ence
0.0
–23.
5–3
4.0
–32.
6–3
2.0
–122
.151
.1–1
73.2
Capi
tal
0.0
–23.
5–3
4.0
–32.
6–3
2.0
–122
.1
Dep
artm
ent o
f Edu
catio
n an
d Tr
aini
ng0.
00.
90.
80.
80.
93.
43.
5–0
.1
Dep
artm
ent o
f Ind
ustr
y, In
nova
tion
and
Scie
ncea
0.0
0.7
0.6
5.4
8.2
14.9
15–0
.1
Dep
artm
ent o
f the
Prim
e M
inis
ter a
nd C
abin
et0.
00.
00.
00.
00.
00.
00.
00.
0
Dep
artm
ent o
f Com
mun
icat
ions
and
the
Arts
0.0
0.0
0.0
0.0
0.0
0.0
0.0
0.0
Dep
artm
ent o
f For
eign
Affa
irs a
nd T
rade
0.0
0.0
0.0
0.0
0.0
0.0
6.7
–6.7
Tota
lb0.
00.
40.
25.
48.
214
.219
5.1
–180
.9
a D
oes n
ot in
clud
e $3
0.5
mill
ion
anno
unce
d un
der N
ISA.
b D
oes n
ot in
clud
e $3
0.5
mill
ion
anno
unce
d un
der N
ISA
for I
nnov
atio
n an
d $7
.5 m
illio
n fo
r CSI
RO a
lso
anno
unce
d un
der N
ISA.
37
Two
furt
her c
yber
-rel
ated
initi
ativ
es w
ere
anno
unce
d in
the
2016
–17
MYE
FO: a
dditi
onal
supp
ort f
or w
omen
and
girl
s in
STEM
and
an
expa
nsio
n of
incu
bato
r sup
port
of i
nnov
ativ
e ne
w
busi
ness
es (T
able
4).
Thes
e tw
o in
itiat
ives
add
a fu
rthe
r $46
.4 m
illio
n to
cyb
er‑r
elat
ed fu
ndin
g ou
t to
2019
–20.
TABL
E 4:
201
6–17
MYE
FO
Expe
nse
($m
)20
15–1
620
16–1
720
17–1
820
18–1
920
19–2
0To
tal
Dep
artm
ent o
f Edu
catio
n an
d Tr
aini
nga
0.0
2.8
8.1
9.7
10.6
31.2
Dep
artm
ent o
f Ind
ustr
y, In
nova
tion
and
Scie
nceb
0.0
3.8
3.8
3.8
3.8
15.2
Tota
l0.
06.
611
.913
.514
.446
.4
a S
uppo
rtin
g W
omen
and
Girl
s in
STEM
.b
Incu
bato
r Sup
port
for I
nnov
ativ
e N
ew B
usin
esse
s and
Job
s—ex
pans
ion.
TABL
E 5:
201
7–18
BUD
GET
Expe
nse
($m
)20
16–1
720
17–1
820
18–1
920
19–2
020
20–2
1To
tal
Digi
tal T
rans
form
atio
n Ag
ency
0
2.8
2.7
2.6
2.6
10.7
Cybe
r Sec
urity
Adv
isor
y O
ffice
02.
82.
72.
62.
610
.7
Bure
au o
f Met
eoro
logy
—im
prov
ed se
curit
y an
d re
silie
nce
00.
20
00
0.2
Tota
l0
32.
72.
62.
610
.9
The
2017
–18
Budg
et in
clud
ed a
dditi
onal
fund
ing
for a
new
Cyb
er S
ecur
ity A
dvis
ory
Offi
ce (C
SAO
) with
in th
e Di
gita
l Tra
nsfo
rmat
ion
Agen
cy (D
TA),
part
of t
he D
epar
tmen
t of t
he P
rime
Min
iste
r an
d Ca
bine
t. Th
e CS
AO’s
esta
blis
hmen
t is t
he g
over
nmen
t’s re
spon
se to
reco
mm
enda
tions
ste
mm
ing
from
#ce
nsus
fail
to im
prov
e th
e qu
ality
and
coo
rdin
atio
n of
cyb
erse
curit
y ad
vice
to
gove
rnm
ent a
genc
ies o
n in
form
atio
n te
chno
logy
pro
ject
s. D
TA w
as a
lso
prov
ided
an
addi
tiona
l $20
0,00
0 fo
r cyb
erse
curit
y im
prov
emen
ts a
t the
Bur
eau
of M
eteo
rolo
gy fo
llow
ing
that
age
ncy’
s si
gnifi
cant
cyb
erse
curit
y br
each
repo
rted
in 2
015.
38 AUSTRALIA’S CYBER SECURITY STRATEGY: EXECUTION & EVOLUTION
TABL
E 6:
TOT
AL B
UDGE
TED
EXPE
NDIT
URE,
201
5–16
TO
2019
–20
Expe
nse
and
capi
tal (
$m)
2015
–16
2016
–17
2017
–18
2018
–19
2019
–20
Tota
l
Atto
rney
Gen
eral
’s D
epar
tmen
t0.
016
.522
.522
.021
.382
.3
Aust
ralia
n Fe
dera
l Pol
ice
0.0
4.1
5.5
5.4
5.4
20.4
Aust
ralia
n Cr
imin
al In
telli
genc
e Co
mm
issi
on0.
01.
74.
84.
44.
415
.3
Dep
artm
ent o
f Def
ence
0.0
16.5
6.0
7.4
8.0
37.9
2016
–17
Budg
et0.
0–2
3.5
–34.
0–3
2.6
–32.
0–1
22.1
2016
Def
ence
Whi
te P
aper
a0.
040
.040
.040
.040
.016
0.0
Dep
artm
ent o
f Edu
catio
n an
d Tr
aini
ng0.
018
.625
.428
.311
.583
.8
Dep
artm
ent o
f Ind
ustr
y, In
nova
tion
and
Scie
nce
26.6
32.2
30.2
45.5
30.1
164.
6
Dep
artm
ent o
f Com
mun
icat
ions
and
the
Arts
0.0
0.0
0.0
0.0
0.0
0.0
Dep
artm
ent o
f For
eign
Affa
irs a
nd T
rade
b0.
01.
71.
71.
71.
76.
7
Digi
tal T
rans
form
atio
n Ag
ency
c0
03.
02.
72.
68.
3
Data
610
24.7
24.9
250
74.6
CSIR
O0
24.2
24.4
24.5
073
.1
Depa
rtm
ent o
f the
Prim
e M
inis
ter a
nd C
abin
et0
0.5
0.5
0.5
01.
5
Tota
l26
.611
6.0
124.
014
2.4
85.0
493.
9
a A
ssum
es 2
016
Def
ence
Whi
te P
aper
Fun
ding
dis
trib
uted
eve
nly
over
10
year
s.b
Ass
umes
eve
n di
strib
utio
n of
inte
rnal
fund
ing.
c D
oes n
ot in
clud
e 20
20–2
1 fu
ndin
g fr
om 2
017–
18 B
udge
t.
Tabl
e 6
aggr
egat
es th
e fu
ndin
g fro
m th
e 20
15–1
6 M
YEFO
, the
201
6–17
Bud
get a
nd M
YEFO
, 201
7–18
Bud
get,
and
estim
ated
fund
ing
prov
ided
und
er th
e D
efen
ce W
hite
Pap
er fo
r an
expa
nsio
n of
D
efen
ce’s
cybe
r cap
abili
ty ($
300–
400
mill
ion
over
10
year
s) a
nd in
tern
al fu
ndin
g fro
m D
FAT
for t
he C
yber
Am
bass
ador
pos
ition
and
cap
acity
bui
ldin
g ac
tiviti
es o
f $6.
7 m
illio
n ov
er fo
ur y
ears
. Th
is sh
ows t
hat,
whe
n th
e Cy
ber S
ecur
ity S
trat
egy’
s pro
gram
s are
com
bine
d w
ith p
rogr
ams f
unde
d un
der t
he N
ISA
and
the
Def
ence
Whi
te P
aper
that
are
rela
ted
to th
e ac
hiev
emen
t of t
he
gove
rnm
ent’s
cyb
erse
curit
y ob
ject
ives
, the
gov
ernm
ent h
as c
omm
itted
new
fund
ing
of o
ver $
493.
9 m
illio
n ov
er fi
ve y
ears
to c
yber
secu
rity
issu
es.
The
larg
est a
mou
nt ($
164
mill
ion
over
four
yea
rs) i
s adm
inis
tere
d by
the
Dep
artm
ent o
f Ind
ustr
y, In
nova
tion
and
Scie
nce
as p
art o
f NIS
A pr
ogra
ms.
The
Att
orne
y‑G
ener
al’s
Dep
artm
ent
($82
.3 m
illio
n) a
nd th
e D
epar
tmen
t of E
duca
tion
and
Trai
ning
($83
.8 m
illio
n) a
re a
lso
man
agin
g si
zeab
le c
yber
‑rel
ated
bud
gets
. Whe
n co
mpa
red
to th
e al
loca
tions
for t
hese
larg
e lin
e de
part
men
ts, t
he $
74.6
mill
ion
allo
cate
d to
Dat
a61
is a
n im
pres
sive
sum
for t
he a
genc
y.
39
ACRONYMS AND ABBREVIATIONS
ACSC Australian Cyber Security Centre
ACSGN Australian Cyber Security Growth Network
AFP Australian Federal Police
ANAO Australian National Audit Office
ASD Australian Signals Directorate
CSAO Cyber Security Advisory Office
DFAT Department of Foreign Affairs and Trade
DTA Digital Transformation Agency
JCSC Joint Cyber Security Centre
MYEFO MidYear Economic and Fiscal Outlook
NISA National Innovation and Science Agenda
PM&C Department of the Prime Minister and Cabinet
STEM science, technology, engineering and mathematics
40 AUSTRALIA’S CYBER SECURITY STRATEGY: EXECUTION & EVOLUTION
Important disclaimerThis publication is designed to provide accurate and authoritative information in relation to the subject matter covered. It is provided with the understanding that the publisher is not engaged in rendering any form of professional or other advice or services. No person should rely on the contents of this publication without first obtaining advice from a qualified professional person.
ASPITel +61 2 6270 5100 Fax + 61 2 6273 9566 Email [email protected] Web www.aspi.org.au Blog www.aspistrategist.org.au
facebook.com/ASPI.org @ASPI_ICPC
www.aspi.org.au/icpc/home
© The Australian Strategic Policy Institute Limited 2017
This publication is subject to copyright. Except as permitted under the Copyright Act 1968, no part of it may in any form or by any means (electronic, mechanical, microcopying, photocopying, recording or otherwise) be reproduced, stored in a retrieval system or transmitted without prior written permission. Enquiries should be addressed to the publishers.
